Cisco Prime Network Control System Configuration Guide
Software Release
OL-25451-01
July 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Copyright © 2011 Cisco Systems, Inc. All rights reserved.

Contents

Preface  lv
  Audience  lv
  Purpose  lv
  Conventions  lv
  Related Publications  lvi
  Obtaining Documentation and Submitting a Service Request  lvi

Chapter 1  Cisco NCS Overview  1-1
  The Cisco Unified Network Solution  1-1
  About NCS  1-2
  NCS Licenses  1-3
  NCS Evaluation License  1-4
  NCS Device Count License  1-4
  NCS Upgrade License  1-4
  NCS Migration License  1-5
  Obtaining the XML file from Existing WCS Deployment  1-5
  Uploading the XML file to the Cisco Migration Portal  1-5
  Applying the New License to Cisco Prime NCS  1-6
  Cisco Unified Network Components  1-6
  Cisco Prime NCS  1-7
  WLAN Controllers  1-7
  Access Points  1-7
  Embedded Access Points  1-8
  Access Point Communication Protocols  1-9
  Guidelines and Restrictions for Using CAPWAP  1-10
  Cisco Wireless LAN Controller Autodiscovery  1-10
  The Controller Discovery Process  1-10
  NCS Services  1-11
  Cisco Context Aware Service Solution  1-11
  Cisco Identity Service Engine Solution  1-12
  Cisco Adaptive Wireless Intrusion Prevention Service  1-13

Chapter 2  Getting Started  2-1
  NCS Delivery Modes  2-1
  Physical Appliance  2-2
  Virtual Appliance  2-2
  Virtual Appliance for Large Deployment  2-2
  Virtual Appliance for Medium Deployment  2-3
  Virtual Appliance for Small Deployment  2-3
  Operating Systems Requirements  2-3
  Client Requirements  2-4
  Prerequisites  2-4
  Reinstalling NCS on Physical Appliance  2-5
  Deploying the NCS Virtual Appliance  2-5
  Deploying the NCS Virtual Appliance from the VMware vSphere Client  2-6
  Configuring the Basic Settings for NCS Virtual Appliance  2-8
  Deploying NCS Virtual Appliance using the Command Line Client  2-9
  Setting Up NCS  2-9
  Starting the NCS Server  2-10
  Logging into the NCS User Interface  2-11
  Applying the NCS Software License  2-12
  Understanding NCS Home Page  2-13
  Dashboards  2-13
  General Dashboard  2-15
  Client Dashboard  2-16
  Security Dashboard  2-17
  Mesh Dashboard  2-18
  CleanAir Dashboard  2-18
  Context Aware Dashboard  2-21
  Icons  2-22
  Menu Bar  2-23
  Monitor Menu  2-23
  Configure Menu  2-24
  Services Menu  2-25
  Reports Menu  2-25
  Administration Menu  2-25
  Global Toolbar  2-26
  Tools  2-26
  Help  2-26
  Alarm Summary  2-27
  Command Buttons  2-27
  Main Data Page  2-28
  Administrative Elements  2-28
  Customizing NCS Home Page  2-29
  Editing NCS Home Page  2-29
  Adding Dashlets  2-30
  Adding a New Dashboard  2-32
  Using the Search Feature  2-33
  Quick Search  2-33
  Advanced Search  2-34
  Searching Alarms  2-36
  Searching Access Points  2-37
  Searching Controller Licenses  2-38
  Searching Controllers  2-38
  Searching Switches  2-39
  Searching Clients  2-40
  Searching Chokepoints  2-41
  Searching Events  2-42
  Searching Interferers  2-42
  Searching AP-Detected Interferers  2-43
  Searching Wi-Fi TDOA Receivers  2-44
  Searching Maps  2-44
  Searching Rogue Clients  2-44
  Searching Shunned Clients  2-45
  Searching Tags  2-45
  Saved Searches  2-46
  Configuring the Search Results Display (Edit View)  2-46

Chapter 3  Configuring Security Solutions  3-1
  Cisco Unified Wireless Network Solution Security  3-1
  Layer 1 Solutions  3-2
  Layer 2 Solutions  3-2
  Layer 3 Solutions  3-2
  Single Point of Configuration Policy Manager Solutions  3-2
  Rogue Access Point Solutions  3-3
  Rogue Access Point Challenges  3-3
  Tagging and Containing Rogue Access Points  3-3
  Securing Your Network Against Rogue Access Points  3-3
  Interpreting the Security Dashboard  3-4
  Security Index  3-5
  Malicious Rogue Access Points  3-6
  Adhoc Rogues  3-6
  CleanAir Security  3-7
  Unclassified Rogue Access Points  3-7
  Friendly Rogue Access Points  3-8
  Access Point Threats or Attacks  3-8
  MFP Attacks  3-9
  Attacks Detected  3-9
  Recent Rogue AP Alarms  3-9
  Recent Adhoc Rogue Alarm  3-9
  Most Recent Security Alarms  3-9
  Rogue Access Points, Ad hoc Events, and Clients  3-9
  Classifying Rogue Access Points  3-10
  Rogue Access Point Classification Types  3-11
  Adhoc Rogue  3-13
  Rogue Access Point Location, Tagging, and Containment  3-13
  Detecting Access Points on a Network  3-14
  Viewing Rogue Access Points by Controller  3-15
  Working with Alarms  3-16
  Monitoring Rogue Alarm Events  3-17
  Viewing Rogue AP Event Details  3-18
  Monitoring Adhoc Rogue Events  3-19
  Viewing Adhoc Rogue Event Details  3-19
  Security Overview  3-20
  Security Vulnerability Assessment  3-20
  Security Index  3-21
  Top Security Issues  3-22
  Switch Port Tracing  3-28
  Integrated Security Solutions  3-28
  Using NCS to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode  3-29
  Configuring a Firewall for NCS  3-30
  Access Point Authorization  3-30
  Management Frame Protection (MFP)  3-31
  Guidelines for Using MFP  3-32
  Configuring Intrusion Detection Systems (IDS)  3-33
  Viewing IDS Sensors  3-33
  Configuring IDS Signatures  3-33
  Uploading IDS Signatures  3-36
  Downloading IDS Signatures  3-37
  Enabling or Disabling IDS Signatures  3-38
  Enabling Web Login  3-41
  Downloading Customized Web Authentication  3-42
  Connecting to the Guest WLAN  3-44
  Certificate Signing Request (CSR) Generation  3-44

Chapter 4  Performing Maintenance Operations  4-1
  Information About Maintenance Operations  4-1
  Performing System Tasks  4-1
  Adding a Controller to the NCS Database  4-1
  Using NCS to Update System Software  4-2
  Downloading Vendor Device Certificates  4-3
  Downloading Vendor CA Certificates  4-4
  Using NCS to Enable Long Preambles for SpectraLink NetLink Phones  4-5
  Creating an RF Calibration Model  4-5
  Performing NCS Operations  4-6
  Verifying the Status of NCS  4-6
  Stopping NCS  4-6
  Backing Up the NCS Database  4-7
  Scheduling Automatic Backups  4-7
  Performing a Manual Backup  4-8
  Restoring the NCS Database  4-8
  Restoring the NCS Database in a High Availability Environment  4-9
  Uninstalling NCS  4-10
  Upgrading WCS to NCS  4-10
  Upgrading NCS in a High Availability Environment  4-12
  Upgrading the Network  4-12
  Reinitializing the Database  4-13
  Recovering the NCS Password  4-13

Chapter 5  Monitoring Devices  5-1
  Information About Monitoring  5-1
  Monitoring Controllers  5-1
  Searching Controllers  5-2
  Viewing List of Controllers  5-2
  Configuring the Controller List Display  5-3
  Monitoring System Parameters  5-3
  Monitoring System Summary  5-4
  Monitoring Spanning Tree Protocol  5-5
  Monitoring CLI Sessions  5-7
  Monitoring DHCP Statistics  5-8
  Monitoring WLANs  5-9
  Monitoring Ports  5-9
  Monitoring General Ports  5-9
  Monitoring CDP Interface Neighbors  5-14
  Monitoring Controller Security  5-15
  Monitoring RADIUS Authentication  5-15
  Monitoring RADIUS Accounting  5-17
  Monitoring Management Frame Protection  5-19
  Monitoring Rogue AP Rules  5-20
  Monitoring Guest Users  5-22
  Monitoring Controllers Mobility  5-23
  Monitoring Mobility Stats  5-23
  Monitoring Controller 802.11a/n  5-24
  Monitoring 802.11a/n Parameters  5-25
  Monitoring 802.11a/n RRM Groups  5-26
  Monitoring Controllers 802.11b/g/n  5-28
  Monitoring 802.11b/g/n Parameters  5-28
  Monitoring 802.11b/g/n RRM Groups  5-30
  Monitoring Switches  5-32
  Searching Switches  5-32
  Viewing List of Switches  5-33
  Configuring the Switch List Page  5-33
  Monitoring Switch System Parameters  5-33
  Viewing Switch Summary Information  5-34
  Viewing Switch Memory Information  5-35
  Viewing Switch Environment Information  5-35
  Viewing Switch Module Information  5-36
  Viewing Switch VLAN Information  5-36
  Viewing Switch VTP Information  5-36
  Viewing Switch Physical Ports Information  5-37
  Viewing Switch Sensor Information  5-37
  Viewing Switch Spanning Tree Information  5-38
  Viewing Switch Stacks Information  5-39
  Viewing Switch NMSP and Location Information  5-39
  Monitoring Switch Interfaces  5-39
  Monitoring Switch Ethernet Interfaces  5-39
  Monitoring Switch IP Interfaces  5-40
  Monitoring Switch VLAN Interfaces  5-41
  Monitoring Switch EtherChannel Interfaces  5-41
  Monitoring Switch Clients  5-41
  Monitoring Access Points  5-42
  Searching Access Points  5-42
  Viewing List of Access Points  5-43
  Configuring the Access Point List Display  5-44
  Configuring the List of Access Points Display  5-45
  Generating a Report for Access Points  5-46
  Monitoring Traffic Load  5-48
  Monitoring Dynamic Power Control  5-49
  Monitoring Access Points Noise  5-50
  Monitoring Access Points Interference  5-50
  Monitoring Access Points Coverage (RSSI)  5-51
  Monitoring Access Points Coverage (SNR)  5-51
  Monitoring Access Points Up/Down Statistics  5-51
  Monitoring Access Points Voice Statistics  5-52
  Monitoring Access Points Voice TSM Table  5-52
  Monitoring Access Points Voice TSM Reports  5-54
  Monitoring Access Points 802.11 Counters  5-54
  Monitoring Access Points AP Profile Status  5-55
  Monitoring Access Points Radio Utilization  5-55
  Monitoring Access Points Traffic Stream Metrics  5-55
  Monitoring Access Points Tx Power and Channel  5-55
  Monitoring VoIP Calls  5-56
  Monitoring Voice Statistics  5-56
  Monitoring Air Quality  5-56
  Monitoring Access Points Details  5-56
  General Tab  5-56
  Interfaces Tab  5-64
  CDP Neighbors Tab  5-66
  Current Associated Clients Tab  5-66
  SSID Tab  5-67
  Monitoring Access Point Radio Details  5-68
  Monitoring On Demand Statistics  5-68
  General Tab  5-70
  CleanAir Tab  5-71
  Monitoring Operational Parameters  5-72
  Monitoring 802.11 MAC Counters  5-75
  Monitoring View Alarms  5-76
  Monitor View Events  5-77
  Monitoring Mesh Access Points  5-77
  Mesh Statistics for an Access Point  5-78
  Retrieving the Unique Device Identifier on Controllers and Access Points  5-83
  Monitoring Coverage Hole  5-84
  Monitoring Pre-Coverage Holes  5-84
  Monitoring Rogue Access Points  5-86
  Detecting Rogue Devices  5-86
  Classifying Rogue Access Points  5-87
  Monitoring Rogue AP Alarms  5-90
  Viewing Rogue AP Alarm Details  5-94
  Viewing Rogue Client Details  5-98
  Viewing Rogue AP History Details  5-99
  Viewing Rogue AP Event History Details  5-100
  Monitoring Adhoc Rogues  5-100
  Monitoring Adhoc Rogue Alarms  5-100
  Viewing Adhoc Rogue Alarm Details  5-103
  Searching Rogue Clients Using Advanced Search  5-105
  Monitoring Rogue Access Point Location, Tagging, and Containment  5-107
  Detecting Access Points  5-107
  Monitoring Rogue Alarm Events  5-108
  Viewing Rogue AP Event Details  5-109
  Monitoring Adhoc Rogue Events  5-110
  Viewing Adhoc Rogue Event Details  5-111
  Monitoring RFID Tags  5-113
  Tag Summary  5-113
  Searching Tags  5-113
  Viewing RFID Tag Search Results  5-114
  Viewing Tag List  5-115
  Monitoring Chokepoints  5-115
  Performing a Chokepoint Search  5-115
  Monitoring Interferers  5-116
  Monitoring AP Detected Interferers  5-116
  Monitoring AP Detected Interferer Details  5-117
  Monitoring AP Detected Interferer Details Location History  5-118
  Configuring the Search Results Display  5-119
  Monitoring Spectrum Experts  5-119
  Spectrum Experts Summary  5-119
  Interferers Summary  5-120
  Interferers Search  5-121
  Spectrum Experts Details  5-121
  Monitoring WiFi TDOA Receivers  5-121
  Monitoring Radio Resource Management (RRM)  5-122
  Channel Change Notifications  5-123
  Transmission Power Change Notifications  5-123
  RF Grouping Notifications  5-123
  Viewing the RRM Dashboard  5-123
  Monitoring Clients and Users  5-125
  Monitoring Alarms  5-125
  Alarms and Events Overview  5-126
  Viewing List of Alarms  5-126
  Filtering Alarms  5-127
  Viewing Alarm Details  5-128
  Viewing Events Related to Alarms  5-129
  Modifying Alarms  5-129
  Specifying Email Notifications for Alarms  5-130
  Modifying the Alarm Browser  5-130
  Viewing the Alarm Summary  5-130
  Modifying Alarm Settings  5-132
  Modifying Alarm Count Refresh Rate  5-132
  Configuring Alarm Severity Levels  5-132
  Working with Alarms  5-133
  Monitoring Access Point Alarms  5-134
  Monitoring Air Quality Alarms  5-135
  Monitoring CleanAir Security Alarms  5-137
  Monitoring Email Notifications  5-138
  Monitoring Severity Configurations  5-139
  Monitoring Cisco Adaptive wIPS Alarms  5-139
  Monitoring Cisco Adaptive wIPS Alarm Details  5-140
  Monitoring Events  5-142
  Searching Events  5-144
  Monitoring Failure Objects  5-144
  Monitoring Events for Rogue APs  5-145
  Monitoring Events for Adhoc Rogues  5-146
  Monitoring Cisco Adaptive wIPS Events  5-147
  Monitoring CleanAir Air Quality Events  5-147
  Viewing Air Quality Event Details  5-148
  Monitoring Interferer Security Risk Events  5-149
  Viewing Interferer Security Risk Event Details  5-150
  Monitoring Health Monitor Events  5-150
  Viewing Health Monitor Event Details  5-151
  Working with Events  5-151
  Monitoring Site Maps  5-152
  Monitoring Google Earth Maps  5-152

Chapter 6  Monitoring Maps  6-1
  Information About Maps  6-2
  Maps  6-2
  Campus  6-3
  Building  6-3
  Floor Area  6-3
  Outdoor Area  6-4
  Access Points  6-4
  Chokepoints  6-4
  Wi-Fi TDOA Receivers  6-4
  Map Editor  6-4
  Guidelines and Limitations  6-5
  Guidelines for Using the Map Editor  6-5
  Guidelines for Placing Access Points  6-5
  Guidelines for Inclusion and Exclusion areas on a Floor  6-7
  Monitoring Maps  6-8
  Configuring Maps  6-8
  Viewing a Map  6-8
  Editing a Map  6-10
  Deleting a Map  6-10
  Copying a Map  6-11
  Exporting a Map  6-12
  Importing a Map  6-13
  Editing Map Properties  6-14
  Filtering Maps  6-15
  Configuring Buildings  6-16
  Adding a Building to a Campus Map  6-16
  Viewing a Building  6-21
  Editing a Building  6-21
  Deleting a Building  6-22
  Moving a Building  6-22
  Configuring Campus  6-23
  Adding a Campus Map  6-23
  Viewing a Campus Map  6-24
  Editing a Campus Map  6-24
  Deleting a Campus Map  6-25
  Configuring Outdoor Areas  6-25
  Adding an Outdoor Area  6-25
  Editing Outdoor Areas  6-27
  Deleting Outdoor Areas  6-27
  Configuring Floor Areas  6-28
  Adding Floor Areas to a Campus Building  6-28
  Adding Access Points to a Floor Area  6-34
  Editing Floor Areas  6-39
  Deleting Floor Areas  6-39
  Placing Access Points  6-40
  Configuring Floor Settings  6-41
  Import Map and AP Location Data  6-53
  Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File  6-54
  Changing Access Point Positions by Importing and Exporting a File  6-55
  Configuring ChokePoints  6-56
  Using Chokepoints to Enhance Tag Location Reporting  6-56
  Adding Chokepoints to the NCS Database  6-56
  Adding a Chokepoint to a NCS Map  6-57
  Positioning Chokepoints  6-58
  Removing Chokepoints from the NCS Database and Map  6-59
  Configuring WiFi TDOA Receivers  6-59
  Adding WiFi TDOA Receivers to the NCS Database  6-60
  Adding WiFi TDOA Receivers to a Map  6-60
  Positioning WiFi TDOA Receivers  6-60
  Removing WiFi TDOA Receivers from the Map  6-61
  Removing WiFi TDOA Receivers from the NCS Database  6-61
  Managing RF Calibration Models  6-62
  Access Current Calibration Models  6-63
  Apply Calibration Models to Maps  6-63
  Calibration Model Properties  6-63
  Calibration Model Details  6-63
  Create New Calibration Models  6-64
  Start Calibration Process  6-64
  Calibrating  6-67
  Apply to Maps  6-67
  Delete Calibration Models  6-67
  Managing Location Presence Information  6-68
  Searching Maps  6-69
  Using the Map Editor  6-69
  Opening Map Editor  6-70
  Using the Map Editor to Draw Polygon Areas  6-70
  Defining an Inclusion Region on a Floor  6-73
  Defining an Exclusion Region on a Floor  6-74
  Defining a Rail Line on a Floor  6-75
  Inspecting Location Readiness and Quality  6-76
  Inspect Location Readiness  6-76
  Inspecting Location Quality Using Calibration Data  6-76
  Inspect VoWLAN Readiness  6-77
  Troubleshooting Voice RF Coverage Issues  6-78
  Monitoring Mesh Networks Using Maps  6-78
  Monitoring Mesh Link Statistics Using Maps  6-78
  Monitoring Mesh Access Points Using Maps  6-81
  Monitoring Mesh Access Point Neighbors Using Maps  6-83
  Viewing the Mesh Network Hierarchy  6-85
  Using Mesh Filters to Modify Map Display of Maps and Mesh Links  6-87
  Monitoring Tags Using Maps  6-89
  Using Planning Mode  6-89
  Accessing Planning Mode  6-89
  Using Planning Mode to Calculate Access Point Requirements  6-90
  Refresh Options  6-97
  Creating a Network Design  6-98
  Designing a Network  6-98
  Importing or Exporting WLSE Map Data  6-102
  Monitoring Device Details  6-103
  Access Point Details  6-103
  Client Details  6-105
  Tag Details  6-106
  Rogue Access Point Details  6-106
  Rogue Adhoc Details  6-107
  Rogue Client Details  6-107
  Interferer Details  6-107
  Floor View Navigation  6-108
  Understanding RF Heatmap Calculation  6-109
  Monitoring Google Earth Maps  6-111
  Creating an Outdoor Location Using Google Earth  6-112
  Understanding Geographical Coordinates for Google Earth  6-112
  Creating and Importing Coordinates in Google Earth (KML File)  6-113
  Creating and Importing Coordinates as a CSV File  6-115
  Importing a File into NCS  6-116
  Viewing Google Earth Maps  6-117
  Viewing Google Earth Map Details  6-117
  Adding Google Earth Location Launch Points to Access Point Pages  6-117
  Google Earth Settings  6-118

Chapter 7  Managing NCS User Accounts  7-1
  Managing NCS User Accounts  7-1
  Adding NCS User Accounts  7-2
  Deleting NCS User Accounts  7-3
  Changing Passwords  7-4
  Monitoring Active Sessions  7-4
  Viewing or Editing User Account Information  7-5
  Setting the Lobby Ambassador Defaults  7-6
  Viewing or Editing Group Information  7-7
  Editing the Guest User Credentials  7-8
  Viewing the Audit Trail  7-8
  Audit Trail Details Page  7-9
  Creating Guest User Accounts  7-9
  Logging in to the NCS User Interface as a Lobby Ambassador  7-10
  Managing NCS Guest User Accounts  7-11
  Scheduling NCS Guest User Accounts  7-11
  Printing or E-mailing NCS Guest User Details  7-13
  Saving Guest Accounts on a Device  7-13
  Editing the Guest User Credentials  7-13
  Adding a New User  7-14
  Adding User Names, Passwords, and Groups  7-14
  Assigning a Virtual Domain  7-15
  Managing Lobby Ambassador Accounts  7-16
  Creating a Lobby Ambassador Account  7-17
  Editing a Lobby Ambassador Account  7-18
  Logging in to the NCS User Interface as a Lobby Ambassador  7-19
  Logging the Lobby Ambassador Activities  7-19

Chapter 8  Configuring Mobility Groups  8-1
  Information About Mobility  8-1
  Symmetric Tunneling  8-5
  Overview of Mobility Groups  8-5
  When to Include Controllers in a Mobility Group  8-7
  Messaging among Mobility Groups  8-7
  Configuring Mobility Groups  8-8
  Prerequisites  8-8
  Setting the Mobility Scalability Parameters  8-11
  Mobility Anchors  8-12
  Configuring Mobility Anchors  8-13
  Configuring Multiple Country Codes  8-14
  Configuring Controller Config Groups  8-16
  Adding New Group  8-17
  Configuring Config Groups  8-18
  Adding or Removing Controllers from a Config Group  8-18
  Adding or Removing Templates from the Config Group  8-20
  Applying or Scheduling Config Groups  8-20
  Auditing Config Groups  8-21
  Rebooting Config Groups  8-22
  Reporting Config Groups  8-22
  Downloading Software  8-23
  Downloading IDS Signatures  8-23
  Downloading Customized WebAuth  8-24

Chapter 9  Configuring Devices  9-1
  Configuring Controllers  9-1
  Understanding the Controller Audit Report  9-3
  Adding Controllers  9-4
  Bulk Update of Controller Credentials  9-7
  Removing Controllers from NCS  9-8
  Rebooting Controllers  9-8
  Downloading Software to Controllers  9-9
  Download Software (FTP)  9-9
  Download Software (TFTP)  9-11
  Configure IPaddr Upload Configuration/Logs from Controller  9-13
  Downloading IDS Signatures  9-14
  Downloading a Customized WebAuthentication Bundle to a Controller  9-15
  Downloading a Vendor Device Certificate  9-16
  Downloading a Vendor CA Certificate  9-17
  Saving the Configuration to Flash  9-18
  Refreshing the Configuration from the Controller  9-18
  Discovering Templates from the Controller  9-19
  Updating Credentials in NCS  9-19
  Viewing Templates Applied to a Controller  9-20
  Using the Audit Now Feature  9-20
  Viewing the Latest Network Audit Report  9-22
  Configuring Existing Controllers  9-23
  Viewing Controllers Properties  9-23
  Configuring Controller System Parameters  9-25
  Managing General System Properties for Controllers  9-25
  Configuring Controller System Commands  9-31
  Restoring Factory Defaults  9-33
  Setting Controller Time and Date  9-34
  Uploading Configuration/Logs from Controllers  9-34
  Downloading Configurations to Controllers  9-35
  Downloading Software to a Controller  9-35
  Downloading a Web Admin Certificate to a Controller  9-36
  Downloading IDS Signatures  9-37
  Downloading a Customized Web Auth Bundle to a Controller  9-37
  Configuring Controller System Interfaces  9-38
  Adding an Interface  9-39
  Viewing Current Interface Details  9-40
  Deleting a Dynamic Interface  9-41
  Configuring Controller System Interface Groups  9-41
  Adding an Interface Group  9-41
  Deleting an Interface Group  9-42
  Viewing Interface Groups  9-43
  NAC Integration  9-43
  Configuring Wired Guest Access  9-46
  Creating an Ingress Interface  9-48
  Creating an Egress Interface  9-48
  Configuring Controller Network Routes  9-49
  Viewing Existing Network Routes  9-49
  Configuring Controller Spanning Tree Protocol Parameters  9-50
  Configuring Controller Mobility Groups  9-50
  Configuring Controller Network Time Protocol  9-53
  Background Scanning on 1510s in Mesh Networks  9-53
  Configuring Controller QoS Profiles  9-56
  Configuring Controller DHCP Scopes  9-56
  Configuring Controller User Roles  9-57
  Configuring a Global Access Point Password  9-59
  Configuring Global CDP  9-59
  Configuring AP 802.1X Supplicant Credentials  9-60
  Configuring Controller DHCP  9-61
  Configuring Controller Multicast Mode  9-62
  Configuring Access Point Timer Settings  9-63
  Configuring Controller WLANs  9-64
  Viewing WLAN Details  9-65
  General Tab  9-65
  Security Tab  9-66
  QoS Tab  9-70
  Advanced Tab  9-70
  Adding a WLAN  9-73
  Deleting a WLAN  9-74
  Managing WLAN Status Schedules  9-75
  Mobility Anchors  9-76
  Configuring WLANs AP Groups  9-77
  Adding Access Point Groups  9-77
  Deleting Access Point Groups  9-78
  Auditing Access Point Groups  9-79
  Configuring Hybrid REAP Parameters  9-79
  Configuring H-REAP AP Groups  9-79
  Auditing an H-REAP Group  9-81
  Configuring Security Parameters  9-81
  Configuring Controller File Encryption  9-82
  Configure Controllers > IPaddr > Security > AAA  9-82
  Configuring AAA General Parameters  9-83
  Configuring AAA RADIUS Auth Servers  9-83
  Configuring AAA RADIUS Acct Servers  9-84
  Configuring AAA RADIUS Fallback Parameters  9-85
  Configuring AAA LDAP Servers  9-86
  Configuring AAA TACACS+ Servers  9-87
  Configuring AAA Local Net Users  9-88
  Configuring AAA MAC Filtering  9-89
  Configuring AAA AP/MSE Authorization  9-90
  Configuring AAA Web Auth Configuration  9-91
  Configuring AAA Password Policy  9-92
  Configure Controllers > IPaddr > Security > Local EAP  9-93
  Configuring Local EAP General Parameters  9-93
  Configuring Local EAP Profiles  9-94
  Configuring Local EAP General EAP-FAST Parameters  9-96
  Configuring Local EAP General Network Users Priority  9-96
  Configuring User Login Policies  9-97
  Managing Manually Disabled Clients  9-97
  Configuring Access Control Lists  9-98
  Configure IPaddr > Access Control List > listname Rules  9-98
  Configuring CPU Access Control Lists  9-99
  Configuring the IDS Sensor List  9-100
  Configuring CA Certificates  9-100
  Configuring ID Certificates  9-101
  Configure Controllers > IPaddr > Security > Web Auth Certificate  9-102
  Configuring Wireless Protection Policies  9-102
  Configuring Rogue Policies  9-103
  Configuring Rogue AP Rules  9-104
  Configuring Client Exclusion Policies  9-104
  Configuring IDS Signatures  9-105
  Configuring Controller Standard Signature Parameters  9-105
  Configuring Custom Signatures  9-109
  Configuring AP Authentication and MFP  9-109
  Configuring Cisco Access Points  9-110
  Sniffer feature  9-111
  Configuring 802.11 Parameters  9-112
  Configuring General Parameters for an 802.11 Controller  9-112
  Configuring Aggressive Load Balancing  9-113
  Configuring Band Selection  9-115
  Configuring 802.11 Media Parameters  9-116
  Configuring 802.11a/n Parameters  9-117
  Configuring 802.11a/n General Parameters  9-117
  Configuring 802.11a/n RRM Thresholds  9-119
  Configuring 802.11a/n RRM Intervals  9-119
  Configuring 802.11a/n RRM Transmit Power Control  9-120
  Configuring 802.11a/n RRM Dynamic Channel Allocation  9-121
  Configuring 802.11a/n RRM Radio Grouping  9-123
  Configuring 802.11a/n Media Parameters  9-123
  Configuring 802.11a/n EDCA Parameters  9-126
  Configuring 802.11a/n Roaming Parameters  9-126
  Configuring 802.11a/n 802.11h Parameters  9-127
  Configuring 802.11a/n High Throughput (802.11n) Parameters  9-128
  Configuring 802.11a/n CleanAir Parameters  9-128
  Configuring 802.11b/g/n Parameters  9-129
  Configuring 802.11b/g/n General Parameters  9-130
  Configuring 802.11b/g/n RRM Thresholds  9-131
  Configuring 802.11b/g/n RRM Intervals  9-131
  Configuring 802.11b/g/n RRM Transmit Power Control  9-132
  Configuring 802.11b/g/n RRM DCA  9-133
  Configuring 802.11b/g/n RRM Radio Grouping  9-133
  Configuring 802.11b/g/n Media Parameters  9-134
  Configuring 802.11b/g/n EDCA Parameters  9-136
  Configuring 802.11b/g/n Roaming Parameters  9-137
  Configuring 802.11b/g/n High Throughput (802.11n) Parameters  9-138
  Configuring 802.11b/g/n CleanAir Parameters  9-138
  Configuring Mesh Parameters  9-139
  Client Access on 1524SB Dual Backhaul  9-140
  Backhaul Channel Deselection Using NCS  9-141
  Configuring Port Parameters  9-142
  Configuring Controllers Management Parameters  9-143
  Configuring Trap Receivers  9-143
  Configuring Trap Control Parameters  9-144
  Configuring Telnet SSH Parameters  9-146
  Configuring a Syslog for an Individual Controller  9-147
  Configuring Multiple Syslog Servers  9-147
  Configuring WEB Admin  9-147
  Download Web Auth or Web Admin Certificate to Controller  9-148
  Configuring Local Management Users  9-149
  Configuring Authentication Priority  9-149
  Configuring Location Configurations  9-149
  Configuring Access Points  9-151
  Setting AP Failover Priority  9-152
  Configuring Global Credentials for Access Points  9-152
  Configuring Ethernet Bridging and Ethernet VLAN Tagging  9-154
  Ethernet VLAN Tagging Guidelines  9-155
  Enabling Ethernet Bridging and VLAN Tagging  9-157
  Autonomous to Lightweight Migration Support  9-158
  Adding Autonomous Access Points to NCS  9-159
  Viewing Autonomous Access Points in NCS  9-163
  Downloading Images to Autonomous Access Points (TFTP)  9-163
  Downloading Images to Autonomous Access Points (FTP)  9-164
  Supporting Autonomous Access Points in Work Group Bridge (WGB) mode  9-164
  Configuring Access Point Details  9-164
  Configuring an Ethernet Interface  9-173
  Importing AP Configuration  9-174
  Exporting AP Configuration  9-175
  Configuring Access Points 802.11n Antenna  9-175
  Configuring CDP  9-184
  Configuring CDP on Access Point  9-184
  Configuring Access Point Radios for Tracking Optimized Monitor Mode  9-184
  Copying and Replacing Access Points  9-185
  Removing Access Points  9-186
  Scheduling and Viewing Radio Status  9-186
  Scheduling Radio Status  9-186
  Viewing Scheduled Tasks  9-186
  Viewing Audit Status (for Access Points)  9-187
  Filtering Alarms for Maintenance Mode Access Points  9-187
  Placing an Access Point in Maintenance State  9-188
  Removing an Access Point from Maintenance State  9-188
  Searching Access Points  9-188
  Viewing Mesh Link Details  9-189
  Viewing or Editing Rogue Access Point Rules  9-190
  Configuring Switches  9-190
  Features Available by Switch Type  9-191
  Viewing Switches  9-191
  Viewing Switch Details  9-191
  Modifying SNMP Parameters  9-192
  Modifying Telnet/SSH Parameters  9-193
  Adding Switches  9-193
  Configuring SNMPv3 on Switches  9-194
  Sample CSV File for Importing Switches  9-195
  Configuring Switch NMSP and Location  9-196
  Enabling and Disabling NMSP for Switches  9-196
  Configuring a Switch Location  9-196
  Configuring a Switch Port Location  9-197
  Removing Switches  9-197
  Refreshing Switch Configuration  9-198
  Enabling Traps and Syslogs on Switches for Wired Client Discovery  9-198
  MAC Notification for Traps (used for non-identity client discovery)  9-198
  Syslog Configuration  9-199
  Configuring Unknown Devices  9-199
  Configuring Spectrum Experts  9-200
  Adding a Spectrum Expert  9-200
  Monitoring Spectrum Experts  9-201
  Viewing Spectrum Experts Summary  9-201
  Viewing Interferers Summary  9-201
  Viewing Spectrum Experts Details  9-202
  OfficeExtend Access Point  9-202
  Licensing for an OfficeExtend Access Point  9-203
  Configuring Link Latency Settings for Access Points  9-203
  Configuring Chokepoints  9-204
  Configure New Chokepoints  9-205
  Adding a Chokepoint to NCS Database  9-205
  Adding a Chokepoint to a NCS Map  9-205
  Removing a Chokepoint from a NCS Map  9-206
  Removing a Chokepoint from NCS  9-207
  Editing Current Chokepoints  9-207
  Configuring WiFi TDOA Receivers  9-207
  Using WiFi TDOA Receivers to Enhance Tag Location Reporting  9-208
  Adding Wi-Fi TDOA Receivers to Cisco NCS and Maps  9-208
  Viewing or Editing Current Wi-Fi TDOA Receivers  9-210
  Removing Wi-Fi TDOA Receivers from Cisco NCS and Maps  9-210
  Configuring Scheduled Configuration Tasks  9-211
  AP Template Tasks  9-211
  Modifying a Current AP Template Task  9-211
  Viewing AP Status Report for the Scheduled Task  9-211
  Enabling or Disabling a Current AP Template Task  9-212
  Viewing AP Template Task History  9-212
  Deleting a Current AP Template Task  9-212
  Configuring Config Groups  9-213
  Modifying a Current Config Group Task  9-213
  Viewing Controller Status Report for the Scheduled Task  9-213
  Enabling or Disabling a Current Config Group Task  9-214
  Viewing Config Group Task History  9-214
  Deleting a Current Config Group Task  9-214
  Viewing WLAN Configuration Scheduled Task Results  9-215
  Downloading Software Task  9-215
  Adding a Download Software Task  9-216
  Modifying a Download Software Task  9-217
  Selecting Controllers for the Download Software Task  9-218
  Viewing Download Software Results  9-218
  Deleting a Download Software Task  9-219
  Enabling or Disabling a Download Software Task  9-219
  Configuring wIPS Profiles  9-220
  Profile List  9-220
  Adding a Profile  9-221
  Profile Editor  9-222
  Deleting a Profile  9-224
  Applying a Current Profile  9-224
  Configure > wIPS > SSID Group List  9-225
  Global SSID Group List  9-225
  SSID Groups  9-227
  Configuring ACS View Servers  9-229
  Configuring ACS View Server Credentials  9-229
  Configuring TFTP Servers  9-230
  Adding a TFTP Server  9-230
  Deleting TFTP Servers  9-230
  Interactive Graphs  9-230
  Interactive Graphs Overview  9-230
  Interactive Graph Features  9-231
  Time-based Graphs  9-231

Chapter 10  Managing Clients  10-1
  Client Dashlets on the General Dashboard  10-3
  Client Dashboard  10-3
  Client Troubleshooting Dashlet  10-4
  Client Distribution Dashlet  10-4
  Client Authentication Type Distribution  10-5
  Client Alarms and Events Summary Dashlet  10-6
  Client Traffic Dashlet  10-7
  Wired Client Speed Distribution Dashlet  10-8
  Top 5 SSIDs by Client Count  10-9
  Top 5 Switches by Switch Count  10-9
  Client Posture Status Dashlet  10-9
  Monitoring Clients and Users  10-10
  Filtering Client and Users  10-11
  Viewing Clients and Users  10-12
  Client Attributes  10-15
  Client Statistics  10-16
  Client Association History  10-17
  Client Event Information  10-18
  Client Location Information  10-18
  Wired Location History  10-18
  Wireless Location History  10-19
  Client CCXv5 Information  10-19
  Client Troubleshooting  10-20
  Using the Search Feature to Troubleshoot Clients  10-23
  Tracking Clients  10-30
  Notification Settings  10-30
  Identifying Unknown Users  10-31
  Configuring the Search Results Display  10-32
  Enabling Automatic Client Troubleshooting  10-32
  Client Details from Access Point Page  10-33
  Viewing Currently Associated Clients  10-33
  Running Client Reports  10-33
  Running ISE Reports  10-33
  Specifying Client Settings  10-33
  Receiving Radio Measurements for a Client  10-33
  Radio Measurement Results for a Client  10-34
  Viewing Client V5 Statistics  10-35
  Viewing Client Operational Parameters  10-36
  Viewing Client Profiles  10-38
  Disabling a Current Client  10-38
  Removing a Current Client  10-39
  Enabling Mirror Mode  10-39
  Viewing a Map (High Resolution) of a Client Recent Location  10-39
  Viewing a Map (High Resolution) of a Client Current Location  10-39
  Running a Client Sessions Report for the Client  10-40
  Viewing a Roam Reason Report for the Client  10-40
  Viewing Detecting Access Point Details  10-41
  Viewing Client Location History  10-41
  Viewing Voice Metrics for a Client  10-41

Chapter 11  Using Templates  11-1
  Information About Templates  11-1
  Accessing Controller Template Launch Pad  11-1
  Adding Controller Templates  11-2
  Deleting Controller Templates  11-2
  Applying Controller Templates  11-2
  Configuring Controller Templates  11-4
  Configuring System Templates  11-4
  Configuring General Templates  11-5
  Configuring SNMP Community Controller Templates  11-9
  Configuring an NTP Server Template  11-10
  Configuring User Roles Controller Templates  11-11
  Configuring AP Username Password Controller Templates  11-11
  Configuring AP 802.1X Supplicant Credentials  11-12
  Configuring a Global CDP Configuration Template  11-13
  Configuring DHCP Template  11-14
  Configuring Dynamic Interface Templates  11-15
  Configuring QoS Templates
11-18 Configuring AP Timers Template 11-19 Configuring an Interface Group Template 11-20 Configuring a Traffic Stream Metrics QoS Template 11-20 Configuring WLAN Templates 11-22 Configuring WLAN Template 11-22 Security 11-25 QoS 11-31 Advanced 11-32 Configuring WLAN AP Groups Template 11-36 Adding Access Point Groups 11-37 Deleting Access Point Groups 11-38 Configuring H-REAP Templates 11-38 Configuring H-REAP AP Groups Template 11-38 Configuring H-REAP Users 11-40 Configuring Security Templates 11-41 Configuring a General Security Controller Template 11-41 Configuring a File Encryption Template 11-42 Configuring a RADIUS Authentication Template 11-43 Configuring a RADIUS Accounting Template 11-45 Configuring a RADIUS Fallback Template 11-46 Configuring a LDAP Server Template 11-47 Configuring a TACACS+ Server Template 11-48 Configuring a Local EAP General Template 11-50Contents xxvi Cisco Prime Network Control System Configuration Guide OL-25451-01 Configuring a Local EAP Profile Template 11-51 Configuring an EAP-FAST Template 11-53 Configuring a Network User Priority Template 11-54 Configuring a Local Network Users Template 11-55 Guest User Templates 11-56 Configuring a Guest User Template 11-56 Configuring a User Login Policies Template 11-58 Configuring a MAC Filter Template 11-58 Configuring an Access Point or MSE Authorization Template 11-59 Configuring a Manually Disabled Client Template 11-61 Configuring a Client Exclusion Policies Template 11-61 Configuring an Access Point Authentication and MFP Template 11-63 Configuring a Web Authentication Template 11-64 Configuring an External Web Auth Server Template 11-67 Configuring a Security Password Policy Template 11-68 Configuring Security - Access Control Templates 11-69 Configuring an Access Control List Template 11-69 Configuring an ACL IP Groups Template 11-73 Configuring an ACL Protocol Groups Template 11-74 Configuring Security - CPU Access Control List Templates 11-75 Configuring a CPU Access Control 
List (ACL) Template 11-75 Configuring Security - Rogue Templates 11-76 Configuring a Rogue Policies Template 11-76 Configuring a Rogue AP Rules Template 11-78 Configuring a Rogue AP Rule Groups Template 11-80 Configuring a Friendly Access Point Template 11-82 Configuring 802.11 Templates 11-84 Configuring Load Balancing Templates 11-84 Configuring Band Selection Templates 11-84 Configuring Media Stream for Controller Templates (802.11) 11-85 Configuring Radio Templates (802.11a/n) 11-86 Configuring 802.11a/n Parameters Templates 11-86 Configuring Media Parameters Controller Templates (802.11a/n) 11-89 Configuring EDCA Parameters Through a Controller Template (802.11a/n) 11-90 Configuring a Roaming Parameters Template (802.11a/n) 11-92 Configuring an 802.11h Template 11-93 Configuring a High Throughput Template (802.11a/n) 11-94 Configuring CleanAir Controller Templates (802.11a/n) 11-95 Configuring 802.11a/n RRM Templates 11-96 Configuring Radio Templates (802.11b/g/n) 11-101Contents xxvii Cisco Prime Network Control System Configuration Guide OL-25451-01 Configuring 802.11b/g/n Parameters Templates 11-102 Configuring Media Parameters Controller Templates (802.11b/g/n) 11-104 Configuring EDCA Parameters Controller Templates (802.11b/g/n) 11-106 Configuring Roaming Parameters Controller Templates (802.11b/g/n) 11-107 Configuring High Throughput (802.11n) Controller Templates (802.11b/g/n) 11-108 Configuring CleanAir Controller Templates (802.11 b/g/n) 11-108 Configuring 802.11b/g/n RRM Templates 11-110 Configuring Mesh Templates 11-114 Configuring Mesh Setting Templates 11-114 Configuring Management Templates 11-115 Configuring Trap Receiver Templates 11-116 Configuring Trap Control Templates 11-116 Configuring Telnet SSH Templates 11-119 Configuring Legacy Syslog Templates 11-120 Configuring Multiple Syslog Templates 11-120 Configuring Local Management User Templates 11-121 Configuring User Authentication Priority Templates 11-122 Configuring CLI Templates 11-123 
Applying a Set of CLI Commands 11-124 Configuring Location Configuration Templates 11-125 Configuring AP Configuration Templates 11-127 Configuring Lightweight Access Point Templates 11-127 Configuring a New Lightweight Access Point Template 11-127 Editing a Current Lightweight Access Point Template 11-135 Configuring Autonomous Access Point Templates 11-136 Configuring a New Autonomous Access Point Template 11-136 Applying an AP Configuration Template to an Autonomous Access Point 11-136 Configuring Switch Location Configuration Templates 11-137 Configuring Autonomous AP Migration Templates 11-138 Migrating Autonomous Access Point to CAPWAP Access Point 11-138 Migrating a Autonomous Access Point to a Lightweight Access Point 11-139 Editing Current Autonomous AP Migration Templates 11-140 Viewing the Migration Analysis Summary 11-141 Adding/Modifying a Migration Template 11-142 Copying a Migration Template 11-143 Deleting Migration Templates 11-144 Viewing Current Status of Cisco IOS Access Points 11-144 Disabling Access Points that are Ineligible 11-144Contents xxviii Cisco Prime Network Control System Configuration Guide OL-25451-01 C H A P T E R 12 Configuring Hybrid REAP 12-1 Information About Hybrid REAP 12-1 Hybrid-REAP Authentication Process 12-2 Hybrid REAP Guidelines 12-4 Configuring Hybrid REAP 12-4 Configuring the Switch at the Remote Site 12-5 Configuring the Controller for Hybrid REAP 12-6 Configuring an Access Point for Hybrid REAP 12-9 Connecting Client Devices to the WLANs 12-11 Hybrid REAP Access Point Groups 12-11 Hybrid-REAP Groups and Backup RADIUS Servers 12-12 Hybrid-REAP Groups and CCKM 12-12 Hybrid-REAP Groups and Local Authentication 12-13 Configuring Hybrid-REAP Groups 12-13 Auditing an H-REAP Group 12-15 C H A P T E R 13 Alarm and Event Dictionary 13-1 Notification Format 13-2 Traps Added in Release 2.0 13-2 AP_BIG_NAV_DOS_ATTACK 13-4 AP_CONTAINED_AS_ROGUE 13-4 AP_HAS_NO_RADIOS 13-4 AP_MAX_ROGUE_COUNT_CLEAR 13-5 
AP_MAX_ROGUE_COUNT_EXCEEDED 13-5 AUTHENTICATION_FAILURE (From MIB-II standard) 13-6 BSN_AUTHENTICATION_FAILURE 13-6 IPSEC_IKE_NEG_FAILURE 13-6 IPSEC_INVALID_COOKIE 13-7 LINK_DOWN (FROM MIB-II STANDARD) 13-7 LINK_UP (FROM MIB-II STANDARD) 13-7 LRAD_ASSOCIATED 13-7 LRAD_DISASSOCIATED 13-8 LRADIF_COVERAGE_PROFILE_PASSED 13-8 LRADIF_CURRENT_CHANNEL_CHANGED 13-9 LRADIF_CURRENT_TXPOWER_CHANGED 13-9 LRADIF_DOWN 13-9 LRADIF_INTERFERENCE_PROFILE_FAILED 13-10 LRADIF_INTERFERENCE_PROFILE_PASSED 13-10 LRADIF_LOAD_PROFILE_PASSED 13-11Contents xxix Cisco Prime Network Control System Configuration Guide OL-25451-01 LRADIF_NOISE_PROFILE_PASSED 13-11 LRADIF_UP 13-11 MAX_ROGUE_COUNT_CLEAR 13-12 MAX_ROGUE_COUNT_EXCEEDED 13-12 MULTIPLE_USERS 13-12 NETWORK_DISABLED 13-13 NO_ACTIVITY_FOR_ROGUE_AP 13-13 POE_CONTROLLER_FAILURE 13-13 RADIO_ADMIN_UP_OPER_DOWN 13-14 RADIOS_EXCEEDED 13-14 RADIUS_SERVERS_FAILED 13-14 ROGUE_ADHOC_DETECTED 13-15 ROGUE_ADHOC_ON_NETWORK 13-15 ROGUE_AP_DETECTED 13-15 ROGUE_AP_ON_NETWORK 13-16 ROGUE_AP_REMOVED 13-16 RRM_DOT11_A_GROUPING_DONE 13-17 RRM_DOT11_B_GROUPING_DONE 13-17 SENSED_TEMPERATURE_HIGH 13-17 SENSED_TEMPERATURE_LOW 13-18 STATION_ASSOCIATE 13-18 STATION_ASSOCIATE_FAIL 13-18 STATION_AUTHENTICATE 13-19 STATION_AUTHENTICATION_FAIL 13-19 STATION_BLACKLISTED 13-19 STATION_DEAUTHENTICATE 13-20 STATION_DISASSOCIATE 13-20 STATION_WEP_KEY_DECRYPT_ERROR 13-20 STATION_WPA_MIC_ERROR_COUNTER_ACTIVATED 13-21 SWITCH_DETECTED_DUPLICATE_IP 13-21 SWITCH_UP 13-22 TEMPERATURE_SENSOR_CLEAR 13-22 TEMPERATURE_SENSOR_FAILURE 13-22 TOO_MANY_USER_UNSUCCESSFUL_LOGINS 13-23 Traps Added in Release 2.1 13-23 ADHOC_ROGUE_AUTO_CONTAINED 13-24 ADHOC_ROGUE_AUTO_CONTAINED_CLEAR 13-24 NETWORK_ENABLED 13-24 ROGUE_AP_AUTO_CONTAINED 13-25 ROGUE_AP_AUTO_CONTAINED_CLEAR 13-25Contents xxx Cisco Prime Network Control System Configuration Guide OL-25451-01 TRUSTED_AP_INVALID_ENCRYPTION 13-25 TRUSTED_AP_INVALID_ENCRYPTION_CLEAR 13-26 TRUSTED_AP_INVALID_RADIO_POLICY 13-26 
TRUSTED_AP_INVALID_RADIO_POLICY_CLEAR 13-26 TRUSTED_AP_INVALID_SSID 13-26 TRUSTED_AP_INVALID_SSID_CLEAR 13-27 TRUSTED_AP_MISSING 13-27 TRUSTED_AP_MISSING_CLEAR 13-27 Traps Added in Release 2.2 13-28 AP_IMPERSONATION_DETECTED 13-28 AP_RADIO_CARD_RX_FAILURE 13-28 AP_RADIO_CARD_RX_FAILURE_CLEAR 13-29 AP_RADIO_CARD_TX_FAILURE 13-29 AP_RADIO_CARD_TX_FAILURE_CLEAR 13-29 SIGNATURE_ATTACK_CLEARED 13-30 SIGNATURE_ATTACK_DETECTED 13-30 TRUSTED_AP_INVALID_PREAMBLE 13-31 TRUSTED_AP_INVALID_PREAMBLE_CLEARED 13-31 Traps Added in Release 3.0 13-31 AP_FUNCTIONALITY_DISABLED 13-32 AP_IP_ADDRESS_FALLBACK 13-32 AP_REGULATORY_DOMAIN_MISMATCH 13-33 RX_MULTICAST_QUEUE_FULL 13-33 Traps Added in Release 3.1 13-34 AP_AUTHORIZATION_FAILURE 13-34 HEARTBEAT_LOSS_TRAP 13-35 INVALID_RADIO_INTERFACE 13-35 RADAR_CLEARED 13-36 RADAR_DETECTED 13-36 RADIO_CORE_DUMP 13-36 RADIO_INTERFACE_DOWN 13-37 RADIO_INTERFACE_UP 13-37 UNSUPPORTED_AP 13-37 Traps Added in Release 3.2 13-38 LOCATION_NOTIFY_TRAP 13-38 Traps Added In Release 4.0 13-38 CISCO_LWAPP_MESH_POOR_SNR 13-39 CISCO_LWAPP_MESH_PARENT_CHANGE 13-39 CISCO_LWAPP_MESH_CHILD_MOVED 13-40 CISCO_LWAPP_MESH_CONSOLE_LOGIN 13-40Contents xxxi Cisco Prime Network Control System Configuration Guide OL-25451-01 CISCO_LWAPP_MESH_AUTHORIZATION_FAILURE 13-40 EXCESSIVE_ASSOCIATION 13-41 CISCO_LWAPP_MESH_PARENT_EXCLUDED_CHILD 13-41 CISCO_LWAPP_MESH_CHILD_EXCLUDED_PARENT 13-42 CISCO_LWAPP_MESH_EXCESSIVE_PARENT_CHANGE 13-42 IDS_SHUN_CLIENT_TRAP 13-42 IDS_SHUN_CLIENT_CLEAR_TRAP 13-43 MFP_TIMEBASE_STATUS_TRAP 13-43 MFP_ANOMALY_DETECTED_TRAP 13-43 GUEST_USER_REMOVED_TRAP 13-44 Traps Added or Updated in Release 4.0.96.0 13-44 AP_IMPERSONATION_DETECTED 13-45 RADIUS_SERVER_DEACTIVATED 13-45 RADIUS_SERVER_ACTIVATED 13-45 RADIUS_SERVER_WLAN_DEACTIVATED 13-46 RADIUS_SERVER_WLAN_ACTIVATED 13-46 RADIUS_SERVER_TIMEOUT 13-46 DECRYPT_ERROR_FOR_WRONG_WPA_WPA2 13-46 Traps Added or Updated in Release 4.1 13-47 AP_IMPERSONATION_DETECTED 13-48 INTERFERENCE_DETECTED 13-48 
INTERFERENCE_CLEAR 13-48 ONE_ANCHOR_ON_WLAN_UP 13-49 RADIUS_SERVER_DEACTIVATED 13-49 RADIUS_SERVER_ACTIVATED 13-49 RADIUS_SERVER_WLAN_DEACTIVATED 13-50 RADIUS_SERVER_WLAN_ACTIVATED 13-50 RADIUS_SERVER_TIMEOUT 13-50 MOBILITY_ANCHOR_CTRL_PATH_DOWN 13-50 MOBILITY_ANCHOR_CTRL_PATH_UP 13-51 MOBILITY_ANCHOR_DATA_PATH_DOWN 13-51 MOBILITY_ANCHOR_DATA_PATH_UP 13-52 WLAN_ALL_ANCHORS_TRAP_DOWN 13-52 MESH_AUTHORIZATIONFAILURE 13-52 MESH_CHILDEXCLUDEDPARENT 13-53 MESH_PARENTCHANGE 13-53 MESH_PARENTEXCLUDECHILD 13-53 MESH_CHILDMOVED 13-54 MESH_EXCESSIVEASSOCIATIONFAILURE 13-54 MESH_EXCESSIVEPARENTCHANGE 13-55Contents xxxii Cisco Prime Network Control System Configuration Guide OL-25451-01 MESH_POORSNR 13-55 MESH_POORSNRCLEAR 13-55 MESH_CONSOLELOGIN 13-56 LRADIF_REGULATORY_DOMAIN 13-56 LRAD_CRASH 13-57 LRAD_UNSUPPORTED 13-57 Traps Added or Updated in Release 4.2 13-57 GUEST_USER_ADDED 13-58 GUEST_USER_AUTHENTICATED 13-58 IOSAP_LINK_UP 13-58 LRAD_POE_STATUS 13-59 ROGUE_AP_NOT_ON_NETWORK 13-59 IOSAP_UP 13-59 Traps Added or Updated in Release 5.0 13-60 GUEST_USER_LOGOFF 13-60 STATION_ASSOCIATE_DIAG_WLAN 13-60 Traps Added or Updated in Release 5.2 13-60 LRAD_REBOOTREASON 13-61 WIPS_TRAPS 13-61 Alarm Names 13-62 Traps Added or Updated in Release 6.0 13-63 MSE_EVAL_LICENSE 13-63 MSE_LICENSING_ELEMENT_LIMIT 13-64 STATION_AUTHENTICATED 13-64 WLC_LICENSE_NOT_ENFORCED 13-64 WLC_LICENSE_COUNT_EXCEEDED 13-65 VOIP_CALL_FAILURE 13-65 Traps Added or Updated in Release 7.0 13-65 SI_AQ_TRAPS 13-65 SI_SECURITY_TRAPS 13-66 SI_SENSOR_CRASH_TRAPS 13-66 Traps Added or Updated in Release 7.0.1 13-66 FAN_MONITOR 13-67 FUTURE_RESTART_DAY_MSG 13-67 LOCATION_CALCULATOR 13-68 RAID_MONITOR 13-72 POWER_MONITOR 13-72 SI_AQ_BUFFER_UNAVAILABLE_TRAPS 13-73 NCS_NOTIFICATION_ALARM 13-74 NMSP 13-75Contents xxxiii Cisco Prime Network Control System Configuration Guide OL-25451-01 MSE_DOWN 13-75 Traps Added in NCS Release 1.0 13-76 AP_FUNCTIONALITY_LICENSE_EXPIRED 13-77 AP_IP_FALLBACK 13-77 COUNTRY_CODE_CHANGED 13-77 
CPU_RX_MULTICAST_QUEUE_FULL 13-78 FAN_FAILURE 13-78 GUEST_USER_REMOVED 13-78 HEART_BEAT_LOSS 13-79 IPSEC_ESP_AUTH_FAILURE 13-79 IPSEC_ESP_INVALID_SPI 13-79 IPSEC_ESP_REPLAY_FAILURE 13-80 IPSEC_SUITE_NEG_FAILURE 13-80 INVALID_RADIO 13-80 LINK_FAILURE 13-81 MESH_BATTERY 13-81 MESH_DEFAULTBRIDGEGROUPNAME 13-81 MESH_EXCESSIVECHILDREN 13-82 MESH_EXCESSIVEHOPCOUNT 13-82 MESH_QUEUEOVERFLOW 13-82 MESH_SECBACKHAULCHANGE 13-83 MSTREAM_CLIENT_DLIST 13-83 MSTREAM_CLIENT_FAILURE 13-83 MSTREAM_CLIENT_ADMIT 13-84 POWER_SUPPLY_CHANGE 13-84 RADAR_CHANNEL_DETECTED 13-84 RADIOCARD_FAILURE 13-85 RADIO_CURRENT_TXPOWER_CHANGED 13-85 RRM_GROUPING_DONE 13-85 SIGNATURE_ATTACK 13-86 STATION_IOS_DEAUTHENTICATE 13-86 STATION_IOS_AUTHENTICATION_FAIL 13-87 STATION_WIRED_CHANGED 13-88 STP_NEWROOT 13-88 TEMP_MOBILITY_ANCHOR_CTRL_PATH_DOWN 13-88 TEMP_MOBILITY_ANCHOR_DATA_PATH_DOWN 13-89 TEMP_WLAN_ALL_ANCHORS_TRAP_DOWN 13-89 VOICE_COVERAGE_HOLE_ALARM 13-89 WLC_SCHEDULED_RESET 13-90 Switch Traps 13-90Contents xxxiv Cisco Prime Network Control System Configuration Guide OL-25451-01 COLD_START (FROM MIB-II STANDARD) 13-91 LINK_DOWN (FROM MIB-II STANDARD) 13-92 LINK_UP (FROM MIB-II STANDARD) 13-92 SWT_AUTH_FAIL 13-92 SWT_CAEM_TEMPERATURE 13-93 SWT_CAEM_VOLTAGE 13-93 SWT_CDER_MON_EXCEPTION 13-93 SWT_CEFC_STATUS_CHANGE 13-94 SWT_CEV_FANONS15540_FAN_TRAY8 13-94 SWT_CEV_PORT_TRANSPARENT 13-94 SWT_CEV_PORT_WAVE 13-95 SWT_CONFIG_MAN_EVENT 13-95 SWT_CONTENT_ENGINE_OVERLOAD 13-95 SWT_CONTENT_ENGINE_WRITE_FAILED 13-96 SWT_CVPDN_SESSION 13-96 SWT_DMD_NBRLAYER2_CHANGE 13-96 SWT_ENV_MON_SHUTDOWN 13-97 SWT_GROUP_CHANGE 13-97 SWT_IP_PERMIT_DENIED 13-97 SWT_LER_ALARM_ON 13-98 SWT_LS1010_CHASSIS_CHANGE 13-98 SWT_LS1010_CHASSIS_FAILURE 13-98 SWT_MODULE_DOWN 13-99 SWT_MODULE_UP 13-99 SWT_PETH_POWER_USAGE_OFF 13-99 SWT_PETH_POWER_USAGE_ON 13-100 SWT_PETH_PSE_PORT_STATUS 13-100 SWT_RESET_EVENT 13-100 SWT_RPTR_HEALTH 13-101 SWT_RTT_MON_CONN_CHANGE 13-101 SWT_RTT_MON_NOTE 13-101 SWT_RTT_MON_THRESHOLD 13-102 
SWT_RTT_MON_TIMEOUT 13-102 SWT_RTT_MON_VERIFY_ERROR 13-102 SWT_STP_NEW_ROOT 13-103 SWT_STP_TOPOLOGY_CHANGE 13-103 SWT_SWT_LER_ALARM_OFF 13-104 SWT_SYS_CONFIG_CHANGE 13-104 SWT_VLAN_TRAUNK_PORT_DYN_STATUS 13-104 SWT_VM_VMPS_CHANGE 13-105Contents xxxv Cisco Prime Network Control System Configuration Guide OL-25451-01 SWT_VTP_CONFIG_DIGEST_ERROR 13-105 SWT_VTP_CONFIG_REV_NUMBER 13-105 SWT_VTP_MTU_TOO_BIG 13-106 SWT_VTP_SERVER_DIABLED 13-106 SWT_VTP_VER1_DEV_DETECTED 13-106 SWT_VTP_VLAN_RING_NUM_CONFLICT 13-107 STP_TOPOLOGY_CHANGE 13-107 WARM_START 13-107 Traps Added in NCS Release 1.1 13-108 FRIENDLY_ROGUE_AP_DETECTED_ON_NETWORK 13-108 FRIENDLY_ROGUE_AP_DETECTED 13-108 UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK 13-109 UNCLASSIFIED_ROGUE_AP_DETECTED_ON_NETWORK_AND_CONTAINED 13-109 Alarms Raised Through Polling 13-112 AP_DETECTED_DUPLICATE_IP 13-114 AUTHMGR-5-SUCCESS 13-114 AUTHMGR-5-FAIL 13-114 AUTHMGR-5-SECURITY_VIOLATION 13-115 DOT1X-5-SUCCESS 13-115 DOT1X-5-FAIL 13-115 AP_DISASSOCIATED_MAINTENANCE 13-116 CPM_UNREACHABLE 13-116 IOSAP_ADMIN_DOWN 13-116 IOSAP_DOWN 13-117 NCS_VERY_LOW_DISK_SPACE 13-117 NCS_LOW_MEMORY 13-117 NCS_CLIENT_TRAP_DISABLED 13-118 AUTHMGR-5-START 13-118 AUTHMGR-5-FAIL 13-119 AUTHMGR-5-SECURITY_VIOLATION 13-119 AUTHMGR-5-START 13-119 AUTHMGR-5-SUCCESS 13-119 AUTHMGR-SP-5-VLANASSIGN 13-120 APPLIANCE_FAN_BACK_TO_NORMAL 13-120 APPLIANCE_FAN_BAD_OR_MISSING 13-120 APPLIANCE_POWER_SUPPLY_BACK_TO_NORMAL 13-121 APPLIANCE_POWER_SUPPLY_BAD_OR_MISSING 13-121 APPLIANCE_RAID_BACK_TO_NORMAL 13-121 APPLIANCE_RAID_BAD_OR_MISSING 13-122 APPLIANCE_TEMP_BACK_TO_NORMAL 13-122Contents xxxvi Cisco Prime Network Control System Configuration Guide OL-25451-01 APPLIANCE_TEMP_EXCEED_UPPER_LIMIT 13-122 AUDIT_STATUS_DIFFERENCE 13-123 CONFIG_BACKUP_FAILED 13-123 CONFIG_BACKUP_SUCCEEDED 13-123 COLD_START (FROM MIB-II STANDARD) 13-124 CONFIGAUDITSET_ENFORCEMENT_FAIL 13-124 CONFIGAUDITSET_ENFORCEMENT_SUCCESS 13-124 CONFIG_SAVED 13-125 CPM_REACHABLE 13-125 
DOT1X_SWITCH-5-ERR_VLAN_NOT_FOUND 13-125 DOT1X-5-FAIL 13-126 DOT1X-5-SUCCESS 13-126 DBADMIN_PASSWORD_RESET 13-126 DBADMIN_PASSWORD_RESET_FAILED 13-127 DBADMIN_PASSWORD_RESET_FAILED_ALERTi 13-127 EPM-4-POLICY_APP_FAILURE 13-127 EPM-6-POLICY_APP_SUCCESS 13-128 HM_CONFIGURATION 13-128 HM_DATABASE_CRITICAL 13-128 HM_DATABASE 13-129 HM_FAILOVER 13-129 HM_FAILBACK 13-129 HM_REACHABILITY 13-130 HM_REGISTRATION 13-130 IOSAP_LINK_DOWN 13-130 IPSEC_ESP_POLICY_FAILURE 13-131 IPSEC_OTHER_POLICY_FAILURE 13-131 LICENSE_VIOLATION 13-131 LOC_SENSOR_UP 13-131 LINK-3-UPDOWN 13-132 LOCATION_SENSOR_DOWN 13-132 LOCATION_SERVER_DOWN 13-132 LOCATION_SERVER_LIMIT 13-133 LOCATION_SERVER_OUT_OF_SYNC 13-133 LWAPP_AP_IF_DOWN_FC 13-133 LWAPP_AP_IF_DOWN_RC 13-134 MSE_LICENSING 13-134 MSE_NOTIFY 13-134 MSE_UPGRADE 13-134 MAB-5-FAIL 13-135Contents xxxvii Cisco Prime Network Control System Configuration Guide OL-25451-01 MAB-5-SUCCESS 13-135 NB_OSS_UNREACHABLE 13-135 NB_OSS_REACHABLE 13-136 NCS_ALARM_TABLE_SIZE_BASED_CLEANUP_DONE 13-136 NCS_DOWN 13-136 NCS_EMAIL_FAILURE 13-137 NCS_NOTIFICATION_FAILURE 13-137 NCS_LOW_DISK_SPACE 13-137 NCS_OK_DISK_SPACE_BACKUP 13-138 NCS_OK_DISK_SPACE 13-138 NCS_LOW_DISK_SPACE_BACKUP 13-138 PASSWORD_EXPIRY_ALARM 13-139 RADIO_COVERAGE_PROFILE_FAILED 13-139 RADIO_CURRENT_CHANNEL_CHANGED 13-139 RADIO_INTERFERENCE_PROFILE_FAILED 13-140 RADIO_LOAD_PROFILE_FAILED 13-140 RADIO_NOISE_PROFILE_FAILED 13-141 RADIO_SHUT_FAILED 13-141 RADIO_SHUT_SUCCESS 13-141 RADIUS-4-RADIUS_ALIVE 13-142 RADIUS-4-RADIUS_DEAD 13-142 ROGUE_ADHOC_DETECTED_ON_NETWORK 13-142 ROGUE_ADHOC_DETECTED_CONTAINED 13-143 ROGUE_AP_STATE_CHANGE 13-143 ROGUE_DETECTED 13-143 ROGUE_DETECTED_CONTAINED 13-144 ROGUE_DETECTED_ON_NETWORK 13-144 ROGUE_AUTO_CONTAINED 13-144 SWITCH_DOWN 13-145 SWT_SWITCH_DOWN 13-145 STATION_AUTHFAIL_VLAN_ASSIGNED 13-145 STATION_CRITICAL_VLAN_ASSIGNED 13-146 STATION_GUEST_VLAN_ASSIGNED 13-146 TRACKED_CLIENT_DETECTION 13-146 USER_AUTHENTICATION_FAILURE 13-147 WARM_START 13-147 Wireless 
Intrusion Protection Alarms 13-147 WLAN_SHUT_FAILED 13-148 WLAN_SHUT_SUCCESS 13-148 WLC_CANCEL_SCHEDULED_RESET 13-148Contents xxxviii Cisco Prime Network Control System Configuration Guide OL-25451-01 WLC_SCHEDULED_RESET_FAILED 13-149 Unsupported Traps 13-149 C H A P T E R 14 Reports 14-1 Report Launch Pad 14-2 Mapping Reports in WCS with Reports in NCS 14-3 Non Upgradable Reports from WCS to NCS 14-5 Creating and Running a New Report 14-6 Managing Current Reports 14-13 Managing Scheduled Run Results 14-14 Sorting Scheduled Run Results 14-15 Viewing or Editing Scheduled Run Details 14-16 Managing Saved Report Templates 14-16 Filtering Saved Report Templates 14-17 Viewing or Editing Saved Report Template Details 14-18 Running a Saved Report Template 14-18 Autonomous AP Reports 14-21 Autonomous AP Memory and CPU Utilization 14-21 Configuring an Autonomous AP Memory and CPU Utilization Report 14-21 Autonomous AP Memory and CPU Utilization Report Results 14-22 Autonomous AP Summary 14-23 Configuring the Autonomous AP Summary Report 14-23 Autonomous AP Summary Report Results 14-24 Autonomous AP Tx Power and Channel 14-25 Configuring an Autonomous AP Tx Power and Channel Report 14-25 Autonomous AP Tx Power and Channel Report Results 14-26 Autonomous AP Uptime 14-27 Configuring Autonomous AP Uptime Report 14-27 Autonomous AP Uptime Report Results 14-28 Autonomous AP Utilization 14-29 Configuring an Autonomous AP Utilization Report 14-29 Autonomous AP Utilization Report Results 14-30 Busiest Autonomous APs 14-31 Configuring a Busiest Autonomous APs Report 14-31 Busiest Autonomous APs Report Results 14-32 CleanAir Reports 14-32 Air Quality vs Time 14-33 Configuring an Air Quality vs Time Report 14-33 Air Quality vs Time Report Results 14-34Contents xxxix Cisco Prime Network Control System Configuration Guide OL-25451-01 Security Risk Interferers 14-34 Configuring a Security Risk Interferers Report 14-35 Security Risks Interferers Report Results 14-36 Worst Air Quality APs 
14-36 Configuring a Worst Air Quality APs Report 14-36 Worst Air Quality APs Report Results 14-38 Worst Interferers 14-38 Configuring a Worst Interferers Report 14-38 Worst Interferers Report Results 14-39 Client Reports 14-40 Busiest Clients 14-40 Configuring a Busiest Client Report 14-41 Busiest Client Report Results 14-42 Client Count 14-43 Configuring a Client Count Report 14-43 Client Count Report Results 14-45 Client Sessions 14-46 Configuring a Client Sessions Report 14-46 Client Sessions Report Results 14-48 Client Summary 14-50 Configuring a Client Summary Report 14-50 Client Summary Report Results 14-52 Client Traffic 14-54 Configuring a Client Traffic Report 14-54 Client Traffic Report Results 14-55 Client Traffic Stream Metrics 14-56 Configuring a Client Traffic Stream Metrics Report 14-56 Client Traffic Stream Metrics Report Results 14-58 Posture Status Count 14-60 Configuring a Posture Status Count Report 14-60 Posture Status Count Report Results 14-61 Throughput 14-62 Configuring a Throughput Report 14-62 Throughput Report Results 14-63 Unique Clients 14-64 Configuring a Unique Clients Report 14-64 Unique Client Report Results 14-66 V5 Client Statistics 14-67 Configuring a V5 Client Statistics Report 14-67 V5 Client Statistics Report Results 14-67Contents xl Cisco Prime Network Control System Configuration Guide OL-25451-01 Compliance Reports 14-68 Configuration Audit 14-69 Configuring a Configuration Audit Report 14-69 Configuration Audit Report Results 14-70 PCI DSS Detailed 14-72 Configuring a PCI DSS Detailed Report 14-72 PCI DSS Detailed Report Results 14-73 PCI DSS Summary 14-74 Configuring a PCI DSS Summary Report 14-74 PCI DSS Summary Report Results 14-75 ContextAware Reports 14-77 Client Location History 14-77 Configuring a Client Location History 14-77 Client Location History Results 14-78 Client Location Tracking 14-78 Configuring a Client Location Tracking 14-79 Client Location Tracking Results 14-79 Guest Location Tracking 14-80 
Configuring a Guest Location Tracking 14-80 Guest Location Tracking Results 14-81 Location Notifications 14-81 Configuring a Location Notification 14-81 Location Notification Results 14-83 Rogue AP Location Tracking 14-83 Configuring a Rogue AP Location Tracking 14-83 Rogue AP Location Tracking Results 14-84 Rogue Client Location Tracking 14-84 Configuring a Rogue Client Location Tracking 14-84 Rogue Client Location Tracking Results 14-85 Tag Location History 14-86 Configuring a Tag Location History 14-86 Tag Location History Results 14-87 Tag Location Tracking 14-87 Configuring a Tag Location Tracking 14-87 Tag Location Tracking Results 14-88 Device Reports 14-88 AP Image Predownload 14-89 Configuring an AP Image Predownload Report 14-89 AP Image Predownload Report Results 14-90 AP Profile Status 14-91Contents xli Cisco Prime Network Control System Configuration Guide OL-25451-01 Configuring an AP Profile Report 14-91 AP Profile Status Report Results 14-92 Busiest APs 14-93 Configuring a Busiest APs Report 14-93 Busiest APs Report Results 14-94 CPU Utilization 14-95 Configuring a CPU Utilization Report 14-95 Detailed Switch Inventory 14-96 Configuring a Detailed Switch Inventory Report 14-96 Identity Capability 14-97 Configuring an Identity Capability Report 14-97 Memory Utilization 14-98 Configuring a Memory Utilization Report 14-98 Non-Primary Controller APs 14-99 Configuring a Non-Primary Controller APs Report 14-99 Non-Primary Controller APs Report Results 14-100 Switch Interface Utilization 14-100 Configuring Switch Interface Utilization Report 14-100 Switch Interface Utilization Report Results 14-102 AP Summary 14-102 Configuring an AP Summary Report 14-102 AP Summary Report Results 14-104 Inventory 14-105 Configuring an Inventory Report 14-105 Inventory Report Results 14-109 Uptime 14-111 Configuring an Uptime Report 14-112 Uptime Report Results 14-112 Utilization 14-113 Configuring a Utilization Report 14-113 Utilization Report Results 14-115 Guest Reports 
14-116 Guest Accounts Status 14-116 Configuring a Guest Accounts Status Report 14-116 Guest Account Status Report Results 14-117 Guest Association 14-118 Configuring a Guest Association Report 14-118 Guest Association Report Results 14-119 Guest Count 14-119 Configuring a Guest Count Report 14-119Contents xlii Cisco Prime Network Control System Configuration Guide OL-25451-01 Guest Count Report Results 14-120 Guest User Sessions 14-120 Configuring a Guest User Sessions Report 14-121 Guest User Sessions Report Results 14-121 NCS Guest Operations 14-122 Configuring a NCS Guest Operations Report 14-122 NCS Guest Operation Report Results 14-123 Identity Services Engine Reports 14-123 Mesh Reports 14-124 Alternate Parent 14-124 Configuring an Alternate Parent Report 14-125 Alternate Parent Report Results 14-125 Link Stats 14-126 Configuring a Link Stats Report 14-126 Link Stats Report Results 14-127 Nodes 14-128 Configuring a Nodes Report 14-128 Nodes Report Results 14-129 Packet Stats 14-130 Configuring a Packet Stats Report 14-130 Packet Stats Report Results 14-131 Packet Error Statistics 14-132 Configuring a Packet Error Statistics Report 14-132 Packet Error Statistics Report Results 14-133 Packet Queue Statistics 14-134 Configuring a Packet Queue Statistics Report 14-134 Packet Queue Statistics Report Results 14-135 Stranded APs 14-136 Configuring a Stranded APs Report 14-136 Stranded APs Report Results 14-137 Worst Node Hops 14-138 Configuring a Worst Node Hops Report 14-138 Worst Node Hops Report Results 14-140 Network Summary 14-141 802.11n Summary 14-141 Configuring an 802.11n Summary Report 14-141 802.11n Summary Report Results 14-142 Executive Summary 14-142 Configuring an Executive Summary Report 14-142Contents xliii Cisco Prime Network Control System Configuration Guide OL-25451-01 Executive Summary Report Results 14-142 Performance Reports 14-143 802.11 Counters 14-144 Configuring an 802.11 Counters Report 14-144 802.11 Counters Report Results 14-146 
Coverage Hole 14-147
Configuring a Coverage Hole Report 14-147
Coverage Hole Report Results 14-148
Network Utilization 14-149
Configuring a Network Utilization Report 14-150
Network Utilization Report Results 14-150
Traffic Stream Metrics 14-151
Configuring a Traffic Stream Metrics Report 14-151
Traffic Stream Metrics Report Results 14-153
Tx Power and Channel 14-154
Configuring a Tx Power and Channel Report 14-155
Tx Power and Channel Report Results 14-155
VoIP Calls Graph 14-156
Configuring a VoIP Calls Graph Report 14-156
VoIP Calls Report Results 14-157
VoIP Calls Table 14-157
Configuring a VoIP Calls Table Report 14-157
VoIP Calls Table Results 14-158
Voice Statistics 14-159
Configuring a Voice Statistics Report 14-159
Voice Statistics Results 14-160
Security Reports 14-161
Adaptive wIPS Alarm 14-162
Configuring an Adaptive wIPS Alarm Report 14-162
Adaptive wIPS Alarm Report Results 14-163
Adaptive wIPS Alarm Summary 14-164
Configuring an Adaptive wIPS Alarm Summary Report 14-164
Adaptive wIPS Alarm Summary Report Results 14-165
Adaptive wIPS Top 10 AP 14-167
Configuring an Adaptive wIPS Top 10 AP Report 14-167
Adaptive wIPS Top 10 AP Report Results 14-168
Adhoc Rogue Count Summary 14-169
Configuring an Adhoc Rogue Count Summary Report 14-169
Adhoc Rogue Count Summary Report Results 14-170
Adhoc Rogue Events 14-170
Configuring an Adhoc Rogue Events Report 14-171
Adhoc Rogue Events Report Results 14-172
Adhoc Rogues 14-172
Configuring an Adhoc Rogues Report 14-173
Adhoc Rogues Report Results 14-174
New Rogue AP Count Summary 14-174
Configuring a New Rogue AP Count Summary Report 14-175
New Rogue AP Count Summary Report Results 14-176
New Rogue APs 14-176
Configuring a New Rogue AP Report 14-176
New Rogue AP Report Results 14-177
Rogue AP Count Summary 14-178
Configuring a Rogue AP Count Summary Report 14-179
Rogue AP Count Summary Report Results 14-180
Rogue Access Point Events 14-181
Configuring a Rogue Access Point Events Report 14-181
Rogue AP Events Report Results 14-182
Rogue APs 14-183
Configuring a Rogue APs Report 14-183
Rogue APs Report Results 14-184
Security Alarm Trending Summary 14-185
Configuring a Security Alarm Trending Summary Report 14-185
Security Alarm Trending Summary Report Results 14-186

CHAPTER 15 Performing Administrative Tasks 15-1
Information About Administrative Tasks 15-1
Background Tasks 15-2
Configuring Administrative Settings 15-3
Other Background Tasks 15-4
Configuring Auto Provisioning for Controllers 15-5
Auto Provisioning Device Management (Auto Provisioning Filter List) 15-6
High Availability 15-6
User Preferences 15-7
License Center 15-8
NCS License Information 15-8
WLC Controller License Information 15-9
WLC Controller License Summary 15-10
Mobility Services Engine (MSE) License Information 15-12
Mobility Services Engine (MSE) License Summary 15-13
Performing Background Tasks 15-15
Performing a Data Collection Task 15-15
Data Collection Tasks 15-18
Performing Other Background Tasks 15-19
Viewing Appliance Status 15-20
Viewing Autonomous AP Client Status 15-20
Viewing Autonomous AP Operational Status 15-21
Performing a Configuration Sync 15-22
Viewing Lightweight Client Status 15-24
Viewing Controller Configuration Backup Status 15-25
Viewing Controller Operational Status 15-26
Viewing Data Cleanup Status 15-28
Performing Device Data Collection 15-28
Performing Guest Accounts Sync 15-29
Viewing Identity Services Engine Status 15-30
Updating License Status 15-31
Lightweight AP Operational Status 15-33
Lightweight AP Client Status 15-34
Performing location appliance Backup 15-35
Viewing location appliance Status 15-36
Performing location appliance Synchronization 15-37
Performing NCS Server Backup 15-38
Viewing OSS Server Status 15-39
Viewing the Switch NMSP and Location Status 15-40
Viewing Switch Operational Status 15-41
Performing wIPS Alarm Synchronization 15-42
Wired Client Status 15-43
Other Background Tasks 15-44
Importing Tasks Into ACS 15-52
Adding NCS to an ACS Server 15-53
Adding NCS as a TACACS+ Server 15-53
Adding NCS User Groups into ACS for TACACS+ 15-54
Adding NCS to an ACS Server for Use with RADIUS 15-56
Adding NCS User Groups into ACS for RADIUS 15-57
Adding NCS to a Non-Cisco ACS Server for Use with RADIUS 15-60
Configuring Controller Auto Provisioning 15-61
Adding an Auto Provisioning Filter 15-61
Editing an Auto Provisioning Filter 15-64
Deleting an Auto Provisioning Filter(s) 15-64
Listing Auto Provisioning Filter(s) Device Information 15-65
Listing All Auto Provisioning Filter(s) Device Information 15-65
Exporting Auto Provisioning Filter(s) 15-66
Exporting All Auto Provisioning Filter(s) 15-66
Auto Provisioning Primary Search Key Settings 15-67
Establishing Logging Options 15-67
General Logging Options 15-67
SNMP Logging Options 15-69
Syslog Options 15-70
Using Logging Options to Enhance Troubleshooting 15-71
Configuring Administrative Settings 15-72
Configuring Alarms 15-72
Configuring an Audit 15-74
Audit Mode 15-74
Audit On 15-76
Configuring Clients 15-76
Configuring Protocols for CLI Sessions 15-79
Configuring Controller Upgrade 15-79
Configuring Data Management 15-81
NCS Historical Data 15-81
Configuring a Guest Account 15-82
Configuring Login Disclaimer 15-83
Configuring the Mail Server 15-84
Configuring the Notification Receiver 15-85
Adding a Notification Receiver to NCS 15-86
Removing a Notification Receiver 15-87
MIB to NCS Alert/Event Mapping 15-89
Configuring Reports 15-92
Configuring Server Settings 15-93
Configuring Alarm Severities 15-93
Configuring SNMP Credentials 15-94
Viewing Current SNMP Credential Details 15-95
Adding a New SNMP Credential Entry 15-96
Configuring SNMP Settings 15-98
Configuring Switch Port Tracing 15-99
Establishing Switch Port Tracing 15-102
Switch Port Tracing Details 15-103
Switch Port Tracing Troubleshooting 15-103
Configuring High Availability 15-104
Guidelines and Limitations for High Availability 15-104
Failover Scenario 15-105
High Availability Status 15-105
Configuring High Availability on the Primary NCS 15-106
Deploying High Availability 15-107
Adding a New Primary NCS 15-108
Removing a Primary NCS 15-109
Setting User Preferences 15-109
Viewing Appliance Details 15-110
Viewing Appliance Status Details 15-110
Viewing Appliance Interface Details 15-112
Managing Individual Licenses 15-112
Managing Controller Licenses 15-113
Managing NCS Licenses 15-114
Managing MSE Licenses 15-115
Configuring ACS 5.x 15-115
Creating Network Devices and AAA Clients 15-116
Adding Groups 15-116
Adding Users 15-117
Creating Policy Elements or Authorization Profiles 15-118
Creating Policy Elements or Authorization Profiles for RADIUS 15-118
Creating Policy Elements or Authorization Profiles for TACACS 15-118
Creating Authorization Rules 15-119
Creating Service Selection Rules for RADIUS 15-119
Creating Service Selection Rules for TACACS 15-120
Configuring Access Services 15-121
Configuring Access Services for RADIUS 15-121
Configuring Access Services for TACACS 15-122
Managing Licenses 15-123
Managing NCS Licenses 15-123
Adding a New NCS License File 15-123
Deleting an NCS License File 15-124
Monitoring Controller Licenses 15-124
Managing Mobility Services Engine (MSE) Licenses 15-125
Registering Product Authorization Keys 15-126
Installing Client and wIPS License Files 15-127
Deleting a Mobility Services Engine License File 15-128
Configuring AAA 15-128
Changing Password 15-128
Configuring AAA Mode 15-129
Configuring Local Password Policy 15-130
Configuring Users 15-130
Configuring Groups 15-134
Viewing Active Sessions 15-136
Configuring TACACS+ Servers 15-137
Configuring RADIUS Servers 15-139
Authenticating AAA Users Through RADIUS Using Cisco Identity Services Engine (ISE) 15-141
Adding NCS as an AAA Client in ISE 15-142
Creating a New User Group in ISE 15-142
Creating a New User and Adding to a User Group in ISE 15-143
Creating a New Authorization Profile in ISE 15-143
Creating an Authorization Policy Rule in ISE 15-143
Configuring AAA in NCS 15-144

CHAPTER 16 NCS Services 16-1
Mobility Services 16-1
Accessing Services Installation Guides 16-2
MSE Services Co-Existence 16-2
Viewing Current Mobility Services 16-3
Adding a Mobility Services Engine 16-5
Deleting a Mobility Services Engine from Cisco NCS 16-6
Registering Product Authorization Keys 16-7
Installing Device and wIPS License Files 16-8
Adding a Location Server 16-9
Synchronizing Services 16-10
Keeping Mobility Services Engines Synchronized 16-10
Synchronizing NCS and a Mobility Services Engine 16-10
Synchronizing Controllers with Mobility Services Engines 16-12
Working with Third-Party Elements 16-13
Setting and Verifying the Timezone on a Controller 16-14
Configuring Smart Mobility Services Engine Database Synchronization 16-15
Out-of-Sync Alarms 16-17
Viewing Mobility Services Engine Synchronization Status 16-18
Viewing Synchronization History 16-18
Viewing Notification Statistics 16-19
Managing System Properties for a Mobility Services Engine 16-20
Editing General Properties for a Mobility Services Engine 16-20
Editing NMSP Parameters for a Mobility Services Engine 16-22
Viewing Active Session Details for a Mobility Services Engine 16-24
Viewing and Adding Trap Destinations for a Mobility Services Engine 16-24
Editing Advanced Parameters for a Mobility Services Engine 16-25
Rebooting the Mobility Services Engine Hardware 16-26
Shutting Down the Mobility Services Engine Hardware 16-27
Clearing the Mobility Services Engine Database 16-27
Working with Logs 16-27
Managing User and Group Accounts for a Mobility Services Engine 16-29
Monitoring Status Information for a Mobility Services Engine 16-32
Viewing Server Events for a Mobility Services Engine 16-32
Viewing Audit Logs from a Mobility Services Engine 16-32
Viewing NCS Alarms for a Mobility Services Engine 16-33
Viewing NCS Events for a Mobility Services Engine 16-33
Viewing NMSP Connection Status for a Mobility Services Engine 16-33
Managing Maintenance for Mobility Services 16-35
Viewing or Editing Mobility Services Backup Parameters 16-35
Backing Up Mobility Services Engine Historical Data 16-36
Restoring Mobility Services Engine Historical Data 16-36
Downloading Software to a Mobility Services Engine Using NCS 16-37
Managing Cisco Adaptive wIPS Service Parameters 16-37
Managing Context-Aware Software Parameters 16-38
Context-Aware General Parameters 16-39
Context-Aware Administration Parameters 16-39
Modifying Tracking Parameters for Mobility Services 16-40
Modifying Filtering Parameters for Mobility Services 16-44
Modifying History Parameters for Mobility Services 16-46
Enabling Location Presence for Mobility Services 16-47
Importing Asset Information for Mobility Services 16-48
Exporting Asset Information for Mobility Services 16-48
Importing Civic Information for Mobility Services 16-49
Context Aware Wired Parameters 16-49
Monitoring Interferers 16-52
Context Aware Advanced Parameters 16-57
Modifying Location Parameters for Mobility Services 16-57
Modifying Notification Parameters for Mobility Services 16-59
Viewing Tag Engine Status 16-61
Viewing Notification Information for Mobility Services 16-62
Viewing the Notifications Summary for Mobility Services 16-62
Viewing and Managing Notifications Settings for Mobility Services 16-64
Viewing Notification Statistics 16-64
About Event Groups 16-65
Adding Event Groups 16-65
Deleting Event Groups 16-65
Working with Event Definitions 16-66
Adding Event Definitions 16-68
Deleting an Event Definition 16-72
Upgrading from 5.x to 6.0 or 7.0 16-72
Viewing the MSE Alarm Details 16-74
MSE License Overview 16-76
MSE License Structure Matrix 16-76
Sample MSE License File 16-76
Revoking and Reusing an MSE License 16-77
Location Assisted Client Troubleshooting from the ContextAware Dashboard 16-77
MSE Reports 16-78
Planning for and Configuring Context-Aware Software 16-78
wIPS Planning and Configuring 16-80
Identity Services 16-80
Viewing Identity Services 16-81
Adding an Identity Services Engine 16-81
Removing an Identity Services Engine 16-82

CHAPTER 17 Tools 17-1
Information About Tools 17-1
Voice Audit 17-1
Location Accuracy Tool 17-2
Running Voice Audits 17-2
Running Voice Audits on Controllers 17-2
Choosing Voice Audit Rules 17-3
Voice Audit Report Details 17-6
Voice Audit Report Results 17-6
Configuring Location Accuracy Tool 17-7
Enabling the Location Accuracy Tool 17-7
Viewing Currently Scheduled Accuracy Tests 17-8
Viewing Accuracy Test Details 17-8
Using Scheduled Accuracy Testing to Verify Accuracy of Current Location 17-8
Using On-demand Accuracy Testing to Test Location Accuracy 17-10
Configuring Audit Summary 17-11
Configuring Migration Analysis 17-12
Upgrading Autonomous Access Points 17-13
Changing Station Role to Root Mode 17-13
Running Migration Analysis 17-13
Generating the Migration Analysis Report 17-13
Viewing a Firmware Upgrade Report 17-14
Changing Station Role to Root Mode 17-14
Viewing a Role Change Report 17-14
Running Migration Analysis 17-14
Viewing a Migration Analysis Report 17-14
Configuring TAC Case Attachments 17-15

CHAPTER 18 Configuring Virtual Domains 18-1
Information About Virtual Domains 18-1
Configuring a Virtual Domain 18-2
Creating a New Virtual Domain 18-2
Understanding Virtual Domain Hierarchy 18-3
Managing a Virtual Domain 18-7
Virtual Domain RADIUS and TACACS+ Attributes 18-9
Understanding Virtual Domains as a User 18-9

CHAPTER 19 wIPS Policy Alarm Encyclopedia 19-1
Security IDS/IPS Overview 19-1
Intrusion Detection—Denial of Service Attack 19-2
Denial of Service Attack Against Access Points 19-3
Denial of Service Attack: Association Flood 19-3
Denial of Service Attack: Association Table Overflow 19-4
Denial of Service Attack: Authentication Flood 19-5
Denial of Service Attack: EAPOL-Start Attack 19-6
Denial of Service Attack: PS Poll Flood 19-6
Denial of Service Attack: Unauthenticated Association 19-7
Denial of Service Attack Against Infrastructure 19-8
Denial of Service Attack: CTS Flood 19-9
Denial of Service Attack: Queensland University of Technology Exploit 19-9
Denial of Service Attack: RF Jamming 19-10
Denial of Service Attack: RTS Flood 19-11
Denial of Service Attack: Virtual Carrier Attack 19-12
Denial of Service Attack Against Client Station 19-13
Denial of Service Attack: Authentication-Failure Attack 19-14
Denial of Service Attack: Block ACK 19-15
Denial of Service Attack: Deauthentication Broadcast Flood 19-16
Denial of Service Attack: Deauthentication Flood 19-17
Denial of Service Attack: Disassociation Broadcast Flood 19-19
Denial of Service Attack: Disassociation Flood 19-20
Denial of Service Attack: EAPOL-Logoff Attack 19-21
Denial of Service Attack: FATA-Jack Tool 19-21
Denial of Service Attack: Premature EAP-Failure 19-23
Denial of Service Attack: Premature EAP-Success 19-23
Intrusion Detection—Security Penetration 19-24
Airsnarf Attack 19-25
Chopchop Attack 19-27
Day-0 Attack by WLAN Performance Anomaly 19-28
Day-0 Attack by WLAN Security Anomaly 19-30
Day-0 Attack by Device Performance Anomaly 19-31
Day-0 Attack by Device Security Anomaly 19-32
Device Probing for APs 19-33
Dictionary Attack on EAP Methods 19-36
EAP Attack Against 802.1x Authentication 19-36
Fake Access Points Detected 19-37
Fake DHCP Server Detected 19-37
Fast WEP Crack Tool Detected 19-38
Fragmentation Attack 19-39
Hot-Spotter Tool Detected 19-40
Malformed 802.11 Packets Detected 19-42
Man-in-the-Middle Attack 19-42
Monitored Device Detected 19-43
NetStumbler Detected 19-44
NetStumbler Victim Detected 19-45
Publicly Secure Packet Forwarding (PSPF) Violation Detected 19-46
ASLEAP Tool Detected 19-47
Honey Pot AP Detected 19-48
Soft AP or Host AP Detected 19-49
Spoofed MAC Address Detected 19-49
Suspicious After-Hours Traffic Detected 19-50
Unauthorized Association by Vendor List 19-50
Unauthorized Association Detected 19-51
Wellenreiter Detected 19-52

APPENDIX A Troubleshooting and Best Practices A-1
Troubleshooting Cisco Compatible Extensions Version 5 Client Devices A-1
Diagnostic Channel A-1
Configuring the Diagnostic Channel A-2
Web Auth Security on WLANs A-3
Debug Commands A-4
Debug Strategy A-4
RF Heatmap Analysis A-8
Best Practices A-9

APPENDIX B NCS and End-User Licenses B-1
NCS Licenses B-1
Types of Licenses B-1
Licensing Enforcement B-3
Product Authorization Key Certificate B-3
Determining Which License To Use B-3
Installing a License B-4
Backup and Restore License B-4
Notices and Disclaimers B-5
Notices B-5
OpenSSL/Open SSL Project B-5
License Issues B-5
Disclaimers B-7
End-User License Agreement B-7

APPENDIX C Cisco NCS Server Hardening C-1
NCS Password Handling C-1
Setting Up SSL Certification C-2
Setting Up SSL Client Certification C-2
Setting Up SSL Server Certification C-3

INDEX

Preface
The preface provides an overview of the Cisco Prime Network Control System Configuration Guide, Release 1.0, references related publications, and explains how to obtain other documentation and technical assistance, if necessary.
This chapter contains the following sections:
• Audience, page lv
• Purpose, page lv
• Conventions, page lv
• Related Publications, page lvi
• Obtaining Documentation and Submitting a Service Request, page lvi

Audience
This guide describes the Cisco Prime Network Control System (NCS). It is meant for networking professionals who use NCS to manage a Cisco Unified Network Solution. To use this guide, you should be familiar with the concepts and terminology associated with wired and wireless LANs.

Purpose
This guide provides the information you need to manage a Cisco Unified Network Solution using NCS.

Note This guide pertains specifically to NCS Release 1.0. Earlier versions of NCS or WCS software may look and operate somewhat differently.

Conventions
This publication uses the following conventions to convey instructions and information:
• Commands and keywords are in boldface text.
• Variables are in italicized text.
• Examples depict screen displays and the command line in screen font.
• Information you need to enter in examples is shown in boldface screen font.

Note Means reader take note. Notes contain helpful suggestions or references to material not contained in the manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Related Publications
For more information about NCS and related products, see the following website: http://www.cisco.com/cisco/web/psa/default.html

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service, and Cisco currently supports RSS version 2.0.

CHAPTER 1 Cisco NCS Overview
This chapter describes the Cisco Unified Network Solution and the Cisco NCS. It contains the following sections:
• The Cisco Unified Network Solution, page 1-1
• About NCS, page 1-2
• NCS Licenses, page 1-3
• Cisco Unified Network Components, page 1-6
• Access Point Communication Protocols, page 1-9
• NCS Services, page 1-11

The Cisco Unified Network Solution
The Cisco Unified Network Solution provides both wired and 802.11 wireless networking solutions for enterprises and service providers. It simplifies the deployment and management of large-scale wired and wireless LANs and enables you to create a unique best-in-class security infrastructure. The operating system manages all client data, communications, and system administration functions, performs radio resource management (RRM) functions, manages system-wide mobility policies using the operating system security solution, and coordinates all security functions using the operating system security framework.
The Cisco Unified Network Solution consists of Cisco managed switches, Cisco Unified Wireless Network Controllers (hereafter called controllers), and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the following operating system user interfaces:
• An HTTPS full-featured web user interface hosted by Cisco controllers can be used to configure and monitor individual controllers.
• A full-featured command-line interface (CLI) can be used to configure and monitor individual controllers.
• NCS can be used to configure and monitor one or more controllers and associated access points. NCS has tools to facilitate large-system monitoring and control. It runs on a predefined physical appliance and on specific virtual deployments.
• An industry-standard SNMP v1, v2c, and v3 interface can be used with any SNMP-compliant third-party network management system. Only SNMPv3 with authentication and privacy protects this management channel; v1 and v2c carry community strings in cleartext, so if they must be enabled, restrict them to a dedicated management network.

The Cisco Unified Network Solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. It uses lightweight access points, controllers, and the optional NCS to provide wireless services to enterprises and service providers.

Note Unless specified otherwise, information pertaining to controllers applies to all Cisco Unified Wireless Network Controllers, including but not limited to Cisco 2000 and 2100 Series Unified Wireless Network Controllers, Cisco 4100 Series Unified Wireless Network Controllers, Cisco 4400 Series Unified Wireless Network Controllers, Cisco 5500 Series Wireless LAN Controllers, and controllers within the Cisco Wireless Services Module (WiSM) and Cisco 26/28/37/38xx Series Integrated Services Routers.

Figure 1-1 shows the Cisco Unified Network Solution components, which can be simultaneously deployed across multiple floors and buildings.
Figure 1-1 Cisco Unified Network Solution

About NCS
The Cisco Prime Network Control System (NCS) is a Cisco LAN Solution network management tool that adds to the capabilities of the web user interface and the command-line interface (CLI). NCS enables you to configure and monitor one or more controllers, switches, and associated access points. NCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.

NCS runs on Red Hat Enterprise Linux Server 5.x 64-bit installations. On Linux, NCS runs as a service, which runs continuously and resumes running after a reboot.

To control all permitted Cisco Unified Network Solution configuration, monitoring, and control functions, you must use Internet Explorer 7.0 or later with the Chrome and Flash plug-ins, or Mozilla Firefox 3.5 or later. The administrator defines permissions from the Administration menu, which also enables the administrator to manage user accounts and schedule periodic maintenance tasks.

Note We strongly recommend that you do not enable third-party browser extensions; an extension can read and alter everything the NCS web session displays. In Internet Explorer, you can disable third-party browser extensions by choosing Tools > Internet Options and unselecting the Enable third-party browser extensions check box on the Advanced tab.

NCS simplifies controller configuration and monitoring and reduces data entry errors. NCS uses the industry-standard SNMP protocol to communicate with the controllers. NCS also includes the Floor Plan editor, which allows you to do the following:
• Vectorize bitmap campus, floor plan, and outdoor area maps.
• Add and change wall types.
• Import the vector wall format maps into the database.
Note The vector files allow the Cisco NCS RF Prediction Tool to make better RF predictions based on more accurate wall and window RF attenuation values.

NCS Licenses
NCS is deployed through physical or virtual appliances. You use the standard License Center graphical user interface to add new licenses, which are locked to the standard Cisco Unique Device Identifier (UDI). When NCS is deployed on a virtual appliance, licensing works the same way as on a physical appliance, except that a Virtual Unique Device Identifier (VUDI) takes the place of the UDI.

Note If you want to move licenses from one physical appliance to another, you will need to call the Licensing TAC and rehost the licenses to the new UDI.

An NCS license is recognized by its SKU, which is usually attached to every purchase order to clearly identify which software or package a customer purchased. The different NCS license options are described in this section.

This section contains the following topics:
• NCS Evaluation License, page 1-4
• NCS Device Count License, page 1-4
• NCS Upgrade License, page 1-4
• NCS Migration License, page 1-5

NCS Evaluation License
NCS can be used in a lab, or in an evaluation, with the following license: NCS-DEMO-10. This provides an evaluation license for 10 devices for a duration of 30 days. If you need a custom device count or duration, please contact your Cisco representative.

NCS Device Count License
NCS uses a single-tier licensing structure that includes all features and functionality in a single tier. Part numbers are purchased based on the number of devices to be managed. Part numbers are available to support 50, 100, 500, 1000, 2500, 5000, or 10000 devices, where both an AP and a switch are each counted as a single managed device.
NCS Device Count licenses are ordered as follows. You can choose either a physical appliance or a virtual appliance for the NCS setup. If you order the physical appliance, you are shipped a PRIME-NCS-APL-K9 along with a PAK for the license quantity you ordered. That is, if you order L-NCS-1.0-1K with the PRIME-NCS-APL-K9 SKU, you get a physical NCS appliance plus a PAK for managing 1000 devices. If you choose the virtual appliance option, download the virtual NCS image; the L-NCS-1.0-X PAK is mailed to you once it has been ordered. If you want to add more devices to your network, you can get the L-NCS-1.0-X-ADD SKU for X devices. The L-NCS-1.0-X-ADD licenses are identical to the base licenses; the only difference is that these SKUs are for additional licenses and do not come with physical or virtual activation. The larger license quantities, specifically 1K, 2.5K, 5K, and 10K, are shipped in smaller increments to allow the licenses to be split across different NCS instances.

NCS Upgrade License
The L-NCS-2.0-UPGRADE-X-ADD SKU is used to upgrade NCS 1.x to NCS 2.x. Upgrades come in the following counts: 50, 100, 500, 1K, 2.5K, 5K, and 10K devices. Once the lower-level license count is equaled or exceeded, the system considers the license for the next level. At this point new lower-level licenses are not allowed, but additional higher-level licenses are allowed. Note that a higher-level system accepts lower-level licenses as long as no higher-level license or upgrade license is present. This allows you to migrate licenses; take care to migrate them in order from the lowest version to the highest version. Consider a case where you are running NCS 3.0 and you have NCS 1.0, NCS 2.0, and NCS 3.0 licenses. You need to replace the current appliance with a new one and want to move the licenses, but not as part of a backup/restore process.
You must first load all NCS 1.0 licenses, an NCS 2.0 upgrade, the NCS 2.0 licenses, an NCS 3.0 upgrade, and then all the NCS 3.0 licenses for the licenses to be applied correctly.

NCS Migration License
NCS uses a single-tier license model. When Cisco WCS BASE or WCS PLUS licenses are migrated, they are mapped to the new Cisco Prime NCS single-tier model. This is a three-stage process.

This section contains the following topics:
• Obtaining the XML File from an Existing WCS Deployment, page 1-5
• Uploading the XML File to the Cisco Migration Portal, page 1-5
• Applying the New License to Cisco Prime NCS, page 1-6

The migration licenses generated by the Cisco migration portal have one of two levels, PLUS or BASE, with a device count; additionally there can be a Spectrum Expert license. These licenses are mapped to NCS 1.0 licenses of equivalent counts. For example, a WCS 7.0 BASE 500 with Spectrum Expert license can be converted to an NCS 1.0 500-device license.

Obtaining the XML File from an Existing WCS Deployment
To obtain the XML file from the existing WCS deployment, follow these steps:
Step 1 Log in to the WCS server (version 7.0.164.0 or higher) and choose Administration > License Center.
Note Apply the L-WCS-NCS1-M-K9 license first, before adding the licenses migrated from your WCS installation.
Step 2 From the left sidebar menu, choose File > WCS File.
Step 3 Select the WCS license you want to export, click the Export button, and save the generated XML file to your local machine.
Uploading the XML File to the Cisco Migration Portal
To upload the generated XML file to the Cisco Migration Portal, follow these steps:
Step 1 Go to http://www.cisco.com/go/license.
Step 2 Scroll down to the Migration section and click the Register for Upgrade/Migrate License link.
Step 3 Choose NCS 1.0 from the drop-down list, and click Go to Upgrade/Migration License Portal.
Step 4 Enter your Product ID and Serial Number.
Step 5 Open the generated XML file in a text editor and copy the contents of the file to the License Text box.
Step 6 Accept the end-user license agreement (EULA), verify your contact information, and click Continue.
Step 7 The Cisco Migration Portal generates the new license file and e-mails the license to you.

Applying the New License to Cisco Prime NCS
As mentioned in Step 7 of the "Uploading the XML File to the Cisco Migration Portal" section on page 1-5, the license file is distributed to you in an e-mail from Cisco. Do not edit the contents of the .lic file in any way, or you will render the file useless.
To apply the new license to Cisco Prime NCS, follow these steps:
Step 1 Log in to the Cisco NCS.
Step 2 Choose Administration > License Center.
Step 3 Choose File > NCS Files.
Step 4 Click Add, and then choose a license file.
Step 5 Click OK.

Note Prior to migrating WCS licenses on a Cisco Wireless LAN Solution Engine (WLSE), the solution needs to be running Cisco Wireless Control System 7.0.164.0 or later.

Note Cisco WLSE hardware does not support Cisco Prime NCS 1.0. Customers using WLSE hardware to run WCS are required to purchase either the physical appliance option or deploy the virtual appliance on their own hardware.

Cisco Unified Network Components
Cisco Unified Network Solutions ensures that your business achieves the highest level of network security and versatility.
Cisco Unified Network Solutions empowers your network with the ability to offer secure wireless networking, either within your office for increased mobility or bridging between your office buildings. The following are the different network components in the Cisco Unified Network Solutions:
• Cisco Prime NCS, page 1-7
• WLAN Controllers, page 1-7
• Access Points, page 1-7

Cisco Prime NCS
With NCS, network administrators have a single solution for RF prediction, policy provisioning, network optimization, troubleshooting, user tracking, security monitoring, and wired and wireless LAN systems management. Robust graphical interfaces make wired and wireless LAN deployment and operations simple and cost-effective. Detailed trending and analysis reports make NCS vital to ongoing network operations.

WLAN Controllers
The WLAN controllers are highly scalable and flexible platforms that enable system-wide services for mission-critical wireless in medium to large-sized enterprises and campus environments. Designed for 802.11n performance and maximum scalability, the WLAN controllers offer enhanced uptime with the ability to simultaneously manage from 250 to 5000 access points; superior performance for reliable streaming video and toll-quality voice; and improved fault recovery for a consistent mobility experience in the most demanding environments. NCS supports the Cisco wireless controllers, which help reduce the overall operational expenses of Cisco Unified Networks by simplifying network deployment, operations, and management.
The following WLAN controllers are supported in NCS:
• Cisco 2700 Series Location Appliance
• Cisco 2000 Series Wireless LAN Controllers
• Cisco 2100 Series Wireless LAN Controllers
• Cisco 2500 Series Wireless Controllers
• Cisco 4400 Series Wireless LAN Controllers
• Cisco 5500 Series Wireless Controllers
• Catalyst 3750G Wireless LAN Controller Switches
• Cisco Wireless Services Modules (WiSMs) for Cisco Catalyst 6500 Series Switches
• Cisco Wireless Services Module 2 (WiSM2) for Cisco Catalyst 6500 Series Switches
• Cisco Wireless Controller on SRE for ISR G2 Routers
• Cisco Flex 7500 Series Wireless Controllers
• Cisco WLAN Controller Network Modules for Cisco Integrated Services Routers

Access Points
NCS supports industry-leading performance access points for highly secure and reliable wireless connections for both indoor and outdoor environments. NCS supports a broad portfolio of access points targeted to the specific needs of all industries, business types, and topologies. The following access points are supported in NCS:
• Cisco Aironet 1000, 1040, 1100, 1130, 1140, 1200, 1230, 1240, 1250, 1260, 1310, 1500, 1524, 3500i, 3500e, and 3500p Series Lightweight Access Points.
• Cisco Aironet 801, 1040, 1100, 1130, 1141, 1142, 1200, 1240, 1250, and 1260 Autonomous Access Points.
• Cisco 600 Series OfficeExtend Access Points.
• Cisco Aironet Access Points running Lightweight Access Point Protocol (LWAPP) or Control and Provisioning of Wireless Access Points protocol (CAPWAP).
• Cisco 1550 Series Mesh Access Points.

Embedded Access Points
NCS supports the AP801, which is the integrated access point on the Cisco 800 Series Integrated Services Routers (ISRs). This access point uses a Cisco IOS software image that is separate from the router Cisco IOS software image.
It can operate as an autonomous access point that is configured and managed locally, or as a centrally managed access point using CAPWAP or LWAPP. The AP801 is preloaded with both an autonomous Cisco IOS release and a recovery image for unified mode. To use the AP801 with a controller, you must enable the recovery image for unified mode by entering the following command on the router in privileged EXEC mode:

service-module wlan-ap 0 bootimage unified

Note: If the service-module wlan-ap 0 bootimage unified command does not work, make sure that the software license is still current.

After enabling the recovery image, enter the following command on the router to shut down and reboot the access point:

service-module wlan-ap 0 reload

After the access point reboots, it discovers the controller, downloads the full CAPWAP or LWAPP software release from the controller, and acts as a lightweight access point.

Note: To use the CLI commands mentioned previously, the router must be running Cisco IOS Release 12.4(20)T or later. If you experience any problems, refer to the "Troubleshooting an Upgrade or Reverting the AP to Autonomous Mode" section in the Integrated Services Router configuration guide at this URL: http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/admin_ap.html

To support CAPWAP or LWAPP, the router must be activated with at least the Cisco Advanced IP Services IOS license-grade image. A license is required to upgrade to this Cisco IOS image on the router. See this URL for licensing information: http://www.cisco.com/en/US/docs/routers/access/sw_activation/SA_on_ISR.html

After the AP801 boots up with the recovery image for unified mode, it requires an IP address to communicate with the controller and to download its unified image and configuration from the controller.
The router can act as the DHCP server: define a DHCP pool on the subnet that reaches the controller and set option 43 to the controller IP address in the pool configuration. Use the following configuration to perform this task:

ip dhcp pool pool_name
 network ip_address subnet_mask
 dns-server ip_address
 default-router ip_address
 option 43 hex controller_ip_address_in_hex

Example:

ip dhcp pool embedded-ap-pool
 network 209.165.200.224 255.255.255.224
 dns-server 209.165.200.225
 default-router 209.165.200.226
 option 43 hex f104.0a0a.0a0f /* single WLC IP address (10.10.10.15) in hex format */

In the option 43 value, f1 is the vendor sub-option type (241), 04 is the length in bytes (four per controller address), and 0a0a0a0f is the controller management address 10.10.10.15. Check that the address you mean is the one the hex bytes actually encode before you deploy the pool.

The AP801 802.11n radio supports lower power levels than the 802.11n radio in the Cisco Aironet 1250 series access points. The AP801 stores the radio power levels and passes them to the controller when the access point joins the controller. The controller uses the supplied values to limit the user configuration. The AP801 can be used in hybrid-REAP mode. See the "Configuring Hybrid REAP" section for more information on hybrid REAP.

Note: For more information about the AP801, refer to the documentation for the Cisco 800 Series ISRs at this URL: http://www.cisco.com/en/US/products/hw/routers/ps380/tsd_products_support_series_home.html

Access Point Communication Protocols

In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate with the controller and with other lightweight access points on the network. Controller software releases prior to 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications. CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points.
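Returning to the DHCP option 43 configuration for the embedded access point above: the hex value is easy to get wrong by hand, and a wrong value sends every access point on that pool to the wrong address. The following Python script is an added example, not code from the Cisco guide. It encodes a list of controller management addresses into the sub-option 241 (0xf1) layout the guide shows, decodes a value back so a typed value can be checked, and renders the matching IOS pool stanza. The pool name and the second controller address 10.10.10.16 are constructed for illustration; the encoding also covers the multi-controller case, which the guide's example does not show.

```python
"""Encode and decode the Cisco DHCP option 43 value that tells a lightweight
AP where its WLAN controller is (added example, not code from the Cisco guide).

Layout, as in the guide's example: sub-option type 0xf1 (241), a one-byte
length equal to 4 * number of controllers, then each IPv4 management address
as four raw bytes. IOS renders the whole value as dotted groups of four hex
digits, e.g. f104.0a0a.0a0f for the single controller 10.10.10.15.
"""
import ipaddress

WLC_SUBOPTION = 0xF1  # vendor sub-option 241, used by Cisco lightweight APs


def encode_option43(controllers):
    """Return the IOS 'option 43 hex ...' string for one or more WLC addresses."""
    packed = [ipaddress.IPv4Address(c).packed for c in controllers]
    if not packed:
        raise ValueError("at least one controller address is required")
    if 4 * len(packed) > 255:
        raise ValueError("length field is one byte; too many controllers")
    raw = bytes([WLC_SUBOPTION, 4 * len(packed)]) + b"".join(packed)
    digits = raw.hex()
    # 2 + 4n bytes always yields a hex string whose length is a multiple of 4
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option43(value):
    """Parse an option 43 hex string back into controller addresses, validating
    the type and length bytes so a mistyped value is caught before deployment."""
    raw = bytes.fromhex(value.replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("not a WLC sub-option (expected leading 0xf1)")
    length = raw[1]
    if length % 4 or len(raw) != 2 + length:
        raise ValueError("length byte %d does not match payload of %d bytes"
                         % (length, len(raw) - 2))
    return [str(ipaddress.IPv4Address(raw[2 + i:6 + i]))
            for i in range(0, length, 4)]


def ios_dhcp_pool(name, network, mask, dns, gateway, controllers):
    """Render the DHCP pool stanza from the guide with a computed option 43."""
    return "\n".join([
        "ip dhcp pool %s" % name,
        " network %s %s" % (network, mask),
        " dns-server %s" % dns,
        " default-router %s" % gateway,
        " option 43 hex %s" % encode_option43(controllers),
    ])


if __name__ == "__main__":
    # The 209.165.200.x addresses are the guide's documentation ranges; the
    # second controller, 10.10.10.16, is constructed for this example.
    print(ios_dhcp_pool("embedded-ap-pool", "209.165.200.224", "255.255.255.224",
                        "209.165.200.225", "209.165.200.226",
                        ["10.10.10.15", "10.10.10.16"]))
    print(decode_option43("f104.0a0a.0a0f"))
```

Run the decoder on any option 43 value you are about to commit: a value whose length byte disagrees with its payload, or whose address does not match what the comment claims, is rejected or exposed before the access points ever see it.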
CAPWAP is being implemented in controller software release 5.2 for these reasons:
• To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
• To manage RFID readers and similar devices
• To enable controllers to interoperate with third-party access points in the future

LWAPP-enabled access points are compatible with CAPWAP, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware download process are the same under CAPWAP as under LWAPP. The one exception is Layer 2 deployments, which CAPWAP does not support.

Deployments can combine CAPWAP and LWAPP software on the controllers. CAPWAP-enabled access point software allows an access point to join a controller running either CAPWAP or LWAPP. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers running CAPWAP.

Note: The Cisco Aironet 1140 series and 3500 series access points associate only with CAPWAP controllers that run WLC version 7.0 or later.

This section contains the following topics:
• Guidelines and Restrictions for Using CAPWAP
• Cisco Wireless LAN Controller Autodiscovery
• The Controller Discovery Process

Guidelines and Restrictions for Using CAPWAP

• CAPWAP and LWAPP controllers cannot be used in the same mobility group. Therefore, client mobility between CAPWAP and LWAPP controllers is not supported.
• If your firewall is currently configured to allow traffic only from access points using LWAPP, you must change the firewall rules to allow traffic from access points using CAPWAP.
• Make sure that the CAPWAP ports are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.
• Any access control lists (ACLs) in your network might need to be modified, because CAPWAP uses different ports than LWAPP: CAPWAP uses UDP 5246 (control) and UDP 5247 (data), whereas LWAPP uses UDP 12223 (control) and UDP 12222 (data).

Cisco Wireless LAN Controller Autodiscovery

In a Cisco Unified Network architecture, access points (APs) are lightweight, which means they cannot act independently of a wireless LAN controller (WLC). An access point must first discover the WLCs and register with one before it can serve wireless clients. After the AP has registered with the controller, CAPWAP messages are exchanged and, if the AP's firmware version does not match the controller's, the AP downloads the controller's firmware over CAPWAP so that the two stay in sync. The controller then provisions the AP with the WLAN-specific configuration so that the AP can accept client associations.

Controller Autodiscovery is limited to the Cisco WLAN Solution mobility group subnets defined by the operator. Cisco Wireless LAN Controller Autodiscovery:
• Allows operators to search for a single controller by IP address.
• Finds the controllers on the network within the specified IP address range.
• Automatically enters the controller information into the Cisco NCS database.

Note: Controller Autodiscovery can take a long time even in a Class C address range. Because of the much larger number of addresses in a Class B or Class A range, we recommend that you do not attempt Autodiscovery across Class B or Class A ranges.

As access points associate with a controller, the controller immediately transmits the access point information to Cisco NCS, which automatically adds the access point to its database. Once the access point information is in the Cisco NCS database, operators can place the access point at the appropriate spot on a Cisco NCS user interface map.
The Controller Discovery Process

In a CAPWAP environment, a lightweight access point discovers a controller by using CAPWAP discovery mechanisms and then sends it a CAPWAP join request. The controller sends the access point a CAPWAP join response allowing the access point to join the controller. When the access point joins the controller, the controller manages its configuration, firmware, control transactions, and data transactions.

Lightweight access points must be discovered by a controller before they can become an active part of the network. The lightweight access points support these controller discovery processes:
• Layer 3 CAPWAP or LWAPP discovery: can occur on a different subnet from the access point and uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2 discovery.
• Over-the-air provisioning (OTAP): supported by Cisco 4400 series controllers. If this feature is enabled on the controller (in the controller General page), all associated access points transmit wireless CAPWAP or LWAPP neighbor messages, and new access points learn the controller IP address from these messages. This feature is disabled by default and should remain disabled once all access points are installed, since it advertises the controller address over the air to any listener.
• Locally stored controller IP address discovery: if the access point was previously associated with a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point's non-volatile memory. Storing controller IP addresses on access points for later deployment is called priming the access point.
• DHCP server discovery: uses DHCP option 43 to provide controller IP addresses to the access points. Cisco switches support a DHCP server option that is typically used for this capability.
• DNS discovery: the access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-CAPWAP-CONTROLLER.localdomain or CISCO-LWAPP-CONTROLLER.localdomain, where localdomain is the access point domain name. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain or CISCO-LWAPP-CONTROLLER.localdomain. When the DNS returns a list of controller IP addresses, the access point sends discovery requests to those controllers.

Neither DHCP option 43 nor DNS authenticates the address it hands out; the access point's trust in the controller is established by the certificate exchange during the CAPWAP join, not by how it learned the address. Keep the DHCP and DNS infrastructure that serves access points under the same change control as the controllers themselves.

NCS Services

The IT departments within organizations are tasked with meeting increased bandwidth and performance demands and managing a proliferation of new mobile devices, while guaranteeing network access, availability, and regulatory compliance. Cisco and its partners can work with IT staff to assist with migration to the Cisco Unified Network, making it easier to manage a secure, high-performance, integrated wired and wireless network that incorporates rich media and diverse mobile devices, including Wi-Fi-enabled phones and tablets.

NCS provides the following services:
• Cisco Context Aware Service Solution
• Cisco Identity Services Engine Solution
• Cisco Adaptive Wireless Intrusion Prevention Service

Cisco Context Aware Service Solution

Context Aware Service (CAS) gives a Wi-Fi 802.11a/b/g/n network the ability to determine the location of a person or object carrying an active Wi-Fi device, such as a wireless client or active RFID tag, along with any associated data that the end point passes through the wireless infrastructure to an upstream client.
Context Aware Service (CAS) allows a Mobility Services Engine (MSE) to simultaneously track thousands of mobile assets and clients by retrieving contextual information such as location and availability from Cisco access points. The collected contextual information can be viewed graphically in the NCS user interface, the centralized WLAN management platform. NCS is the management system that interfaces with the MSE and serves as the user interface (UI) for the services the MSE provides.

After the MSE is installed and its initial configuration is complete, the MSE can communicate with multiple Cisco wireless LAN controllers to collect operator-defined contextual information. You can then use the associated NCS to communicate with each MSE to transfer and display selected data. You can configure the MSE to collect data for clients, switches, rogue access points, rogue clients, mobile stations, and active RFID asset tags.

With Context-Aware Location Services, administrators can determine the location of any 802.11-based device, as well as the specific type or status of each device. Clients (associated, probing, and so on), rogue access points, rogue clients, and active tags can all be identified and located by the system. See the Context Aware Mobility Solution Deployment Guide for more information.

Note: One MSE can be managed by only one NCS; that is, a single MSE cannot be managed by multiple NCSs, but a single NCS can manage multiple MSEs. When the number of devices to be managed exceeds the capacity of a single MSE, you need to deploy multiple, independent MSEs.

Cisco Identity Services Engine Solution

The Cisco Identity Services Engine (ISE) is a next-generation identity and policy-based network access platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations.
Cisco ISE provides a single console where authentication, authorization, posture, guest, and profiling policies can be created and managed. In addition, policy elements can be reused across all services, reducing the number of tasks and the overhead and bringing consistency to the enterprise. Cisco ISE gathers information from devices, the infrastructure, and services to enable organizations to build richer contextual policies that can be enforced centrally across the network. ISE tracks all clients and devices connected to the network, acting as a single source of information for connected user and device identity and location, as well as the health of the endpoint. The ability to discover, identify, and monitor all IP-enabled endpoint devices gives IT teams complete visibility of both users and "headless" devices on the corporate network.

Cisco ISE combines AAA, posture, profiling, and guest management capabilities in a single appliance to enforce dynamic access control. ISE can be deployed across the enterprise infrastructure, supporting 802.1X wired, wireless, and VPN networks.

NCS manages the wired and wireless clients in the network. When Cisco ISE is used as the RADIUS server to authenticate clients, NCS collects additional information about these clients from Cisco ISE, so that all client-relevant information is visible in the single NCS console. When posture profiling is enforced in the network, NCS queries Cisco ISE for the posture data of the clients and displays it along with the other client attributes.
When Cisco ISE is used to profile the clients or endpoints in the network, NCS collects the profiled data to determine what type of client it is, whether an iPhone, iPad, Android device, or any other device. Cisco ISE thus assists NCS in monitoring and troubleshooting client information, and NCS displays all the relevant information for a client in a single console.

Cisco Adaptive Wireless Intrusion Prevention Service

Maintain a constant awareness of your RF environment to minimize legal liability, protect your brand reputation, and assure regulatory compliance. Cisco Adaptive Wireless Intrusion Prevention System (IPS) offers advanced network security for dedicated monitoring and detection of wireless network anomalies, unauthorized access, and RF attacks. Fully integrated with the Cisco Unified Network, this solution delivers integrated visibility and control across the network without the need for an overlay solution.

Cisco Adaptive Wireless Intrusion Prevention Service (wIPS) performs rogue access point, rogue client, and ad-hoc connection detection and mitigation; over-the-air wireless hacking and threat detection; security vulnerability monitoring; performance monitoring and self-optimization; network hardening for proactive prevention of threats; and complete wireless security management and reporting.

Cisco wIPS is made up of the following components, which work together to provide a unified security monitoring solution:
• A mobility services engine (MSE) running wIPS software: serves as the central point of alarm aggregation for all controllers and their respective wIPS monitor mode access points. Alarm information and forensic files are stored on the mobility services engine for archival purposes.
• A wIPS monitor mode access point: provides constant channel scanning with attack detection and forensics (packet capture) capabilities.
• Local mode access point: provides wireless service to clients in addition to time-sliced rogue scanning.
• Wireless LAN Controller: forwards attack information received from wIPS monitor mode access points to the mobility services engine and distributes configuration parameters to access points.
• Network Control System: provides a centralized management platform for the administrator to configure the wIPS service on the mobility services engine, push wIPS configurations to the controller, and configure access points in wIPS monitor mode. NCS is also used to view wIPS alarms, forensics, and reports, and to access the attack encyclopedia.

Chapter 2 Getting Started

This chapter describes system requirements and how to set up and start NCS. NCS is an application used to configure, manage, and monitor wired and wireless networks. This chapter contains the following sections:
• NCS Delivery Modes
• Reinstalling NCS on Physical Appliance
• Deploying the NCS Virtual Appliance
• Setting Up NCS
• Starting the NCS Server
• Logging into the NCS User Interface
• Applying the NCS Software License
• Understanding NCS Home Page
• Using the Search Feature

NCS Delivery Modes

Cisco NCS comes preinstalled on a physical appliance with various performance characteristics. The NCS software runs on either a dedicated Cisco Prime Network Control System appliance or on a VMware server. The NCS software image does not support the installation of any other packages or applications on this dedicated platform. The inherent scalability of NCS allows you to add appliances to a deployment to increase performance and resiliency.
NCS is delivered in two modes, the Physical Appliance and the Virtual Appliance. This section contains the following topics:
• Physical Appliance
• Virtual Appliance
• Operating Systems Requirements
• Client Requirements
• Prerequisites

Physical Appliance

The Physical Appliance has dual Intel 2.40 GHz Xeon E5620 quad-core processors, 16 GB RAM, and four hard drives in a RAID level 5 configuration. The appliance runs the latest 64-bit Red Hat Linux operating system. The Physical Appliance supports up to 15000 Cisco Aironet lightweight access points, 5000 standalone access points, 5000 switches, and 1200 Cisco wireless LAN controllers.

Note: To receive the expected results with NCS, you should run it on the high-performance Physical Appliance with built-in redundancy for hard disks, power supplies, and internal cooling fans. For more information on the Physical Appliance, see the Cisco Prime Network Control System Getting Started Guide, Release 1.0.

Virtual Appliance

NCS is also offered as a Virtual Appliance to support smaller deployments. Cisco NCS can be run on a workstation or a server, and access points can be distributed unevenly across controllers. The NCS Virtual Appliance software is distributed as an Open Virtualization Archive (OVA) file. There are three recommended levels of NCS distribution, with different resources and numbers of devices supported. This section contains the following topics:
• Virtual Appliance for Large Deployment
• Virtual Appliance for Medium Deployment
• Virtual Appliance for Small Deployment

Note: You can deploy the OVA file directly from the vSphere Client; you do not need to extract the archive before performing the deployment.
You can install the NCS Virtual Appliance using any of the methods for deploying an OVF that your VMware environment supports. Before starting, make sure that the NCS Virtual Appliance distribution archive is in a location accessible to the computer on which you are running the vSphere Client.

Note: For more information about setting up your VMware environment, see the VMware vSphere 4.0 documentation.

Virtual Appliance for Large Deployment
• Supports up to 15000 Cisco Aironet lightweight access points, 5000 standalone access points, 5000 switches, and 1200 Cisco wireless LAN controllers.
• 8 processors at 2.93 GHz or better.
• 16 GB RAM.
• 400 GB minimum free disk space.

Note: The free disk space listed is a minimum requirement and may differ for your system, depending on the number of backups.

Virtual Appliance for Medium Deployment
• Supports up to 7500 Cisco Aironet lightweight access points, 2500 standalone access points, 2500 switches, and 600 Cisco wireless LAN controllers.
• 4 processors at 2.93 GHz or better.
• 12 GB RAM.
• 300 GB minimum free disk space.

Virtual Appliance for Small Deployment
• Supports up to 3000 Cisco Aironet lightweight access points, 1000 standalone access points, 1000 switches, and 240 Cisco wireless LAN controllers.
• 2 processors at 2.93 GHz or better.
• 8 GB RAM.
• 200 GB minimum free disk space.

Note: For all server levels, AMD processors equivalent to the listed Intel processors are also supported.

Note: The free disk space listed is a minimum requirement; several variables (such as backups) affect the disk space actually needed.

Note: If you want to use a Cisco UCS server to deploy a virtual appliance for Cisco Prime NCS, you can use the UCS C-Series or B-Series.
Make sure the server you pick meets the processor, RAM, and hard disk requirements specified in the "Virtual Appliance" section for your deployment size.

Operating Systems Requirements

The following operating systems are supported:
• Red Hat Enterprise Linux Server 5.4, 64-bit.
• Red Hat Linux on VMware ESX version 3.0.1 and later, with either local storage or SAN over Fibre Channel.
• The recommended deployments for the virtual appliance are UCS and ESX/ESXi.

Note: You cannot install NCS on a standalone operating system such as Red Hat Linux; NCS is shipped as a physical or virtual appliance that comes preinstalled with a secure and hardened operating system.

Note: Individual operating systems running NCS in VMware must follow the specifications for the size of NCS that you intend to use.

Client Requirements

The Cisco NCS user interface requires Microsoft Internet Explorer 7.0 or later with the Google Chrome plugin, or Mozilla Firefox 3.6 or later. Microsoft Internet Explorer 6.0 is not supported.

Note: We strongly advise that you do not enable third-party browser extensions. In Internet Explorer, you can disable third-party browser extensions by choosing Tools > Internet Options and unselecting the Enable third-party browser extensions check box on the Advanced tab.

The client running the browser must have a minimum of 1 GB of RAM and a 2 GHz processor. The client device should not be running any CPU- or memory-intensive applications.

Note: The recommended minimum screen resolution for NCS is 1024 x 768 pixels.

Prerequisites

Before installing Cisco NCS, ensure that you have completed the following:
• Meet the necessary hardware and software requirements for Cisco NCS.
• Check the Compatibility Matrix for supported controller and IOS versions.
• Update your system with the necessary critical updates and service packs.

Note: See the latest release notes for information on the service packs and patches required for correct operation of Cisco NCS.

• To receive the expected results, run no more than 3 concurrent NCS setups on a standard server (4 GB memory and 3 GHz CPU) and no more than 5 concurrent NCS setups on a high-end server (8 GB memory and 3 GHz CPU).
• Verify that the following ports are open during installation and startup:
  – HTTP: configurable during install (80 by default)
  – HTTPS: configurable during install (443 by default)
  – 1315
  – 1299
  – 6789
  – 8009
  – 8456
  – 8005
  – 69
  – 21
  – 162
  – 8457

Note: Make sure your firewall rules are not restrictive. You can check the current rules on Linux with the built-in iptables -L command.

Reinstalling NCS on Physical Appliance

You must have root privileges to install NCS on the Physical Appliance.

Step 1 Insert the NCS software image DVD provided to you. The system boots up and the following console screen appears:

ISOLINUX 3.11 2005-09-02 Copyright (C) 1994-2005 H. Peter Anvin
Welcome to Cisco Prime Network Control System
To boot from hard disk, press <Enter>.
Available boot options:
[1] Network Control System Installation (Keyboard/Monitor)
[2] Network Control System Installation (Serial Console)
[3] Recover administrator password. (Keyboard/Monitor)
[4] Recover administrator password. (Serial Console)
Boot existing OS from Hard Disk.
Enter boot option and press <Enter>.
boot:

Options 3 and 4 reset the administrator password for anyone who can boot the appliance from this DVD, so physical access to the appliance, its DVD drive, and its serial console must be restricted to the administrators you trust with that password.

Step 2 Select option 1 to reinstall the NCS software image. The system reboots and takes you to the configure-appliance screen.

Step 3 Enter the initial setup parameters; the system reboots again. Remove the DVD and follow the steps in "Starting the NCS Server" to start the NCS server.
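Two passages in this guide come down to the same host-firewall check: the CAPWAP guideline in Chapter 1 (a rule set written for LWAPP's UDP 12222/12223 will not pass CAPWAP's UDP 5246/5247) and the list of ports above that must be open while NCS installs and starts. The following Python script is an added example, not code from the Cisco guide. It parses the output of iptables -L -n (the -n matters: without it iptables prints service names such as dpt:https instead of numbers), applies the first-match-wins rule order and the chain policy, and reports which required ports the INPUT chain does not accept. The sample listing is constructed, and the protocol assigned to each NCS port is an assumption (TCP, except TFTP 69 and SNMP trap 162 on UDP); the guide lists only port numbers.

```python
"""Audit an `iptables -L -n` listing against the ports a deployment needs
(added example; not code from the Cisco guide).

Covers two checks from the guide: the CAPWAP/LWAPP firewall guideline and the
list of ports that must be open while NCS installs and starts. The parser
expects the non-verbose, numeric listing (iptables -L -n, not -v).
"""
import re

# (port, protocol) pairs. Protocols for the NCS ports are an assumption.
NCS_PORTS = [(80, "tcp"), (443, "tcp"), (1315, "tcp"), (1299, "tcp"),
             (6789, "tcp"), (8009, "tcp"), (8456, "tcp"), (8005, "tcp"),
             (69, "udp"), (21, "tcp"), (162, "udp"), (8457, "tcp")]
CAPWAP_PORTS = [(5246, "udp"), (5247, "udp")]   # control, data
LWAPP_PORTS = [(12223, "udp"), (12222, "udp")]  # control, data

# Constructed sample of `iptables -L -n` output: an LWAPP-era INPUT chain.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8009
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:162
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:12222:12223
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1299,1315,6789

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def ports_in(extra):
    """Destination ports named in a rule's trailing match text (empty set if none).
    Handles dpt:N, dpts:A:B and multiport dports lists with ranges."""
    ports = set()
    for lo, hi in re.findall(r"\bdpts?:(\d+)(?::(\d+))?", extra):
        ports.update(range(int(lo), int(hi or lo) + 1))
    m = re.search(r"\bdports (\S+)", extra)
    if m:
        for item in m.group(1).split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_iptables(listing):
    """Return {chain: {"policy": str or None, "rules": [(target, proto, ports, extra)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        extra = parts[5] if len(parts) > 5 else ""
        chains[current]["rules"].append((parts[0], parts[1], ports_in(extra), extra))
    return chains


def verdict(chain, port, proto):
    """First matching rule wins, as in iptables; otherwise the chain policy applies.
    Source/destination address columns are ignored, so this is an overview of
    the rule set, not a substitute for reading it."""
    for target, rule_proto, ports, extra in chain["rules"]:
        if rule_proto not in ("all", proto):
            continue
        if ports:
            if port in ports:
                return target, extra
        elif rule_proto == "all" and not extra:
            return target, "catch-all rule"
    return chain["policy"] or "RETURN", "chain policy"


def blocked_ports(listing, required, chain="INPUT"):
    """Return the (port, proto) pairs from `required` that the chain does not ACCEPT."""
    chains = parse_iptables(listing)
    return [(p, pr) for p, pr in required if verdict(chains[chain], p, pr)[0] != "ACCEPT"]


if __name__ == "__main__":
    for label, required in (("NCS", NCS_PORTS), ("LWAPP", LWAPP_PORTS), ("CAPWAP", CAPWAP_PORTS)):
        print(label, "blocked:", blocked_ports(SAMPLE_LISTING, required))
```

On the constructed listing the LWAPP pair passes, both CAPWAP ports fall through to the DROP policy, 8009 is blocked by an explicit rule, and five of the NCS ports are blocked only by the policy, which is the "restrictive rules" situation the note above warns about. Feed the script the real listing (iptables -L -n) from the NCS host or the controller-facing firewall to get the same report for your rule set.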
Deploying the NCS Virtual Appliance

This section describes how to deploy the NCS Virtual Appliance either from the vSphere Client using the Deploy OVF Wizard or from the command line. (The VMware vSphere Client is a Windows application for managing and configuring the vCenter Server.) This section contains the following topics:
• Deploying the NCS Virtual Appliance from the VMware vSphere Client
• Deploying NCS Virtual Appliance using the Command Line Client

Deploying the NCS Virtual Appliance from the VMware vSphere Client

The NCS virtual image is packaged as an OVA file, an OVF package bundled into a single archive. In the vSphere Client, you can use the Deploy OVF Wizard to create a virtual machine running the NCS Virtual Appliance application, as described in this section.

Note: While the following procedure provides a general guideline for deploying the NCS Virtual Appliance, the exact steps you need to perform may vary depending on the characteristics of your VMware environment and setup.

To deploy the NCS Virtual Appliance, follow these steps:

Step 1 From the VMware vSphere Client main menu, choose File > Deploy OVF Template. The Deploy OVF Template Source window appears (see Figure 2-1).

Figure 2-1 Deploy OVF Template window

Step 2 Choose Deploy from file and choose the OVA file that contains the NCS Virtual Appliance distribution.

Step 3 Click Next. The OVF Template Details window appears. VMware ESX/ESXi reads the OVA attributes. The details include the product you are installing, the size of the OVA file (download size), and the amount of disk space that needs to be available for the virtual machine (size on disk).

Step 4 Verify the OVF Template details and click Next.
The Name and Location window appears (see Figure 2-2).

Figure 2-2 Name and Location window

Step 5 Either keep the default name for the VM to be deployed in the Name text box or provide a new one, and click Next. This name identifies the new virtual machine in the VMware infrastructure, so use a name that distinguishes this particular VM in your environment. The Host / Cluster window appears (see Figure 2-3).

Figure 2-3 Host/Cluster window

Step 6 Choose the destination host or HA cluster on which you want to deploy the NCS VM and click Next. The Resource Pool window appears.

Step 7 If you have more than one resource pool in your target host environment, choose the resource pool to use for the deployment and click Next. The Ready to Complete window appears.

Step 8 Review the settings shown for your deployment and, if needed, click Back to modify any of them.

Step 9 Click Finish to complete the deployment. A message notifies you when the installation completes, and the NCS Appliance appears in your inventory.

Step 10 Click Close to dismiss the Deployment Completed Successfully dialog box.

Configuring the Basic Settings for NCS Virtual Appliance

You have now deployed (installed) the NCS Virtual Appliance on a new virtual machine. A node for the virtual machine appears in the resource tree in the VMware vSphere Client window. Deploying the OVF template creates a new virtual machine in vCenter with the NCS Virtual Appliance application and related resources already installed on it. After deployment, you need to configure basic settings for the NCS Virtual Appliance.
To start the NCS setup, follow these steps:

Step 1 In the vSphere Client, click the NCS Virtual Appliance node in the resource tree. The virtual machine node should appear in the Hosts and Clusters tree below the host, cluster, or resource pool to which you deployed the NCS Virtual Appliance.

Step 2 On the Getting Started tab, click the Power on the virtual machine link under Basic Tasks. The Recent Tasks pane at the bottom of the vSphere Client indicates the status of the task associated with powering on the virtual machine. After the virtual machine successfully starts, the status column for the task displays Completed.

Step 3 Click the Console tab, then click within the console pane to make the console prompt active for keyboard input. Now set up the virtual appliance as described in the "Setting Up NCS" section.

Deploying NCS Virtual Appliance using the Command Line Client

This section describes how to deploy the NCS Virtual Appliance from the command line. As an alternative to using the vSphere Client to deploy the NCS OVA distribution, you can use the VMware OVF Tool, which is a command-line client. To deploy an OVA with the VMware OVF Tool, use the ovftool command, which takes the name of the OVA file to be deployed and the target location as arguments, as in the following example:

ovftool NCS-VA-X.X.X-large.ova vi://my.vmware-host.example.com/

In this case, the OVA file to be deployed is NCS-VA-X.X.X-large.ova and the target ESX host is my.vmware-host.example.com. For complete documentation on the VMware OVF Tool, see the VMware vSphere 4.0 documentation.

Setting Up NCS

This section describes how to configure the initial settings of the NCS Virtual Appliance.

Note: These steps need to be performed only once, upon first installation of the NCS Virtual Appliance.
To configure the basic network and login settings for the NCS Virtual Appliance, follow the steps below. When the steps are completed, the NCS Virtual Appliance is accessible over the network.

Note When you insert the NCS image DVD in the physical appliance for reinstallation, you get the same console prompt. Use the following steps to reinstall NCS on the physical appliance.

Step 1 At the login prompt, enter setup.

localhost.localdomain login: setup

The NCS configuration script starts and takes you through the initial configuration steps for NCS Virtual Appliance. In the first sequence of steps, you configure network settings.

Step 2 As prompted, enter the following settings:
a. Hostname for the virtual appliance.
b. IP address for the virtual appliance.
c. IP default subnet mask for the IP address entered.
d. IP address of the default gateway for the network in which you are creating the virtual machine.
e. Default DNS domain for the target environment.
f. IP address or hostname of the primary IP nameserver in the network.
g. At the Add/Edit another nameserver prompt, enter y (yes) to add additional nameservers, if desired. Otherwise, press Enter to continue.
h. NTP server location (or accept the default by pressing Enter). At the Add/Edit secondary NTP server prompt, enter y (yes) to add another NTP server. Otherwise, enter n (no) to continue.

Step 3 Enter the username for the account used to access the Cisco NCS system running on the virtual machine. The default username is admin (this is the account you log in with at the appliance console after setup), but you can change it to another username by typing it here.

Step 4 Enter the password for NCS. The password must be at least eight characters and must include both lowercase and uppercase letters and at least one number. It cannot include the username or default Cisco passwords.
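The setup script rejects a password that breaks the policy in Step 4, and the only feedback is the interactive prompt. The function below is an added example (not part of the Cisco guide or the setup script) that checks a candidate password against the same rules before you type it: minimum length eight, at least one lowercase letter, one uppercase letter and one digit, and no occurrence of the username. The setup script's list of blocked default Cisco passwords is not published on this page, so BLOCKED is an assumed placeholder list used only to show where that rule fits.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): pre-check a candidate NCS
# password against the policy stated in Step 4 of the setup procedure.
# BLOCKED is an assumed placeholder; the real list of default Cisco
# passwords lives in the setup script and is not reproduced here.
BLOCKED="cisco Cisco123 admin"

# check_password USERNAME PASSWORD -> 0 if the policy is met, 1 otherwise;
# every failed rule is reported on stderr so the user can fix all at once.
check_password() {
    user=$1; pw=$2; rc=0
    [ ${#pw} -ge 8 ] || { echo "shorter than 8 characters" >&2; rc=1; }
    printf '%s' "$pw" | grep -q '[a-z]' || { echo "no lowercase letter" >&2; rc=1; }
    printf '%s' "$pw" | grep -q '[A-Z]' || { echo "no uppercase letter" >&2; rc=1; }
    printf '%s' "$pw" | grep -q '[0-9]' || { echo "no digit" >&2; rc=1; }
    # Username check is case-insensitive: "Admin2011x" still contains admin.
    lpw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
    case "$lpw" in *"$luser"*) echo "contains the username" >&2; rc=1 ;; esac
    for b in $BLOCKED; do
        [ "$pw" = "$b" ] && { echo "is a default Cisco password" >&2; rc=1; }
    done
    return $rc
}
```

Run it as `check_password admin 'YourCandidate1'`; a zero exit status means the candidate satisfies every rule the page lists, so the interactive prompt will accept it.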
After you enter the password, the script verifies the network settings you configured; for instance, it attempts to reach the default gateway you configured. After verifying the network settings, the script starts the NCS installation process. This can take several minutes, during which there is no screen feedback. When finished, the following banner appears on the screen:

=== Initial Setup for Application: NCS ===

After this banner, the script runs the database scripts and reboots the server, as shown on the console:

Running database cloning script...
logger: invalid option -- l
usage: logger [-is] [-f file] [-p pri] [-t tag] [-u socket] [ message ... ]
Running database creation script...
logger: invalid option -- l
usage: logger [-is] [-f file] [-p pri] [-t tag] [-u socket] [ message ... ]
Setting Timezone, temporary workaround for DB...
Generating configuration...
Rebooting...

Note If you are installing a physical appliance, remove the ISO DVD from the DVD tray.

Step 5 Log in as admin and enter the admin password.

Step 6 Exit the console using the exit command.

Starting the NCS Server

This section provides instructions to start NCS on either a physical appliance or a virtual appliance.

Note To check the status of NCS at any time, follow the instructions in the “Verifying the Status of NCS” section on page 4-6.

To start the NCS server, follow these steps:

Step 1 After you have set up NCS and the server has rebooted, log in as admin.

Step 2 Enter the following command to start the NCS server:

ncs start

Logging into the NCS User Interface

To log into the NCS user interface through a web browser, follow these steps:

Step 1 Launch Internet Explorer 7.0 or later or Mozilla Firefox 3.6 or later on a computer other than the one on which you installed and started NCS.
Note When you use Firefox 3.x to log in to NCS for the first time, the browser warns that the connection is untrusted, because NCS presents a self-signed certificate. Follow the prompts to add a security exception and download the self-signed certificate from the NCS server. After you complete this procedure, Firefox accepts the NCS server as a trusted site now and during all future login attempts. Because the exception is stored permanently, confirm before adding it that the certificate shown in the dialog is the one your NCS server actually presents (for example, by comparing its fingerprint with one obtained over a trusted path); an exception stored for the wrong certificate would silently trust an impostor on every later login.

Step 2 In the address line of the browser, enter https://ncs-ip-address, where ncs-ip-address is the IP address of the server on which you installed and started NCS. The NCS user interface displays the Login page.

Step 3 Enter your username. The default username is root.

Step 4 Enter the root password you created during setup.

Note If any licensing problems occur, a message appears in an alert box. If you have an evaluation license, the number of days until the license expires is shown. You are also alerted to any expired licenses. You have the option to go directly to the licensing page to address these problems.

Step 5 Click Login to log into NCS. The NCS user interface is now active and available for use. The NCS home page appears.

The NCS home page enables you to choose the information that you want to see. You can organize the information in user-defined tabs called dashboards. The default view comes with default dashboards and pre-selected dashlets for each, and you can arrange them as you like. You can predefine what appears on the home page by choosing the monitoring dashlets that are critical for your network. For example, you may want different monitoring dashlets for a mesh network so that you can create a customized mesh dashboard.

Note If the database or Apache web server does not start, check the launchout.txt file on the Linux appliance. You will see a generic “failed to start database” or “failed to start the Apache web server” message.
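Comparing fingerprints is the practical way to make sure the security exception described in the note above is stored for the right certificate. The functions below are an added example (not part of the Cisco guide) that compute the SHA-256 fingerprint of the certificate an HTTPS server presents, or of a saved PEM copy, so it can be compared with the fingerprint Firefox shows in the Add Security Exception dialog. They assume openssl is installed on the workstation; the host and port names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): obtain the SHA-256 fingerprint
# of the certificate an NCS server presents so it can be compared with the
# one the browser shows before a permanent exception is stored.
# Assumes openssl on PATH; host/port values are placeholders.

# server_fingerprint HOST [PORT] -> SHA-256 fingerprint of the leaf cert
# presented on HOST:PORT (needs network access to the NCS server)
server_fingerprint() {
    host=$1; port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pem_fingerprint FILE -> the same computation for a saved certificate,
# e.g. one exported from the browser dialog or a known-good copy from the appliance
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fingerprints_match A B -> 0 when two fingerprints agree, ignoring case and
# colon separators (browsers and openssl format them differently)
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Usage: `server_fingerprint ncs-ip-address` from a host you trust, then `fingerprints_match "$(server_fingerprint ncs-ip-address)" "<fingerprint from the Firefox dialog>"`. A mismatch means the browser is about to store an exception for a certificate that is not the one your NCS server serves.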
Note When an upgrade occurs, the user-defined tabs arranged by the previous user in the previous version are maintained. Therefore, the latest dashlets may not show. Look at the Edit dashboard link to find which new dashlets have been added.

The home page provides a summary of the Cisco Unified Network Solution, including coverage areas, the most recently detected rogue access points, access point operational data, reported coverage holes, and client distribution over time. Figure 2-4 shows a typical NCS home page. By default, you see six dashboards on the NCS home page: General, Client, Security, Mesh, CleanAir, and ContextAware.

Note When you use NCS for the first time, the network summary pages show that the Controllers, Coverage Areas, Most Recent Rogue APs, Top 5 APs, and Most Recent Coverage Holes databases are empty. They also show that no client devices are connected to the system. After you configure the NCS database with one or more controllers, the NCS home page provides updated information.

Figure 2-4 NCS Home Page

To exit the NCS user interface, close the browser page or click Log Out in the upper-right corner of the page. Exiting an NCS user interface session does not shut down NCS on the server. When a system administrator stops the NCS server during your NCS session, your session ends, and the web browser displays the message “The page cannot be displayed.” Your session does not reassociate to NCS when the server restarts; you must start a new NCS session.

Applying the NCS Software License

This section describes how to apply a license to NCS. Before starting, make sure that you have already acquired the license from the Cisco License Center and placed it in a location that NCS can reach over the network.
To add a new NCS license file, follow these steps:

Step 1 From the Administration menu, choose License Center > Files > NCS Files, and click Add.

Step 2 In the Add a License File dialog box, enter or browse to the applicable license file.

Step 3 Once the file is displayed in the License File text box, click Upload.

For more on adding licenses, see the “Managing Licenses” section on page 15-123.

Understanding NCS Home Page

The NCS home page:
• enables the administrator to create and configure Cisco Unified Network Solution coverage area layouts, configure system operating parameters, monitor real-time Cisco Unified Network Solution operations, and perform troubleshooting tasks using an HTTPS web browser page.
• enables the administrator to create, modify, and delete user accounts; change passwords; assign permissions; and schedule periodic maintenance tasks. The administrator creates new usernames and passwords and assigns them to predefined permissions groups.
• allows the administrator to perform all necessary network administration tasks from one page.

The NCS home page is the landing page, displaying real-time monitoring and troubleshooting data. The navigation tabs and menus at the top of the page provide point-and-click access to all other administration features. The NCS user interface provides an integrated network administration console from which you can manage various devices and services, including wired and wireless devices and clients. The services may include authentication, authorization, profiler, location, and mobility services, as well as monitoring, troubleshooting, and reporting. All of these devices and services can be managed from a single console called the Cisco Prime NCS home page.
This section describes the NCS user interface page and contains the following topics:
• Dashboards, page 2-13
• Icons, page 2-22
• Menu Bar, page 2-23
• Global Toolbar, page 2-26
• Alarm Summary, page 2-27
• Main Data Page, page 2-28
• Administrative Elements, page 2-28

Dashboards

The NCS dashboards consist of dashlets and graphs that provide a visual overview of network health and security. The dashboard elements visually convey complex information in a simplified format, which allows you to quickly analyze the data and drill down for in-depth information if needed. Dashlets use a variety of elements to display data, including pie charts, sparklines, stacked bars, and metric meters.

The fundamental purpose of a dashboard is to provide an at-a-glance view of the most important parts of NCS. A quick scan of the dashboard should tell you whether anything needs attention. A dashboard generally provides status and alerts, and monitoring and reporting information. Dashboards contain several dashlets, which are UI containers that display a variety of widgets, such as text, form elements, tables, charts, tabs, and nested content modules. A dashboard displays the current status, which reflects the status and usage of the network (for example, client distribution), and trends, which reflect usage and status over time, built from data collected over time (for example, client count).

Figure 2-5 Dashboards

Note You must have Adobe Flash Player installed to view the dashlets on the NCS dashboard.

The six NCS dashboards are described in this section.
This section contains the following topics:
• General Dashboard, page 2-15
• Client Dashboard, page 2-16
• Security Dashboard, page 2-17
• Mesh Dashboard, page 2-18
• CleanAir Dashboard, page 2-18
• Context Aware Dashboard, page 2-21

You can customize the predefined set of dashlets depending on your network management needs. You can organize the information in user-defined dashboards. The default view comes with default dashboards and pre-selected dashlets for each.

Note
• The label “Edited” next to the dashlet heading indicates that the dashlet has been customized. If you reset to the default settings, the Edited label is cleared. Hover your mouse cursor over the label to see the edited information.
• When an upgrade occurs, the arrangement of dashlets from the previous version is maintained. Because of this, dashlets or features added in a new release are not displayed. Click the Manage Dashboards link to discover new dashlets.
• The horizontal and vertical scrollbars are visible if you zoom the dashlets. Reset the zoom level back to zero (no zoom) to view the dashlets without the scrollbars.

General Dashboard

Table 2-1 lists the factory default dashlets for the General dashboard.

Table 2-1 General Dashboard

Inventory Detail Status
Displays the following:
• Controllers—Lists the number of controllers that are managed in NCS. Graphically depicts reachable and unreachable controllers.
• Switches—Lists the number of switches managed in NCS. Graphically depicts reachable and unreachable switches.
• Radios—Lists the number of radios managed in NCS. Graphically depicts the number of radios in out-of-service (critical), minor, and ok conditions. This dashlet reflects only the most severe radio alarm status; that is, if a radio has both a minor alarm and a critical alarm, the radio status shows as critical.
• Autonomous APs—Lists the number of Autonomous APs managed in NCS. Graphically depicts reachable and unreachable Autonomous APs.
• MSEs—Lists the number of MSEs that are managed in NCS. Graphically depicts reachable and unreachable servers. Look at the installation log to verify that nothing went wrong while manually adding the servers to NCS. (The trace for MSEs must be turned on.)
Note Clicking the corresponding sections of the chart takes you to the item list view of the inventory.

Device Uptime
Displays the devices based upon device uptime.

Coverage Area
Displays access points, radios, and client details for each coverage area.

Client Count by Association/Authentication
Displays the total number of clients by association and authentication in NCS over the selected period of time.
• Associated client—All clients connected, regardless of whether they are authenticated.
• Authenticated client—All clients connected through a RADIUS or TACACS server.
Note Client count includes autonomous clients.

Client Count by Wireless/Wired
Displays the total number of clients by wired and wireless in NCS over the selected period of time.
Note Client count includes autonomous clients.

Top 5 Devices by Memory Utilization
Displays the top 5 devices based upon memory utilization.

Recent Coverage Holes
Displays the five most recent coverage alarms.

Client Dashboard

Table 2-2 lists the factory default dashlets for the Client dashboard.

Table 2-2 Client Dashboard

Client Troubleshooting
Allows you to troubleshoot a client by entering a client MAC address, then clicking Troubleshoot.

Client Distribution
Displays the distribution of clients by protocol, EAP type, and authentication, and the total current client count.
• 802.3 represents wired clients
• 802.11 represents wireless clients
Note Clicking the corresponding sections of the chart takes you to the item list view of the clients and users.

Client Alarms and Events Summary
Displays a summary of client alarms and events.

Client Traffic
Displays the trend of both upstream and downstream client traffic in a given time period.

Wired Client Speed Distribution
Displays the wired client speeds and the client count for each speed.

Top 5 SSIDs by Client Count
Displays the top 5 SSIDs by client count.

Top 5 Switches by Client Count
Displays the 5 switches that have the most clients, as well as the number of clients associated to each switch.

Client Posture Status
Displays the client posture status and the number of clients in each of the following states:
• Compliant
• Non-compliant
• Unknown
• Pending
• Not Applicable
• Error

Security Dashboard

Table 2-3 lists the factory default dashlets for the Security dashboard.

Table 2-3 Security Dashboard

Security Index
Indicates the security of the NCS-managed network. The security index is calculated by assigning priority to the various security configurations and displaying them in visual form.

Malicious Rogue APs
Displays malicious rogue access points for the past hour, past 24 hours, and total active.

Unclassified Rogue APs
Displays unclassified rogue access points for the past hour, past 24 hours, and total active.

Friendly Rogue APs
Displays friendly rogue access points for the past hour, past 24 hours, and total active.

Adhoc Rogues
Displays ad hoc rogues for the past hour, past 24 hours, and total active.

CleanAir Security
Displays CleanAir security events for the past hour, past 24 hours, and total active.
Attacks Detected
Displays wIPS and signature attacks for the past hour, past 24 hours, and total active.

Cisco Wired IPS Events
Displays wired IPS events for the past hour, past 24 hours, and total active.

AP Threats/Attacks
Displays threats or attacks to access points for the past hour, past 24 hours, and total active.

MFP Attacks
Displays MFP attacks for the past hour, past 24 hours, and total active.

Client Security Events
Displays the client security events for the past hour, past 24 hours, and total active.

Note Rogue alarms whose severity is set to Informational are not shown in the Security dashboard.

Mesh Dashboard

Table 2-4 lists the factory default dashlets for the Mesh dashboard.

Table 2-4 Mesh Dashboard

Most Recent Mesh Alarms
Displays the five most recent mesh alarms. Click the number in parentheses to access the Alarms page.

Mesh Worst SNR Links
Displays the worst signal-to-noise ratio (SNR) links. Data includes the Parent AP Name, the Child AP Name, and the Link SNR.

Mesh Worst Node Hop Count
Displays the worst node hop counts. Data includes the AP Name, the Hop Count, and the Parent AP Name.

Mesh Worst Packet Error Rate
Displays the worst packet error rates. Data includes the Parent AP Name, the Child AP Name, and the Packet Error Rate.

CleanAir Dashboard

Table 2-5 lists the factory default dashlets for the CleanAir dashboard.

Table 2-5 CleanAir Dashboard

802.11a/n Avg Air Quality
Provides a line chart representing the average air quality for the entire network over a set period of time. Displays the average air quality on the 802.11a/n band. Data includes time and the average air quality.

802.11b/g/n Avg Air Quality
Provides a line chart representing the average air quality for the entire network over a set period of time. Displays the average air quality on the 802.11b/g/n band.
Data includes time and the average air quality.

802.11a/n Min Air Quality
Provides a line chart representing the minimum air quality for the entire network over a set period of time. Displays the minimum air quality on the 802.11a/n band. Data includes time and the minimum air quality.

802.11b/g/n Min Air Quality
Provides a line chart representing the minimum air quality for the entire network over a set period of time. Displays the minimum air quality on the 802.11b/g/n band. Data includes time and the minimum air quality.

Worst 802.11a/n Interferers
Provides a list of active interferers with the worst severity level for the 802.11a/n band. The graph displays the ten worst interferers that are currently active. Data includes Interferer ID, Type, Status, Severity, Affected Channels, Duty Cycle (%), Discovered, Last Updated, and Floor.

Worst 802.11b/g/n Interferers
Provides a list of active interferers with the worst severity level for the 802.11b/g/n band. The graph displays the ten worst interferers that are currently active. Data includes Interferer ID, Type, Status, Severity, Affected Channels, Duty Cycle (%), Discovered, Last Updated, and Floor.

802.11a/n Interferer Count
Provides a line chart representing the total number of interferers on all channels over the selected period of time. Displays the number of devices interfering in the 802.11a/n band. Data includes time and interferer count.

Note The air quality is calculated for all controllers in your network that have CleanAir-enabled access points. The report includes aggregated air quality data across your network.
802.11b/g/n Interferer Count
Provides a line chart representing the total number of interferers on all channels over the selected period of time. Displays the number of devices interfering in the 802.11b/g/n band. Data includes time and interferer count.

Note The information in the worst interferer and interferer count charts is collected from Mobility Services Engines (MSEs). If no MSE is available, these charts show no results.

Recent Security-Risk Interferers
Provides a list of active interferers with the worst severity level for each band. Displays the recent security-risk interferers on your wireless network. Data includes Type, Severity, Affected Channels, Last Detected, and Detected AP.
Note This chart includes information only for interferers for which security alarms are enabled. You can also view the data presented on this dashlet in different formats.

Context Aware Dashboard

Table 2-6 lists the factory default dashlets for the Context Aware dashboard.

Table 2-6 Context Aware Dashboard

MSE Historical Element Count
Displays the historical trend of tag, client, rogue AP, rogue client, interferer, wired client, and guest client counts in a given period of time.
Note The MSE Historical Count information is presented in a time-based graph. For time-based graphs, a link bar at the top of the graph page displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y, and Custom. When one is selected, the data for that time frame is retrieved and the corresponding graph is displayed. See the “Time-Based Graphs” section on page 6-71 for more information.
Rogue Elements detected by CAS
Displays the Rogue AP and Rogue Client indices as percentages. It also provides a count of the Rogue APs and Rogue Clients detected by each MSE within the past hour, within the past 24 hours, and more than 24 hours ago. The Rogue AP Index is defined as the percentage of total active tracked elements that are detected as Rogue APs across all the MSEs on NCS. The Rogue Client Index is defined as the percentage of total active tracked elements that are detected as Rogue Clients across all the MSEs on NCS.

Location Assisted Client Troubleshooting
Lets you troubleshoot clients with location assistance. You can provide a MAC address, username, or IP address as the criterion for troubleshooting.
Note Username, IP address, and partial MAC address-based troubleshooting is supported only on MSEs running version 7.0.200.0 or later. For more information about Location Assisted Client Troubleshooting, see the “Location Assisted Client Troubleshooting from the Context-Aware Dashboard” section on page 12-77.

MSE Tracking Counts
Represents the tracked and not-tracked count of each element type. The element types include tags, rogue APs, rogue clients, interferers, wired clients, wireless clients, and guest clients.

Top 5 MSEs
Lists the top five MSEs based on the percentage of license utilization. It also provides a count for each element type for each MSE.

Note If you have installed an NCS license but have not added any MSE to NCS, the Context-Aware dashboard is empty; a message is displayed with a link to add an MSE. In the dashlet, click the count link to get a detailed report.

Icons

The icons on the dashlets and within the General, Client, Security, Mesh, CleanAir, and Context Aware dashboards have the functions listed in Table 2-7.
Use the icons in a dashlet to switch between chart and grid view. Use the Enlarge Chart icon to view the grid or chart in full screen.

Table 2-7 Icon Representation

Dashlet Options icon
Enables you to customize and filter the data by using variables and search options. For example, you can search the client count trends for SSIDs, floor areas, controllers, specific autonomous APs, and so on.
Note Only some of the dashlets have these search-by parameters.

Refresh Dashlet icon
Enables you to refresh the dashlet so that it reflects the current network status.

Detach Dashlet icon
Enables you to detach the dashlet.

Maximize Dashlet icon
Enables you to maximize the dashlet so that it is visible in full view.

Collapse Dashlet icon
Enables you to minimize the dashlet so that its content is not visible.

View in Chart icon
Enables you to view the dashlet as a chart rather than a table.

View in Grid icon
Enables you to view the dashlet as a table rather than a chart.

Menu Bar

The primary navigation is the menu at the top of the Cisco NCS page. Administrators can monitor and perform various tasks from the NCS menus. This menu is an easy-access pop-up menu that provides quick access to the submenus associated with a primary menu. Hover your mouse cursor over the title of a menu to bring up the associated menu. Clicking the name links on the menu takes you directly to the feature page. The following illustration is an example of the NCS menu.

Figure 2-6 NCS Primary Global Menu

This section describes the menus and contains the following topics:
• Monitor Menu, page 2-23
• Configure Menu, page 2-24
• Services Menu, page 2-25
• Reports Menu, page 2-25
• Administration Menu, page 2-25

When you hover your mouse cursor over any of the five menu headings, a drop-down menu appears.

Monitor Menu

The Monitor menu provides you with a top-level description of your network devices. You can monitor your network, maps, Google Earth maps, network devices (controllers, switches, access points, clients, tags, chokepoints, Wi-Fi TDOA receivers), RRM, alarms, and events. The following submenu options are available from the Monitor menu:
• Monitoring Devices
  – Monitoring Controllers
  – Monitoring Switches
  – Monitoring Access Points
  – Monitoring RFID Tags
  – Monitoring Chokepoints
  – Monitoring Interferers
  – Monitoring WiFi TDOA Receivers
• Monitoring Radio Resource Management (RRM)
• Monitoring Clients and Users
• Monitoring Alarms and Events
  – Monitoring Alarms
  – Monitoring Events
• Monitoring Maps
  – Monitoring Maps
  – Monitoring Google Earth Maps

Configure Menu

The Configure menu enables you to configure templates, controllers, access points, switches, chokepoints, Wi-Fi TDOA receivers, config groups, auto provisioning, scheduled configuration tasks, profiles, ACS view servers, and TFTP servers on your network.
The following submenu options are available from the Configure drop-down menu:
• Configuring Devices
  – Configuring Controllers
  – Configuring Switches
  – Configuring Unknown Devices
  – Configuring Access Points
  – Configuring Chokepoints
  – Configuring Spectrum Experts
  – Configuring WiFi TDOA Receivers
• Configuring Scheduled Configuration Tasks
• Configuring Controller Auto Provisioning
• Configuring wIPS Profiles
• Configuring Templates
  – Accessing Controller Template Launch Pad
  – Configuring Lightweight Access Point Templates
  – Configuring Autonomous Access Point Templates
  – Configuring Switch Location Configuration Templates
  – Configuring Autonomous AP Migration Templates
• Configuring Controller Config Groups
• Configuring Servers
  – Configuring ACS View Servers
  – Configuring TFTP Servers

Services Menu

The Services menu enables you to manage mobility services, including mobility services engines and Identity Services Engines. The following submenu options are available from the Services drop-down menu:
• Mobility Services
  – Viewing Current Mobility Services
  – Synchronizing Services
  – Viewing Synchronization History
  – Viewing the Notifications Summary for Mobility Services
• Identity Services

Reports Menu

The Reports menu provides the following submenu options:
• Report Launch Pad
• Managing Scheduled Run Results
• Managing Saved Report Templates

Administration Menu

The Administration menu enables you to schedule tasks such as making a backup, checking a device status, auditing your network, synchronizing the MSE, and so on. It also contains Logging, which lets you enable the various logging modules and specify restart requirements. For user administration, such as changing passwords, establishing groups, setting application security settings, and so on, choose AAA.
From the Administration menu, you can also access the licensing information, set user preferences, and establish high availability (a secondary backup device running NCS). The following submenu options are available from the Administration drop-down menu:
• Performing Background Tasks
• Configuring Virtual Domains
• Configuring Administrative Settings
• Setting User Preferences
• Viewing Appliance Details
• Configuring AAA
• Establishing Logging Options
• Configuring High Availability
• Managing Licenses

Global Toolbar

The Global Toolbar is always available at the bottom of the NCS page, providing instantaneous access to the Tools, the NCS online Help system, and a summary of alarm notifications. Hover your mouse cursor over the Help icon to access the available online Help. Hover your mouse cursor over the Alarms Browser to display the summarized Alarms page, with a list of recent system alarms and the ability to filter for alarms of a specific nature. You can also drill down for detailed information on individual alarms. For more information on alarms, see Alarm Summary, page 2-27.

Figure 2-7 Global Toolbar

This section contains the following topics:
• Tools, page 2-26
• Help, page 2-26

Tools

The Tools menu provides access to the Voice Audit, Configuration Audit, and Migration Analysis features of NCS. The following submenu options are available from the Tools drop-down menu:
• Configuring Voice Audit
• Configuring Location Accuracy Tool
• Configuring Audit Summary
• Configuring Migration Analysis
• Configuring TAC Case Attachments

Help

The Help menu allows you to access online help and learning modules, submit feedback, and verify the current version of NCS. The Help icon is located in the bottom left corner of the Global Toolbar in the NCS page. The Help menu provides quick access to the comprehensive online help for NCS.
The following submenu options are available from the Help drop-down menu:
• Online Help—Enables you to view online help. The online help is context sensitive and opens to the documentation for the NCS window that you currently have open.
• Learning Modules—Allows you to access short video clips of certain NCS features. To learn more about Cisco NCS features and functionality, go to Cisco.com to watch multimedia presentations about NCS configuration workflow, monitoring, troubleshooting, and more. More overview and technical presentations will be added in future releases.
• MSE Installation Guide—Provides links to the MSE installation section.
• Submit Feedback—Allows you to access a page where you can enter feedback on NCS.
• Help Us Improve Cisco Products—Allows you to enable, and give permission for, automatic collection of data about how you and your organization use your Cisco wireless products; this data is used to improve product performance and usability. The data is collected automatically and sent to Cisco in encrypted form. The data may contain information about your organization and is not shared or used outside of Cisco.
Note To enable automated feedback, you must configure your mail server by choosing Administration > Settings > Mail Server Configuration.
• About Cisco NCS—Allows you to verify the version of NCS that you are running. It provides the version, host name, feature, AP limit, and license type. To verify the version of NCS, choose About Cisco NCS. The following information is displayed:
  • Product Name
  • Version Number
  • Host Name
  • Feature
  • AP Limit
  • License Type
  • Copyright statement

Alarm Summary

When NCS receives an alarm message from a controller, it displays an alarm indicator at the bottom of the NCS page (see Figure 2-8).
Alarms indicate the current fault or state of an element that needs attention, and they are usually generated by one or more events. The alarm can be cleared, but the event remains. The Critical (red), Major (orange), and Minor (yellow) alarm counts appear in the alarm dashboard, left to right.
Note: The Administration > Settings > Alarms page has a Hide Acknowledged Alarms check box. You must unselect it if you want acknowledged alarms to appear in the NCS alarm summary and alarm list pages. By default, acknowledged alarms are not shown.

Figure 2-8 NCS Alarm Summary

Note: Alarm counts are refreshed every 15 seconds.

Command Buttons

The Cisco NCS user interface uses a number of command buttons throughout its pages. The most common of these are as follows:
• Apply: Applies the selected information
• Delete: Deletes the selected information
• Cancel: Cancels new information entered on the current page and returns to the previous page
• Save: Saves the current settings
• Audit: Discovers the present status of this access point
• Place AP: Audits the configuration of the selected entity by flagging the differences between NCS database device configurations

Main Data Page

The main data page is determined by the required parameter information. Active areas on the data pages include the following:
• Text boxes into which data may be entered using the keyboard
• Drop-down lists from which one of several options may be chosen
• Check boxes in lists that allow you to choose one or more items from the displayed list
• Radio buttons that allow you to turn a parameter on or off
• Hyperlinks that take you to other pages in the Cisco NCS user interface
Input text boxes are black text on a white background. When data is entered or selected, it is not sent to the controller; it is saved in the text box until you click Go.
Administrative Elements

The following elements provide information regarding the current NCS user:
• User—Indicates the username for the current NCS user. Click the User link to change the user password. See the “Changing Password” section on page 15-128 for more information.
• Virtual Domain—Indicates the current virtual domain for this NCS user. See the “Configuring Virtual Domains” section on page 18-1 for more information.
Note: To switch domain names, click the blue inverted triangle to the right of the virtual domain name to open the Switch to another Virtual Domain page. Select the new virtual domain radio button and click Save. Your privileges are changed accordingly.

The toolbar icons are described as follows (Icon: Description; the icon images are not reproduced here):
• Help icon: Click to access the NCS online help.
Note: The online help provides information applicable to your current NCS version.
• Refresh icon: Click to update the data in the current NCS view.
• Print icon: Click to access a print-friendly version of the current NCS view.
Note: Click Print to print the current NCS view or Exit Print View to return to the previous page.
• Edit Dashboard icon: Click to edit the dashboard or to add a new dashboard in NCS.

Customizing NCS Home Page

The NCS home page contains a default, predefined list of dashlets that you can customize. The following customizations are possible on the NCS home page:
• drag-and-drop dashlets
• add or delete dashboards
• reorder dashboards
• rename dashlets and dashboards
• customize the layout
Note: You can add or delete dashlets by selecting from the predefined list.

You can customize the home page with time-based or non-time-based interactive graphs, which you can display in grid or chart format (by clicking the appropriate icon). These graphs refresh automatically within a predetermined time based on the default polling cycles of the dependent tasks, or you can click the Refresh dashlet icon to get the most current status. You can click the Enlarge Chart icon to enlarge the graph in a separate page.

This section contains the following topics:
• Editing NCS Home Page, page 2-29
• Adding Dashlets, page 2-30
• Adding a New Dashboard, page 2-32

Editing NCS Home Page

To customize the NCS home page dashlets, follow these steps:
Step 1 On the NCS home page, click the Edit Dashboard icon. The drop-down list appears.
Step 2 Click the Add dashlets link, which opens the drop-down list of available dashlets. Add the desired dashlet by clicking the Add link in the right column. The dashlet is added to the appropriate dashboard.
Step 3 Click Apply.

Adding Dashlets

Table 2-8 lists the default dashlet options you can add to your NCS home page.

Table 2-8 Default Dashlets (Dashlet: Description)
• AP Join Taken Time: Displays the access point name and the amount of time (in days, minutes, and seconds) that it took for the access point to join.
• AP Threats/Attacks: Displays various types of access point threats and attacks and indicates how many of each type have occurred.
• AP Uptime: Displays each access point name and the amount of time it has been associated.
• Ad hoc Rogues: Displays ad hoc rogues for the previous hour, previous 24 hours, and total active.
• Cisco Wired IPS Events: Displays wired IPS events for the previous hour, previous 24 hours, and total active.
• Client: Displays the five most recent client alarms with client association failures, client authentication failures, client WEP key decryption errors, client WPA MIC errors, and client exclusions.
• Client Authentication Type: Displays the number of clients for each authentication type.
• Client Count: Displays the trend of associated and authenticated client counts in a given period of time.
• Client Distribution: Displays how clients are distributed by protocol, EAP type, and authentication type.
• Client EAP Type Distribution: Displays the client count based upon the EAP type.
• Client Protocol Distribution: Displays the current client count distribution by protocol.
• Client Security Events: Displays client security events within the previous 24 hours, including excluded client events, WEP decrypt errors, WPA MIC errors, shunned clients, and IPsec failures.
• Client Traffic: Displays the trend of client traffic in a given time period.
• Client Troubleshooting: Allows you to enter the MAC address of a client and retrieve information for diagnosing the client in the network.
• Clients Detected by Context Aware Service: Displays the client count detected by the context aware service within the previous 15 minutes.
• Controller CPU Utilization (%): Displays the average, maximum, and minimum CPU usage.
• Controller Memory Utilization: Displays the average, maximum, and minimum memory usage as a percentage for the controllers.
• Coverage Areas: Displays the list of coverage areas and details about each coverage area.
• Friendly Rogue APs: Displays friendly rogue access points for the previous hour, previous 24 hours, and total active.
• Guest Users Count: Displays the guest client count over a specified time.
• Inventory Detail Status: Displays a chart summarizing the status of the following device types: Controllers, Switches, Autonomous APs, Radios, and MSEs.
• Inventory Status: Displays the total number of client controllers and the number of unreachable controllers.
• LWAPP Uptime: Displays the access point name and the amount of its uptime in days, minutes, and seconds.
• Latest 5 Logged in Guest Users: Displays the most recent guest users to log in.
• Mesh AP by Hop Count: Displays the APs based upon hop count.
• Mesh AP Queue Based on QoS: Displays the APs based upon QoS.
• Mesh Parent Changing AP: Displays the worst mesh APs based upon changing parents.
• Mesh Top Over Subscribed AP: Displays the APs considered oversubscribed.
• Mesh Worst Node Hop Count: Displays the worst AP node hop counts from the root AP.
• Mesh Worst Packet Error Rate: Displays the worst mesh AP links based upon the packet error rates of the links.
• Mesh Worst SNR Link: Displays the worst mesh AP links based upon the SNR values of the links.
• Most Recent AP Alarms: Displays the five most recent access point alarms. Click the number in parentheses to open the Alarms page, which shows all alarms.
• Most Recent Client Alarms: Displays the most recent client alarms.
• Most Recent Mesh Alarms: Displays the most recent mesh alarms.
• Most Recent Security Alarms: Displays the five most recent security alarms. Click the number in parentheses to open the Alarms page.
• Recent 5 Guest User Accounts: Displays the most recent guest user accounts created or modified.
• Recent Alarms: Displays the five most recent alarms by default. Click the number in parentheses to open the Alarms page.
• Recent Coverage Holes: Displays the recent coverage hole alarms listed by access point.
• Recent Malicious Rogue AP Alarms: Displays the recent malicious rogue AP alarms.
• Recent Rogue Alarms: Displays the five most recent rogue alarms. Click the number in parentheses to open the Alarms page, which shows all alarms.
• Security Index: Displays the security index score for the wireless network. The security index is calculated as part of the Configuration Sync background task.
• Top APs by Client Count: Displays the top APs by client count.
• Unclassified Rogue APs: Displays unclassified rogue access points for the previous hour, previous 24 hours, and total active.

Adding a New Dashboard

To create a new dashboard, follow these steps:
Step 1 Click the Edit Dashboard icon on the NCS home page. The Edit Dashboard menu appears (see Figure 2-9).

Figure 2-9 Edit Dashboard

Step 2 Enter the name of the new dashboard you are creating, and click Add. The dashboard name you just added appears in the Display Order list.
Note: Add is the only function that does not require a Save after its operation. If you click X, Move Up, or Move Down, you must click Apply for the changes to be applied.
Step 3 You can add dashlets to the new dashboard. For more information, see the “Adding Dashlets” section on page 2-30.
Note: If you want to return to the factory defaults as shown in Figure 2-8, click Reset to reset to factory defaults.

Using the Search Feature

The enhanced NCS Search feature (see Figure 2-10) provides easy access to advanced search options and saved searches. You can access the search options from any page within NCS, making it easy to search for a device or SSID (Service Set IDentifier).

Figure 2-10 NCS Search Feature

The following searches are possible using NCS:
• Quick Search, page 2-33
• Advanced Search, page 2-34
• Saved Searches, page 2-46

Quick Search

For a quick search, you can enter a partial or complete IP address, MAC address, name, or SSID for clients, alarms, access points, controllers, maps, tags, or rogue clients (see Figure 2-10).
Note: You can also enter a username if you are searching for a client.
To quickly search for a device, follow these steps:
Step 1 Enter the complete or partial IP address, device name, SSID, or MAC address of the device in the Search text box (see Figure 2-11).

Figure 2-11 Quick Search with Partial IP Address

Step 2 Click Search to display all devices that match the Quick Search parameter. The search results display the matching item type, the number of items that match your search parameter, and links to the list of matching results (see Figure 2-12). Click View List to view the matching devices from the Monitor or Configuration pages.

Figure 2-12 Quick Search Results

Advanced Search

To perform a more specific search for a device in NCS, follow these steps:
Step 1 Click Advanced Search, located in the top right corner of NCS (see Figure 2-10).
Step 2 In the New Search dialog, select a category from the Search Category drop-down list (see Figure 2-13).

Figure 2-13 Search Category Drop-Down List

Note: Click each of the following categories for more information. Search categories include the following:
• Searching Alarms
• Searching Access Points
• Searching Controller Licenses
• Searching Controllers
• Searching Switches
• Searching Clients
• Searching Chokepoints
• Searching Events
• Searching Interferers
• Searching Wi-Fi TDOA Receivers
• Searching Maps
• Searching Rogue Clients
• Searching Shunned Clients
• Searching Tags
Step 3 Select all applicable filters or parameters for your search (see Figure 2-14).
Note: Search parameters change depending on the selected category.
The following pre-defined search filters have been added in release 6.0: Associated Clients, Authenticated Clients, Excluded Clients, Probing Clients, All Clients, New Clients detected in last 24 hours, unauthenticated clients, 2.4 GHz clients, and 5 GHz clients.

Figure 2-14 New Search Parameters

Step 4 Choose the number of items to display on the results page.
Step 5 To save this search, select the Save Search check box and enter a name for the search in the text box.
Step 6 When all filters and parameters are set, click Go.

Searching Alarms

You can configure the following parameters when performing an advanced search for alarms (see Table 2-9).

Table 2-9 Search Alarms Parameters (Parameter: Options)
• Severity: Choose All Severities, Critical, Major, Minor, Warning, or Clear.
• Alarm Category: Choose All Types, Access Points, Controller, Switches, Coverage Hole, Config Audit, Mobility Service, Context Aware Notifications, Interference, Mesh Links, Rogue AP, Adhoc Rogue, Security, NCS, or Performance.
• Condition: Use the drop-down list to select a condition. You can also enter a condition by typing it in this drop-down list.
Note: If you have selected an alarm category, this drop-down list contains the conditions available in that category.
• Time Period: Choose a time increment from Any Time to Last 7 days. The default is Any Time.
• Acknowledged State: Select this check box to search for alarms with an Acknowledged or Unacknowledged state. If this check box is not selected, the acknowledged state is not part of the search criteria.
• Assigned State: Select this check box to search for alarms with an Assigned or Unassigned state or by Owner Name. If this check box is not selected, the assigned state is not part of the search criteria.
Note: If you choose Assigned State > Owner Name, type the owner name in the available text box.

Note: You can decide what information appears on the alarm search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Access Points

You can configure the following parameters when performing an advanced search for access points (see Table 2-10).

Table 2-10 Search Access Points Parameters (Parameter: Options)
• Search By: Choose All APs, Base Radio MAC, Ethernet MAC, AP Name, IP Address, Controller Name, Controller IP, All Unassociated APs, Floor Area, Outdoor Area, Unassigned APs, or Alarms.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category. For example, when you select Floor Area, you must also identify its campus and building. Or, if you select Alarms, you can search for access points based on the severity of the alarm.
• AP Type: Choose All Types, LWAPP, or Autonomous.
• AP Mode: Choose All Modes, Local, Monitor, H-REAP, Rogue Detector, Sniffer, Bridge, or SE-Connect.
• Radio Type: Choose All Radios, 802.11a, or 802.11b/g.
• 802.11n Support: Check to search for access points with 802.11n support.
• OfficeExtend AP Enabled: Check to search for OfficeExtend access points.
• CleanAir Support: Check to search for access points that support CleanAir.
• CleanAir Enabled: Check to search for access points that support CleanAir and on which CleanAir is enabled.
• Items per page: Configure the number of records to be displayed in the search results page.

Note: You can decide what information displays on the access points search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Controller Licenses

You can configure the following parameters when performing an advanced search for controller licenses (see Table 2-11).

Table 2-11 Search Controller Licenses Parameters (Parameter: Options)
• Controller Name: Type the controller name associated with the license search.
• Feature Name: Choose All, Plus, or Base, depending on the license tier.
• Type: Choose All, Demo, Extension, Grace Period, or Permanent.
• % Used or Greater: Select the percentage of the license use. The percentages range from 0 to 100.
• Items per page: Configure the number of records to be displayed in the search results page.

See the “Managing Licenses” section on page 15-123 for more information on licenses and the License Center.

Searching Controllers

You can configure the following parameters when performing an advanced search for controllers (see Table 2-12).

Table 2-12 Search Controllers Parameters (Parameter: Options)
• Search for controller by: Choose All Controllers, IP Address, or Controller Name.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
• Enter Controller IP Address: This text box appears only if you select IP Address from the Search for controller by list.
• Enter Controller Name: This text box appears only if you select Controller Name from the Search for controller by list.
• Audit Status: Choose one of the following from the drop-down list:
• All Status
• Mismatch—Config differences were found between NCS and the controller during the last audit.
• Identical—No config differences were found during the last audit.
• Not Available—Audit status is unavailable.
• Items per page: Configure the number of records to be displayed in the search results page.

Note: You can decide what information displays on the controllers search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Switches

You can configure the following parameters when performing an advanced search for switches (see Table 2-13).

Table 2-13 Search Switches Parameters (Parameter: Options)
• Search for Switches by: Choose All Switches, IP Address, or Switch Name. You can use wildcards (*). For example, if you select IP Address and enter 172*, NCS returns all switches whose IP address begins with 172.
• Items per page: Configure the number of records to be displayed in the search results page.

You can decide what information displays on the client search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Clients

You can configure the following parameters when performing an advanced search for clients (see Table 2-14).

Table 2-14 Search Clients Parameters (Parameter: Options)
• Media Type: Choose All, Wireless Clients, or Wired Clients.
• Wireless Type: Choose All, Lightweight, or Autonomous Clients. This option applies if you have selected Wireless Clients in Media Type.
• Search By: Choose All Clients, All Excluded Clients, All Wired Clients, All Logged in Guests, IP Address, User Name, MAC Address, Asset Name, Asset Category, Asset Group, AP Name, Controller Name, Controller IP, MSE IP, Floor Area, Outdoor Area, Switch Name, or Switch Type.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category. For example, when you select IP address, you must enter the specific IP address for this search.
• Clients Detected By: Choose NCS or MSEs. Clients detected by NCS are clients stored in the NCS databases. Clients detected by MSE are clients located by the Context Aware service in the MSE, which communicates directly with the controllers.
• Client States: Choose All States, Idle, Authenticated, Associated, Probing, or Excluded.
• Posture Status: Choose All, Unknown, Passed, or Failed if you want to know whether the devices are clean or not.
• Restrict By Radio Band: Select the check box to indicate a specific radio band. Choose 5 GHz or 2.4 GHz from the drop-down list.
• Restrict By Protocol: Select the check box to indicate a specific protocol. Choose 802.11a, 802.11b, 802.11g, 802.11n, or Mobile from the drop-down list.
• SSID: Select the check box and choose the applicable SSID from the drop-down list.
• Profile: Select the check box to list all of the clients associated to the selected profile.
Note: Once the check box is selected, choose the applicable profile from the drop-down list.
• CCX Compatible: Select the check box to search for clients that are compatible with Cisco Client Extensions.
Note: Once the check box is selected, choose the applicable version, All Versions, or Not Supported from the drop-down list.
• E2E Compatible: Select the check box to search for clients that are End to End compatible.
Note: Once the check box is selected, choose the applicable version, All Versions, or Not Supported from the drop-down list.
• NAC State: Select the check box to search for clients identified by a certain Network Admission Control (NAC) state.
Note: Once the check box is selected, choose the applicable state from the drop-down list. Select from Quarantine, Access, Invalid, and Not Applicable.
• Include Disassociated: Select to include clients that are no longer on the network but for which NCS has historical records.
• Items per page: Configure the number of records to be displayed in the search results page.

Note: You can decide what information displays on the client search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Chokepoints

You can configure the following parameters when performing an advanced search for chokepoints (see Table 2-15).

Table 2-15 Search Chokepoint Parameters (Parameter: Options)
• Search By: Choose MAC Address or Chokepoint Name.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category. For example, when you select MAC address, you must enter the specific MAC address for this search.

Searching Events

You can configure the following parameters when performing an advanced search for events (see Table 2-16).

Table 2-16 Search Events Parameters (Parameter: Options)
• Severity: Choose All Severities, Critical, Major, Minor, Warning, Clear, or Info. Severities are color coded.
• Event Category: Choose All Types, Access Points, Controller, Security, Coverage Hole, Rogue AP, Adhoc Rogue, Interference, Mesh Links, Client, Mobility Service, Location Notifications, Pre Coverage Hole, or NCS.
• Condition: Use the drop-down list to select a condition. You can also enter a condition by typing it in this drop-down list.
Note: If you have selected an event category, this drop-down list contains the conditions available in that category.
• Search All Events: Configure the number of records to be displayed in the search results page.

See the “Monitoring Rogue Alarm Events” section on page 5-108 for more information on events.

Searching Interferers

You can configure the following parameters when performing an advanced search for interferers detected by access points (see Table 2-17).

Table 2-17 Search SE-Detected Interferers Parameters (Parameter: Options)
• Search By: Choose All Interferers, Interferer ID, Interferer Category, Interferer Type, Affected Channel, Affected AP, Severity, Power, or Duty Cycle.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
• Detected By: Choose All Spectrum Experts or a specific spectrum expert from the drop-down list.
• Detected within the last: Choose the time range for the interferer detections. The times range from 5 minutes to 24 hours to All History.
• Interferer Status
• Restrict by Radio Bands/Channels: Configure the search by radio bands or channels.
• Items per page: Configure the number of records to be displayed in the search results page.

You can decide what information displays on the SE-detected interferers search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching AP-Detected Interferers

You can configure the following parameters when performing an advanced search for interferers detected by access points (see Table 2-18).

Table 2-18 Search AP-Detected Interferers Parameters (Parameter: Options)
• Search By: Choose All Interferers, Interferer ID, Interferer Type, Affected Channel, Severity, Duty Cycle, or Location.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
• Detected within the last: Choose the time range for the interferer detections. The times range from 5 minutes to 24 hours to All History.
• Active Interferers Only: Select the check box to include only active interferers in your search.

Note: You can decide what information displays on the AP-detected interferers search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

Searching Wi-Fi TDOA Receivers

You can configure the following parameters when performing an advanced search for Wi-Fi TDOA receivers (see Table 2-19).

Table 2-19 Search Wi-Fi TDOA Receivers Parameters (Parameter: Options)
• Search By: Choose MAC Address or Wi-Fi TDOA Receivers Name.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.

Searching Maps

You can configure the following parameters when performing an advanced search for maps (see Table 2-20).

Table 2-20 Search Map Parameters (Parameter: Options)
• Search for: Choose All Maps, Campuses, Buildings, Floor Areas, or Outdoor Areas.
• Map Name: Search by map name. Enter the map name in the text box.
• Items per page: Configure the number of records to be displayed in the search results page.

Note: You can decide what information displays on the maps search results page. See the “Configuring the Search Results Display (Edit View)” section on page 2-46 for more information.

See the “Information About Maps” section on page 6-2 for more information on maps.

Searching Rogue Clients

You can configure the following parameters when performing an advanced search for rogue clients (see Table 2-21).

Table 2-21 Search Rogue Client Parameters (Parameter: Options)
• Search for clients by: Choose All Rogue Clients, MAC Address, Controller, MSE, Floor Area, or Outdoor Area.
• Search In: Choose MSEs or NCS Controllers.
• Status: Select the check box and choose Alert, Contained, or Threat from the drop-down list to include status in the search criteria.

See the “Rogue Access Points, Ad hoc Events, and Clients” section on page 3-9 for more information on rogue clients.

Searching Shunned Clients

Note: When a Cisco IPS sensor on the wired network detects a suspicious or threatening client, it alerts the controller to shun this client.

You can configure the following parameters when performing an advanced search for shunned clients (see Table 2-22).

Table 2-22 Search Shunned Client Parameters (Parameter: Options)
• Search By: Choose All Shunned Clients, Controller, or IP Address.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.

Searching Tags

You can configure the following parameters when performing an advanced search for tags (see Table 2-23).

Table 2-23 Search Tags Parameters (Parameter: Options)
• Search for tags by: Choose All Tags, Asset Name, Asset Category, Asset Group, MAC Address, Controller, MSE, Floor Area, or Outdoor Area.
Note: Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
• Search In: Choose MSEs or NCS Controllers.
• Last detected within: Choose a time increment from 5 minutes to 24 hours. The default is 15 minutes.
• Tag Vendor: Select the check box and choose Aeroscout, G2, PanGo, or WhereNet.
• Telemetry Tags only: Check Telemetry Tags only to restrict the search to telemetry tags.
• Items per page: Configure the number of records to be displayed in the search results page.

Saved Searches

The Saved Search feature enables you to access and run any previously saved search (see Figure 2-15).
Note: When saving a search, you must assign a unique name to the search. Saved searches apply only to the current partition.

Figure 2-15 Saved Search Page

To access and run a saved search, follow these steps:
Step 1 Click Saved Search.
Step 2 Choose a category from the Search Category drop-down list.
Step 3 Choose a saved search from the Saved Search List drop-down list.
Step 4 If necessary, change the current parameters for the saved search.
Step 5 Click Go.

Configuring the Search Results Display (Edit View)

The Edit View page (see Figure 2-16) enables you to choose which columns appear on the Search Results page.

Figure 2-16 Edit View Page

Column names appear in one of the following lists:
• Hide Information—Lists columns that do not appear in the table. The Hide button points to this list.
• View Information—Lists columns that do appear in the table. The Show button points to this list.
To display a column in a table, click it in the Hide Information list, then click Show. To remove a column from a table, click it in the View Information list, then click Hide. You can select more than one column by holding down the Shift or Control key. To change the position of a column in the View Information list, click it, then click Up or Down. The higher a column is in the list, the farther left it appears in the table.

Command Buttons

The following command buttons appear on the Edit View page:
• Reset—Sets the table to the default display.
• Show—Moves the highlighted columns from the Hide Information list to the View Information list. • Hide—Moves the highlighted columns from the View Information list to the Hide Information list. • Up—Moves the highlighted columns upward in the list (further to the left in the table). • Down—Moves the highlighted columns downward in the list (further to the right in the table). • Submit—Saves the changes to the table columns and returns to the previous page. • Cancel—Undoes the changes to the table columns and returns to the previous page.2-48 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 2 Getting Started Using the Search FeatureC H A P T E R 3-1 Cisco Prime Network Control System Configuration Guide OL-25451-01 3 Configuring Security Solutions This chapter describes the security solutions for wireless LANs. It contains the following sections: • Cisco Unified Wireless Network Solution Security, page 3-1 • Interpreting the Security Dashboard, page 3-4 • Rogue Access Points, Ad hoc Events, and Clients, page 3-9 • Rogue Access Point Location, Tagging, and Containment, page 3-13 • Security Overview, page 3-20 • Switch Port Tracing, page 3-28 • Using NCS to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode, page 3-29 • Configuring a Firewall for NCS, page 3-30 • Access Point Authorization, page 3-30 • Management Frame Protection (MFP), page 3-31 • Configuring Intrusion Detection Systems (IDS), page 3-33 • Configuring IDS Signatures, page 3-33 • Enabling Web Login, page 3-41 • Certificate Signing Request (CSR) Generation, page 3-44 Cisco Unified Wireless Network Solution Security The Cisco Unified Wireless Network Solution bundles potentially complicated Layer 1, Layer 2, and Layer 3 802.11 access point security components into a simple policy manager that customizes system-wide security policies on a per wireless LAN basis. It provides simple, unified, and systematic security management tools. 
One of the challenges to wireless LAN deployment in the enterprise is Wired Equivalent Privacy (WEP) encryption, which is a weak standalone encryption method. A more recent problem is the availability of low-cost access points that can be connected to the enterprise network and used to mount man-in-the-middle and denial of service attacks. Also, the complexity of add-on security solutions has prevented many IT managers from embracing the benefits of the latest advances in wireless LAN security.

This section contains the following topics:
• Layer 1 Solutions
• Layer 2 Solutions
• Layer 3 Solutions
• Single Point of Configuration Policy Manager Solutions
• Rogue Access Point Solutions

Layer 1 Solutions

The Cisco Unified Wireless Network Solution operating system security solution ensures that all clients gain access within an operator-set number of attempts. Should a client fail to gain access within that limit, it is automatically excluded (blocked from access) until the operator-set timer expires. The operating system can also disable SSID broadcasts on a per wireless LAN basis.

Layer 2 Solutions

If a higher level of security and encryption is required, the network administrator can also implement industry-standard security solutions such as 802.1X dynamic keys with Extensible Authentication Protocol (EAP) or Wi-Fi Protected Access (WPA) dynamic keys. The Cisco Unified Wireless Network Solution WPA implementation includes Advanced Encryption Standard (AES), Temporal Key Integrity Protocol + message integrity code checksum (TKIP + Michael MIC) dynamic keys, or static WEP keys. Disabling is also used to automatically block Layer 2 access after an operator-set number of failed authentication attempts.

Regardless of the wireless security solution selected, all Layer 2 wired communications between controllers and access points are secured by passing data through Lightweight Access Point Protocol (LWAPP) tunnels.

Layer 3 Solutions

The WEP problem can be further solved using industry-standard Layer 3 security solutions such as Virtual Private Networks (VPNs).

The Cisco Unified Wireless Network Solution supports local and RADIUS media access control (MAC) filtering. This filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.

The Cisco Unified Wireless Network Solution also supports local and RADIUS user/password authentication. This authentication is best suited to small to medium client groups.

Single Point of Configuration Policy Manager Solutions

When the Cisco Unified Wireless Network Solution is equipped with Cisco NCS, you can configure system-wide security policies on a per wireless LAN basis. Small office, home office (SOHO) access points force you to configure security policies individually on each access point or to use a third-party appliance to configure security policies across multiple access points. Because the Cisco Unified Wireless Network Solution security policies can be applied across the whole system from NCS, errors can be eliminated, and the overall effort is greatly reduced.

Rogue Access Point Solutions

This section describes security solutions for rogue access points and includes the following topics:
• Rogue Access Point Challenges
• Tagging and Containing Rogue Access Points
• Securing Your Network Against Rogue Access Points

Rogue Access Point Challenges

Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain text or other denial of service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as passwords and usernames. The hacker can then transmit a series of clear-to-send (CTS) frames, which mimics an access point informing a particular wireless LAN client adapter to transmit and instructing all others to wait. This scenario results in legitimate clients being unable to access the wireless LAN resources. Thus, wireless LAN service providers have a strong interest in banning rogue access points from the air space.

The operating system security solution uses the Radio Resource Management (RRM) function to continuously monitor all nearby access points, automatically discover rogue access points, and locate them as described in the “Tagging and Containing Rogue Access Points” section on page 3-3.

Tagging and Containing Rogue Access Points

When the Cisco Unified Wireless Network Solution is monitored using NCS, NCS generates the flags as rogue access point traps and displays the known rogue access points by MAC address. The operator can then display a map showing the location of the access points closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points (have between one and four access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point).

Securing Your Network Against Rogue Access Points

You can secure your network against any rogue access points and disallow access point attacks for those access points not defined in the MAC filter list.

To set up MAC filtering, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the controller for which you want to enter MAC filters.
Step 3 Choose Security > AAA > MAC Filtering from the left sidebar menu. The MAC Filtering page appears (see Figure 3-1).

Figure 3-1 MAC Filtering Page

The RADIUS compatibility mode, MAC delimiter, MAC address, profile name, interface, and description appear.

Step 4 If you want to set the same configuration across multiple devices, you can choose Add MAC Filter from the Select a command drop-down list, and click Go. If a template exists, you can apply it. If you need to create a template, you can click the URL to get redirected to the template creation page.

Note The ability to join a controller without specification within a MAC filter list is only supported on mesh access points.

Step 5 To make changes to the profile name, interface, or description, click a specific MAC address in the MAC Address column.

Interpreting the Security Dashboard

Because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish insecure access point locations, increasing the odds of having the enterprise security breached.

Rather than having a person with a scanner manually detect rogue access points, the Cisco Unified Wireless Network Solution automatically collects information on rogue access points detected by its managed access points (by MAC and IP address) and allows the system operator to locate, tag, and contain them. It can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four access points.

For a summary of existing events and the security state of the network, click the Security dashboard from the NCS home page. Figure 3-2 shows the Security dashboard and its dashlets.

Figure 3-2 Security Dashboard

This section describes the Security dashboard and its dashlets and contains the following topics:
• Security Index, page 3-5
• Malicious Rogue Access Points, page 3-6
• Adhoc Rogues, page 3-6
• CleanAir Security, page 3-7
• Unclassified Rogue Access Points, page 3-7
• Friendly Rogue Access Points, page 3-8
• Access Point Threats or Attacks, page 3-8
• MFP Attacks, page 3-9
• Attacks Detected, page 3-9

You can customize the order in which information is displayed in the Security dashboard by moving the dashlets. Use the Edit Dashlet option to customize the information displayed in a dashlet. You can change the dashlet title, enable refresh, and set the refresh time interval using the Edit Dashlet options.

Security Index

The Security Index dashlet indicates the security of the NCS managed network. It is calculated as part of the daily background tasks by assigning a weight to each of the various security configurations and displaying the result in visual form. The combined weighting can vary from 0 to 100, where 0 signifies the least secure and 100 the most secure. The weighting comes from the lowest scoring controller and the lowest scoring Location Server/Mobility Service Engine related security configurations that are maintained within NCS itself. The Security Index of the NCS managed network is equal to the lowest scoring controller plus the lowest scoring Location Service/Mobility Service Engine.
The security thermometer color range is represented as follows:
• Above or equal to 80 - Green
• Below 80 but greater than or equal to 60 - Yellow
• Below 60 - Red

Note Guest WLANs are excluded from the WLANs. A WLAN that has web authentication or web passthrough enabled is identified as a guest WLAN.

The security index of the latest release is the benchmark for the required security configurations. For example, if AES encryption was not present in an earlier version of code, the index is reduced by the number associated with the AES encryption security configuration. Likewise, if new security configurations are introduced, the weighting would be altered.

Note The configurations stored in NCS may not match the ones in the controllers unless the Refresh from Controller command is run from NCS. You can run Security Index calculations from the Configuration Sync task to get the latest configuration data from all the controllers. See the “Performing a Configuration Sync” section on page 15-22 for steps on enabling the security index.

Malicious Rogue Access Points

This dashlet provides information on rogue access points that are classified as Malicious. Table 3-1 describes the various parameters. For each of these parameters, a value is provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Note Malicious access points are detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification.

Table 3-1 Malicious Rogue AP Details
Parameter: Description
Alert: Indicates the number of rogues in an alert state. Note An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Contained: Indicates the number of contained rogues.
Threat: Indicates the number of threat rogues.
Contained Pending: Indicates the number of contained rogues pending. Note Contained Pending indicates that the containment action is delayed due to unavailable resources.

Adhoc Rogues

The Adhoc Rogues dashlet displays the rogues that have occurred in the last hour, last 24 hours, and the total active. Table 3-2 describes the various parameters. If you click the number in any of these columns, a page with further information appears.

Note The Adhoc Rogue state displays as Alert when first scanned by the controller or as Pending when operating system identification is underway.

Table 3-2 Ad hoc Rogues
Parameter: Description
Alert: Indicates the number of ad hoc rogues in an alert state. Note An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Contained: Indicates the number of contained rogues.
Threat: Indicates the number of threat rogues.
Contained Pending: Indicates the number of contained rogues pending. Note Contained Pending indicates that the containment action is delayed due to unavailable resources.

CleanAir Security

This dashlet provides information on CleanAir security, that is, the security-risk devices active on the wireless network during the last hour, the last 24 hours, and in total (Total Active). The following information is displayed:
• Severity
• Failure Source
• Owner
• Date/Time
• Message
• Acknowledged

To learn more about the security-risk interferers, see the “Monitoring CleanAir Security Alarms” section on page 5-137.

Unclassified Rogue Access Points

Table 3-3 describes the unclassified rogue access point parameters. For each of these parameters, a value is provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Note An unclassified rogue access point refers to a rogue access point that is not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list.

Table 3-3 Unclassified Rogue Access Points
Parameter: Description
Alert: Number of unclassified rogues in alert state. Rogue access point radios appear as Alert when first scanned by the controller or as Pending when operating system identification is underway.
Contained: Number of contained unclassified rogues.
Contained Pending: Number of contained unclassified rogues pending.

Friendly Rogue Access Points

This dashlet provides information on rogue access points that are classified as friendly. Table 3-4 describes the various parameters. For each of these parameters, a value is provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Note Friendly rogue access points are known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.

Table 3-4 Friendly Rogue AP Details
Parameter: Description
Alert: Indicates the number of rogues in an alert state. Note An access point is moved to Alert if it is not on the neighbor list or part of the user-configured Friendly AP list.
Internal: Indicates the number of internal access points. Note Internal indicates that the detected access point is inside the network and has been manually configured as Friendly - Internal.
External: Indicates the number of external access points. Note External indicates that the detected access point is outside of the network and has been manually configured as Friendly - External.

Access Point Threats or Attacks

Table 3-5 describes the AP Threats or Attacks parameters. For each of these parameters, a value is provided for last hour, last 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Table 3-5 AP Threats/Attacks
Parameter: Description
Fake Attacks: Number of fake attacks
AP Missing: Number of missing access points
AP Impersonation: Number of access point impersonations
AP Invalid SSID: Number of invalid access point SSIDs
AP Invalid Preamble: Number of invalid access point preambles
AP Invalid Encryption: Number of invalid access point encryption settings
AP Invalid Radio Policy: Number of invalid access point radio policies
Denial of Service (NAV related): Number of Denial of Service (NAV related) requests
AP Detected Duplicate IP: Number of detected duplicate access point IPs

MFP Attacks

A value is provided for Infrastructure and client MFP attacks in the last hour, last 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Attacks Detected

A value is provided for wIPS Denial of Service and wIPS Security Penetration attacks and custom signature attacks for the past hour, past 24 hours, and total active. If you click an underlined number in any of the time period categories, a page with further information appears.

Recent Rogue AP Alarms

A value is provided for the five most recent rogue alarms. Click the number in parentheses to access the Alarms page. Then click an item under MAC address to view alarm details.

Recent Adhoc Rogue Alarms

Displays the five most recent ad hoc rogue alarms. Click the number in parentheses to access the Alarms page. Click an item under MAC address to view ad hoc details.

Most Recent Security Alarms

Displays the five most recent security alarms. Click the number in parentheses to access the Alarms page.

Rogue Access Points, Ad hoc Events, and Clients

This section describes security solutions for rogue devices. A rogue device is an unknown access point or client that is detected by managed access points in your network.

Controllers continuously monitor all nearby access points and automatically discover and collect information on rogue access points and clients. When a controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.

Note NCS consolidates all of the controllers’ rogue access point data.

You can configure controllers to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure a controller to use RLDP on all access points, the controller always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue.
This section contains the following topics:
• Classifying Rogue Access Points, page 3-10
• Rogue Access Point Classification Types, page 3-11
• Adhoc Rogue, page 3-13

Classifying Rogue Access Points

Classification and reporting of rogue access points occurs through the use of rogue states and user-defined classification rules that enable rogues to automatically move between states. You can create rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or Unclassified.

Note NCS consolidates all of the controllers’ rogue access point data.

By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only.

Note Rule-based rogue classification does not apply to ad hoc rogues and rogue clients.

Note The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).

When the controller receives a rogue report from one of its managed access points, it responds as follows:
1. The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
3. If the rogue is already classified as Malicious (Alert) or Friendly (Internal or External), the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.

As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state. Table 3-6 shows the allowable classification types and rogue states from and to which an unknown access point can be configured.

Table 3-6 Allowable Classification Type and Rogue State Transitions
From: Friendly (Internal, External, Alert)  To: Malicious (Alert)
From: Friendly (Internal, External, Alert)  To: Unclassified (Alert)
From: Friendly (Alert)  To: Friendly (Internal, External)
From: Malicious (Alert, Threat)  To: Friendly (Internal, External)
From: Malicious (Contained, Contained Pending)  To: Malicious (Alert)
From: Unclassified (Alert, Threat)  To: Friendly (Internal, External)
From: Unclassified (Contained, Contained Pending)  To: Unclassified (Alert)
From: Unclassified (Alert)  To: Malicious (Alert)

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.

Rogue Access Point Classification Types

Rogue access point classification types include:
• Malicious—Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See the “Malicious Rogue Access Points” section on page 3-6 for more information.
• Friendly—Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See the “Friendly Rogue APs” section on page 3-12 for more information. For more information on configuring friendly access point rules, see the “Configuring a Friendly Access Point Template” section on page 11-82.
• Unclassified—Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list.
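The classification procedure (steps 1 to 8) and the Table 3-6 transitions, modelled in Python as an added example that is not Cisco code and not part of this guide. The friendly MAC list, the rule conditions (SSID match, RSSI threshold) and the RLDP results are constructed sample data; where the guide does not state a detail (the Friendly state assigned by the MAC list, which states RLDP resets to Alert) the comment says what the model assumes.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Classification types and rogue states, named as in this chapter.
FRIENDLY, MALICIOUS, UNCLASSIFIED = "Friendly", "Malicious", "Unclassified"
ALERT, THREAT, CONTAINED, CONTAINED_PENDING = "Alert", "Threat", "Contained", "Contained Pending"
INTERNAL, EXTERNAL = "Internal", "External"

# Table 3-6, one entry per row: (from type, from states) -> (to type, to states).
ALLOWED_TRANSITIONS = [
    ((FRIENDLY, {INTERNAL, EXTERNAL, ALERT}), (MALICIOUS, {ALERT})),
    ((FRIENDLY, {INTERNAL, EXTERNAL, ALERT}), (UNCLASSIFIED, {ALERT})),
    ((FRIENDLY, {ALERT}), (FRIENDLY, {INTERNAL, EXTERNAL})),
    ((MALICIOUS, {ALERT, THREAT}), (FRIENDLY, {INTERNAL, EXTERNAL})),
    ((MALICIOUS, {CONTAINED, CONTAINED_PENDING}), (MALICIOUS, {ALERT})),
    ((UNCLASSIFIED, {ALERT, THREAT}), (FRIENDLY, {INTERNAL, EXTERNAL})),
    ((UNCLASSIFIED, {CONTAINED, CONTAINED_PENDING}), (UNCLASSIFIED, {ALERT})),
    ((UNCLASSIFIED, {ALERT}), (MALICIOUS, {ALERT})),
]

# Step 3: these (type, state) pairs are never reclassified automatically.
STICKY = {(MALICIOUS, ALERT), (FRIENDLY, INTERNAL), (FRIENDLY, EXTERNAL)}


@dataclass
class RogueAP:
    mac: str
    ssid: str = ""
    rssi: int = -90                    # dBm, as reported by the detecting access point
    classification: str = UNCLASSIFIED
    state: str = ALERT


@dataclass
class Rule:
    """User-defined classification rule; the lowest priority value is applied first.
    The condition callable stands in for the rule conditions configured in the GUI."""
    priority: int
    name: str
    classify_as: str                   # FRIENDLY or MALICIOUS
    condition: Callable[[RogueAP], bool]


def classify(rogue: RogueAP, friendly_macs: Set[str], rules: List[Rule],
             rldp_on_network: Optional[bool] = None) -> RogueAP:
    """Steps 1 to 7 of the controller procedure applied to one rogue report.
    rldp_on_network: True if RLDP found the rogue on the wired network, False if
    it did not, None if RLDP did not run for this report."""
    if rogue.mac.lower() in {m.lower() for m in friendly_macs}:
        # Step 1: friendly MAC list entries are Friendly outright. The chapter does
        # not name the resulting state, so this model leaves the state unchanged.
        rogue.classification = FRIENDLY
    elif (rogue.classification, rogue.state) not in STICKY and rogue.state == ALERT:
        # Steps 2 and 3: rules run only for non-sticky rogues in the Alert state.
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.condition(rogue):
                rogue.classification = rule.classify_as   # Step 4: first match wins.
                break
        else:
            rogue.classification = UNCLASSIFIED           # Step 5: no rule matched.
    if rldp_on_network is True:
        # Step 7: a wired-network hit is Threat/Malicious even with no rules configured.
        rogue.classification, rogue.state = MALICIOUS, THREAT
    elif rldp_on_network is False and rogue.state == THREAT:
        rogue.state = ALERT   # Not on the network: back to Alert (assumed to apply to Threat only).
    return rogue


def is_allowed_transition(from_cls: str, from_state: str, to_cls: str, to_state: str) -> bool:
    """True if Table 3-6 permits moving a rogue between these (type, state) pairs."""
    return any(from_cls == fc and from_state in fs and to_cls == tc and to_state in ts
               for (fc, fs), (tc, ts) in ALLOWED_TRANSITIONS)


def manual_move(rogue: RogueAP, to_cls: str, to_state: str) -> RogueAP:
    """Step 8: an operator move, refused when Table 3-6 does not list the transition
    (a Contained rogue must be uncontained first; Malicious never moves to Unclassified)."""
    if not is_allowed_transition(rogue.classification, rogue.state, to_cls, to_state):
        raise ValueError(f"{rogue.mac}: {rogue.classification}/{rogue.state} "
                         f"to {to_cls}/{to_state} is not an allowed transition")
    rogue.classification, rogue.state = to_cls, to_state
    return rogue


def contain(rogue: RogueAP, resources_available: bool = True) -> RogueAP:
    """Containment request: friendly rogues cannot be contained; when resources are
    unavailable the action is delayed and the rogue is marked Contained Pending."""
    if rogue.classification == FRIENDLY:
        raise ValueError(f"{rogue.mac}: friendly rogue access points cannot be contained")
    rogue.state = CONTAINED if resources_available else CONTAINED_PENDING
    return rogue


# Constructed sample data (assumed; not from the guide).
FRIENDLY_MACS = {"00:11:22:33:44:55"}
RULES = [
    Rule(2, "quiet-neighbor", FRIENDLY, lambda r: r.rssi < -80),
    Rule(1, "corp-ssid-impersonation", MALICIOUS, lambda r: r.ssid == "CorpWLAN"),
]


def demo() -> dict:
    """Run constructed rogue reports through the procedure; returns (type, state) per MAC."""
    reports = [
        (RogueAP("00:11:22:33:44:55", "CorpWLAN", -50), None),     # on the friendly MAC list
        (RogueAP("aa:bb:cc:dd:ee:01", "CorpWLAN", -85), None),     # both rules match; priority 1 wins
        (RogueAP("aa:bb:cc:dd:ee:02", "CoffeeShop", -85), False),  # only the quiet-neighbor rule matches
        (RogueAP("aa:bb:cc:dd:ee:03", "Linksys", -40), True),      # no rule, but RLDP finds it wired
    ]
    out = {}
    for rogue, rldp in reports:
        classify(rogue, FRIENDLY_MACS, RULES, rldp)
        out[rogue.mac] = (rogue.classification, rogue.state)
    return out
```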
See the “Unclassified Rogue APs” section on page 3-13 for more information.

Malicious Rogue APs

Malicious rogue access points are detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification.

The Security dashboard of the NCS home page displays the number of malicious rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active malicious rogue access points. Malicious rogue access point states include:
• Alert—Indicates that the access point is not on the neighbor list or part of the user-configured Friendly AP list.
• Contained—The unknown access point is contained.
• Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.
• Contained Pending—Indicates that the containment action is delayed due to unavailable resources.
• Removed—This unknown access point was seen earlier but is not seen now.

Click an underlined number in any of the time period categories for detailed information regarding the malicious rogue access points. See the “Monitoring Rogue Access Points” section on page 5-86 for more information.

Friendly Rogue APs

Friendly rogue access points are known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.

The Security dashboard of the NCS home page displays the number of friendly rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active friendly rogue access points. Friendly rogue access point states include:
• Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you would manually configure it as Friendly, Internal. For example, the access points in your lab network.
• External—If the unknown access point is outside the network and poses no threat to WLAN security, you would manually configure it as Friendly, External. For example, the access points belonging to a neighboring coffee shop.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.

Click an underlined number in any of the time period categories for detailed information regarding the friendly rogue access points. See the “Monitoring Rogue Access Points” section on page 5-86 for more information.

Unclassified Rogue APs

An unclassified rogue access point refers to a rogue access point that is not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list.

The Security dashboard of the NCS home page displays the number of unclassified rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active unclassified rogue access points. Unclassified rogue access point states include:
• Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.

Click an underlined number in any of the time period categories for further information. See the “Monitoring Rogue Access Points” section on page 5-86.
Adhoc Rogue If the MAC address of a mobile client operating in a adhoc network is not in the authorized MAC address list, then it is identified as an adhoc rogue. Rogue Access Point Location, Tagging, and Containment When the Cisco Unified Wireless Network Solution is monitored using NCS, NCS generates the flags as rogue access point traps and displays the known rogue access points by MAC address. The operator can then display a map showing the location of the access points closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points (have between one and four access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point). This built-in detection, tagging, monitoring, and containment capability enables system administrators to take the appropriate action: • Locate rogue access points • Receive new rogue access point notifications, eliminating hallway scans • Monitor unknown rogue access points until they are eliminated or acknowledged • Determine the closest authorized access point, making directed scans faster and more effective 3-14 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 3 Configuring Security Solutions Rogue Access Point Location, Tagging, and Containment • Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet. 
• Tag rogue access points:
– Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security
– Accept rogue access points when they do not compromise the LAN or wireless LAN security
– Tag rogue access points as unknown until they are eliminated or acknowledged
– Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.

This section contains the following topics:
• Detecting Access Points on a Network, page 3-14
• Viewing Rogue Access Points by Controller, page 3-15

Detecting Access Points on a Network

Use the Detecting Access Points feature to view information about the Cisco lightweight access points that are detecting a rogue access point. To access the Rogue AP Alarms details page, follow these steps:

Step 1 To display the Rogue AP Alarms page, do one of the following:
• Perform a search for rogue APs. See the “Using the Search Feature” section on page 2-33 for more information about the search feature.
• In the NCS home page, click the Security dashboard. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
• Click the Malicious AP number link in the dashlet.
Step 2 In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The Rogue AP Alarms details page displays.
Step 3 From the Select a command drop-down list, choose View Detecting AP on Network.
Step 4 Click Go.

Click a list item to display data about that item:
• AP Name
• Radio
• Detecting AP Location
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• WEP—Enabled or disabled.
• WPA—Enabled or disabled.
• Pre-Amble—Long or short.
• RSSI—Received signal strength indicator in dBm.
• SNR—Signal-to-noise ratio.
• Containment Type—Type of containment applied from this access point.
• Containment Channels—Channels that this access point is currently containing.

Viewing Rogue Access Points by Controller

Use the Detecting Access Points feature to view information about the rogue access points by controller. To access the Rogue AP Alarms details page, follow these steps:

Step 1 To display the Rogue AP Alarms page, do one of the following:
• Perform a search for rogue APs. See the “Using the Search Feature” section on page 2-33 for more information about the search feature.
• In the NCS home page, click the Security dashboard. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
• Click the Malicious AP number link in the dashlet.
Step 2 In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The Rogue AP Alarms details page displays.
Step 3 From the Select a command drop-down list, choose View AP Details by Controller.
Step 4 Click Go.

Click a list item to display data about that item:
• Controller IP Address
• Detecting AP Name
• Radio
• Detecting AP Location
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• RSSI—Received signal strength indicator in dBm.
• Classification—Indicates the rogue AP classification.
• State—Indicates the state of the alarm.
Possible states vary depending on the classification type of the rogue access point. See the “Rogue Access Point Classification Types” section on page 3-11 for additional information.
• On Network—Whether it belongs to this network (“Yes” or “No”).
• Containment Level—Indicates the containment level of the rogue access point, or Unassigned (not contained).
• Last Updated Time

Working with Alarms

You can view, assign, and clear alarms and events on access points and mobility services engines using Cisco NCS. This section also describes how to have email notifications of alarms sent to you.

This section contains the following topics:
• Assigning and Unassigning Alarms, page 3-16
• Deleting and Clearing Alarms, page 3-16
• Acknowledging Alarms, page 3-17

Assigning and Unassigning Alarms

To assign or unassign an alarm to yourself, follow these steps:

Step 1 Perform an advanced search for access point alarms. See the “Using the Search Feature” section on page 2-33 for more information.
Step 2 Select the alarms that you want to assign to yourself by selecting their corresponding check boxes.
Note To unassign an alarm assigned to you, unselect the box next to the appropriate alarm. You cannot unassign alarms assigned to others.
Step 3 From the Select a command drop-down list, choose Assign to Me (or Unassign), and click Go. If you choose Assign to Me, your username appears in the Owner column. If you choose Unassign, the username column becomes empty.

Deleting and Clearing Alarms

To delete or clear an alarm from a mobility services engine, follow these steps:

Step 1 In the Monitor > Alarms page, select the alarms that you want to delete or clear by selecting their corresponding check boxes.
Note If you delete an alarm, Cisco NCS removes it from its database.
If you clear an alarm, it remains in the Cisco NCS database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.
Step 2 From the Select a command drop-down list, choose Delete or Clear, and click Go.
Note To set up cleanup of old alarms and cleared alarms, choose Administration > Settings > Alarms.

Acknowledging Alarms

You may want certain alarms to be removed from the Alarms List. For example, if you are continuously receiving an interference alarm from a certain access point on the 802.11g interface, you may want to stop that access point from being counted as an active alarm on the page or any alarms list. In this scenario, you can find the alarm for the 802.11g interface in the Alarms list, select the check box, and choose Acknowledge from the Select a command drop-down list. Now if the access point generates a new violation on the same interface, NCS does not create a new alarm, and the page shows no new alarms. However, if the interference violation is created on another interface, such as 802.11a, a new alarm is created.

Any alarms, once acknowledged, do not show up on either the page or any alarm list page. Also, no emails are generated for these alarms after you have marked them as acknowledged. By default, acknowledged alarms are not included in any search criteria. To change this default, choose Administration > Settings > Alarms and disable the Hide Acknowledged Alarms preference.

Note When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. Use the Administration > User Preferences page to disable this warning message.
You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged during the last seven days. NCS automatically deletes cleared alerts that are more than seven days old, so your results can only show activity for the last seven days. Until an existing alarm is deleted, a new alarm cannot be generated for any managed entity for which NCS has already generated an alarm.

Monitoring Rogue Alarm Events

The Events page enables you to review information about rogue alarm events. NCS generates an event when a rogue access point is detected or when you make manual changes to a rogue access point (such as changing its state). The Rogue AP Events list page displays all rogue access point events.

To access the Rogue AP Events list page, follow these steps:

Step 1 Do one of the following:
• Perform a search for rogue access point events using the Advanced Search feature of NCS. See the “Using the Search Feature” section on page 2-33 for more information.
• In the Rogue AP Alarms details page, choose Event History from the Select a command drop-down list.
Step 2 The Rogue AP Events list page displays the following event information:
• Severity—Indicates the severity of the alarm.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Rogue AP Event Details” section on page 3-18 for more information.
• Vendor—Rogue access point vendor name or Unknown.
• Classification Type—Malicious, Friendly, or Unclassified. See the “Rogue Access Point Classification Types” section on page 3-11 for more information.
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace.
Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of the rogue access point. See the “Rogue Access Point Classification Types” section on page 3-11 for additional information.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Viewing Rogue AP Event Details

To view rogue access point event details, follow these steps:

Step 1 In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2 The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Classification Type—Malicious, Friendly, or Unclassified. See the “Rogue Access Point Classification Types” section on page 3-11 for more information.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of the rogue access point. See the “Rogue Access Point Classification Types” section on page 3-11 for additional information.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—The method by which the event was generated (such as Controller).
• Device IP Address
• Severity—Indicates the severity of the alarm.
• Message—Provides details of the current event.

Monitoring Adhoc Rogue Events

The Events page enables you to review information about adhoc rogue events. NCS generates an event when an adhoc rogue is detected or when you make manual changes to an adhoc rogue (such as changing its state). The Adhoc Rogue Events list page displays all adhoc rogue events.

To access the Rogue AP Events list page, follow these steps:

Step 1 Do one of the following:
• Perform a search for adhoc rogue events using the Advanced Search feature of NCS. See the “Using the Search Feature” section on page 2-33 for more information.
• In the Adhoc Rogue Alarms details page, choose Event History from the Select a command drop-down list.
Step 2 The Rogue AP Events list page displays the following event information:
• Severity—Indicates the severity of the alarm.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Adhoc Rogue Event Details” section on page 3-19 for more information.
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Viewing Adhoc Rogue Event Details

To view rogue access point event details, follow these steps:

Step 1 In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2 The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—The method by which the event was generated (such as Controller).
• Device IP Address
• Severity—Indicates the severity of the alarm.
• Message—Provides details of the current event.

Security Overview

NCS provides a foundation that allows IT managers to design, control, secure, and monitor enterprise wireless networks from a centralized location.
NCS provides the following tools for managing and enforcing wireless security configurations and policies within the Cisco wireless network infrastructure:
• Network security policy creation and enforcement, such as user authentication, encryption, and access control
• Wireless infrastructure security configuration
• Rogue detection, location, and containment
• Wireless intrusion prevention system (wIPS)
• Wireless IPS signature tuning and management
• Management Frame Protection (MFP)
• Collaboration with Cisco wired Network IPS for monitoring and mitigating unauthorized or malicious wireless user activity
• Comprehensive security event management and reporting

Security Vulnerability Assessment

In Cisco Unified Wireless Network Version 5.1, an automated security vulnerability assessment is available to facilitate analysis of an enterprise's overall wireless security posture, as well as to provide WLAN operators with real-time benchmarking of their security services configurations against industry best practices.

The automated security vulnerability assessment provides:
• Proactive vulnerability monitoring of the entire wireless network
• Comprehensive information on security vulnerabilities that could lead to loss of data, network intrusion, or malicious attack
• Reduction in the time and expertise required to analyze and remedy weaknesses in wireless security posture

The automated wireless vulnerability assessment audits the security posture of the entire wireless network for vulnerabilities.
These vulnerabilities can result in:
• Unauthorized management access, or use of management protocols to compromise or adversely impact the network
• Unauthorized network access, data leakage, man-in-the-middle, or replay attacks
• Compromise of, or adverse impact to, the network through manipulation of network protocols and services, for example through denial of service (DoS) attacks

The Cisco NCS automatically scans the entire network and compares settings against Cisco recommended and industry best practices for wireless security configurations. The automated wireless security assessment functions within NCS scan wireless LAN controllers, access points, and network management interfaces for vulnerabilities in configuration settings, encryption, user authentication, infrastructure authentication, network management, and access control. The status of the wireless network security is graphically displayed to provide wireless network administrators with an easy-to-read dashboard of security events.

NCS displays the vulnerability assessment results through a Security Index on the NCS security dashboard. The Security Index summarizes the network security posture with a composite security score and a prioritized summary of vulnerabilities. See the “Security Index” section on page 3-21 for more information.

Administrators can drill down to the Security Index Detailed Report if an event in the Security Summary warrants further investigation. The Security Index Detailed Report provides in-depth analysis of the vulnerabilities across the network. It also identifies optimal security settings and recommends changes that will remedy the vulnerabilities. Any changes the administrator makes are reflected in an updated Security Index score. See the “Security Index Detailed Report” section on page 3-22 for more information.

Security Index

The Security Index gives an indication of the security of the NCS managed network.
The security index is calculated by assigning a weight to each of the various security configurations and displaying the result in visual form. The combined weightings can vary from 0 to 100, where 0 signifies least secure and 100 most secure. The weighting comes from the lowest scoring controller and the lowest scoring Location Server/Mobility Service Engine related security configurations that are maintained within NCS itself. For example, the security index of the NCS managed network is equal to the lowest scoring controller plus the lowest scoring Location Server/Mobility Service Engine.

The following color scheme applies to the security index:
• Above or equal to 80—Green
• Below 80 but above or equal to 60—Yellow
• Below 60—Red

Note Guest WLANs are excluded from the WLANs considered for the index. A WLAN that has web authentication or web passthrough enabled is identified as a guest WLAN.

The security index of the latest release is the benchmark for the required security configurations. For example, if AES encryption was not present in an earlier version of code, the index is reduced by the number associated with the AES encryption security configuration. Likewise, if new security configurations are introduced, the weighting is altered.

The configurations stored in NCS may not be up to date with the ones in the controllers unless the Refresh from Controller command is run from NCS. You can run Security Index calculations from the Configuration Sync task to get the latest configuration data from all the controllers.

Top Security Issues

The Top Security Issues section displays the five top security issues. The View All and Devices links sort the relevant columns and show a report of security issues occurring across all controllers. Click View All to open the Security Index Detailed Report. Click Devices to view the Security Index Controller Report.
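The scoring rules of this section, together with the acknowledgement rules given under Security Index Detailed Report below (only the lowest scoring controller and MSE count, only the lowest scoring non-guest WLAN of a controller counts, Telnet outranks SSH), modelled as an added example that is not NCS code; the issue names, the per-issue weights and the 80/20 split of the 100-point scale between controllers and MSEs are assumptions of this example.

```python
"""Model of the Security Index rules described in this section (constructed
example, not NCS's own code). The per-issue weights and the 80/20 split
between the controller part and the MSE part are assumptions; the guide
states only that the combined scale runs from 0 to 100."""
import copy
from dataclasses import dataclass, field

CONTROLLER_BUDGET = 80   # assumed share of the 100 points held by the controllers
MSE_BUDGET = 20          # assumed share held by location servers / MSEs

# Controller issue -> (weight, precedence group or None). Telnet outranks SSH
# in the "mgmt_access" group, as the guide states, so only the highest-ranked
# active issue of a group is charged (lower rank number wins).
CONTROLLER_ISSUES = {
    "telnet_enabled": (25, ("mgmt_access", 0)),
    "ssh_disabled": (10, ("mgmt_access", 1)),
    "snmp_default_community": (20, None),
    "http_enabled": (10, None),
}
WLAN_ISSUES = {"no_encryption": 30, "wep": 25, "tkip": 10, "mfp_optional": 5}
MSE_ISSUES = {"http_enabled": 10, "default_password": 10}


@dataclass
class Wlan:
    name: str
    issues: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)
    guest: bool = False   # web auth / web passthrough WLANs are excluded

@dataclass
class Controller:
    name: str
    issues: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)
    wlans: list = field(default_factory=list)

@dataclass
class Mse:
    name: str
    issues: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)


def wlan_penalty(w):
    return sum(WLAN_ISSUES[i] for i in w.issues - w.acknowledged)

def controller_score(ctl):
    """Budget minus active controller issues minus the lowest scoring non-guest WLAN."""
    penalty, charged = 0, {}
    for issue in ctl.issues - ctl.acknowledged:
        weight, group = CONTROLLER_ISSUES[issue]
        if group is None:
            penalty += weight
        else:
            name, rank = group
            if name not in charged or rank < charged[name][0]:
                charged[name] = (rank, weight)
    penalty += sum(weight for _, weight in charged.values())
    worst_wlan = max((wlan_penalty(w) for w in ctl.wlans if not w.guest), default=0)
    return max(0, CONTROLLER_BUDGET - penalty - worst_wlan)

def mse_score(m):
    return max(0, MSE_BUDGET - sum(MSE_ISSUES[i] for i in m.issues - m.acknowledged))

def security_index(controllers, mses):
    """Lowest scoring controller plus lowest scoring MSE, as the guide describes."""
    ctl = min((controller_score(c) for c in controllers), default=CONTROLLER_BUDGET)
    mse = min((mse_score(m) for m in mses), default=MSE_BUDGET)
    return ctl + mse

def index_color(index):
    return "Green" if index >= 80 else "Yellow" if index >= 60 else "Red"


# Constructed network (not real devices): ctl-a is the lowest scoring controller.
NETWORK = (
    [Controller("ctl-a", {"telnet_enabled", "ssh_disabled", "http_enabled"},
                wlans=[Wlan("corp", {"tkip"}), Wlan("guest", {"no_encryption"}, guest=True)]),
     Controller("ctl-b", {"snmp_default_community"}, wlans=[Wlan("corp", {"mfp_optional"})])],
    [Mse("mse-1", {"http_enabled"})],
)

def walk_through():
    """Index after each acknowledgement step discussed in the text (on a copy)."""
    ctls, mses = copy.deepcopy(NETWORK)
    a, b = ctls
    steps = {"initial": security_index(ctls, mses)}
    a.acknowledged.add("ssh_disabled")            # Telnet still charged: no change
    steps["ack ssh on lowest controller"] = security_index(ctls, mses)
    b.acknowledged.add("snmp_default_community")  # not the lowest controller: no change
    steps["ack issue on other controller"] = security_index(ctls, mses)
    a.acknowledged.add("telnet_enabled")          # the charged issue goes away
    steps["ack telnet on lowest controller"] = security_index(ctls, mses)
    return steps


if __name__ == "__main__":
    for step, idx in walk_through().items():
        print(f"{step:32} index={idx:3} {index_color(idx)}")
```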
• Security Index Detailed Report, page 3-22
• Security Index Controller Report, page 3-22
• Potential Security Issues, page 3-23

Security Index Detailed Report

The Security Index Detailed Report displays all security issues found across all controllers, location servers, and mobility service engines. It details problems found in a particular security configuration retrieved from the device. If a particular issue has been acknowledged (just like alarms), it is ignored when the next Configuration Sync task runs (if Security Index Calculation is enabled).

In some cases, when an issue is acknowledged and is ignored the next time the Configuration Sync task runs, the final security index score does not change. Some possible reasons for this include:
• The acknowledged issue is on a controller that is not directly affecting the security index score (for instance, it is not the controller with the lowest score).
• The acknowledged issue is on a WLAN that is not directly affecting the security index score. Only the lowest scoring WLAN of the lowest scoring controller affects the security index score.

When SSH and Telnet are both enabled on a controller and both are flagged as issues, the Telnet issue has a higher precedence than SSH. Even if SSH is acknowledged on the controller with the lowest score, the security index does not change.

From the Select a command drop-down list, choose Show All to view all security issues (both acknowledged and unacknowledged). Choose Show Unacknowledged to view only unacknowledged security issues. This is the default view when View All is selected from the Security Summary page. Choose Show Acknowledged to view only acknowledged security issues.

Note For a user to Acknowledge or Unacknowledge security issues, the user must have the “Ack and Unack Security Index Issues” permission enabled.

Security Index Controller Report

This page shows the security violation report as a summary for each controller.
By row, each controller shows the number of security issues that occurred on that controller and provides a link to all security issues. If you click the number in the Security Issues Count column, the Security Index Detailed Report appears.

Potential Security Issues

Table 3-7 and Table 3-8 describe the potential security issues.

Table 3-7 Potential Security Issues (columns: Controller Security Issue; Why is this an Issue?; What is the Solution?)

Issue: WLAN SSID on the controller has a weak authentication method.
Why: Weak authentication method for a WLAN, which can be broken by using tools available online if WLAN packets are sniffed.
Solution: Use the most secure authentication method, WPA+WPA2.

Issue: WLAN SSID on the controller has a weak authentication method (CKIP) configured.
Why: Weak authentication method for a WLAN.
Solution: Use the most secure authentication method, WPA+WPA2.

Issue: WLAN SSID on the controller has no user authentication configured.
Why: No authentication method is a clear security risk for a WLAN.
Solution: Configure strong authentication methods such as WPA+WPA2.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with Key Permutation) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with MMH) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 40 bits with MMH and Key Permutation) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (WEP 104 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with MMH) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with Key Permutation) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (CKIP WEP 104 bits with MMH and Key Permutation) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (WEP 40 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (WEP 128 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (TKIP) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has no encryption configured.
Why: No encryption method is a clear security risk for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has a weak encryption method (WEP 104 bits) configured.
Why: Weak encryption method for a WLAN.
Solution: Configure strong authentication and encryption methods such as WPA+WPA2 with AES.

Issue: WLAN SSID on the controller has no key management methods configured (applicable only for WPA+WPA2).
Why: A key management method enhances the security of keys; without one, the WLAN is less secure.
Solution: Configure at least one key management method, such as CCKM.

Issue: WLAN SSID on the controller has MFP Client Protection set to “Optional”.
Why: With MFP Client Protection set to optional for a WLAN, authenticated clients may not be shielded from spoofed frames.
Solution: Set MFP Client Protection to “Required” to protect against clients connecting to a rogue access point.

Issue: WLAN SSID on the controller has MFP Client Protection set to “Disabled”.
Why: With MFP Client Protection set to disabled for a WLAN, authenticated clients may not be shielded from spoofed frames.
Solution: Set MFP Client Protection to “Required” to protect against clients connecting to a rogue access point.

Issue: WLAN SSID interface is set to “management” on the controller.
Why: As recommended by SAFE, user traffic should be separated from management traffic.
Solution: The WLAN interface should not be set to “management” on the controller.

Issue: The WLAN interface is set to one that is a VLAN.
Why: As recommended by SAFE, user traffic should be separated from VLAN traffic.
Solution: The WLAN needs its interface set to one that is neither management nor one that has a VLAN.

Issue: WLAN SSID on the controller has “Client Exclusion” disabled.
Why: With Client Exclusion policies disabled, an attacker is able to continuously try to access the WLAN network.
Solution: Enable “Client Exclusion” to secure against malicious WLAN client behavior.

Issue: WLAN SSID on the controller has “Broadcast SSID” enabled.
Solution: Disable “Broadcast SSID” to secure your wireless network.
Issue: WLAN SSID on the controller has “MAC Filtering” disabled.
Solution: Enable “MAC Filtering” to secure your wireless network.

Issue: Protection Type is set to “AP Authentication” on the controller.
Why: When AP Authentication is set, an access point checks beacon/probe response frames from neighboring access points to see if they contain an authenticated information element (IE) that matches that of the RF group. This provides some security but does not cover all management frames and is open to alteration by rogue access points.
Solution: Set Protection Type to “Management Frame Protection (MFP)” on the controller.

Issue: Protection Type is set to “None” on the controller.
Why: No security for 802.11 management messages passed between access points and clients.
Solution: Set Protection Type to “Management Frame Protection (MFP)” on the controller.

Issue: Radio type is configured to detect rogues only on DCA channels.
Why: Rogue detection, if done only on a subset of country/all channels, is less secure than detection done on country/all channels.
Solution: Configure radio types 802.11a/n and 802.11b/g/n to detect rogues on country channels or all channels.

Issue: Radio type is configured to detect rogues on neither country channels nor DCA channels.
Why: Rogue detection, if configured on neither country nor DCA channels, is less secure than when done on country/all channels.
Solution: Configure radio types 802.11a/n and 802.11b/g/n to detect rogues on country channels or all channels.

Issue: The rogue policy to detect and report adhoc networks is disabled on the controller.
Why: With detection and reporting of adhoc networks turned off, adhoc rogues go undetected.
Solution: Enable the rogue policy to detect and report adhoc networks.

Issue: “Check for all Standard and Custom Signatures” is disabled on the controller.
Why: If Check for all Standard and Custom Signatures is disabled, various types of attacks in incoming 802.11 packets go undetected.
Solution: Check for all Standard and Custom Signatures needs to be turned on to identify various types of attacks in incoming 802.11 packets.

Issue: Some of the Standard Signatures are disabled on the controller.
Why: If only some of the Standard Signatures are disabled,
Solution: Enable all Standard Signatures on the controller.

Issue: The “Excessive 802.11 Association Failures” Client Exclusion Policy is disabled on the controller.
Why: Excessive failed association attempts can consume system resources and launch a potential denial of service attack against the infrastructure.
Solution: Enable the “Excessive 802.11 Association Failures” Client Exclusion Policy on the controller.

Issue: The “Excessive 802.11 Authentication Failures” Client Exclusion Policy is disabled on the controller.
Why: Excessive failed authentication attempts can consume system resources and launch a potential denial of service attack against the infrastructure.
Solution: Enable the “Excessive 802.11 Authentication Failures” Client Exclusion Policy on the controller.

Issue: The “Excessive 802.1X Authentication Failures” Client Exclusion Policy is disabled on the controller.
Why: Excessive failed 802.1X authentication attempts can consume system resources and launch a potential denial of service attack against the infrastructure.
Solution: The Excessive 802.1X Authentication Failures Client Exclusion Policy must be enabled to prevent denial of service attacks against the infrastructure.

Issue: The “Excessive 802.11 Web Authentication Failures” Client Exclusion Policy is disabled on the controller.
If Excessive 802.11 Web failed web authentication attempts can consume system resources and launch potential Denial of Service attack to the infrastructure. Enable the “Excessive 802.11 Web Authentication Failures” Client Exclusion Policy on the controller. The “IP Theft or IP Reuse” Client Exclusion Policy is disabled on the controller. If IP Theft or Reuse Client Exclusion Policy is disabled, then an attacker masquerading as another client would not be disallowed. Enable the “IP Theft or IP Reuse” Client Exclusion Policy on the controller. No CIDS Sensor configured on the controller. If no enabled IDS Sensor is configured, then IP-level attacks would not be detected. Configure at least one CIDS Sensor on the controller. Controller is configured with default community strings for SNMP v1/v2. If SNMP V1 or V2 with default Community is configured then it is open to easy attacks since default communities are well known. Use SNMPv3 with Auth and Privacy Types. Controller is configured with non-default community strings for SNMP v1/v2. SNMP V1 or V2 with non-default Community is slightly more secure than default Community but still less secure than SNMP V3. Use SNMPv3 with Auth and Privacy types. SNMPv3 is configured with a default user on the controller. Using a default user makes SNMP V3 connections less secure. Use a non-default username for SNMPv3 with Auth and Privacy Types. SNMPv3 is configured with either no Auth or Privacy Type on the controller. SNMP V3 with either Auth or Privacy Type set to none reduces the security of SNMP V3 connection. Use SNMPv3 with Auth and Privacy Types to secure your wireless network. HTTP (Web Mode enabled but Secure Web Mode disabled) is enabled on the controller. HTTP is less secure than HTTPS. Enable HTTPS (both Web Mode and Secure Web Mode) on the controller. Table 3-7 Potential Security Issues (continued) Controller Security Issue Why is this an Issue? 
What is the Solution?3-27 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 3 Configuring Security Solutions Security Overview Telnet is enabled on the controller. If telnet is enabled, then the controller is at risk of being hacked into. Disable telnet on the controller. SSH is disabled and timeout value is set to zero on the controller. If SSH is enabled and timeout is zero then the controller has risk of being hacked into. Enable SSH with non-zero timeout value on the controller. Telnet is enabled on the AP. If telnet is enabled, then the access point is at risk of being hacked into. Disable Telnet on all access points. SSH is enabled on the AP. Disable SSH on all the access points. At least one of the APs is configured with default username or password. If default password is configured, then access points are more susceptible to connections from outside the network. Configure a non-default username and strong password for all access points associated to the controller. Table 3-7 Potential Security Issues (continued) Controller Security Issue Why is this an Issue? What is the Solution? Ta b l e 3-8 Potential Security Issues Location Server/ Mobility Server Engine Security Issue Why is this an Issue? What is the Solution? HTTP is enabled on the location server. HTTP is less secure than HTTPS. Enable HTTPS on the location server. A location server user has a default password configured. If default password is configured, then Location Server/ Mobility Server Engine is more susceptible to connections from outside the network. Configure a strong password for the location server users. HTTP is enabled on the mobility services engine. HTTP is less secure than HTTPS. Enable HTTPS on the mobility services engine. A mobility services engine user has default password configured. If default password is configured, then Location Server/ Mobility Server Engine is more susceptible to connections from outside the network. 
Configure a strong password for the users on the mobility services engine. wIPS Service is not enabled on the mobility services engine. Your network is vulnerable to advanced security threats. Deploy wIPS Service to protect your network from advanced security threats. 3-28 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 3 Configuring Security Solutions Switch Port Tracing Switch Port Tracing Currently, NCS provides rogue access point detection by retrieving information from the controller. The rogue access point table is populated with any detected BSSID addresses from any frames that are not present in the neighbor list. At the end of a specified interval, the contents of the rogue table are sent to the controller in an CAPWAP Rogue AP Report message. With this method, NCS would simply gather the information received from the controllers; but with software release 5.1, you can incorporate switch port tracing of Wired Rogue Access Point Switch Ports. This enhancement allows you to react to found wired rogue access points and prevent future attacks. The trace information is available only in the NCS log and only for rogue access points, not rogue clients. Note Rogue Client connected to the Rogue Access point information is used to track the switch port to which the Rogue Access point is connected in the network. Note If you try to set tracing for a friendly or deleted rogue, a warning message appears. Note For Switch Port Tracing to successfully trace the switch ports using SNMP v3, all of the OIDs should be included in the SNMP v3 view and VLAN content should be created for each VLAN in the SNMP v3 group. Establishing Switch Port Tracing To establish switch port tracing, follow these steps: Step 1 In the NCS home page, click the Security dashboard. Step 2 In the Rogue APs and Adhoc Rogues section, click the number URL which specifies the number of rogues in the last hour, last 24 hours, or total active. 
Step 3 Choose the rogue for which you are setting switch port tracing by clicking the URL in the MAC Address column. The Alarms > Rogue AP details page opens.

Step 4 From the Select a command drop-down list, choose Trace Switch Port. The Trace Switch Port page opens, and NCS runs a switch port trace.

When one or more searchable MAC addresses are available, NCS uses CDP to discover any switches connected up to two hops away from the detecting access point. The MIBs of each CDP-discovered switch are examined to see whether they contain any of the target MAC addresses. If any of the MAC addresses are found, the corresponding port number is returned and reported as the switch port of the rogue.

Integrated Security Solutions

The Cisco Unified Wireless Network Solution also provides these integrated security solutions:
• Operating system security works with industry-standard AAA servers, making system integration simple and easy.
• The Cisco intrusion detection system/intrusion prevention system (CIDS/IPS) instructs controllers to block certain clients from accessing the wireless network when attacks involving these clients are detected.
• The operating system security solution offers comprehensive Layer 2 and Layer 3 encryption algorithms, which typically require a large amount of processing power. Rather than assigning the encryption tasks to yet another server, the controller can be equipped with a VPN/enhanced security module that provides the extra hardware required for the most demanding security configurations.

Using NCS to Convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 Mode

To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 LWAPP transport mode using the NCS user interface, follow these steps:

Note Cisco-based lightweight access points do not support Layer 2 LWAPP mode. These access points can only be run in Layer 3 mode.

Note This procedure causes your access points to go offline until the controller reboots and the associated access points reassociate to the controller.

Step 1 Make sure that all controllers and access points are on the same subnet.

Note You must configure the controllers and associated access points to operate in Layer 2 mode before completing the conversion.

Step 2 Log into the NCS user interface. Then follow these steps to change the LWAPP transport mode from Layer 3 to Layer 2:
a. Choose Configure > Controllers to navigate to the All Controllers page.
b. Click the desired IP address of a controller to display the IP Address > Controller Properties page.
c. From the left sidebar menu, click System > General to display the IP Address > General page.
d. Change LWAPP transport mode to Layer2, and click Save.
e. If NCS displays the following message, click OK: Please reboot the system for the LWAPP Mode change to take effect.

Step 3 To restart your Cisco Unified Wireless Network Solution, follow these steps:
a. Return to the IP Address > Controller Properties page.
b. Click System > Commands to display the IP Address > Controller Commands page.
c. Under Administrative Commands, choose Save Config To Flash, and click Go to save the changed configuration to the controller.
d. Click OK to continue.
e. Under Administrative Commands, choose Reboot, and click Go to reboot the controller.
f. Click OK to confirm the save and reboot.

Step 4 After the controller reboots, follow these steps to verify that the LWAPP transport mode is now Layer 2:
a. Click Monitor > Controllers to navigate to the Controllers > Search Results page.
b. Click the desired IP address of a controller to display the Controllers > IP Address > Summary page.
c. Under General, verify that the current LWAPP transport mode is Layer2.

You have completed the LWAPP transport mode conversion from Layer 3 to Layer 2. The operating system software now controls all communications between controllers and access points on the same subnet.

Configuring a Firewall for NCS

When an NCS server and an NCS user interface are on different sides of a firewall, they cannot communicate unless the following ports on the firewall are open to two-way traffic:
• 80 (initial HTTP, TCP)
• 69 (TFTP, UDP)
• 162 (SNMP trap port, UDP)
• 443 (HTTPS, TCP)

Open these ports to configure your firewall to allow communications between an NCS server and an NCS user interface.

Access Point Authorization

You can view a list of authorized access points along with the type of certificate that an access point uses for authorization.
Step 1 Choose Configure > Controllers.
Step 2 Click one of the URLs in the IP Address column.
Step 3 From the left sidebar menu, choose Security > AP/MSE Authorization.
Step 4 The AP Policies portion of the page indicates whether the authorization of access points is enabled or disabled. It also indicates whether the acceptance of self-signed certificates (SSC APs) is enabled or disabled. Normally, access points can be authorized either by AAA or by certificates. (SSC is only available for 4400 and 200 controllers.) To change these values, choose Edit AP Policies from the Select a command drop-down list, and click Go.
Step 5 The AP Authorization List portion shows the radio MAC address of the access point, the certificate type, and the key hash. To add a different authorization entry, choose Add AP/MSE Auth Entry from the Select a command drop-down list, and click Go.
Step 6 From the drop-down list, choose a template to apply to this controller, and click Apply. To create a new template for access point authorization, click the click here link to be redirected to the template creation page. See the "Configuring an Access Point or MSE Authorization Template" section on page 11-59 for steps on creating a new template.

Management Frame Protection (MFP)

Management Frame Protection (MFP) provides security for the otherwise unprotected and unencrypted 802.11 management messages passed between access points and clients. MFP provides both infrastructure and client support.

• Infrastructure MFP—Protects management frames by detecting adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting network performance by attacking the QoS and radio measurement frames. It also provides a quick and effective means to detect and report phishing incidents. Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity check information elements (MIC IEs) to the management frames emitted by access points (and not those emitted by clients), which are then validated by other access points in the network. Infrastructure MFP is passive: it can detect and report intrusions but has no means to stop them.

• Client MFP—Shields authenticated clients from spoofed frames, preventing many of the common attacks against wireless LANs from becoming effective. Most attacks, such as deauthentication attacks, revert to simply degrading performance by contending with valid clients. Specifically, client MFP encrypts management frames sent between access points and Cisco Compatible Extension clients so that both access points and clients can take preventive action by dropping spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect the following types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action. Client MFP is active: it can protect a client-access point session from the most common type of denial of service attack. It protects class 3 management frames by using the same encryption method used for the session's data frames. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.

To use client MFP, clients must support Cisco Compatible Extensions (version 5) MFP and must negotiate WPA2 using either TKIP or AES-CCMP. EAP or PSK may be used to obtain the PMK. CCKM and controller mobility management are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.

To prevent attacks against broadcast frames, access points supporting Cisco Compatible Extensions (version 5) do not emit any broadcast class 3 management frames (such as disassociation, deauthentication, or action). Cisco Compatible Extensions (version 5) clients and access points must discard broadcast class 3 management frames.

Client MFP supplements infrastructure MFP rather than replacing it, because infrastructure MFP continues to detect and report invalid unicast frames sent to clients that are not client-MFP capable, as well as invalid class 1 and 2 management frames. Infrastructure MFP is applied only to management frames that are not protected by client MFP.

Infrastructure MFP consists of three main components:
• Management frame protection—The access point protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy.
• Management frame validation—In infrastructure MFP, the access point validates every management frame it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system. In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.
• Event reporting—The access point notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and reports the results through SNMP traps to the network management system.
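The three infrastructure MFP components just listed (MIC generation on the transmitting access point, validation with NTP-synchronized timestamps on a neighboring access point, and event aggregation on the controller) worked through as an added Python example. This is not Cisco's code, and it does not reproduce the real MFP IE layout or keying: the MIC is an HMAC-SHA256 analogue over the frame fields plus a timestamp, and the key, the BSSIDs, the frames and the 5-second skew window are assumptions made for the illustration.

```python
"""Infrastructure MFP's three components (protection, validation, event
reporting) modelled in Python.  Added illustration, not Cisco's implementation:
the MIC IE is an HMAC-SHA256 over the frame fields plus a timestamp, the real
IE layout and keying are not reproduced, and every key, BSSID and frame below
is constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

MIC_WINDOW = 5.0  # seconds of skew tolerated between NTP-synchronized APs (example value)


@dataclass(frozen=True)
class MgmtFrame:
    bssid: str                      # transmitting AP, i.e. the one that should have signed it
    subtype: str                    # "beacon", "deauth", "probe_resp", ...
    dst: str
    body: bytes
    mic_ie: Optional[dict] = None   # {"timestamp": float, "mic": bytes} when MFP-protected


def _mic(key: bytes, frame: MgmtFrame, timestamp: float) -> bytes:
    """MIC over everything the receiver checks, so any copy, alteration or replay breaks it."""
    msg = b"|".join([frame.bssid.encode(), frame.subtype.encode(),
                     frame.dst.encode(), frame.body, repr(timestamp).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def protect(key: bytes, frame: MgmtFrame, now: float) -> MgmtFrame:
    """Management frame protection: the transmitting AP appends the MIC IE."""
    return replace(frame, mic_ie={"timestamp": now, "mic": _mic(key, frame, now)})


class Controller:
    """Aggregates anomaly events from its APs, as the controller does before trapping to NCS."""

    def __init__(self):
        self.events = []

    def report(self, bssid: str, anomaly: str) -> str:
        self.events.append((bssid, anomaly))
        return anomaly

    def trap_summary(self) -> dict:
        counts = {}
        for key in self.events:
            counts[key] = counts.get(key, 0) + 1
        return counts


class ValidatingAP:
    """Management frame validation on a neighbouring AP."""

    def __init__(self, mfp_keys: dict, controller: Controller):
        self.mfp_keys = mfp_keys      # BSSIDs configured to transmit MFP frames -> their key
        self.controller = controller
        self.seen = set()             # (bssid, timestamp, mic) already accepted

    def receive(self, frame: MgmtFrame, now: float) -> str:
        key = self.mfp_keys.get(frame.bssid)
        if key is None:
            return "not-mfp"          # originator not configured for MFP: nothing to validate
        ie = frame.mic_ie
        if ie is None:
            return self.controller.report(frame.bssid, "missing MIC IE")
        if not hmac.compare_digest(ie["mic"], _mic(key, frame, ie["timestamp"])):
            return self.controller.report(frame.bssid, "invalid MIC IE")
        if abs(now - ie["timestamp"]) > MIC_WINDOW:
            return self.controller.report(frame.bssid, "stale timestamp")
        fingerprint = (frame.bssid, ie["timestamp"], ie["mic"])
        if fingerprint in self.seen:
            return self.controller.report(frame.bssid, "replayed frame")
        self.seen.add(fingerprint)
        return "valid"


def run_demo():
    """Constructed traffic: one MFP-capable AP, one neighbour validating its frames."""
    ctl = Controller()
    ap_bssid = "00:1a:2b:3c:4d:5e"
    keys = {ap_bssid: b"constructed-mfp-key"}
    neighbour = ValidatingAP(keys, ctl)

    deauth = MgmtFrame(ap_bssid, "deauth", "c0:ff:ee:00:00:01", b"\x07\x00")  # reason code 7
    signed = protect(keys[ap_bssid], deauth, now=100.0)
    results = [
        neighbour.receive(signed, 100.2),                             # genuine frame
        neighbour.receive(signed, 100.4),                             # captured and replayed
        neighbour.receive(deauth, 100.5),                             # rogue spoofing the BSSID, no MIC IE
        neighbour.receive(replace(signed, body=b"\x01\x00"), 100.6),  # altered body, MIC no longer matches
        neighbour.receive(signed, 700.0),                             # replayed ten minutes later
        neighbour.receive(MgmtFrame("de:ad:be:ef:00:01", "beacon",
                                    "ff:ff:ff:ff:ff:ff", b""), 101.0),  # BSSID not configured for MFP
    ]
    return results, ctl.trap_summary()
```

Only frames from a BSSID the receiver knows to be MFP-enabled are validated, which is why the unsigned beacon from the unknown BSSID is ignored rather than reported; that mirrors the validation rule above. The timestamp check is what makes the NTP requirement matter: with unsynchronized clocks, every legitimate frame would fall outside the window.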
Note Client MFP uses the same event reporting mechanisms as infrastructure MFP.

Infrastructure MFP is enabled by default and can be disabled globally. When you upgrade from a previous software release, infrastructure MFP is disabled globally if access point authentication is enabled, because the two features are mutually exclusive. After infrastructure MFP is enabled globally, signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected access points.

You set MFP in the WLAN template. See the "Configuring WLAN Template" section on page 11-22.

Guidelines for Using MFP

Follow these guidelines for using MFP:
• MFP is supported for use with Cisco Aironet lightweight access points, except for the 1500 series mesh access points.
• Lightweight access points support infrastructure MFP in local and monitor modes, and in REAP and hybrid-REAP modes when the access point is connected to a controller. They support client MFP in local, hybrid-REAP, and bridge modes.
• Client MFP is supported for use only with Cisco Compatible Extensions (version 5) clients using WPA2 with TKIP or AES-CCMP.
• Non-Cisco Compatible Extensions (version 5) clients may associate to a WLAN if client MFP is disabled or optional.

Configuring Intrusion Detection Systems (IDS)

The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/IPS) instructs controllers to block certain clients from accessing the wireless network when attacks involving these clients are detected. This system offers significant network protection by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse.
Two methods are available to detect IDS attacks:
• IDS sensors (for Layer 3)
• IDS signatures (for Layer 2)

Viewing IDS Sensors

When the sensors identify an attack, they alert the controller to shun the offending client. When you add a new IDS sensor, you register the controller with that IDS sensor so that the sensor can send shunned-client reports to the controller. The controller also polls the sensor periodically.

To view IDS sensors, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Choose a controller by clicking an IP address.
Step 3 From the left sidebar menu, choose Security > IDS Sensor Lists. The IDS Sensor page appears. This page lists all of the IDS sensors that have been configured for this controller.

Configuring IDS Signatures

You can configure IDS signatures, or bit-pattern matching rules used to identify various types of attacks in incoming 802.11 packets, on the controller. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller. If an attack is detected, an appropriate mitigation action is initiated.

Cisco supports 17 standard signatures on the controller, as shown on the Standard Signatures and Custom Signatures page (see Figure 3-3). To open this page, choose Configure > Controllers, select a controller IP address, and then choose Security > Wireless Protection Policies > Standard Signatures from the left sidebar menu.

Figure 3-3 Standard Signatures Page

These signatures are divided into six main groups.
The first four groups contain management signatures, and the last two groups contain data signatures:

• Broadcast deauthentication frame signatures—During a broadcast deauthentication frame attack, a hacker sends an 802.11 deauthentication frame to the broadcast MAC destination address. This attack causes the destination clients to disassociate from the access point and lose their connection. If this action is repeated, the clients experience a denial of service. When the broadcast deauthentication frame signature (precedence 1) is used to detect such an attack, the access point listens for clients transmitting broadcast deauthentication frames that match the characteristics of the signature. If the access point detects such an attack, it alerts the controller. Depending on how your system is configured, the offending device is contained so that its signals no longer interfere with authorized clients, or the controller forwards an immediate alert to the system administrator for further action, or both.

• NULL probe response signatures—During a NULL probe response attack, a hacker sends a NULL probe response to a wireless client adapter. As a result, the client adapter locks up. When a NULL probe response signature is used to detect such an attack, the access point identifies the wireless client and alerts the controller. The NULL probe response signatures include:
– NULL probe resp 1 (precedence 2)
– NULL probe resp 2 (precedence 3)

• Management frame flood signatures—During a management frame flood attack, a hacker floods an access point with 802.11 management frames. The result is a denial of service to all clients associated or attempting to associate to the access point.
This attack can be implemented with different types of management frames: association requests, authentication requests, reassociation requests, probe requests, disassociation requests, deauthentication requests, and reserved management subtypes. When a management frame flood signature is used to detect such an attack, the access point identifies management frames matching the entire set of characteristics of the signature. If the frequency of these frames is greater than the frequency value set in the signature, an access point that hears these frames triggers an alarm. The controller generates a trap and forwards it to NCS. The management frame flood signatures include:
– Assoc flood (precedence 4)
– Auth flood (precedence 5)
– Reassoc flood (precedence 6)
– Broadcast probe flood (precedence 7)
– Disassoc flood (precedence 8)
– Deauth flood (precedence 9)
– Reserved mgmt 7 (precedence 10)
– Reserved mgmt F (precedence 11)
The reserved management frame signatures 7 and F cover management subtypes that are reserved for future use.

• EAPOL flood signature—During an EAPOL flood attack, a hacker floods the air with EAPOL frames containing 802.1X authentication requests. As a result, the 802.1X authentication server cannot respond to all of the requests and fails to send successful authentication responses to valid clients. The result is a denial of service to all affected clients. When the EAPOL flood signature (precedence 12) is used to detect such an attack, the access point waits until the maximum number of allowed EAPOL packets is exceeded. It then alerts the controller and proceeds with the appropriate mitigation.
• NetStumbler signatures—NetStumbler is a wireless LAN scanning utility that reports access point broadcast information (such as operating channel, RSSI information, adapter manufacturer name, SSID, WEP status, and the latitude and longitude of the device running NetStumbler when a GPS is attached). If NetStumbler succeeds in authenticating and associating to an access point, it sends a data frame containing one of the strings listed in Table 3-9, depending on the NetStumbler version. When a NetStumbler signature is used to detect such an attack, the access point identifies the offending device and alerts the controller. The NetStumbler signatures include:
– NetStumbler 3.2.0 (precedence 13)
– NetStumbler 3.2.3 (precedence 14)
– NetStumbler 3.3.0 (precedence 15)
– NetStumbler generic (precedence 16)

• Wellenreiter signature—Wellenreiter is a wireless LAN scanning and discovery utility that can reveal access point and client information. When the Wellenreiter signature (precedence 17) is used to detect such an attack, the access point identifies the offending device and alerts the controller.

Table 3-9 NetStumbler Versions

| Version | String |
|---|---|
| 3.2.0 | "Flurble gronk bloopit, bnip Frundletrune" |
| 3.2.3 | "All your 802.11b are belong to us" |
| 3.3.0 | Sends white spaces |

This section provides the instructions to configure signatures and includes the following topics:
• Uploading IDS Signatures, page 3-36
• Downloading IDS Signatures, page 3-37
• Enabling or Disabling IDS Signatures, page 3-38

Uploading IDS Signatures

To upload IDS signatures from the controller, follow these steps:

Step 1 Obtain a signature file from Cisco (hereafter called a standard signature file). You can also create your own signature file (hereafter called a custom signature file) by following the "Downloading IDS Signatures" section on page 3-37.
Step 2 You can configure a TFTP server for the signature download. Keep these guidelines in mind when setting up a TFTP server:
• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server).
• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as Cisco NCS, because the built-in TFTP server of NCS and a third-party TFTP server use the same communication port.
• TFTP is unauthenticated and unencrypted, so keep the TFTP server on a management network that untrusted hosts cannot reach.

Step 3 Choose Configure > Controllers.
Step 4 Choose a controller by clicking an IP address.
Step 5 From the left sidebar menu, choose Security and then Standard Signatures or Custom Signatures.
Step 6 From the Select a command drop-down list, choose Upload Signature Files from Controller. Figure 3-4 shows the page that appears.

Figure 3-4 Uploading Signature File

Step 7 Specify the TFTP server name being used for the transfer.
Step 8 If the TFTP server is new, enter the TFTP IP address in the Server IP Address parameter.
Step 9 Choose Signature Files from the File Type drop-down list.
Step 10 The signature files are uploaded to the root directory which was configured for use by the TFTP server. You can change to a different directory in the Upload to File parameter (this parameter only shows if the Server Name is the default server).
The controller uses this local file name as a base name and then adds _std.sig as a suffix for standard signature files and _custom.sig as a suffix for custom signature files.
Step 11 Click OK.

Downloading IDS Signatures

If the standard signature file is already on the controller but you want to download customized signatures to it, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Choose a controller by clicking an IP address.
Step 3 Choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download IDS Signatures, and click Go.
Step 5 Copy the signature file (*.sig) to the default directory on your TFTP server.
Step 6 Choose local machine from the File is Located On parameter. If you know the filename and path relative to the server's root directory, you can also choose TFTP server.
Step 7 Enter the maximum number of times the controller should attempt to download the signature file in the Maximum Retries parameter.
Step 8 Enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file in the Timeout parameter.
Step 9 The signature files are uploaded to the c:\tftp directory. Specify the local file name in that directory or use the Browse button to navigate to it. A "revision" line in the signature file specifies whether the file is a Cisco-provided standard signature file or a site-tailored custom signature file (custom signature files must always have revision=custom).
Step 10 If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On parameter; the Server File Name is then populated for you and the transfer is retried. The local machine option initiates a two-step operation.
First, the local file is copied from the administrator's workstation to the built-in TFTP server of NCS. Then the controller retrieves that file. For later operations, the file is already in the NCS server's TFTP directory, and the download web page automatically populates the filename.
Step 11 Click OK.

Enabling or Disabling IDS Signatures

To enable or disable IDS signatures, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Choose a controller by clicking an IP address.
Step 3 From the left sidebar menu, choose Security and then Standard Signatures or Custom Signatures. Figure 3-5 shows a sample of the page that appears.

Figure 3-5 Checking for Standard Signatures

Step 4 To enable or disable an individual signature, click in the Name column for the type of attack you want to enable or disable. Figure 3-6 shows a sample of a detailed signature page. The Standard Signature Parameters page shows the list of Cisco-supplied signatures that are currently on the controller. The Custom Signatures page shows the list of customer-supplied signatures that are currently on the controller. The following information is displayed either on the signature page or on the detailed signature page:
• Precedence - The order, or precedence, in which the controller performs the signature checks.
• Name - The type of attack the signature is trying to detect.
• Description - A more detailed description of the type of attack that the signature is trying to detect.
• Frame Type - Management or data frame type on which the signature is looking for a security attack.
• Action - What the controller is directed to do when the signature detects an attack. One possibility is None, where no action is taken, and another is Report, to report the detection.
• Frequency - The signature frequency, or the number of matching packets per interval that must be identified at the detecting access point level before an attack is detected. The range is 1 to 32,000 packets per interval, and the default value is 50 packets per interval.
• Quiet Time - The length of time (in seconds) after which no attacks have been detected at the individual access point level, and the alarm can stop. This time appears only if the MAC information is all or both. The range is 60 to 32,000 seconds, and the default value is 300 seconds.
• MAC Information - Whether the signature is to be tracked per network or per MAC address or both at the detecting access point level.
• MAC Frequency - The signature MAC frequency, or the number of matching packets per interval that must be identified at the controller level before an attack is detected. The range is 1 to 32,000 packets per interval, and the default value is 30 packets per interval.
• Interval - Enter the number of seconds that must elapse before the signature frequency threshold is reached within the configured interval. The range is 1 to 3600 seconds, and the default value is 1 second.
• Enable - Select this to enable this signature to detect security attacks or unselect it to disable this signature.
• Signature Patterns - The pattern that is being used to detect a security attack.

Figure 3-6 Standard Signature

Step 5 From the Enabled yes or no drop-down list, choose yes. Because you are downloading a customized signature, you should enable the files named with the _custom.sig suffix and disable the standard signature with the same name but a differing suffix. (For example, if you are customizing broadcast probe flood, you want to disable broadcast probe flood in the standard signatures but enable it in custom signatures.)
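The following is an added example, not Cisco's code, that models how the signature parameters listed above interact: Frequency counted per Interval at each access point, MAC Frequency counted per Interval across the controller, tracking per network or per MAC according to MAC Information, and an alarm that clears only after Quiet Time passes without a match. The MAC Information value names, the pattern syntax, the frame fields and the sample frames are constructed assumptions.

```python
# Added example, not Cisco's code: a model of how the signature parameters above
# (Frequency, Interval, Quiet Time, MAC Information, MAC Frequency) combine to
# raise and clear an alarm. The MAC Information value names ("all", "mac",
# "both") and the pattern syntax are assumptions; the page does not show them.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass
class Signature:
    name: str
    frame_type: str               # Frame Type: "management" or "data"
    pattern: bytes                # constructed stand-in for Signature Patterns
    frequency: int = 50           # matches per interval at the AP level
    interval: int = 1             # seconds
    quiet_time: int = 300         # seconds without a match before the alarm stops
    mac_information: str = "all"  # "all" = per network, "mac" = per MAC, "both"
    mac_frequency: int = 30       # matches per interval at the controller level
    action: str = "Report"        # "None" or "Report"
    enabled: bool = True


@dataclass
class Frame:
    ts: float
    ap: str
    src_mac: str
    frame_type: str
    payload: bytes


Track = Tuple[str, str]                   # ("network", "*") or ("mac", <source MAC>)
Scope = Tuple[str, str, Track]            # ("ap", <ap>, track) or ("controller", "*", track)
Alert = Tuple[float, str, str, str, str]  # (ts, level, ap, track kind, track value)


class SignatureDetector:
    def __init__(self, sig: Signature) -> None:
        self.sig = sig
        self.hits: Dict[Scope, Deque[float]] = defaultdict(deque)  # sliding windows
        self.last_match: Dict[Scope, float] = {}
        self.alarms: Dict[Scope, float] = {}  # scope -> time the alarm was raised

    def _tracks(self, frame: Frame) -> List[Track]:
        tracks: List[Track] = []
        if self.sig.mac_information in ("all", "both"):
            tracks.append(("network", "*"))
        if self.sig.mac_information in ("mac", "both"):
            tracks.append(("mac", frame.src_mac))
        return tracks

    def _count(self, scope: Scope, now: float) -> int:
        """Record a match and return how many matches fall inside the last interval."""
        window = self.hits[scope]
        window.append(now)
        while now - window[0] > self.sig.interval:
            window.popleft()
        self.last_match[scope] = now
        return len(window)

    def observe(self, frame: Frame) -> List[Alert]:
        """Feed one frame; return the alarms it newly raises (AP level, then controller)."""
        sig, raised = self.sig, []
        if (not sig.enabled or frame.frame_type != sig.frame_type
                or sig.pattern not in frame.payload):
            return raised
        for track in self._tracks(frame):
            for scope, threshold in ((("ap", frame.ap, track), sig.frequency),
                                     (("controller", "*", track), sig.mac_frequency)):
                if self._count(scope, frame.ts) >= threshold and scope not in self.alarms:
                    self.alarms[scope] = frame.ts  # stays raised until Quiet Time elapses
                    if sig.action == "Report":
                        raised.append((frame.ts, scope[0], scope[1], track[0], track[1]))
        return raised

    def active_alarms(self, now: float) -> List[Scope]:
        """Clear alarms with no match for quiet_time seconds; return those still active."""
        for scope in list(self.alarms):
            if now - self.last_match[scope] >= self.sig.quiet_time:
                del self.alarms[scope]
                self.hits.pop(scope, None)
        return sorted(self.alarms)


def run_sample() -> Tuple[List[Alert], List[Scope], List[Scope]]:
    """Constructed probe-flood scenario; thresholds lowered from the defaults."""
    sig = Signature("Broadcast Probe Flood", "management", b"PROBE_REQ", frequency=3,
                    interval=1, quiet_time=5, mac_information="both", mac_frequency=4)
    det = SignatureDetector(sig)
    mac_a, mac_b = "00:11:22:33:44:01", "00:11:22:33:44:02"  # constructed client MACs
    probe = b"PROBE_REQ ssid=*"
    frames = [
        Frame(0.0, "ap1", mac_a, "management", probe),
        Frame(0.2, "ap2", mac_b, "management", probe),
        Frame(0.4, "ap1", mac_a, "management", probe),
        Frame(0.6, "ap2", mac_b, "management", probe),  # 4 network-wide: controller alarm
        Frame(0.8, "ap1", mac_a, "management", probe),  # 3 at ap1: AP-level alarms
        Frame(0.9, "ap1", mac_a, "management", probe),  # 4 from mac_a: controller alarm
        Frame(1.0, "ap1", mac_a, "data", probe),        # wrong frame type: ignored
        Frame(1.1, "ap2", mac_b, "management", b"BEACON ssid=lab"),  # no match: ignored
    ]
    alerts: List[Alert] = []
    for frame in frames:
        alerts.extend(det.observe(frame))
    return alerts, det.active_alarms(4.0), det.active_alarms(6.0)
```

Note that the controller-level threshold fires at 0.6 s before any single access point has reached its own Frequency, which is why the two thresholds are configured separately.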
Step 6 To enable all standard and custom signatures currently on the controller, choose Edit Signature Parameters (from the screen in Figure 3-5) from the Select a command drop-down list, and choose Go. The Edit Signature Parameters page appears (see Figure 3-7).

Figure 3-7 Global Setting for Standard and Custom Signature

Step 7 Select the Check for All Standard and Custom Signatures parameter, Enable check box. This enables all signatures that were individually selected as enabled in Step 5. If this check box remains unselected, all files are disabled, even those that were previously enabled in Step 5. When the signatures are enabled, the access points joined to the controller perform signature analysis on the received 802.11 data or management frames and report any discrepancies to the controller.
Step 8 Click Save.

Enabling Web Login

With web authentication, guests are automatically redirected to web authentication pages when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts may be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. See the “Configuring a Web Authentication Template” section on page 11-64 to create a template that replaces the Web authentication page provided on the controller.

Step 1 Choose Configure > Controllers.
Step 2 Choose the controller on which to enable web authentication by clicking an IP address URL in the IP Address column.
Step 3 From the left sidebar menu, choose Security > AAA > Web Auth Configuration.
Step 4 Choose the appropriate web authentication type from the drop-down list. The choices are default internal, customized web authentication, or external.
• If you choose default internal, you can still alter the page title, message, and redirect URL, as well as choose whether the logo appears. Continue to Step 5.
• If you choose customized web authentication, skip to the “Downloading Customized Web Authentication” section on page 3-42.
• If you choose external, you need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page.
Step 5 Select the Logo Display check box if you want your company logo to display.
Step 6 Enter the title you want displayed on the Web authentication page.
Step 7 Enter the message you want displayed on the Web authentication page.
Step 8 In the Customer Redirect URL parameter, provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.company.com, the user is directed to the company home page.
Step 9 Click Save.

Downloading Customized Web Authentication

You can download a customized Web authentication page to the controller. A customized web page is created to establish a username and password for user web access. When downloading customized web authentication, these strict guidelines must be followed:
• A username must be provided.
• A password must be provided.
• A redirect URL must be retained as a hidden input item after extracting from the original URL.
• The action URL must be extracted and set from the original URL.
• Scripts to decode the return status code must be included.
• All paths used in the main page should be of relative type.
Before downloading, if you chose the customized web authentication option in Step 4 of the previous section, follow these steps:

Step 1 Click the preview image to download the sample login.html bundle file from the server. See Figure 3-8 for an example of the login.html file. The downloaded bundle is a .TAR file.

Figure 3-8 Login.html

Step 2 Open and edit the login.html file and save it as a .tar or .zip file.
Note You can edit the text of the Submit button with any text or HTML editor to read “Accept terms and conditions and Submit.”
Step 3 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:
• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable.
• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.
• A third-party TFTP server cannot run on the same computer as the Cisco NCS because the built-in TFTP server of NCS and the third-party TFTP server use the same communication port.
Step 4 Click here in the “After editing the HTML you may click here to redirect to the Download Web Auth Page” link to download the .tar or .zip file to the controller(s). The Download Customized Web Auth Bundle to Controller page appears.
Note The IP address of the controller to receive the bundle and the current status are displayed.
Step 5 Choose local machine from the File is Located On parameter. If you know the filename and path relative to the server’s root directory, you can also choose TFTP server.
Note For a local machine download, either .zip or .tar file options exist, but NCS does the conversion of .zip to .tar automatically.
If you chose a TFTP server download, only .tar files are specified.
Step 6 Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout parameter.
Step 7 The NCS Server Files In parameter specifies where the NCS server files are located. Specify the local file name in that directory or use the Browse button to navigate to it. A “revision” line in the signature file specifies whether the file is a Cisco-provided standard signature file or a site-tailored custom signature file (custom signature files must always have revision=custom).
Step 8 If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On parameter, and the Server File Name is populated. The local machine option initiates a two-step operation. First, the local file is copied from the administrator’s workstation to the built-in TFTP server of NCS. Then the controller retrieves that file. For later operations, the file is already in the NCS server’s TFTP directory, and the download web page now automatically populates the filename.
Step 9 Click OK. If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On parameter, and the Server File Name is populated for you.
Step 10 After completing the download, you are directed to the new page and able to authenticate.

Connecting to the Guest WLAN

To connect to the guest central WLAN to complete the web authentication process, follow these steps. See the “Creating Guest User Accounts” section on page 7-9 for more explanation of a guest user account.

Step 1 When you are set for open authentication and are connected, browse to the virtual interface IP address (such as /1.1.1.1/login.html).
Step 2 When the NCS user interface displays the Login page, enter your username and password.
Note All entries are case sensitive. The lobby ambassador has access to the templates only to add guest users.

Certificate Signing Request (CSR) Generation

To generate a Certificate Signing Request (CSR) for a third-party certificate using NCS, refer to the following document for instructions on uploading the certificate: http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00808a94ca.shtml

Chapter 4 Performing Maintenance Operations

You can perform actions at the system level, such as updating system software or downloading certificates that can be used with many items. This chapter describes the system-level tasks to perform with Cisco NCS. It contains the following sections:
• Information About Maintenance Operations, page 4-1
• Performing System Tasks, page 4-1
• Performing NCS Operations, page 4-6

Information About Maintenance Operations

A system-level task is a collection of tasks that relate to operations that apply to the NCS database as a whole. System tasks also include restoring the NCS database. For more information, see the “Restoring the NCS Database” section on page 4-8.

Performing System Tasks

This section describes how to use NCS to perform system-level tasks.
This section contains the following topics:
• Adding a Controller to the NCS Database, page 4-1
• Using NCS to Update System Software, page 4-2
• Downloading Vendor Device Certificates, page 4-3
• Downloading Vendor CA Certificates, page 4-4
• Using NCS to Enable Long Preambles for SpectraLink NetLink Phones, page 4-5
• Creating an RF Calibration Model, page 4-5

Adding a Controller to the NCS Database

To add a controller to the NCS database, follow these steps:

Note We recommend that you manage controllers through the controller dedicated service port for improved security. However, when you manage controllers that do not have a service port (such as 2000 series controllers) or for which the service port is disabled, you must manage those controllers through the controller management interface.

Step 1 Log into the NCS user interface.
Step 2 Choose Configure > Controllers to display the All Controllers page.
Step 3 From the Select a command drop-down list, choose Add Controller, and click Go.
Step 4 In the Add Controller page, enter the controller IP address, network mask, and required SNMP settings.
Step 5 Click OK. NCS displays a Please Wait dialog box while it contacts the controller and adds the current controller configuration to the NCS database. It then returns you to the Add Controller page.
Step 6 If NCS does not find a controller at the IP address that you entered for the controller, the Discovery Status dialog displays this message: No response from device, check SNMP. Check these settings to correct the problem:
• The controller service port IP address might be set incorrectly. Check the service port setting on the controller.
• NCS might not have been able to contact the controller. Make sure that you can ping the controller from the NCS server.
• The SNMP settings on the controller might not match the SNMP settings that you entered in NCS. Make sure that the SNMP settings configured on the controller match the settings that you entered in NCS.
Step 7 Add additional controllers if desired.

Using NCS to Update System Software

To update controller (and access point) software using NCS, follow these steps:

Step 1 Enter the ping ip-address command to be sure that the NCS server can contact the controller. If you use an external TFTP server, enter ping ip-address to be sure that the NCS server can contact the TFTP server.
Note When you are downloading through a controller distribution system (DS) network port, the TFTP server can be on the same or a different subnet because the DS port is routable.
Step 2 Click Configure > Controllers to navigate to the All Controllers page.
Step 3 Select the check box of the desired controller, choose Download Software (TFTP or FTP) from the Select a command drop-down list, and click Go. NCS displays the Download Software to Controller page.
Step 4 If you use the built-in NCS TFTP server, choose the Default Server from the Server Name list box. If you use an external TFTP server, select New from the Server Name list box and add the external TFTP server IP address.
Step 5 Enter the file path and server file name in their respective text boxes (for example, AS_2000_release.aes for 2000 series controllers). The files are uploaded to the root directory which was configured for use by the TFTP server. You can change to a different directory.
Note Be sure that you have the correct software file for your controller.
Step 6 Click Download. NCS downloads the software to the controller, and the controller writes the code to flash RAM. As NCS performs this function, it displays its progress in the Status field.
Downloading Vendor Device Certificates

Each wireless device (controller, access point, and client) has its own device certificates. For example, the controller is shipped with a Cisco-installed device certificate. This certificate is used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific device certificate, it must be downloaded to the controller. To download a vendor-specific device certificate to the controller, follow these instructions:

Step 1 Choose Configure > Controllers.
Step 2 You can download the certificates in one of two ways:
a. Select the check box of the controller you choose.
b. Choose Download Vendor Device Certificate from the Select a command drop-down list, and click Go.
or
Click the URL of the desired controller in the IP Address column.
c. Choose System > Commands from the left sidebar menu.
d. Choose TFTP or FTP in the Upload/Download Command section.
e. Choose Download Vendor Device Certificate from the Upload/Download Commands drop-down list, and click Go.
Step 3 In the Certificate Password text box, enter the password which was used to protect the certificate.
Step 4 Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP server, the name must be supplied in the Server File Name parameter. If the certificate is on the local machine, you must specify the file path in the Local File Name parameter using the Choose File button.
Step 5 Enter the TFTP server name in the Server Name parameter. The default is for the NCS server to act as the TFTP server.
Step 6 Enter the server IP address.
Step 7 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 8 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 9 In the Local File Name text box, enter the directory path of the certificate.
Step 10 Click OK.

Downloading Vendor CA Certificates

Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific CA certificate, it must be downloaded to the controller. To download a vendor CA certificate to the controller, follow these instructions:

Step 1 Click Configure > Controllers.
Step 2 You can download the certificates in one of two ways:
a. Select the check box of the controller you choose.
b. Choose Download Vendor CA Certificate from the Select a command drop-down list, and click Go.
or
Click the URL of the desired controller in the IP Address column.
c. Choose System > Commands from the left sidebar menu.
d. Choose Download Vendor CA Certificate from the Upload/Download Commands drop-down list, and click Go.
Step 3 Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP server, the name must be supplied in the Server File Name parameter in Step 9. If the certificate is on the local machine, you must specify the file path in the Local File Name parameter in Step 8 using the Browse button.
Step 4 Enter the TFTP server name in the Server Name parameter.
The default is for the NCS server to act as the TFTP server.
Step 5 Enter the server IP address.
Step 6 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 7 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 8 In the Local File Name text box, enter the directory path of the certificate.
Step 9 Click OK.

Using NCS to Enable Long Preambles for SpectraLink NetLink Phones

A radio preamble (sometimes called a header) is a section of data at the head of a packet. It contains information that wireless devices need when sending and receiving packets. Short preambles improve throughput performance, so they are enabled by default. However, some wireless devices, such as SpectraLink NetLink phones, require long preambles. To optimize the operation of SpectraLink NetLink phones on your wireless LAN, use NCS to enable long preambles by following these steps:

Step 1 Log into the NCS user interface.
Step 2 Click Configure > Controllers to navigate to the All Controllers page.
Step 3 Click the IP address of the desired controller.
Step 4 From the left sidebar menu, choose 802.11b/g/n > Parameters.
Step 5 If the IP Address > 802.11b/g/n Parameters page shows that short preambles are enabled, continue to the next step. However, if short preambles are disabled, which means that long preambles are enabled, the controller is already optimized for SpectraLink NetLink phones, and you do not need to continue this procedure.
Step 6 Enable long preambles by unselecting the Short Preamble check box.
Step 7 Click Save to update the controller configuration.
Step 8 To save the controller configuration, click System > Commands from the left sidebar menu, Save Config To Flash from the Administrative Commands drop-down list, and Go.
Step 9 To reboot the controller, click Reboot from the Administrative Commands drop-down list and Go.
Step 10 Click OK when the following message appears: Please save configuration by clicking “Save Config to flash”. Do you want to continue rebooting anyways? The controller reboots. This process may take some time, during which NCS loses its connection to the controller.
Note You can view the controller reboot process with a CLI session.

Creating an RF Calibration Model

If you would like to further refine NCS Location tracking of client and rogue access points across one or more floors of a building, you have the option of creating an RF calibration model that uses physically collected RF measurements to fine-tune the location algorithm. When you have multiple floors in a building with the same physical layout as the calibrated floor, you can save time calibrating the remaining floors by using the same RF calibration model for the remaining floors. The calibration models are used as RF overlays with measured RF signal characteristics that can be applied to different floor areas.
This allows the Cisco Unified Wireless Network Solution installation team to lay out one floor in a multi-floor area, use the RF calibration tool to measure and save the RF characteristics of that floor as a new calibration model, and apply that calibration model to all the other floors with the same physical layout.

Performing NCS Operations

This section contains the following topics:
• Verifying the Status of NCS, page 4-6
• Stopping NCS, page 4-6
• Backing Up the NCS Database, page 4-7
• Restoring the NCS Database, page 4-8
• Uninstalling NCS, page 4-10
• Upgrading WCS to NCS, page 4-10
• Upgrading the Network, page 4-12
• Reinitializing the Database, page 4-13
• Recovering the NCS Password, page 4-13

Verifying the Status of NCS

This section provides instructions for checking the status of NCS. You can check the status at any time. To check the status of NCS, follow these steps:

Step 1 Log into the system as root.
Step 2 Using the Linux CLI, perform one of the following:
• Navigate to the installation directory (such as /opt/NCS1.0.X.X) and enter ./NCSStatus.
• Navigate to the installation directory (such as /opt/NCS1.0.X.X) and enter NCSAdmin status.
The CLI displays messages indicating the status of NCS.

Stopping NCS

This section provides instructions for stopping NCS. You can stop NCS at any time. To stop NCS, follow these steps:

Note If any users are logged in when you stop NCS, their NCS sessions stop functioning.

Step 1 Log into the system as root.
Note To see which version of NCS you currently have installed, enter nmsadmin.sh version.
Step 2 Using the Linux CLI, perform one of the following:
• Navigate to the shortcut location (defaulted to /opt/NCSA.B.C.D) and enter ./StopNCS.
• Navigate to the installation bin directory (defaulted to /opt/NCSA.B.C.D/bin) and enter StopNCS.
The CLI displays messages indicating that NCS is stopping.

Backing Up the NCS Database

This section provides instructions for backing up the NCS database. You can schedule regular backups through the NCS user interface or manually initiate a backup.

Note Machine-specific settings (such as FTP enable and disable, FTP port, FTP root directory, TFTP enable and disable, TFTP port, TFTP root directory, HTTP forward enable and disable, HTTP port, HTTPS port, report repository directory, and all high availability settings) are not included in the backup and restore function if the backup is restored to a different device.

This section contains the following topics:
• Scheduling Automatic Backups, page 4-7
• Performing a Manual Backup, page 4-8

Scheduling Automatic Backups

To schedule automatic backups of the NCS database, follow these steps:

Step 1 Log into the NCS user interface.
Step 2 Click Administration > Background Tasks to display the Scheduled Tasks page.
Step 3 Click the NCS Server Backup task to display the NCS Server Backup page.
Step 4 Select the Enabled check box.
Step 5 In the Backup Repository parameter, choose an existing backup repository or click the Create button to create a new repository.
Step 6 If you are backing up to a remote location, select the FTP Repository check box. You need to enter the FTP location, username, and password of the remote machine.
Step 7 In the Interval (Days) text box, enter a number representing the number of days between each backup. For example, 1 = a daily backup, 2 = a backup every other day, 7 = a weekly backup, and so on.
Range: 1 to 360
Default: 7
Step 8 In the Time of Day text box, enter the time when you want the backup to start.
It must be in this format: hh:mm AM/PM (for example: 03:00 AM).
Note Backing up a large database affects the performance of the NCS server. Therefore, we recommend that you schedule backups to run when the NCS server is idle (for example, in the middle of the night).
Step 9 Click Submit to save your settings. The backup file is saved as a .zip file in the ftp-install-dir/ftp-server/root/NCSBackup directory using this format: dd-mmm-yy_hh-mm-ss.zip (for example, 11-Nov-05_10-30-00.zip).

Performing a Manual Backup

To back up the NCS database on a Linux server, follow these steps:

Note You do not need to shut down Oracle or the platform to do a backup.

Step 1 Log into the system as root.
Step 2 Create a local or remote backup directory for the NCS database with no spaces in the name (for example, mkdir NCS1.0.X.X_Backup).
Note Make sure that the directory name does not contain spaces. Spaces can generate errors.
Note If it is a remote backup location, you MUST specify the correct FTP location (for example, ftp://hostname/location) and user credentials.
Step 3 You can do a backup either through Command Line
Step 4 Perform one of the following:
• Back up the appliance and application to the repository (local or remote):
backup testbackup repository backup_repo
• Back up the application only to the repository (local or remote):
backup testbackup repository backup_repo application NCS
The CLI displays messages indicating the status of the backup.

Restoring the NCS Database

This section provides instructions for restoring the NCS database.
This section contains the following topics:
• Restoring the NCS Database, page 4-8
• Restoring the NCS Database in a High Availability Environment, page 4-9

Restoring the NCS Database

If you are restoring the NCS database in a high availability environment, see the “Restoring the NCS Database in a High Availability Environment” section on page 4-9. To restore the NCS database from a backup file, follow these steps:

Step 1 To view all local repository backups, use the following command:
show repository backup_repo
Note If possible, stop all NCS user interfaces to stabilize the database.
Step 2 Manually shut down the platform as root.
Step 3 Using the CLI, perform one of the following:
• Restore the appliance and application backup:
restore testbackup-yymmdd-xxxx.tar.gpg repository backup_repo
• Restore the appliance only backup:
restore testbackup-yymmdd-xxxx.tar.gpg repository backup_repo application NCS
Step 4 Click Yes if a message appears indicating that NCS is running and needs to be shut down.
Note If the restore process shuts down NCS, a restart is attempted after a successful restore. The appliance will then restart, and you will have to log in again and restart the dbserver and the platform manually as root (make sure you do not start with dbclean, or you will lose your recently restored data).
The CLI displays messages indicating that the NCS database is being restored.

Restoring the NCS Database in a High Availability Environment

During installation, you were prompted to determine if a secondary NCS server would be used for high availability support to the primary NCS server. If you opted for this high availability environment and enabled it in the Administration > High Availability page, the status appears as HA enabled. Before restoring a database, you must convert the status to HA not configured.
Note If you attempt to restore the database while the status is set to HA enabled, unexpected results may occur.

To change the status from HA enabled to HA not configured, follow one of these procedures:
• Click the Remove button in the HA Configuration page (Administration > High Availability).
• Restart the primary server. Go to the secondary HealthMonitor GUI (https://:8082), and click Failback.
– Use this method when one of the following instances has occurred:
The primary server is down and failover has not been executed, so the secondary server is in the SecondaryLostPrimary state.
or
The primary server is down and failover has already been executed, so the secondary server is in the SecondaryActive state.
The primary server will now be in HA Not Configured mode, and you can safely restore the database.

Uninstalling NCS

This section provides instructions for uninstalling NCS. You can uninstall NCS at any time, even while NCS is running. To uninstall NCS on a Linux server, follow these steps:

Step 1 Stop NCS.
Step 2 Log into the system as root through an X terminal session.
Step 3 Using the Linux CLI, navigate to the /opt/NCS1.0.X.X directory (or the directory chosen during installation).
Step 4 Enter ./UninstallNCS.
Step 5 Click Yes to continue the uninstall process.
Step 6 Click Finish when the uninstall process is complete.
Note If any part of the /opt/NCS1.0.X.X directory remains on the hard drive, manually delete the directory and all of its contents. If you fail to delete the previous NCS installation, this error message appears when you attempt to reinstall NCS: “Cisco NCS is already installed. Please uninstall the older version before installing this version.”

Upgrading WCS to NCS

This section provides instructions for upgrading to NCS.
If you are upgrading to NCS in a high availability environment, see the “Upgrading NCS in a High Availability Environment” section on page 4-12.

Note NCS supports data migration from WCS releases 7.0.164.3 and 7.0.172.0. If you do not have one of these releases of WCS, you must upgrade to either WCS 7.0.164.3 or 7.0.172.0 first and then follow the migration steps.

To upgrade from WCS to NCS, perform the following:

Step 1 Stop the WCS server.
Step 2 Run the export command to export all the WCS data into an export file. For Linux, run export.sh all; for Windows, run export.bat all.
Note The current zip tool can only handle zip files of up to 4G in size. If the WCS DB size is larger than 10G, there is a high possibility that the zip file size will be more than 4G. Please request a patch if you face this issue.
Note While upgrading from WCS to NCS, on running the export command, you might encounter a “could not reserve enough space” error. If you encounter this error, open either the export.bat (for Windows OS) or export.sh (for Linux OS) file and replace the instance of -Xmx1024m with -Xmx512m.
Step 3 Copy the export zip file (for example, wcs.zip) into a local repository folder.
Step 4 Log in to NCS as admin and stop the NCS server using the ncs stop command.
Step 5 Configure the repository in the NCS Appliance using the repository command.
ncs-appliance/admin#configure
ncs-appliance/admin(config)#repository wcs-ftp-repo
ncs-appliance/admin(config-Repository)#url ftp://172.19.28.229//
ncs-appliance/admin(config-Repository)#user ftp-user password plain ftp-user
Note Make sure wcs.zip is listed for the 'show repository' command. For TFTP, if directory listing is not enabled, then restore will fail. This is expected behavior, and 'show repository' will throw an error message.
ncs-appliance/admin# show repository wcs-ftp-repo wcs.zip ncs-appliance/admin# show repository wcs-tftp-repo % Protocol does not support listing directories Step 6 Execute the ncs migrate command to restore the WCS database. ncs-appliance/admin# ncs migrate wcs-data wcs.zip repository wcs-ftp-repo Using the noclientstats option, no client count and client statistics data will get migrated to NCS . By default no WCS events are migrated. Step 7 Run the ncs start command to start the NCS server after the upgrade is completed. Step 8 Login to the NCS User Interface using the root and the root password. Note The client count, client summary, client throughput, client traffic, rogue AP, adhoc rogues, new adhoc rogues, PCI details, PCI summary and security summary reports, dashboard customizations, client station information and its statistics, all WCS events, RADIUS/TACACS server IP and credentials, and the root password are not migrated from WCS to NCS. Make sure you enable the RADIUS/TACACS server as AAA mode in Administration > AAA > AAA Mode Settings page and click Save.4-12 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 4 Performing Maintenance Operations Performing NCS Operations Upgrading NCS in a High Availability Environment If you have a primary and secondary NCS, follow these steps for a successful upgrade: Step 1 You must first remove the HA configuration with the following steps: a. Login to the primary NCS server. b. Choose Administration > High Availability and select HA Configuration from the left sidebar menu. c. Click Remove to remove the HA configuration. Note It may take a few minutes for the remove to complete. Step 2 You must first upgrade the secondary NCS with the following steps: a. Shut down the secondary NCS. See the “Stopping NCS” section on page 4-6 for more information. Note You can use StopNCS for a graceful shut down. A graceful shut down does not trigger the automatic failover. 
Use the CLI command \nmsadmin.bat -switchover stop to trigger automatic failover when shutting down NCS. b. Perform an upgrade on the secondary NCS. c. Start the secondary NCS. Note It will attempt to reconnect to the primary NCS, but a version mismatch error is returned. Step 3 Upgrade the primary NCS. a. Shut down the primary NCS. See the “Stopping NCS” section on page 4-6 for more information. b. Perform an upgrade on the primary NCS. c. Start the primary NCS. Step 4 Enable HA again on the primary NCS. a. Login to the primary NCS server. b. Choose Administration > High Availability and select HA Configuration from the left sidebar menu. c. Enter the HA configuration settings and click Save to enable high availability. Upgrading the Network Network upgrades must follow a recommended procedure so that databases can remain synchronized with each other. For example, You cannot upgrade the controller portion of the network to a newer release but maintain the current NCS version and not upgrade it. The supported order of upgrade is NCS first, followed by the controller, and then any additional devices.4-13 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 4 Performing Maintenance Operations Performing NCS Operations Reinitializing the Database If you need to reset the database because of a synchronization problem or a corruption of some type, enter {install directory}/bin/dbadmin.(sh|bat) reinitdb to reinitialize the database. Recovering the NCS Password You can change the NCS application root user or FTP user password. This option provides a safeguard if you lose the root password. An executable was added to the installer /bin directory (passwd.bat for Windows and passwd.sh for Linux). For password recovery on a wireless location device, refer to Chapters 8 or 9 of the Cisco 2700 Series Location Appliance Configuration Guide. 
To recover the passwords and regain access to NCS, follow these steps: Note If you are a Linux user, you must be the root user to run the command. Note In Linux, use the passwd.sh to change the NCS password. The passwd is a built-in Linux command to change the OS password. Step 1 Change to the NCS bin folder. Step 2 For Linux, use the following command: Enter passwd.sh root-user newpassword to change the NCS root password. The newpassword is the root login password you choose. or Enter passwd.sh location-ftp-user newuser newpassword to change the FTP user and password. The newuser and newpassword are the MSE or Location server user and password. Step 3 The following options are available with these commands: • -q — to quiet the output • -pause — to pause before exiting • -gui — to switch to the graphical user interface • -force — to skip prompting for configuration Step 4 Start NCS.4-14 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 4 Performing Maintenance Operations Performing NCS OperationsC H A P T E R 5-1 Cisco Prime Network Control System Configuration Guide OL-25451-01 5 Monitoring Devices Information About Monitoring This chapter describes how to use Cisco NCS to monitor Cisco WLAN Solution device configurations. This chapter contains the following sections: • Monitoring Controllers, page 5-1 • Monitoring Switches, page 5-32 • Monitoring Access Points, page 5-42 • Monitoring RFID Tags, page 5-113 • Monitoring Chokepoints, page 5-115 • Monitoring Interferers, page 5-116 • Monitoring Spectrum Experts, page 5-119 • Monitoring WiFi TDOA Receivers, page 5-121 • Monitoring Radio Resource Management (RRM), page 5-122 • Monitoring Clients and Users, page 5-125 • Monitoring Alarms, page 5-125 • Monitoring Events, page 5-142 • Monitoring Site Maps, page 5-152 • Monitoring Google Earth Maps, page 5-152 Monitoring Controllers Choose Monitor > Controllers to access the controller list page. Click a controller IP address to view its details. 
This section contains the following topics:
• Searching Controllers, page 5-2
• Viewing List of Controllers, page 5-2
• Monitoring System Parameters, page 5-3
• Monitoring Ports, page 5-9
• Monitoring Controller Security, page 5-15
• Monitoring Controllers Mobility, page 5-23
• Monitoring Controller 802.11a/n, page 5-24
• Monitoring Controllers 802.11b/g/n, page 5-28

Searching Controllers

Use the NCS Search feature to find specific controllers or to create and save custom searches. For a controller search, you can search using the following parameters:

Table 5-1 Search Controllers
Search for controller by: Choose All Controllers, IP Address, Controller Name, or Network.
  Note Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
Enter Controller IP Address: This field only appears if you select IP Address from the Search for controller by field.
Enter Controller Name: This field only appears if you select Controller Name from the Search for controller by field.
Select a Network
Audit Status: Choose one of the following from the drop-down list:
  – All Status
  – Mismatch: Config differences were found between NCS and the controller during the last audit.
  – Identical: No config differences were found during the last audit.
  – Not Available: Audit status is unavailable.

See one of the following topics for additional information:
• Using the Search Feature, page 2-33
• Quick Search, page 2-33
• Advanced Search, page 2-34
• Saved Searches, page 2-46

Viewing List of Controllers

Choose Monitor > Controllers or perform a controller search to access the controller list page.
Note See the "Advanced Search" section on page 2-34 for more information on performing an advanced search.
The data area of this page contains a table with the following columns:

Table 5-2 Controller List Details
IP Address: Local network IP address of the controller management interface. Click an IP address in the list to display the controller details.
Controller Name: Name of the controller.
Location: The geographical location (such as a campus or building).
Mobility Group Name: Name of the controller mobility or WPS group.
Reachability Status: Reachable or Unreachable.

Click a column title to toggle between ascending and descending order. To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page.

Configuring the Controller List Display

The Edit View page allows you to add, remove, or reorder columns in the Controllers table. To edit the available columns in the controllers table, follow these steps:
Step 1 Choose Monitor > Controllers.
Step 2 Click the Edit View link.
Step 3 To add a column to the controllers table, click to highlight the column heading in the left list. Click Show to move the heading to the right list. All items in the right list are displayed in the controllers table.
Step 4 To remove a column from the controllers table, click to highlight the list heading in the right list. Click Hide to move the heading to the left list. Items in the left list are not displayed in the controllers table.
Step 5 Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired list heading and click Up or Down to move it higher or lower in the current list.
Step 6 Click Reset to restore the default view.
Step 7 Click Submit to confirm the changes.

Monitoring System Parameters

This section provides detailed information about monitoring controller system parameters and contains the following topics:
• Monitoring System Summary, page 5-4
• Monitoring Spanning Tree Protocol, page 5-5
• Monitoring CLI Sessions, page 5-7
• Monitoring DHCP Statistics, page 5-8
• Monitoring WLANs, page 5-9

Monitoring System Summary

This page displays a summary of the controller parameters with a graphic showing the status of the controller. The graphic of the front of the controller shows the front-panel ports (click a port to go to Monitor Controllers > IPaddr > Ports > General for information about that port). The page also provides links to the alarms, events, and access point details related to the controller.
To access this page:
• Choose Monitor > Controllers and click the applicable IP address.
• Choose Monitor > Access Points, click a list item under AP Name, and then click Registered Controller.
• Choose Configure > Access Points, choose a list item under AP Name, then click Registered Controller.
Click Controllers in the page title to view a list of all the controllers. See the "Viewing List of Controllers" section on page 5-2.
The following parameters are displayed:

Table 5-3 Monitoring System Summary
General
IP Address: Local network IP address of the controller management interface.
Name: User-defined name of the controller.
Device Type: Type of controller.
UP Time: Time in days, hours, and minutes since the last reboot.
System Time: Time used by the controller.
Internal Temperature: The temperature of the controller.
Location: User-defined physical location of the controller.
Contact: Contact person or the owner of the controller.
Total Client Count: Total number of clients currently associated with the controller.
Current CAPWAP Transport Mode: Control and Provisioning of Wireless Access Points (CAPWAP) protocol transport mode used for communications between controllers and access points. Selections are Layer 2 or Layer 3.
Power Supply One: Whether the power supply is present and operational. Applies only to 4400 series controllers.
Power Supply Two: Whether the power supply is present and operational. Applies only to 4400 series controllers.
Inventory
Software Version: The operating system release.version.dot.maintenance number of the code currently running on the controller.
Emergency Image Version: An image version of the controller.
Description: Description of the inventory item.
Model No: Specifies the machine model as defined by the Vital Product Data.
Serial No: Unique serial number for this controller.
Burned-in MAC Address: The burned-in MAC address for this controller.
Number of APs Supported: The maximum number of access points supported by the controller.
Gig Ethernet/Fiber Card: Displays the presence or absence of the optional 1000BASE-T/1000BASE-SX GigE card.
Crypto Card One: Displays the presence or absence of an enhanced security module, which enables IPSec security and provides enhanced processing power.
  Note By default, the enhanced security module is not installed on a controller. Maximum number of crypto cards that can be installed on a Cisco Wireless LAN controller:
  – Cisco 2000 Series: None
  – Cisco 4100 Series: One
  – Cisco 4400 Series: Two
Crypto Card Two: Displays the presence or absence of a second enhanced security module.
GIGE Port(s) Status: Up or Down. Click to review the status of the port.
Unique Device Identifier (UDI)
Name: Product type. Chassis for controllers and Cisco AP for access points.
Description: Description of the controller; may include the number of access points.
Product ID: Orderable product identifier.
Version ID: Version of the product identifier.
Serial No: Unique product serial number.
Utilization
CPU Utilization: Displays a graph of the maximum, average, and minimum CPU utilization over the specified amount of time.
Memory Utilization: Displays a graph of the maximum, average, and minimum memory utilization over the specified amount of time.

Monitoring Spanning Tree Protocol

The Spanning Tree Protocol (STP) is a link management protocol. The Cisco WLAN Solution implements the IEEE 802.1D standard for media access control bridges. The spanning tree algorithm provides redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. STP allows only one active path at a time between any two network devices (this prevents loops) but establishes the redundant links as a backup if the initial link should fail.
You can access this page in the following ways:
• Choose Monitor > Controllers, select an IP address, and choose System > Spanning Tree Protocol from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose System > Spanning Tree Protocol from the left sidebar menu.
Note The controllers that do not support Spanning Tree Protocol are WISM, 2500, 5500, 7500, and SMWLC.
This page enables you to view the following Spanning Tree Algorithm parameters:

Table 5-4 Spanning Tree Protocol Parameters
General
Spanning Tree Specification: An indication of which version of the Spanning Tree Protocol is being run. IEEE 802.1D implementations return 'IEEE 802.1D'. If future versions of the IEEE Spanning Tree Protocol are released that are incompatible with the current version, a new value will be defined.
Spanning Tree Algorithm: Specifies whether this controller participates in the Spanning Tree Protocol. May be enabled or disabled by selecting the corresponding line in the drop-down list entry field. The factory default is disabled.
Priority: The value of the writable portion of the Bridge ID, that is, the first two octets of the (8-octet-long) Bridge ID. The other (last) 6 octets of the Bridge ID are given by the value of the Bridge MAC Address. The value may be specified as a number between 0 and 65535. The factory default is 32768.
Maximum Age (seconds): The value that all bridges use for MaxAge when this bridge is acting as the root.
  Note 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Hello Time. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 6 through 40 seconds. The factory default is 20.
Hello Time (seconds): The value that all bridges use for HelloTime when this bridge is acting as the root. The granularity of this timer is specified by 802.1D-1990 to be 1 second. Valid values are 1 through 10 seconds. The factory default is 2.
Forward Delay (seconds): The value that all bridges use for ForwardDelay when this bridge is acting as the root. Note that 802.1D-1990 specifies that the range for this parameter is related to the value of Stp Bridge Maximum Age. The granularity of this timer is specified by 802.1D-1990 to be 1 second. An agent may return a badValue error if a set is attempted to a value that is not a whole number of seconds. Valid values are 4 through 30 seconds. The factory default is 15.
Hold Time (seconds): The minimum time period that must elapse between the transmission of Configuration BPDUs through a given LAN port: at most one Configuration BPDU is transmitted in any Hold Time period.
STP Statistics
Topology Change Count: The total number of topology changes detected by this bridge since the management entity was last reset or initialized.
Time Since Topology Changed: The total number of topology changes detected by this bridge since the management entity was last reset or initialized.
Designated Root: The bridge identifier of the root of the spanning tree as determined by the Spanning Tree Protocol as executed by this node. This value is used as the Root Identifier parameter in all Configuration Bridge PDUs originated by this node.
Root Cost: The cost of the path to the root as seen from this bridge.
Root Port: The port number of the port that offers the lowest cost path from this bridge to the root bridge.

Monitoring CLI Sessions

The CLI Sessions page for a controller can be accessed in the following ways:
• Choose Monitor > Controllers, click the applicable IP address, then choose System > CLI Sessions from the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then select System > CLI Sessions from the left sidebar menu.
This page provides a list of open command-line interface sessions. It details the following information:

Table 5-5 CLI Sessions Details
Session Index: Session identification.
Username: Login username.
Connection Type: Telnet or serial session.
Connection From: IP address of the client computer system.
Session Time: Elapsed active session time.
Idle Time: Elapsed inactive session time.

Monitoring DHCP Statistics

NCS provides DHCP server statistics for version 5.0.6.0 controllers or later. These statistics include information on the packets sent and received, DHCP server response information, and the last request timestamp.
To access this page, choose Monitor > Controllers, click the applicable IP address, then choose System > DHCP Statistics from the left sidebar menu.
The DHCP Statistics page provides the following information:

Table 5-6 DHCP Statistics
Server IP: Identifies the IP address of the server.
Is Proxy: Identifies whether or not this server is a proxy.
Discover Packets Sent: Identifies the total number of packets sent intended to locate available servers.
Request Packets Sent: Identifies the total number of packets sent from the client requesting parameters from the server or confirming the correctness of an address.
Decline Packets: Identifies the number of packets indicating that the network address is already in use.
Inform Packets: Identifies the number of client requests to the DHCP server for local configuration parameters because the client already has an externally configured network address.
Release Packets: Identifies the number of packets that release the network address and cancel the remaining lease.
Reply Packets: Identifies the number of reply packets.
Offer Packets: Identifies the number of packets that respond to the discover packets with an offer of configuration parameters.
Ack Packets: Identifies the number of packets that acknowledge successful transmission.
Nak Packets: Identifies the number of packets that indicate that the transmission occurred with errors.
Tx Failures: Identifies the number of transfer failures that occurred.
Last Response Received: Provides a timestamp of the last response received.
Last Request Sent: Provides a timestamp of the last request sent.

Monitoring WLANs

Choose Monitor > Controllers, click a controller IP address, and choose WLANs from the left sidebar menu. This page enables you to view a summary of the wireless local area networks (WLANs) that you have configured on this controller:

Table 5-7 WLAN Details
WLAN ID: Identification number of the WLAN.
Profile Name: User-defined profile name specified when initially creating the WLAN. Profile Name is the WLAN name.
SSID: User-defined SSID name.
Security Policies: Security policies enabled on the WLAN.
No of Mobility Anchors: Mobility anchors are a subset of a mobility group specified as the anchor controllers for a WLAN.
Admin Status: Status of the WLAN, either enabled or disabled.
No. of Clients: Number of clients currently associated with this WLAN.

Monitoring Ports

This section provides detailed information about monitoring controller port parameters and contains the following topics:
• Monitoring General Ports, page 5-9
• Monitoring CDP Interface Neighbors, page 5-14

Monitoring General Ports

The Ports > General page provides information about the physical ports on the selected controller. Click a port number to view details for that port. See the "Port Details" section on page 5-10 for more information.
To access the Monitor > Ports > General page, do one of the following:
• Choose Configure > Controllers and click the applicable IP address. From the left sidebar menu, choose General under Ports.
• Choose Monitor > Controllers, click the applicable IP address, and click a port to access this page.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then click a port to access this page.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then click a port to access this page.
Note Click Alarms to open the Monitor Alarms page. See the "Monitoring Alarms" section on page 5-125 for more information. Click Events to open the Monitor Events page. See the "Monitoring Events" section on page 5-142 for more information.
General port information includes the following:

Table 5-8 General Ports
Port: Click the port number to view port details. See the "Port Details" section on page 5-10 for more information.
Physical Mode: Displays the physical mode of all ports. Selections include:
  – 100 Mbps Full Duplex
  – 100 Mbps Half Duplex
  – 10 Mbps Full Duplex
  – 10 Mbps Half Duplex
Admin Status: Displays the state of the port, either Enable or Disable.
STP State: Displays the STP state of the port, either Forwarding or Disabled.
Physical Status: Displays the actual port physical interface:
  – Auto Negotiate
  – Half Duplex 10 Mbps
  – Full Duplex 10 Mbps
  – Half Duplex 100 Mbps
  – Full Duplex 100 Mbps
  – Full Duplex 1 Gbps
Link Status: Red (down/failure), Yellow (alarm), Green (up/normal).

Port Details

The Port Detail page includes the following information:

Table 5-9 Port Details
Interface
Operational Status: Displays the operational status of the controller. Options are UP or DOWN.
Unknown Protocol Packets: The number of packets of unknown type that were received from this server on this port.
Traffic (Received and Transmitted)
Total Bytes: The total number of packets received.
Packets: The total number of packets (including bad packets) received that were within the indicated octet range in length (excluding framing bits but including FCS octets). Ranges include:
  – 64 Octets
  – 65-127 Octets
  – 128-255 Octets
  – 256-511 Octets
  – 512-1023 Octets
  – 1024-1518 Octets
Packets (Received and Transmitted)
Total: Total number of packets received/transmitted.
Unicast Packets: The number of subnetwork-unicast packets delivered/sent to a higher-layer protocol.
Broadcast Packets: The total number of packets received/sent that were directed to the broadcast address.
Packets Discarded (Received/Transmitted): The number of inbound/outbound packets that were chosen to be discarded even though no errors had been detected, to prevent their being delivered to a higher-layer protocol. A possible reason for discarding a packet could be to free up buffer space.
Errors in Packets: The total number of packets received with errors.
Received packets with MAC errors
Jabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
  Note This definition of jabber is different from the definition in IEEE 802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 and 150 ms.
Fragments/Undersize: The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
Alignment Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with a non-integral number of octets.
FCS Errors: The total number of packets received that had a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but had a bad Frame Check Sequence (FCS) with an integral number of octets.
Transmit discards
Single Collision Frames: A count of successfully transmitted frames on a particular interface for which transmission was inhibited by exactly one collision.
Multiple Collision Frames: A count of successfully transmitted frames on a particular interface for which transmission was inhibited by more than one collision.
Deferred Transmissions: A count of frames for which transmission on a particular interface failed due to deferred transmissions.
Late Collisions: A count of frames for which transmission on a particular interface failed due to late collisions.
Excessive Collisions: A count of frames for which transmission on a particular interface failed due to excessive collisions.
Ether Stats
CRC Align Errors: The number of incoming packets with a checksum (FCS) alignment error. This represents a count of frames received on a particular interface that are not an integral number of octets in length and do not pass the FCS check. Received frames for which multiple error conditions obtain are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.
Undersize Packets: The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
Oversize Packets: The total number of frames that exceeded the maximum permitted frame size. This counter has a maximum increment rate of 815 counts per second at 10 Mbps.
Ether Stats Collisions: The number of packets with collision errors.
SQE Test Errors: Signal Quality Error Test errors (that is, Heartbeat) during transmission. This test checks the collision detection electronics of the transceiver and lets the Ethernet interface in the computer know that the collision detection circuits and signal paths are working correctly. The errors indicate a count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface. The SQE TEST ERROR message is defined in section 7.2.2.2.4 of ANSI/IEEE 802.3-1985 and its generation is described in section 7.2.4.6 of the same document.
Internal MAC Receive Errors: A count of frames for which reception on a particular interface failed due to an internal MAC sublayer receive error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the FrameTooLong property, the AlignmentErrors property, or the FCSErrors property. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of receive errors on a particular interface that are not otherwise counted.
Internal MAC Transmit Errors: A count of frames for which transmission on a particular interface failed due to an internal MAC sublayer transmit error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the LateCollisions property, the ExcessiveCollisions property, or the CarrierSenseErrors property. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of transmission errors on a particular interface that are not otherwise counted.
Carrier Sense Errors: Carrier sense detects the presence of a carrier. This is the number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame on a particular interface.
Too Long Frames: A count of frames received on a particular interface that exceed the maximum permitted frame size. The count represented by an instance of this object is incremented when the FrameTooLong status is returned by the MAC layer to the LLC (or other MAC user). Received frames for which multiple error conditions obtain are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

Monitoring CDP Interface Neighbors

To access the Monitor CDP Interface Neighbors page, follow these steps:
Step 1 Choose Monitor > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose CDP Interface Neighbors (under the Port heading).
Step 4 The CDP Interface Neighbors page provides the following information:

Table 5-10 CDP Interface Neighbor Details
Local Interface: Local port information.
Neighbor Name: The name of each CDP neighbor.
Neighbor Address: The IP address of each CDP neighbor.
Neighbor Port: The port used by each CDP neighbor for transmitting CDP packets.
Capability: The functional capability of each CDP neighbor.
Platform: The hardware platform of each CDP neighbor device.
Duplex: Indicates Full Duplex or Half Duplex.
Software Version: The software running on the CDP neighbor.

Monitoring Controller Security

This section provides detailed information about monitoring controller security and contains the following topics:
• Monitoring RADIUS Authentication, page 5-15
• Monitoring RADIUS Accounting, page 5-17
• Monitoring Management Frame Protection, page 5-19
• Monitoring Rogue AP Rules, page 5-20
• Monitoring Guest Users, page 5-22

Monitoring RADIUS Authentication

The RADIUS Authentication page displays RADIUS authentication server information and enables you to add or delete a RADIUS authentication server. To access this page, do one of the following:
• Choose Monitor > Controllers, click the applicable IP address, then choose Radius Authentication from the Security section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Radius Authentication from the Security section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Radius Authentication from the Security section of the left sidebar menu.
The following information is displayed:

Table 5-11 RADIUS Authentication Details
RADIUS Authentication Servers
Server Index: Access priority number for RADIUS servers. Up to four servers can be configured, and controller polling of the servers starts with Index 1, then Index 2, and so forth. The index number is based on when the RADIUS server was added to the controller.
IP Address: The IP address of the RADIUS server.
Ping: Click the icon to ping the RADIUS server from the controller to verify the link.
Port: Controller port number for the interface protocols.
Admin Status: Indicates whether the server is enabled or disabled.
Authentication Server Statistics
Msg Round Trip Time: The time interval (in milliseconds) between the most recent Access-Reply/Access-Challenge and the Access-Request that matched it from this RADIUS authentication server.
First Requests: The number of RADIUS Access-Request packets sent to this server. This does not include retransmissions.
Retry Requests: The number of RADIUS Authentication-Request packets retransmitted to this RADIUS authentication server.
Accept Responses: The number of RADIUS Access-Accept packets (valid or invalid) received from this server.
Reject Responses: The number of RADIUS Access-Reject packets (valid or invalid) received from this server.
Challenge Responses: The number of RADIUS Access-Challenge packets (valid or invalid) received from this server.
Malformed Msgs: The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators, Signature attributes, or unknown types are not included as malformed access responses.
Pending Requests: The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response. This variable is incremented when an Access-Request is sent and decremented on receipt of an Access-Accept, Access-Reject, or Access-Challenge, a timeout, or a retransmission.

Monitoring RADIUS Accounting

You can access this page in any of the following ways:
• Choose Monitor > Controllers, click the applicable IP address, then choose Radius Accounting from the Security section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Radius Accounting from the Security section of the left sidebar menu.
• Choose Monitor > Maps, click an item in the Name column, click an access point icon, click Controller, then choose Radius Accounting from the Security section of the left sidebar menu.
• Choose Configure > Access Points, select a list item under AP Name, click Registered Controller, then choose Radius Accounting from the Security section of the left sidebar menu.
Bad Authentication Msgs The number of RADIUS Access-Response packets containing invalid authenticators or Signature attributes received from this server. Timeouts Requests The number of authentication timeouts to this server. After a timeout the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as a Request as well as a timeout. Unknown Type Msgs The number of RADIUS packets of unknown type which were received from this server on the authentication port. Other Drops The number of RADIUS packets received from this server on the authentication port and dropped for some other reason. Table 5-11 RADIUS authentictaion details Parameter Description5-18 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Controllers This page displays RADIUS accounting server information and statistics: Ta b l e 5-12 RADIUS Accoungting Details Parameter Description RADIUS Accounting Server Server Index Access priority number for RADIUS servers. Up to four servers can be configured, and controller polling of the servers starts with Index 1, Index 2 second, and so forth. Index number is based on when the RADIUS server is added to the controller. IP Address The IP address of the RADIUS server. Ping Click to icon to ping the RADIUS Server from the controller to verify the link. Port The Port of the RADIUS Server. Admin Status Indicates whether the server is enabled or disabled. Accounting Statistics Msg Round Trip Time The time interval (in milliseconds) between the most recent Accounting-Response and the Accounting-Request that matched it from this RADIUS accounting server. First Requests The number of RADIUS Accounting-Request packets sent. This does not include retransmissions. Retry Requests The number of RADIUS Accounting-Request packets retransmitted to this RADIUS accounting server. 
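The Malformed Msgs, Bad Authentication Msgs and Unknown Type Msgs counters in Table 5-11 correspond to checks a RADIUS client makes on every packet received on the authentication port. The following Python is an added example, not code from this guide or from NCS, that reproduces those checks against constructed packets: the Response Authenticator is recomputed as RFC 2865 specifies (MD5 over Code, Identifier, Length, the matching Request Authenticator, the attributes and the shared secret), a Length field that disagrees with the received octets is treated as malformed, and a code that is not Access-Accept, Access-Reject or Access-Challenge is counted as unknown type. The shared secret, Request Authenticator, identifier and attribute values are constructed sample data, and the counter names mirror the table rather than any NCS API.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# RADIUS packet codes from RFC 2865 / RFC 2866
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCOUNTING_RESPONSE = 5
ACCESS_CHALLENGE = 11
RESPONSE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # RFC 2865 section 3: maximum packet length


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in type/length/value form (Length covers the two header octets)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a response the way a server would; used here only to make test input."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


@dataclass
class AuthServerStats:
    """Per-server counters named after the rows of Table 5-11 (constructed, not an NCS type)."""
    accept_responses: int = 0
    reject_responses: int = 0
    challenge_responses: int = 0
    malformed_msgs: int = 0
    bad_authentication_msgs: int = 0
    unknown_type_msgs: int = 0


def classify_response(packet: bytes, request_auth: bytes, secret: bytes,
                      stats: AuthServerStats) -> str:
    """Validate one packet received on the authentication port and bump the matching counter."""
    # Malformed: no complete header, or a Length field that disagrees with the octets received.
    if len(packet) < HEADER_LEN:
        stats.malformed_msgs += 1
        return "malformed"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet) or length > MAX_LEN:
        stats.malformed_msgs += 1
        return "malformed"
    packet = packet[:length]  # octets beyond Length are padding and are ignored (RFC 2865)

    # Unknown type: a code that is not a response to an Access-Request.
    if code not in RESPONSE_NAMES:
        stats.unknown_type_msgs += 1
        return "unknown_type"

    # Table 5-11 counts Accept/Reject/Challenge packets "valid or invalid", so count first.
    kind = RESPONSE_NAMES[code]
    setattr(stats, f"{kind}_responses", getattr(stats, f"{kind}_responses") + 1)

    # Bad authenticator: recompute over the received bytes and compare in constant time.
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        stats.bad_authentication_msgs += 1
        return "bad_authenticator"
    return kind


def demo():
    """Feed five constructed packets through the check; return the verdicts and the counters."""
    secret = b"constructed-shared-secret"   # constructed sample value
    request_auth = bytes(range(16))         # constructed Request Authenticator (random in practice)
    ident = 42
    attrs = attribute(18, b"Welcome")       # Reply-Message attribute

    good = build_response(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    # Forged: correct format, but computed with a secret the client does not share
    forged = build_response(ACCESS_ACCEPT, ident, attrs, request_auth, b"wrong-secret")
    # Altered in transit: one attribute octet flipped after the authenticator was computed
    altered = bytearray(good)
    altered[-1] ^= 0xFF
    # Truncated: the Length field claims more octets than arrived
    truncated = good[:-3]
    # Wrong port: an Accounting-Response turning up on the authentication port
    other = build_response(ACCOUNTING_RESPONSE, ident, attrs, request_auth, secret)

    stats = AuthServerStats()
    verdicts = [classify_response(p, request_auth, secret, stats)
                for p in (good, forged, bytes(altered), truncated, other)]
    return verdicts, stats
```

The Accept, Reject and Challenge counters are incremented before the authenticator check because, as the table states, they count packets valid or invalid; a forged or altered response therefore appears as both an Accept Response and a Bad Authentication Msg, which is the combination to look for on the RADIUS Authentication page.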
Retransmissions include retries where the Identifier and Acct-Delay have been updated, as well as those in which they remain the same.
Accounting Responses: The number of RADIUS packets received on the accounting port from this server.
Malformed Msgs: The number of malformed RADIUS Accounting-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators and unknown types are not included as malformed accounting responses.
Bad Authentication Msgs: The number of RADIUS Accounting-Response packets which contained invalid authenticators received from this server.
Pending Requests: The number of RADIUS Accounting-Request packets sent to this server that have not yet timed out or received a response. This variable is incremented when an Accounting-Request is sent and decremented due to receipt of an Accounting-Response, a timeout or a retransmission.
Timeouts Requests: The number of accounting timeouts to this server. After a timeout the client may retry to the same server, send to a different server, or give up. A retry to the same server is counted as a retransmit as well as a timeout. A send to a different server is counted as an Accounting-Request as well as a timeout.
Unknown Type Msgs: The number of RADIUS packets of unknown type which were received from this server on the accounting port.
Other Drops: The number of RADIUS packets which were received from this server on the accounting port and dropped for some other reason.

Monitoring Management Frame Protection

This page displays the Management Frame Protection (MFP) summary information. MFP provides for the authentication of 802.11 management frames. Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.

If one or more of the WLANs for the controller has MFP enabled, the controller sends each registered access point a unique key for each BSSID the access point uses for those WLANs. Management frames sent by the access point over the MFP-enabled WLANs are signed with a Frame Protection Information Element (IE). Any attempt to alter the frame invalidates the message, causing the receiving access point configured to detect MFP frames to report the discrepancy to the WLAN controller.

Access this page in one of the following ways:

• Choose Monitor > Controllers. From the Controllers > Search Results page, click the applicable IP Address, then choose Management Frame Protection from the Security section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Management Frame Protection from the Security section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Management Frame Protection from the Security section of the left sidebar menu.

The following parameters are displayed:

Table 5-13 MFP Details

General
Management Frame Protection: Indicates if infrastructure MFP is enabled globally for the controller.
Controller Time Source Valid: The Controller Time Source Valid field indicates whether the controller time is set locally (by manually entering the time) or through an external source (such as an NTP server). If the time is set by an external source, the value of this field is “True.” If the time is set locally, the value is “False.” The time source is used for validating the timestamp on management frames between access points of different controllers within a mobility group.

WLAN Details
WLAN ID: The WLAN ID, 1 through 17.
WLAN Name: User-defined profile name when initially creating the WLAN. Both the SSID name and profile name are user-defined. The WLAN name is the same as the profile name.
MFP Protection: Management Frame Protection is either enabled or disabled.
Status: Status of the WLAN is either enabled or disabled.

AP Details
AP Name: Operator-defined name of the access point.
MFP Validation: Management Frame Protection is enabled or disabled.
Radio: 802.11a or 802.11b/g.
Operation Status: Displays the operational status: either UP or DOWN.
Protection: Full (All Frames).
Validation: Full (All Frames).

Monitoring Rogue AP Rules

Rogue AP rules automatically classify rogue access points based on criteria such as authentication type, matching configured SSIDs, client count, and RSSI values. NCS applies the rogue access point classification rules to the controllers and respective access points. These rules can limit a rogue appearance on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time). Rogue AP Rules also help reduce false alarms.

Note Rogue classes include the following types:
Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.
Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.
Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.

Choose Monitor > Controllers.
From the Controllers > Search Results page, click the applicable IP Address, then choose Rogue AP Rules from the Security section of the left sidebar menu.

The Rogue AP Rules page provides a list of all rogue access point rules currently applied to this controller. The following information is displayed for rogue access point rules:

• Rogue AP Rule name—Click the link to view Rogue AP Rule details.
• Rule Type—Malicious or Friendly.
 – Malicious Rogue—A detected access point that matches the user-defined Malicious rules or has been manually moved from the Friendly AP category.
 – Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined Friendly rules.
• Priority—Indicates the priority level for this rogue AP rule.

Note See the “Configuring a Rogue AP Rules Template” section on page 11-78 for more information on Rogue AP Rules.

Rogue AP Rules Details

The Rogue AP Rules Details page displays the following information:

Table 5-14 Rogue AP Rule Details

Rule Name: Name of the rule.
Rule Type: Malicious or Friendly.
 – Malicious Rogue—A detected access point that matches the user-defined Malicious rules or has been manually moved from the Friendly AP category.
 – Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined Friendly rules.
Match Type: Match any or match all conditions.
Enabled Rule Conditions: Indicates all enabled rule conditions, including:
 – Open Authentication
 – Match Managed AP SSID
 – Match User Configured SSID
 – Minimum RSSI
 – Time Duration
 – Minimum Number Rogue Clients

Monitoring Guest Users

Choose Monitor > Controllers. From the Controllers > Search Results page, click the applicable IP Address, then choose Guest Users from the Security section of the left sidebar menu.

NCS allows you to monitor guest users from the Guest Users page as well as from the NCS home page. The Guest Users page provides a summary of the guest access deployment and network use. The following information is displayed for guest users currently associated on the network:

Table 5-15 Guest User Details

Guest User Name: Indicates the guest user login name.
Profile: Indicates the profile to which the guest user is connected.
Lifetime: Indicates the length of time that the guest user account is active. Length of time appears in days, hours, and minutes or as Never Expires.
Start Time: Indicates when the guest user account was activated.
Remaining Lifetime: Indicates the remaining time for the guest user account.
Role: Indicates the designated user role.
First Logged in at: Indicates the date and time of the user's first login.
Number of logins: Indicates the total number of logins for this guest user.
Description: User-defined description of the guest user account for identification purposes.

Monitoring Controllers Mobility

Monitoring Mobility Stats

The Mobility Stats page displays the statistics for mobility group events. Access this page in one of the following ways:

• Choose Monitor > Controllers and click the applicable IP address, then choose Mobility Stats from the Mobility section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Mobility Stats from the Mobility section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Mobility Stats from the Mobility section of the left sidebar menu.

The following parameters are displayed:

Table 5-16 Mobility Stats

Global Mobility Statistics
Rx Errors: Generic protocol packet receive errors, such as packet too short or format incorrect.
Tx Errors: Generic protocol packet transmit errors, such as packet transmission failure.
Responses Retransmitted: The Mobility protocol uses UDP and it resends requests several times if it does not receive a response. Because of network or processing delays, the responder may receive one or more retry requests after it initially responds to a request. This is a count of the response resends.
Handoff Requests Received: Total number of handoff requests received, ignored or responded to.
Handoff End Requests: Total number of handoff end requests received. These are sent by the Anchor or the Foreign to notify the other about the close of a client session.
State Transitions Disallowed: PEM (policy enforcement module) has denied a client state transition, usually resulting in the handoff being aborted.
Resource Unavailable: A necessary resource, such as a buffer, was unavailable, resulting in the handoff being aborted.

Mobility Responder Statistics
Handoff Requests Ignored: Number of handoff requests/client announces that were ignored. The controller simply had no knowledge of that client.
Ping Pong Handoff Requests Dropped: Number of handoff requests that were denied because the handoff period was too short (3 sec).
Handoff Requests Dropped: Number of handoff requests that were dropped due to either incomplete knowledge of the client or a problem with the packet.
Handoff Requests Denied: Number of handoff requests that were actively denied.
Client Handoff as Local: Number of handoff responses sent while in the local role.
Client Handoff as Foreign: Number of handoff responses sent while in the foreign role.
Anchor Requests Received: Number of anchor requests received.
Anchor Requests Denied: Number of anchor requests denied.
Anchor Requests Granted: Number of anchor requests granted.
Anchor Transferred: Number of anchors transferred because the client has moved from a foreign controller to a controller on the same subnet as the current anchor.

Mobility Initiator Statistics
Handoff Requests Sent: Number of clients that have associated with the controller and have been announced to the mobility group.
Handoff Replies Received: Number of handoff replies that have been received in response to the requests sent.
Handoff as Local Received: Number of handoffs in which the entire client session has been transferred.
Handoff as Foreign Received: Number of handoffs in which the client session was anchored elsewhere.
Handoff Denies Received: Number of handoffs that were denied.
Anchor Request Sent: Number of anchor requests that were sent for a three-party (foreign to foreign) handoff. The handoff was received from another foreign controller and the new controller is requesting the anchor to move the client.
Anchor Deny Received: Number of anchor requests that were denied by the current anchor.
Anchor Grant Received: Number of anchor requests that were approved by the current anchor.
Anchor Transfer Received: Number of anchor transfers that were received by the current anchor.

Monitoring Controller 802.11a/n

This section provides detailed information regarding monitoring 802.11a/n parameters and contains the following topics:

• Monitoring 802.11a/n Parameters, page 5-25
• Monitoring 802.11a/n RRM Groups, page 5-26

Monitoring 802.11a/n Parameters

Access this parameters page in one of the following ways:

• Choose Monitor > Controllers and click the applicable IP address, then choose Parameters from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11a/n section of the left sidebar menu.

This page displays the following 802.11a/n parameters:

Table 5-17 802.11a/n Parameters

MAC Operation Parameters
RTS Threshold: Indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
Note An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a data or management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute higher than the maximum MSDU size turns off the RTS/CTS handshake for data or management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all transmitted data or management type frames.
Short Retry Limit: The maximum number of transmission attempts of a frame (less than or equal to dot11RTSThreshold) made before a failure condition is indicated. The default value is 7.
Long Retry Limit: The maximum number of transmission attempts of a frame (greater than dot11RTSThreshold) made before a failure condition is indicated. The default value is 4.
Max Tx MSDU Lifetime: The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU are terminated. The default value is 512.
Max Rx Lifetime: The elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU are terminated. The default value is 512.

Physical Channel Parameters
TI Threshold: The threshold being used to detect a busy medium (frequency). CCA shall report a busy medium upon detecting the RSSI above this threshold.
Channel Agility Enabled: Physical channel agility functionality is or is not implemented.

Station Configuration Parameters
Medium Occupancy Limit: Indicates the maximum amount of time, in TU, that a point coordinator may control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
CFP Period: The number of DTIM intervals between the start of CFPs. It is modified by the MLME-START.request primitive.
CFP Max Duration: The maximum duration of the CFP in TU that may be generated by the PCF. It is modified by the MLME-START.request primitive.
CF Pollable: When this attribute is implemented, it indicates that the client is able to respond to a CF-Poll with a data frame within a SIFS time. This attribute is not implemented if the STA is not able to respond to a CF-Poll with a data frame within a SIFS time.
CF Poll Request: Specifies whether CFP is requested by the client.
DTIM Period: The number of beacon intervals that shall elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.

Monitoring 802.11a/n RRM Groups

Access the RRM Grouping page in one of the following ways:

• Choose Monitor > Controllers and click the applicable IP address, then choose Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11a/n section of the left sidebar menu.

This page displays the following 802.11a RRM groups parameters:

Table 5-18 802.11a/n RRM Groups

802.11a Grouping Control
Grouping Mode: Dynamic grouping has two modes: on and off. When grouping is off, no dynamic grouping occurs. Each controller optimizes only its own access points' parameters. When grouping is on, the controller forms groups and elects leaders to perform better dynamic parameter optimization.
Grouping Role: There are five grouping roles:
 – None—This grouping role appears when the RF Group Mode is configured as Off.
 – Auto-Leader—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is elected as a leader by the automatic grouping algorithm.
 – Auto-Member—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is selected as a member by the automatic grouping algorithm.
 – Static-Leader—This grouping role appears when the RF Group Mode is configured as Leader.
 – Static-member—This grouping role appears when the RF Group Mode is configured as automatic and the controller joins the leader as a result of the join request from the leader.
Group Leader IP Address: This is the IP address of the group leader.
Group Leader MAC Address: This is the MAC address of the group leader for the group containing this controller.
Is 802.11a Group Leader: Yes, if this controller is the group leader, or No if the controller is not the group leader.
Last Update Time (secs): The elapsed time since the last group update in seconds. This is only valid if this controller is a group leader.
Group Update Interval (secs): When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. The default value is 3600 seconds.

Group Members
Group Member Name: Name of group member(s).
Group Member IP Address: IP address of group member(s).
Member Join Reason: Current state of the member(s).

Monitoring Controllers 802.11b/g/n

This section provides detailed information regarding monitoring 802.11b/g/n parameters and contains the following topics:

• Monitoring 802.11b/g/n Parameters, page 5-28
• Monitoring 802.11b/g/n RRM Groups, page 5-30

Monitoring 802.11b/g/n Parameters

Access this parameters page in one of the following ways:

• Choose Monitor > Controllers and click the applicable IP Address, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose Parameters from the 802.11b/g/n section of the left sidebar menu.

This page displays the following 802.11b/g parameters:

Table 5-19 802.11b/g/n Parameters

MAC Operation Parameters
RTS Threshold: Indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
Note An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a data or management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute higher than the maximum MSDU size turns off the RTS/CTS handshake for data or management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all transmitted data or management type frames.
Short Retry Limit: The maximum number of transmission attempts of a frame (less than or equal to dot11RTSThreshold) made before a failure condition is indicated. The default value is 7.
Long Retry Limit: The maximum number of transmission attempts of a frame (greater than dot11RTSThreshold) made before a failure condition is indicated. The default value is 4.
Max Tx MSDU Lifetime: The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU are terminated. The default value is 512.
Max Rx Lifetime: The elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU are terminated. The default value is 512.

Physical Channel Parameters
TI Threshold: The threshold being used to detect a busy medium (frequency).
CCA shall report a busy medium upon detecting the RSSI above this threshold.
Channel Agility Enabled: Physical channel agility functionality is or is not implemented.

Station Configuration Parameters
Medium Occupancy Limit: Indicates the maximum amount of time, in TU, that a point coordinator may control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
CFP Period: The number of DTIM intervals between the start of CFPs. It is modified by the MLME-START.request primitive.
CFP Max Duration: The maximum duration of the CFP in TU that may be generated by the PCF. It is modified by the MLME-START.request primitive.
CF Pollable: When this attribute is implemented, it indicates that the client is able to respond to a CF-Poll with a data frame within a SIFS time. This attribute is not implemented if the STA is not able to respond to a CF-Poll with a data frame within a SIFS time.
CF Poll Request: Specifies whether CFP is requested by the client.
DTIM Period: The number of beacon intervals that shall elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.

Monitoring 802.11b/g/n RRM Groups

Access the RRM Group page in one of the following ways:

• Choose Monitor > Controllers and click the applicable IP address, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Access Points, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.
• Choose Monitor > Clients, click a list item under AP Name, click Registered Controller, then choose RRM Grouping or WPS Grouping from the 802.11b/g/n section of the left sidebar menu.

This page displays the following 802.11b/g RRM groups parameters:

Table 5-20 802.11b/g/n RRM Groups

802.11b/g/n Grouping Control
Grouping Mode: Dynamic grouping has two modes: on and off. When grouping is off, no dynamic grouping occurs. Each controller optimizes only its own access points' parameters. When grouping is on, the controller forms groups and elects leaders to perform better dynamic parameter optimization.
Grouping Role: There are five grouping roles:
 – None—This grouping role appears when the RF Group Mode is configured as Off.
 – Auto-Leader—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is elected as a leader by the automatic grouping algorithm.
 – Auto-Member—This grouping role appears when the RF Group Mode is configured as Automatic and the controller is selected as a member by the automatic grouping algorithm.
 – Static-Leader—This grouping role appears when the RF Group Mode is configured as Leader.
 – Static-member—This grouping role appears when the RF Group Mode is configured as automatic and the controller joins the leader as a result of the join request from the leader.
Group Leader IP Address: This is the IP address of the group leader.
Group Leader MAC Address: This is the MAC address of the group leader for the group containing this controller.
Is 802.11a Group Leader: Yes, if this controller is the group leader, or No if the controller is not the group leader.
Last Update Time (secs): The elapsed time since the last group update in seconds. This is only valid if this controller is a group leader.
Group Update Interval (secs): When grouping is on, this interval (in seconds) represents the period with which the grouping algorithm is run by the Group Leader. The grouping algorithm also runs when the group contents change and automatic grouping is enabled. A dynamic grouping can be started upon request from the system administrator. The default value is 3600 seconds.

Group Members
Group Member Name: Name of group member(s).
Group Member IP Address: IP address of group member(s).
Member Join Reason: Current state of the member(s).

Monitoring Switches

Choose Monitor > Switches to view detailed information about the switches. The following sections provide more detailed information regarding monitoring switches:

• Searching Switches, page 5-32
• Viewing List of Switches, page 5-33
• Monitoring Switch System Parameters, page 5-33
• Monitoring Switch Interfaces, page 5-39
• Monitoring Switch Clients, page 5-41

Searching Switches

Use the NCS search feature to find specific switches or to create and save custom searches. You can configure the following parameters when performing an advanced search for switches (see Table 5-21):

Table 5-21 Search Switches Parameters

Search for Switches by: Choose All Switches, IP Address, or Switch Name. You can use wildcards (*). For example, if you select IP Address and enter 172*, NCS returns all switches whose IP address begins with 172.
Items per page: Select the number of switches to return per page.

See one of the following topics for additional information:

• Using the Search Feature, page 2-33
• Quick Search, page 2-33
• Advanced Search, page 2-34
• Saved Searches, page 2-46

Viewing List of Switches

Choose Monitor > Switches to view a list of switches. From this page you can view a summary of switches including the default information shown in Table 5-22.

Configuring the Switch List Page

The Edit View page allows you to add, remove, or reorder columns in the Switches table. To edit the available columns in the table, follow these steps:

Step 1 Choose Monitor > Switches.
Step 2 Click the Edit View link.
Step 3 To add an additional column to the table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.
Step 4 To remove a column from the table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. All items in the left column are not displayed in the table.
Step 5 Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6 Click Reset to restore the default view.
Step 7 Click Submit to confirm the changes.

Monitoring Switch System Parameters

Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. This section provides detailed information regarding each switch details page and contains the following topics:

• Viewing Switch Summary Information, page 5-34
• Viewing Switch Memory Information, page 5-35

Table 5-22 Viewing List of Switches

IP Address: The IP address assigned to the switch. Click a list item to view access point details.
Device Name: Name of the switch.
Device Type: Type of switch.
Reachability Status Indicates OK if the switch is reachable or Unreachable if the switch is not reachable. Endpoint Count Number of endpoints on the switch.5-34 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Switches • Viewing Switch Environment Information, page 5-35 • Viewing Switch Module Information, page 5-36 • Viewing Switch VLAN Information, page 5-36 • Viewing Switch VTP Information, page 5-36 • Viewing Switch Physical Ports Information, page 5-37 • Viewing Switch Sensor Information, page 5-37 • Viewing Switch Spanning Tree Information, page 5-38 • Viewing Switch Stacks Information, page 5-39 • Viewing Switch NMSP and Location Information, page 5-39 Viewing Switch Summary Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. Table 5-23 describes the summary information that is displayed. Ta b l e 5-23 Viewing Switches Summary Information General IP Address IP address of the switch. Device Name Name of the switch. Device Type Switch type. Up Time Time since last reboot. System Time Time on the switch. Reachability Status which can be: • Reachable • Unreachable Location Location of the switch. Contact Contact name for the switch. Cisco Identity Capable Specifies if the switch is identity-capable. Location Capable Specifies if the switch is capable of storing the location information. CPU Utilization Displays a graph of the maximum, average, and minimum CPU utilization over the specified amount of time. Unique Device Identifier (UDI) Name Product type. Description Description of UDI. Product ID Orderable product identifier. Ve r s io n I D Version of product identifier. Serial Number Unique product serial number. Inventory Software Version Version of software currently running on the switch. Model No. 
Model number of the switch.5-35 Cisco Wireless Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Switches Related Topic • Monitoring Switch Interfaces, page 5-39 Viewing Switch Memory Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Memory. Table 5-24 describes the memory information that is displayed. Viewing Switch Environment Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Environment. Table 5-25 describes the environment information that is displayed. Port Summary Number of Ports Up Number of ports up on the switch. Number of Ports Down Number of ports down on the switch. Memory Utilization Displays a graph of the maximum, average, and minimum memory utilization over the specified amount of time. Table 5-23 Viewing Switches Summary Information (continued) Ta b l e 5-24 Viewing Switches Memory Information Memory Pool Type Type of memory. Name Name assigned to the memory pool. Used (MB) Amount of memory (in MB) used. Free (MB) Amount of memory (in MB) available. Ta b l e 5-25 Viewing Switches Environment Information Power Supply Model Name Model name of the power supply. Description Description of the power supply. Operational Status Status of the associated power supply, which can be • Green—Power supply is operational. • Red—Power supply is inoperable. Manufacturer Name Name of the power supply manufacturer. Free Power supply free slots. Vendor Equipment Type Description of vendor equipment type. Fans Name Name of fan.5-36 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Switches Viewing Switch Module Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. 
From the System menu, choose Modules. Table 5-26 describes the module information that is displayed. Viewing Switch VLAN Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose VLANs. Table 5-27 describes the VLAN information that is displayed. Viewing Switch VTP Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose VTP. Table 5-28 describes the VTP information that is displayed. Description Description of fan. Operational Status Status of the fan which can be • Green—Fan is operational. • Red—Fan is inoperable. Vendor Equipment Type Description of vendor equipment type. Serial Number Serial number of the fan. Table 5-25 Viewing Switches Environment Information Ta b l e 5-26 Viewing Switches Modules Information Modules Product Name Name of the module. Physical Location Location where the module is contained. Number of Ports Number of ports supported by the module. Operational State Operational status of the module. Equipment Type Type of equipment. Inline Power Capable Specifies whether the module has inline power capability. Ta b l e 5-27 Viewing Switches VLANs Information VLANs VLAN ID ID of the VLAN. VLAN Name Name of the VLAN. VLAN Type Type of VLAN.5-37 Cisco Wireless Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Switches Viewing Switch Physical Ports Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Physical Ports. Table 5-29 describes the physical ports information that is displayed. Viewing Switch Sensor Information Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Sensors. 
Table 5-30 describes the sensor information that is displayed.

Table 5-28  Viewing Switches VTP Information
  VTP
  VTP Domain Name: Name of the VTP domain.
  VTP Version: Version of VTP in use.
  VTP Mode: The VTP mode, which can be:
    • Client
    • Server
    • Transparent—Does not generate or listen to VTP messages, but forwards messages.
    • Off—Does not generate, listen to, or forward any VTP messages.
  Pruning Enabled: Specifies whether VTP pruning is enabled.

Table 5-29  Viewing Switches Physical Ports Information
  Physical Ports
  Port Name: Name of the physical port.
  Port Description: Description of the physical port.
  Residing Module: Module on which the physical port resides.
  Vendor Equipment Type: Description of vendor equipment type.

Viewing Switch Spanning Tree Information

Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Spanning Tree. Table 5-31 describes the spanning tree information that is displayed.

Viewing Spanning Tree Details

Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Spanning Tree, then click an STP instance ID to see the spanning tree details as described in Table 5-32.

Table 5-30  Viewing Switches Sensors Information
  Sensors
  Sensor Name: Name of the sensor.
  Sensor Description: Description of the sensor.
  Type: Type of sensor.
  Vendor Sensor Type: Description of vendor sensor type.
  Equipment Name: Name of equipment.
  Precision: When in the range 1 to 9, Sensor Precision is the number of decimal places in the fractional part of a Sensor Value fixed-point number. When in the range -8 to -1, Sensor Precision is the number of accurate digits in a Sensor Value fixed-point number.
  Status: Operational status of the sensor.
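The Precision row of Table 5-30 states the decoding rule for a fixed-point Sensor Value but not a procedure, and a monitoring tool that applies the rule wrongly shows a temperature or voltage off by orders of magnitude. The following Python routine is an added example, not code from the Cisco guide or from NCS: it applies both rules (a positive precision scales the fractional part, a negative precision marks how many leading digits are accurate) over constructed sample rows. The sensor names, raw values and unit strings are invented, the treatment of precision 0 and the zeroing of inaccurate trailing digits are this example's assumptions, and a precision outside -8..9 is rejected so a malformed row is shown as unreadable rather than as a wrong reading.

```python
from decimal import Decimal
from typing import Dict, List

# Constructed sample rows with the columns of Table 5-30 (Sensor Name, Type,
# raw Sensor Value, Precision, Status). The values and units are invented for
# this example; they are not data exported from NCS.
SAMPLE_SENSORS: List[Dict] = [
    {"name": "Inlet Temp",   "type": "celsius", "value": 2375,  "precision": 2,  "status": "ok"},
    {"name": "PSU1 Voltage", "type": "voltsDC", "value": 12050, "precision": 3,  "status": "ok"},
    {"name": "Fan1 Speed",   "type": "rpm",     "value": 8432,  "precision": -2, "status": "ok"},
    {"name": "Bad Sensor",   "type": "celsius", "value": 10,    "precision": 12, "status": "nonoperational"},
]


def decode_sensor_value(raw_value: int, precision: int) -> Decimal:
    """Turn a raw fixed-point Sensor Value into a reading using Sensor Precision.

    Rules taken from the Precision row of Table 5-30:
      1..9   -> number of decimal places in the fractional part, i.e. the
                reading is raw_value / 10**precision.
     -8..-1  -> number of accurate leading digits; the less significant
                digits of the integer reading are not reliable and are
                zeroed here (the zeroing is this example's choice).
    Precision 0 is not described in the guide; it is assumed to mean an
    exact integer reading. Anything outside -8..9 is rejected rather than
    silently scaled, so a malformed row is reported instead of misread.
    """
    if not -8 <= precision <= 9:
        raise ValueError(f"Sensor Precision {precision} outside the range -8 to 9")
    if precision > 0:
        # scaleb(-p) moves the decimal point p places to the left: 2375 -> 23.75
        return Decimal(raw_value).scaleb(-precision)
    if precision == 0:
        return Decimal(raw_value)
    accurate_digits = -precision
    magnitude = abs(raw_value)
    total_digits = len(str(magnitude))
    if total_digits <= accurate_digits:
        return Decimal(raw_value)  # every digit present is accurate
    drop = total_digits - accurate_digits
    kept = (magnitude // 10**drop) * 10**drop  # 8432 with 2 accurate digits -> 8400
    return Decimal(kept if raw_value >= 0 else -kept)


def render_sensor_table(rows: List[Dict]) -> List[str]:
    """One display line per sensor, in the order given.

    A row whose Precision is out of range is still listed, flagged as
    unreadable, so a bad value never makes a sensor disappear from the page.
    """
    lines = []
    for row in rows:
        try:
            reading = decode_sensor_value(row["value"], row["precision"])
            lines.append(f"{row['name']}: {reading} {row['type']} ({row['status']})")
        except ValueError as exc:
            lines.append(f"{row['name']}: unreadable ({exc}); status {row['status']}")
    return lines


if __name__ == "__main__":
    for line in render_sensor_table(SAMPLE_SENSORS):
        print(line)
```

Decimal is used instead of float so that a reading such as 12.050 keeps exactly the number of decimal places the precision declares; with float the trailing zero, which here carries meaning, would be lost.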
Table 5-31  Viewing Switches Spanning Tree Information
  Spanning Tree
  STP Instance ID: ID of the STP. Click an STP Instance ID to see the spanning tree details as described in Viewing Spanning Tree Details.
  VLAN ID: ID of the VLAN.
  Root Path Cost: Root cost of the path.
  Designated Root: Forwarding port.
  Bridge Priority: Priority of the bridge.
  Root Bridge Priority: Priority number of the root bridge.
  Max Age (sec): STP timer value for maximum age (in seconds).
  Hello Interval (sec): STP timer value (in seconds).

Table 5-32  Viewing Spanning Tree Details
  Spanning Tree
  STP Port: Name of the STP port.
  Port Role: Role of the port.
  Port Priority: Priority number of the port.
  Path Cost: Cost of the path.
  Port State: State of the port.
  Port Type: Type of port.

Viewing Switch Stacks Information

Choose Monitor > Switches, then click an IP address under the IP Address column to view details about the switch. From the System menu, choose Stacks. Table 5-33 describes the stack information that is displayed.

Table 5-33  Viewing Switches Stacks Information
  Stacks
  MAC Address: MAC address of the stack.
  Role: Role of the stack, which can be:
    • Master—Stack master
    • Member—Active member of the stack
    • Not Member—Non-active stack member
  Switch Priority: Priority number of the switch.
  State: Current state of the stack.
  Software Version: Software image running on the switch.

Viewing Switch NMSP and Location Information

You can view the NMSP and Location information for a switch using the System left sidebar menu. To view the NMSP and Location information for a switch, choose NCS > Monitor > Switches > Switch IP Address > System > NMSP and Location. The NMSP and Location page appears. You can view the NMSP status in the NMSP Status pane and location information in the Location pane. For more information on NMSP and Location, see Configuring Switch NMSP and Location.

Monitoring Switch Interfaces

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces, then select one of the following interfaces:
• Monitoring Switch Ethernet Interfaces
• Monitoring Switch IP Interfaces
• Monitoring Switch VLAN Interfaces
• Monitoring Switch EtherChannel Interfaces

Monitoring Switch Ethernet Interfaces

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces > Ethernet Interfaces. Table 5-34 describes the Ethernet interface information that is displayed.

Table 5-34  Viewing Switch Ethernet Interfaces
  Name: Name of the Ethernet interface. Click an Ethernet interface name to see details as described in Monitoring Switch Ethernet Interface Details.
  MAC Address: MAC address of the Ethernet interface.
  Speed (Mbps): Estimate of the Ethernet interface's current bandwidth in bits per second.
  Operational Status: Current operational state of the Ethernet interface.
  MTU: Size of the largest packet that can be sent or received on the interface.
  Desired VLAN Mode: VLAN mode.
  Access VLAN: VLAN on which the port is configured.

Monitoring Switch Ethernet Interface Details

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces > Ethernet Interfaces, then click an Ethernet interface name in the Name column. Table 5-35 describes the Ethernet interface detail information that is displayed.

Table 5-35  Viewing Switch Ethernet Interface Details
  Ethernet Interfaces
  Name: Name of the Ethernet interface.
  Admin Status: Administration status of the interface.
  Duplex Mode: Duplex mode configured on the interface.
  VLAN Switch Port
  Operational VLAN Mode: Specifies the operational mode of the VLAN switch port, which can be either an access port or a trunk port.
  Desired VLAN Mode: VLAN mode, which can be trunk, access, dynamic, or desirable.
  Access VLAN: VLAN on which the port is configured.
  Operational Trunk Encapsulation: Trunk encapsulation, which can be 802.1Q or none.
  VLAN Trunk
  Native VLAN: Untagged VLAN on the trunk switch port.
  Prune Eligible: Specifies whether VLANs on the trunk port can be pruned.
  Allowed VLANs: List of allowed VLANs on the trunk port.
  Desired Trunking Encapsulation: Trunk encapsulation.
  Trunking Encapsulation Negotiation: Specifies that the interface negotiates with the neighboring interface to become an ISL (preferred) or 802.1Q trunk, depending on the configuration and capabilities of the neighboring interface.

Monitoring Switch IP Interfaces

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces > IP Interfaces. Table 5-36 describes the IP interface information that is displayed.

Table 5-36  Viewing Switch IP Interfaces
  Interface: Name of the interface.
  IP Address: IP address of the interface.
  Address Type: Type of address (IPv4 or IPv6).

Monitoring Switch VLAN Interfaces

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces > VLAN Interfaces. Table 5-37 describes the VLAN interface information that is displayed.

Table 5-37  Viewing Switch VLAN Interfaces
  Port Name: Name of the VLAN port.
  VLAN ID: ID of the VLAN port.
  Operational Status: Current operational state of the VLAN interface.
  Admin Status: Current administrative state of the VLAN interface.
  Port Type: Type of VLAN port.
  Maximum Speed (Mbps): Maximum supported speed for the VLAN interface.
  MTU: Size of the largest packet that can be sent or received on the VLAN interface.

Monitoring Switch EtherChannel Interfaces

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Interfaces > EtherChannel Interfaces. Table 5-38 describes the EtherChannel interface information that is displayed.

Table 5-38  Viewing Switch EtherChannel Interfaces
  Name: Name of the EtherChannel interface.
  Channel Group ID: Numeric identifier for the EtherChannel.
  Control Method: Protocol for managing the EtherChannel, which can be LACP or PAgP.
  Actor Admin Key: Channel identifier.
  Number of (LAG) Members: Number of ports configured.

Monitoring Switch Clients

Choose Monitor > Switches, then click an IP address under the IP Address column. From the System menu, choose Clients. Table 5-39 describes the client information that is displayed.

Table 5-39  Viewing Current Associated Client
  IP Address: IP address of the client.
  MAC Address: MAC address of the client.
  User Name: User name of the client.
  Vendor Name: Vendor name of the client.
  Map Location: Location of the client.
  VLAN: VLAN on which the client is configured.
  Interface: Interface on which the client is configured.
  Association Time: Timestamp of the client association.
  Authorization Profile Name: Authorization profile name stored.

Monitoring Access Points

This section provides access to the controller access points summary details. Use the main data area to access the respective access point details. Choose Monitor > Access Points to access this page. This section provides more detailed information regarding monitoring access points and contains the following topics:
• Searching Access Points, page 5-42
• Viewing List of Access Points, page 5-43
• Generating a Report for Access Points, page 5-46
• Monitoring Access Points Details, page 5-56
• Monitoring Access Point Radio Details, page 5-68
• Monitoring Mesh Access Points, page 5-77
• Retrieving the Unique Device Identifier on Controllers and Access Points, page 5-83
• Monitoring Coverage Hole, page 5-84
• Monitoring Rogue Access Points, page 5-86
• Monitoring Adhoc Rogues, page 5-100
• Searching Rogue Clients Using Advanced Search, page 5-105
• Monitoring Rogue Access Point Location, Tagging, and Containment, page 5-107

Searching Access Points

Use the NCS Search feature to find specific access points or to create and save custom searches. See one of the following topics for additional information:
• Using the Search Feature, page 2-33
• Quick Search, page 2-33
• Advanced Search, page 2-34
• Saved Searches, page 2-46

Viewing List of Access Points

Choose Monitor > Access Points or perform an access point search to access this page. This page enables you to view a summary of access points including the following default information:

Table 5-40  Access Point Search Results
  AP Name / Ethernet MAC: The name assigned to the access point. Click a list item to view access point details. See the “Monitoring Access Points Details” section on page 5-56 for more information.
  IP Address: Local IP address of the access point.
  Radio: Protocol of the rogue access point is 802.11a, 802.11b or 802.11g. Click a list item to view access point radio details. See the “Monitoring Access Point Radio Details” section on page 5-68 for more information.
  Map Location: Click a list item to go to the location indicated on the list.
  Controller: Click a list item to display a graphic and information about the controller. See the “Monitoring System Summary” section on page 5-4 for more information.
  Client Count: Displays the total number of clients currently associated with the controller.
  Admin Status: Displays the administration state of the access point as either enabled or disabled.
  AP Mode: Displays the operational mode of the access point.
  Oper Status: Displays the operational status of the Cisco WLAN Solution device, either Up or Down. If the admin status is disabled, the operation status is labeled as down and there will be no alarms.
  Alarm Status: Alarms are color coded as follows:
    – Clear—No Alarm
    – Red—Critical Alarm
    – Orange—Major Alarm
    – Yellow—Minor Alarm
  Note: This status is the radio alarm status ONLY and does not include the admin status in the operation status.

Configuring the Access Point List Display

To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page. The following are optional access point parameters available for the search results:

Table 5-41  Edit View Search Results
  AP Type: Indicates the type of access point (unified or autonomous).
  Antenna Azim. Angle: Indicates the horizontal angle of the antenna.
  Antenna Diversity: Indicates if antenna diversity is enabled or disabled. Antenna diversity refers to the access point sampling the radio signal from two integrated antenna ports to choose the preferred antenna.
  Antenna Elev. Angle: Indicates the elevation angle of the antenna.
  Antenna Gain: The peak gain in dBi of the antenna for directional antennas and the average gain in dBi for omni-directional antennas connected to the wireless network adapter. The gain is in multiples of 0.5 dBm. An integer value 4 means 4 x 0.5 = 2 dBm of gain.
  Antenna Mode: Indicates the antenna mode, such as omni, directional, or non-applicable.
  Antenna Name: Indicates the antenna name or type.
  Audit Status: Indicates one of the following audit statuses:
    – Mismatch—Config differences were found between NCS and the controller during the last audit.
    – Identical—No config differences were found during the last audit.
    – Not Available—Audit status is unavailable.
  Base Radio MAC: Indicates the MAC address of the base radio.
  Bridge Group Name: Indicates the name of the bridge group used to group the access points, if applicable.
  CDP Neighbors: Indicates all directly connected Cisco devices.
  Channel Control: Indicates whether the channel control is automatic or custom.
  Channel Number: Indicates the channel on which the Cisco Radio is broadcasting.
  Controller Port: Indicates the number of controller ports.
  Google Earth Location: Indicates whether or not a Google Earth location is assigned and indicates the location.
  Location: Indicates the physical location of the access point.
  Node Hops: Indicates the number of hops between access points.
  OfficeExtend AP: Specifies whether or not OfficeExtend access is enabled. If it is disabled, the access point is remotely deployed, which increases the security risk.
  PoE Status: Indicates the Power over Ethernet status of the access point. The possible values include:
    – Low—The access point draws low power from the Ethernet.
    – Lower than 15.4 volts—The access point draws lower than 15.4 volts from the Ethernet.
    – Lower than 16.8 volts—The access point draws lower than 16.8 volts from the Ethernet.
    – Normal—The power is high enough for the operation of the access point.
    – Not Applicable—The power source is not from the Ethernet.
  Primary Controller: Indicates the name of the primary controller for this access point.
  Radio MAC: Indicates the radio MAC address.
  Reg. Domain Supported: Indicates whether or not the regulatory domain is supported.
  Serial Number: Indicates the access point serial number.
  Slot: Indicates the slot number.
  Tx Power Control: Indicates whether the transmission power control is automatic or custom.
  Tx Power Level: Indicates the transmission power level.
  Up Time: Indicates how long the access point has been up in days, hours, minutes and seconds.
  WLAN Override Names: Indicates the WLAN override profile names.
  WLAN Override: Indicates whether WLAN Override is enabled or disabled.

Configuring the List of Access Points Display

The Edit View page allows you to add, remove, or reorder columns in the Access Points table. To edit the available columns in the table, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Click the Edit View link.
Step 3 To add a column to the access points table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.
Step 4 To remove a column from the access points table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. Items in the left column are not displayed in the table.
Step 5 Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6 Click Reset to restore the default view.
Step 7 Click Submit to confirm the changes.

Note: See the “Viewing List of Access Points” section on page 5-43 for additional access point parameters that can be added through Edit View.

Generating a Report for Access Points

To generate a report for access points, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Click to select the access point(s) for which you want to run a report.
Step 3 Choose the applicable report from the Select a report drop-down list.
Step 4 Click Go.

The following reports are available:

Table 5-42  Access Point Reports
  Load: Generates a report with load information. Reference: Monitoring Traffic Load, page 5-48.
  Dynamic Power Control: Generates a report with Dynamic Power Control information. Reference: Monitoring Dynamic Power Control, page 5-49.
  Noise: Generates a report with Noise information. Reference: Monitoring Access Points Noise, page 5-50.
  Interference: Generates a report with Interference information. Reference: Monitoring Access Points Interference, page 5-50.
  Coverage (RSSI): Generates a report with Coverage (RSSI) information. Reference: Monitoring Access Points Coverage (RSSI), page 5-51.
  Coverage (SNR): Generates a report with Coverage (SNR) information. Reference: Monitoring Access Points Coverage (SNR), page 5-51.
  Up/Down Statistics: Time in days, hours and minutes since the last reboot. Generates a report with Up Time information. Reference: Monitoring Access Points Up/Down Statistics, page 5-51.
  Voice Statistics: Generates a report for selected access points showing radio utilization by voice traffic. Reference: Monitoring Access Points Voice Statistics, page 5-52.
  Voice TSM Table: Generates a report for selected access points and radio, organized by client device, showing QoS status, PLR, and latency of its voice traffic stream. Reference: Monitoring Access Points Voice TSM Table, page 5-52.
  Voice TSM Reports: Graphical representation of the TSM table, except that metrics from the clients are averaged together on the graphs. Reference: Monitoring Access Points Voice TSM Reports, page 5-54.
  802.11 Counters: Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer. Reference: Monitoring Access Points 802.11 Counters, page 5-54.
  AP Profile Status: Displays access point load, noise, interference, and coverage profile status. Reference: Monitoring Access Points AP Profile Status, page 5-55.
  Air Quality vs. Time: Displays the air quality index of the wireless network during the configured time duration. Reference: Monitoring Air Quality, page 5-56.
  Traffic Stream Metrics: Useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays. Reference: Monitoring Access Points Traffic Stream Metrics, page 5-55.
  Tx Power and Channel: Displays the channel plan assignment and transmit power level trends of devices based on the filtering criteria used when the report was generated. It can help identify unexpected behavior or issues with network performance. Reference: Monitoring Access Points Tx Power and Channel, page 5-55.
  VoIP Calls Graph: Helps analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays information in a graph. Reference: Monitoring VoIP Calls, page 5-56.
  VoIP Calls Table: Provides the same information as the VoIP Calls Graph report but in table form. Reference: Monitoring VoIP Calls, page 5-56.
  Voice Statistics: Helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure call admission control (CAC) is supported on voice clients. Reference: Monitoring Voice Statistics, page 5-56.
  Worst Air Quality APs: Reference: Monitoring Air Quality, page 5-56.

Monitoring Traffic Load

Traffic Load is the total amount of bandwidth used for transmitting and receiving traffic. This enables WLAN managers to track network growth and plan network growth ahead of client demand. To access the access point Load report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Step 3 From the Generate a report for selected APs drop-down list, choose Load.
Step 4 Click Go.

The Load report displays for the selected access points. This page displays the following load data:

Table 5-43  Traffic Load
  AP Name: Click the access point name to view access point details. See the “Monitoring Access Points Details” section on page 5-56 for more information.
  Radio: Protocol of the rogue access point is either 802.11a, 802.11b or 802.11g. Click the radio to view On-Demand Statistics for this access point. See the “Monitoring Access Point Radio Details” section on page 5-68 for more information.
  Attached Client Count: Number of clients attached (Actual and Threshold).
  Channel Utilization: 802.11a RF utilization threshold between 0 and 100 percent (Actual and Threshold).
  Receive Utilization: 802.11a or 802.11b/g RF receive utilization threshold between 0 and 100 percent.
  Transmit Utilization: 802.11a or 802.11b/g RF transmit utilization threshold between 0 and 100 percent.
  Status: Status of the client connection.

Monitoring Dynamic Power Control

To access the access point Dynamic Power Control report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Step 3 From the Generate a report for selected APs drop-down list, choose Dynamic Power Control.
Step 4 Click Go.

The Dynamic Power Control report displays for the selected access points. This page displays dynamic control parameters for access points as follows:

Table 5-44  Dynamic Power Control
  AP Name: This is the name assigned to the access point. Click an access point name in the list to access its parameters. See the “Monitoring Access Points Details” section on page 5-56 for more information.
  Radio: Protocol of the rogue access point is either 802.11a or 802.11b/g. Click a Cisco Radio on the list to access its parameters. See the “Monitoring Access Point Radio Details” section on page 5-68 for more information.
  Current Power Level: Displays the operating transmit power level from the transmit power table. Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
  Note: The power levels and available channels are defined by the Country Code Setting, and are regulated on a country by country basis.
  Power Assignment Mode: Dynamic transmit power assignment has three modes:
    – Automatic—The transmit power is periodically updated for all Cisco 1000 Series lightweight access points that permit this operation.
    – On Demand—Transmit power is updated when the Assign Now button is selected.
    – Fixed—No dynamic transmit power assignments occur and values are set to their global default.
    The default is Automatic.
  Recommended Power Level

Monitoring Access Points Noise

To access the access point Noise report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Note: If multiple access points are selected, they must have the same radio type.
Step 3 From the Generate a report for selected APs drop-down list, choose Noise.
Step 4 Click Go.

The Noise report displays for the selected access points. This page displays a bar graph of noise (RSSI in dBm) for each channel.

Monitoring Access Points Interference

To access the access point Interference report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Note: If multiple access points are selected, they must have the same radio type.
Step 3 From the Generate a report for selected APs drop-down list, choose Interference.
Step 4 Click Go.

The Interference report displays for the selected access points. This page displays a bar graph of interference (RSSI in dBm) for each channel:
• High interference: -40 to 0 dBm.
• Marginal interference: -100 to -40 dBm.
• Low interference: -110 to -100 dBm.

Monitoring Access Points Coverage (RSSI)

To access the access point Coverage (RSSI) report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Step 3 From the Generate a report for selected APs drop-down list, choose Coverage (RSSI).
Step 4 Click Go.

The Coverage (RSSI) report displays for the selected access points. This page displays a bar graph of client distribution by received signal strength, showing the number of clients versus RSSI in dBm.

Monitoring Access Points Coverage (SNR)

To access the access point Coverage (SNR) report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box(es) of the applicable access point(s).
Step 3 From the Generate a report for selected APs drop-down list, choose Coverage (SNR).
Step 4 Click Go.

The Coverage (SNR) report displays for the selected access points. This page displays a bar graph of client distribution by signal-to-noise ratio, showing the number of clients versus SNR.

Monitoring Access Points Up/Down Statistics

To access the access point Up/Down Statistics report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box of the applicable access point.5-52 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Access Points Step 3 From the Generate a report for selected APs drop-down list, choose Up/Down Statistics. Click Go. The Up/Down Statistics report displays for the selected access points. Note Up Time is time in days, hours, and minutes since the last reboot. This page displays a line graph of access point up time graphed against time. If you select more than one access point, the following message appears: Please select only one AP for the Up Time Report. Monitoring Access Points Voice Statistics This generates a report for selected access points showing radio utilization by voice traffic. The report includes the number of current calls. Note Voice Statistics reports are only applicable for CAC/WMM clients. To access the access point Voice Statistics report, follow these steps: Step 1 Choose Monitor > Access Points. Step 2 Select the check box(es) of the applicable access point(s). Step 3 From the Generate a report for selected APs drop-down list, choose Voice Statistics. Click Go. The Voice Statistics report displays for the selected access points. The page displays the following access point voice statistics: • AP Name—Select an item under AP Name. For more information, see the “Monitoring Access Points Details” section on page 5-56. • Radio—Select an item under Radio. For more information, see the “Monitoring Access Point Radio Details” section on page 5-68. • Calls in Progress—Number of calls in progress. • Roaming Calls in Progress—Number of roaming calls in progress. • Bandwidth in Use—Percentage of bandwidth in use. Monitoring Access Points Voice TSM Table This generates a report for selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream. 
To access the access point Voice TSM Table report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box of the applicable access point.
Step 3 From the Generate a report for selected APs drop-down list, choose Voice TSM Table.
Step 4 Click Go.

The Voice TSM Table report displays for the selected access point. The page displays the following voice TSM data:

Table 5-45 Voice TSM Table

Parameter / Description

Time
    Time that the statistics were gathered from the access point(s).

Client MAC
    MAC address of the client. This shows a list of the clients evaluated during the most recent 90 second interval. The client could be a VoIP phone, laptop, or PDA, and refers to any client attached to the access point collecting measurements.

QoS
    QoS values (packet latency, packet jitter, packet loss, roaming time) which can affect the WLAN are monitored. Access points and clients measure the metrics; access points collect the measurements and send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time.

% PLR (Downlink)
    Percentage of packets lost on the downlink (access point to client) during the 90 second interval.

% PLR (Uplink)
    Percentage of packets lost on the uplink (client to access point) during the 90 second interval.

Avg Queuing Delay (ms) (Downlink)
    Average queuing delay in milliseconds for the downlink. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed.

Avg Queuing Delay (ms) (Uplink)
    Average queuing delay in milliseconds for the uplink. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed.

% Packets > 40 ms Queuing Delay
    Percentage of packets with a queuing delay greater than 40 ms.

% Packets > 20 ms Queuing Delay
    Percentage of packets with a queuing delay greater than 20 ms.

Roaming Delay
    Roaming delay in milliseconds. Roaming delay, which is measured by clients, is measured beginning when the last packet is received from the old access point and ending when the first packet is received from the new access point after a successful roam.

Monitoring Access Points Voice TSM Reports

This report provides a graphical representation of the TSM table, except that metrics from the clients are averaged together on the graphs.

To access the access point Voice TSM report, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the check box of the applicable access point.
Step 3 From the Generate a report for selected APs drop-down list, choose Voice TSM Reports. Click Go.

The Voice TSM Table report displays for the selected access point. This page displays line graphs of the following downlink and uplink metric information, including times and dates:

Table 5-46 Voice TSM Reports

Parameter / Description

Average Queuing Delay (ms)
    Average queuing delay in milliseconds. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed.

% Packet with less than 10 ms delay
    Percentage of packets with less than 10 milliseconds delay.

% Packet with more than 10 < 20 ms delay
    Percentage of packets with more than 10 milliseconds delay but less than 20 milliseconds delay.

% Packet with more than 20 < 40 ms delay
    Percentage of packets with more than 20 milliseconds delay but less than 40 milliseconds delay.

% Packet with more than 40 ms delay
    Percentage of packets with more than 40 milliseconds delay.

Packet Loss Ratio
    Ratio of lost packets.

Total Packet Count
    Number of total packets.

Roaming Count
    Number of packets exchanged for roaming negotiations in this 90 seconds metrics page.

Roaming Delay
    Roaming delay in milliseconds.

Monitoring Access Points 802.11 Counters

Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer. See the “802.11 Counters” section on page 14-144 for more information on 802.11 Counters reports.

Monitoring Access Points AP Profile Status

Displays access point load, noise, interference, and coverage profile status. See the “AP Profile Status” section on page 14-91 for more information on AP Profile Status reports.

Monitoring Access Points Radio Utilization

See the “Network Utilization” section on page 14-149 for more information on Radio Utilization reports.

Monitoring Access Points Traffic Stream Metrics

Useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays. See the “Traffic Stream Metrics” section on page 14-151 for more information on Traffic Stream Metrics reports.
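The Voice TSM tables above define each metric in words; the following script computes the same per-interval values from raw per-packet samples so that the definitions (queue delay measured from enqueue to successful transmission including retries, loss counted against the total, delay buckets at 10/20/40 ms, roaming delay from the last old-AP packet to the first new-AP packet) can be checked against concrete numbers. This is an added example, not NCS or controller code; the 90-second window of packets and the two roams are constructed, and the assumption that a delay exactly on a bucket edge falls into the upper bucket is the example's own.

```python
"""Voice Traffic Stream Metrics (TSM) summary computed from per-packet samples.

Added example: this is not NCS or controller code. Field names follow the
Voice TSM tables; the packet and roaming samples are constructed so the script
runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PacketSample:
    """One voice packet observed by the access point during a 90-second window."""
    queued_ms: float            # time the packet entered the voice queue
    sent_ms: Optional[float]    # time it was finally transmitted; None means lost


def queuing_delays(samples: List[PacketSample]) -> List[float]:
    """Queue delay runs from enqueue to successful transmission, retries
    included, so a lost packet contributes no delay sample."""
    return [s.sent_ms - s.queued_ms for s in samples if s.sent_ms is not None]


def roaming_delays(roams: List[Tuple[float, float]]) -> List[float]:
    """Roaming delay: last packet from the old AP to first packet from the new AP."""
    return [first_new - last_old for last_old, first_new in roams]


def tsm_summary(samples: List[PacketSample],
                roams: List[Tuple[float, float]]) -> Dict[str, float]:
    """Build the per-interval metrics the Voice TSM table and graphs report."""
    total = len(samples)
    delays = queuing_delays(samples)
    lost = total - len(delays)

    def pct(pred) -> float:
        # Delay-distribution percentages are taken over delivered packets only.
        if not delays:
            return 0.0
        return 100.0 * sum(1 for d in delays if pred(d)) / len(delays)

    roam = roaming_delays(roams)
    return {
        "Total Packet Count": total,
        "Packet Loss Ratio": lost / total if total else 0.0,
        "% PLR": 100.0 * lost / total if total else 0.0,
        "Average Queuing Delay (ms)": sum(delays) / len(delays) if delays else 0.0,
        # Assumption: a delay exactly on a bucket edge goes to the upper bucket.
        "% Packet < 10 ms": pct(lambda d: d < 10),
        "% Packet 10-20 ms": pct(lambda d: 10 <= d < 20),
        "% Packet 20-40 ms": pct(lambda d: 20 <= d < 40),
        "% Packet > 40 ms": pct(lambda d: d >= 40),
        "% Packets > 20 ms Queuing Delay": pct(lambda d: d >= 20),
        "Roams": len(roam),
        "Roaming Delay (ms)": sum(roam) / len(roam) if roam else 0.0,
    }


# Constructed 90-second window: (enqueue time, queuing delay); None = packet lost.
CONSTRUCTED_WINDOW = [(0, 4), (20, 6), (40, 8), (60, 12), (80, 15), (100, 25),
                      (120, 35), (140, 45), (160, 30), (180, None)]
CONSTRUCTED_SAMPLES = [PacketSample(q, None if d is None else q + d)
                       for q, d in CONSTRUCTED_WINDOW]
# Constructed roams: (last packet from old AP, first packet from new AP), in ms.
CONSTRUCTED_ROAMS = [(1000.0, 1040.0), (5000.0, 5025.0)]

if __name__ == "__main__":
    for name, value in tsm_summary(CONSTRUCTED_SAMPLES, CONSTRUCTED_ROAMS).items():
        print(f"{name:34s} {value:8.2f}")
```

Run it as a script to print the summary for the constructed window; one lost packet out of ten gives a 10% PLR while the delay percentages are computed over the nine delivered packets, which is why the buckets sum to 100% even though a packet was lost.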
Monitoring Access Points Tx Power and Channel

See the “Tx Power and Channel” section on page 14-154 for more information on Tx Power and Channel reports.

The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the Product Guide or data sheet at www.cisco.com for each specific model to determine the access point capability.

The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50% (or 3 dBm) reduction in transmit power from the previous power level.

Note The actual power reduction may vary slightly for different models of access points.

Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.

Note Irrespective of whether you choose the Global or Custom assignment method, the actual conducted transmit power at the access point is verified such that country specific regulations are not exceeded.

Command Buttons
• Save—Save the current settings.
• Audit—Discover the present status of this access point.

Monitoring VoIP Calls

The VoIP Calls reports help analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays information in a graph.

Click VoIP Calls Graph from the Report Launch Pad to open the VoIP Calls Graph Reports page.
From this page, you can enable, disable, delete, or run currently saved report templates. See VoIP Calls Graph, page 14-156 for more information.

Monitoring Voice Statistics

The Voice Statistics report helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure call admission control (CAC) is supported on voice clients. See Voice Statistics, page 14-159 for more information.

Monitoring Air Quality

To facilitate an "at a glance" understanding of where interference problems are impacting the network, CleanAir rolls up the detailed information into a high-level, easy-to-understand metric referred to as Air Quality (AQ). AQ is reported at a channel, floor, and system level, and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold. See Monitoring CleanAir Air Quality Events, page 5-147 for more information.

Monitoring Access Points Details

The Access Points Details page enables you to view access point information for a single AP. Choose Monitor > Access Points and click a list item under AP Name to access this page. Depending on the type of access point, the following tabs may be displayed. This section provides the detailed information regarding each Access Points Details page tab and contains the following topics:
• General Tab, page 5-56
• Interfaces Tab, page 5-64
• CDP Neighbors Tab, page 5-66
• Current Associated Clients Tab, page 5-66
• SSID Tab, page 5-67

General Tab

Note The General tab parameters differ between lightweight and autonomous access points.
• General Parameters—Lightweight Access Points
• General Parameters—Autonomous

General Parameters—Lightweight Access Points

Table 5-47 General - Lightweight Access Points

Parameter / Description

General

AP Name
    Operator defined name of access point.

AP IP address, Ethernet MAC address, and Base Radio MAC address
    IP address, Ethernet MAC address and Radio MAC address.

Country Code
    The codes of the supported countries. Up to 20 countries can be supported per controller.
    Note Access points may not operate properly if they are not designed for use in your country of operation. For a complete list of country codes supported per product, refer to http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcscod.html.

Link Latency Settings
    You can configure link latency on the controller to measure the link between an access point and the controller. See the “Configuring Link Latency Settings for Access Points” section on page 9-203 for more information.
    – Current Link Latency (in msec)—The current round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back.
    – Minimum Link Latency (in msec)—The minimum round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back, measured since link latency was enabled or reset.
    – Maximum Link Latency (in msec)—The maximum round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back, measured since link latency was enabled or reset.

LWAPP/CAPWAP Uptime
    Displays how long the LWAPP/CAPWAP connection has been active.

LWAPP/CAPWAP Join Taken Time
    Displays how long the LWAPP/CAPWAP connection has been joined.

Admin Status
    The administration state of the access point as either enabled or disabled.
AP Mode
    Local
        Default mode. Data clients are serviced while configured channels are scanned for noise and rogues. The access point goes off-channel for 50 ms and listens for rogues. It cycles through each channel for the period specified under the Auto RF configuration.
        Note To configure Local or H-REAP access points for the Cisco Adaptive wIPS feature, choose Local or H-REAP and select the Enhanced wIPS Engine Enabled check box.
    Monitor
        Radio receive only mode. The access point scans all configured channels every 12 seconds. Only deauthenticated packets are sent in the air with an access point configured this way. A monitor mode access point detects rogues, but it cannot connect to a suspicious rogue as a client to prepare for the sending of RLDP packets.
        Note To configure access points for the Cisco Adaptive wIPS feature, select Monitor. Select the Enhanced wIPS Engine Enabled check box and choose wIPS from the Monitor Mode Optimization drop-down list. Before you can enable an access point to be in wIPS mode, you must disable the access point radios. If you do not disable the access point radio, an error message displays.
        Note Once you have enabled the access point for wIPS, re-enable the radios.
    Rogue Detector
        The access point radio is turned off and the access point listens to wired traffic only. The controllers that operate in this mode monitor the rogue access points. The controller sends all the rogue access point and client MAC address lists to the rogue detector, and the rogue detector forwards this information to the WLC. The MAC address list is compared to what the WLC access points heard over the network. If the MAC addresses match, you can determine which rogue access points are connected on the wired network.
    Sniffer
        The access point captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek. These packets contain information such as timestamp, signal strength, packet size, and so on. This feature can only be enabled if you run AiroPeek, which is a third-party network analyzer software that supports the decoding of data packets. For more information on AiroPeek, see www.wildpackets.com.
    H-REAP
        Enables hybrid REAP for up to six access points. The H-REAP access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost.
        Note H-REAP must be selected to configure an OfficeExtend access point. When the AP mode is H-REAP, H-REAP configuration options display, including the option to enable OfficeExtend AP and to enable Least Latency Controller Join.
    Bridge
        This is a special mode where an autonomous access point functions as a wireless client and connects to a lightweight access point. The bridge and its wired clients are listed as clients in NCS if the AP mode is set to Bridge and the access point is bridge capable.
    Spectrum Expert
        This mode allows a CleanAir-enabled access point to be used extensively for interference detection on all monitored channels. All other functions such as IDS scanning and Wi-Fi are suspended.

Enhanced wIPS Engine
    Enabled or Disabled, to enable the monitoring of security attacks using the Cisco Adaptive wIPS feature.

Operational Status
    Registered or Not Registered, as determined by the controller.

Registered Controller
    The controller to which the access point is registered. Click to display the registered controller details. See the “Monitoring System Summary” section on page 5-4 for more information.
Primary Controller
    The name of the primary controller for this access point.

Port Number
    The SNMP name of the access point primary controller. The access point attempts to associate with this controller first for all network operations and in the event of a hardware reset.

AP Uptime
    Displays how long the access point has been active to receive and transmit.

Map Location
    Customer-definable location name for the access point. Click to look at the actual location on a map. See Monitor > Access Points > name > Map Location for more information.

Google Earth Location
    Indicates whether a Google Earth location is assigned.

Location
    The physical location where the access point is placed (or Unassigned).

Statistics Timer
    This counter sets the time in seconds that the access point sends its DOT11 statistics to the controller.

PoE Status
    The Power over Ethernet status of the access point. The possible values include:
    – Low—The access point draws low power from the Ethernet.
    – Lower than 15.4 volts—The access point draws lower than 15.4 volts from the Ethernet.
    – Lower than 16.8 volts—The access point draws lower than 16.8 volts from the Ethernet.
    – Normal—The power is high enough for the operation of the access point.
    – Not Applicable—The power source is not from the Ethernet.

Rogue Detection
    Indicates whether or not Rogue Detection is enabled. See the “” section on page 5-152 for more information on rogue detection.
    Note Rogue detection is disabled automatically for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. For more information regarding OfficeExtend access points, see the Cisco Wireless LAN Controller Configuration Guide.
OfficeExtend AP
    Indicates whether or not the access point is enabled as an OfficeExtend access point. The default is Enabled.

Encryption
    Indicates whether or not encryption is enabled.
    Note Enabling or disabling encryption functionality causes the access point to reboot, which then causes a loss of connectivity for clients.
    Note DTLS data encryption is enabled automatically for OfficeExtend access points to maintain security. Encryption is only available if the access point is connected to a 5500 series controller with a Plus license.

Least Latency Join
    The access point switches from a priority order search (primary, secondary, and then tertiary controller) to a search for the controller with the best latency measurement (least latency). The controller with the least latency provides the best performance.

Telnet Access
    Indicates whether or not Telnet Access is enabled.

SSH Access
    Indicates whether or not SSH is enabled.
    Note An OfficeExtend access point may be connected directly to the WAN, which could allow external access if the default password is used by the access point. Because of this, Telnet and SSH access are disabled automatically for OfficeExtend access points.

Versions

Software Version
    The operating system release.version.dot.maintenance number of the code currently running on the controller.

Boot Version
    The operating system bootloader version number.

Inventory Information

AP Type
    Type of Access Point.

AP Model
    Access point model number.

Cisco IOS Version
    The Cisco IOS version details.

AP Certificate Type
    Either Self Signed or Manufacture Installed.

H-REAP Mode Supported
    Indicates if H-REAP mode is supported or not.
wIPS Profile (when applicable)

Profile Name
    Click the user-assigned profile name to view wIPS profile details.

Profile Version

Unique Device Identifier (UDI)

Name
    Name of Cisco AP for access points.

Description
    Description of access point.

Product ID
    Orderable product identifier.

Version ID
    Version of product identifier.

Serial Number
    Unique product serial number.

Run Ping Test Link
    Click to ping the access point. The results are displayed in a pop-up dialog box.

Alarms Link
    Click to display alarms associated with this access point.

Events Link
    Click to display events associated with this access point.

General Parameters—Autonomous

Note For autonomous clients, NCS only collects client counts. The client counts in the Monitor page and reports have autonomous clients included. Client search, client traffic graphs, or other client reports (such as Unique Clients, Busiest Clients, Client Association) do not include clients from autonomous access points.

Table 5-48 General Parameters - Autonomous

Parameter / Description

AP Name
    Operator defined name of access point.

AP IP address and Ethernet MAC address
    IP address and Ethernet MAC address of the access point.

AP UpTime
    Indicates how long the access point has been up in number of days, hours, minutes, and seconds.

Map Location
    Customer-definable location name for the access point. Click to look at the actual location on a map. See the “Monitoring Maps” section on page 6-8 for more information.

WGB Mode
    Indicates whether or not the access point is in work group bridge mode.

SNMP Info

Note Memory and CPU utilization charts are displayed.
Note Click Alarms to display the alarms associated with the access point. Click Events to display events associated with the access point.

SysObjectId
    System Object ID.

SysDescription
    The system device type and current version of firmware.

SysLocation
    The physical location of the device, such as a building name or room in which it is installed.

SysContact
    The name of the system administrator responsible for the device.

Versions

Software Version
    The operating system release.version.dot.maintenance number of the code currently running on the controller.

CPU Utilization
    Displays the maximum, average, and minimum CPU utilization over the specified amount of time.

Memory Utilization
    Displays the maximum, average, and minimum memory utilization over the specified amount of time.

Inventory Information

AP Type
    Autonomous or lightweight.

AP Model
    The Access Point model number.

AP Serial Number
    Unique serial number for this access point.

H-REAP Mode Supported
    If H-REAP mode is supported or not.

Unique Device Identifier (UDI)

Name
    Name of Cisco AP for access points.

Description
    Description of access point.

Product ID
    Orderable product identifier.

Version ID
    Version of product identifier.

Serial Number
    Unique product serial number.

Interfaces Tab

The Interfaces tab displays the following parameters. Click an interface name to view its properties.

Table 5-49 Interfaces Tab

Parameter / Description

Interface

Admin Status
    Indicates whether the Ethernet interface is enabled.

Operational Status
    Indicates whether the Ethernet interface is operational.

Rx Unicast Packets
    Indicates the number of unicast packets received.

Tx Unicast Packets
    Indicates the number of unicast packets sent.

Rx Non-Unicast Packets
    Indicates the number of non-unicast packets received.
Tx Non-Unicast Packets
    Indicates the number of non-unicast packets sent.

Radio Interface

Protocol
    802.11a/n or 802.11b/g/n.

Admin Status
    Indicates whether the access point is enabled or disabled.

CleanAir Capable
    Indicates whether the access point is able to use CleanAir.

CleanAir Status
    Indicates the status of CleanAir.

Channel Number
    Indicates the channel on which the Cisco Radio is broadcasting.

Extension Channel
    Indicates the secondary channel on which the Cisco radio is broadcasting.

Power Level
    Access Point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.

Channel Width
    Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section on page 9-121 for more information on configuring channel bandwidth. Minimum (default) setting is 20 MHz. Maximum setting is the maximum channel width supported by this radio.

Antenna Name
    Identifies the type of antenna.

Table 5-50 Interface properties

Parameter / Description

AP Name
    Name of the Access Point.

Link speed
    Indicates the speed of the interface in Mbps.

RX Bytes
    Indicates the total number of bytes in the error-free packets received on the interface.

RX Unicast Packets
    Indicates the total number of unicast packets received on the interface.

RX Non-Unicast Packets
    Indicates the total number of non-unicast or multicast packets received on the interface.

Input CRC
    Indicates the total number of CRC errors in packets received on the interface.

Input Errors
    Indicates the sum of all errors in the packets while receiving on the interface.

Input Overrun
    Indicates the number of times the receiver hardware was incapable of handing received data to a hardware buffer because the input rate exceeded the receiver capability to handle the data.
Input Resource
    Indicates the total number of resource errors in packets received on the interface.

Runts
    Indicates the number of packets that are discarded because they are smaller than the medium minimum packet size.

Throttle
    Indicates the total number of times the interface advised a sending NIC that it was overwhelmed by packets being sent and to slow the pace of delivery.

Output Collision
    Indicates the total number of packets retransmitted due to an Ethernet collision.

Output Resource
    Indicates the total number of resource errors in packets transmitted on the interface.

Output Errors
    Indicates the sum of all errors that prevented the final transmission of packets out of the interface.

Operational Status
    Indicates the operational state of the physical Ethernet interface on the AP.

Duplex
    Indicates the duplex mode of an interface.

TX Bytes
    Indicates the total number of bytes in the error-free packets transmitted on the interface.

TX Unicast Packets
    Indicates the total number of unicast packets transmitted on the interface.

TX Non-Unicast Packets
    Indicates the total number of non-unicast or multicast packets transmitted on the interface.

Input Aborts
    Indicates the total number of packets aborted while receiving on the interface.

Input Frames
    Indicates the total number of packets received incorrectly, having a CRC error and a non-integer number of octets, on the interface.

Input Drops
    Indicates the total number of packets dropped while receiving on the interface because the queue was full.

Unknown Protocol
    Indicates the total number of packets discarded on the interface due to an unknown protocol.

Giants
    Indicates the number of packets that are discarded because they exceed the medium's maximum packet size.

Interface Resets
    Indicates the number of times that an interface has been completely reset.
  Output No Buffer: Indicates the total number of packets discarded because there was no buffer space.
  Output Underrun: Indicates the number of times the transmitter has been running faster than the router can handle.
  Output Total Drops: Indicates the total number of packets dropped while transmitting from the interface because the queue was full.

CDP Neighbors Tab

The CDP Neighbors tab displays the following parameters:

Note This tab is visible only when CDP is enabled.

Table 5-51 CDP Neighbors

  AP Name: The name assigned to the access point.
  AP IP Address: IP address of the access point.
  Port No: Port number connected or assigned to the access point.
  Local Interface: Identifies the local interface.
  Neighbor Name: Name of the neighboring Cisco device.
  Neighbor Address: Network address of the neighboring Cisco device.
  Neighbor Port: Port of the neighboring Cisco device.
  Duplex: Indicates Full Duplex or Half Duplex.
  Interface Speed: Speed at which the interface operates.

Current Associated Clients Tab

The Current Associated Clients tab displays the following parameters:

Note This tab is visible only when there are clients associated to the AP (CAPWAP or Autonomous AP).

Table 5-52 Current Associated Clients

  Username: Click the username to view the Monitor Client Details page for this client. See the “Monitoring Clients and Users” section on page 10-10 for more information.
  IP Address: IP address of the associated client.

Note Click the Edit View link to add, remove, or reorder columns in the Current Associated Clients table.
See the “Configuring the List of Access Points Display” section on page 5-45 for adding a new parameter using the Edit View.

  Client MAC Address: Click the client MAC address to view the Monitor Client Details page for this client. See the “Monitoring Clients and Users” section on page 10-10 for more information.
  Association Time: Date and time of the association.
  UpTime: Time duration of the association.
  SSID: User-defined SSID name.
  SNR (dB): Signal-to-noise ratio, in dB, of the associated client.
  RSSI: Received signal strength indicator, in dBm.
  Bytes Tx: This indicates the total amount of data that has passed through the Ethernet interface either way.
  Bytes Rx: This indicates the total amount of data that has been received through the Ethernet interface either way.

When the access point is not associated with the controller, the database is used to retrieve the data (rather than the controller itself). If the access point is not associated, the following parameters appear:

  User Name
  IP Address
  Local IP Address
  Client MAC Address
  Association Time
  Session Length: Time length of the session.
  SSID: User-defined SSID name.
  Protocol
  Avg. Session Throughput
  Traffic (MB)

SSID Tab

The SSID tab displays the following parameters:

Note This tab is visible only when the access point is an Autonomous AP and there are SSIDs configured on the AP.

Monitoring Access Point Radio Details

Choose Monitor > Access Points and click a list item under Radio to access this page. Choose Monitor > Maps, then click an item in the Name column, then click an access point icon to access this page. Choose Monitor > Access Points and click a list item under AP Name, then click 802.11a or 802.11b under AP Interfaces to access this page.
This page enables you to view access point information for a single 802.11a or 802.11b/g Cisco Radio. The default is to show On Demand Statistics. Use the View drop-down list to select a different view:

• Choose On Demand Statistics, and click Go to display “Monitoring On Demand Statistics”.
• Choose Operational Parameters, and click Go to display “Monitoring Operational Parameters”.
• Choose 802.11 MAC Counters, and click Go to display “Monitoring 802.11 MAC Counters”.
• Choose View Alarms, and click Go to display “Monitoring View Alarms”.
• Choose View Events, and click Go to display “Monitor View Events”.

Monitoring On Demand Statistics

To view On Demand Statistics for an access point, click the Radio of the applicable access point from the Monitor > Access Points page. The Radio Details page defaults to On Demand Statistics. See the “Monitoring Access Point Radio Details” section on page 5-68 for more information on radio details.

Table 5-53 Current Associated Clients

  SSID: Service Set Identifier being broadcast by the access point radio.
  SSID Vlan: SSID on an access point is configured to recognize a specific VLAN ID or name.
  SSID Vlan Name: SSID on an access point is configured to recognize a specific VLAN ID or name.
  MB SSID Broadcast: Disabling SSID broadcast essentially makes your access point invisible unless a wireless client already knows the SSID, or is using tools that monitor or 'sniff' traffic from an AP's associated clients.
  MB SSID Time Period: Within this specified time period, internal communication within the SSID continues to work.

Note You can also select On Demand Statistics from the View drop-down list located on the Radio Details page.

This page enables you to view the following access point 802.11a or 802.11b Cisco Radio statistics for a single access point.
General

• AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section on page 5-56 for more information.
• AP MAC Address
• Radio
• CleanAir Capable—Indicates if the access point is CleanAir capable.
• AP in SE-Connect Mode—Yes or No. Indicates if the access point is connected in SE-Connect mode.
• CleanAir Enabled—Indicates if CleanAir is enabled on this access point.
• CleanAir Sensor Status—Indicates the operational status of the CleanAir sensor (Up or Down).
• Admin Status—Enabled or Disabled.
• Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
• Controller—Click to display controller system details. See the “Monitoring System Summary” section on page 5-4 for more information.
• Channel—The channel upon which the Cisco Radio is broadcasting.
• Extension Channel—Indicates the secondary channel on which the Cisco Radio is broadcasting.
• Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section on page 9-121 for more information on configuring channel bandwidth.
• Power Level—Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. The power levels and available channels are defined by the Country Code setting, and are regulated on a country-by-country basis.
• Port—(1 to 24) Port to which the access point is connected.
• Map Location—Click to display the floor map showing the access point location.

Management Frame Protection

• Protection Capability—All Frames
• Validation Capability—All Frames
• MFP Version Supported—Management Frame Protection version supported and configured.
Profile Information

• Noise Profile—Notification sent when the Noise Profile state changes between Success and Failure.
• Interference Profile—Notification sent when the Interference Profile state changes between Success and Failure.
• Load Profile—Notification sent when the Load Profile state changes between Success and Failure.
• Coverage Profile—Notification sent when the Coverage Profile state changes between Success and Failure.

Note Click Success or Failure to view associated alarms.

Noise by Channel (dBm)

Graph showing channel and noise.

Interference by Channel (dBm%)

Graph showing the percentage of interference per channel.

Note Channel Utilization is a combination of Receive Power (RX) + Transmit Power (TX) + Interference.

Interference—Access points report on the percentage of the medium taken up by interfering 802.11 transmissions (this can be from overlapping signals from foreign APs, as well as non-neighbors).

Note The channel list (as configured from the RRM page) is scanned completely using the “channel scan duration” parameter under monitor intervals. For example, if scanning all 11 channels in 2.4 GHz, and using the default duration (180 seconds), you get 180/11 = 16.36 seconds, approximately, between each channel that is being scanned.

Load Statistics

• RX Utilization—802.11a or 802.11b/g RF receive utilization threshold between 0 and 100 percent.
• TX Utilization—802.11a or 802.11b/g RF transmit utilization threshold between 0 and 100 percent.
• Channel Utilization—802.11a RF utilization threshold between 0 and 100 percent (subcolumns for Actual and Threshold).
• Attached Client Count—The number of clients attached.

General Tab

The General tab displays the following information:

% Client Count by RSSI

Graph with % and Received Signal Strength Indicator.
% Client Count by SNR

Graph with % and Signal-to-Noise Ratio.

Channel Utilization (% Busy)

Graph displaying the channel number on the x-axis and channel utilization on the y-axis.

Noise by Channel (dBm)

Graph displaying the channel on the x-axis and power in dBm on the y-axis.

Rx Neighbors

• Radio MAC Address
• AP Name—Click to view access point details.
• Map—Click to view the map.
• Mobility Group-Leader IP Address
• Neighbor Channel
• Channel Bandwidth
• RSSI (dBm)

Channel Utilization Statistics

• Time
• Picc—Percentage of time consumed by received frames from co-channel APs and clients.
• Pib—Percentage of time consumed by interference on the channel which cannot be correctly demodulated.

Note Picc and Pib values should give a good indication of the percentage of time the access point is busy because of co-channel interference.

CleanAir Tab

The CleanAir tab provides the following information:

Air Quality

This graph displays the air quality index of the wireless network. A value of 100 indicates the air quality is best and a value of 1 indicates maximum interference.

Interference Power

This graph displays the interference power of the interfering devices on the channel number.

Non-WiFi Channel Utilization

This graph displays the non-WiFi channel utilization of the wireless network.

Active Interferers

This section displays the details of the active interferers on the wireless network. The following details are available:

• Interferer Name—The name of the interfering device.
• Affected Channels—The channel the interfering device is affecting.
• Detected Time—The time at which the interference was detected.
• Severity—The severity index of the interfering device.
• Duty Cycle (%)—The duty cycle (in percent) of the interfering device.
• RSSI (dBm)—The Received Signal Strength Indicator of the interfering device.

View Drop-Down List

• Choose On Demand Statistics, and click Go to display On Demand Statistics for this access point radio. See the “Monitoring On Demand Statistics” section on page 5-68 for more information.
• Choose Operational Parameters, and click Go to display Operational Parameters for this access point radio. See the “Monitoring Operational Parameters” section on page 5-72 for more information.
• Choose 802.11 MAC Counters, and click Go to display 802.11 MAC Counters for this access point radio. See the “Monitoring 802.11 MAC Counters” section on page 5-75 for more information.
• Choose View Alarms, and click Go to display alarms for this access point radio. See the “Monitoring View Alarms” section on page 5-76 for more information.
• Choose View Events, and click Go to display events for this access point radio. See the “Monitor View Events” section on page 5-77 for more information.

Monitoring Operational Parameters

To view Operational Parameters for an access point radio, follow these steps:

Step 1 Choose Monitor > Access Points, and click the radio for the applicable access point.
Step 2 From the View drop-down list, choose Operational Parameters.
Step 3 Click Go.

This page enables you to view configuration information for a single 802.11a or 802.11b Cisco Radio.

General

• AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section on page 5-56 for more information.
• AP MAC Address
• Radio
• Admin Status—Enabled or Disabled.
• Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
• Controller—Click to display controller system details.
See the “Monitoring System Summary” section on page 5-4 for more information.
• Channel—The channel upon which the Cisco Radio is broadcasting.
• Extension Channel—Indicates the secondary channel on which the Cisco Radio is broadcasting.
• Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section on page 9-121 for more information on configuring channel bandwidth.
• Power Level—Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. The power levels and available channels are defined by the Country Code setting, and are regulated on a country-by-country basis.
• Port—(1 to 24) Port to which the access point is connected.
• Map Location—Click to display the floor map showing the access point location.

Station Configuration Parameters

• Configuration Type—Automatic or Custom.
• Number of WLANs—1 (one) is the default.
• Medium Occupancy Limit—Indicates the maximum amount of time, in TU, that a point coordinator may control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
• CFP Period—The number of DTIM intervals between the start of CFPs.
• CFP Max. Duration—The maximum duration of the CFP, in TU, that may be generated by the PCF.
• BSSID—MAC address of the access point.
• Beacon Period—The rate at which the SSID is broadcast by the access point, from 100 to 600 milliseconds.
• DTIM Period—The number of beacon intervals that shall elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.
• Country String—Identifies the country in which the station is operating. The first two octets of this string are the two-character country code.

Physical Channel Parameters

• Current Channel—Current operating frequency channel.
• Configuration—Locally customized or globally controlled.
• Current CCA Mode—CCA method in operation. Valid values:
  – Energy detect only (edonly) = 01.
  – Carrier sense only (csonly) = 02.
  – Carrier sense and energy detect (edandcs) = 04.
  – Carrier sense with timer (cswithtimer) = 08.
  – High rate carrier sense and energy detect (hrcsanded) = 16.
• ED/TI Threshold—The Energy Detect and Threshold being used to detect a busy medium (frequency). CCA reports a busy medium upon detecting the RSSI above this threshold.

Physical Antenna Parameters

• Antenna Type—Internal or External.
• Diversity—Enabled via the internal antennas or via either Connector A or Connector B (Enabled or Disabled).

RF Recommendation Parameters

• Channel—802.11a Low Band, Medium Band, and High Band; 802.11b/g.
• Tx Power Level—Zero (0) if Radio Resource Management (RRM) is disabled, 1 - 5 if Radio Resource Management (RRM) is enabled.
• RTS/CTS Threshold—Zero (0) if Radio Resource Management (RRM) is disabled, 1 - 5 if Radio Resource Management (RRM) is enabled.
• Fragmentation Threshold—Zero (0) if Radio Resource Management (RRM) is disabled.

MAC Operation Parameters

• Configuration Type—Automatic or Custom.
• RTS Threshold—This attribute indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed. An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a Data or Management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold.
Setting this attribute to be larger than the maximum MSDU size turns off the RTS/CTS handshake for Data or Management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default value of this attribute shall be 2347.
• Short Retry Limit—The maximum number of transmission attempts of a frame, the length of which is less than or equal to dot11RTSThreshold, that shall be made before a failure condition is indicated. The default value of this attribute is 7.
• Long Retry Limit—The maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that shall be made before a failure condition is indicated. The default value of this attribute shall be 4.
• Fragmentation Threshold—The current maximum size, in octets, of the MPDU that may be delivered to the PHY. An MSDU shall be broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU shall be fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute shall be the lesser of 2346 or the aMPDUMaxLength of the attached PHY and shall never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute shall never be less than 256.
• Max Tx MSDU Lifetime—The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU shall be terminated. The default value of this attribute is 512.
• Max Rx Lifetime—The MaxReceiveLifetime shall be the elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU shall be terminated.
The default value is 512.

Tx Power

• # Supported Power Levels—Five or fewer power levels, depending on operator preference.
• Tx Power Level x—Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.

Note The power levels and available channels are defined by the Country Code setting, and are regulated on a country-by-country basis.

• Tx Power Configuration—Globally controlled or customized for this access point (Custom or Global).
• Current Tx Power Level—Displays the operating transmit power level from the transmit power table.

Monitoring 802.11 MAC Counters

To view 802.11 MAC Counters for an access point radio, follow these steps:

Step 1 Choose Monitor > Access Points, and click the radio for the applicable access point.
Step 2 From the View drop-down list, choose 802.11 MAC Counters.
Step 3 Click Go.

This page enables you to view 802.11 MAC Counter information for a single 802.11a or 802.11b Cisco Radio.

General

• AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section on page 5-56 for more information.
• AP MAC Address
• Radio
• Admin Status—Enabled or Disabled.
• Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
• Controller—Click to display controller system details. See the “Monitoring System Summary” section on page 5-4 for more information.
• Channel—The channel upon which the Cisco Radio is broadcasting.
• Extension Channel—Indicates the secondary channel on which the Cisco Radio is broadcasting.
• Channel Width—Indicates the channel bandwidth for this radio interface.
See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section on page 9-121 for more information on configuring channel bandwidth.

Note Minimum (default) setting is 20 MHz. Maximum setting is the maximum channel width supported by this radio.

• Power Level—Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. The power levels and available channels are defined by the Country Code setting, and are regulated on a country-by-country basis.
• Port—(1 to 24) Port to which the access point is connected.
• Map Location—Click to display the floor map showing the access point location.

RF Counters

• Tx Fragment Count—This counter is incremented for each successfully received MPDU of Data or Management type.
• Multicast Tx Frame Count—This counter increments only when the multicast bit is set in the destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS, where these frames are directed to the access point, this implies having received an acknowledgment to all associated MPDUs.
• Tx Failed Count—This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
• Retry Count—This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
• Multiple Retry Count—This counter increments when an MSDU is successfully transmitted after more than one retransmission.
• Frame Duplicate Count—This counter increments when a frame is received that the Sequence Control field indicates is a duplicate.
• RTS Success Count—This counter increments when a CTS is received in response to an RTS.
• RTS Failure Count—This counter increments when a CTS is not received in response to an RTS.
• ACK Failure Count—This counter increments when an ACK is not received when expected.
• Rx Fragment Count—The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
• Multicast Rx Frame Count—This counter increments when an MSDU is received with the multicast bit set in the destination MAC address.
• FCS Error Count—This counter increments when an FCS error is detected in a received MPDU.
• Tx Frame Count—This counter increments for each successfully transmitted MSDU.
• WEP Undecryptable Count—This counter increments when a frame is received with the WEP subfield of the Frame Control field set to one and the WEP On value for the key mapped to the TA MAC address indicates that the frame should not have been encrypted, or when that frame is discarded due to the receiving STA not implementing the privacy option.

Monitoring View Alarms

To access the View Alarms page from the Monitor Access Points page, follow these steps:

Note When the AP is disassociated, in the Monitor > Access Points page, the radio status will have critical status. There will be only one alarm, AP disassociated. This is because radio alarms will be correlated to the AP disassociated alarm.

Note When the controller goes down, the controller inventory dashlet shows the controller status as critical, but the radio inventory dashlet will retain the last known status. In the Monitor > Access Point page, the AP alarm status is shown as "Unknown".

Step 1 Choose Monitor > Access Points.
Step 2 Select the Radio Type in the Radio Type column of the applicable access point.
Step 3 From the View drop-down list, choose View Alarms.
Step 4 Click Go.

For more information on viewing alarms, see the “Monitoring Alarms” section on page 5-125.
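The MAC Operation Parameters (RTS Threshold, Fragmentation Threshold, Short and Long Retry Limit) and the RF Counters above describe the same transmit path from two sides; the following added example (not NCS or controller code) models the threshold rules and then replays constructed per-attempt CTS/ACK outcomes to show how the counters move. MAC_OVERHEAD (24-octet data header plus 4-octet FCS), the assumed aMPDUMaxLength, the sample MAC addresses and the treatment of Tx Failed Count as "retry limit exceeded" (the IEEE 802.11 definition) are assumptions of this example.

```python
"""Model of the 802.11 MAC operation parameters and RF counters listed on this page.

Added example, not NCS or controller code. Tx Failed Count is modelled per
IEEE 802.11 as a transmission that exhausts its retry limit.
"""
from dataclasses import dataclass
from typing import Sequence

MAC_OVERHEAD = 28  # assumption: 24-octet data MAC header plus 4-octet FCS


def fragmentation_threshold_is_valid(value: int, ampdu_max_length: int) -> bool:
    """Page rule: never exceed the lesser of 2346 or aMPDUMaxLength, never below 256."""
    return 256 <= value <= min(2346, ampdu_max_length)


@dataclass
class MacOperationParameters:
    rts_threshold: int = 2347            # page default; above any MPDU size, so RTS/CTS is off
    fragmentation_threshold: int = 2346  # page default
    short_retry_limit: int = 7           # page default
    long_retry_limit: int = 4            # page default
    ampdu_max_length: int = 2346         # assumed aMPDUMaxLength of the attached PHY

    def __post_init__(self) -> None:
        if not fragmentation_threshold_is_valid(self.fragmentation_threshold,
                                                self.ampdu_max_length):
            raise ValueError("fragmentation threshold must lie in 256..min(2346, aMPDUMaxLength)")


def is_individual_address(addr1: bytes) -> bool:
    """Address1 is individual (unicast) when the I/G bit, LSB of the first octet, is 0."""
    return (addr1[0] & 0x01) == 0


def rts_cts_required(params: MacOperationParameters, frame_type: str,
                     addr1: bytes, mpdu_length: int) -> bool:
    """RTS/CTS precedes a Data or Management MPDU with an individual Address1 whose
    length exceeds dot11RTSThreshold. A threshold of 0 therefore enables the handshake
    for every such frame, and a threshold above the largest MPDU disables it."""
    if frame_type not in ("data", "management"):
        return False
    if not is_individual_address(addr1):
        return False
    return mpdu_length > params.rts_threshold


def retry_limit(params: MacOperationParameters, mpdu_length: int) -> int:
    """Short retry limit applies at or below dot11RTSThreshold, long retry limit above it."""
    if mpdu_length <= params.rts_threshold:
        return params.short_retry_limit
    return params.long_retry_limit


def fragment_count(params: MacOperationParameters, msdu_length: int, addr1: bytes) -> int:
    """Number of MPDUs an MSDU is split into. Group-addressed frames are never fragmented;
    an individually addressed frame is fragmented when MSDU plus MAC header and trailer
    is longer than dot11FragmentationThreshold."""
    if not is_individual_address(addr1):
        return 1
    if msdu_length + MAC_OVERHEAD <= params.fragmentation_threshold:
        return 1
    payload_per_fragment = params.fragmentation_threshold - MAC_OVERHEAD
    return -(-msdu_length // payload_per_fragment)  # ceiling division


@dataclass
class MacCounters:
    tx_frame_count: int = 0
    tx_failed_count: int = 0
    retry_count: int = 0
    multiple_retry_count: int = 0
    rts_success_count: int = 0
    rts_failure_count: int = 0
    ack_failure_count: int = 0


def record_msdu_transmission(counters: MacCounters, params: MacOperationParameters,
                             mpdu_length: int, ack_outcomes: Sequence[bool],
                             cts_received: bool = True,
                             addr1: bytes = b"\x00\x11\x22\x33\x44\x55") -> int:
    """Replay one unicast Data MSDU's constructed outcomes and update the counters.
    ack_outcomes[i] is whether attempt i was acknowledged; attempts stop at the retry
    limit. Returns the number of data attempts made (0 when the RTS drew no CTS;
    simplified so that a lost CTS is recorded and the data exchange is not attempted)."""
    if rts_cts_required(params, "data", addr1, mpdu_length):
        if not cts_received:
            counters.rts_failure_count += 1   # RTS Failure Count
            return 0
        counters.rts_success_count += 1       # RTS Success Count
    attempts = 0
    for acked in ack_outcomes[:retry_limit(params, mpdu_length)]:
        attempts += 1
        if acked:
            counters.tx_frame_count += 1      # Tx Frame Count
            if attempts > 1:
                counters.retry_count += 1     # Retry Count: one or more retransmissions
            if attempts > 2:
                counters.multiple_retry_count += 1  # Multiple Retry Count: more than one
            return attempts
        counters.ack_failure_count += 1       # ACK Failure Count: expected ACK missing
    counters.tx_failed_count += 1             # Tx Failed Count: retry limit exhausted
    return attempts
```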
Monitor View Events

To access the View Events page from the Monitor Access Points page, follow these steps:

Step 1 Choose Monitor > Access Points.
Step 2 Select the Radio Type in the Radio Type column of the applicable access point.
Step 3 From the View drop-down list, select View Events.
Step 4 Click Go.

For more information on viewing events, see the “Monitoring Events” section on page 5-142.

Monitoring Mesh Access Points

Mesh Health monitors the overall health of Cisco Aironet 1500 and 1520 series outdoor access points, as well as Cisco Aironet 1130 and 1240 series indoor access points when configured as mesh access points, except as noted. Tracking this environmental information is particularly critical for access points that are deployed outdoors. The following factors are monitored:

• Temperature: Displays the internal temperature of the access point in Fahrenheit and Celsius (Cisco Aironet 1510 and 1520 outdoor access points only).
• Heater status: Displays the heater as on or off (Cisco Aironet 1510 and 1520 outdoor access points only).
• AP Up time: Displays how long the access point has been active to receive and transmit.
• LWAPP Join Taken Time: Displays how long it took to establish the LWAPP connection (excluding Cisco Aironet 1505 access points).
• LWAPP Up Time: Displays how long the LWAPP connection has been active (excluding Cisco Aironet 1505 access points).

Mesh Health information is displayed in the General Properties page for mesh access points. To view the mesh health details for a specific mesh access point, follow these steps:

Step 1 Choose Monitor > Access Points. A listing of radios belonging to access points appears.

Note The radio status (not an access point status) is displayed when you choose Monitor > Access Points.
The given status is updated frequently from traps and wireless status polling and takes several minutes to reflect the actual radio status. The overall status of an access point can be found by viewing the access point on a map.

Note You can also use the New Search button to display the mesh access point summary. With the New Search option, you can further define the criteria of the access points that appear. Search criteria include AP Type, AP Mode, Radio Type, and 802.11n Support.

Step 2 Click the AP Name link to display details for that mesh access point. The General tab for that mesh access point appears.

Note You can also access the General tab for a mesh access point from a Cisco NCS map page. To display the page, double-click the mesh access point label. A tabbed page appears and displays the General tab for the selected access point.

To add, remove, or reorder columns in the table, click the Edit View link in the Monitor > Access Points page.

Mesh Statistics for an Access Point

Mesh Statistics are reported when a child mesh access point authenticates or associates with a parent mesh access point. Security entries are removed and no longer displayed when the child mesh access point disassociates from the controller. The following mesh security statistics are displayed for mesh access points:

• Bridging
• Queue
• Security

To view the mesh statistics for a specific mesh access point, follow these steps.

Step 1 Choose Monitor > Access Points. A listing of radios belonging to access points appears.

Note The radio status (not an access point status) is displayed when you choose Monitor > Access Points. The given status is updated frequently from traps and wireless status polling and takes several minutes to reflect the actual radio status. The overall status of an access point can be found by viewing the access point on a map.
Note You can also use the New Search button to display the access point summary. With the New Search option, you can further define the criteria of the access points that display. Search criteria include AP Name, IP address, MAC address, Controller IP or Name, Radio type, and Outdoor area.

Step 2 Click the AP Name link of the target mesh access point. A tabbed page appears and displays the General Properties page for the selected access point.
Step 3 Click the Mesh Statistics tab (see Figure 5-1). A three-tabbed Mesh Statistics page appears.

Note The Mesh Statistics tab and its subordinate tabs (Bridging, Queue, and Security) only appear for mesh access points. The Mesh Link Alarms and Mesh Link Events links are accessible from each of the three tabbed panels.

Note You can also access the Mesh Securities page for a mesh access point from a Cisco NCS map. To display the page, double-click the mesh access point label.

Figure 5-1 Monitor > Access Points > AP Name > Mesh Statistics

Summaries of the Bridging, Queue, and Security statistics and their definitions are provided in Table 5-54, Table 5-55, and Table 5-56, respectively.

Table 5-54 Bridging Mesh Statistics

  Role: The role of the mesh access point. Options are mesh access point (MAP) and root access point (RAP).
  Bridge Group Name: The name of the bridge group to which the MAP or RAP is a member. We recommend assigning membership in a bridge group name. If one is not assigned, a MAP is by default assigned to a default bridge group name.
  Backhaul Interface: The radio backhaul for the mesh access point.
  Routing State: The state of parent selection. Values that display are seek, scan, and maint. Maint appears when parent selection is complete.
  Malformed Neighbor Packets: The number of malformed packets received from the neighbor.
  Examples of malformed packets include malicious floods of traffic such as malformed or short DNS packets and malformed DNS replies.
  Poor Neighbor SNR: The number of times the signal-to-noise ratio falls below 12 dB on the backhaul link.
  Excluded Packets: The number of packets received from excluded neighbor mesh access points.
  Insufficient Memory: The number of insufficient memory conditions.
  RX Neighbor Requests: The number of broadcast and unicast requests received from the neighbor mesh access points.
  RX Neighbor Responses: The number of responses received from the neighbor mesh access points.
  TX Neighbor Requests: The number of unicast and broadcast requests sent to the neighbor mesh access points.
  TX Neighbor Responses: The number of responses sent to the neighbor mesh access points.
  Parent Changes: The number of times a mesh access point (child) moves to another parent.
  Neighbor Timeouts: The number of neighbor timeouts.
  Node Hops: The number of hops between the MAP and the RAP. Click the value link to display a dialog box which enables you to configure details of what is reported, how often the node hop value is updated, and view a graphical representation of the report.

Table 5-55 Queue Mesh Statistics

  Silver Queue: The average and peak number of packets waiting in the silver (best effort) queue during the defined statistics time interval. Packets dropped and queue size are also summarized.
  Gold Queue: The average and peak number of packets waiting in the gold (video) queue during the defined statistics time interval. Packets dropped and queue size are also summarized.
  Platinum Queue: The average and peak number of packets waiting in the platinum (voice) queue during the defined statistics time interval. Packets dropped and queue size are also summarized.
Bronze Queue The average and peak number of packets waiting in the bronze (background) queue during the defined statistics time interval. Packets dropped and queue size is also summarized. Management Queue The average and peak number of packets waiting in the management queue during the defined statistics time interval. Packets dropped and queue size is also summarized. Ta b l e 5-56 Security Mesh Statistics Parameter Description Packets Transmitted Summarizes the total number of packets transmitted during security negotiations by the selected mesh access point. Packets Received Summarizes the total number of packets received during security negotiations by the selected mesh access point. Association Request Failures Summarizes the total number of association request failures that occur between the selected mesh access point and its parent. Association Request Timeouts Summarizes the total number of association request time outs that occur between the selected mesh access point and its parent. Association Request Success Summaries the total number of successful association requests that occur between the selected mesh access point and its parent. Authentication Request Failures Summarizes the total number of failed authentication requests that occur between the selected mesh access point and its parent.5-82 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Access Points Authentication Request Timeouts Summarizes the total number of authentication request timeouts that occur between the selected mesh access point and its parent. Authentication Request Success Summarizes the total number of successful authentication requests between the selected mesh access point and its parent mesh node. Reassociation Request Failures Summarizes the total number of failed reassociation requests between the selected mesh access point and its parent. 
Reassociation Request Timeouts Summarizes the total number of reassociation request timeouts between the selected mesh access point and its parent. Reassociation Request Success Summarizes the total number of successful reassociation requests between the selected mesh access point and its parent. Reauthentication Request Failures Summarizes the total number of failed reauthentication requests between the selected mesh access point and its parent. Reauthentication Request Timeouts Summarizes the total number of reauthentication request timeouts that occurred between the selected mesh access point and its parent. Reauthentication Request Success Summarizes the total number of successful reauthentication requests that occurred between the selected mesh access point and its parent. Invalid Association Request Summarizes the total number of invalid association requests received by the parent mesh access point from the selected child mesh access point. This state might occur when the selected child is a valid neighbor but is not in a state that allows association. Unknown Association Requests Summarizes the total number of unknown association requests received by the parent mesh access point from its child. The unknown association requests often occur when a child is an unknown neighbor mesh access point. Invalid Reassociation Request Summarizes the total number of invalid reassociation requests received by the parent mesh access point from a child. This might happen when a child is a valid neighbor but is not in a proper state for reassociation. Unknown Reassociation Request Summarizes the total number of unknown reassociation requests received by the parent mesh access point from a child. This might happen when a child mesh access point is an unknown neighbor. 
Retrieving the Unique Device Identifier on Controllers and Access Points

The unique device identifier (UDI) standard uniquely identifies products across all Cisco hardware product families, enabling customers to identify and track Cisco products throughout their business and network operations and to automate their asset management systems. The standard is consistent across all electronic, physical, and standard business communications. The UDI consists of five data elements:
• The orderable product identifier (PID)
• The version of the product identifier (VID)
• The serial number (SN)
• The entity name
• The product description

The UDI is burned into the EEPROM of controllers and lightweight access points at the factory and can be retrieved through the GUI. To retrieve the UDI on controllers and access points, perform the following steps:

Step 1 Choose Monitor > Controllers/Access Points. The Controllers/Access Points page appears (see Figure 5-2).

Figure 5-2 Monitor > Controllers Page

Step 2 Click the IP address of the controller/access point (see Figure 5-2) whose UDI information you want to retrieve. Data elements of the controller/access point UDI display. These elements are described in Table 5-57.

Table 5-57 Maximum Number of Crypto Cards That Can Be Installed on a Cisco Wireless LAN Controller (Type of Controller: Maximum Number of Crypto Cards)

Cisco 2000 Series: None
Cisco 4100 Series: One
Cisco 4400 Series: Two

Monitoring Coverage Hole

Coverage holes are areas where clients cannot receive a signal from the wireless network. The Cisco Unified Network Solution radio resource management (RRM) identifies these coverage hole areas and reports them to the NCS, enabling the IT manager to fill holes based on user demand. NCS is informed about the reliability-detected coverage holes by the controllers. NCS alerts the user about these coverage holes. For more information on finding coverage holes, refer to the Cisco Context-Aware Services documentation at this location: http://www.cisco.com/en/US/docs/wireless/mse/3350/5.2/CAS/configuration/guide/msecg_ch7_CAS.html

Note Coverage holes are displayed as alarms. Pre-coverage holes are displayed as events.

Monitoring Pre-Coverage Holes

To view pre-coverage hole events, perform these steps:

Step 1 Choose Monitor > Events to display all current events.
Step 2 To view pre-coverage hole events only, click the Advanced Search link.
Step 3 In the New Search page, change the Search Category drop-down to Events.
Step 4 From the Event Category drop-down list, choose Pre Coverage Hole, and click Go. The Pre-Coverage Hole Events page provides the information described in Table 5-58.

Table 5-58 Pre-Coverage Hole Parameters (Parameter: Description)

Severity: Pre-coverage hole events are always considered informational (Info).
Client MAC Address: MAC address of the client affected by the pre-coverage hole.
AP MAC Address: MAC address of the applicable access point.
AP Name: The name of the applicable access point.
Radio Type: The radio type (802.11b/g or 802.11a) of the applicable access point.
Power Level: Access point transmit power level: 1 = maximum power allowed per country code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
Client Type: Client type can be any of the following: laptop(0), pc(1), pda(2), dot11mobilephone(3), dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9), videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14), radiotag(15), rfidsensor(16), server(17).
WLAN Coverage Hole Status: Determines if the current coverage hole state is enabled or disabled.
WLAN: The name for this WLAN.
Date/Time: The date and time the event occurred. Click the title to toggle between ascending and descending order.

Step 5 Choose a Client MAC Address to view pre-coverage hole details.
• General—Provides the following information:
– Client MAC Address
– AP MAC Address
– AP Name
– Radio Type
– Power Level
– Client Type
– Category
– Created
– Generated By
– Device AP Address
– Severity
• Neighbor APs—Indicates the MAC addresses of nearby access points, their RSSI values, and their radio types.
• Message—Describes what device reported the pre-coverage hole and on which controller it was detected.
• Help—Provides additional information, if available, for handling the event.

Monitoring Rogue Access Points

This section describes security solutions for rogue devices. A rogue device is an unknown access point or client that is detected by managed access points in your network. Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial of service or man-in-the-middle attacks.
That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of clear-to-send (CTS) frames. This action mimics an access point informing a particular client to transmit and instructing all others to wait, which results in legitimate clients being unable to access network resources. Therefore, wireless LAN service providers have a strong interest in banning rogue access points from the air space.

Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad-hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish insecure access point locations, increasing the odds of having enterprise security breached.

Detecting Rogue Devices

The controllers continuously monitor all nearby access points and automatically discover and collect information on rogue access points and clients. When a controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.

Note NCS consolidates all of the controllers' rogue access point data.

You can configure controllers to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure a controller to use RLDP on all access points, the controller always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue. See “Configuring Rogue Policies” for information on enabling RLDP.

Note Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, NCS uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition may be changed at any time.

This section contains the following topics:
• Monitoring Rogue AP Alarms, page 5-90
• Viewing Rogue AP Alarm Details, page 5-94
• Viewing Rogue Client Details, page 5-98
• Viewing Rogue AP History Details, page 5-99
• Viewing Rogue AP Event History Details, page 5-100
• Monitoring Adhoc Rogue Alarms, page 5-100

Classifying Rogue Access Points

Classification and reporting of rogue access points occurs through the use of rogue states and user-defined classification rules that enable rogues to automatically move between states. You can create rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or Unclassified.

Note NCS consolidates all of the controllers' rogue access point data.

By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified.
Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only.

Note Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.

Note The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).

When the controller receives a rogue report from one of its managed access points, it responds as follows:
1. The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
3. If the rogue is already classified as Malicious (Alert) or Friendly (Internal or External), the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.

As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state. Table 5-59 shows the allowable classification types and rogue states from and to which an unknown access point can be configured.

Table 5-59 Allowable Classification Type and Rogue State Transitions (From: To)

Friendly (Internal, External, Alert): Malicious (Alert)
Friendly (Internal, External, Alert): Unclassified (Alert)
Friendly (Alert): Friendly (Internal, External)
Malicious (Alert, Threat): Friendly (Internal, External)
Malicious (Contained, Contained Pending): Malicious (Alert)
Unclassified (Alert, Threat): Friendly (Internal, External)
Unclassified (Contained, Contained Pending): Unclassified (Alert)
Unclassified (Alert): Malicious (Alert)

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.

Rogue access point classification types include:
• Malicious—Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See “Malicious Rogue APs” for more information.
• Friendly—Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See “Friendly Rogue APs” for more information. For more information on configuring friendly access point rules, see “Configuring a Friendly Access Point Template”.
• Unclassified—Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. See “Unclassified Rogue APs” for more information.

Malicious Rogue APs

Malicious rogue access points are detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. The Security dashboard of the NCS home page displays the number of malicious rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active malicious rogue access points. Malicious rogue access point states include:
• Alert—Indicates that the access point is not on the neighbor list or part of the user-configured Friendly AP list.
• Contained—The unknown access point is contained.
• Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.
• Contained Pending—Indicates that the containment action is delayed due to unavailable resources.
• Removed—This unknown access point was seen earlier but is not seen now.
Click an underlined number in any of the time period categories for detailed information regarding the malicious rogue access points. See “Monitoring Rogue Access Points” for more information.

Friendly Rogue APs

Friendly rogue access points are known, acknowledged or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.

Note Only an NCS user can add a rogue access point MAC address to the Friendly AP list. The NCS will not apply the Friendly AP MAC address to controllers.

The Security dashboard of the NCS home page displays the number of friendly rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active friendly rogue access points. Friendly rogue access point states include:
• Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you would manually configure it as Friendly, Internal. For example, the access points in your lab network.
• External—If the unknown access point is outside the network and poses no threat to WLAN security, you would manually configure it as Friendly, External. For example, the access points belonging to a neighboring coffee shop.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.

Click an underlined number in any of the time period categories for detailed information regarding the friendly rogue access points. See “Monitoring Rogue Access Points” for more information.

To delete a rogue access point from the Friendly AP list, ensure that both the NCS and the controller remove the rogue access point from the Friendly AP list. Change the rogue access point from Friendly AP Internal or External to Unclassified or Malicious Alert.
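The controller's classification steps 1 through 7 and the manual moves permitted by Table 5-59, worked through as an added Python example (this is illustration code, not Cisco NCS or controller code). The rule conditions (SSID match, minimum RSSI), the rule priority order and the MAC-to-state mapping for the friendly list are assumptions made for the example; the page does not specify them.

```python
"""Rogue AP classification walk-through. Added illustration, not Cisco NCS or
controller code: it encodes the controller's steps 1-7 and the manual moves of
Table 5-59. Rule conditions (SSID, minimum RSSI), rule priority order and the
friendly-list state mapping are assumptions; the page names none of them."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

FRIENDLY, MALICIOUS, UNCLASSIFIED = "Friendly", "Malicious", "Unclassified"

@dataclass(frozen=True)
class Rogue:
    """Classification type plus rogue state of an unknown access point."""
    classification: str  # Friendly, Malicious or Unclassified
    state: str           # Alert, Threat, Contained, Contained Pending, Internal, External

@dataclass(frozen=True)
class RogueReport:
    """What a managed AP reports about an unknown AP (constructed fields)."""
    mac: str
    ssid: str
    rssi: int
    on_network: bool     # outcome of the RLDP check (step 7)

@dataclass(frozen=True)
class Rule:
    """User-defined rule; a lower priority number is applied first (assumption)."""
    name: str
    priority: int
    classification: str             # Friendly or Malicious
    ssid: Optional[str] = None      # hypothetical condition: exact SSID match
    min_rssi: Optional[int] = None  # hypothetical condition: RSSI at or above this

    def matches(self, report: RogueReport) -> bool:
        if self.ssid is not None and report.ssid != self.ssid:
            return False
        return self.min_rssi is None or report.rssi >= self.min_rssi

# Step 3: classifications the controller never overrides automatically.
_PINNED = {Rogue(MALICIOUS, "Alert"), Rogue(FRIENDLY, "Internal"), Rogue(FRIENDLY, "External")}

def classify(report: RogueReport, friendly_macs: Dict[str, str],
             rules: Iterable[Rule], current: Optional[Rogue] = None) -> Rogue:
    """Run steps 1-7 for one report; friendly_macs maps MAC -> Internal/External."""
    # Step 1: the friendly MAC address list is consulted before any rule.
    state = {m.lower(): s for m, s in friendly_macs.items()}.get(report.mac.lower())
    if state is not None:
        return Rogue(FRIENDLY, state)
    # Step 3: pinned entries stay; anything else is reclassified only in the Alert state.
    if current is not None and (current in _PINNED or current.state != "Alert"):
        return current
    # Steps 4-5: first matching rule by priority, otherwise Unclassified.
    result = Rogue(UNCLASSIFIED, "Alert")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(report):
            result = Rogue(rule.classification, "Alert")
            break
    # Step 7: an RLDP hit marks the rogue Malicious / Threat even when no rule matched.
    return Rogue(MALICIOUS, "Threat") if report.on_network else result

# Table 5-59 rows as (From, To); each side is (classification, states).
_TABLE_5_59 = [
    ((FRIENDLY, ("Internal", "External", "Alert")), (MALICIOUS, ("Alert",))),
    ((FRIENDLY, ("Internal", "External", "Alert")), (UNCLASSIFIED, ("Alert",))),
    ((FRIENDLY, ("Alert",)), (FRIENDLY, ("Internal", "External"))),
    ((MALICIOUS, ("Alert", "Threat")), (FRIENDLY, ("Internal", "External"))),
    ((MALICIOUS, ("Contained", "Contained Pending")), (MALICIOUS, ("Alert",))),
    ((UNCLASSIFIED, ("Alert", "Threat")), (FRIENDLY, ("Internal", "External"))),
    ((UNCLASSIFIED, ("Contained", "Contained Pending")), (UNCLASSIFIED, ("Alert",))),
    ((UNCLASSIFIED, ("Alert",)), (MALICIOUS, ("Alert",))),
]

def _expand(table) -> Dict[Rogue, Set[Rogue]]:
    """Expand the grouped rows into an explicit (from -> {to}) map."""
    allowed: Dict[Rogue, Set[Rogue]] = {}
    for (from_cls, from_states), (to_cls, to_states) in table:
        for fs in from_states:
            for ts in to_states:
                allowed.setdefault(Rogue(from_cls, fs), set()).add(Rogue(to_cls, ts))
    return allowed

ALLOWED_TRANSITIONS = _expand(_TABLE_5_59)

def allowed_transition(src: Rogue, dst: Rogue) -> bool:
    """True if Table 5-59 lists the manual move src -> dst."""
    return dst in ALLOWED_TRANSITIONS.get(src, set())

def manual_move(src: Rogue, dst: Rogue) -> Rogue:
    """Manual reclassification (step 8). A Contained rogue must first return to
    Alert, and Malicious -> Unclassified is never listed (delete the rogue instead)."""
    if not allowed_transition(src, dst):
        raise ValueError(f"{src} -> {dst} is not an allowed transition")
    return dst

if __name__ == "__main__":
    # Constructed sample data: one friendly lab AP and two rules.
    friendly = {"00:11:22:33:44:55": "Internal"}
    rules = [Rule("coffee-shop", 2, FRIENDLY, ssid="CafeGuest"),
             Rule("corp-ssid-nearby", 1, MALICIOUS, ssid="CORP-WIFI", min_rssi=-70)]
    print(classify(RogueReport("aa:bb:cc:dd:ee:01", "CORP-WIFI", -55, False), friendly, rules))
```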
Unclassified Rogue APs

An unclassified rogue access point refers to a rogue access point that is not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. The Security dashboard of the NCS home page displays the number of unclassified rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active unclassified rogue access points. Unclassified rogue access point states include:
• Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.
• Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.
• Contained—The unknown access point is contained.
• Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.

Click an underlined number in any of the time period categories for further information. See “Monitoring Rogue Access Points”.

Monitoring Rogue AP Alarms

Rogue access point radios are unauthorized access points detected by one or more Cisco 1000 Series lightweight access points. To open the Rogue AP Alarms page, do one of the following:
• Search for rogue APs. See “Using the Search Feature” for more information about the search feature.
• From the NCS home page, click the Security dashboard. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
• Click the Malicious AP number link in the Alarm Summary.

Note If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use it to view additional alarms.
Note Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, NCS uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition may be changed at any time.

The Rogue AP Alarms page contains the following parameters:

Note When NCS polls, some data may change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

• Severity—Indicates the severity of the alarm: Critical, Major, Minor, Warning, Info, or Clear. Clear displays if the rogue is no longer detected by any access point. You can use the Severity Configuration feature to determine the level of severity for the following rogue access point alarm types:
– Rogue detected
– Rogue detected contained
– Rogue detected on network
See “Configuring Alarm Severities” for more information.

Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.

Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.

• Rogue MAC Address—Indicates the MAC address of the rogue access point. See “Viewing Rogue AP Alarm Details”.
• Vendor—Rogue access point vendor name or Unknown.
• Classification Type—Pending, Malicious, Friendly, or Unclassified.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
• No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.

Note This number comes from the NCS database. It is updated every two hours. From the Monitor > Alarms > Alarm Details page, this number is a real-time number. It is updated each time you open the Alarm Details page for this rogue access point.

• Owner—Name of the person to whom this alarm is assigned, or (blank).
• Last Seen Time—Indicates the date and time that the rogue access point was last seen.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of the rogue access point. See “Classifying Rogue Access Points” for additional information.
– Malicious rogue states include: Alert, Contained, Threat, Contained Pending, and Removed. See “Malicious Rogue APs” for more information.
– Friendly rogue states include: Internal, External, and Alert. See “Friendly Rogue APs” for more information.
– Unclassified rogue states include: Pending, Alert, Contained, and Contained Pending. See “Unclassified Rogue APs” for more information.
• SSID—Indicates the service set identifier being broadcast by the rogue access point radio. It is blank if the SSID is not being broadcast.
• Map Location—Indicates the map location for this rogue access point.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality. See “Acknowledging Alarms” for more information.

Caution When you choose to contain a rogue device, the following warning appears: “There may be legal issues following this containment. Are you sure you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another network could have legal consequences.

Select a command Menu

Select one or more alarms by selecting their respective check boxes, select one of the following commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s). Indicates that the alarm is no longer detected by any access point.

Note Once the severity is Clear, the alarm is deleted from NCS after 30 days.

• Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See “Acknowledging Alarms” for more information.

Note The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.

• Unacknowledge Alarm—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See “Monitoring RFID Tags” for more information.
• Severity Configuration—Allows you to change the severity level for newly-generated alarms. See “Configuring Alarm Severities” for more information.
• Detecting APs—View the Cisco 1000 Series lightweight access points that are currently detecting the rogue access point. See “Detecting Access Points” for more information.
• Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
• Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the rogue access point. See “Viewing Rogue Client Details” for more information. This information can also be accessed by using the NCS Search feature. See “Using the Search Feature” or “Advanced Search” for more information.
• Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest threat, continue monitoring the rogue access point, and turn off Containment. See “Unclassified Rogue APs” for more information on Unclassified rogues.
• Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’. See “Malicious Rogue APs” for more information on Malicious rogues.
• Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal, add it to the Known Rogue APs list, and turn off Containment. See “Friendly Rogue APs” for more information on Friendly rogues.
• Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external, add it to the Known Rogue APs list, and turn off Containment. See “Friendly Rogue APs” for more information on Friendly rogues.
• 1 AP Containment—Target the rogue access point for containment by one access point. (Lowest containment level.)
• 2 AP Containment—Target the rogue access point for containment by two Cisco 1000 Series lightweight access points.
• 3 AP Containment—Target the rogue access point for containment by three Cisco 1000 Series lightweight access points.
• 4 AP Containment—Target the rogue access point for containment by four Cisco 1000 Series lightweight access points. (Highest containment level.)
Note The higher the threat of the rogue access point, the higher the containment required.5-94 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 5 Monitoring Devices Monitoring Access Points Caution Attempting to contain a rogue access point may lead to legal consequences. When you select any of the AP Containment commands and click Go, a message “Containing a Rogue AP may have legal consequences. Do you want to continue?” appears. Click OK if you are sure or click Cancel if you do not wish to contain any access points. Viewing Rogue AP Alarm Details Rogue access point radios are unauthorized access points detected by Cisco 1000 Series lightweight access points. Alarm event details for each rogue access point are available from the Rogue AP Alarms list page. To view alarm events for a rogue access point radio, click the rogue MAC address for the applicable alarm from the Monitor > Alarms page for rogue access point alarms. Note All Alarm Details page fields (except No. of Rogue Clients) are populated through polling and are updated every two hours. The number of rogue clients is a real-time number and is updated each time you access the Alarm Details page for a rogue access point alarm. Note When NCS polls, some data may change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue. The Alarm Details page displays the following information: • General – Rogue MAC Address—MAC address of the rogue access points. – Vendor—Rogue access point vendor name or Unknown. Note When a rogue access point alarm displays for Airlink, the vendor displays as Alpha instead of Airlink. – Rogue Type—Indicates the rogue type such as AP. – On Network—Indicates how the rogue detection occurred. Controller—The controller detected the rogue (Yes or No). Switch Port Trace—The rogue was detected by a switch port trace. 
Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or is left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user. You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality. See “Acknowledging Alarms” for more information.
– Classification Type—Malicious, Friendly, or Unclassified.
– State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
– Channel Number—Indicates the channel of the rogue access point.
– Containment Level—Indicates the containment level of the rogue access point or Unassigned (not contained).
– Radio Type—Lists all radio types applicable to this rogue access point.
– Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue is displayed to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
– No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point. All other fields on the Alarm Details page are populated through polling and are updated every two hours.
– First Seen Time—Indicates the date and time when the rogue access point was first detected. This information is populated from the controller.
– Last Seen Time—Indicates the date and time when the rogue access point was last detected. This information is populated from the controller.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case “Generated by” will be NMS.
Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case “Generated by” will be Controller.
– Severity—The severity of the alarm, shown by one of the following icons:
Critical
Major
Minor
Warning
Info
Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
You can use the Severity Configuration feature to determine the level of severity for rogue access points. See “Configuring Alarm Severities” for more information.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear.
– Event Details—Click the Event History link to view the event details.
– Rogue AP History—Click the Rogue AP History link to view the Rogue Alarm details.
– Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status may include: Traced, but not found, Traced and found, Not traced, Failed. See “Configuring Switch Port Tracing” for more information.
• Switch Port Tracing Details—Provides the most recent switch port tracing details. To view additional trace details, use the Click here for more details link. See “Configuring Switch Port Tracing” for more information.
• Rogue Clients—Lists rogue clients for this access point including the client MAC address, the last date and time the client was heard, and the current client status. See “Viewing Rogue Client Details” for more information.
Note The number of rogue clients is the only real-time field on the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point. All other fields on the Alarm Details page are populated through polling and are updated every two hours.
• Message—Displays the most recent message regarding this rogue access point. A message is sent for the following: when the rogue access point is first detected, for any trap sent, and for any changed state.
• Annotations—Lists current notes regarding this rogue access point. To add a new note, click New Annotation. Type the note and click Post to save and display the note or Cancel to close the page without saving the note.
• Location Notifications—Displays the number of location notifications logged against the client. Clicking a link displays the notifications.
• Location—Provides location information, if available.
Note Switch port tracing does not update any of the rogue attributes such as severity, state, and so on. Because the rogue attributes are not updated by switch port tracing, alarms are not triggered if a rogue is discovered to be 'on network' using switch port tracing.

Select a command Menu

The Select a command drop-down list located on the Rogue AP Alarm Details page provides the following options. Select an option from the drop-down list and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See “Acknowledging Alarms” for more information.
Note The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Trace Switch Port—Click to run a switch port trace for this rogue access point. See “Configuring Switch Port Tracing” for more information.
• Event History—Click to view a list of events for this rogue access point. See “Monitoring Rogue Alarm Events” for more information.
• Refresh from Network—Click to sync up the rogue APs from the network.
• View Detecting AP on Network—View the Cisco 1000 Series lightweight access points that are currently detecting the rogue access point. See “Detecting Access Points” for more information.
Note Detecting AP Name, Radio, and SSID information might be empty because the information is not available on the controller. Refresh the page after the rogue AP task is completed to see the AP details.
• View Details by Controller—View the classification type and state of the rogue APs reported by the controller.
• Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
• Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the Rogue access point. See “Viewing Rogue Client Details” for more information. This information can also be accessed by using the NCS Search feature. See “Using the Search Feature” or “Advanced Search” for more information.
• Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest threat, continue monitoring the rogue access point, and turn off Containment. See “Unclassified Rogue APs” for more information on Unclassified rogues.
• Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’. See “Malicious Rogue APs” for more information on Malicious rogues.
• Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal, add it to the Known Rogue APs list, and turn off Containment. See “Friendly Rogue APs” for more information on Friendly rogues.
• Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external, add it to the Known Rogue APs list, and turn off Containment. See “Friendly Rogue APs” for more information on Friendly rogues.
• 1 AP Containment—Target the rogue access point for containment by one access point. (Lowest containment level.)
• 2 AP Containment—Target the rogue access point for containment by two Cisco 1000 Series lightweight access points.
• 3 AP Containment—Target the rogue access point for containment by three Cisco 1000 Series lightweight access points.
• 4 AP Containment—Target the rogue access point for containment by four Cisco 1000 Series lightweight access points. (Highest containment level.)
Note The higher the threat of the rogue access point, the higher the containment required.

Viewing Rogue Client Details

You can view a list of rogue clients in several ways:
• Perform a search for rogue clients using the NCS Search feature. See the “Using the Search Feature” section on page 2-33 for more information.
• View the list of rogue clients for a specific rogue access point from the Alarm Details page for the applicable rogue access point. Click the Rogue MAC Address for the applicable rogue client to view the Rogue Client details page.
• From the Alarm Details page of a rogue access point, select Rogue Clients from the Select a command drop-down list.
The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the associated rogue access point.

Note Rogue client statuses include: Contained (the controller contains the offending device so that its signals no longer interfere with authorized clients); Alert (the controller forwards an immediate alert to the system administrator for further action); and Threat (the rogue is a known threat).

Click the Client MAC Address for the rogue client to view the Rogue Client details page. The Rogue Client details page displays the following information:
• General—Information includes: client MAC address, number of access points that detected this client, when the client was first and last heard, the rogue access point MAC address, and the current client status.
• Location Notifications—Indicates the number of notifications for this rogue client including: absence, containment, distance, and all. Click the notification number to open the applicable Monitor > Alarms page.
• APs that detected the rogue client—Provides the following information for all access points that detected this rogue client: base radio MAC address, access point name, channel number, radio type, RSSI, SNR, and the date/time that the rogue client was last heard.
• Location—Provides location information, if available.
Note The higher the threat of the rogue access point, the higher the containment required.

Select a command

The Select a command drop-down list on the Rogue Client details page includes the following options:
• Set State to ‘Unknown - Alert’—Choose this command to tag the rogue client as the lowest threat, continue monitoring the rogue client, and turn off Containment.
• 1 AP Containment—Target the rogue client for containment by one access point. (Lowest containment level.)
• 2 AP Containment—Target the rogue client for containment by two access points.
• 3 AP Containment—Target the rogue client for containment by three access points.
• 4 AP Containment—Target the rogue client for containment by four access points. (Highest containment level.)
• Map (High Resolution)—Click to display a high-resolution map of the rogue client location.
• Location History—Click to display the history of the rogue client location based on RF fingerprinting.

Viewing Rogue AP History Details

To view the history of rogue AP alarms, click the Rogue AP History link in the Rogue AP Alarm page. The Rogue AP History page displays the following information:
• Severity—The severity of the alarm.
• Rogue MAC Address—MAC address of the rogue access point.
• Classification Type—Malicious, Friendly, or Unclassified.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue is displayed to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
• No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note The number of rogue clients is the only real-time field on the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point. All other fields on the Alarm Details page are populated through polling and are updated every two hours.
• First Seen Time—Indicates the date and time when the rogue access point was first detected. This information is populated from the controller.
• Last Seen Time—Indicates the date and time when the rogue access point was last detected. This information is populated from the controller.
• State—Indicates the state of the alarm.
Possible states vary depending on the classification type of rogue access point.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Category—Indicates the category of this alarm such as Security or NCS.
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Channel Number—Indicates the channel of the adhoc rogue.
• Containment Level—Indicates the containment level of the adhoc rogue or Unassigned.
• Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status may include: Traced, but not found, Traced and found, Not traced, Failed.
Click the Rogue MAC Address to view the specific rogue AP history details page. The rogue AP history details page displays the above details and also displays the actual alarm message.

Viewing Rogue AP Event History Details

To view the event details of a rogue AP, click the Event History link in the Rogue AP Alarm page. The Rogue AP Event History page displays the following information:
• Severity—The severity of the alarm.
• Rogue MAC Address—MAC address of the rogue access point.
• Vendor—Rogue access point vendor name or Unknown.
• Classification Type—Malicious, Friendly, or Unclassified.
• On Network—Indicates whether the rogue detection occurred. The controller detected the rogue (Yes or No).
• Date/Time—The date and time that the event was generated.
• Radio Type—Lists all radio types applicable to this rogue access point.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Monitoring Adhoc Rogues

If the MAC address of a mobile client operating in an adhoc network is not in the authorized MAC address list, then it is identified as an adhoc rogue.
• Monitoring Adhoc Rogue Alarms
• Viewing Adhoc Rogue Alarm Details

Monitoring Adhoc Rogue Alarms

The Adhoc Rogue Alarms page displays alarm events for adhoc rogues. To access the Adhoc Rogue Alarms page, do one of the following:
• Perform a search for adhoc rogue alarms. See “Using the Search Feature” for more information.
• From the NCS home page, click the Security dashboard. This page displays all the adhoc rogues detected in the past hour and the past 24 hours. Click the adhoc rogue number to view the adhoc rogue alarms.
If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.

The Adhoc Rogue Alarms page contains the following parameters:

Note When NCS polls, some data may change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

• Severity—Indicates the severity of the alarm, shown by one of the following icons:
Critical
Major
Minor
Warning
Info
Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
You can use the Severity Configuration feature to determine the level of severity for the following adhoc rogue alarm types:
– Adhoc Rogue auto contained
– Adhoc Rogue detected
– Adhoc Rogue detected on network
See “Configuring Alarm Severities” for more information.
• Rogue MAC Address—Indicates the MAC address of the rogue. See “Viewing Adhoc Rogue Alarm Details” for more information.
• Vendor—Indicates the adhoc rogue vendor name, or Unknown.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Strongest AP RSSI—Displays the strongest AP RSSI for this rogue across the life of the rogue. The strongest AP RSSI over the life of the rogue is displayed to indicate the nearest distance that existed between the rogue and your building or location. The higher the RSSI, the closer the location.
• No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note The number of rogue clients is the only real-time field on the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point. All other fields on the Alarm Details page are populated through polling and are updated every two hours.
• Owner—Indicates the owner or is left blank.
• Last Seen Time—Indicates the date and time that the alarm was last viewed.
• State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—The Service Set Identifier that is being broadcast by the rogue adhoc radio. It is blank if there is no broadcast.
• Map Location—Indicates the map location for this adhoc rogue.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
See “Acknowledging Alarms” for more information.

Select a command Menu

Select one or more alarms by selecting their respective check boxes, select one of the following commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See “Acknowledging Alarms” for more information.
Note The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See “Monitoring RFID Tags” for more information.
• Detecting APs—View the access points that are currently detecting the rogue adhoc. See “Detecting Access Points” for more information.
• Map (High Resolution)—Click to display a high-resolution map of the adhoc rogue location.
• Rogue Clients—Click to view a list of rogue clients associated with this adhoc rogue. The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the adhoc rogue.
• Set State to ‘Alert’—Choose this command to tag the adhoc rogue as the lowest threat, continue monitoring the rogue access point, and turn off Containment.
• Set State to ‘Internal’—Choose this command to tag the adhoc rogue as internal, add it to the Known Rogue APs list, and turn off Containment.
• Set State to ‘External’—Choose this command to tag the adhoc rogue as external, add it to the Known Rogue APs list, and turn off Containment.
• 1 AP Containment—Target the adhoc rogue for containment by one access point. (Lowest containment level.)
• 2 AP Containment—Target the adhoc rogue for containment by two access points.
• 3 AP Containment—Target the adhoc rogue for containment by three access points.
• 4 AP Containment—Target the adhoc rogue for containment by four access points. (Highest containment level.)

Caution Attempting to contain an adhoc rogue may lead to legal consequences. When you select any of the AP Containment commands and click Go, a message “Containing a Rogue AP may have legal consequences. Do you want to continue?” appears. Click OK if you are sure, or click Cancel if you do not wish to contain any access points.

Viewing Adhoc Rogue Alarm Details

Alarm event details for each adhoc rogue are available from the Adhoc Rogue Alarms page. To view alarm events for an adhoc rogue radio, click the applicable Rogue MAC Address from the Adhoc Rogue Alarms page. This page displays alarm events for a rogue access point radio. Rogue access point radios are unauthorized access points detected by Cisco 1000 Series lightweight access points.

Note When NCS polls, some data may change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.

The following information is available:
• General
– Rogue MAC Address—Media Access Control address of the adhoc rogue.
– Vendor—Adhoc rogue vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
Controller—The controller detected the rogue (Yes or No).
Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or is left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality. See “Acknowledging Alarms” for more information.
– State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the adhoc rogue radio. (Blank if SSID is not broadcast.)
– Channel Number—Indicates the channel of the adhoc rogue.
– Containment Level—Indicates the containment level of the adhoc rogue or Unassigned.
– Radio Type—Lists all radio types applicable to this adhoc rogue.
– Strongest AP RSSI—Indicates the strongest received signal strength indicator for this NCS (including all detecting access points for all controllers and across all detection times).
– No. of Rogue Clients—Indicates the number of rogue clients associated to this adhoc rogue.
Note This number comes from the NCS database. It is updated every two hours. From the Monitor > Alarms > Alarm Details page, this number is a real-time number. It is updated each time you open the Alarm Details page for this rogue access point.
– Created—Indicates when the alarm event was created.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case “Generated by” will be NMS.
Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case “Generated by” will be Controller.
– Severity—Indicates the severity of the alarm, shown by one of the following icons:
Critical
Major
Minor
Warning
Info
Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear. Color coded.
• Annotations—Enter any new notes in this box and click Add to update the alarm.
• Message—Displays descriptive information about the alarm.
• Help—Displays the latest information about the alarm.
• Event History—Click to access the Monitor > Events page. See “Monitoring Events” for more information.
• Annotations—Lists existing notes for this alarm.

Searching Rogue Clients Using Advanced Search

When the access points on your wireless LAN are powered up and associated with controllers, NCS immediately starts listening for rogue access points. When a controller detects a rogue access point, it immediately notifies NCS, which creates a rogue access point alarm.

Follow these steps to find rogue access point alarms using Advanced Search.
Step 1 Click Advanced Search in the top right-hand corner of the NCS main page.
Step 2 Choose Rogue Client from the Search Category drop-down list.
Step 3 (optional) You can filter the search even further with the other search criteria if desired.
Step 4 Click Search.
Step 5 The list of rogue clients appears (see Figure 5-3).
Figure 5-3 Rogue Clients Page
Step 6 Choose a rogue client by clicking a client MAC address. The Rogue Client detail page appears (see Figure 5-4).
Figure 5-4 Rogue Client Detail Page
Step 7 To modify the alarm, choose one of these commands from the Select a command drop-down list, and click Go.
• Set State to ‘Unknown-Alert’—Tags the ad hoc rogue as the lowest threat, continues to monitor the ad hoc rogue, and turns off containment.
• 1 AP Containment through 4 AP Containment—Indicates the number of access points (1-4) in the vicinity of the rogue unit that send deauthenticate and disassociate messages to the client devices that are associated to the rogue unit.
• Map (High Resolution)—Displays the current calculated rogue location on the Maps > Building Name > Floor Name page.
• Location History—Displays the history of the rogue client location based on RF fingerprinting.
Note The client must be detected by an MSE for the location history to appear.

Monitoring Rogue Access Point Location, Tagging, and Containment

When the Cisco Unified Network Solution is monitored using NCS, NCS generates the flags as rogue access point traps and displays the known rogue access points by MAC address. The operator can then display a map showing the location of the access points closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points (have between one and four access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point).
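The tagging workflow just described, together with the Set State and AP Containment commands listed in the Select a command menus earlier in this chapter, can be summarised as a small state model that an operator can use to reason about what each command does to a rogue record. The following Python is an added example written for this edit, not code from Cisco or from the NCS product. The RogueAP record and its field names are the example's own, and the choice that Set State to ‘Malicious - Alert’ leaves the containment level unchanged is an assumption (the guide only says the rogue is tagged as Malicious).

```python
"""Rogue access point tagging and containment state model.

Added example, not Cisco or NCS code. It encodes the behaviour the guide
attributes to the Select a command options on the Rogue AP Alarm pages:
  * Set State to 'Unclassified - Alert' retags the rogue as the lowest
    threat and turns off Containment.
  * Set State to 'Malicious - Alert' retags the rogue as Malicious
    (assumption: the containment level is left as it was).
  * Set State to 'Friendly - Internal' / 'Friendly - External' retag the
    rogue, add it to the Known Rogue APs list and turn off Containment.
  * 1..4 AP Containment sets the containment level (1 lowest, 4 highest).
The RogueAP record and its field names are the example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# "Set State to ..." options and the Classification Type each implies.
STATES = {
    "Unclassified - Alert": "Unclassified",
    "Malicious - Alert": "Malicious",
    "Friendly - Internal": "Friendly",
    "Friendly - External": "Friendly",
}


@dataclass
class RogueAP:
    mac: str
    state: str = "Unclassified - Alert"
    containment_level: Optional[int] = None  # None means Unassigned (not contained)
    known: bool = False                      # True once on the Known Rogue APs list
    history: List[str] = field(default_factory=list)

    @property
    def classification(self) -> str:
        return STATES[self.state]

    @property
    def contained(self) -> bool:
        return self.containment_level is not None


def set_state(ap: RogueAP, state: str) -> RogueAP:
    """Apply a 'Set State to <state>' command to the rogue record."""
    if state not in STATES:
        raise ValueError(f"unknown state {state!r}; expected one of {sorted(STATES)}")
    ap.state = state
    if STATES[state] in ("Unclassified", "Friendly"):
        ap.containment_level = None  # these commands turn off Containment
    if STATES[state] == "Friendly":
        ap.known = True  # Friendly rogues are added to the Known Rogue APs list
    ap.history.append(f"Set State to '{state}'")
    return ap


def set_containment(ap: RogueAP, level: int) -> RogueAP:
    """Apply an 'N AP Containment' command; N is 1 (lowest) to 4 (highest)."""
    if level not in (1, 2, 3, 4):
        raise ValueError("containment level must be 1, 2, 3 or 4")
    ap.containment_level = level
    ap.history.append(f"{level} AP Containment")
    return ap


def walk_through() -> RogueAP:
    """Constructed sequence of operator commands on one rogue (sample MAC)."""
    ap = RogueAP(mac="00:1a:2b:3c:4d:5e")   # constructed sample address
    set_containment(ap, 2)                  # operator contains with two APs
    set_state(ap, "Malicious - Alert")      # tagged Malicious, containment kept
    set_containment(ap, 4)                  # raised to the highest level
    set_state(ap, "Friendly - Internal")    # reclassified: containment off, now Known
    return ap


if __name__ == "__main__":
    record = walk_through()
    print(record.state, record.classification, record.containment_level, record.known)
    print("\n".join(record.history))
```

The point the model makes explicit is that reclassifying a rogue as Friendly or Unclassified silently drops any containment that was in force, so an operator who downgrades a classification by mistake also stops the containment; the history list keeps the command sequence so that such a change can be traced.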
This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:
• Locate rogue access points
• Receive new rogue access point notifications, eliminating hallway scans
• Monitor unknown rogue access points until they are eliminated or acknowledged
• Determine the closest authorized access point, making directed scans faster and more effective
• Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet.
• Tag rogue access points:
– Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security
– Accept rogue access points when they do not compromise the LAN or wireless LAN security
– Tag rogue access points as unknown until they are eliminated or acknowledged
• Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.

Detecting Access Points

Use the Detecting Access Points feature to view information about the Cisco lightweight access points that are detecting a rogue access point. To access the Rogue AP Alarms details page, follow these steps:
Step 1 To display the Rogue AP Alarms page, do one of the following:
• Perform a search for rogue APs. See “Using the Search Feature” for more information about the search feature.
• From the NCS home page, click the Security dashboard.
This dashboard displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
• Click the Malicious AP number link in the Alarm Summary box.
Step 2 From the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The Rogue AP Alarms details page appears.
Step 3 From the Select a command drop-down list, choose Detecting APs.
Step 4 Click Go.
Click a list item to display data about that item:
• AP Name
• Radio
• Map Location
• SSID—Service Set Identifier being broadcast by the rogue access point radio.
• Channel Number—Which channel the rogue access point is broadcasting on.
• WEP—Enabled or disabled.
• WPA—Enabled or disabled.
• Pre-Amble—Long or short.
• RSSI—Received signal strength indicator in dBm.
• SNR—Signal-to-noise ratio.
• Containment Type—Type of containment applied from this access point.
• Containment Channels—Channels that this access point is currently containing.

Monitoring Rogue Alarm Events

The Events page enables you to review information about rogue alarm events. NCS generates an event when a rogue access point is detected or if you make manual changes to a rogue access point (such as changing its state). The Rogue AP Events list page displays all rogue access point events. To access the Rogue AP Events list page, follow these steps:
Step 1 Do one of the following:
• Perform a search for rogue access point events using the Advanced Search feature of NCS. See “Advanced Search” for more information.
• From the Rogue AP Alarms details page, click Event History from the Select a command drop-down list. See “Viewing Rogue AP Alarm Details” for more information.
Step 2 The Rogue AP Events list page displays the following event information.
• Severity—Indicates the severity of the alarm, shown as an icon: Critical, Major, Minor, Warning, or Info.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See “Viewing Rogue AP Event Details” for more information.
• Vendor—Rogue access point vendor name or Unknown.
• Classification Type—Malicious, Friendly, or Unclassified.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of the rogue access point.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if the SSID is not broadcast.)

Viewing Rogue AP Event Details

To view rogue access point event details, follow these steps:

Step 1 From the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2 The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Classification Type—Malicious, Friendly, or Unclassified.
• State—Indicates the state of the alarm. Possible states vary depending on the classification type of the rogue access point.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if the SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  – NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case “Generated by” will be NMS.
  – Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case “Generated by” will be Controller.
• Device IP Address
• Severity—Indicates the severity of the alarm, shown as an icon: Critical, Major, Minor, Warning, Info, or Clear. Clear displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but another access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
• Message—Provides details of the current event.

Monitoring Adhoc Rogue Events

The Events page enables you to review information about adhoc rogue events. NCS generates an event when an adhoc rogue is detected or when you make manual changes to an adhoc rogue (such as changing its state). The Adhoc Rogue Events list page displays all adhoc rogue events.

To access the Rogue AP Events list page, follow these steps:

Step 1 Do one of the following:
• Perform a search for adhoc rogue events using the Advanced Search feature of NCS. See “Advanced Search” for more information.
• From the Adhoc Rogue Alarms details page, choose Event History from the Select a command drop-down list. See “Viewing Adhoc Rogue Alarm Details” for more information.
Step 2 The Rogue AP Events list page displays the following event information.
• Severity—Indicates the severity of the alarm, shown as an icon: Critical, Major, Minor, Warning, or Info.
• Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See “Viewing Adhoc Rogue Event Details” for more information.
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Date/Time—The date and time that the event was generated.
• State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if the SSID is not broadcast.)

Viewing Adhoc Rogue Event Details

To view adhoc rogue event details, follow these steps:

Step 1 From the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2 The Rogue AP Events Details page displays the following information:
• Rogue MAC Address
• Vendor—Rogue access point vendor name or Unknown.
• On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if the SSID is not broadcast.)
• Channel Number—The channel on which the rogue access point is broadcasting.
• Containment Level—Indicates the containment level of the rogue access point or Unassigned.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—The date and time that the event was generated.
• Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  – NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case “Generated by” will be NMS.
  – Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case “Generated by” will be Controller.
• Device IP Address
• Severity—Indicates the severity of the alarm, shown as an icon: Critical, Major, Minor, Warning, Info, or Clear. Clear displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but another access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
• Message—Provides details of the current event.

Monitoring RFID Tags

The Monitor > RFID Tags page allows you to monitor tag status and location on NCS maps as well as review tag details.
Note This page is only available in the Location version of NCS.
This section provides information on the tags detected by the location appliance. Choose Monitor > RFID Tags to access this section. By default, the Tag Summary page is displayed.
• Tag Summary
• Searching Tags
• Viewing RFID Tag Search Results
• Viewing Tag List

Tag Summary

Choose Monitor > RFID Tags to access this page. This page provides information on the number of tags that are detected by the MSE. The following parameters are displayed in the main data area:
• MSE Name—Name of the MSE device.
• Total Tags—Click the number to view tag details. Clicking the number gives the list of tags located by the MSE. Clicking a MAC address gives the tag details pertaining to that MAC address.

Searching Tags

Use the NCS Advanced Search feature to find specific or all tags.

To search for tags in NCS, follow these steps:

Step 1 Click Advanced Search.
Step 2 Select Tags from the Search Category drop-down list.
Step 3 Identify the applicable tag search parameters including:
• Search By—Choose All Tags, Asset Name, Asset Category, Asset Group, MAC Address, Controller, MSE, Floor Area, or Outdoor Area.
Note Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
• Search In—Choose MSEs or NCS Controllers.
• Last detected within—Choose a time increment from 5 minutes to 24 hours. The default is 15 minutes.
• Tag Vendor—Select the check box and choose Aeroscout, G2, PanGo, or WhereNet.
• Telemetry Tags only—Check Telemetry Tags only to restrict the search to telemetry tags.
Step 4 Click Go.

Viewing RFID Tag Search Results

Use the NCS Advanced Search feature located at the top right of the NCS window to search for tags by asset type (name, category, and group), by MAC address, by system (controller or location appliance), and by area (floor area and outdoor area).
Note Search parameters may change depending on the selected category. When applicable, enter the additional parameter or filter information to help identify the Search By category.
You can further refine your search using the Advanced Search parameters and save the search criteria for future use. Saved search criteria can be retrieved from the Saved Searches located in the navigation bar. See “Advanced Search” or “Saved Searches” for additional information.

When you click the MAC address of a tag location in a search results page, the following details display for the tag:
• Tag vendor
Note This option does not display when Asset Name, Asset Category, Asset Group, or MAC Address is the search criterion for tags.
• Controller to which the tag is associated
• Telemetry data (CCX v1 compliant tags only)
  – Telemetry data displayed is vendor-specific; however, some commonly reported details are GPS location, battery extended information, pressure, temperature, humidity, motion, status, and emergency code.
Note The Telemetry data option only appears when MSE (select for location servers), Floor Area, or Outdoor Area is selected as the Search for tags by option.
Note Only those vendor tags that support telemetry appear.
• Asset Information (Name, Category, Group)
• Statistics (bytes and packets received)
• Location (Floor, Last Located, MSE, map)
• Location Notification (Absence, Containment, Distance, All)
• Emergency Data (CCX v1 compliant tags only)

Viewing Tag List

Click the Total Tags number link to view the Tags List for the applicable device name. The Tag List contains the following information:
• MAC Address
• Asset Name
• Asset Group
• Asset Category
• Vendor Name
• Mobility Services Engine
• Controller
• Battery Status
• Map Location

Monitoring Chokepoints

Chokepoints are installed and configured as recommended by the chokepoint vendor. After the chokepoint installation is complete and operational, the chokepoint can be added to NCS and placed on floor maps. They are pushed to the location server during synchronization.

Choose Monitor > Chokepoints to access this section. A page appears displaying a list of found chokepoints. Clicking the link under Map Location for a particular chokepoint displays a map that shows the location of the chokepoint. The following parameters are displayed:
• MAC Address—The MAC address of the chokepoint.
• Chokepoint Name—The user-defined name of the chokepoint.
• Entry/Exit Chokepoint—Indicates whether or not the chokepoint is an entry/exit chokepoint.
• Range—The range of the chokepoint in feet.
• Static IP—The static IP address of the chokepoint.
• Map Location—A link to a map showing the location of the chokepoint.
Performing a Chokepoint Search

An advanced search allows you to search for chokepoints.

To perform an advanced search for a chokepoint in NCS, follow these steps:

Step 1 Click Advanced Search located in the top right corner of NCS.
Step 2 From the New Search page, select Chokepoint from the Search Category drop-down list.
Step 3 Select the method by which you want to search (by MAC address or chokepoint name) from the Search for Chokepoint by drop-down list.
Step 4 Enter the MAC address or chokepoint name, depending on the search method selected.
Step 5 Click Search.

Monitoring Interferers

The Monitor > Interferers page allows you to monitor interference devices detected by the CleanAir enabled access points. This section provides information on the interferers detected by the CleanAir enabled access points. By default, the Monitoring AP Detected Interferers page is displayed.
• Monitoring AP Detected Interferers, page 5-116
• Monitoring AP Detected Interferer Details, page 5-117
• Monitoring AP Detected Interferer Details Location History, page 5-118
• Configuring the Search Results Display, page 5-119

Monitoring AP Detected Interferers

Choose Monitor > Interferers to view all the interfering devices detected by the CleanAir enabled access points on your wireless network. This page enables you to view a summary of the interfering devices, including the following default information:
• Interferer ID—A unique identifier for the interferer. Click this link to learn more about the interferer.
• Type—Indicates the category of the interferer. Click to read more about the type of device. A pop-up page appears displaying more details. The categories include:
  – Bluetooth link—A Bluetooth link (802.11b/g/n only)
  – Microwave Oven—A microwave oven (802.11b/g/n only)
  – 802.11 FH—An 802.11 frequency-hopping device (802.11b/g/n only)
  – Bluetooth Discovery—A Bluetooth discovery (802.11b/g/n only)
  – TDD Transmitter—A time division duplex (TDD) transmitter
  – Jammer—A jamming device
  – Continuous Transmitter—A continuous transmitter
  – DECT-like Phone—A digital enhanced cordless communication (DECT)-compatible phone
  – Video Camera—A video camera
  – 802.15.4—An 802.15.4 device (802.11b/g/n only)
  – WiFi Standard—A device using standard Wi-Fi channels
  – WiFi Inverted—A device using spectrally inverted Wi-Fi signals
  – WiFi Invalid Channel—A device using non-standard Wi-Fi channels
  – SuperAG—An 802.11 SuperAG device
  – Canopy—A Motorola Canopy device
  – Radar—A radar device (802.11a/n only)
  – XBox—A Microsoft Xbox (802.11b/g/n only)
  – WiMAX Mobile—A WiMAX mobile device (802.11a/n only)
  – WiMAX Fixed—A WiMAX fixed device (802.11a/n only)
  – WiFi AOCI—A WiFi device with AOCI
  – Unclassified
• Status—Indicates the status of the interfering device.
  – Active—Indicates that the interferer is currently being detected by the CleanAir capable access point.
  – Inactive—Indicates that the interferer is no longer being detected by the CleanAir capable access point or is no longer reachable by NCS.
• Severity—Displays the severity ranking of the interfering device.
• Affected Band—Displays the band in which this device is interfering.
• Affected Channels—Displays the affected channels.
• Duty Cycle (%)—The duty cycle of the interfering device as a percentage.
• Discovered—Displays the time at which the interferer was discovered.
• Last Updated—The last time the interference was detected.
• Floor—The location where the interfering device is present.
Monitoring AP Detected Interferer Details

Choose Monitor > Interferers > to view this page. This page enables you to view the details of the interfering devices detected by the access points. This page provides the following details about the interfering device.
• Interferer Properties
  – Type—Displays the type of the interfering device detected by the AP.
  – Status—Indicates the status of the interfering device.
    – Active—Indicates that the interferer is currently being detected by the CleanAir capable access point.
    – Inactive—Indicates that the interferer is no longer being detected by the CleanAir capable access point or is no longer reachable by NCS.
  – Severity—Displays the severity ranking of the interfering device.
  – Duty Cycle (%)—The duty cycle of the interfering device as a percentage.
  – Affected Band—Displays the band in which this device is interfering.
  – Affected Channels—Displays the affected channels.
  – Discovered—Displays the time at which the interferer was discovered.
  – Last Updated—The last time the interference was detected.
• Location
  – Floor—The location where this interfering device was detected.
  – Last Located At—The last time at which the interfering device was located.
  – On MSE—The Mobility Services Engine on which this interfering device was located.
• Clustering Information
  – Clustered By—Displays the IP address of the controller or the MSE that clustered the interferer information from the access point.
  – Detecting APs—Displays the details of the access point that has detected the interfering device. The details include: Access Point Name (MAC), Severity, and Duty Cycle (%).
• Details—Displays a short description of the interferer type.

Select a command

The Select a command drop-down list provides access to the location history of the interfering device detected by the access point. See Monitoring AP Detected Interferer Details Location History.

Monitoring AP Detected Interferer Details Location History

Choose Monitor > Interferers > Interferers. The AP Detected Interferers page appears showing details of the interferers detected by the CleanAir enabled access points.
Step 2 Click the Edit View link.
Step 3 To add an additional column to the access points table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.
Step 4 To remove a column from the access points table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. All items in the left column are not displayed in the table.
Step 5 Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6 Click Reset to restore the default view.
Step 7 Click Submit to confirm the changes.

Monitoring Spectrum Experts

A Spectrum Expert client acts as a remote interference sensor and sends dynamic interference data to NCS. This feature allows NCS to collect, archive, and monitor detailed interferer and air quality data from Spectrum Experts in the network.

To access the Monitor Spectrum Experts page, follow these steps:

Step 1 Choose Monitor > Spectrum Experts.
Step 2 From the left sidebar menu, you can access the Spectrum Experts Summary page and the Interferers Summary page.

Spectrum Experts Summary

The Spectrum Experts > Summary page is the default page and provides a table of the Spectrum Experts added to the system. The table provides the following Spectrum Expert information:
• Hostname—Displays the hostname or IP address depending on how it was added.
Click the hostname to access the Spectrum Experts Details page.
• Active Interferers—Indicates the current number of interferers being detected by the Spectrum Expert.
• Affected APs—The number of access points seen by the Spectrum Expert that are potentially affected by detected interferers.
• Alarms—The number of active interference traps sent by the Spectrum Expert. Click to access the Alarm page, filtered to the active alarms for this Spectrum Expert.
• Reachability Status—Indicates “Reachable” in green if the Spectrum Expert is running and sending data to NCS; otherwise indicates “Unreachable” in red.
• Location—When the Spectrum Expert is a wireless client, a link is available that displays the location of the Spectrum Expert. A red box around the Spectrum Expert indicates the effective range. Click to access the nearest mapped access point.

Interferers Summary

The Interferers > Summary page displays a list of all the interferers detected over a 30-day interval. The table provides the following interferer information:
• Interferer ID—An identifier that is unique across different Spectrum Experts.
• Category—Indicates the category of the interferer. Categories include: Bluetooth, Cordless Phones, Microwave Ovens, 802.11 FH, Generic - Fixed-Frequency, Jammers, Generic - Frequency-Hopped, Generic - Continuous.
• Type—Indicates the type of interferer. Click to access a pop-up description of the type.
• Status—Indicates Active or Inactive.
  – Active—Indicates that the interferer is currently being detected by a Spectrum Expert.
  – Inactive—Indicates that the interferer is no longer detected by a Spectrum Expert, or the Spectrum Expert that saw the interferer is no longer reachable by NCS.
• Discover Time—Indicates the time of discovery.
• Affected Channels—Identifies affected channels.
• Number of APs Affected—An access point is listed as Affected if the following conditions are met:
  – The access point is managed by NCS.
  – The Spectrum Expert detects the access point.
  – The Spectrum Expert detects an interferer on the serving channel of the access point.
• Power—Indicated in dBm.
• Duty Cycle—Indicated in percentage.
Note 100% indicates the worst value.
• Severity—Indicates the severity ranking of the interferer.
Note 100% indicates the worst value, where 0 indicates no interference.

Interferers Search

Use the NCS Search feature to find specific interferers or to create and save custom searches. See one of the following topics for additional information:
• Using the Search Feature
• Quick Search
• Advanced Search
• Saved Searches

Spectrum Experts Details

The Spectrum Expert Details page provides all interference details from a single Spectrum Expert. This page updates every 20 seconds, providing a real-time look at what is happening on the remote Spectrum Expert, and includes the following items:
• Total Interferer Count—As seen by the specific Spectrum Expert.
• Active Interferers Count Chart—Displays a pie chart that groups interferers by category.
• Active Interferer Count Per Channel—Displays the number of interferers grouped by category on different channels.
• AP List—Provides a list of access points detected by the Spectrum Expert that are on channels that have active interferers detected by the Spectrum Expert on those channels.
• Affected Clients List—Provides a list of clients that are currently authenticated/associated to the radio of one of the access points listed in the access point list.

Monitoring WiFi TDOA Receivers

To monitor WiFi TDOA receivers, follow these steps:

Step 1 Choose Monitor > WiFi TDOA Receivers. The WiFi TDOA Receiver summary page appears showing all mapped WiFi TDOA receivers.
Step 2 To refine the search criteria when an extensive list appears, you can search by MAC address or location sensor name.
a. To initiate a search for a TDOA receiver by its MAC address, click the Advanced Search link in the NCS window. Select WiFi TDOA Receiver from the Search Category drop-down list and MAC Address from the Search by drop-down list. Enter the MAC address of the TDOA receiver in the available text box and click Search.
b. To initiate a search for a TDOA receiver by its name, click the Advanced Search link in the NCS window. Select WiFi TDOA Receiver from the Search Category drop-down list and WiFi TDOA Receivers from the Search by drop-down list. Enter the name of the TDOA receiver in the available text box and click Search.
If no match exists, a message indicating that appears on the page. Otherwise, the search result displays.
Note See “Using the Search Feature” or “Advanced Search” for more information on the NCS Search feature.

The WiFi TDOA Receivers page displays the following information:
• MAC Address
• WiFi TDOA Receiver Name
• Static IP—Static IP address of the WiFi TDOA receiver.
• Oper Status—Up or down.
• Map Location—Click the Map Location link to view the floor map for this WiFi TDOA receiver. See “Floor Area” for more information on NCS floor maps.
Note See “Configuring WiFi TDOA Receivers” for more information on adding, configuring, and editing WiFi TDOA receivers.

Monitoring Radio Resource Management (RRM)

The operating system security solution uses the radio resource management (RRM) function to continuously monitor all nearby access points, automatically discover rogue access points, and locate them as described in the “” section.

Radio Resource Management (RRM) built into the Cisco Unified Wireless Network monitors and dynamically corrects performance issues found in the RF environment.

NCS would receive traps whenever a change in the transmit power or channel of an access point occurred. These trap events, and similar events such as RF regrouping, were logged as informational NCS events and were maintained by the event dispatcher. The reason behind the transmit power or channel changes (such as signals from neighboring access points, interference, noise, load, and the like) was not evident, and you could not view these events and statistics in order to troubleshoot.

Radio Resource Management (RRM) statistics help to identify trouble spots and provide possible reasons for channel or power level changes. The dashboard provides network-wide RRM performance statistics and predicts reasons for channel changes based on grouping the events together (worst performing access points, configuration mismatches between controllers in the same RF group, coverage holes that were detected by access points based on threshold, pre-coverage holes that were detected by controllers, ratios of access points operating at maximum power, and so on).
Note The RRM dashboard information is only available for lightweight access points.
• Channel Change Notifications
• Transmission Power Change Notifications
• RF Grouping Notifications
• Viewing the RRM Dashboard

Channel Change Notifications

Notifications are sent to the NCS RRM dashboard when a channel change occurs. Channel changes depend on the dynamic channel assignment (DCA) configuration, where the mode can be set to auto or on demand. When the mode is auto, channel assignment is periodically updated for all lightweight access points which permit this operation. When the mode is set to on demand, channel assignments are updated based upon request. If the DCA is static, no dynamic channel assignments occur, and values are set to their global default.

When a channel change trap is received and a channel change had occurred earlier, the event is marked as Channel Revised; otherwise, the event is marked as Channel Changed.

Each channel change event can be caused by multiple reasons. The reason code is factored and equated to one irrespective of the number of reasons for the event to occur. For example, suppose a channel change is caused by signal, interference, or noise. When the reason code is received in the notification, the reason code is refactored across the reasons. If three reasons caused the event to occur, the reason code is refactored to 1/3 or 0.33 per reason. If ten channel change events are received with the same reason code, all of the three reasons are equally factored to determine the cause of the channel change.

Transmission Power Change Notifications

Notifications are sent to the NCS RRM dashboard when transmission power changes occur. Each transmit power change event is caused by multiple reasons. The reason code is factored and equated to one irrespective of the number of reasons for the event to occur.

RF Grouping Notifications

When RRM is run on the controller, dynamic grouping is done, and a new group leader is chosen. Dynamic grouping has three modes: Automatic, Off, and Leader. When the grouping is Off, no dynamic grouping occurs, and each switch optimizes only its own lightweight access point parameters. When the grouping is Automatic, switches form groups and elect leaders to perform better dynamic parameter optimization. With grouping automatic, configured intervals (in seconds) represent the period with which the grouping algorithm is run. (Grouping algorithms also run when the group contents change and automatic grouping is enabled.)
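The reason-code weighting described above, which the RRM dashboard's Channel Change Causes chart and its APs with channel changes list also rely on, is worked through in the following added example. This is example code written for this page, not NCS code; it assumes a simplified event record of (timestamp, AP MAC address, set of reason names), since the guide does not describe the wire format of the reason code, and it uses the Channel Changed/Channel Revised labelling and the 24-hour and 7-day windows from the guide.

```python
# Added example (not NCS code): weighted channel-change reason accounting as the
# NCS RRM dashboard describes it. Each event counts as one channel change; its
# weight is split equally across the reasons decoded from the notification's
# reason code, then summed over a 24-hour or 7-day reporting window.
from collections import defaultdict
from datetime import datetime, timedelta

# Reason names shown in the dashboard's Channel Change Reason chart.
REASONS = ("Signal", "Wifi Interference", "Load", "Radar", "Noise",
           "Persistent Non-Wifi Interference", "Major Air Quality Event", "Other")


def weight_reasons(reasons):
    """Split one event's unit weight equally across its reasons.

    Three reasons (for example Signal, Wifi Interference, Noise) each get 1/3,
    so the event contributes exactly 1.0 to the totals however many reasons it has.
    """
    names = sorted(r for r in set(reasons) if r in REASONS)
    if not names:
        raise ValueError("a channel change event must carry at least one known reason")
    share = 1.0 / len(names)
    return {r: share for r in names}


def label_events(events):
    """Mark the first change seen for an AP as Channel Changed, later ones as Channel Revised.

    events: iterable of (timestamp, ap_mac, reasons). Returns the events in time
    order with the label appended as a fourth field.
    """
    seen = set()
    labelled = []
    for ts, ap, reasons in sorted(events, key=lambda e: e[0]):
        label = "Channel Revised" if ap in seen else "Channel Changed"
        seen.add(ap)
        labelled.append((ts, ap, reasons, label))
    return labelled


def summarize(events, now, window):
    """Aggregate weighted reasons for events that fall inside [now - window, now].

    Returns (total_changes, percent_by_reason, top_ap_by_reason):
      - Total Channel Changes, counting changed and revised events alike;
      - each reason's share of the weighted total as a percentage (two decimals);
      - for each reason, the AP with the highest weighted count, which is what the
        dashboard's "APs with channel changes" list ranks per reason code.
    """
    cutoff = now - window
    totals = defaultdict(float)
    per_ap = defaultdict(lambda: defaultdict(float))
    count = 0
    for ts, ap, reasons in events:
        if ts < cutoff or ts > now:
            continue  # outside the reporting window
        count += 1
        for reason, w in weight_reasons(reasons).items():
            totals[reason] += w
            per_ap[reason][ap] += w
    grand = sum(totals.values())  # equals count, since every event sums to 1.0
    percent = {r: round(100.0 * v / grand, 2) for r, v in totals.items()} if grand else {}
    top_ap = {r: max(aps.items(), key=lambda kv: kv[1])[0] for r, aps in per_ap.items()}
    return count, percent, top_ap


# Constructed sample data, not captured from a real controller or NCS instance.
NOW = datetime(2011, 7, 1, 12, 0, 0)
AP1, AP2 = "00:00:00:00:00:01", "00:00:00:00:00:02"  # placeholder AP MAC addresses
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=2), AP1, {"Signal", "Noise", "Wifi Interference"}),
    (NOW - timedelta(hours=5), AP1, {"Load"}),
    (NOW - timedelta(days=3), AP2, {"Signal"}),
    (NOW - timedelta(days=9), AP2, {"Radar"}),  # older than 7 days: ignored
]

if __name__ == "__main__":
    for ts, ap, reasons, label in label_events(SAMPLE_EVENTS):
        print(ts, ap, label, weight_reasons(reasons))
    for name, window in (("24-hour", timedelta(hours=24)), ("7-day", timedelta(days=7))):
        count, percent, top_ap = summarize(SAMPLE_EVENTS, NOW, window)
        print(f"{name}: {count} changes, reason shares {percent}, top AP per reason {top_ap}")
```

With the sample above, the 24-hour window reports 2 changes with Load at 50% and Signal, Noise and Wifi Interference at 16.67% each, and the 7-day window reports 3 changes with Signal at 44.44%.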
Viewing the RRM Dashboard

The RRM dashboard is accessed by choosing Monitor > RRM. The dashboard is made up of the following parts:
• The RRM RF Group Summary shows the number of different RF groups.
Note To get the latest number of RF Groups, you have to run the configuration sync background task.
• The RRM Statistics portion shows network-wide statistics.
• The Channel Change Reason portion shows why channels changed for all 802.11a/b/g/n radios.
– Signal—The channel changed because it improved the channel quality for some other neighbor radio(s). Improving the channel quality for some other neighbor radio(s) improved the channel plan of the system as evaluated by the algorithm.
– Wifi Interference
– Load
– Radar
– Noise
– Persistent Non-Wifi Interference
– Major Air Quality Event
– Other
• The Channel Change shows all events complete with causes and reasons.
• The Configuration Mismatch portion shows comparisons between leaders and members.
• The Coverage Hole portion rates how severe the coverage holes are and gives their location.
• The Percent Time at Maximum Power shows what percent of time the access points were at maximum power and gives the location of those access points.

The following statistics are displayed:
• Total Channel Changes—The sum total of channel changes across 802.11a/b/g/n radios, irrespective of whether the channel was updated or revised. The count is split over a 24-hour and 7-day period. If you click the percentages link or the link under the 24-hour column, a page with details for that access point only appears.
• Total Configuration Mismatches—The total number of configuration mismatches detected over a 24-hour period.
• Total Coverage Hole Events—The total number of coverage hole events over a 24-hour and 7-day period.
• Number of RF Groups—The total number of RF groups (derived from all the controllers which are currently managed by NCS).
• Configuration Mismatch—The configuration mismatch over a 24-hour period by RF group with details on the group leader.
• APs at MAX Power—The percentage of access points with 802.11a/n radios as a total percentage across all access points which are at maximum power. The maximum power levels are preset and are derived with reference to the preset value.
Note Maximum power is shown in three areas of the RRM dashboard. This maximum power portion shows the current value and is poll driven.
• Channel Change Causes—A graphical bar chart for 802.11a/n radios. The chart is factored based on the reason for channel change. The chart is divided into two parts, each depicting the percentage of weighted reasons causing the event to occur over a 24-hour and 7-day period. Each channel change event can be caused by multiple reasons, and the weight is equally divided across these reasons. The net reason code is factored and equated to one irrespective of the number of reasons for the event to occur.
• Channel Change - APs with channel changes—Each channel change event includes the MAC address of the lightweight access point. For each reason code, you are given the most channel changes that occurred for the 802.11a/n access point based on the weighted reason for channel events. This count is split over a 24-hour and 7-day period.
• Coverage Hole - APs reporting coverage holes—The top five access points filtered by IF Type 11a/n which triggered a coverage hole event (threshold based) are displayed.
• Aggregated Percent Max Power APs—A graphical progressive chart of the total percentage of 802.11a/n lightweight access points which are operating at maximum power to accommodate coverage hole events. The count is split over a 24-hour and 7-day period.
Note This maximum power portion shows the values from the last 24 hours and is poll driven. This occurs every 15 minutes or as configured for radio performance.
• Percent Time at Maximum Power—A list of the top five 802.11a/n lightweight access points which have been operating at maximum power.
Note This maximum power portion shows the value from the last 24 hours and is only event driven.

Monitoring Clients and Users

The Monitor Clients and Users information assists in identifying, diagnosing, and resolving client issues. Using the Monitor Clients and Users feature, you can view a client association history and statistical information. You can also troubleshoot client historical issues. These tools are useful when users complain of network performance as they move throughout a building with their laptop computers. The information may help you assess which areas experience inconsistent coverage and which areas have the potential to drop coverage. See Managing Clients, page 10-1 for more information.
Monitoring Alarms

This section contains the following topics:
• Alarms and Events Overview, page 5-126
• Viewing List of Alarms, page 5-126
• Filtering Alarms, page 5-127
• Viewing Alarm Details, page 5-128
• Viewing Events Related to Alarms, page 5-129
• Modifying Alarms, page 5-129
• Modifying the Alarm Browser, page 5-130
• Viewing the Alarm Summary, page 5-130
• Modifying Alarm Settings, page 5-132
• Working with Alarms, page 5-133
• Monitoring Access Point Alarms, page 5-134
• Monitoring Air Quality Alarms, page 5-135
• Monitoring CleanAir Security Alarms, page 5-137
• Monitoring Email Notifications, page 5-138
• Monitoring Severity Configurations, page 5-139
• Monitoring Cisco Adaptive wIPS Alarms, page 5-139
• Monitoring Cisco Adaptive wIPS Alarm Details, page 5-140

Alarms and Events Overview

An event is an occurrence or detection of some condition in and around the network. For example, it can be a report about radio interference crossing a threshold, the detection of a new rogue access point, or a controller rebooting.

Events are not generated by a controller for each and every occurrence of a pattern match. Some pattern matches must occur a certain number of times per reporting interval before they are considered a potential attack. The threshold of these pattern matches is set in the signature file. Events can then generate alarms, which in turn can generate e-mail notifications if configured to do so.

An alarm is a Cisco NCS response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), the NCS raises an alarm until the resulting condition no longer occurs. For example, an alarm may be raised while a rogue access point is detected, but the alarm terminates after the rogue has not been detected for several hours. One or more events can result in a single alarm being raised.
The mapping of events to alarms is their correlation function. For example, some IDS events are considered to be network wide, so all events of that type (regardless of which access point the event is reported from) map to a single alarm. On the other hand, other IDS events are client-specific. For these, all events of that type for a specific client MAC address map to an alarm which is also specific to that client MAC address, regardless of whether multiple access points report the same IDS violation. If the same kind of IDS violation takes place for a different client, then a different alarm is raised.

An NCS administrator currently has no control over which events generate alarms or when they time out. On the controller, individual types of events can be enabled or disabled (such as management, SNMP, trap controls, and so on).

Viewing List of Alarms

Choose Monitor > Alarms to access the Alarm Browser page, which provides a list of alarms. You can also hover your mouse cursor over Alarm Browser in the toolbar at the bottom of the NCS page to view the Alarm Browser page.

The Alarm Browser lists the following information for each alarm:
• Severity—Severity of the alarm, which can be:
– Critical
– Major
– Minor
– Warning
– Informational
• Status—Status of the alarm.
• Timestamp—Date and time that the alarm occurred.
• Category—Category assigned to the alarm such as rogue AP, controller, switch, and security.
• Condition—Condition that caused the alarm.
• Owner—Name of the person to whom this alarm is assigned, if one was entered.
• Message—Messages about the alarm.
• Failure Source—Indicates the source of the event (including name and/or MAC address).

Note By default, acknowledged alarms are not shown in the Alarm Browser page. To change this, select Administration > Settings > Alarms, then unselect the Hide Acknowledged Alarms check box.
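The correlation function described above has two rules worth seeing side by side: a network-wide IDS event type folds every report, from any access point, into one alarm, while a client-specific type keys the alarm on the client MAC address, so two access points reporting the same client produce one alarm and a second client produces another. The following is an added example, not NCS code: the event type names, the scope table that decides which rule applies, and the sample events are constructed assumptions.

```python
"""Event-to-alarm correlation as the overview describes.

Network-wide IDS event types collapse into one alarm no matter which access
point reports them. Client-specific IDS event types produce one alarm per client
MAC address, again regardless of how many access points report the same
violation; the same violation for a different client raises a different alarm.

Added example, not NCS code. The event type names, the scope table and the
sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed scope table. In NCS this mapping is fixed in the product; here it is
# a lookup so the two correlation rules can be exercised side by side.
NETWORK_WIDE_TYPES = {"Broadcast Deauth Flood"}                 # constructed name
CLIENT_SPECIFIC_TYPES = {"Client Deauth Flood", "EAPOL Flood"}  # constructed names


@dataclass
class Event:
    event_type: str
    reporting_ap: str
    client_mac: Optional[str] = None   # absent for network-wide events


@dataclass
class Alarm:
    key: Tuple[str, ...]
    events: List[Event] = field(default_factory=list)

    @property
    def reporting_aps(self):
        """Distinct access points that contributed events to this alarm."""
        return sorted({e.reporting_ap for e in self.events})


def alarm_key(ev):
    """The correlation function: which alarm an event belongs to.

    Returns None for event types outside the scope table; those are ignored here
    (the real product knows every type, this example only models two classes).
    """
    if ev.event_type in NETWORK_WIDE_TYPES:
        return (ev.event_type,)                       # one alarm for the whole network
    if ev.event_type in CLIENT_SPECIFIC_TYPES:
        if not ev.client_mac:
            raise ValueError("client-specific event %r has no client MAC" % ev.event_type)
        # Normalise the MAC so the same client seen via two APs lands in one alarm.
        return (ev.event_type, ev.client_mac.lower())
    return None


def correlate(events):
    """Fold an event stream into alarms keyed by alarm_key()."""
    alarms = {}
    for ev in events:
        key = alarm_key(ev)
        if key is None:
            continue
        alarms.setdefault(key, Alarm(key)).events.append(ev)
    return alarms


# Constructed sample: the same violations seen from two access points.
SAMPLE_IDS_EVENTS = [
    Event("Broadcast Deauth Flood", "AP-1"),
    Event("Broadcast Deauth Flood", "AP-2"),
    Event("Client Deauth Flood", "AP-1", "00:11:22:AA:BB:CC"),
    Event("Client Deauth Flood", "AP-2", "00:11:22:aa:bb:cc"),   # same client, other AP
    Event("Client Deauth Flood", "AP-1", "00:11:22:DD:EE:FF"),   # different client
    Event("EAPOL Flood", "AP-1", "00:11:22:AA:BB:CC"),           # different type, same client
    Event("Unmodelled Event", "AP-3"),                           # not in the scope table
]

if __name__ == "__main__":
    for key, alarm in correlate(SAMPLE_IDS_EVENTS).items():
        print(key, len(alarm.events), "event(s) from", alarm.reporting_aps)
```

Seven events become four alarms: one network-wide alarm carrying both access points' reports, one per-client alarm for the first client (again with both access points), one for the second client, and a separate one for the different event type against the first client. The MAC normalisation matters in practice, because controllers and traps are not consistent about letter case.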
You must unselect the preference of hiding acknowledged alarms if you want acknowledged alarms to show on the NCS Alarm Summary and alarm list pages.

Use the check box to select one or more alarms. To select all alarms displayed in the Alarm Browser, click the topmost box. See Modifying Alarms for more information.

Filtering Alarms

From the Monitor > Alarms page, you can filter the alarms that are displayed in the Alarm Browser.

Figure 5-5 Filtering Alarms

Choose Monitor > Alarms, then from the Show pulldown menu, select one of the following filters:
• Quick Filter—Enter text in any of the boxes to display alarms that contain the text you enter. For example, if you enter AP in the Category field, AP and Rogue AP alarms are displayed. It provides an optional filtered view of alarms for wired and wireless alarms.
• Advance Filter—This filter provides an advanced alarm search capability. It provides the ability to search on specific fields with various conditions such as contains, does not contain, starts with, ends with, and so on. Additionally, advanced filters allow nesting of AND/OR conditions. Select the category and operator, then enter criteria in the text field to compare against, then:
– Click + to add an additional filter or - to remove a filter you specified.
– Click Go to apply your filter.
– Click Clear Filter to clear the entries you entered.
– Click the disc icon to save your filter. Enter a name for the filter you want to save, then click Save.
Note When a preset filter is selected and the filter button is clicked, the filter criteria are greyed out. You can see the filter criteria but cannot change them. When All is selected to view all the entries, clicking the filter button shows the Quick Filter options, where you can filter the data using the filterable fields; there is also a free-form text box where you can enter text and filter the table.
• All—Displays all alarms.
• Manage Preset Filter—Displays any previously saved filters and allows you to edit and delete previously saved filters.
• Assigned to Me—Displays all alarms assigned to you.
• Unassigned Alarms—Displays all unassigned alarms.
• Alarms in Last 5 Minutes
• Alarms in Last 15 Minutes
• Alarms in Last 30 Minutes
• Alarms in the last hour
• Alarms in the last 8 hours
• Alarms in the last 24 hours
• Alarms in last 7 days
• All wired alarms—Displays all alarms for wired devices.
• All wireless alarms—Displays all alarms for wireless devices.

Viewing Alarm Details

You can view alarm details from the Monitor > Alarms page by clicking the expand icon to the far left of the alarm for which you want to see details. The details that are displayed depend on the alarm type you selected.

Table 5-60 Viewing Alarm Details

General Info (1)
• Failure Source—Indicates the source of the event (including name and/or MAC address).
• Owner—Name of the person to whom this alarm is assigned, or blank.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user.
• Category—The category of the alarm (for example, AP, Rogue AP, or Security).
• Created—Month, day, year, hour, minute, second, AM or PM the alarm was created.
• Modified—Month, day, year, hour, minute, second, AM or PM the alarm was last modified.
• Generated By—Device that generated the alarm.
• Severity—Level of severity: Critical, Major, Minor, Warning, Clear, Info.
• Previous Severity—The severity of the alarm after the most recent polling cycle.

Device Info
• Device Name—Name of the device.
• Device Address—IP address of the device.
• Device Contact—Contact information for the device.
• Device Location—Location of the device.
• Device Status—Status of the device.

Messages
• Device information retrieved from log messages.

Annotation
• Lists current notes regarding this rogue access point. To add a new note, click New Annotation. Type the note and click Post to save and display the note or Cancel to close the page without saving the note.

1. The General information may vary depending on the type of alarm. For example, some alarm details may include location and switch port tracing information.

From the Alarms list page, you can also view the events for the alarm you selected as explained in Viewing Events Related to Alarms, page 5-129.

Viewing Events Related to Alarms

When you select the Monitor > Alarms page, you can view alarm summary information by hovering your mouse over an alarm severity in the Severity column and clicking the icon that appears. A dialog appears displaying the top 5 events related to the alarm you selected. Click Events to display all events associated with the selected alarm.

Modifying Alarms

From the Monitor > Alarms page, you can modify the alarms by selecting the check box next to an alarm and then clicking one of the tasks at the top of the Alarm Browser page:

Note The alarms that appear on the Monitor > Alarms page depend on the settings you specify on the Administration > Settings page. See Modifying Alarm Settings, page 5-132 for more information.

• Change Status—Change the alarm status to one of the following:
– Acknowledge—You can acknowledge the alarm. By default, acknowledged alarms are not displayed in the Alarm Browser page. Acknowledged alarms remain in NCS and you can search for all acknowledged alarms using the alarm search functionality. See “Acknowledging Alarms” for more information.
– Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
– Clear—Clear the selected alarm(s). The alarm is removed from the Alarm Browser. Cleared alarms remain in NCS and you can search for all cleared alarms using the alarm search functionality.
Note Once the severity is Clear, the alarm is deleted from NCS after 30 days by default. You can modify this setting on the Administration > Settings page.
• Assign—For the selected alarm, you can:
– Assign to me—Assigns the alarm to the specified user.
– Unassign—Removes the specified owner from the alarm.
• Annotation—Enter an annotation for the selected alarm, then click Post. The annotation you entered appears when you view the alarm details.
• Delete—Delete the selected alarm(s). Indicates that the alarm is no longer detected by any device.

Specifying Email Notifications for Alarms

From the Monitor > Alarms page, you can set up email notifications for alarms based on the alarm category and severity level.
Step 1 Choose Monitor > Alarms, then click Email Notification.
Step 2 Select the Enable check box next to the alarm category for which you want to set up email notifications, then click Save. NCS sends email notifications when alarms for the categories you specified occur.

Modifying the Alarm Browser

Choose Monitor > Alarms to view a list of alarms. You can also click Alarm Browser in the toolbar at the bottom of the NCS page. You can modify the following information displayed in the Alarm Browser:
• To reorder the columns, drag and drop the column headings into any position.
• Click a column heading to sort the information by that column. By default, the column is sorted in descending order. Click the column heading again to sort the column in ascending order.
Note Not every column is sortable. Hover your mouse cursor over a column heading, and NCS displays whether the column is sortable.
• To customize which columns are displayed, click the Settings icon, then click Columns. Select the check box next to the columns you want to appear, and unselect the boxes for the columns you do not want to appear in the Alarm Browser window.

Viewing the Alarm Summary

When NCS receives an alarm message from a controller, switch, or NCS, it displays an alarm indicator in the Alarm Summary. The Alarm Summary is at the bottom of the NCS page and displays the total count of critical, major, and minor alarms currently detected by NCS. Hover your mouse cursor over the Alarm Summary, and the alarm details are displayed as shown in Figure 5-6.

Figure 5-6 NCS Alarm Summary

Note The alarms that appear on the Alarm Summary and on the Monitor > Alarms page depend on the settings you specify on the Administration > Settings page. By default, acknowledged alarms are not shown. See Modifying Alarm Settings, page 5-132 for more information.

Alarms are color coded as follows:
• Red—Critical Alarm
• Orange—Major Alarm
• Yellow—Minor Alarm

Alarms indicate the current fault or state of an element, and alarms are usually generated by one or more events. The alarm can be cleared but the event remains. See Alarms and Events Overview for more information about alarms.

Note By default, alarm counts refresh every minute. You can modify when alarm counts are refreshed on the Administration > User Preferences page.

When you hover your mouse cursor over the Alarm Summary, a window appears listing the number of critical, major, and minor alarms for each alarm category. You can specify which alarm categories are displayed in the Alarm Summary on the Administration > User Preferences page. By default, all categories are displayed:
• Alarm Summary—Displays a summary of the total alarms for all alarm categories.
• AP—Displays counts for AP alarms such as AP Disassociated from controller, Threshold violation for Load, Noise or Interference, AP Contained as Rogue, AP Authorization Failure, AP regulatory domain mismatch, or Radio card Failure.
• Context Aware Notifications
• Controller—Displays counts for controller alarms, such as reachability problems from NCS and other controller failures (fan failure, POE controller failure, AP license expired, link down, temperature sensor failure, and low temperature sensed).
• Coverage Hole—Displays counts for coverage hole alarms generated for access points whose clients do not have enough coverage as set by thresholds. See “Monitoring Maps” for more information.
• Mesh Links—Displays counts for mesh link alarms, such as poor SNR, console login, excessive parent change, authorization failure, or excessive association failure.
• Mobility Services—Displays counts for location alarms such as reachability problems from NCS and location notifications (In/Out Area, Movement from Marker, or Battery Level).
• NCS—Displays counts for NCS alarms.
• Performance—Displays counts for performance alarms.
• Rogue AP—Displays counts for malicious rogue access point alarms.
• Rogue Adhoc—Displays counts for unclassified rogue access point alarms.
• Security—Displays counts for security alarms such as Signature Attacks, AP Threats/Attacks, and Client Security Events.
• Switch—Displays counts for switch alarms such as authentication errors.
Modifying Alarm Settings

You can modify the following settings for alarms:
• Alarm count refresh rate—See Modifying Alarm Count Refresh Rate
• Alarm severity levels—See Configuring Alarm Severity Levels

Modifying Alarm Count Refresh Rate

By default, alarm counts refresh every minute. You can modify the refresh rate by selecting Administration > User Preferences, and then selecting a new value for the Refresh Alarm Count in the Alarm Summary Every menu.

Configuring Alarm Severity Levels

The Administration > Settings > Severity Configuration page allows you to change the severity level for newly generated alarms.

Note Existing alarms remain unchanged.

To reconfigure the severity level for a newly generated alarm, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 From the left sidebar menu, select Severity Configuration.
Step 3 Select the check box of the alarm condition whose severity level you want to change.
Step 4 From the Configure Severity Level drop-down list, select from the following severity levels:
• Critical
• Major
• Minor
• Warning
• Informational
• Reset to Default
Step 5 Click Go.
Step 6 Click OK to confirm the change or Cancel to leave the severity level unchanged.

Working with Alarms

You can view, assign, and clear alarms and events on access points and mobility services engines using NCS. This section also describes how to have email notifications of alarms sent to you.
• Assigning and Unassigning Alarms
• Deleting and Clearing Alarms
• Acknowledging Alarms

Assigning and Unassigning Alarms

To assign or unassign an alarm to yourself, follow these steps:
Step 1 Perform an advanced search for access point alarms. See “Advanced Search” for more information.
Step 2 Select the alarms that you want to assign to yourself by selecting their corresponding check boxes.
Note To unassign an alarm assigned to you, unselect the box next to the appropriate alarm. You cannot unassign alarms assigned to others.
Step 3 From the Select a command drop-down list, choose Assign to Me (or Unassign) and click Go. If you choose Assign to Me, your username appears in the Owner column. If you choose Unassign, the Owner column becomes empty.

Deleting and Clearing Alarms

To delete or clear an alarm from a mobility services engine, follow these steps:
Step 1 From the Monitor > Alarms page, select the alarms that you want to delete or clear by selecting their corresponding check boxes.
Note If you delete an alarm, NCS removes it from its database. If you clear an alarm, it remains in the NCS database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.
Step 2 From the Select a command drop-down list, choose Delete or Clear, and click Go.
Note To set up cleanup of old alarms and cleared alarms, choose Administration > Settings > Alarms. See “Configuring Alarms” for more information.

Acknowledging Alarms

You may want certain alarms to be removed from the Alarms List. For example, if you are continuously receiving an interference alarm from a certain access point on the 802.11g interface, you may want to stop that access point from being counted as an active alarm on the Alarm Summary page or any alarms list. In this scenario, you can find the alarm for the 802.11g interface in the Alarms list, select the check box, and choose Acknowledge from the Select a command drop-down list. Now if the access point generates a new violation on the same interface, NCS does not create a new alarm, and the Alarm Summary page shows no new alarms. However, if the interference violation is created on another interface, such as 802.11a, a new alarm is created.
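The distinction between deleting (gone from the database), clearing (kept in the Clear state until the cleanup task removes it) and acknowledging (kept and hidden, with recurrences on the same interface folded into the existing alarm while another interface still raises a new one) determines what an operator sees in the Alarm Summary and what still gets notified. The following is an added example, not NCS code, that walks the 802.11g interference scenario above through a small alarm store: the (entity, condition) alarm key, the assumption that recurrences on an Active alarm re-notify, and the sample timeline are constructed.

```python
"""Alarm lifecycle as described in this section.

An event raises an alarm for its managed entity. Acknowledging hides the alarm
from the Alarm Summary and alarm lists and stops notifications; a new violation
on the same entity and condition is absorbed rather than raising a new alarm,
whereas the same violation on another radio interface raises a new one. Clearing
keeps the alarm in the database in the Clear state until cleanup removes it
(30 days by default); deleting removes it from the database outright.

Added example, not NCS code. The (entity, condition) key, the rule that
recurrences on an Active alarm re-notify, and the timeline are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ACTIVE, ACKNOWLEDGED, CLEARED = "Active", "Acknowledged", "Clear"


@dataclass
class Alarm:
    entity: str              # managed entity, e.g. one radio interface of an AP
    condition: str
    severity: str
    state: str
    created: datetime
    last_event: datetime
    event_count: int = 1
    cleared_at: Optional[datetime] = None


class AlarmStore:
    """Minimal alarm database with acknowledge, clear, delete and cleanup semantics."""

    def __init__(self, cleared_retention_days=30):
        self.alarms = {}                                  # (entity, condition) -> Alarm
        self.retention = timedelta(days=cleared_retention_days)
        self.notifications = []                           # (key, when) e-mails that would go out

    def on_event(self, entity, condition, when, severity="Minor"):
        """Correlate one event into the alarm table and return the alarm it landed in."""
        key = (entity, condition)
        alarm = self.alarms.get(key)
        if alarm is None:
            alarm = Alarm(entity, condition, severity, ACTIVE, when, when)
            self.alarms[key] = alarm
            self.notifications.append((key, when))
            return alarm
        # An alarm already exists for this entity: it absorbs the event, and no
        # new alarm is raised until the existing one is deleted.
        alarm.last_event = when
        alarm.event_count += 1
        if alarm.state == ACTIVE:                         # assumed: acknowledged/cleared stay silent
            self.notifications.append((key, when))
        return alarm

    def acknowledge(self, key):
        self.alarms[key].state = ACKNOWLEDGED

    def clear(self, key, when):
        alarm = self.alarms[key]
        alarm.state, alarm.cleared_at = CLEARED, when

    def delete(self, key):
        del self.alarms[key]

    def cleanup(self, now):
        """Drop cleared alarms older than the retention period; return how many were dropped."""
        stale = [k for k, a in self.alarms.items()
                 if a.state == CLEARED and now - a.cleared_at > self.retention]
        for k in stale:
            del self.alarms[k]
        return len(stale)

    def browser(self, show_acknowledged=False):
        """What the Alarm Browser lists: cleared alarms never, acknowledged only on request."""
        return [a for a in self.alarms.values()
                if a.state == ACTIVE or (show_acknowledged and a.state == ACKNOWLEDGED)]

    def summary(self):
        """Alarm Summary counts by severity (acknowledged alarms hidden, as by default)."""
        counts = {}
        for a in self.browser():
            counts[a.severity] = counts.get(a.severity, 0) + 1
        return counts


def run_scenario():
    """Constructed timeline mirroring the 802.11g interference example in the text."""
    t0 = datetime(2011, 7, 1, 9, 0, 0)
    store = AlarmStore()
    g = ("AP-1/802.11g", "Interference threshold violation")
    a = ("AP-1/802.11a", "Interference threshold violation")
    obs = {}
    store.on_event(*g, t0)                                    # first alarm, notified
    store.acknowledge(g)
    store.on_event(*g, t0 + timedelta(minutes=5))             # recurrence: absorbed, silent
    obs["alarms_after_recurrence"] = len(store.alarms)
    obs["events_on_11g"] = store.alarms[g].event_count
    obs["notifications_after_ack"] = len(store.notifications)
    obs["summary_after_ack"] = store.summary()
    store.on_event(*a, t0 + timedelta(minutes=10))            # other interface: new alarm
    obs["alarms_after_11a"] = len(store.alarms)
    obs["summary_after_11a"] = store.summary()
    store.clear(a, t0 + timedelta(hours=1))                   # stays in the database as Clear
    obs["state_after_clear"] = store.alarms[a].state
    obs["browser_incl_acknowledged"] = len(store.browser(show_acknowledged=True))
    obs["cleanup_removed"] = store.cleanup(t0 + timedelta(days=31))
    store.delete(g)                                           # removed from the database
    obs["alarms_at_end"] = len(store.alarms)
    return obs


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Running the scenario shows the acknowledged 802.11g alarm absorbing its recurrence (one alarm, two events, no second notification, an empty summary), the 802.11a violation raising a separate alarm that then counts in the summary, the cleared alarm surviving in the Clear state until the 30-day cleanup removes it, and the delete leaving the table empty.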
By default, acknowledged alarms are not displayed in either the Alarm Summary page or any alarm list page. Also, no emails are generated for these alarms after you have marked them as acknowledged. By default, acknowledged alarms are not included for any search criteria. To change this default, go to the Administration > Settings > Alarms page and disable the Hide Acknowledged Alarms preference.

When you acknowledge an alarm, the following warning appears as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled (see Figure 5-7).

Figure 5-7 Alarm Warning

Note When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. Use the Administration > User Preferences page to disable this warning message.

You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged during the last seven days. NCS automatically deletes cleared alerts that are more than seven days old, so your results can only show activity for the last seven days. Until an existing alarm is deleted, a new alarm cannot be generated for any managed entity for which NCS has already generated an alarm.

Monitoring Access Point Alarms

The Access Point Alarms page displays the access point based alarms on your network. To access the AP alarms page, do one of the following:
• Perform a search for AP alarms. See “Using the Search Feature” for more information.
• Click the Access Point number link in the Alarm Summary box.

The Monitor AP Alarms page contains the following parameters:
• Severity—Indicates the severity of the alarm, shown by one of the following icons:
– Critical
– Major
– Minor
– Warning
– Info
– Unknown
– Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
Note When the controller goes down, the controller inventory dashlet shows the controller status as Critical, but the radio inventory dashlet retains the last known status. In the Monitor > AP page, the AP alarm status is shown as "Unknown".
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to whom this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the NCS alarm browser.
• Category—Indicates the category assigned to the alarm such as rogue AP, controller, switch, and security.
• Condition—Condition that caused the alarm.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See “Acknowledging Alarms” for more information.

Monitoring Air Quality Alarms

The Air Quality Alarms page displays air quality alarms on your network. To access the air quality alarms page, do one of the following:
• Perform a search for Performance alarms. See “Using the Search Feature” for more information.
• Click the Performance number link in the Alarm Summary box.

The Monitor Air Quality Alarms page contains the following parameters:
• Severity—Indicates the severity of the alarm, shown by one of the following icons:
– Critical
– Major
– Minor
– Warning
– Info
– Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to whom this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the NCS alarm browser.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See “Acknowledging Alarms” for more information.

Select a command Menu

Select one or more alarms by selecting their respective check boxes, select one of the following commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See “Acknowledging Alarms” for more information.
Note The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See “Monitoring RFID Tags” for more information.

Monitoring CleanAir Security Alarms

The CleanAir Security Alarms page displays security alarms on your network. To access the security alarms page, do one of the following:
• Perform a search for Security alarms. See “Using the Search Feature” for more information.
• Click the Security number link in the Alarm Summary box.

The Monitor CleanAir Security Alarms page contains the following parameters:
• Severity—Indicates the severity of the alarm, shown by one of the following icons:
– Critical
– Major
– Minor
– Warning
– Info
– Clear—Displays if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.
• Failure Source—Device that generated the alarm.
• Owner—Name of the person to whom this alarm is assigned, or blank.
• Date/Time—The time at which the alarm was generated.
• Message—The associated message displayed in the NCS alarm browser.
• Acknowledged—Displays whether or not the alarm is acknowledged by the user. See “Acknowledging Alarms” for more information.

Select a command Menu

Select one or more alarms by selecting their respective check boxes, select one of the following commands from the Select a command drop-down list, and click Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See “Acknowledging Alarms” for more information.
Note The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—Unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See “Monitoring RFID Tags” for more information.

Monitoring Email Notifications

The Cisco NCS includes a built-in email notification function which can notify the network operator when critical alarms occur. The email notification filter page allows you to add a filter for each alert category. Severity level is set to critical by default when the alert category is enabled, but you can choose a different severity level for different categories.
Email notifications are generated only for the severity levels that are configured. To configure e-mail notifications, follow these steps:
Step 1 Choose Monitor > Alarms.
Step 2 From the Select a command drop-down list, choose Email Notification.
Step 3 Click Go.
Step 4 Click an Alarm Category to edit the severity level and e-mail recipients for its e-mail notifications.
Step 5 Select the severity level check box(es) (Critical, Major, Minor, or Warning) for which you want a notification sent.
Step 6 Enter the notification recipient e-mail addresses in the To text box.
Note Separate multiple e-mail addresses with a comma.
Step 7 Click OK.
Step 8 Select the Enabled check box for applicable alarm categories to activate the delivery of e-mail notifications.
Step 9 Click OK.

Monitoring Severity Configurations

You can change the severity level for newly generated alarms.

Note Existing alarms remain unchanged.

To change the severity level of newly generated alarms, follow these steps:
Step 1 Choose Administration > Settings.
Step 2 Choose Severity Configuration from the left sidebar menu.
Step 3 Select the check box of the alarm condition for which you want to change the severity level.
Step 4 From the Configure Severity Level drop-down list, choose the new severity level (Critical, Major, Minor, Warning, Informational, or Reset to Default).
Step 5 Click Go.
Step 6 Click OK to confirm the change.

Monitoring Cisco Adaptive wIPS Alarms

Alarms from Cisco Adaptive wIPS DoS (Denial of Service) and security penetration attacks are classified as security alarms. You can view these wIPS alarms and their details in the Monitor > Alarms section of NCS. To view a list of wIPS DoS and security penetration attack alarms, follow these steps:
Step 1 Perform a search for Security alarms using the Advanced Search feature. See “Advanced Search” for more information on performing an advanced search.

The following information is provided for wIPS alarms:
• Severity—Severity levels include critical, major, info, warning, and clear.
• Failure Object—Displays the name and IP or MAC address of the object for which the alarm was generated. Click the Failure Object to view alarm details. See “Monitoring Cisco Adaptive wIPS Alarm Details” for more information on viewing wIPS alarm details.
• Date/Time—Displays the date and time that the alarm occurred.
• Message—Displays a message explaining why the alarm occurred (such as the applicable wIPS policy).
• Acknowledged—Displays whether or not the alarm is acknowledged by the user.
• Category—Indicates the category of this alarm, such as Security.
• Condition—Displays a description of what caused this alarm to be triggered.

When there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use these to view additional alarms. To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page.

Select a command

Using the Select a command drop-down list, you can perform the following actions on the selected alarms:
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications.
To perform an action on the selected alarm, follow these steps:

Step 1 Select an alarm by selecting its check box.
Step 2 From the Select a command drop-down list, select the applicable command.
Step 3 Click Go.

Monitoring Cisco Adaptive wIPS Alarm Details

Choose Monitor > Alarms to view details of the selected Cisco wIPS alarm. The following Alarm Details are provided for Cisco Adaptive wIPS alarms:
• General
– Detected By wIPS AP—The access point that detected the alarm.
– wIPS AP IP Address—The IP address of the wIPS access point.
– Owner—Name of the person to whom this alarm is assigned, or left blank.
– Acknowledged—Displays whether or not the alarm is acknowledged by the user.
– Category—For wIPS, the alarm category is Security.
– Created—Month, day, year, hour, minute, second, AM or PM that the alarm was created.
– Modified—Month, day, year, hour, minute, second, AM or PM that the alarm was last modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” will be NMS.
Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case, “Generated by” will be Controller.
– Severity—Level of severity including critical, major, info, warning, and clear.
– Last Disappeared—The date and time that the potential attack last disappeared.
– Channel—The channel on which the potential attack occurred.
– Attacker Client/AP MAC—The MAC address of the client or access point that initiated the attack.
– Attacker Client/AP IP Address—The IP address of the client or access point that initiated the attack.
– Target Client/AP IP Address—The IP address of the client or access point targeted by the attacker.
– Controller IP Address—The IP address of the controller to which the access point is associated.
– MSE—The IP address of the associated mobility services engine.
– Controller MAC address—The MAC address of the controller to which the access point is associated.
– wIPS access point MAC address
– Forensic File
– Event History—Takes you to the “Monitoring Alarms” page to view all events for this alarm.
• Annotations—Enter any new notes in this box and click Add to update the alarm. Notes are displayed in the “Annotations” display area.
• Messages—Displays information about the alarm.
• Audit Report—Click to view config audit alarm details. This report is only available for Config Audit alarms. Configuration audit alarms are generated when audit discrepancies are enforced on config groups.

Note If enforcement fails, a critical alarm is generated on the config group. If enforcement succeeds, a minor alarm is generated on the config group. The alarms have links to the audit report where you can view a list of discrepancies for each controller.

• Rogue Clients—If the failure object is a rogue access point, information about rogue clients is displayed.

Select a command

Select one or more alarms by selecting their respective check boxes, selecting one of the following commands, and clicking Go.
• Assign to me—Assign the selected alarm(s) to the current user.
• Unassign—Unassign the selected alarm(s).
• Delete—Delete the selected alarm(s).
• Clear—Clear the selected alarm(s).
• Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in NCS and you can search for all Acknowledged alarms using the alarm search functionality.
• Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
• Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications.
• Event History—Takes you to the Monitor Alarms > Events page to view events for Rogue Alarms.

Monitoring Events

One or more events may generate an abnormal state or alarm. The alarm can be cleared, but the event remains. Choose Monitor > Events to access the Events page, which displays the following information:
• Description—Describes the event details.
• Time—Indicates the date and time the event was generated.
• Severity—Event severities include: Critical, Major, Minor, Warning, Cleared, or Information.
• Failure Source—Indicates the source of the event (including name and/or MAC address).
• Category—Type of event such as Rogue AP, Security, or AP.

Click on any column heading to sort by that column. Use the quickview icon to disclose more information on the event. The additional information for the event is divided into general information and the message. The general information includes the failure source, the category, severity, generated time, and IP address. The message of the event is also displayed. (See Figure 5-8.)

Figure 5-8 Viewing Events

Note Events also have preset, quick, and advanced filters similar to alarms. These filters work in the same way as the filters in alarms.

When you filter the table using the Search feature, the Events page may display additional information. See “Advanced Search” (Advanced Search results for Events) for more information on performing a search. The additional information includes:
• Coverage Hole Events
– Access Point Name
– Failed Clients—Number of clients that failed due to the coverage hole.
– Total Clients—Total number of clients affected by the coverage hole.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Coverage Threshold
• Rogue AP Events
– Vendor—Rogue access point vendor name or Unknown.
– Classification Type—Indicates the type of rogue access point including Malicious, Friendly, or Unclassified.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)

Note See “Monitoring Rogue Alarm Events” or “Viewing Rogue AP Event Details” for more information on rogue access point events.

• Adhoc Rogue Events
– Vendor—Rogue access point vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for adhoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Interference
– Detected By—IP address of the device that detected the interference.
– ID—ID of the device that detected the interference.
• Mesh Links
• Client
• Context Aware Notification
• Pre Coverage Hole
– Client MAC Address—MAC address of the client affected by the Pre Coverage Hole.
– AP MAC Address—MAC address of the applicable access point.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Power Level—Access point transmit power level (1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, 5 = 0.195 to 6.25% power).
– Client Type—Client type can be laptop(0), pc(1), pda(2), dot11mobilephone(3), dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9), videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14), radiotag(15), rfidsensor(16), server(17).
– WLAN Coverage Hole Status

If there is more than one page of events, the number of pages is displayed with a scroll arrow on each side. Use this to view additional events.

This section contains the following topics:
• Searching Events
• Monitoring Failure Objects
• Monitoring Events for Rogue APs
• Viewing Adhoc Rogue Event Details
• Monitoring Cisco Adaptive wIPS Events
• Working with Events

Searching Events

Use the NCS Search feature to find specific events or to create and save custom searches. See one of the following topics for additional information:
• Using the Search Feature
• Quick Search
• Advanced Search
• Saved Searches

Monitoring Failure Objects

Note The event categories Location Servers and Location Notifications appear only in the Cisco NCS Location version.

Choose Monitor > Events, then click the expand icon to the far left of the Monitor > Events page for the event for which you want to see details.
Details about the event are displayed. Depending on the type of event you selected, the associated details vary.
• General Info
– Failure Source—Indicates the source of the event (including name and/or MAC address).
– Category—Type of alarm such as Security or AP.
– Generated—Date and time that the event was generated.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” will be NMS.
Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case, “Generated by” will be Controller.
– Device IP Address—IP address of the alarm-generating device.
– Severity—Level of severity including critical, major, info, warning, and clear.
• Messages—Message explaining why the event occurred.

Monitoring Events for Rogue APs

Choose Monitor > Events. From the left sidebar menu Event Category, choose Rogue AP to display the Monitoring Events page for rogue access points. Click an item under Rogue MAC Address to display this page. This page displays alarm events for a rogue access point radio. Rogue access point radios are unauthorized access points detected by controllers. The following parameters appear:

General
• Rogue MAC Address
• Vendor
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Owner—Name of the person to whom this alarm is assigned, or (blank).
• State—State of this radio relative to the network or Port.
Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Containment Level—An access point which is being contained will either not be able to provide service at all, or will provide exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 Series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.
• Channel—Indicates the band at which the adhoc rogue is broadcasting.
• Radio Type—Lists all radio types applicable to this rogue access point.
• Created—Date and time that the event occurred.
• Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” will be NMS.
– Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case, “Generated by” will be Controller.
• Device IP Address—IP address of the alarm-generating device.
• Severity—Level of severity: Critical, Major, Minor, Warning, Clear, Info. Color coded.
• Message—Displays descriptive information about the alarm.
• Help—Displays information about the alarm.

Note Use the Advanced Search feature to find specific events. See Advanced Search for more information.
Monitoring Events for Adhoc Rogues

Choose Monitor > Events. From the left sidebar menu Event Category, choose Adhoc Rogue to display the Monitoring Events page for adhoc rogues. Click an item under Rogue MAC Address to display adhoc rogue event details.

General
• Rogue MAC Address
• Vendor
• On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
• Owner—Name of the person to whom this alarm is assigned, or (blank).
• State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.
• SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
• Containment Level—An access point which is being contained will either not be able to provide service at all, or will provide exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 Series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.
• Channel—Indicates the band at which the adhoc rogue is broadcasting.
• Created—Date and time that the event occurred.
• Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - NCS)—Generated through polling. NCS periodically polls the controllers and generates events. NCS generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” will be NMS.
– Trap—Generated by the controller. NCS processes these traps and raises corresponding events for them. In this case, “Generated by” will be Controller.
• Device IP Address—IP address of the alarm-generating device.
• Severity—Level of severity: Critical, Major, Minor, Warning, Clear, Info. Color coded.
• Message—Displays descriptive information about the alarm.
• Help—Displays information about the alarm.

Monitoring Cisco Adaptive wIPS Events

Choose Monitor > Events to view wIPS events. One or more events may generate an abnormal state or alarm. The alarm can be cleared, but the event remains. For more information regarding monitoring events, see “Monitoring Events.” The following sections provide additional information regarding Cisco Adaptive wIPS:
• Configuring wIPS Profiles
• NCS Services
• wIPS Policy Alarm Encyclopedia

Perform an events search to narrow the results to mobility services engine or Security events only. To view mobility services engine or Security events only, follow these steps:

Step 1 Choose Monitor > Events.
Step 2 From the left sidebar menu, choose Mobility Service or Security from the Event Category drop-down list.
Step 3 Click Go.

Note If there is more than one page of events, the number of pages is displayed with a scroll arrow on each side. Use this to view additional events.

Monitoring CleanAir Air Quality Events

You can use NCS to view the events generated on the air quality of the wireless network. To view air quality events, follow these steps:

Step 1 Click Advanced Search in the NCS window. The New Search page appears.
Step 2 In the New Search page, choose Events from the Search Category drop-down list.
Step 3 From the Severity drop-down list, choose the severity of the air quality events you want to search for.
Step 4 From the Event Category drop-down list, choose Performance.
Step 5 Click Go.

The air quality events page displays the following information:
• Severity—Indicates the severity of the alarm, shown by an icon with one of the following meanings:
– Critical
– Major
– Minor
– Warning
– Info
– Clear—Displays if the rogue is no longer detected by any access point.
• Failure Source—Device that generated the alarm.
• Date/Time—The time at which the alarm was generated.

Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.

Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.

Viewing Air Quality Event Details

To view air quality event details, follow these steps:

Step 1 From the Air Quality Events page, click an item under Failure Source to access the alarm details page. See Monitoring CleanAir Air Quality Events.
Step 2 The air quality event page displays the following information:
• Failure Source—Device that generated the alarm.
• Category—The category this event comes under. In this case, Performance.
• Created—The time stamp at which the event was generated.
• Generated by—The device that generated the event.
• Device IP Address—The IP address of the device that generated the event.
• Severity—The severity of the event.
• Alarm Details—A link to the related alarms associated with this event. Click the link to know more about the alarm details.
• Message—Describes the air quality index on this access point.

Monitoring Interferer Security Risk Events

You can use NCS to view the security events generated on your wireless network. To view interferer security events, follow these steps:

Step 1 Click Advanced Search in the NCS window. The New Search page appears.
Step 2 In the New Search page, choose Events from the Search Category drop-down list.
Step 3 From the Severity drop-down list, choose the severity of the interferer security events you want to search for.
Step 4 From the Event Category drop-down list, choose Security.
Step 5 Click Go.

The interferer security events page displays the following information:
• Severity—Indicates the severity of the alarm, shown by an icon with one of the following meanings:
– Critical
– Major
– Minor
– Warning
– Info
– Clear—Displays if the rogue is no longer detected by any access point.
• Failure Source—Device that generated the alarm.
• Date/Time—The time at which the alarm was generated.

Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.

Note Once the severity of a rogue is Clear, the alarm is deleted from NCS after 30 days.

Viewing Interferer Security Risk Event Details

To view interferer security event details, follow these steps:

Step 1 In the Interferer Security Event details page, click an item under Failure Source to access the alarm details page. See Monitoring Interferer Security Risk Events.
Step 2 The interferer security event page displays the following information:
• Failure Source—Device that generated the alarm.
• Category—The category this event comes under. In this case, Security.
• Created—The time stamp at which the event was generated.
• Generated by—The device that generated the event.
• Device IP Address—The IP address of the device that generated the event.
• Severity—The severity of the event.
• Alarm Details—A link to the related alarms associated with this event. Click the link to know more about the alarm details.
• Message—Describes the interferer device affecting the access point.
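The Clear rule stated in the Notes above (a rogue alarm becomes Clear only once no access point still detects the rogue, and a Clear alarm is deleted after 30 days) as a small Python model. This is an added illustration, not NCS code; the access point names, the MAC address and the timestamps are constructed.

```python
"""Model of the NCS rogue-alarm Clear rule (added illustration, not NCS code).

A rogue may be reported by several managed access points. The alarm is set
to Clear only when no access point reports it any more, and an alarm that
has been Clear for 30 days is deleted.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

PURGE_AFTER = timedelta(days=30)  # the guide: deleted from NCS after 30 days


@dataclass
class RogueAlarm:
    rogue_mac: str
    severity: str                                       # e.g. Major, Clear
    detected_by: Set[str] = field(default_factory=set)  # APs still seeing it
    cleared_at: Optional[datetime] = None               # set when Clear


class RogueAlarmTable:
    """Tracks which access points currently detect each rogue MAC."""

    def __init__(self) -> None:
        self.alarms: Dict[str, RogueAlarm] = {}

    def detected(self, rogue_mac: str, ap: str, severity: str) -> RogueAlarm:
        """An AP reports the rogue: open (or re-open) the alarm and add the AP."""
        alarm = self.alarms.get(rogue_mac)
        if alarm is None:
            alarm = RogueAlarm(rogue_mac, severity)
            self.alarms[rogue_mac] = alarm
        alarm.detected_by.add(ap)
        alarm.severity = severity
        alarm.cleared_at = None  # a fresh detection un-clears the alarm
        return alarm

    def lost(self, rogue_mac: str, ap: str, when: datetime) -> Optional[RogueAlarm]:
        """An AP no longer sees the rogue. Clear only if no AP sees it at all."""
        alarm = self.alarms.get(rogue_mac)
        if alarm is None:
            return None
        alarm.detected_by.discard(ap)
        if not alarm.detected_by and alarm.severity != "Clear":
            alarm.severity = "Clear"
            alarm.cleared_at = when
        return alarm

    def purge(self, now: datetime) -> List[str]:
        """Delete alarms that have been Clear for 30 days; return their MACs."""
        purged = [mac for mac, a in self.alarms.items()
                  if a.cleared_at is not None and now - a.cleared_at >= PURGE_AFTER]
        for mac in purged:
            del self.alarms[mac]
        return purged


def run_sample() -> list:
    """Constructed scenario: two APs see one rogue, then lose it one at a time."""
    table = RogueAlarmTable()
    mac = "00:11:22:33:44:55"              # constructed sample rogue MAC
    t0 = datetime(2011, 7, 1, 9, 0)        # constructed timestamp
    trace = []
    trace.append(table.detected(mac, "AP-Lobby", "Major").severity)   # Major
    trace.append(table.detected(mac, "AP-Hall", "Major").severity)    # Major
    # AP-Lobby loses the rogue, but AP-Hall still sees it: no Clear yet.
    trace.append(table.lost(mac, "AP-Lobby", t0).severity)            # Major
    # The last detecting AP loses it: now the alarm goes to Clear.
    trace.append(table.lost(mac, "AP-Hall", t0 + timedelta(hours=1)).severity)  # Clear
    trace.append(table.purge(t0 + timedelta(days=29)))                # []
    trace.append(table.purge(t0 + timedelta(days=31)))                # [mac]
    return trace


if __name__ == "__main__":
    print(run_sample())
```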
Monitoring Health Monitor Events

You can use NCS to view the events generated by the Health Monitor. To view the health monitor events, follow these steps:

Step 1 Click Advanced Search in the NCS window. The New Search page appears.
Step 2 In the New Search page, choose Events from the Search Category drop-down list.
Step 3 From the Severity drop-down list, choose the severity of the health monitor events you want to search for.
Step 4 From the Event Category drop-down list, choose NCS.
Step 5 Click Go.

The health monitor events page displays the following information:
• Severity—Indicates the severity of the alarm, shown by an icon with one of the following meanings:
– Critical
– Major
– Minor
– Warning
– Info
– Clear
• Failure Source—Device that generated the alarm.
• Date/Time—The time at which the alarm was generated.
• Message—Describes the health details.

Viewing Health Monitor Event Details

To view health monitor event details, follow these steps:

Step 1 From the Health Monitor Events page, click an item under Failure Source to access the alarm details page. See the “Monitoring Health Monitor Events” section on page 5-150.
Step 2 The health monitor event page displays the following information:
• Failure Source—Device that generated the alarm.
• Category—The category this event comes under. In this case, NCS.
• Created—The time stamp at which the event was generated.
• Generated by—The device that generated the event.
• Device IP Address—The IP address of the device that generated the event.
• Severity—The severity of the event.
• Alarm Details—A link to the related alarms associated with this event. Click the link to know more about the alarm details.
• Message—Describes the event through a message.

Working with Events

You can use NCS to view mobility services engine and access point events. You can search and display events based on their severity (critical, major, minor, warning, clear, info) and event category, or you can search for a mobility services engine and access point by its IP address, MAC address, or name. A successful event search displays the event severity, failure object, date and time of the event, and any messages for each event. To display events, follow these steps:

Step 1 In Cisco NCS, click Monitor > Events.
Step 2 In the Events page:
• If you want to display the events for a specific element and you know its IP address, MAC address, or Name, enter that value in the Quick Search text box (left pane). Click Go.
• To display events by severity and category, select the appropriate options from the Severity and Event Category drop-down lists (left pane). Click Search.
Step 3 If NCS finds events that match the search criteria, it displays a list of these events.

Note For more information about an event, click the failure object associated with the event. Additionally, you can sort the events summary by each of the column headings.

Monitoring Site Maps

Maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and floors. With the NCS database, you can add maps and view your managed system on realistic campus, building, and floor maps. See Monitoring Maps, page 6-1 for more information.

Monitoring Google Earth Maps

You can enable location presence by mobility server to provide expanded Civic (city, state, postal code, country) and GEO (longitude, latitude) location information beyond the Cisco default setting (campus, building, floor, and X, Y coordinates). This information can then be requested by clients on a demand basis for use by location-based services and applications.
Location Presence can be configured when a new campus, building, floor, or outdoor area is being added, or configured at a later date. See Monitoring Google Earth Maps, page 6-111 for more information.

CHAPTER 6 Monitoring Maps

This chapter describes how to add maps to the Cisco NCS database and use them to monitor your LAN. With the NCS database, you can add maps and view your managed system on realistic campus, building, and floor maps.

Note Additionally, you can enable location presence by mobility server to provide expanded Civic (city, state, postal code, country) and GEO (longitude, latitude) location information beyond the Cisco default setting (campus, building, floor, and X, Y coordinates). This information can then be requested by clients on a demand basis for use by location-based services and applications. Location Presence can be configured when a new campus, building, floor, or outdoor area is being added, or configured at a later date.

Note A mobility server should be synchronized before Location Presence is enabled. For details on enabling location presence and assigning its parameters, refer to the Cisco Context-Aware Services documentation. This configuration guide also covers verifying location accuracy, using chokepoints, using Wi-Fi TDOA receivers, applying calibration models, and other context-aware planning and verification topics.
This chapter contains the following sections:
• Information About Maps, page 6-2
• Guidelines and Limitations, page 6-5
• Monitoring Maps, page 6-8
• Searching Maps, page 6-69
• Using the Map Editor, page 6-69
• Inspecting Location Readiness and Quality, page 6-76
• Monitoring Mesh Networks Using Maps, page 6-78
• Monitoring Tags Using Maps, page 6-89
• Using Planning Mode, page 6-89
• Refresh Options, page 6-97
• Creating a Network Design, page 6-98
• Importing or Exporting WLSE Map Data, page 6-102
• Monitoring Device Details, page 6-103
• Monitoring Google Earth Maps, page 6-111

Information About Maps

This section contains the following topics:
• Maps, page 6-2
• Campus, page 6-3
• Building, page 6-3
• Floor Area, page 6-3
• Outdoor Area, page 6-4
• Access Points, page 6-4
• Chokepoints, page 6-4
• Wi-Fi TDOA Receivers, page 6-4
• Map Editor, page 6-4

Maps

Maps provide a summary view of all your managed systems on campuses, buildings, outdoor areas, and floors. The available information includes:
• Total APs—Number of total access points for each map.
• 802.11a/n Radios and 802.11b/g/n Radios—Number of 802.11a/n and 802.11b/g/n radios associated with each map.
• Out of Service (OOS) Radios—Number of 802.11a/n and 802.11b/g/n radios associated with each map.
• Clients—Number of clients associated to access points on the map.

Note This number is based on the most recent Client Statistics Poll. The number of clients located on the map by MSE may not match this number.

• AP Heat Maps—A real-time wireless RF graphical representation of data which shows RF coverage throughout a facility or campus through the use of a heat map. For more information on heat maps, refer to Understanding RF Heatmap Calculation, page 6-109.
• 802.11a/n and 802.11b/g/n Avg Air Quality—Indicates the average Air Quality (AQ) for 802.11a/n and 802.11b/g/n radios.
• 802.11a/n and 802.11b/g/n Min Air Quality—Indicates the minimum Air Quality (AQ) for 802.11a/n and 802.11b/g/n radios.
• Status—Indicates the current status of the map.
– Red circle—Critical fault
– Yellow triangle—Minor fault
– Green square—Ok

Note To view or edit current maps, choose Monitor > Site Maps (see Figure 6-1) and select the appropriate map from the list. Use the Select a command drop-down list to access additional functionality.

Figure 6-1 Site Maps Page

The left sidebar menu lists all campuses, buildings, and floors in a tree view. When you click a campus, building, or floor in the Maps Tree View menu, the main area of the page displays the corresponding information.

Note Click Edit View to change the information displayed for the listed maps. See the “Configuring Edit View” section on page 6-9 for more information.

Note Root Area (listed in the Maps Tree View menu) displays a list of buildings that are not in campuses. Status and object counts for Root Area buildings are not aggregated.

Use the Select a command drop-down list for additional map functionality.

Campus

A campus is the area in which a building, an outdoor area, or a set of surrounding buildings are situated.

Building

A structure that has a roof and walls and stands more or less permanently in one place.

Floor Area

The floor area is the area of each floor of the building measured to the outer surface of the outer walls, including the area of lobbies, cellars, elevator shafts and, in multi-dwelling buildings, all the common spaces.

Outdoor Area

An area which includes a building or set of buildings, or could be just plain land that is not an indoor area.

Access Points

Access Points (APs) are specially configured nodes on wireless local area networks (WLANs).
Access points act as a central transmitter and receiver of WLAN radio signals. Access points support Wi-Fi wireless communication standards.

Chokepoints

Installation of chokepoints provides enhanced location information for RFID tags. When an active Cisco Compatible Extensions version 1 compliant RFID tag enters the range of a chokepoint, it is stimulated by the chokepoint. The MAC address of this chokepoint is then included in the next beacon sent by the stimulated tag. All access points that detect this tag beacon then forward the information to the controller and location appliance. See the “Configuring ChokePoints” section on page 6-56 for more information.

Wi-Fi TDOA Receivers

TDoA technology uses a time-based method to calculate the location. Each Wi-Fi TDoA receiver reports the time of arrival of the signal from the tag to its respective receiver. The Cisco Mobility Services Engine correlates the time of arrival for all the tag signals from all the TDoA receivers to find the intersection points of known distances. The greater the number of receivers used in the calculation, the more accurately the tag can be located. Wi-Fi TDoA receivers are typically used for calculating location information in manufacturing or retail warehouse environments (where there are lots of machines or high ceilings or both), in outdoor environments, or in other line-of-sight environments. See the “Configuring WiFi TDOA Receivers” section on page 6-59 for more information.

Map Editor

You can use the NCS map editor to define, draw, and enhance floor plan information. The map editor enables you to create obstacles to consider when you compute RF prediction heat maps for access points. You can also add coverage areas for MSEs that locate clients and tags in that particular area. With the map editor, you can perform the following functions:
• Save—Saves the current map image.
• Recompute prediction—Updates the RF prediction heatmap if any changes are made to the existing floor map image.
• Reload Last Saved—Loads the last saved map image.
• Select all—Selects all the obstacles and coverage areas that you have created.
• Unselect—Deselects the obstacles and coverage areas that are selected.
• Move selected Obstacles—Moves the selected obstacles to a different location on the map.
• Duplicate selected Obstacles—Creates a copy of the selected obstacles.
• Zoom in/Zoom out—Zooms in or out on the image you are currently viewing.
• Show floor image—Use this to display the floor image.
• Show obstacles—Use this to display the obstacles.
• Larger resolution/Medium resolution/Smaller resolution—Increase or decrease the resolution of the floor map image.
• SNAP Mode—Use this to snap an obstacle to its nearest obstacle while drawing.
• ORTHO Mode—Use this to draw a horizontal or vertical obstacle. This is especially useful when you want to draw all the obstacles at right angles.

Guidelines and Limitations
This section includes the guidelines and limitations for this feature and contains the following topics:
• Guidelines for Using the Map Editor, page 6-5
• Guidelines for Placing Access Points, page 6-5
• Guidelines for Inclusion and Exclusion Areas on a Floor, page 6-7

Guidelines for Using the Map Editor
Consider the following when modifying a building or floor map using the map editor:
• We recommend that you use the map editor to draw walls and other obstacles rather than importing an .FPE file from the legacy floor plan editor.
  – If necessary, you can still import .FPE files. To do so, navigate to the desired floor area, choose Edit Floor Area from the Select a command drop-down list, click Go, select the FPE File check box, and browse to and choose the .FPE file.
• You can add any number of walls to a floor plan with the map editor; however, the processing power and memory of a client workstation may limit the refresh and rendering aspects of NCS.
  – We recommend a practical limit of 400 walls per floor for machines with 1-GB RAM or less.
• All walls are used by NCS when generating RF coverage heatmaps.
  – However, the MSE uses no more than 50 heavy walls in its calculations, and the MSE does not use light walls in its calculations because those attenuations are already accounted for during the calibration process.

If you have a high-resolution image (near 12 megapixels), you may need to scale down the image resolution with image editing software prior to using the map editor.

Guidelines for Placing Access Points
Place access points along the periphery of coverage areas to keep devices close to the exterior of rooms and buildings (see Figure 6-2). Access points placed in the center of these coverage areas provide good data on devices that would otherwise appear equidistant from all other access points.

Figure 6-2 Access Points Clustered Together

By increasing overall access point density and moving access points towards the perimeter of the coverage area, location accuracy is greatly improved (see Figure 6-3).

Figure 6-3 Improved Location Accuracy by Increasing Density

In long and narrow coverage areas, avoid placing access points in a straight line (see Figure 6-4). Stagger them so that each access point is more likely to provide a unique snapshot of a device location.

Figure 6-4 Refrain From Straight Line Placement

Although the design in Figure 6-4 may provide enough access point density for high-bandwidth applications, location suffers because each access point's view of a single device is not varied enough; therefore, location is difficult to determine.
Move the access points to the perimeter of the coverage area and stagger them. Each has a greater likelihood of offering a distinctly different view of the device, resulting in higher location accuracy (see Figure 6-5).

Figure 6-5 Improved Location Accuracy by Staggering Around Perimeter

Designing a location-aware wireless LAN, while planning for voice as well, is better done with a few things in mind. Most current wireless handsets support only 802.11b/n, which offers only three non-overlapping channels. Therefore, wireless LANs designed for telephony tend to be less dense than those planned to carry data. Also, when traffic is queued in the Platinum QoS bucket (typically reserved for voice and other latency-sensitive traffic), lightweight access points postpone the scanning functions that allow them to peek at other channels and collect, among other things, device location information.

The user has the option to supplement the wireless LAN deployment with access points set to monitor-only mode. Access points that perform only monitoring functions do not provide service to clients and do not create any interference. They simply scan the airwaves for device information. Less dense wireless LAN installations, such as voice networks, find their location accuracy greatly increased by the addition and proper placement of monitor access points (see Figure 6-6).

Figure 6-6 Less Dense Wireless LAN Installations

Verify coverage using a wireless laptop, handheld, or phone to ensure that no fewer than three access points are detected by the device. To verify client and asset tag location, ensure that NCS reports client devices and tags within the specified accuracy range (10 m, 90%).

Note If you have a ceiling-mounted AP with an integrated omni-directional antenna, the antenna orientation does not really need to be set in NCS.
However, if you mount that same AP on the wall, you will have to set the antenna orientation to 90 degrees.

Guidelines for Inclusion and Exclusion Areas on a Floor
Inclusion and exclusion areas can be any polygon shape and must have at least three points. You can only define one inclusion region on a floor. By default, an inclusion region is defined for each floor when it is added to NCS. The inclusion region is indicated by a solid aqua line and generally outlines the region. You can define multiple exclusion regions on a floor.

Newly defined inclusion and exclusion regions appear on heatmaps only after the mobility services engine recalculates location.

Monitoring Maps
This section contains the following topics:
• Configuring Maps, page 6-8
• Configuring Buildings, page 6-16
• Configuring Campus, page 6-23
• Configuring Outdoor Areas, page 6-25
• Configuring Floor Areas, page 6-28
• Configuring ChokePoints, page 6-56
• Configuring WiFi TDOA Receivers, page 6-59
• Managing RF Calibration Models, page 6-62
• Managing Location Presence Information, page 6-68

Configuring Maps
This section contains the following topics:
• Viewing a Map, page 6-8
• Editing a Map, page 6-10
• Deleting a Map, page 6-10
• Copying a Map, page 6-11
• Exporting a Map, page 6-12
• Importing a Map, page 6-13
• Editing Map Properties, page 6-14

Viewing a Map
To view a current campus map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the campus map to open its details page (see Figure 6-7).

Figure 6-7 Campus View

Step 3 The Select a command drop-down list provides the following options:
• New Floor Area—See the “Adding Floor Areas to a Campus Building” section on page 6-28 for more information.
• Edit Building—See the “Editing a Map” section on page 6-10 for more information.
• Delete Building—See the “Deleting a Map” section on page 6-10 for more information.
• Copy Building—See the “Managing RF Calibration Models” section on page 6-62 for more information.
• Edit Location Presence Information—See the “Managing Location Presence Information” section on page 6-68 for more information.

Note Use the Monitor > Site Maps > Campus View main navigation bar at the top of the campus image to enlarge or decrease the size of the map view and to hide or show the map grid (which displays the map size in feet or meters).

Configuring Edit View
The Edit View page enables you to choose which columns appear in the maps list page.

Note Name and Type are fixed columns. They cannot be moved or hidden.

Column names appear in one of the following lists:
• Hide Information—Lists columns that do not appear in the table. The Hide button points to this list.
• View Information—Lists columns that do appear in the table. The Show button points to this list.

To display a column in a table, click it in the Hide Information list, then click Show. To remove a column from a table, click it in the View Information list, then click Hide. You can select more than one column by pressing the Shift or Control key.

To change the position of a column in the View Information list, click it, then click Up or Down. The higher a column is in the list, the farther left it appears in the table.

Edit View Command Buttons
The following command buttons appear in the Edit View page:
• Reset—Set the table to the default display.
• Show—Move the highlighted columns from the Hide Information list to the View Information list.
• Hide—Move the highlighted columns from the View Information list to the Hide Information list.
• Up—Move the highlighted columns upward in the list (further to the left in the table).
• Down—Move the highlighted columns downward in the list (further to the right in the table).
• Submit—Save the changes to the table columns and return to the previous page.
• Cancel—Undo the changes to the table columns and return to the previous page.

Editing a Map
To edit a current campus map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the campus map to open its details page.
Step 3 From the Select a command drop-down list, choose Edit Campus.
Step 4 Make any necessary changes to the Campus Name and the Contact.

Note To change the unit of measurement (feet or meters), choose Monitor > Site Maps and select Properties from the Select a command drop-down list.

Step 5 Click Next.
Step 6 Make any additional changes to Maintain Aspect Ratio or Dimensions (feet).
Step 7 Click OK.

Note System Campus is part of all partitions. Also, you cannot edit or delete a system campus.

Deleting a Map
Follow these steps to delete a map:
Step 1 From the Monitor > Site Maps page, select the check box(es) for the map(s) that you want to delete.
Step 2 Click Delete at the bottom of the map list or choose Delete Maps from the Select a command drop-down list, and click Go.
Step 3 Click OK to confirm the deletion.

Note Deleting a campus or building also deletes all of its container maps. The access points from all deleted maps are moved to an Unassigned state. System Campus cannot be deleted; however, buildings or floors in System Campus can be modified.

Copying a Map
The following guidelines apply to the copying process:
• Only the child elements are copied to the new map.
• The selected map is copied to the current applicable partition.
• Overlapping areas are not checked when buildings are copied.
  You should edit these after copying the map for proper positioning.
• If the selected map is above ground, the first available floor above ground is used for the copy.
• If the selected map is a basement, the first available basement is used for the copy.
• The following are not copied:
  – Access points and their positioning coordinates.
  – Planning mode data.

Note You cannot copy a System Campus.

To copy a map, follow these steps:
Step 1 From the Monitor > Site Maps page, select the check box of the map that you want to copy.
Step 2 From the Select a command drop-down list, click Copy Maps. The Copy Maps dialog box opens (see Figure 6-8).

Figure 6-8 Copy Maps

Step 3 Enter the name of the new map to which you want to copy the current map.

Note If a map with the new name already exists, the copying process stops.

Step 4 Select the Copy Option (Map Only or Map and Map Details).

Note Map and Map Details includes coverage areas, perimeters, obstacles, location regions, markers, and rails.

Step 5 Click Copy to complete the copying process or Cancel to close the dialog box without copying the current map.

Exporting a Map
The Export Map feature allows you to export map or calibration information to XML. The exported XML is in an encrypted format and is not readable. XML and images are bundled, tarred, and zipped into a file for a successful import into another NCS.

To export a map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Export Maps. The Export Map page appears (see Figure 6-9).

Figure 6-9 Export Map

Step 3 Select the maps that you want to export.
Step 4 Click Export to export the selected map data.
Importing a Map
The Import Map feature allows you to import map information from external sources such as XML, WLSE, and CSV. During import, the XML may be encrypted (if exported from NCS) or unencrypted.

To import a map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Import Maps. The Import Map page appears.

Note It is important that APs are first added to the NCS server prior to importing maps, since APs in the maps are also included during the export process. APs that have not been added to the NCS server but are present in exported floor maps result in an error being displayed when these maps are imported into NCS. Unassociated or unreachable APs result in the same error; you will have to manually add these APs to your maps after the importing process.

Figure 6-10 Import Map

Step 3 Choose the map format.
Step 4 Select one of the following formats:
• XML
• AP/WiFi TDOA Receiver/Chokepoint Placement
• WLSE Map and AP Location Data

Note The XML format option is available only to the root user.

Note The Aeroscout engine fails to start the MSE if NCS map names have special characters such as '&'.

Step 5 Click Next.
Step 6 Click Browse to select the file that you want to import.
Step 7 Click Import to import the selected data.

Editing Map Properties
To edit your map properties, follow these steps:

Note Users with Map Read-Write permissions can only edit the map properties.

Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Properties.
Step 3 Click Go.
Step 4 Edit the information in Table 6-1.

Table 6-1 Map Properties Parameters (Parameter or Control—Description)
• Unit of Dimension—Set dimension measurement in feet or meters for all NCS maps.
• Wall Usage Calibration—Choose to use or not use walls, or set to automatic.
• Refresh Map From Network—Enable refresh of map data for Cisco NCS to update maps by polling the Cisco WLAN Solution each time a Cisco WLAN Solution operator requests a map update. Select disable for Cisco NCS to update maps from its stored database. Note: Updates to the database may not be frequent enough to keep the map data current.
• Advanced Debug Mode—This option must be enabled on both the location appliance and NCS to allow use of the location accuracy testpoint feature.
• Use Dynamic Heatmaps—This option must be enabled to allow use of dynamic heatmaps. By default it is enabled.
• Minimum Number of APs for Dynamic Heatmaps—The dynamic heatmap of an AP is calculated only if it receives RSSI strengths from a number of neighboring APs greater than or equal to this parameter value. The minimum and default is 4 and the maximum number of APs is 10.
• Recomputation Frequency (Hours)—Configure the time when you want the data to be polled and refreshed when you are not actively using the maps. You can always refresh the data and get the latest heatmaps when you are actively using the maps. The default is 6 hours. The minimum is 1 hour and the maximum is 24 hours.

Note We recommend a minimum number of APs of 4 and a recomputation frequency of 6 hours for maximum performance.

Filtering Maps
At Monitor > Site Maps, the list of maps can be filtered based on type and status.

To filter your map list, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Choose the map type from the Type drop-down list. Map types include All, Campus, Building, Outdoor Area, and Floor Area.
Step 3 To further sort the map list by status, choose the status type from the Status drop-down list. Status types include All, Critical, Major, and Minor.
Note Status indicates the most serious level of alarm on an access point located on this map or one of its children.

Step 4 When the filtering criteria are selected, click Go. The list displays maps that fit the filtering criteria.

Configuring Buildings
You can add buildings to the NCS database regardless of whether you have added campus maps to the database. This section explains how to add a building to a campus map or a standalone building (one that is not part of a campus) to the Cisco NCS database.

This section contains the following topics:
• Adding a Building to a Campus Map, page 6-16
• Viewing a Building, page 6-21
• Editing a Building, page 6-21
• Deleting a Building, page 6-22
• Moving a Building, page 6-22

Adding a Building to a Campus Map
Follow these steps to add a building to a campus map in the NCS database:
Step 1 Choose Monitor > Site Maps to display the Maps page.
Step 2 Click the desired campus. NCS displays the Site Maps > Campus Name page.
Step 3 From the Select a command drop-down list, choose New Building and click Go (see Figure 6-11).

Figure 6-11 New Building

Step 4 On the Campus Name > New Building page, follow these steps to create a virtual building in which to organize related floor plan maps:
a. Enter the building name.
b. Enter the building contact name.
c. Enter the number of floors and basements.
d. Enter the horizontal position (distance from the corner of the building rectangle to the left edge of the campus map) and the vertical position (distance from the corner of the building rectangle to the top edge of the campus map) in feet.

Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

e. Enter an approximate building horizontal span and vertical span (width and depth on the map) in feet.
Note The horizontal and vertical span should be larger than or the same size as any floors that you might add later.

Tip You can also use Ctrl-click to resize the bounding area in the upper left corner of the campus map. As you change the size of the bounding area, the Horizontal Span and Vertical Span parameters of the building change to match your actions.

f. Click Place to put the building on the campus map. NCS creates a building rectangle scaled to the size of the campus map.
g. Click the building rectangle and drag it to the desired position on the campus map.

Note After adding a new building, you can move it from one campus to another without having to recreate it.

h. Click Save to save this building and its campus location to the database. NCS saves the building name in the building rectangle on the campus map.

Note A hyperlink associated with the building takes you to the corresponding Map page.

Step 5 (Optional) To assign location presence information for the new outdoor area, do the following:
a. Choose Edit Location Presence Info from the Select a command drop-down list. Click Go. The Location Presence page appears (see Figure 6-12).

Note By default, the Override Child Element’s Presence Info check box is selected. This option should remain selected if you want to propagate the campus location to all buildings and floors on that campus. When adding buildings to the campus map, you can import the campus location information. The campus address cannot be imported to a building if the check box is unselected. This option should be deselected if you want to assign building-specific addresses to buildings on its campus rather than one campus address to all.

Figure 6-12 Location Presence

b. Click either the Civic Address, GPS Markers, or Advanced tab.
  – Civic Address identifies the campus by name, street, house number, house number suffix, city (address line 2), state, postal code, and country.
  – GPS Markers identify the campus by longitude and latitude.
  – Advanced identifies the campus with expanded civic information such as neighborhood, city division, county, and postal community name.

Note Each selected parameter is inclusive of all of those above it. For example, if you choose Advanced, it can also provide GPS and Civic location information upon client demand. The selected setting must match what is set at the location server level (Services > Mobility Services).

Note If a client requests location information such as GPS Markers for a campus, building, floor, or outdoor area that is not configured for that parameter, an error message is returned.

c. By default, the Override Child Element’s Presence Info check box is selected. There is no need to alter this setting for standalone buildings.

Step 6 Click Save.

Adding a Standalone Building
Follow these steps to add a standalone building to the NCS database:
Step 1 Choose Monitor > Site Maps to display the Maps page.
Step 2 From the Select a command drop-down list, choose New Building and click Go (see Figure 6-11).

Figure 6-13 New Standalone Building

Step 3 In the Maps > New Building page, follow these steps to create a virtual building in which to organize related floor plan maps:
a. Enter the building name.
b. Enter the building contact name.

Note After adding a new building, you can move it from one campus to another without having to recreate it.

c. Enter the number of floors and basements.
d. Enter an approximate building horizontal span and vertical span (width and depth on the map) in feet.
Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

Note The horizontal and vertical span should be larger than or the same size as any floors that you might add later.

e. Click OK to save this building to the database.

Step 4 (Optional) To assign location presence information for the new building, do the following:
a. Choose Location Presence from the Select a command drop-down list. Click Go. The Location Presence page appears (see Figure 6-12).
b. Click either the Civic, GPS Markers, or Advanced tab.
  – Civic Address identifies the campus by name, street, house number, house number suffix, city (address line 2), state, postal code, and country.
  – GPS Markers identify the campus by longitude and latitude.
  – Advanced identifies the campus with expanded civic information such as neighborhood, city division, county, and postal community name.

Note Each selected parameter is inclusive of all of those above it. For example, if you select Advanced, it can also provide GPS and Civic location information upon client demand. The selected setting must match what is set at the location server level (Services > Mobility Services).

Note If a client requests location information such as GPS Markers for a campus, building, floor, or outdoor area that is not configured for that parameter, an error message is returned.

c. By default, the Override Child Element’s Presence Info check box is selected. This option should remain selected if you want to propagate the campus location to all buildings and floors on that campus. When adding buildings to the campus map, you can import the location information. The campus address cannot be imported to a building if the check box is unselected. This option should be deselected if you want to assign building-specific addresses to buildings on its campus rather than one campus address to all.
Step 5 Click Save.

Note The standalone buildings are automatically placed in System Campus.

Viewing a Building
To view a current building map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the building map to open its details page. The Building View page provides a list of floor maps and map details for each floor.

Note From the Building View page, you can click the Floor column heading to sort the list ascending or descending by floor.

The map details include:
• Floor area
• Floor index—Indicates the floor level. A negative number indicates a basement floor level.
• Contact
• Status—Indicates the most serious level of alarm on an access point located on this map or one of its children.
• Number of total access points located on the map.
• Number of 802.11a/n and 802.11b/g/n radios located on the map.
• Number of out-of-service (OOS) radios.
• Number of clients—Click the number link to view the Monitor > Clients page. See the “Monitoring Clients and Users” section on page 10-10 for more information.

Step 3 The Select a command drop-down list provides the following options:
• New Floor Area—See the “Adding Floor Areas to a Campus Building” section on page 6-28 or the “Adding Floor Plans to a Standalone Building” section on page 6-32 for more information.
• Edit Building—See the “Editing a Building” section on page 6-21 for more information.
• Delete Building—See the “Deleting a Building” section on page 6-22 for more information.
• Copy Building—See the “Copying a Map” section on page 6-11 for more information.
• Edit Location Presence Info—See the “Managing Location Presence Information” section on page 6-68 for more information.
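The Status and count columns in the Building View and in the map list are rollups over the map hierarchy, governed by two rules stated in this chapter: a map's Status is the most serious alarm on any access point located on that map or one of its children, and the Root Area entry in the Maps Tree View does not aggregate status or object counts for its standalone buildings. The following Python script is an added example, not NCS code; it models those rules over a constructed campus/building/floor tree (the map names, access points and alarm levels are made up) and also mirrors the Type and Status drop-down filters of the Filtering Maps procedure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity order used by the Status filter of the map list: Critical > Major > Minor.
# "Ok" is the green-square state shown when no access point on the map has an alarm.
SEVERITY_RANK = {"Ok": 0, "Minor": 1, "Major": 2, "Critical": 3}


@dataclass
class AccessPoint:
    name: str
    alarm: str = "Ok"      # most serious alarm currently raised on this AP
    radios_a: int = 1      # 802.11a/n radios
    radios_bg: int = 1     # 802.11b/g/n radios
    oos_radios: int = 0    # out-of-service radios
    clients: int = 0


@dataclass
class MapNode:
    name: str
    kind: str              # "Campus", "Building", "Floor Area" or "Outdoor Area"
    aps: List[AccessPoint] = field(default_factory=list)
    children: List["MapNode"] = field(default_factory=list)


@dataclass
class Rollup:
    status: str
    ap_count: int
    radios_a: int
    radios_bg: int
    oos_radios: int
    clients: int


def worst(a: str, b: str) -> str:
    """Return the more serious of two alarm levels."""
    return a if SEVERITY_RANK[a] >= SEVERITY_RANK[b] else b


def rollup(node: MapNode) -> Rollup:
    """Status and object counts for a map, aggregated over the map and all its children."""
    status = "Ok"
    totals = [0, 0, 0, 0, 0]   # APs, a/n radios, b/g/n radios, OOS radios, clients
    for ap in node.aps:
        status = worst(status, ap.alarm)
        for i, v in enumerate((1, ap.radios_a, ap.radios_bg, ap.oos_radios, ap.clients)):
            totals[i] += v
    for child in node.children:
        sub = rollup(child)
        status = worst(status, sub.status)
        for i, v in enumerate((sub.ap_count, sub.radios_a, sub.radios_bg,
                               sub.oos_radios, sub.clients)):
            totals[i] += v
    return Rollup(status, *totals)


def tree_view_status(campuses: List[MapNode],
                     root_area_buildings: List[MapNode]) -> Dict[str, Optional[str]]:
    """Status beside each top-level entry of the Maps Tree View.

    Campuses aggregate their buildings and floors; the Root Area entry does
    not aggregate its standalone buildings, so it carries no status itself,
    while each standalone building still has its own rollup.
    """
    view: Dict[str, Optional[str]] = {c.name: rollup(c).status for c in campuses}
    view["Root Area"] = None
    for b in root_area_buildings:
        view[b.name] = rollup(b).status
    return view


def flatten(nodes: List[MapNode]) -> List[MapNode]:
    """All maps in the tree, parents before children."""
    out: List[MapNode] = []
    for n in nodes:
        out.append(n)
        out.extend(flatten(n.children))
    return out


def filter_maps(nodes: List[MapNode], map_type: str = "All",
                status: str = "All") -> List[str]:
    """Mirror the Type and Status drop-down filters of the map list page."""
    names = []
    for n in flatten(nodes):
        if map_type != "All" and n.kind != map_type:
            continue
        if status != "All" and rollup(n).status != status:
            continue
        names.append(n.name)
    return names


# Constructed sample hierarchy; names, alarms and counts are made up for this example.
FLOOR_1 = MapNode("HQ Floor 1", "Floor Area",
                  aps=[AccessPoint("ap-1-01", "Minor", clients=12),
                       AccessPoint("ap-1-02", oos_radios=1, clients=7)])
FLOOR_2 = MapNode("HQ Floor 2", "Floor Area",
                  aps=[AccessPoint("ap-2-01", "Critical", clients=3)])
HQ = MapNode("HQ Building", "Building", children=[FLOOR_1, FLOOR_2])
YARD = MapNode("Yard", "Outdoor Area", aps=[AccessPoint("ap-yard-01")])
CAMPUS = MapNode("Main Campus", "Campus", children=[HQ, YARD])
DEPOT = MapNode("Depot", "Building",   # standalone building, listed under Root Area
                children=[MapNode("Depot Floor 1", "Floor Area",
                                  aps=[AccessPoint("ap-d-01", "Major")])])

if __name__ == "__main__":
    r = rollup(CAMPUS)
    print(f"{CAMPUS.name}: status={r.status} aps={r.ap_count} oos={r.oos_radios} clients={r.clients}")
    print(tree_view_status([CAMPUS], [DEPOT]))
    print("Critical buildings:", filter_maps([CAMPUS, DEPOT], "Building", "Critical"))
```

Because the rollup recurses through children, one Critical access point on a single floor turns its building and campus Critical; that is why a monitoring workflow built on these columns should drill down through the tree rather than react at the campus level.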
Editing a Building
To edit a current building map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the building map to open its details page.
Step 3 From the Select a command drop-down list, choose Edit Building.
Step 4 Make any necessary changes to Building Name, Contact, Number of Floors, Number of Basements, and Dimensions (feet).

Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

Step 5 Click OK.

Deleting a Building
To delete a current building map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Select the check box for the building that you want to delete.
Step 3 Click Delete at the bottom of the map list (or choose Delete Maps from the Select a command drop-down list and click Go).
Step 4 Click OK to confirm the deletion.

Note Deleting a building also deletes all of its container maps. The access points from all deleted maps are moved to an Unassigned state.

Moving a Building
To move a building to a different campus, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Select the check box of the applicable building.
Step 3 From the Select a command drop-down list, choose Move Buildings.
Step 4 Click Go.
Step 5 Choose the Target Campus from the drop-down list.
Step 6 Select the buildings that you want to move. Unselect any buildings that will remain in their current location.
Step 7 Click OK.

Configuring Campus
This section contains the following topics:
• Adding a Campus Map, page 6-23
• Viewing a Campus Map, page 6-24
• Editing a Campus Map, page 6-24
• Deleting a Campus Map, page 6-25

Adding a Campus Map
Follow these steps to add a single campus map to the NCS database:
Step 1 Save the map in .PNG, .JPG, .JPEG, or .GIF format.

Note The map can be of any size because NCS automatically resizes the map to fit its working areas.

Step 2 Browse to and import the map from anywhere in your file system.
Step 3 Choose Monitor > Site Maps to display the Maps page (see Figure 6-14).

Figure 6-14 New Campus

Step 4 From the Select a command drop-down list, choose New Campus and click Go.
Step 5 In the Maps > New Campus page, enter the campus name and campus contact name.
Step 6 Browse to and choose the image filename containing the map of the campus and click Open.
Step 7 Select the Maintain Aspect Ratio check box to prevent length and width distortion when NCS resizes the map.
Step 8 Enter the horizontal and vertical span of the map in feet.

Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list. The horizontal and vertical span should be larger than any building or floor plan to be added to the campus.

Step 9 Click OK to add this campus map to the NCS database. NCS displays the Maps page, which lists maps in the database, map types, and campus status.
Step 10 (Optional) To assign location presence information, click the newly created campus link at the Monitor > Site Maps page. See the “Managing Location Presence Information” section on page 6-68 for more information.
Viewing a Campus Map
To view a current campus map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the campus map to open its details page.
Step 3 The Select a command drop-down list provides the following options:
• New Building—See the “Adding a Building to a Campus Map” section on page 6-16 for more information.
• New Outdoor Area—See the “Adding an Outdoor Area” section on page 6-25 for more information.
• Edit Campus—See the “Editing a Campus Map” section on page 6-24 for more information.
• Delete Campus—See the “Deleting a Campus Map” section on page 6-25 for more information.
• Copy Campus—See the “Copying a Map” section on page 6-11 for more information.
• Edit Location Presence Information—See the “Managing Location Presence Information” section on page 6-68 for more information.

Note Use the Monitor > Site Maps > Campus View main navigation bar at the top of the campus image to enlarge or decrease the size of the map view and to hide or show the map grid (which displays the map size in feet or meters).

Editing a Campus Map
The edit feature allows you to make changes to a current campus map. You can change the campus name, contact person, image, and map dimensions.

To edit a current campus map, follow these steps:
Step 1 Choose Monitor > Site Maps.
Step 2 Click the name of the campus map to open its details page.
Step 3 From the Select a command drop-down list, choose Edit Campus.
Step 4 Make any necessary changes to Campus Name, Contact, or Image File.
Step 5 Click Next.
Step 6 Make any additional changes to Maintain Aspect Ratio or Dimensions (feet).

Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

Step 7 Click OK.
Deleting a Campus Map

To delete a current campus map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the check box for the campus that you want to delete.

Step 3 Click Delete at the bottom of the map list, or choose Delete Maps from the Select a command drop-down list and click Go.

Step 4 Click OK to confirm the deletion.

Note Deleting a campus also deletes all of its container maps. The access points from all deleted maps are moved to an Unassigned state.

Configuring Outdoor Areas

This section contains the following topics:
• Adding an Outdoor Area, page 6-25
• Editing Outdoor Areas, page 6-27
• Deleting Outdoor Areas, page 6-27

Adding an Outdoor Area

Note You can add an outdoor area to a campus map in the NCS database regardless of whether you have added outdoor area maps to the database.

To add an outdoor area to a campus map, follow these steps:

Step 1 If you want to add a map of the outdoor area to the database, save the map in .PNG, .JPG, .JPEG, or .GIF format. Then browse to and import the map from anywhere in your file system.

Note You do not need a map to add an outdoor area. You can simply define the dimensions of the area to add it to the database. The map can be any size because NCS automatically resizes the map to fit the workspace.

Step 2 Choose Monitor > Site Maps.

Step 3 Click the desired campus to display the Monitor > Site Maps > Campus View page.

Step 4 From the Select a command drop-down list, choose New Outdoor Area.

Step 5 Click Go. The Create New Area page opens.

Step 6 On the New Outdoor Area page, enter the following information:
• Name—The user-defined name of the new outdoor area.
• Contact—The user-defined contact name.
• Area Type (RF Model)—Cubes And Walled Offices, Drywall Office Only, Outdoor Open Space (default).
• AP Height (feet)—Enter the height of the access point.
• Image File—Name of the file containing the outdoor area map. Use the browse button to find the file.

Step 7 Click Next.

Step 8 Enter the following information:
• Zoom—Use to zoom in or zoom out on the map that you are currently viewing.
• Maintain Image Aspect Ratio—Select this check box to maintain the aspect ratio (ratio of horizontal and vertical pixels) of the map image. Maintaining the aspect ratio prevents visual distortion of the map.
• Horizontal Position—Distance from the corner of the outdoor area rectangle to the left edge of the campus map, in feet or meters.
• Vertical Position—Distance from the corner of the outdoor area rectangle to the top edge of the campus map, in feet or meters.
• Horizontal Span—Horizontal measurement (left to right) of the outdoor area rectangle, in feet or meters.
• Vertical Span—Vertical measurement (up and down) of the outdoor area rectangle, in feet or meters.

Tip The horizontal and vertical spans should be larger than or the same size. Use Ctrl-click to resize the bounding area in the upper-left corner of the campus map. The horizontal and vertical span parameters change to match.

Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

Step 9 Click Place to put the outdoor area on the campus map. NCS creates an outdoor area rectangle scaled to the size of the campus map.

Step 10 Click and drag the outdoor area rectangle to the desired position on the campus map.

Step 11 Click Save to save this outdoor area and its campus location to the database.

Note A hyperlink associated with the outdoor area takes you to the corresponding Map page.

Step 12 (Optional) To assign location presence information for the new outdoor area, choose Edit Location Presence Info, and click Go.
See the “Managing Location Presence Information” section on page 6-68 for more information.

Note By default, the Override Child Element Presence Info check box is selected. There is no need to alter this setting for outdoor areas.

Editing Outdoor Areas

To edit a current outdoor area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the desired outdoor area map from the Name column.

Step 3 From the Select a command drop-down list, choose Edit Outdoor Area.

Step 4 Click Go.

Step 5 In the Campus Name > Outdoor Area page, edit the following information:
• Name—The user-defined name of the outdoor area.
• Contact—The user-defined contact name.
• New Image File—Use the Browse button to import a new image file, if necessary.
• Maintain Image Aspect Ratio—Select this check box to maintain the aspect ratio (ratio of horizontal and vertical pixels) of the map image. Maintaining the aspect ratio prevents visual distortion of the map.
• Horizontal Position—Distance from the corner of the outdoor area rectangle to the left edge of the campus map, in feet or meters.
• Vertical Position—Distance from the corner of the outdoor area rectangle to the top edge of the campus map, in feet or meters.
• Horizontal Span—Horizontal measurement (left to right) of the outdoor area rectangle, in feet or meters.
• Vertical Span—Vertical measurement (up and down) of the outdoor area rectangle, in feet or meters.

Step 6 Click Place to put the outdoor area on the campus map. NCS creates an outdoor area rectangle scaled to the size of the campus map.

Step 7 Click and drag the outdoor area rectangle to the desired position on the campus map.

Step 8 Click Save to save this outdoor area and its campus location to the database.

Note A hyperlink associated with the outdoor area takes you to the corresponding Map page.
Deleting Outdoor Areas

To delete a current outdoor area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the check box for the outdoor area that you want to delete.

Step 3 Click Delete at the bottom of the map list (or choose Delete Maps from the Select a command drop-down list, and click Go).

Step 4 Click OK to confirm the deletion.

Configuring Floor Areas

This section explains how to add floor plans to either a campus building or a standalone building in the NCS database and contains the following topics:
• Adding Floor Areas to a Campus Building, page 6-28
• Adding Access Points to a Floor Area, page 6-34
• Editing Floor Areas, page 6-39
• Deleting Floor Areas, page 6-39
• Placing Access Points, page 6-40
• Configuring Floor Settings, page 6-41
• Import Map and AP Location Data, page 6-53
• Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File, page 6-54
• Changing Access Point Positions by Importing and Exporting a File, page 6-55

Adding Floor Areas to a Campus Building

After you add a building to a campus map, you can add individual floor plan and basement maps to the building. To add a floor area to a campus building, follow these steps:

Step 1 Save your floor plan maps in .PNG, .JPG, or .GIF format.

Note The maps can be any size because NCS automatically resizes the maps to fit the workspace.

Step 2 Browse to and import the floor plan maps from anywhere in your file system. You can also import CAD image files in DXF and DWG format.

Note If there are problems converting the auto-cad file, an error message is displayed. NCS uses a native image conversion library to convert auto-cad files into raster formats like PNG. If the native library cannot be loaded, NCS returns the “unable to convert the auto-cad file” message.
If you receive this error, make sure all the required dependencies are met for the native library. To find any dependency problems, use ldd on Linux platforms. The following DLLs must be present under the /webnms/rfdlls NCS installation directory: LIBGFL254.DLL, MFC71.DLL, MSVCR71.DLL, and MSVCP71.DLL. If dependency problems occurred, you may need to install the required libraries and restart NCS.

Note An imported auto-cad file can become blurred when you zoom. Without the zoom, the clarity is about the same as the original auto-cad file. Make sure all relevant sections are clearly visible in the original auto-cad file (DWG/DXF) and then import the auto-cad file into PNG/GIF format rather than JPEG or JPG.

Step 3 Choose Monitor > Site Maps. The Maps page opens. (See Figure 6-15.)

Figure 6-15 Monitor > Site Maps

Step 4 From the Maps Tree View or the Monitor > Site Maps list, click the applicable campus building to open the Building View page.

Step 5 Hover your cursor over the name within an existing building rectangle to highlight it.

Note You can also access the building from the Campus View page. From the Campus View page, click the building name to open the Building View page.

Step 6 From the Select a command drop-down list, choose New Floor Area.

Step 7 Click Go. The New Floor Area page opens. (See Figure 6-16.)

Figure 6-16 New Floor Area

Step 8 In the New Floor Area page, follow these steps to add floors to a building in which to organize related floor plan maps:
a. Enter the floor area and contact names.
b. Choose the floor or basement number from the Floor drop-down list.
c. Choose the floor or basement type (RF Model).
d. Enter the floor-to-floor height in feet.
Note To change the unit of measurement (feet or meters), click Monitor > Site Maps and choose Properties from the Select a command drop-down list.

e. Select the Image or CAD File check box.
f. Browse to and choose the desired floor or basement image or CAD filename, and click Open.

Note If you are importing a CAD file, use the Convert CAD File drop-down list to determine the image file for conversion.

Tip A JPEG (JPG) format is not recommended for an auto-cad conversion. Unless a JPEG is specifically required, use a PNG or GIF format for higher quality images.

g. Click Next. At this point, if a CAD file was specified, a default image preview is generated and loaded.

Note NCS uses a native image conversion library to convert auto-cad files into raster formats like .PNG. When there are issues loading the native library, NCS throws the following error: "Unable to convert the auto-cad file. Reason: Error while loading the auto-cad image conversion library. Please refer online or NCS documentation for more information."

The names of the CAD file layers are listed, with check boxes to the right side of the image indicating which are enabled.

Note When you choose the floor or basement image filename, NCS displays the image in the building-sized grid.

Note The maps can be any size because NCS automatically resizes the maps to fit the workspace.

Note The map must be saved in .PNG, .JPG, .JPEG, or .GIF format.

h. If you have CAD file layers, you can select or deselect as many as you want and click Preview to view an updated image. Click Next when you are ready to proceed with the selected layers. Enter the remaining parameters for the floor area.

Figure 6-17 Floor Area Parameters

i. Either leave the Maintain Aspect Ratio check box selected to preserve the original image aspect ratio or unselect the check box to change the image aspect ratio.

j.
Enter an approximate floor or basement horizontal and vertical span (width and depth on the map) in feet.

Note The horizontal and vertical spans should be smaller than or the same size as the building horizontal and vertical spans in the NCS database.

k. If applicable, enter the horizontal position (distance from the corner of the outdoor area rectangle to the left edge of the campus map) and vertical position (distance from the corner of the outdoor area rectangle to the top edge of the campus map) in feet or meters.

Tip Use Ctrl-click to resize the image within the building-sized grid.

l. If desired, select the Launch Map Editor after floor creation check box to rescale the floor and draw walls.

m. Click OK to save this floor plan to the database. The floor is added to the Maps Tree View and the Monitor > Site Maps list.

Note Use different floor names in each building. If you are adding more than one building to the campus map, do not use a floor name that exists in another building. This overlap causes incorrect mapping information between a floor and a building.

Step 9 Click any of the floor or basement images to view the floor plan or basement map.

Note You can zoom in or out to view the map at different sizes and you can add access points. See the “Adding Access Points to a Floor Area” section on page 6-34 for more information.

Adding Floor Plans to a Standalone Building

After you have added a standalone building to the NCS database, you can add individual floor plan maps to the building. To add floor plans to a standalone building, follow these steps:

Step 1 Save your floor plan maps in .PNG, .JPG, or .GIF format.

Note The maps can be any size because NCS automatically resizes the maps to fit the workspace.

Step 2 Browse to and import the floor plan maps from anywhere in your file system.
You can import CAD files in DXF or DWG format or any of the formats you created in Step 1.

Note If there are problems converting the auto-cad file, an error message is displayed. NCS uses a native image conversion library to convert auto-cad files into raster formats like PNG. If the native library cannot be loaded, NCS returns the “unable to convert the auto-cad file” message. If you receive this error, make sure all the required dependencies are met for the native library. To find any dependency problems, use ldd on Linux platforms. The following DLLs must be present under the /webnms/rfdlls NCS installation directory: LIBGFL254.DLL, MFC71.DLL, MSVCR71.DLL, and MSVCP71.DLL. If dependency problems occurred, you may need to install the required libraries and restart NCS.

Note An imported auto-cad file can become blurred when you zoom. Without the zoom, the clarity is about the same as the original auto-cad file. Make sure all relevant sections are clearly visible in the original auto-cad file (DWG/DXF) and then import the auto-cad file into PNG/GIF format rather than JPEG or JPG.

Step 3 Choose Monitor > Site Maps.

Step 4 From the Maps Tree View or the Monitor > Site Maps list, choose the desired building to display the Building View page.

Step 5 From the Select a command drop-down list, choose New Floor Area.

Step 6 Click Go.

Step 7 In the New Floor Area page, add the following information:
• Enter the floor area and contact names.
• Choose the floor or basement number from the Floor drop-down list.
• Choose the floor or basement type (RF Model).
• Enter the floor-to-floor height in feet.
• Select the Image or CAD File check box.
• Browse to and choose the desired floor or basement Image or CAD file, and click Open.

Note If you are importing a CAD file, use the Convert CAD File drop-down list to determine the image file for conversion.
Tip A JPEG (JPG) format is not recommended for an auto-cad conversion. Unless a JPEG is specifically required, use a PNG or GIF format for higher quality images.

Step 8 Click Next. At this point, if a CAD file was specified, a default image preview is generated and loaded.

Note NCS uses a native image conversion library to convert auto-cad files into raster formats like .PNG. When there are issues loading the native library, NCS throws the following error: "Unable to convert the auto-cad file. Reason: Error while loading the auto-cad image conversion library. Please refer online or NCS documentation for more information."

The names of the CAD file layers are listed, with check boxes to the right side of the image indicating which are enabled.

Note When you choose the floor or basement image filename, NCS displays the image in the building-sized grid.

Note The maps can be any size because NCS automatically resizes the maps to fit the workspace.

Note The map must be saved in .PNG, .JPG, .JPEG, or .GIF format.

If you have CAD file layers, you can select or deselect as many as you want and click Preview to view an updated image. Click Next when you are ready to proceed with the selected layers.

Step 9 Enter the remaining parameters for the floor area.
• Either leave the Maintain Aspect Ratio check box selected to preserve the original image aspect ratio or unselect the check box to change the image aspect ratio.
• Enter an approximate floor or basement horizontal and vertical span (width and depth on the map) in feet.
Note The horizontal and vertical spans should be smaller than or the same size as the building horizontal and vertical spans in the NCS database.

• If applicable, enter the horizontal position (distance from the corner of the outdoor area rectangle to the left edge of the campus map) and vertical position (distance from the corner of the outdoor area rectangle to the top edge of the campus map) in feet or meters.

Tip Use Ctrl-click to resize the image within the building-sized grid.

• Adjust the floor characteristics with the NCS map editor by selecting the check box next to Launch Map Editor. See the “Map Editor” section on page 6-4 for more information regarding the map editor feature.

Step 10 Click OK to save this floor plan to the database. The floor is added to the Maps Tree View and the Monitor > Site Maps list.

Step 11 Click any of the floor or basement images to view the floor plan or basement map.

Note You can zoom in or out to view the map at different sizes and you can add access points. See the “Adding Access Points to a Floor Area” section on page 6-34 for more information.

Adding Access Points to a Floor Area

After you add the .PNG, .JPG, .JPEG, or .GIF format floor plan and outdoor area maps to the NCS database, you can position lightweight access point icons on the maps to show where they are installed in the buildings. To add access points to a floor area and outdoor area, follow these steps:

Step 1 Choose Monitor > Site Maps. The Maps page opens. (See Figure 6-18.)

Figure 6-18 Monitor Site Maps

Step 2 From the Maps Tree View or the Monitor > Site Maps list, click the applicable floor to open the Floor View page.

Figure 6-19 Floor View

Step 3 From the Select a command drop-down list, choose Add Access Points, and click Go.
Step 4 From the Add Access Points page, select the check boxes of the access points that you want to add to the floor area.

Figure 6-20 Add Access Point

Note Only access points which are not yet assigned to any floor or outdoor area appear in the list.

Note Select the check box at the top of the list to select all access points.

Note NCS allows a maximum of 100 access points per floor map.

Step 5 When all of the applicable access points are selected, click OK located at the bottom of the access point list. The Position Access Points page opens.

Figure 6-21 Position Access Points

Each access point you have chosen to add to the floor map is represented by a gray circle (differentiated by access point name or MAC address) and is lined up in the upper left part of the floor map.

Step 6 Click and drag each access point to the appropriate location. Access points turn blue when selected.

Note When you drag an access point on the map, its horizontal and vertical position appears in the boxes above.

Note The small black arrow at the side of each access point represents Side A of each access point, and each access point arrow must correspond with the direction in which the access points were installed. Side A is clearly noted on each 1000 series access point and has no relevance to the 802.11a/n radio. To adjust the directional arrow, choose the appropriate orientation on the Antenna Angle drop-down list.

When selected, the access point details display on the left side of the page. Access point details include the following:
• AP Model—Indicates the model type of the selected access point.
• Protocol—Choose the protocol for this access point from the drop-down list.
• Antenna—Choose the appropriate antenna type for this access point from the drop-down list.
• Antenna/AP Image—The antenna image reflects the antenna selected from the Antenna drop-down list. Click the arrow at the top right of the antenna image to expand the image size.
• Antenna Orientation—Depending on the antenna type, enter the Azimuth and the Elevation orientations in degrees.

Note The Azimuth option does not appear for Omnidirectional antennas because their pattern is nondirectional in azimuth.

Note For internal antennas, the same elevation angle applies to both radios.

The antenna angle is relative to the map X axis. Because the origin of the X (horizontal) and Y (vertical) axes is in the upper left corner of the map, 0 degrees points side A of the access point to the right, 90 degrees points side A down, 180 degrees points side A to the left, and so on. The antenna elevation is used to move the antenna vertically, up or down, to a maximum of 90 degrees.

Note Make sure each access point is in the correct location on the map and has the correct antenna orientation. Accurate access point positioning is critical when you use the maps to find coverage holes and rogue access points.

Refer to the following URL for further information about the antenna elevation and azimuth patterns: http://www.cisco.com/en/US/products/hw/wireless/ps469/tsd_products_support_series_home.html

Figure 6-22 Selected Access Point Details

Step 7 When you are finished placing and adjusting each access point, click Save.

Note Clicking Save causes the antenna gain on the access point to correspond to the selected antenna. This may cause a radio reset.

NCS computes the RF prediction for the coverage area. These RF predictions are popularly known as heat maps because they show the relative intensity of the RF signals on the coverage area map.
Note This display is only an approximation of the actual RF signal intensity because it does not take into account the attenuation of various building materials, such as drywall or metal objects, nor does it display the effects of RF signals bouncing off obstructions.

Note Antenna gain settings have no effect on heatmaps and location calculations. Antenna gain is implicitly associated to the antenna name. Because of this, the following apply:
– If an antenna is used and marked as “Other” in NCS, it is ignored for all heatmap and location calculations;
– If an antenna is used and marked as a Cisco antenna in NCS, that antenna gain setting (internal value on NCS) is used no matter what gain is set on the controller.

Figure 6-23 RF Prediction heatmaps

Note See the “Placing Access Points” section on page 6-40 for more information on placing access points on a map.

Note You can change the position of access points by importing or exporting a file. See the “Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File” section on page 6-54 for more information.

Editing Floor Areas

To edit a current floor area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the name of the floor area to open its details page.

Step 3 From the Select a command drop-down list, choose Edit Floor Area.

Step 4 Make any necessary changes to Floor Area Name, Contact, Floor, Floor Height (feet), Floor Type (RF Model), Existing Image File, or Import New Image File.

Step 5 Click OK.

Deleting Floor Areas

To delete a current floor area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the check box for the applicable floor area.

Step 3 From the Select a command drop-down list, choose Delete Maps.
Step 4 Click Go.

Step 5 Click OK to confirm the deletion.

Placing Access Points

To determine the best location of all devices in the wireless LAN coverage areas, you need to consider the access point density and location. Ensure that no fewer than 3 access points, and preferably 4 or 5, provide coverage to every area where device location is required. The more access points that detect a device, the better. This high-level guideline translates into the following best practices, ordered by priority:
1. Most importantly, access points should surround the desired location.
2. One access point should be placed roughly every 50 to 70 linear feet (about 17 to 20 meters). This translates into one access point every 2,500 to 5,000 square feet (about 230 to 450 square meters).

Note The access point must be mounted so that it is under 20 feet high. For best performance, a mounting height of 10 feet would be ideal.

Following these guidelines makes it more likely that access points will detect tracked devices. Rarely do two physical environments have the same RF characteristics. Users may need to adjust those parameters to their specific environment and requirements.

Note Devices must be detected at signals greater than –75 dBm for the controllers to forward information to the location appliance. No fewer than three access points should be able to detect any device at signals below –75 dBm.

Note If you have a ceiling-mounted AP with an integrated omnidirectional antenna, the antenna orientation does not really need to be set in NCS. However, if you mount that same AP on the wall, you have to set the antenna orientation to 90 degrees. Table 6-2 describes the orientation of the access points.

Configuring Floor Settings

You can modify the appearance of the floor map by selecting or unselecting various floor settings check boxes.
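The density and detection thresholds from the Placing Access Points section above, applied as a location-readiness check in Python. This is an added example, not code from the guide or from NCS; the floor size, access point names and RSSI readings are constructed sample data.

```python
"""Location-readiness check for a floor, using the guide's placement rules.

Rules applied (from the Placing Access Points section): one AP per
2,500 to 5,000 square feet, and a tracked device must be heard by at
least three access points at stronger than -75 dBm before its location
can be computed. Rogue AP and rogue client positions on the heat map are
only as trustworthy as this detection coverage, so it is worth checking
before relying on the map. All sample data below is constructed.
"""
from collections import defaultdict

SQFT_PER_AP_DENSE = 2500   # one AP every ~50 linear feet
SQFT_PER_AP_SPARSE = 5000  # one AP every ~70 linear feet
MIN_RSSI_DBM = -75         # readings must be greater than this to be forwarded
MIN_DETECTING_APS = 3      # guide: no fewer than 3, preferably 4 or 5


def recommended_ap_count(h_span_ft, v_span_ft):
    """Return (low, high) recommended AP count for a floor of the given spans.

    low follows the sparse spacing (5,000 sq ft per AP), high the dense one
    (2,500 sq ft per AP). A floor never needs fewer than MIN_DETECTING_APS,
    because location cannot be computed with fewer detecting APs.
    """
    area = h_span_ft * v_span_ft
    low = max(MIN_DETECTING_APS, -(-area // SQFT_PER_AP_SPARSE))  # ceil
    high = max(low, -(-area // SQFT_PER_AP_DENSE))
    return low, high


def locatable_devices(readings):
    """Group RSSI readings per device and apply the 3-APs-above-threshold rule.

    readings: iterable of (device_mac, ap_name, rssi_dbm).
    Returns {device_mac: (usable_ap_count, locatable)}. Repeated readings
    from the same AP count once; a reading exactly at -75 dBm is not
    "greater than" the threshold and is therefore not counted.
    """
    usable = defaultdict(set)
    seen = set()
    for device, ap, rssi in readings:
        seen.add(device)
        if rssi > MIN_RSSI_DBM:
            usable[device].add(ap)
    return {d: (len(usable[d]), len(usable[d]) >= MIN_DETECTING_APS)
            for d in seen}


# Constructed sample: a 200 ft x 150 ft floor and a few RSSI readings.
SAMPLE_FLOOR_FT = (200, 150)
SAMPLE_READINGS = [
    ("00:11:22:33:44:01", "ap-3f-north", -62),
    ("00:11:22:33:44:01", "ap-3f-east", -70),
    ("00:11:22:33:44:01", "ap-3f-south", -74),
    ("00:11:22:33:44:01", "ap-3f-west", -81),   # too weak, not forwarded
    ("00:11:22:33:44:02", "ap-3f-north", -68),
    ("00:11:22:33:44:02", "ap-3f-north", -66),  # same AP again, counts once
    ("00:11:22:33:44:02", "ap-3f-east", -75),   # equals threshold, not counted
    ("00:11:22:33:44:03", "ap-3f-west", -80),
]

if __name__ == "__main__":
    low, high = recommended_ap_count(*SAMPLE_FLOOR_FT)
    print(f"Recommended APs for a {SAMPLE_FLOOR_FT[0]} x {SAMPLE_FLOOR_FT[1]} ft "
          f"floor: {low} to {high}")
    for device, (count, ok) in sorted(locatable_devices(SAMPLE_READINGS).items()):
        state = "locatable" if ok else "NOT locatable"
        print(f"{device}: {count} AP(s) above {MIN_RSSI_DBM} dBm, {state}")
```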
The selected floor settings appear in the map image.

Note Depending on whether or not a mobility services engine is present in NCS, some of the floor settings may not display. Clients, 802.11 Tags, Rogue APs, Adhoc Rogues, Rogue Clients, and Interferers are visible only if an MSE is present in NCS.

The Floor Settings options include the following:
• Access Points—Filtering Access Point Floor Settings, page 6-46
• AP Heatmaps—Filtering Access Point Heatmap Floor Settings, page 6-49
• AP Mesh Info—Filtering AP Mesh Info Floor Settings, page 6-49
• Clients—Filtering Client Floor Settings, page 6-50
• 802.11 Tags—Filtering 802.11 Tag Floor Settings, page 6-51
• Rogue APs—Filtering Rogue AP Floor Settings, page 6-51
• Rogue Adhocs—Filtering Rogue Adhoc Floor Settings, page 6-52
• Rogue Clients—Filtering Rogue Client Floor Settings, page 6-52
• Coverage Areas
• Location Regions
• Rails
• Markers
• Chokepoints
• Wi-Fi TDOA Receivers
• Interferers—Filtering Interferer Settings, page 6-53

Table 6-2 Antenna Orientation of the Access Points

Access Point | Antenna Orientation
1140 mounted on the ceiling | The Cisco logo should be pointing to the floor. Elevation: 0 degrees.
1240 mounted on the ceiling | The antenna should be perpendicular to the access point. Elevation: 0 degrees.
1240 mounted on the wall | The antenna should be parallel to the access point. Elevation: 0 degrees. If the antenna is perpendicular to the AP, then the angle will be 90 degrees (up or down does not matter because the dipole is omnidirectional).

Use the blue arrows to access floor setting filters for access points, access point heatmaps, clients, 802.11 tags, rogue access points, rogue adhocs, and rogue clients. When filtering options are selected, click OK.

Use the Show MSE data within last drop-down list to select the timeframe for mobility services engine data.
Choose to view mobility services engine data from a range including the past two minutes up to the past 24 hours. This option only appears if a mobility services engine is present on the NCS. Click Save Settings to make the current view and filter settings your new default for all maps.

Figure 6-24 Floor Settings Parameters

Defining Inclusion and Exclusion Regions on a Floor

To further refine location calculations on a floor, you can define the areas that are included (inclusion areas) in the calculations and those areas that are not included (exclusion areas). For example, you might want to exclude areas such as an atrium or stairwell within a building but include a work area (such as cubicles, labs, or manufacturing floors).

Note If the MSE to which the floor is synchronized is running the Aeroscout tag engine, then inclusion and exclusion regions are not calculated for tags.

Viewing Floor Component Details

To view details regarding the components displayed on the Floor View, hover your mouse cursor over the applicable icon. A dialog box displays detailed information. Table 6-3 displays floor map icons.

Table 6-3 Floor Map Icons (the icon images are not reproduced here; each entry gives the icon name and its description)

• Access point icon. The color of the circle indicates the alarm status of the Cisco radios.
Note Each access point contains two Cisco radios. When a single protocol is selected in the Access Point filter page, the entire icon represents this radio. If both protocols are selected, the top half of the icon represents the state of the 802.11a/n radio and the bottom half represents the state of the 802.11b/g/n radio.
Note If a Cisco radio is disabled, a small “x” appears in the middle of the icon.
Note Monitor mode access points are shown with a gray label to distinguish them from other access points.
• AP heatmaps icon.
• Client icon. Hover your mouse cursor over the icon to view client details.
See the “Client Details” section on page 6-105 for more information.
• Tag icon. Hover your mouse cursor over the icon to view tag details. See the “Tag Details” section on page 6-106 for more information.
• Rogue access point icon. The color of the icon indicates the type of rogue access point. For example, red indicates a malicious rogue access point and blue indicates an unknown type. Hover your mouse cursor over the icon to view rogue access point details. See the “Rogue Access Point Details” section on page 6-106 for more information.
• Rogue adhoc icon. Hover your mouse cursor over the icon to view rogue adhoc details. See the “Rogue Adhoc Details” section on page 6-107 for more information.
• Rogue client icon. Hover your mouse cursor over the icon to view rogue client details. See the “Rogue Client Details” section on page 6-107 for more information.
• Coverage icon.
• Location regions icon.
• Rails icon.
• Marker icon.
• Chokepoint icon. See the “Chokepoints” section on page 6-4 for more information.
• Wi-Fi TDOA receiver icon. See the “Adding WiFi TDOA Receivers to a Map” section on page 6-60 for more information.
• Interferer device icon. See the “Interferer Details” section on page 6-107 for more information.

Cisco 1000 Series Lightweight Access Point Icons

The icons indicate the present status of an access point. The circular part of the icon can be split in half horizontally. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.

Note When the icon is representing 802.11a/n and 802.11b/n, the top half displays the 802.11a/n status, and the bottom half displays the 802.11b/g/n status. When the icon is representing only 802.11b/g/n, the whole icon displays the 802.11b/g/n status. The triangle gets whatever color is more severe.

Table 6-4 shows the icons used in the Cisco NCS user interface Map displays.
Table 6-4 Access Point Icons Description (icon: description)

• Green icon: An access point (AP) with no faults. The top half of the circle represents the optional 802.11a Cisco Radio. The bottom half of the circle represents the state of the 802.11b/g Cisco Radio.
• Yellow icon: An access point with a minor fault. The top half of the circle represents the optional 802.11a Cisco Radio. The bottom half of the circle represents the state of the 802.11b/g Cisco Radio.
  Note: A flashing yellow icon indicates that there has been an 802.11a or 802.11b/g interference, noise, coverage, or load Profile Failure. A flashing yellow icon indicates that there have been 802.11a and 802.11b/g Profile Failures.
• Red icon: An access point (AP) with a major or critical fault. The top half of the circle represents the optional 802.11a Cisco Radio. The bottom half of the circle represents the state of the 802.11b/g Cisco Radio.
• Grayed-out icon with a question mark in the middle: An unreachable access point. It is gray because its status cannot be determined.
• Grayed-out icon with no question mark in the middle: An unassociated access point.
• Icon with a red “x” in the center of the circle: An access point that has been administratively disabled.
• Top half green, lower half yellow: The optional 802.11a Cisco Radio (top) has no faults, and the 802.11b/g Cisco Radio (bottom) has a minor fault. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Top half green, lower half red: The optional 802.11a Cisco Radio (top) is operational with no faults, and the 802.11b/g Cisco Radio (bottom) has a major or critical fault. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Top half yellow, lower half red: The optional 802.11a Cisco Radio (top) has a minor fault, and the 802.11b/g Cisco Radio (bottom) has a major or critical fault. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Top half yellow, lower half green: The optional 802.11a Cisco Radio (top) has a minor fault, and the 802.11b/g Cisco Radio (bottom) is operational with no faults. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Top half red, lower half green: The optional 802.11a Cisco Radio (top) has a major or critical fault, and the 802.11b/g Cisco Radio (bottom) is operational with no faults. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Top half red, lower half yellow: The optional 802.11a Cisco Radio (top) has major or critical faults, and the 802.11b/g Cisco Radio (bottom) has a minor fault. The worst of the two Cisco Radio colors determines the color of the large triangular pointer.
• Red “x” on the top half (optional 802.11a): The indicated Cisco Radio has been administratively disabled. The rest of the color coding is as described above. There are six possibilities as shown.

Each of the access point icons includes a small black arrow that indicates the direction in which the internal Side A antenna points. Table 6-5 shows some arrow examples used in the Cisco NCS user interface map displays.

Table 6-5 Arrows

Arrow Example    Direction
First example    Zero degrees, or to the right of the map.
Second example   45 degrees, or to the lower right on the map.
Third example    90 degrees, or down on the map.

These examples show the first three 45-degree increments allowed, with an additional five at 45-degree increments.

Filtering Access Point Floor Settings

If you enable the Access Point floor setting and then click the blue arrow to the right of the Floor Settings, the Access Point Filter dialog box opens with filtering options.

Figure 6-25 Access Point Filter

Access point filtering options include:

• Show—Select the option to display the radio status or the access point status.
  Note: Because the access point icon color is based on the access point status, the icon color may vary depending on the status selected. The default on floor maps is radio status.
• Protocol—From the drop-down list, choose which radio types to display (802.11a/n, 802.11b/g/n, or both).
  Note: The displayed heatmaps correspond with the selected radio type(s).
• Display—From the drop-down list, choose what identifying information is displayed for the access points on the map image.
  – Channels—Displays the Cisco Radio channel number or Unavailable (if the access point is not connected).
    Note: The available channels are defined by the country code setting and are regulated by country. See the following URL for more information: http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps430_Products_Data_Sheet.html
  – TX Power Level—Displays the current Cisco Radio transmit power level (with 1 being high) or Unavailable (if the access point is not connected).
    Note: The power levels differ depending on the type of access point. The 1000 series access points accept a value between 1 and 5, the 1230 access points accept a value between 1 and 7, and the 1240 and 1100 series access points accept a value between 1 and 8. Table 6-6 lists the transmit power level numbers and their corresponding power settings.

    Table 6-6 Transmit Power Level Values

    Transmit Power Level Number   Power Setting
    1                             Maximum power allowed per country code setting
    2                             50% power
    3                             25% power
    4                             12.5 to 6.25% power
    5                             6.25 to 0.195% power

    Note: The power levels are defined by the country code setting and are regulated by country. See the following URL for more information: http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5861/product_data_sheet0900aecd80537b6a_ps430_Products_Data_Sheet.html
  – Channel and Tx Power—Displays both the channel and transmit power level (or Unavailable if the access point is not connected).
  – Coverage Holes—Displays the percentage of clients whose signal became weaker until the client lost its connection, Unavailable for unconnected access points, or MonitorOnly for access points in monitor-only mode.
    Note: Coverage holes are areas in which clients cannot receive a signal from the wireless network. When you deploy a wireless network, you must consider the cost of the initial network deployment and the percentage of coverage hole areas. A reasonable coverage hole criterion for launch is between 2 and 10 percent. This means that between two and ten test locations out of 100 random test locations might receive marginal service. After launch, Cisco Unified Wireless Network Solution Radio Resource Management (RRM) identifies these coverage hole areas and reports them to the IT manager, who can fill holes based on user demand.
  – MAC Addresses—Displays the MAC address of the access point, whether or not the access point is associated to a controller.
  – Names—Displays the access point name. This is the default value.
  – Controller IP—Displays the IP address of the controller to which the access point is associated, or Not Associated for disassociated access points.
  – Utilization—Displays the percentage of bandwidth used by the associated client devices (including receiving, transmitting, and channel utilization). Displays Unavailable for disassociated access points and MonitorOnly for access points in monitor-only mode.
  – Profiles—Displays the load, noise, interference, and coverage components of the corresponding operator-defined thresholds. Displays Okay for thresholds not exceeded, Issue for exceeded thresholds, or Unavailable for unconnected access points.
    Note: Use the Profile Type drop-down list to select Load, Noise, Interference, or Coverage.
  – CleanAir Status—Displays the CleanAir status of the access point, whether or not CleanAir is enabled on the access point.
  – Average Air Quality—Displays the average air quality on this access point. The details include the band and the average air quality.
  – Minimum Air Quality—Displays the minimum air quality on this access point. The details include the band and the minimum air quality.
  – Average and Minimum Air Quality—Displays the average and minimum air quality on this access point. The details include the band, average air quality, and minimum air quality.
  – Associated Clients—Displays the number of associated clients, Unavailable for unconnected access points, or MonitorOnly for access points in monitor-only mode.
    Note: Click the client number to view client details. See the “Monitoring Clients and Users” section on page 10-10 for more information.
  – Bridge Group Names
• RSSI Cutoff—From the drop-down list, select the RSSI cutoff level. The RSSI cutoff ranges from -60 dBm to -90 dBm.
• Show Detected Interferers—Select the check box to display all interferers detected by the access point.
• Max. Interferers/label—From the drop-down list, select the maximum number of interferers to be displayed per label.

Click OK when all applicable filtering criteria are selected.

Filtering Access Point Heatmap Floor Settings

An RF heatmap is a graphical representation of RF wireless data in which the values taken by variables are represented on maps as colors. The current heatmap is computed based on the RSSI prediction model, antenna orientation, and AP transmit power. If you enable the Access Point Heatmap floor setting and click the blue arrow to the right of the Floor Settings, the Contributing APs dialog opens with heatmap filtering options. See Understanding RF Heatmap Calculation, page 6-109 for more information.

Cisco NCS introduces dynamic heatmaps. When dynamic heatmaps are enabled, NCS recomputes the heatmaps to represent changed RSSI values. To configure dynamic heatmaps, see Editing Map Properties, page 6-14.

Access point heatmap filtering options include:

• Heatmap Type—Select Coverage or Air Quality. If you choose Air Quality, you can further filter the heatmap type for access points with average air quality or minimum air quality. Select the appropriate radio button.
  Note: If you have monitor mode access points on the floor plan, you have a choice between IDS or coverage heatmap types. A coverage heatmap excludes monitor mode access points.
  Note: Only APs in 'Local', 'H-REAP', or 'Bridge' mode can contribute to the Coverage and Air Quality heatmaps.
• Total APs—Displays the number of access points positioned on the map.
• Select the access point check box(es) to determine which heatmaps display on the image map.

Click OK when all applicable filtering criteria are selected.
Filtering AP Mesh Info Floor Settings

Note: The AP Mesh Info option only appears when bridging access points are added to the floor.

When this option is selected, Cisco NCS initiates contact with the controllers and displays information about bridging access points. The following information is displayed:

– The link between the child and the parent access point.
– An arrow that indicates the direction from child to parent access point.
– A color-coded link that indicates the signal-to-noise ratio (SNR). A green link represents a high SNR (above 25 dB), an amber link represents an acceptable SNR (20-25 dB), and a red link represents a very low SNR (below 20 dB).

If you enable the AP Mesh Info floor setting and click the blue arrow to the right of the floor settings, the Mesh Parent-Child Hierarchical View page opens with mesh filtering options. You can update the map view by choosing the access points you want to see on the map. From the Quick Selections drop-down list, choose to select only the root access point, the various hops between the first and the fourth, or all access points.

Note: For a child access point to be visible, its parent must also be selected.

Click OK when all applicable filtering criteria are selected.

Filtering Client Floor Settings

Note: The Clients option only displays if a mobility server is added in NCS.

If you enable the Clients floor setting and click the blue arrow to the right, the Client Filter dialog opens.

Figure 6-26 Client Filter

Client filtering options include the following:

• Show All Clients—Select the check box to display all clients on the map.
• Small Icons—Select the check box to display icons for each client on the map.
  Note: If you select both the Show All Clients check box and the Small Icons check box, all other drop-down list options are dimmed out.
  If you unselect the Small Icons check box, you can choose whether you want the label to display MAC address, IP address, username, asset name, asset group, or asset category. If you unselect the Show All Clients check box, you can specify how you want the clients filtered and enter a particular SSID.
• Display—Choose the client identifier (IP address, username, MAC address, asset name, asset group, or asset category) to display on the map.
• Filter By—Choose the parameter by which you want to filter the clients (IP address, username, MAC address, asset name, asset group, asset category, or controller). Once selected, type the specific device in the text box.
• SSID—Enter the client SSID in the available text box.
• Protocol—Choose All, 802.11a/n, or 802.11b/g/n from the drop-down list.
  – All—Displays all the access points in the area.
  – 802.11a/n—Displays a colored overlay depicting the coverage patterns for the clients with 802.11a/n radios. The colors show the received signal strength from red (–35 dBm) through dark blue (–85 dBm).
  – 802.11b/g/n—Displays a colored overlay depicting the coverage patterns for the clients with 802.11b/g/n radios. The colors show the received signal strength from red (–35 dBm) through dark blue (–85 dBm). This is the default value.
• State—Choose All, Idle, Authenticated, Probing, or Associated from the drop-down list.

Click OK when all applicable filtering criteria are selected.

Filtering 802.11 Tag Floor Settings

If you enable the 802.11 Tags floor setting and then click the blue arrow to the right, the Tag Filter dialog opens. Tag filtering options include the following:

• Show All Tags—Select the check box to display all tags on the map.
• Small Icons—Select the check box to display icons for each tag on the map.
  Note: If you select both the Show All Tags check box and the Small Icons check box, all other drop-down list options are dimmed out. If you unselect the Small Icons check box, you can choose whether you want the label to display MAC address, asset name, asset group, or asset category. If you unselect the Show All Tags check box, you can specify how you want the tags filtered.
• Display—Choose the tag identifier (MAC address, asset name, asset group, or asset category) to display on the map.
• Filter By—Choose the parameter by which you want to filter the tags (MAC address, asset name, asset group, asset category, or controller). Once selected, type the specific device in the text box.

Click OK when all applicable filtering criteria are selected.

Filtering Rogue AP Floor Settings

If you enable the Rogue APs floor setting and then click the blue arrow to the right, the Rogue AP filter dialog opens. Rogue AP filtering options include the following:

• Show All Rogue APs—Select the check box to display all rogue access points on the map.
• Small Icons—Select the check box to display icons for each rogue access point on the map.
  Note: If you select both the Show All Rogue APs check box and the Small Icons check box, all other drop-down list options are dimmed out. If you unselect the Show All Rogue APs check box, you can specify how you want the rogue access points filtered.
• MAC Address—If you want to view a particular MAC address, enter it in the MAC Address text box.
• State—Use the drop-down list to choose from the Alert, Known, Acknowledged, Contained, Threat, or Unknown Contained states.
• On Network—Use the drop-down list to specify whether or not you want to display rogue access points that are on the network.

Click OK when all applicable filtering criteria are selected.
Filtering Rogue Adhoc Floor Settings

If you enable the Rogue Adhocs floor setting and then click the blue arrow to the right, the Rogue Adhoc filter dialog opens. Rogue Adhoc filtering options include the following:

• Show All Rogue Adhocs—Select the check box to display all rogue adhocs on the map.
• Small Icons—Select the check box to display icons for each rogue adhoc on the map.
  Note: If you select both the Show All Rogue Adhocs check box and the Small Icons check box, all other drop-down list options are dimmed out. If you unselect the Show All Rogue Adhocs check box, you can specify how you want the rogue adhocs filtered.
• MAC Address—If you want to view a particular MAC address, enter it in the MAC Address text box.
• State—Use the drop-down list to select from the Alert, Known, Acknowledged, Contained, Threat, or Unknown Contained states.
• On Network—Use the drop-down list to specify whether or not you want to display rogue adhocs that are on the network.

Click OK when all applicable filtering criteria are selected.

Filtering Rogue Client Floor Settings

If you enable the Rogue Clients floor setting and then click the blue arrow to the right, the Rogue Clients filter dialog opens. Rogue Clients filtering options include the following:

• Show All Rogue Clients—Select the check box to display all rogue clients on the map.
• Small Icons—Select the check box to display icons for each rogue client on the map.
  Note: If you select both the Show All Rogue Clients check box and the Small Icons check box, all other drop-down list options are dimmed out. If you unselect the Show All Rogue Clients check box, you can specify how you want the rogue clients filtered.
• Assoc. Rogue AP MAC Address—If you want to view a particular MAC address, enter it in the MAC Address text box.
• State—Use the drop-down list to choose from the Alert, Contained, Threat, or Unknown Contained states.

Click OK when all applicable filtering criteria are selected.

Filtering Interferer Settings

If you enable the Interferer floor setting and then click the blue arrow to the right, the Interferers filter dialog opens. Interferer filtering options include:

• Show active interferers only—Select the check box to display all active interferers.
• Small Icons—Select the check box to display icons for each interferer on the map.
• Show Zone of Impact—Displays the approximate interference impact area. The opacity of the circle denotes its severity: a solid red circle represents a very strong interferer that will likely disrupt WiFi communications, and a light pink circle represents a weak interferer.

Click OK when all applicable filtering criteria are selected.

Import Map and AP Location Data

When converting from autonomous to lightweight access points and from WLSE to NCS, one of the conversion steps is to manually re-enter the access point-related information into NCS. To speed up this process, you can export the information about access points from WLSE and import it into NCS.

Note: NCS expects a .tar file and checks for a .tar extension before importing the file. If the file you are trying to import is not a .tar file, NCS displays an error message and prompts you to import a different file.

Note: For more information on the WLSE data export functionality (WLSE version 2.15), see http://:1741/debug/export/exportSite.jsp.

To map properties and import a tar file containing WLSE data using the NCS web interface, follow these steps:

Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Import Maps, and click Go.
Step 3 Choose the WLSE Map and AP Location Data option and click Next.

Figure 6-27 Import WLSE Map and AP Location Data

Step 4 In the Import WLSE Map and AP Location Data page, click Browse to select the file to import.
Step 5 Find and select the .tar file to import and click Open. NCS displays the name of the file in the Import From text box.
Step 6 Click Import. NCS uploads the file and temporarily saves it into a local directory while it is being processed. If the file contains data that cannot be processed, NCS prompts you to correct the problem and retry. Once the file has been loaded, NCS displays a report of what will be added to NCS. The report also specifies what cannot be added and why. If some of the data to be imported already exists, NCS either uses the existing data (in the case of campuses) or overwrites the existing data with the imported data (in the case of buildings and floors).
  Note: If there are duplicate names between a WLSE site and building combination and an NCS campus (or top-level building) and building combination, NCS displays a message in the Pre Execute Import Report indicating that it will delete the existing building.
Step 7 Click Import to import the WLSE data. NCS displays a report indicating what was imported.
Step 8 Choose Monitor > Site Maps to view the imported data.

Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File

To change an access point, Wi-Fi TDOA receiver, or chokepoint position, follow these steps:

Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Properties.
Step 3 From the Unit of Dimension drop-down list, choose feet or meters.
Step 4 Select the Advanced Debug Mode Enable radio button.
Step 5 Click OK.
Step 6 From the Select a command drop-down list, choose Export/Import AP/WiFi TDOA Receiver/Chokepoint Placement.
Step 7 In the Import/Export AP/WiFi TDOA Receiver/Chokepoint Placement page, click Browse to find the file you want to import.
  Note: The file must already be created and added to NCS.
  Note: The following is the correct file format:
    [BuildingName], [FloorName], [AP/WiFi TDOA Receiver/Chokepoint Name], (aAngle), (bAngle), [X], [Y], ([aAngleElevation, bAngleElevation, Z]), (aAntennaType, aAntennaMode, (aAntennaPattern, (aAntennaGain)), bAntennaType, bAntennaDiversity, (bAntennaPattern, bAntennaGain)))))
  The parameters in square brackets are mandatory, and those in parentheses are optional.
  Note: Angles must be entered in radians (X,Y), and the height is entered in feet. The aAngle and bAngle range is from –2Pi (-6.28...) to 2Pi (6.28...), and the elevation ranges from –Pi (-3.14...) to Pi (3.14...).
Step 8 Click Import. The RF calculation takes approximately two seconds per component.

Changing Access Point Positions by Importing and Exporting a File

You can change an access point position by importing or exporting a file. The file contains only the lines describing the access point you want to move. This option takes less time than manually changing multiple access point positions. Follow these steps to change access point positions by importing or exporting a file.

Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose Import AP/WiFi TDOA Receiver/Chokepoint Placement or Export AP/WiFi TDOA Receiver/Chokepoint Placement and click Go.
Step 3 In Import Data from File or Export Data from File, click Browse to find the file you want to import.
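The placement file format quoted in the note under Step 7 of the previous procedure, and repeated for this one, is a positional comma-separated record: fields in square brackets are mandatory, fields in parentheses are optional, angles are radians within the stated ranges, and Z is in feet. The following Python validator is an added example and is not code from the Cisco guide or from NCS. It assumes that an omitted optional field is left empty between its commas (the guide does not say how omissions are written) and treats the antenna fields as opaque; the sample lines are constructed. Running a file through it before uploading lets you fix every malformed line at once.

```python
import csv
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Positional layout taken from the format string in the guide:
#   [BuildingName], [FloorName], [Name], (aAngle), (bAngle), [X], [Y],
#   ([aAngleElevation, bAngleElevation, Z]), (antenna fields...)
# Square brackets are mandatory, parentheses optional. Assumption (not stated
# in the guide): an omitted optional field is left empty between its commas.
MANDATORY = {0: "BuildingName", 1: "FloorName", 2: "Name", 5: "X", 6: "Y"}
TWO_PI = 2 * math.pi


@dataclass
class Placement:
    building: str
    floor: str
    name: str
    x: float
    y: float
    a_angle: Optional[float] = None      # radians, -2*pi .. 2*pi
    b_angle: Optional[float] = None      # radians, -2*pi .. 2*pi
    a_elevation: Optional[float] = None  # radians, -pi .. pi
    b_elevation: Optional[float] = None  # radians, -pi .. pi
    z: Optional[float] = None            # height in feet
    antenna: List[str] = field(default_factory=list)  # passed through unparsed


def _angle(text: str, lo: float, hi: float, label: str) -> Optional[float]:
    """Parse an optional angle field and enforce the range the guide gives."""
    if text == "":
        return None
    try:
        value = float(text)
    except ValueError:
        raise ValueError(f"{label} is not numeric: {text!r}")
    if not lo <= value <= hi:
        raise ValueError(f"{label}={value} outside [{lo:.2f}, {hi:.2f}] radians")
    return value


def parse_placement_line(line: str, lineno: int = 0) -> Placement:
    """Parse one placement line; raise ValueError naming the line on any defect."""
    fields = [f.strip() for f in next(csv.reader([line]))]
    if len(fields) < 7:
        raise ValueError(f"line {lineno}: expected at least 7 fields, got {len(fields)}")
    for idx, label in MANDATORY.items():
        if fields[idx] == "":
            raise ValueError(f"line {lineno}: mandatory field {label} is empty")
    try:
        x, y = float(fields[5]), float(fields[6])
    except ValueError:
        raise ValueError(f"line {lineno}: X and Y must be numeric")
    p = Placement(fields[0], fields[1], fields[2], x, y)
    p.a_angle = _angle(fields[3], -TWO_PI, TWO_PI, f"line {lineno}: aAngle")
    p.b_angle = _angle(fields[4], -TWO_PI, TWO_PI, f"line {lineno}: bAngle")
    # The elevation group is optional as a whole, but its members are in square
    # brackets, so once any of them is present all three are required.
    elev = fields[7:10]
    if any(elev):
        if len(elev) < 3 or not all(elev):
            raise ValueError(f"line {lineno}: elevation group needs aAngleElevation, bAngleElevation and Z")
        p.a_elevation = _angle(elev[0], -math.pi, math.pi, f"line {lineno}: aAngleElevation")
        p.b_elevation = _angle(elev[1], -math.pi, math.pi, f"line {lineno}: bAngleElevation")
        try:
            p.z = float(elev[2])
        except ValueError:
            raise ValueError(f"line {lineno}: Z must be numeric (feet)")
    p.antenna = fields[10:]
    return p


def parse_placement_file(text: str) -> Tuple[List[Placement], List[str]]:
    """Validate every line and collect all problems rather than stopping at the first."""
    good, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            good.append(parse_placement_line(raw, lineno))
        except ValueError as exc:
            errors.append(str(exc))
    return good, errors


# Constructed sample: two valid lines, one aAngle out of range, one missing FloorName.
SAMPLE = """\
HQ, Floor1, AP-01, 0.0, 1.57, 120.5, 44.0, 0.0, 0.0, 10
HQ, Floor1, AP-02, , , 200, 80
HQ, Floor1, AP-03, 7.0, 0, 10, 10
HQ, , AP-04, 0, 0, 5, 5
"""

if __name__ == "__main__":
    ok, errs = parse_placement_file(SAMPLE)
    print(f"{len(ok)} valid line(s)")
    for e in errs:
        print("reject:", e)
```

The range checks mirror the note exactly (aAngle and bAngle within –2Pi..2Pi, elevations within –Pi..Pi); X, Y and Z are only checked for being numeric, since the guide gives no bounds for them.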
  The file must already have been created in the following format and added to NCS (see the “Inspect VoWLAN Readiness” section on page 6-77):
    [BuildingName], [FloorName], [APName], (aAngle), (bAngle), [X], [Y], ([aAngleElevation, bAngleElevation, Z]), (aAntennaType, aAntennaMode, (aAntennaPattern, (aAntennaGain)), bAntennaType, bAntennaDiversity, (bAntennaPattern, bAntennaGain)))))
  Note: The parameters in square brackets are mandatory, and those in parentheses are optional.
  Note: Angles must be entered in radians (X,Y), and the height is entered in feet. The aAngle and bAngle range is from –2Pi (-6.28...) to 2Pi (6.28...), and the elevation ranges from –Pi (-3.14...) to Pi (3.14...).
Step 4 Click Import. The RF calculation takes approximately two seconds per access point.

Configuring Chokepoints

Using chokepoints in conjunction with active Cisco Compatible Extensions compliant tags provides immediate location information on a tag and its asset. When a Cisco Compatible Extensions tag moves out of the range of a chokepoint, its subsequent beacon frames do not contain any identifying chokepoint information. Location determination of the tag then defaults to the standard calculation methods based on RSSIs reported by the access point associated with the tag.

This section contains the following topics:

• Using Chokepoints to Enhance Tag Location Reporting, page 6-56
• Adding Chokepoints to the NCS Database, page 6-56
• Adding a Chokepoint to an NCS Map, page 6-57
• Positioning Chokepoints, page 6-58
• Removing Chokepoints from the NCS Database and Map, page 6-59

Using Chokepoints to Enhance Tag Location Reporting

Installing chokepoints provides enhanced location information for RFID tags. When an active Cisco Compatible Extensions version 1 compliant RFID tag enters the range of a chokepoint, it is stimulated by the chokepoint.
The MAC address of this chokepoint is then included in the next beacon sent by the stimulated tag. All access points that detect this tag beacon then forward the information to the controller and location appliance.

Using chokepoints in conjunction with active Cisco Compatible Extensions compliant tags provides immediate location information on a tag and its asset. When a Cisco Compatible Extensions tag moves out of the range of a chokepoint, its subsequent beacon frames do not contain any identifying chokepoint information. Location determination of the tag then defaults to the standard calculation methods based on RSSIs reported by the access point associated with the tag.

Adding Chokepoints to the NCS Database

Chokepoints are installed and configured as recommended by the chokepoint vendor. After the chokepoint installation is complete and operational, the chokepoint can be entered into the location database and plotted on an NCS map. To add a chokepoint to the NCS database, follow these steps:

Step 1 Choose Configure > Chokepoints.
Step 2 From the Select a command drop-down list, choose Add Chokepoints.
Step 3 Click Go.
Step 4 Enter the MAC address and name for the chokepoint.
Step 5 Select the Entry/Exit Chokepoint check box.
Step 6 Enter the coverage range for the chokepoint.
  Note: The chokepoint range is a visual representation only and is product-specific. The actual range must be configured separately using the applicable chokepoint vendor software.
Step 7 Click OK.
  Note: After the chokepoint is added to the database, it can be placed on the appropriate NCS floor map.

Adding a Chokepoint to an NCS Map

To add the chokepoint to a map, follow these steps:

Step 1 Choose Monitor > Site Maps.
Step 2 In the Maps page, choose the link that corresponds to the floor location of the chokepoint.
Step 3 From the Select a command drop-down list, choose Add Chokepoints.
Step 4 Click Go.
  Note: The Add Chokepoints summary page lists all recently added chokepoints that are in the database but not yet mapped.
Step 5 Select the check box next to the chokepoint that you want to place on the map.
Step 6 Click OK. A map appears with a chokepoint icon located in the top-left corner. You are now ready to place the chokepoint on the map.
Step 7 Left-click the chokepoint icon and drag it to the proper location.
  Note: The MAC address, name, and coverage range of the chokepoint appear in the left pane when you click the chokepoint icon for placement.
Step 8 Click Save. You are returned to the floor map and the added chokepoint appears on the map.
  Note: The newly created chokepoint icon may or may not appear on the map depending on the display settings for that floor.
  Note: The rings around the chokepoint icon indicate the coverage area. When a CCX tag and its asset pass within the coverage area, location details are broadcast, and the tag is automatically mapped on the chokepoint coverage circle. When the tag moves out of the chokepoint range, its location is calculated as before and is no longer mapped on the chokepoint rings.
  Note: The MAC address, name, entry/exit chokepoint, static IP address, and range of the chokepoint appear when you hover your mouse cursor over its map icon.
Step 9 If the chokepoint does not appear on the map, select the Chokepoints check box located in the Floor Settings menu.
  Note: Do not click Save Settings unless you want to save these display criteria for all maps.
  Note: You must synchronize the network design to the mobility services engine or location server to push chokepoint information.

Positioning Chokepoints

To position chokepoints on the map, follow these steps:

Step 1 Left-click the chokepoint icon and drag it to the proper location.
  Note: The MAC address, name, and coverage range of the chokepoint appear in the left pane when you click the chokepoint icon for placement.
Step 2 Click Save when the icon is correctly placed on the map.
Step 3 The newly created chokepoint icon may or may not appear on the map depending on the display settings for that floor. If the icon does not appear, repeat Step 11.
  Note: The rings around the chokepoint icon indicate the coverage area. When a Cisco Compatible Extensions tag and its asset pass within the coverage area, location details are broadcast, and the tag is automatically mapped on the chokepoint coverage circle. The chokepoint range is shown as a visual only; chokepoint vendor software is required to actually configure the range. When the tag moves out of the chokepoint range, its location is calculated as before and is no longer mapped on the chokepoint rings.
  Note: The MAC address, name, and range of a chokepoint display when you hover your mouse cursor over its map icon.
Step 4 If the chokepoint does not appear on the map, choose Layers to view a drop-down list of possible elements to display on the map. Select the Chokepoints check box.
Step 5 Click X to close the Layers page.
  Note: Do not click Save Settings unless you want to save these display criteria for all maps.
  Note: You can change the position of chokepoints by importing or exporting a file. See the “Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File” section on page 6-54 for more information.

Removing Chokepoints from the NCS Database and Map

You can remove one or multiple chokepoints at a time. Follow these steps to delete a chokepoint.

Step 1 Choose Configure > Chokepoints.
Step 2 Select the check box(es) next to the chokepoint(s) to be deleted.
Step 3 From the Select a command drop-down list, choose Remove Chokepoints.
Step 4 Click Go.
Step 5 Click OK to confirm the chokepoint deletion.

Step 6 To remove chokepoints from a floor map, from the Select a command drop-down list on the applicable NCS floor map page, choose Remove Chokepoints.

Step 7 Click Go.

Step 8 Select the check box(es) next to the chokepoint(s) to be deleted.

Step 9 Click OK.

Configuring WiFi TDOA Receivers

This section contains the following topics:
• Adding WiFi TDOA Receivers to the NCS Database, page 6-60
• Adding WiFi TDOA Receivers to a Map, page 6-60
• Positioning WiFi TDOA Receivers, page 6-60
• Removing WiFi TDOA Receivers from the Map, page 6-61
• Removing WiFi TDOA Receivers from the NCS Database, page 6-61

Adding WiFi TDOA Receivers to the NCS Database

To add WiFi TDOA receivers to the NCS database, follow these steps:

Step 1 Choose Configure > WiFi TDOA Receivers.

Step 2 From the Select a command drop-down list, choose Add WiFi TDOA Receivers.

Step 3 Click Go.

Step 4 Enter the MAC address, name, and static IP address for the WiFi TDOA receiver.

Note WiFi TDOA receivers are configured separately using the WiFi TDOA receiver vendor software.

Step 5 Click OK to save the WiFi TDOA receiver entry to the database.

Note After the WiFi TDOA receiver is added to the database, place it on the appropriate NCS floor map. See the “Adding WiFi TDOA Receivers to a Map” section on page 6-60 for more information.

Adding WiFi TDOA Receivers to a Map

To add a WiFi TDOA receiver to a map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Choose the link that corresponds to the floor location of the WiFi TDOA receiver.

Step 3 From the Select a command drop-down list, choose Add WiFi TDOA Receivers.

Step 4 Click Go.

Note The Add WiFi TDOA Receivers summary page lists all recently added WiFi TDOA receivers that are in the database but not yet mapped.

Step 5 Select the check box next to the WiFi TDOA receiver to be added to the map.
Step 6 Click OK. A map appears with a green WiFi TDOA receiver icon located in the top-left corner. You are now ready to position the WiFi TDOA receiver on the map.

Positioning WiFi TDOA Receivers

To position WiFi TDOA receivers on the map, follow these steps:

Step 1 Left-click the WiFi TDOA receiver icon and drag it to the proper location.

Note The MAC address and name of the WiFi TDOA receiver appear in the left pane when you click the WiFi TDOA receiver icon for placement.

Step 2 Click Save when the icon is correctly placed on the map.

Note The MAC address of the WiFi TDOA receiver appears when you hover the mouse cursor over its map icon.

Step 3 If the WiFi TDOA receiver does not appear on the map, click Layers to view a drop-down list of the elements that can be displayed on the map, and select the WiFi TDOA Receivers check box.

Step 4 Click X to close the Layers page.

Note Do not select Save Settings unless you want to save these display criteria for all maps.

Note You can change the position of WiFi TDOA receivers by importing or exporting a file. See the “Positioning Access Points, Wi-Fi TDOA Receivers, and Chokepoints by Importing or Exporting a File” section on page 6-54 for more information.

Removing WiFi TDOA Receivers from the Map

To remove a WiFi TDOA receiver from a floor map, follow these steps:

Step 1 From the Select a command drop-down list on the applicable NCS floor map page, choose Remove WiFi TDOA Receivers.

Step 2 Click Go.

Step 3 Select the check box(es) next to the WiFi TDOA receiver(s) to be deleted.

Note You can remove multiple WiFi TDOA receivers at a time from a map.

Step 4 Click OK.

Removing WiFi TDOA Receivers from the NCS Database

To remove a WiFi TDOA receiver from the NCS database, follow these steps:

Step 1 Choose Configure > WiFi TDOA Receivers.
Step 2 Select the check box(es) next to the WiFi TDOA receiver(s) to be deleted.

Note You can remove multiple WiFi TDOA receivers at a time from the database.

Step 3 From the Select a command drop-down list, choose Remove WiFi TDOA Receivers.

Step 4 Click Go.

Step 5 Click OK to confirm the deletion.

Managing RF Calibration Models

If the provided RF models do not sufficiently characterize the floor layout, you can create a calibration model that is applied to the floor and better represents the attenuation characteristics of that floor. Calibration models are RF overlays with measured RF signal characteristics that can be applied to different floor areas. This enables the Cisco WLAN solution installation team to lay out one floor in a multi-floor area, use the RF calibration tool to measure and save the RF characteristics of that floor as a new calibration model, and apply that calibration model to all other floors with the same physical layout.

You can collect data for a calibration using one of two methods:
• Point mode data collection—Calibration points are selected and their coverage area is calculated one location at a time.
• Linear mode data collection—A series of linear paths are selected and then calculated as you traverse the path. This approach is generally faster than point mode data collection. You can also use point mode data collection to augment data collection for locations missed by the linear paths.

Note Calibration models can only be applied to clients, rogue clients, and rogue access points. Calibration for tags is done using the AeroScout System Manager. See http://support.aeroscout.com for details on tag calibration.

Note A client device that supports both 802.11a/n and 802.11b/g/n radios is recommended to expedite the calibration process for both spectrums.
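The two collection modes just described, together with the completion rule given in the Start Calibration Process steps later in this section (roughly 50 distinct locations and 150 measurements per band), as an added example. This is not code from the guide or from Cisco NCS. It assumes that linear-mode readings taken at a steady walking pace are spread evenly along the Start-to-Finish path; the band names, the MAC address format and the completion thresholds are the guide's, and the sample readings at the bottom are constructed.

```python
"""Added example, not Cisco NCS code: a small stand-in for the calibration data
collection described in this section. It normalises the calibrating client's
MAC address to the colon-delimited form the Add Data Points page expects,
records point-mode samples, spreads linear-mode samples evenly along the walked
path (an assumption about how the tool places them), and reports a band as done
once the guide's rule of roughly 50 distinct locations and 150 measurements is
met. Band names and thresholds come from the guide; everything else is this
example's own design. The sample data at the bottom is constructed.
"""
import re
from collections import defaultdict

BANDS = ("802.11a/n", "802.11b/g/n")
DONE_LOCATIONS = 50       # distinct calibration locations per band (from the guide)
DONE_MEASUREMENTS = 150   # per-AP RSSI measurements per band (from the guide)


def normalize_mac(mac: str) -> str:
    """Return the MAC as FF:FF:FF:FF:FF:FF. Accepts 00-11-..., 0011.2233.4455 and bare hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class CalibrationModel:
    """One RF calibration model: per-band lists of (x, y, {ap_name: rssi_dbm})."""

    def __init__(self, name: str, client_mac: str):
        self.name = name
        self.client_mac = normalize_mac(client_mac)
        self.samples = defaultdict(list)

    def add_point(self, band, x, y, rssi_by_ap):
        """Point mode: one location and the RSSI at which each access point heard the client."""
        if band not in BANDS:
            raise ValueError(f"unknown band {band!r}")
        if not rssi_by_ap:
            raise ValueError("no access point heard the client at this point")
        self.samples[band].append((float(x), float(y), dict(rssi_by_ap)))

    def add_linear(self, band, start, finish, readings):
        """Linear mode: readings taken at a steady pace from Start to Finish are
        given positions by linear interpolation along the path (assumption)."""
        if len(readings) < 2:
            raise ValueError("a linear path needs at least two readings")
        (x0, y0), (x1, y1) = start, finish
        last = len(readings) - 1
        for i, rssi_by_ap in enumerate(readings):
            t = i / last
            self.add_point(band, x0 + t * (x1 - x0), y0 + t * (y1 - y0), rssi_by_ap)

    def delete_in_square(self, band, x_min, y_min, x_max, y_max):
        """Mirror the Delete tool: drop every data point inside the square; return how many."""
        kept = [s for s in self.samples[band]
                if not (x_min <= s[0] <= x_max and y_min <= s[1] <= y_max)]
        removed = len(self.samples[band]) - len(kept)
        self.samples[band] = kept
        return removed

    def status(self, band):
        """Progress for one band, as the status bar above the legend would report it."""
        recs = self.samples[band]
        locations = {(round(x, 1), round(y, 1)) for x, y, _ in recs}
        measurements = sum(len(r) for _, _, r in recs)
        return {"locations": len(locations), "measurements": measurements,
                "done": len(locations) >= DONE_LOCATIONS and measurements >= DONE_MEASUREMENTS}


def build_demo_model():
    """Constructed data: two point samples on 802.11a/n and one 100 m linear path on 802.11b/g/n."""
    m = CalibrationModel("Floor2-open-plan", "00-1a-2b-3c-4d-5e")
    m.add_point("802.11a/n", 5, 5, {"AP1": -48, "AP2": -61})
    m.add_point("802.11a/n", 5, 15, {"AP1": -55, "AP2": -58, "AP3": -70})
    # 51 readings while walking (0,0) -> (100,0): one every 2 m, three APs hear each.
    readings = [{"AP1": -40 - i, "AP2": -70 + i // 2, "AP3": -65} for i in range(51)]
    m.add_linear("802.11b/g/n", (0, 0), (100, 0), readings)
    return m


if __name__ == "__main__":
    model = build_demo_model()
    for band in BANDS:
        print(band, model.status(band))
    print("removed", model.delete_in_square("802.11a/n", 0, 0, 10, 10), "point(s)")
```

With the constructed data the 802.11b/g/n band reaches 51 locations and 153 measurements and is reported done, while 802.11a/n, with only two points, is not; the Delete-square call removes the single 802.11a/n point that falls inside it.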
Use a laptop or other wireless device to open a browser to the NCS server and perform the calibration process.

This section contains the following topics:
• Access Current Calibration Models, page 6-63
• Apply Calibration Models to Maps, page 6-63
• Calibration Model Properties, page 6-63
• Calibration Model Details, page 6-63
• Create New Calibration Models, page 6-64
• Start Calibration Process, page 6-64
• Calibrating, page 6-67
• Apply to Maps, page 6-67
• Delete Calibration Models, page 6-67

Access Current Calibration Models

To access current calibration models, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 From the Select a command drop-down list, choose RF Calibration Models. The Model Name and Status for each calibration model are listed.

Step 3 Click the Model Name to access a specific calibration model.

Apply Calibration Models to Maps

To apply a current calibration model to a map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 From the Select a command drop-down list, choose RF Calibration Models.

Step 3 Click the Model Name to access the applicable calibration model.

Step 4 From the Select a command drop-down list, choose Apply to Maps.

Step 5 Click Go.

Calibration Model Properties

To view or edit current calibration models, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 From the Select a command drop-down list, choose RF Calibration Models.

Step 3 Click the Model Name to access the applicable calibration model.

Step 4 From the Select a command drop-down list, choose Properties.

Step 5 Click Go to view or edit the calibration model details. See the “Calibration Model Details” section on page 6-63 for the parameters that can be edited.

Calibration Model Details

To edit calibration model details, follow these steps:

Step 1 Choose Monitor > Site Maps.
Step 2 From the Select a command drop-down list, choose RF Calibration Models.

Step 3 Click the Model Name to access the applicable calibration model.

Step 4 From the Select a command drop-down list, choose Properties.

Step 5 Click Go.

Step 6 The following parameters can be edited:
• Sweep Client Power for Location—Select to enable. You may want to enable this if a high density of access points exists and transmit power is reduced or unknown. Sweeping the range of client transmit power may improve accuracy, but scalability is negatively affected.
• HeatMap Binsize—Choose 4, 8, 16, or 32 from the drop-down list.
• HeatMap Cutoff—Determine the heatmap cutoff. A low heatmap cutoff is recommended, especially if the access point density is high and RF propagation conditions are favorable. A higher cutoff value increases scalability but may make it difficult to locate clients.

Step 7 When you have made the necessary changes, or to exit the page, click OK.

Create New Calibration Models

To create a new calibration model, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 From the Select a command drop-down list, choose RF Calibration Models.

Step 3 Click Go.

Step 4 From the Select a command drop-down list, choose Create New Model.

Step 5 Click Go.

Step 6 Enter a Model Name and click OK. The new model appears along with the other RF calibration models with a status of Not Yet Calibrated.

Start Calibration Process

To start the calibration process, follow these steps:

Step 1 Click the Model Name to open the Calibration Model > Model Name page.

Step 2 From the Select a command drop-down list, choose Add Data Points.

Step 3 Click Go.

Step 4 Enter the MAC address of the device being used to perform the calibration. Manually entered MAC addresses must be delimited with colons (such as FF:FF:FF:FF:FF:FF).
Note If this process is being performed from a mobile device connected to NCS through the Cisco Centralized architecture, the MAC address text box is automatically populated with the device address.

Step 5 Choose the appropriate campus, building, floor, or outdoor area where the calibration is performed.

Note Calibration in an outdoor area is supported from release 1.0.x onward. Use this option to add calibration data points to an outdoor area; the data points are added using the same calibration procedure.

Step 6 Click Next.

Step 7 When the chosen floor map and access point locations are displayed, a grid of plus marks (+) indicates the locations where data collection for calibration is performed. Using these locations as guidelines, you can perform either a point or a linear collection of data by placing either the Calibration Point pop-up (point) or the Start and Finish pop-ups (linear) that appear on the map when the respective option is chosen.

To do a point collection of data for the calibration:

a. Choose Point from the Collection Method drop-down list and select the Show Data points check box if it is not already selected. A calibration point pop-up appears on the map.

b. Position the tip of the calibration point pop-up at a data point (+), and click Go. A pane appears showing the progress of the data collection.

Note Rotate the calibrating client laptop during data collection so that the client is heard evenly by all access points in the vicinity.

c. When the data collection is complete for the selected data point and the coverage area is plotted on the map, move the calibration point pop-up to another data point, and click Go.

Note The coverage area plotted on the map is color-coded and corresponds to the wireless LAN standard used to collect that data.
Information on color-coding is provided in the legend on the left side of the page. The progress of the calibration process is indicated by two status bars above the legend, one for 802.11a/n and one for 802.11b/g/n.

Note To delete data points for locations selected in error, click Delete and move the black square that appears over the appropriate data points. Resize the square as necessary by pressing Ctrl and moving the mouse.

d. Repeat point collection steps a to c until the calibration status bars of the relevant spectrums (802.11a/n, 802.11b/g/n) display as done.

Note The calibration status bar reports data collection as done after roughly 50 distinct locations and 150 measurements have been gathered. For every location point saved in the calibration process, more than one data point is gathered.

To do a linear collection of data for the calibration:

a. Choose Linear from the Collection Method drop-down list, and select the Show Data points check box if it is not already selected. A line appears on the map with both Start and Finish pop-ups.

b. Position the tip of the Start pop-up at the starting data point.

c. Position the Finish pop-up at the ending data point.

d. Position yourself with your laptop at the starting data point, and click Go. Walk steadily toward the end point along the defined path. A pane appears to show that data collection is in progress.

Note Do not stop data collection until you reach the end point, even if the data collection bar indicates completion.

Note Only Intel and Cisco adapters have been tested. Make sure Enable Cisco Compatible Extensions and Enable Radio Management Support are enabled in the Cisco Compatible Extension Options.
e. Press the space bar (or click Done on the data collection panel) when you reach the end point. The collection pane displays the number of samples taken before it closes to reveal the map. The map displays all the coverage areas where data was collected.

Note To delete data points for locations selected in error, click Delete and move the black square that appears over the appropriate data points. Resize the square as necessary by pressing Ctrl and moving the mouse.

Note The coverage area is color-coded and corresponds to the wireless LAN standard used to collect that data. Information on color-coding is provided in the legend on the left side of the page.

f. Repeat linear collection steps b to e until the status bar for the respective spectrum is filled in (done).

Note You can augment linear collection with point mode data collection to address missed coverage areas.

Step 8 Click the name of the calibration model at the top of the page to return to the main page for that model and calibrate the data points.

Step 9 Choose Calibrate from the Select a command drop-down list, and click Go.

Step 10 Click the Inspect Location Quality link when calibration completes. A map showing RSSI readings appears.

Step 11 To use the newly created calibration model, you must apply the model to the floor on which it was created (and to any other floors with similar attenuation characteristics). Navigate to Monitor > Site Maps and find the specific floor to which the model is applied. At the floor map, choose Edit Floor Area from the Select a command drop-down list, and click Go.

Step 12 From the Floor Type (RF Model) drop-down list, choose the newly created calibration model. Click OK to apply the model to the floor.

Note This process can be repeated for as many models and floors as needed.
After a model is applied to a floor, all location determination performed on that floor uses the attenuation data collected for that calibration model.

Calibrating

To compute the collected data points, follow these steps:

Step 1 Click the Model Name to open the Calibration Model > Model Name page.

Step 2 In the Calibration Model > Model Name page, choose Calibrate from the Select a command drop-down list.

Step 3 Click Go.

Apply to Maps

To use the newly created calibration model, you must apply the model to the floor on which it was created (along with any other floors with similar attenuation characteristics). To apply the model to a floor, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Locate the specific floor to which the model is to be applied.

Step 3 From the Select a command drop-down list, choose Edit Floor Area.

Step 4 Click Go.

Step 5 From the Floor Type (RF Model) drop-down list, choose the newly created calibration model.

Step 6 Click OK to apply the model to the floor.

This process can be repeated for as many models and floors as needed. After a model is applied to a floor, all location determination performed on that floor uses the attenuation data collected for that calibration model.

Delete Calibration Models

To delete a calibration model, follow these steps:

Step 1 Click the Model Name to open the Calibration Model > Model Name page.

Step 2 From the Select a command drop-down list, choose Delete Model.

Step 3 Click Go.

Managing Location Presence Information

You can enable location presence through the mobility services engine to provide expanded Civic (city, state, postal code, country) and GEO (longitude, latitude) location information beyond the Cisco default setting (campus, building, floor, and X, Y coordinates).
This information can then be requested by clients on demand for use by location-based services and applications. See the “Enabling Location Presence for Mobility Services” section on page 16-47 for more information on enabling location presence.

To view or edit current location presence information for a map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the check box of the map.

Step 3 From the Select a command drop-down list, choose Location Presence.

Step 4 Click Go. The Location Presence page appears.

Note The current map location information (Area Type, Campus, Building, and Floor) refers to the map you selected from the Monitor > Site Maps page. To select a different map, use the Select a Map to Update Presence Information drop-down lists to select the new map location.

Figure 6-28 Location Presence

Step 5 Click the Civic Address, GPS Markers, or Advanced tab.
– Civic Address—Identifies the campus, building, or floor by name, street, house number, house number suffix, city (address line 2), state, postal code, and country.
– GPS Markers—Identify the campus, building, or floor by longitude and latitude.
– Advanced—Identifies the campus, building, or floor with expanded civic information such as neighborhood, city division, county, and postal community name.

Note Each selected parameter is inclusive of all of those above it. For example, if you select Advanced, it can also provide GPS and Civic location information upon client demand. The selected setting must match what is set at the mobility services engine level. See the “Enabling Location Presence for Mobility Services” section on page 16-47 for more information.

Note If a client requests location information such as GPS Markers for a campus, building, floor, or outdoor area that is not configured for that parameter, an error message appears.
Note By default, the Override Child Element Presence Info check box is selected.

Searching Maps

You can use the following parameters in the Search Maps page:
• Search for
• Map Name
• Search in
• Save Search
• Items per page

After you click Go, the map search results page appears (see Table 6-7).

Table 6-7 Map Search Results

Parameter      Options
Name           Clicking an item in the Name list gives a map of an existing building with individual floor area maps for each floor.
Type           Campus, building, or floor area.
Total APs      Displays the total number of Cisco radios detected.
a/n Radios     Displays the number of 802.11a/n Cisco radios.
b/g/n Radios   Displays the number of 802.11b/g/n Cisco radios.

Using the Map Editor

You can use the NCS map editor to define, draw, and enhance floor plan information. This section contains the following topics:
• Opening Map Editor, page 6-70
• Using the Map Editor to Draw Polygon Areas, page 6-70
• Defining an Inclusion Region on a Floor, page 6-73
• Defining an Exclusion Region on a Floor, page 6-74
• Defining a Rail Line on a Floor, page 6-75

Opening Map Editor

Follow these steps to use the map editor:

Step 1 Choose Monitor > Site Maps to display the Maps page.

Step 2 Click the desired campus. NCS displays the Site Maps > Campus Name page.

Step 3 Click the desired building.

Step 4 Click the desired floor area. NCS displays the Site Maps > Campus Name > Building Name > Floor Area Name page.

Step 5 From the Select a command drop-down list, choose Map Editor, and click Go. NCS displays the Map Editor page.

Note Make sure that the floor plan images are properly scaled so that all white space outside of the external walls is removed. To make sure that floor dimensions are accurate, choose the compass tool from the toolbar.

Step 6 Position the reference length. When you do, the Scale menu appears with the line length supplied.
Enter the dimensions (width and height) of the reference length, and click OK.

Step 7 Choose the propagation pattern from the Antenna Mode drop-down list.

Step 8 Make antenna adjustments by sliding the antenna orientation bar to the desired degree of direction.

Step 9 Choose the desired access point.

Step 10 Click Save.

Using the Map Editor to Draw Polygon Areas

If you have a building that is non-rectangular, or you want to mark a non-rectangular area within a floor, you can use the map editor to draw a polygon-shaped area.

Step 1 Add the floor plan if it is not already represented in NCS (see the “Adding Floor Areas to a Campus Building” section on page 6-28).

Step 2 Choose Monitor > Site Maps.

Step 3 Click the Map Name that corresponds to the outdoor area, campus, building, or floor you want to edit.

Step 4 From the Select a command drop-down list, choose Map Editor, and click Go.

Step 5 In the Map Editor page, click the Add Perimeter icon on the toolbar (see Figure 6-29). A pop-up appears.

Figure 6-29 Map Editor Page

Step 6 Enter the name of the area that you are defining. Click OK. A drawing tool appears.

Step 7 Move the drawing tool to the area you want to outline.
• Click the left mouse button to begin and end drawing a line.
• When you have completely outlined the area, double-click the left mouse button and the area is highlighted in the page (see Figure 6-30). The outlined area must be a closed object to appear highlighted on the map.

Figure 6-30 Polygon Area

Step 8 Click the disk icon on the toolbar to save the newly drawn area.

Step 9 Choose Command > Exit to close the window. You are returned to the original floor plan.
Note When you return to the original floor plan view after exiting the map editor, the newly drawn area is not shown; however, it appears in the Planning Mode page when you add elements.

Step 10 Choose Planning Mode from the Select a command drop-down list to begin adding elements to the newly defined polygon-shaped area.

Table 6-8 explains the color coding of obstacles.

Table 6-8 Obstacle color coding

Type of obstacle   Loss (in dB)
Thick wall         13
Light wall         2
Heavy door         15
Light door         4
Cubicle            1
Glass              1.5

Note The RF prediction heatmap for an access point is an approximation of the actual RF signal intensity. It takes into account the attenuation of obstacles drawn using the Map Editor, but it does not take into account the attenuation of various building materials, such as drywall or metal objects, nor does it display the effects of RF signals bouncing off obstructions. The thick wall (color-coded orange) with a loss of 13 dB may not be enough to contain the RF signal within the walls shown on the heatmap.

Defining an Inclusion Region on a Floor

To define an inclusion area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the name of the appropriate floor area.

Step 3 From the Select a command drop-down list, choose Map Editor.

Step 4 Click Go.

Step 5 At the map, click the aqua box on the toolbar.

Note A message box appears reminding you that only one inclusion area can be defined at a time. Defining a new inclusion region automatically removes the previously defined inclusion region. By default, an inclusion region is defined for each floor when it is added to NCS. The inclusion region is indicated by a solid aqua line and generally outlines the region.

Step 6 Click OK in the message box that appears. A drawing icon appears to outline the inclusion area.
Step 7 To begin defining the inclusion area, move the drawing icon to a starting point on the map and click once.

Step 8 Move the cursor along the boundary of the area you want to include and click to end a border line. Click again to define the next boundary line.

Step 9 Repeat Step 8 until the area is outlined, and then double-click the drawing icon. A solid aqua line defines the inclusion area.

Step 10 Choose Save from the Command menu or click the disk icon on the toolbar to save the inclusion region.

Note If you made an error in defining the inclusion area, click the area. The selected area is outlined by a dashed aqua line. Next, click the X icon on the toolbar. The area is removed from the floor map.

Step 11 To return to the floor map and enable inclusion regions on heatmaps, choose Exit from the Command menu.

Step 12 At the floor map, open the Layers drop-down list.

Step 13 Select the Location Regions check box if it is not already selected. If you want it to apply to all floor maps, click Save settings. Close the Layers configuration pane.

Step 14 To resynchronize the NCS and MSE databases, choose Services > Synchronize Services.

Note If the two databases are already synchronized, a resynchronization happens automatically every time there is a change; there is no need for an explicit resynchronization.

Step 15 At the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click Synchronize. Check the Sync. Status column to ensure that the synchronization is successful (two green arrows).

Note Newly defined inclusion and exclusion regions appear on heatmaps only after the mobility services engine recalculates location.

Defining an Exclusion Region on a Floor

To further refine location calculations on a floor, you can define areas that are excluded (exclusion areas) from the calculations.
For example, you might want to exclude areas such as an atrium or stairwell within a building. As a rule, exclusion areas are defined within the borders of an inclusion area.

To define an exclusion area, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the name of the appropriate floor area.

Step 3 From the Select a command drop-down list, choose Map Editor.

Step 4 Click Go.

Step 5 At the map, click the purple box on the toolbar.

Step 6 Click OK in the message box that appears. A drawing icon appears to outline the exclusion area.

Step 7 To begin defining the exclusion area, move the drawing icon to the starting point on the map, and click once.

Step 8 Move the drawing icon along the boundary of the area you want to exclude; click once to start a boundary line and click again to end it.

Step 9 Repeat Step 8 until the area is outlined, and then double-click the drawing icon. When the area is completely defined, the excluded area is shaded in purple.

Step 10 To define additional exclusion regions, repeat Step 5 to Step 9.

Step 11 When all exclusion areas are defined, choose Save from the Command menu or click the disk icon on the toolbar to save the exclusion regions.

Note To delete an exclusion area, click the area to be deleted. The selected area is outlined by a dashed purple line. Next, click the X icon on the toolbar. The area is removed from the floor map.

Step 12 To return to the floor map and enable exclusion regions on heatmaps, choose Exit from the Command menu.

Step 13 At the floor map, open the Layers drop-down list.

Step 14 Select the Location Regions check box if it is not already selected, click Save settings, and close the Layers configuration pane when complete.
Step 15 To resynchronize the NCS and location databases, choose Services > Synchronize Services.

Step 16 At the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click Synchronize. Check the Sync. Status column to ensure that the synchronization is successful (two green arrows).

Defining a Rail Line on a Floor

You can define a rail line on a floor that represents a conveyor belt. Additionally, you can define an area around the rail, known as the snap-width, to further assist location calculations. This represents the area in which you expect clients to appear. Any client located within the snap-width area is plotted on the rail line (majority) or just outside of the snap-width area (minority).

Note Rail line configurations do not apply to tags.

The snap-width area is defined in feet or meters (user-defined) and represents the distance that is monitored on either side (east and west, or north and south) of the rail.

To define a rail on a floor, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the name of the appropriate floor area.

Step 3 Choose Map Editor from the Select a command drop-down list.

Step 4 Click Go.

Step 5 At the map, click the rail icon (to the right of the purple exclusion icon) on the toolbar.

Step 6 In the message pane that appears, enter a snap-width (feet or meters) for the rail and then click OK. A drawing icon appears.

Step 7 Click the drawing icon at the starting point of the rail line. Click again when you want to stop drawing the line or change the direction of the line.

Step 8 Click the drawing icon twice when the rail line is completely drawn on the floor map. The rail line appears on the map and is bordered on either side by the defined snap-width region.

Note To delete a rail line, click the area to be deleted. The selected area is outlined by a dashed purple line. Next, click the X icon on the toolbar. The area is removed from the floor map.
Step 9 To return to the floor map and enable rails on heatmaps, choose Exit from the Command menu.

Step 10 At the floor map, open the Layers drop-down list.

Step 11 Select the Rails check box if it is not already selected, click Save settings, and close the Layers configuration panel when complete.

Step 12 To resynchronize NCS and the mobility services engine, choose Services > Synchronize Services.

Step 13 At the Synchronize page, choose Network Designs from the Synchronize drop-down list and then click Synchronize. Check the Sync. Status column to ensure that the synchronization is successful (two green arrows).

Inspecting Location Readiness and Quality

You can configure NCS to verify the ability of the existing access point deployment to estimate the true location of a client, rogue client, rogue access point, or tag within 10 meters at least 90% of the time. The location readiness calculation is based on the number and placement of access points. You can also check the location quality, that is, the ability of a given location to meet the location specification (10 m, 90%), based on data points gathered during a physical inspection and calibration.

Inspect Location Readiness

The Inspect Location Readiness feature is a distance-based predictive tool that can point out problem areas with access point placement. To access the Inspect Location Readiness tool, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the applicable floor area name to view the map.

Note If RSSI is not displayed, you can enable AP Heatmaps under the Layers menu (top-left).

Note If clients, tags, and access points are not displayed, verify that their respective check boxes are selected in the Layers menu. Licenses for both clients and tags must also be purchased for each to be tracked.
Step 3 From the Select a command drop-down list, choose Inspect Location Readiness.

Step 4 Click Go. A color-coded map appears showing those areas that meet (indicated by Yes) and do not meet (indicated by No) the ten meter, 90% location specification.

Inspecting Location Quality Using Calibration Data

After completing a calibration model based on data points generated during a physical tour of the area, you can inspect the location quality of the access points.

To inspect location quality based on calibration, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Choose RF Calibration Model from the Select a command list. Click Go. A list of calibration models appears.

Step 3 Click the appropriate calibration model. Details on the calibration, including the date of the last calibration, the number of data points by signal type (802.11a, 802.11 b/g) used in the calibration, location, and coverage, are displayed.

Step 4 In the same page, click the Inspect Location Quality link found under the Calibration Floors heading. A color-coded map noting the percentage of location errors appears.

Note You can modify the distance selected to see the effect on the location errors.

Inspect VoWLAN Readiness

The voice readiness tool (the VoWLAN Readiness tool) allows you to check whether the RF coverage is sufficient for your voice needs. This tool verifies RSSI levels after access points have been installed.

To access the VoWLAN Readiness Tool (VRT), follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the applicable floor area name.

Step 3 From the Select a command drop-down list, choose Inspect VoWLAN Readiness.

Step 4 Choose the applicable Band, AP Transmit Power, and Client parameters from the drop-down lists.

Note By default, the region map is displayed for the b/g/n band using the Cisco Phone based RSSI threshold.
The new settings cannot be saved.

Step 5 Depending on the selected client, the RSSI values may not be editable.
• Cisco Phone—RSSI values are not editable.
• Custom—RSSI values are editable within the following ranges:
  – Low threshold between -95 dBm and -45 dBm
  – High threshold between -90 dBm and -40 dBm

Step 6 The following color scheme indicates whether or not the area is Voice Ready:
• Green—Yes
• Yellow—Marginal
• Red—No

Note The accuracy of the Green/Yellow/Red regions depends on the RF environment and whether or not the floor is calibrated. If the floor is calibrated, the accuracy of the regions is enhanced.

Troubleshooting Voice RF Coverage Issues

• Floors with or without calibration data:
  – Set the AP Transmit parameter to Max (the maximum downlink power setting). If the map still shows some yellow or red regions, more access points are required to cover the floor.
  – If the calibrated model shows red or yellow regions (where voice is expected to be deployed) with the AP Transmit parameter set to Current, increasing the power level of the access points may help.

Monitoring Mesh Networks Using Maps

You can access and view details for the following elements from a mesh network map in Cisco NCS:
• Mesh Link Statistics
• Mesh Access Points
• Mesh Access Point Neighbors

How this information is accessed and displayed for each of these items is detailed in this section.
This section contains the following topics:
• Monitoring Mesh Link Statistics Using Maps, page 6-78
• Monitoring Mesh Access Points Using Maps, page 6-81
• Monitoring Mesh Access Point Neighbors Using Maps, page 6-83
• Viewing the Mesh Network Hierarchy, page 6-85
• Using Mesh Filters to Modify Map Display of Maps and Mesh Links, page 6-87

Monitoring Mesh Link Statistics Using Maps

You can view the SNR for a specific mesh network link, view the number of packets transmitted and received on that link, and initiate a link test in the Monitor > Site Maps page.

To view details on a specific mesh link between two mesh access points or between a mesh access point and a root access point, perform the following:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the Map Name that corresponds to the outdoor area, campus, building, or floor you want to monitor.

Step 3 From the left sidebar menu, click the arrow to the right of AP Mesh Info (see Figure 6-31). A Mesh Filter dialog box appears.

Figure 6-31 Mesh Filter Page

Step 4 Move the cursor over the colored dot next to each mesh access point child to view details on the link between it and its parent. Table 6-9 summarizes the parameters that appear. The color of the dot also provides a quick reference point of the SNR strength.
• A green dot represents a high SNR (above 25 dB).
• An amber dot represents an acceptable SNR (20-25 dB).
• A red dot represents a low SNR (below 20 dB).
• A black dot indicates a root access point.
The Bridging Link information appears.

Step 5 Click either Link Test, Child to Parent or Link Test, Parent to Child. After the link test is complete, a results page appears.

Table 6-9 Bridging Link Information (Parameter: Description)
  Information fetched on: Date and time that information was compiled.
  Link SNR: Link signal-to-noise ratio (SNR).
  Link Type: Hierarchical link relationship.
  SNR Up: Signal-to-noise ratio for the uplink (dB).
  SNR Down: Signal-to-noise ratio for the downlink (dB).
  PER: The packet error rate for the link.
  Tx Parent Packets: The TX packets to a node while acting as a parent.
  Rx Parent Packets: The RX packets to a node while acting as a parent.
  Time of Last Hello: Date and time of the last hello.

Note A link test runs for 30 seconds.

Note You cannot run link tests for both links (child-to-parent and parent-to-child) at the same time.

Step 6 To view a graphical representation of SNR statistics over a period of time, click the arrow on the link. A page with multiple SNR graphs appears (see Figure 6-32). The following graphs are displayed for the link:
• SNR Up—Plots the RSSI values of the neighbor from the perspective of the access point.
• SNR Down—Plots the RSSI values that the neighbor reports to the access point.
• Link SNR—Plots a weighted and filtered measurement based on the SNR Up value.
• The Adjusted Link Metric—Plots the value used to determine the least cost path to the root access point. This value is the ease of reaching the rooftop access point and accounts for the number of hops. The lower the ease value, the less likely the path is used.
• The Unadjusted Link Metric—Plots the least cost path to the root access point unadjusted by the number of hops. The higher the value for the unadjusted link, the better the path.
Figure 6-32 Mesh SNR Graphs Page (Top)

Monitoring Mesh Access Points Using Maps

You can view the following summary information for a mesh access point from a mesh network map:
• Parent
• Number of children
• Hop count
• Role
• Group name
• Backhaul interface
• Data Rate
• Channel

Note This information is in addition to the information shown for all access points (MAC address, access point model, controller IP address, location, height of access point, access point up time, and LWAPP up time).

Note You can also view detailed configuration and access alarm and event information from the map. For detailed information on the Alarms and Events displayed, see the “Alarm and Event Dictionary” section on page 13-1.

To view summary and detailed configuration information for a mesh access point from a mesh network map, perform the following:

Step 1 In NCS, choose Monitor > Site Maps.

Step 2 Click the Map Name that corresponds to the outdoor area, campus, building, or floor location of the access point you want to monitor.

Step 3 To view summary configuration information for an access point, move the cursor over the access point that you want to monitor. A dialog box with configuration information for the selected access point appears (see Figure 6-33).

Figure 6-33 Mesh AP Summary Dialog Box

Step 4 To view detailed configuration information for an access point, double-click the access point appearing on the map. The configuration details for the access point appear (see Figure 6-34).

Note For more details on the View Mesh Neighbors link in the access point dialog box (see Figure 6-33), see the “Monitoring Mesh Access Point Neighbors Using Maps” section on page 6-83.
If the access point has an IP address, a Run Ping Test link is also visible at the bottom of the mesh access point pane.

Figure 6-34 Mesh AP Detail Page

Step 5 In the Access Point configuration page, follow these steps to view configuration details for the mesh access point.

a. Click the General tab to view the overall configuration of the mesh access point, such as AP name, MAC address, AP up time, associated controllers (registered and primary), operational status, and software version.

Note The software version for mesh access points has the letter m appended, followed by the word mesh in parentheses.

b. Click the Interface tab to view configuration details for the interfaces supported on the mesh access point. Interface options are radio and Ethernet.

c. Click the Mesh Links tab to view parent and neighbor details (name, MAC address, packet error rate, and link details) for the mesh access point. You can also initiate link tests from this page.

d. Click the Mesh Statistics tab to view details on the bridging, queue, and security statistics for the mesh access point. For more details on mesh statistics, see the “Mesh Statistics for an Access Point” section on page 5-78.

Monitoring Mesh Access Point Neighbors Using Maps

To view details on neighbors of a mesh access point from a mesh network map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Click the Map Name that corresponds to the outdoor area, campus, building, or floor you want to monitor.

Step 3 To view detailed information on mesh links for a mesh access point, click the arrow portion of the access point label. The Access Points screen appears.

Step 4 Click the Mesh Links tab (see Figure 6-35).
Figure 6-35 Access Points > Mesh Links Page

Note You can also view mesh link details for neighbors of a selected access point by clicking the View Mesh Neighbors link on the Mesh tab of the access point configuration summary page, which appears when you hover your mouse over an access point on a map (see Figure 6-36).

Figure 6-36 Access Point Configuration Summary Dialog Box

Note The signal-to-noise ratio (SNR) appears on the View Mesh Neighbors page (see Figure 6-37).

Figure 6-37 View Mesh Neighbors Dialog Box

Note In addition to listing the current and past neighbors in the pane that appears, labels are added to the mesh access point map icons to identify the selected access point, the neighbor access point, and the child access point. Click the clear link of the selected access point to remove the relationship labels from the map.

Note The drop-down lists at the top of the mesh neighbors page indicate the resolution of the map displayed (100%) and how often the displayed information is updated (5 mins). You can modify these default values.

Viewing the Mesh Network Hierarchy

You can view the parent-child relationship of mesh access points within a mesh network in an easily navigable display. You can also filter which access points display on the Map view by selecting only access points of interest.

To view the mesh network hierarchy for a selected network, perform the following:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the map you want to display.

Step 3 Select the AP Mesh Info check box in the left sidebar menu if it is not already selected.

Note The AP Mesh Info check box is only selectable if mesh access points are present on the map. It must be selected to view the mesh hierarchy.
Step 4 Click the blue arrow to the right of AP Mesh Info to display the mesh parent-child hierarchy (see Figure 6-38).

Figure 6-38 Mesh Parent-Child Hierarchical View

Step 5 Click the plus (+) sign next to a mesh access point to display its children. All subordinate mesh access points are displayed when a minus (-) sign displays next to the parent mesh access point entry. For example, in Figure 6-38, the access point indoor-mesh-45-rap2 has only one child, indoor-mesh-44-map2.

Step 6 Move the cursor over the colored dot next to each mesh access point child to view details on the link between it and its parent. Table 6-10 summarizes the parameters that appear. The color of the dot also provides a quick reference point of the SNR strength.
• A green dot represents a high SNR (above 25 dB).
• An amber dot represents an acceptable SNR (20-25 dB).
• A red dot represents a low SNR (below 20 dB).
• A black dot indicates a root access point.

Table 6-10 Bridging Link Information (Parameter: Description)
  Information fetched on: Date and time that information was compiled.
  Link SNR: Link signal-to-noise ratio (SNR).
  Link Type: Hierarchical link relationship.
  SNR Up: Signal-to-noise ratio for the uplink (dB).
  SNR Down: Signal-to-noise ratio for the downlink (dB).
  PER: The packet error rate for the link.
  Tx Parent Packets: The TX packets to a node while acting as a parent.
  Rx Parent Packets: The RX packets to a node while acting as a parent.
  Time of Last Hello: Date and time of the last hello.

Using Mesh Filters to Modify Map Display of Maps and Mesh Links

In the mesh hierarchical page, you can also define mesh filters to determine which mesh access points display on the map based on hop values, as well as what labels display for mesh links. Mesh access points are filtered by the number of hops between them and their root access point.

To use mesh filtering, follow these steps:

Step 1 To modify what label and color displays for a mesh link, follow these steps:

a. In the Mesh Parent-Child Hierarchical View, choose an option from the Link Label drop-down list. Options are None, Link SNR, and Packet Error Rate.

b. In the Mesh Parent-Child Hierarchical View, choose an option from the Link Color drop-down list to define which parameter (Link SNR or Packet Error Rate) determines the color of the mesh link on the map.

Note The color of the link provides a quick reference point of the SNR strength or Packet Error Rate. Table 6-11 defines the different link colors.

Note The Link label and color settings are reflected on the map immediately (see Figure 6-39). You can display both SNR and PER values simultaneously.

Step 2 To modify which mesh access points display based on the number of hops between them and their parents, do the following:

a. In the Mesh Parent-Child Hierarchical View, choose the appropriate options from the Quick Selections drop-down list. A description of the options is provided in Table 6-12.
Table 6-11 Definition for SNR and Packet Error Rate Link Color (Link Color: Link SNR; Packet Error Rate (PER))
  Green: SNR above 25 dB (high value); PER of one percent (1%) or lower.
  Amber: SNR between 20 and 25 dB (acceptable value); PER less than ten percent (10%) and greater than one percent (1%).
  Red: SNR below 20 dB (low value); PER greater than ten percent (10%).

Table 6-12 Quick Selection Options (Parameter: Description)
  Select only Root APs: Choose this setting if you want the map view to display root access points only.
  Select up to 1st hops: Choose this setting if you want the map view to display 1st hops only.
  Select up to 2nd hops: Choose this setting if you want the map view to display 2nd hops only.
  Select up to 3rd hops: Choose this setting if you want the map view to display 3rd hops only.
  Select up to 4th hops: Choose this setting if you want the map view to display 4th hops only.
  Select All: Select this setting if you want the map view to display all access points.

b. Click Update Map View to refresh the screen and display the map view with the selected options.

Note Map view information is retrieved from the NCS database and is updated every 15 minutes.

Note You can also select or unselect the check boxes of access points in the mesh hierarchical view to modify which mesh access points are displayed. For a child access point to be visible, every access point from its parent up to the root access point must be selected.

Note If you want the MAC address to appear with the client logo in the Monitor > Site Maps page, follow these steps:
a) Go to the Maps Tree View.
b) Click the > beside Clients.
c) Unselect the Small Icons check box.

Figure 6-39 Mesh Filter and Hop Count Configuration Page

Monitoring Tags Using Maps

On an NCS map, you can review the name of the access point that generated the signal for a tagged asset, its signal strength, and when the location information was last updated for the asset. This information is displayed by hovering the mouse cursor over the asset tag icon on the map.

To enable tag location status on a map, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Choose Campus > Building > Floor for the applicable mobility services engine and tag.

Step 3 Select the 802.11 Tags check box in the Floor Settings pane (left), if not already selected.

Note Do not click Save Settings unless you want to save changes made to the Floor Settings across all maps.

Step 4 Hover the mouse cursor over a tag icon (yellow tag), and a summary of its configuration appears in a dialog box.

Step 5 Click the tag icon to see tag details in a new window.

Using Planning Mode

You can calculate the recommended number and location of access points based on whether data and/or voice traffic and/or location are active.

Note Based on the throughput specified for each protocol (802.11a or 802.11 b/g), planning mode calculates the total number of access points required to provide optimum coverage in your network.

Accessing Planning Mode

To access the Planning Mode feature, follow these steps:

Step 1 Choose Monitor > Site Maps.

Step 2 Select the desired campus or building from the Name list.

Step 3 Click the desired floor area in the Building.

Step 4 From the Select a command drop-down list, choose Planning Mode.

Step 5 Click Go.

Note Planning mode does not use AP type or antenna pattern information for calculating the number of access points required.
The calculation is based on the access point coverage area or the number of users per access point.

Planning Mode options:
• Add APs—Enables you to add access points on a map. See the “Adding Access Points to a Floor Area” section on page 6-34 for details.
• Delete APs—Deletes the selected access points.
• Map Editor—Opens the Map Editor window. See the “Using the Map Editor” section on page 6-69 for more details.
• Synchronize with Deployment—Synchronizes your planning mode access points with the current deployment scenario.
• Generate Proposal—Displays a planning summary of the current access point deployment.
• Planned AP Association Tool—Allows you to add, delete, or import an AP association from an Excel or CSV file. Once an access point is defined, it can be associated to a base radio MAC address using the Planned AP Association Tool. If the AP has not yet been discovered, it is pushed into a standby bucket and is associated when it is discovered.

Note AP association is subject to the limitation that the AP must not already belong to any floor or outdoor area. If the AP is already assigned to a floor or outdoor area, the standby bucket holds the AP, and once it is removed from that floor or outdoor area it is positioned on the given floor. One MAC address cannot be put into the bucket for multiple floors or outdoor areas.

Note Map synchronization works only if the AP is associated to its base radio MAC address and not to its Ethernet MAC address.

Using Planning Mode to Calculate Access Point Requirements

The NCS planning mode enables you to calculate the number of access points required to cover an area by placing fictitious access points on a map and allowing you to view the coverage area. Based on the throughput specified for each protocol (802.11a/n or 802.11b/g/n), planning mode calculates the total number of access points required to provide optimum coverage in your network.
You can calculate the recommended number and location of access points based on the following criteria:
• traffic type active on the network: data or voice traffic or both
• location accuracy requirements
• number of active users
• number of users per square footage

To calculate the recommended number and placement of access points for a given deployment, follow these steps:

Step 1 Choose Monitor > Site Maps. The Site Map page appears (see Figure 6-40).

Figure 6-40 Monitor > Site Maps Page

Step 2 Select the appropriate location link from the list that appears. A color-coded map appears showing the placement of all installed elements (access points, clients, tags) and their relative signal strength (see Figure 6-41).

Figure 6-41 Selected Floor Area Showing Current Access Point Assignments

Step 3 Choose Planning Mode from the Select a command drop-down list (top-right), and click Go. A blank floor map appears.

Step 4 Click Add APs.

Step 5 In the page that appears, drag the dashed-line rectangle over the map location for which you want to calculate the recommended access points (see Figure 6-42).

Note Adjust the size or placement of the rectangle by selecting the edge of the rectangle and holding down the Ctrl key. Move the mouse as necessary to outline the targeted location.

Figure 6-42 Add APs Page

Step 6 Choose Automatic from the Add APs drop-down list.

Step 7 Choose the AP Type and the appropriate antenna and protocol for that access point.

Step 8 Choose the target throughput for the access point.

Step 9 Select the check box(es) next to the service(s) that will be used on the floor.
Options are Data/Coverage (default), Voice, Location, and Location with Monitor Mode APs (see Table 6-13).

Note You must select at least one service or an error occurs.

Note If you select the Advanced Options check box, two additional access point planning options appear: Demand and Override Coverage per AP. Additionally, a Safety Margin parameter appears for the Data/Coverage and Voice safety margin options.

Table 6-13 Definition of Services Option (Service Options: Description)

Data/Coverage: Select this check box if data traffic is transmitted on the wireless LAN. The following densities are used depending on the band and data rates:

  Band      Path Loss Model (dBm)  Data Rate (Mb/s)  Area (Sq. ft.)
  802.11a   –3.3                   10-12             6000
  802.11a   –3.3                   15-18             4500
  802.11a   –3.5                   10-12             5000
  802.11a   –3.5                   15-18             3250
  802.11bg  –3.3                   5                 6500
  802.11bg  –3.3                   6                 4500
  802.11bg  –3.5                   5                 5500
  802.11bg  –3.5                   6                 3500

  If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, or very safe) of the signal strength threshold for data.
  • Aggressive = Minimum (–3 dBm)
  • Safe = Medium (0 dBm)
  • Very Safe = Maximum (+3 dBm)

Voice: Select the Voice check box if voice traffic is transmitted on the wireless LAN. If you select the Advanced Options check box, you can select the desired safety margin (aggressive, safe, very safe, or 7920-enabled) of the signal strength threshold for voice.
  • Aggressive = Minimum [–78 dBm (802.11a/b/g)]
  • Safe = Medium [–75 dBm (802.11a/b/g)]
  • Very Safe = Maximum [–72 dBm (802.11a/b/g)]
  • 7920_enabled = [–72 dBm (802.11a); –67 dBm (802.11b/g)]

Location: Select this check box to ensure that the recommended access point calculation provides the true location of an element within 10 meters at least 90% of the time. To meet the criteria, access points are collocated within 70 feet of each other in a hexagonal pattern employing staggered and perimeter placement.

Note Each service option includes all services that are listed above it. For example, if you select the Location check box, the calculation considers data/coverage, voice, and location in determining the optimum number of access points required.

Table 6-14 Definition of Advanced Services (Service Options: Description)

Data/Coverage, Voice, Location: As defined in Table 6-13, including the same density table, safety margin values, and the rule that each service option includes all services listed above it.

Demand: Select this check box if you want to use the total number of users or the user ratio per access point as the basis for the access point calculation.

Override Coverage per AP: Select this check box if you want to specify square foot coverage as the basis for access point coverage.

Safety Margin: Select this check box to qualify relative signal strength requirements for data and voice service in the access point calculation. Options are Aggressive, Safe, Very Safe, and 7920-enabled (voice only). Select Aggressive to require minimal signal strength in the calculation and Very Safe to request the highest signal strength.

Step 10 Click Calculate. The recommended number of access points given the selected services appears (see Figure 6-43).

Figure 6-43 Recommended Number of Access Points Given Selected Services and Parameters

Note Recommended calculations assume the need for consistently strong signals unless adjusted downward by the safety margin advanced option. In some cases, the recommended number of access points is higher than what is required.

Note Walls are not used or accounted for in planning mode calculations.
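The arithmetic behind three of the planning-mode inputs described above (the Data/Coverage densities of Table 6-13, the Demand option's users-per-AP ratio, and the 70-foot hexagonal spacing for the Location service), worked through in an added Python example that is not NCS code. The guide does not document how NCS lays out its hexagonal pattern, so the staggered lattice with perimeter rows and columns, the function names, and the 200 ft x 100 ft sample floor are assumptions.

```python
"""Planning-mode access point estimate: added example, not NCS code.

Reproduces the arithmetic behind three planning-mode inputs described in the
guide: the per-AP coverage densities of Table 6-13 (Data/Coverage), the
"users per access point" basis of the Demand option, and the 70-foot
hexagonal spacing given for the Location service.  The guide does not say how
NCS lays out its hexagonal pattern, so the staggered lattice with perimeter
rows and columns below is an assumption made for illustration.
"""
import math

# Table 6-13 densities: (band, path-loss model, data-rate range in Mb/s) -> sq. ft. per AP.
COVERAGE_SQFT_PER_AP = {
    ("802.11a", -3.3, (10, 12)): 6000,
    ("802.11a", -3.3, (15, 18)): 4500,
    ("802.11a", -3.5, (10, 12)): 5000,
    ("802.11a", -3.5, (15, 18)): 3250,
    ("802.11bg", -3.3, (5, 5)): 6500,
    ("802.11bg", -3.3, (6, 6)): 4500,
    ("802.11bg", -3.5, (5, 5)): 5500,
    ("802.11bg", -3.5, (6, 6)): 3500,
}

# Location service: "access points are collocated within 70 feet of each other".
LOCATION_SPACING_FT = 70.0


def area_per_ap_sqft(band, path_loss, rate_mbps):
    """Return the Table 6-13 density whose data-rate range contains rate_mbps."""
    for (b, pl, (lo, hi)), area in COVERAGE_SQFT_PER_AP.items():
        if b == band and pl == path_loss and lo <= rate_mbps <= hi:
            return area
    raise ValueError(f"no Table 6-13 row for {band} / {path_loss} / {rate_mbps} Mb/s")


def data_coverage_aps(width_ft, depth_ft, band, path_loss, rate_mbps):
    """Data/Coverage: floor area divided by the per-AP coverage area, rounded up."""
    return math.ceil(width_ft * depth_ft / area_per_ap_sqft(band, path_loss, rate_mbps))


def demand_aps(active_users, users_per_ap):
    """Demand option: total users divided by the user ratio per AP, rounded up."""
    return math.ceil(active_users / users_per_ap)


def _positions(length_ft, pitch_ft, offset_ft):
    """Positions offset, offset+pitch, ... up to length, plus the far edge when the
    last regular position falls short of it (our reading of perimeter placement)."""
    pos = []
    p = offset_ft
    while p <= length_ft + 1e-9:
        pos.append(p)
        p += pitch_ft
    if not pos or pos[-1] < length_ft - 1e-9:
        pos.append(length_ft)
    return pos


def location_hex_grid(width_ft, depth_ft, spacing_ft=LOCATION_SPACING_FT):
    """Staggered hexagonal lattice over a rectangular floor (assumed layout):
    rows spacing*sqrt(3)/2 apart, odd rows shifted right by half the spacing."""
    row_pitch = spacing_ft * math.sqrt(3) / 2
    points = []
    for row, y in enumerate(_positions(depth_ft, row_pitch, 0.0)):
        x_offset = spacing_ft / 2 if row % 2 else 0.0
        for x in _positions(width_ft, spacing_ft, x_offset):
            points.append((round(x, 2), round(y, 2)))
    return points


def max_nearest_neighbor_ft(points):
    """Largest distance from any AP to its closest neighbour.  The 70-foot
    Location criterion is met when this does not exceed LOCATION_SPACING_FT."""
    worst = 0.0
    for i, (x1, y1) in enumerate(points):
        nearest = min(math.hypot(x1 - x2, y1 - y2)
                      for j, (x2, y2) in enumerate(points) if j != i)
        worst = max(worst, nearest)
    return worst


def required_aps(width_ft, depth_ft, band, path_loss, rate_mbps, services):
    """Each service includes the services listed above it in Table 6-13, so a
    Location request must also satisfy Data/Coverage: take the larger count."""
    need = data_coverage_aps(width_ft, depth_ft, band, path_loss, rate_mbps)
    if "location" in services:
        need = max(need, len(location_hex_grid(width_ft, depth_ft)))
    return need


if __name__ == "__main__":
    # Constructed sample floor: 200 ft x 100 ft, 802.11a, -3.3 path-loss model, 12 Mb/s.
    print("data/coverage only:", required_aps(200, 100, "802.11a", -3.3, 12, {"data"}))
    print("with location:", required_aps(200, 100, "802.11a", -3.3, 12, {"data", "location"}))
    grid = location_hex_grid(200, 100)
    print(f"{len(grid)} location APs, worst nearest-neighbour gap "
          f"{max_nearest_neighbor_ft(grid):.1f} ft")
```

On the sample floor the data-only estimate is 4 access points while the Location lattice needs 12, which mirrors the guide's note that the recommended count can be higher than the coverage requirement alone.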
Step 11 Click Apply to generate a map that shows the proposed deployment of the recommended access points in the selected area based on the selected services and parameters (see Figure 6-44).

Figure 6-44 Recommended Access Point Deployment Given Selected Services and Parameters

Step 12 Choose Generate Proposal to display a textual and graphical report of the recommended access point number and deployment based on the given input.

Refresh Options

To prepare for monitoring your wireless LANs, become familiar with the various refresh options for a map.

• Load—The Load option in the left sidebar menu refreshes map data from the NCS database on demand (see callout 1 in Figure 6-45).
• Auto Refresh—The Auto Refresh option (see callout 2 in Figure 6-45) provides an interval drop-down list to set how often to refresh the map data from the database.
• Refresh from network—By clicking the Refresh from network icon to the right of the Auto Refresh drop-down list (see callout 2 in Figure 6-45), you can refresh the map status and statistics directly from the controller through an SNMP fetch rather than from polled data in the NCS database, which is five to fifteen minutes old.

Note If you have monitor mode access points on the floor plan, you have a choice between IDS or coverage heatmap types. A coverage heatmap excludes monitor mode access points, and an IDS heatmap includes them.

• Refresh browser—Above the map, next to the Logout and Print options, is another refresh option (see callout 3 in Figure 6-45). Clicking this refreshes the complete page, or the map and its status and statistics if you are on a map page.

Figure 6-45 Refresh Options

Creating a Network Design

After access points have been installed and have joined a controller, and NCS has been configured to manage the controllers, set up a network design.
A network design is a representation within NCS of the physical placement of access points throughout facilities. A hierarchy of a single campus, the buildings that comprise that campus, and the floors of each building constitute a single network design.

These steps assume that the location appliance is set to poll the controllers in that network and is configured to synchronize with that specific network design, so that it can track devices in that environment. The concept and steps to perform synchronization between NCS and the mobility services engine are explained in the Cisco 3350 Mobility Services Engine Configuration Guide.

Designing a Network

Follow these steps to design a network:

Step 1 Open the NCS web interface and log in.

Note To create or edit a network design, you must log into NCS and have SuperUser, Admin, or ConfigManager access privileges.

Step 2 Choose Monitor > Site Maps.

Step 3 From the drop-down list on the right-hand side, choose either New Campus or New Building, depending on the size of the network design and the organization of maps. If you chose New Campus, continue to Step 4. To create a building without a campus, skip to Step 14.

Step 4 Click Go.

Step 5 Enter a name for the campus network design, a contact name, and the file path to the campus image file. .bmp and .jpg files can be imported.

Note You can use the Browse... button to navigate to the location.

Step 6 Click Next.

Step 7 Select the Maintain Aspect Ratio check box. Enabling this check box causes the horizontal span of the campus to be 5000 feet and adjusts the vertical span according to the aspect ratio of the image file. Adjusting either the horizontal or vertical span changes the other field in accordance with the image ratio. You should unselect the Maintain Aspect Ratio check box if you want to override this automatic adjustment.
You can then adjust both span values to match the real-world campus dimensions.
Step 8 Click OK.
Step 9 In the Monitor > Site Maps page, click the hyperlink associated with the campus map you just created. A page showing the new campus image is displayed.
Step 10 From the Select a command menu on the upper right of the page, choose New Building, and click Go.
Step 11 Enter the name of the building, the contact person, the number of floors and basements in the building, and the dimensions. Click OK.
Step 12 Indicate which building on the campus map is the correct building by clicking the blue box in the upper left of the campus image and dragging it to the intended location (see Figure 6-46). To resize the blue box, hold down the Ctrl key and click and drag to adjust its horizontal size. You can also enter the dimensions of the building by entering numerical values in the Horizontal Span and Vertical Span fields and clicking Place. After resizing, reposition the blue box if necessary by clicking it and dragging it to the desired location. Click Save.

Figure 6-46 Repositioning Building Highlighted in Blue

Step 13 NCS then returns to the campus image with the newly created building highlighted in a green box. Click the green box (see Figure 6-47).

Figure 6-47 Newly Created Building Highlighted in Blue

Step 14 To create a building without a campus, choose New Building and click Go.
Step 15 Enter the building’s name, contact information, number of floors and basements, and dimension information. Click Save. NCS returns to the Monitor > Site Maps page.
Step 16 Click the hyperlink associated with the newly created building.
Step 17 In the Monitor > Site Maps > [Campus Name] > [Building Name] page, go to the drop-down list and choose New Floor Area. Click Go.
Step 18 Enter a name for the floor, a contact, a floor number, the floor type, the height at which the access points are installed, and the path of the floor image. Click Next.

Note The Floor Type (RF Model) field specifies the type of environment on that specific floor. The RF model indicates the amount of RF signal attenuation likely to be present on that floor. If the available models do not properly characterize a floor's makeup, details on how to create RF models specific to a floor's attenuation characteristics are available in the Cisco 3350 Mobility Services Engine Configuration Guide.

Step 19 If the floor area has different dimensions than the building, adjust the floor dimensions either by making numerical changes to the text fields under the Dimensions heading or by holding the Ctrl key and clicking and dragging the blue box around the floor image. If the floor's location is offset from the upper left corner of the building, change the placement of the floor within the building either by clicking and dragging the blue box to the desired location or by altering the numerical values under the Coordinates of top left corner heading (see Figure 6-48). After making changes to any numerical values, click Place.

Figure 6-48 Repositioning Using Numerical Value Fields

Step 20 Adjust the floor’s characteristics with the NCS map editor by selecting the check box next to Launch Map Editor. For an explanation of the map editor feature, see the “Using the Map Editor” section on page 6-69.
Step 21 At the new floor’s image (Monitor > Site Maps > [CampusName] > [BuildingName] > [FloorName]), go to the drop-down list on the upper right and choose Add Access Points. Click Go.
Step 22 All access points that are connected to controllers are displayed. Even those that NCS is configured to manage but which have not yet been added to another floor map are displayed. Select the access points to be placed on this floor map by checking the boxes to the left of the access point entries. Select the box to the left of the Name column to select all access points. Click OK.
Step 23 Each access point you have chosen to add to the floor map is represented by a gray circle (differentiated by access point name or MAC address) and is lined up in the upper left part of the floor map. Drag each access point to the appropriate location. (Access points turn blue when you click them to relocate them.) The small black arrow at the side of each access point represents Side A of the access point, and each access point’s arrow must correspond with the direction in which the access point was installed. (Side A is clearly noted on each 1000 series access point and has no relevance to the 802.11a/n radio.)
Step 24 To adjust the directional arrow, choose the appropriate orientation from the Antenna Angle drop-down list. Click Save when you are finished placing each access point and adjusting its direction.

Note Access point placement and direction must directly reflect the actual access point deployment, or the system cannot pinpoint the device location.

Step 25 Repeat these steps to create campuses, buildings, and floors until each device location is properly detailed in a network design.

Importing or Exporting WLSE Map Data

When you convert an access point from autonomous to CAPWAP and from WLSE to NCS, one of the conversion steps is to manually re-enter the access point information into NCS. This can be time-consuming. To speed up the process, you can export the access point information from WLSE and import it into NCS.

Note NCS expects a .tar file and checks for a .tar extension before importing the file.
If the file you are trying to import is not a .tar file, NCS displays an error message and prompts you to import a different file.

To map properties and import a .tar file containing WLSE data using the NCS web interface, follow these steps. For more information on the WLSE data export functionality (WLSE version 2.15), see http://:1741/debug/export/exportSite.jsp.

Step 1 Choose Monitor > Site Maps.
Step 2 Choose Properties from the Select a command drop-down list, and click Go.
Step 3 In the Export/Import AP/LS/SP Placement section, click Browse to select the file to import.
Step 4 Find and select the .tar file to import and click Open. NCS displays the name of the file in the Import From field.
Step 5 Click Import. NCS uploads the file and temporarily saves it in a local directory while it is being processed. If the file contains data that cannot be processed, NCS prompts you to correct the problem and retry. After the file has been loaded, NCS displays a report of what will be added to NCS. The report also specifies what cannot be added and why. If some of the data to be imported already exists, NCS either uses the existing data (in the case of campuses) or overwrites the existing data with the imported data (in the case of buildings and floors). If there are duplicate names between a WLSE site and building combination and an NCS campus (or top-level building) and building combination, NCS displays a message in the Pre Execute Import Report indicating that it will delete the existing building.
Step 6 Click Import to import the WLSE data. NCS displays a report indicating what was imported.

Note Because a WLSE file has no floor number information, floors are indexed in descending order after WLSE data is imported into NCS. You can click the floor image to go directly to the appropriate floor screen.
Step 7 Choose Monitor > Site Maps to verify the imported data.

Monitoring Device Details

Access Point Details

Hover your mouse cursor over an access point icon to view access point details (Figure 6-49). Click the appropriate tab to view access point and radio information.

Note Monitor mode access points are shown with gray labels to distinguish them from other access points.

Figure 6-49 Access Point Details

The AP Info tab includes the following access point information:
• MAC address
• Access point model
• Controller
• Location
• Access point height
• Access point uptime
• LWAPP uptime

Note From the AP Info tab, you can run a ping test by clicking the Run Ping Test link.

The 802.11 tabs (Figure 6-50) include the following radio information:
• Channel number
• Extension channel
• Channel width
• Transmit power level
• Client count

Note The number of clients associated to access points may not match the total number of clients.

• Receiving and transmitting utilization percentages
• Channel utilization percentage

Note Total utilization = (Rx + Tx + Channel utilization) scaled to 100%.

• Antenna name and angle
• Elevation angle

Note From either of the 802.11 tabs, you can view Rx neighbors and radio details for this access point by clicking the appropriate link (View Rx Neighbors or View Radio Details).

• Dot11n Enabled
• CleanAir Status—Displays the CleanAir status of the access point, that is, whether or not CleanAir is enabled on the access point.
• Average Air Quality—Displays the average air quality on this access point.
• Minimum Air Quality—Displays the minimum air quality on this access point.

Figure 6-50 802.11 Tabs

Client Details

Hover your mouse cursor over a client icon to view client details (Figure 6-51).
Figure 6-51 Client Details

Client details include the following:
• Username
• IP address
• Asset name, group, and category
• Status
• Auth
• SSID
• Access point name
• Protocol
• Port number
• Last location

Tag Details

Hover your mouse cursor over a tag icon to view tag details (Figure 6-52).

Figure 6-52 Tag Details

Tag details include the following:
• Asset name, group, and category
• Type
• Battery life
• Last located

Rogue Access Point Details

Hover your mouse cursor over an access point icon to view rogue access point details (Figure 6-53).

Figure 6-53 Rogue Access Point Details

Rogue access point details include the following:
• Classification type—Friendly, malicious, or unknown.
• State
• Detecting access points
• Type
• Rogue clients
• First seen
• Last seen
• On network
• Last located

Rogue Adhoc Details

Hover your mouse cursor over an access point icon to view rogue ad hoc details.

Rogue Client Details

Hover your mouse cursor over an access point icon to view rogue client details (Figure 6-54).

Interferer Details

Hover your mouse cursor over an interferer icon to view its details. Interferer details include the following:
• Interferer Name—The name of the interfering device.
• Affected Channels—The channels the interfering device is affecting.
• Detected Time—The time at which the interference was detected.
• Severity—The severity index of the interfering device.
• Duty Cycle—The duty cycle (in percent) of the interfering device.
• RSSI (dBm)—The Received Signal Strength Indicator of the interfering device.
Figure 6-54 Rogue Client Details

Rogue client details include the following:
• State
• Associated rogue access point
• Detecting access points
• First seen
• Last seen
• Last located

Floor View Navigation

The main Floor View navigation pane (Figure 6-55) provides access to multiple map functions.

Figure 6-55 Floor View Navigation Pane

This navigation pane includes the following functionality:
• Zoom In/Zoom Out—Click the magnifying glass icon with the plus sign (+) to enlarge the map view. Click the magnifying glass icon with the minus sign (-) to decrease the size of the map view.
• Map Size—Use the map size drop-down list to manually select the map view size (ranging from 50% to 800%).
• Show Grid—Click to show or hide the grid that displays distance in feet on the map.
• RSSI Legend—Hover your mouse cursor over the RSSI Legend icon to display the RSSI color scheme (ranging from red/-35 dBm to dark blue/-90 dBm).
• Add Access Points—Click to open the Add Access Points page. See the “Adding Access Points to a Floor Area” section on page 6-34 for more information.
• Remove Access Points—Click to open the Remove Access Points page. Select the access points that you want to remove and click OK.
• Position Access Points—Click to open the Position Access Points page. See the “Placing Access Points” section on page 6-40 for more information.
• Add Chokepoints—Click to open the Add Chokepoints page. Refer to the Cisco Context-Aware Services Configuration Guide for more information.
• Add WiFi TDOA Receivers—Click to open the Add Wi-Fi TDOA Receivers page. Refer to the Cisco Context-Aware Services Configuration Guide for more information.
• Auto Refresh—From the drop-down list, choose the length of time between each system refresh.
• Refresh from Network—Click to initiate an immediate refresh of the current data.
• Planning Mode—Click to open the Planning Mode window. See the “Using Planning Mode” section on page 6-89 for more information.
• Map Editor—Click to open the Map Editor.
• Full Screen—Click to increase the size of the map to full screen. Once there, click Exit Full Screen to return to the normal view.

Understanding RF Heatmap Calculation

A radio frequency heatmap is a graphical representation of the strength of the RF signals. Because WLANs are very dynamic and nondeterministic in nature, administrators can never be certain of the coverage at a particular moment. To help combat this challenge, NCS provides a map of your floor plan along with visual cues as to the WiFi coverage of the floor. These maps are called heatmaps because they are similar to the colored maps used to show varying levels of heat in oceanography or the geographical sciences. Color is used to show the various levels of signal strength; the different shades in the heatmap reflect differing signal strengths.

This color visualization is extremely useful. At a glance, you can see the current state of coverage (without having to walk around measuring it), the signal strength, and any gaps or "holes" in the WLAN. Because floor plans and heatmaps are very intuitive, this system greatly enhances the speed and ease with which you support your organization and troubleshoot specific problems.

The RF heatmap calculation is based on an internal grid. Depending on the exact positioning of an obstacle in that grid, the RF heatmap within a few feet or meters of the obstacle may or may not account for the obstacle attenuation. In detail, a grid square partially affected by an obstacle crossing it may or may not incorporate the obstacle attenuation, according to the geometry of the access point, obstacle, and grid. For example, consider a wall crossing one grid square.
In the first example, the midpoint of the grid square is behind the wall from the AP, so the whole grid square is colored with attenuation, including (unfortunately) the top left corner that is actually in front of the wall (see Figure 6-56).

Figure 6-56 Access Point/Grid Example One (Actual Attenuation)

Figure 6-57 displays how the attenuation would ideally appear in this situation.

Figure 6-57 Access Point/Grid Example One (Ideal Attenuation)

In the second example, the midpoint of the grid square is on the same side of the wall as the AP, so the whole grid square is not colored with attenuation, including (unfortunately) the bottom right corner that is actually behind the wall from the AP (see Figure 6-58).

Figure 6-58 Access Point/Grid Example Two (Actual Attenuation)

Figure 6-59 displays how the attenuation would ideally appear in this situation.

Figure 6-59 Access Point/Grid Example Two (Ideal Attenuation)

Dynamic Heatmap Calculation

The RF heatmap calculation can be static or dynamic. By default it is dynamic; to make it static, disable the dynamic heatmap option in the map properties page. The NCS server maintains the current list of RSSI strengths of all APs, as seen by all APs. The neighbor AP RSSI strength is used to modify the RF heatmaps for all APs. The main purpose of the dynamic heatmap feature is to recompute the RF heatmaps to account for obstacles. Figure 6-60 shows the difference between static and dynamic heatmaps.

Figure 6-60 Static Vs Dynamic Heatmap Calculation

Monitoring Google Earth Maps

Within Monitor > Google Earth Maps, you can create an outdoor location, import a file, view Google Earth maps, and specify Google Earth settings.
This section contains the following topics:
• Creating an Outdoor Location Using Google Earth, page 6-112
• Importing a File into NCS, page 6-116
• Viewing Google Earth Maps, page 6-117
• Adding Google Earth Location Launch Points to Access Point Pages, page 6-117
• Google Earth Settings, page 6-118

Creating an Outdoor Location Using Google Earth

To group access points together into outdoor locations, use the latitude/longitude geographical coordinates of each access point. These coordinates can be provided in two ways:
• Importing a KML (Google Keyhole Markup Language) file
• Importing a CSV file (spreadsheet format with comma-separated values)

This section contains the following topics:
• Understanding Geographical Coordinates for Google Earth, page 6-112
• Creating and Importing Coordinates in Google Earth (KML File), page 6-113
• Creating and Importing Coordinates as a CSV File, page 6-115

Understanding Geographical Coordinates for Google Earth

The following geographical information is required for each access point:

Note If you add an AP to a Google Earth map without the AP having been placed on a standard map, you do not see any heatmap when you view the AP in Google Earth.

• Longitude (East or West)—Angular distance in degrees relative to the Prime Meridian. Values west of the Meridian range from –180 to 0 degrees. Values east of the Meridian range from 0 to 180 degrees. The default is 0.
  Coordinates in degrees, minutes, seconds, direction:
  – Degrees (–180 to 180)
  – Minutes (0 to 59)
  – Seconds (00.00 to 59.99)
  – Direction—East or West (E, W)
  Decimal format (converted from degrees, minutes, and seconds):
  – Longitude can range from –179.59.59.99 W to 179.59.59.99 E
• Latitude (North or South)—Angular distance in degrees relative to the Equator. Values south of the Equator range from –90 to 0 degrees.
  Values north of the Equator range from 0 to 90 degrees. The default is 0.
  Coordinates in degrees, minutes, seconds, direction:
  – Degrees (–90 to 90)
  – Minutes (0 to 59)
  – Seconds (00.00 to 59.99)
  – Direction—North or South (N, S)
  Decimal format (converted from degrees, minutes, and seconds):
  – Latitude can range from –89.59.59.99 S to 89.59.59.99 N
• Altitude—Height or distance of the access point from the earth’s surface in meters. If not provided, the value defaults to 0. Values range from 0 to 99999.
• Tilt—Values range from 0 to 90 degrees (cannot be negative). A tilt value of 0 degrees indicates viewing from directly above the access point. A tilt value of 90 degrees indicates viewing along the horizon. The default azimuth angle is 0.
• Range—Distance in meters from the point specified by longitude and latitude to the point from which the access point is being viewed (the Look At position) (camera range above sea level). Values range from 0 to 999999.
• Heading—Compass direction in degrees. The default is 0 (North). Values range from 0 to ±180 degrees.
• Altitude Mode—Indicates how the altitude specified for the Look At point is interpreted.
  – Clamped to ground—Ignores the altitude specification and places the Look At position on the ground. This is the default.
  – Relative to ground—Interprets the altitude as a value in meters above the ground.
  – Absolute—Interprets the altitude as a value in meters above sea level.
• Extend to ground—Indicates whether or not the access point is attached to a mast.

Creating and Importing Coordinates in Google Earth (KML File)

The geographical coordinates can be created in Google Earth and imported. Either a folder or individual Placemarks can be created. Creating a folder groups all the Placemarks into a single folder and allows you to save the folder as a single KML (a.k.a. XML) file.
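The coordinate definitions above give each field an inclusive range and describe a degrees/minutes/seconds/direction form alongside decimal degrees; the CSV import described later in this section (Table 6-15 and the validation in Importing a File into NCS) applies the same kind of range checks before anything is saved. The following Python example, added here and not code from the Cisco guide or from NCS, shows both: it converts the degrees/minutes/seconds form to signed decimal degrees, rejects a direction letter that does not fit the field, and range-checks every field using the bounds listed in this section. The record key names, the accepted spellings of the DMS form, and the sample records are constructed for illustration.

```python
"""Range-check Google Earth access point coordinates and convert DMS input.

Added example, not part of the Cisco guide or of NCS. It applies the value
ranges listed under "Understanding Geographical Coordinates for Google Earth":
longitude -180..180, latitude -90..90, altitude 0..99999, tilt 0..90,
range 0..999999, heading -180..180, and converts the
degrees / minutes / seconds / direction form to signed decimal degrees.
The record keys and sample values below are constructed for illustration.
"""
import re

# Inclusive (low, high) bounds per field, taken from the guide's coordinate section.
RANGES = {
    "longitude": (-180.0, 180.0),
    "latitude": (-90.0, 90.0),
    "altitude": (0.0, 99999.0),
    "tilt": (0.0, 90.0),
    "range": (0.0, 999999.0),
    "heading": (-180.0, 180.0),
}

# Direction letters that are meaningful for each angular coordinate.
HEMISPHERES = {"latitude": "NS", "longitude": "EW"}

# Accepted DMS spelling (assumed): "48 51 29.50 N" or "48:51:29.50 N".
_DMS = re.compile(r"^\s*(\d{1,3})[\s:]+(\d{1,2})[\s:]+(\d{1,2}(?:\.\d+)?)\s*([NSEWnsew])\s*$")


def dms_to_decimal(text, allowed="NSEW"):
    """Convert a degrees/minutes/seconds/direction string to decimal degrees.

    South and West give negative values. Minutes must be 0..59 and seconds
    0..59.99 (the limits the guide states); the direction letter must be one
    of `allowed`, so a latitude cannot carry E or W.
    """
    m = _DMS.match(text)
    if not m:
        raise ValueError(f"not a degrees/minutes/seconds coordinate: {text!r}")
    degrees, minutes, seconds = int(m[1]), int(m[2]), float(m[3])
    direction = m[4].upper()
    if direction not in allowed:
        raise ValueError(f"direction {direction} not valid here: {text!r}")
    if minutes > 59 or seconds > 59.99:
        raise ValueError(f"minutes/seconds out of range: {text!r}")
    value = degrees + minutes / 60 + seconds / 3600
    return -value if direction in "SW" else value


def parse_angle(text, field):
    """Accept decimal degrees or the DMS form for latitude/longitude."""
    try:
        return float(text)
    except ValueError:
        return dms_to_decimal(text, HEMISPHERES[field])


def check_range(field, value):
    """Reject values outside the guide's inclusive bounds for `field`."""
    low, high = RANGES[field]
    if not low <= value <= high:
        raise ValueError(f"{field} {value:g} outside {low:g}..{high:g}")
    return value


def validate_record(record):
    """Normalize one access point record (dict of str -> str).

    Longitude and latitude are required; the other fields default to 0 when
    absent, as the guide describes for altitude.
    """
    out = {"name": record["name"]}
    for field in ("longitude", "latitude"):
        if field not in record:
            raise ValueError(f"{field} is required")
        out[field] = check_range(field, parse_angle(record[field], field))
    for field in ("altitude", "tilt", "range", "heading"):
        out[field] = check_range(field, float(record.get(field, "0")))
    return out


def validate_all(records):
    """Return (accepted, rejected): normalized records and (name, reason) pairs.

    Every problem is reported, mirroring the guide's behaviour of refusing to
    save until all errors in the uploaded file are corrected.
    """
    accepted, rejected = [], []
    for record in records:
        try:
            accepted.append(validate_record(record))
        except (KeyError, ValueError) as exc:
            rejected.append((record.get("name", "?"), str(exc)))
    return accepted, rejected


# Constructed sample input: two valid records (decimal and DMS), two invalid.
SAMPLE_RECORDS = [
    {"name": "ap-lobby-1", "longitude": "-122.0", "latitude": "37.5", "tilt": "45"},
    {"name": "ap-roof-2", "longitude": "2 21 03.00 E", "latitude": "48 51 29.50 N"},
    {"name": "ap-bad-tilt", "longitude": "10.0", "latitude": "10.0", "tilt": "95"},
    {"name": "ap-wrong-dir", "longitude": "10.0", "latitude": "48 51 29.50 E"},
]

if __name__ == "__main__":
    ok, bad = validate_all(SAMPLE_RECORDS)
    for ap in ok:
        print(f"{ap['name']}: lon={ap['longitude']:.6f} lat={ap['latitude']:.6f}")
    for name, reason in bad:
        print(f"{name}: rejected ({reason})")
```

Running the module processes the four constructed records: the decimal and the DMS record are accepted (with the DMS pair converted to 2.350833 E and 48.858194 N), the record with a 95 degree tilt is rejected against the 0 to 90 bound, and the latitude written with an E direction letter is rejected before any range check is attempted.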
If individual Placemarks are created, each Placemark must be individually saved.

Follow these steps to create a folder in Google Earth:

Step 1 Launch Google Earth.
Step 2 In the Places page on the left sidebar menu, choose My Places or Temporary Places.
Step 3 Right-click Temporary Places and select Add > Folder from the drop-down lists.

Note By using a KML file, folders can be created hierarchically to any depth. For example, you can create folders and Placemarks organized by country, city, state, and zip. This is not applicable to CSV; in CSV there can be only one level of hierarchy.

Step 4 Enter the following information (optional):
• Name—Folder name
• Description—Folder description
• View—Includes latitude, longitude, range, heading, and tilt

Note If the View coordinates (latitude, longitude, range, heading, and tilt) are specified, this information is used to “fly” or advance to the correct location when Google Earth is first loaded. If no coordinates are specified, the latitude and longitude information is derived using the minimum and maximum latitude and longitude of all access points within this group or folder.

Step 5 Click OK to save the folder.

After the folder is created, it can be selected from the Places page to create Placemarks. To create Placemarks, follow these steps:

Step 1 Launch Google Earth.
Step 2 In the Places page on the left sidebar, select My Places or Temporary Places.
Step 3 Select the folder that you previously created.
Step 4 Right-click your created folder and select Add > Placemark from the drop-down lists.
Step 5 Configure the following parameters, if applicable:
• Name—The Placemark name must contain the name, MAC address, or IP address of the appropriate access point.

Note The MAC address refers to the base radio MAC, not the Ethernet MAC.
• Latitude—Provides the current coordinate for the folder if the Placemark is created inside the folder, or the coordinate for the Placemark (if not created inside a folder). This parameter is automatically filled depending on where the yellow Placemark icon is located on the map. Use your mouse to move the Placemark to the correct location or enter the correct coordinate in the Latitude text box.
• Longitude—Provides the current coordinate for the folder if the Placemark is created inside the folder, or the coordinate for the Placemark (if not created inside a folder). This parameter is automatically filled depending on where the yellow Placemark icon is located on the map. Use your mouse to move the Placemark to the correct location or enter the correct coordinate in the Longitude text box.
• Description (optional)—This parameter is ignored by NCS.
• Style, Color (optional)—These parameters are ignored by NCS.
• View—Allows you to configure the Latitude, Longitude, Range, Heading, and Tilt coordinates. See the “Understanding Geographical Coordinates for Google Earth” section on page 6-112 for more information on these geographical coordinates.
  – Longitude and latitude are automatically filled depending on where the yellow Placemark icon is located on the map. Use your mouse to click and move the Placemark to the correct location.
  – All of the coordinates can be entered manually.
• Altitude—Enter the altitude in meters in the text box or use the Ground to Space slide bar to indicate the altitude.
  – Clamped to ground—Indicates that the Look At position is on the ground. This is the default.
  – Relative to ground—Interprets the altitude as a value in meters above the ground.
  – Absolute—Interprets the altitude as a value in meters above sea level.
  – Extend to ground—For the Relative to ground or Absolute settings, indicates whether or not the access point is attached to a mast.
Step 6 When all coordinates are entered, click Snapshot current view, or click Reset to return the coordinates to the original settings.

Note For more information regarding Google Earth, refer to the Google Earth online help.

Step 7 Click OK.
Step 8 Repeat these steps for all Placemarks you want to add.
Step 9 When all Placemarks are created, save the folder as a .kmz file (KML Zip file) or as a .kml file.

Note A .kmz file should contain only one .kml file.

Note To save the folder, right-click the folder, select Save as from the drop-down list, navigate to the correct location on your computer, and click Save. Both .kmz and .kml files can be imported into NCS.

Creating and Importing Coordinates as a CSV File

To create a CSV file to import into NCS, follow these steps:

Step 1 Open a flat file and provide the necessary information as a comma-separated list. Table 6-15 lists the potential data, whether each field is optional or required, and the parameters of the data.

Note For more information regarding the geographical coordinates listed below, see the “Understanding Geographical Coordinates for Google Earth” section on page 6-112.

Table 6-15 Potential Fields for the CSV File

Field             Value             Parameters
FolderName        Value Optional    Max Length: 32
FolderState       Value Optional    Permitted Values: true/false
FolderLongitude   Value Optional    Range: 0 to ±180
FolderLatitude    Value Optional    Range: 0 to ±90
FolderAltitude    Value Optional    Range: 0 to 99999
FolderRange       Value Optional    Range: 0 to 99999
FolderTilt        Value Optional    Range: 0 to 90
FolderHeading     Value Optional    Range: 0 to ±180

Step 2 Save the .csv file. The file is now ready to import into NCS.

Importing a File into NCS

To import a Google KML or a CSV file into the Google Earth Maps feature of NCS, follow these steps:

Step 1 Log in to NCS.
Step 2 Choose Monitor > Google Earth Maps.
Table 6-15 Potential Fields for the CSV File (continued)

Field             Value             Parameters
FolderGeoAddress  Value Optional    Max Length: 128
FolderGeoCity     Value Optional    Max Length: 64
FolderGeoState    Value Optional    Max Length: 40
FolderGeoZip      Value Optional    Max Length: 12
FolderGeoCountry  Value Optional    Max Length: 64
AP_Name           Value Required    Max Length: 32
AP_Longitude      Value Required    Range: 0 to ±180
AP_Latitude       Value Required    Range: 0 to ±90

Step 3 From the Select a command drop-down list, choose Import Google KML or Import CSV.
Step 4 Click Go.
Step 5 Use the Browse button to navigate to the .kml, .kmz, or .csv file on your computer.
Step 6 When the file name path is displayed in the text box, click Next. The input file is parsed and validated for the following:
• Access points specified in the uploaded file are validated (the specified access points must be available within NCS).
• Range validations are performed for tilt, heading, range, and the other geographical coordinate fields. If longitude and latitude are provided, range validations are performed; if not, the value defaults to 0.

Note In KML, longitude and latitude can only be entered in decimal format. In CSV, different formats are supported (refer to the CSV sample under Google Maps > Import CSV).

Note If the input file does not validate for completeness, an error page appears. The uploaded information cannot be saved until all errors are corrected.

Step 7 After the file passes all validation checks, review the file details and click Save. If the uploaded information was saved previously, the information is overwritten as follows:
• If the folder was uploaded previously, the coordinates are updated for the folder.
• If access points were uploaded previously, the coordinates are updated for the access points.
• Existing access points in the folder are not removed.
• New folders are created as needed, and access points are placed accordingly.

Viewing Google Earth Maps

To view Google Earth maps, follow these steps:

Step 1 Log in to NCS.
Step 2 Choose Monitor > Google Earth Maps. The Google Earth Maps page displays all folders and the number of access points included within each folder.
Step 3 Click Launch for the map you want to view. Google Earth opens in a separate page and displays the location and its access points.

Note To use this feature, you must have Google Earth installed on your computer and configured to auto-launch when data is sent from the server. You can download Google Earth from Google’s website: http://www.google.com/earth/index.html.

Viewing Google Earth Map Details

To view details for a Google Earth Map folder, follow these steps:

Step 1 In the Google Earth Map page, click the folder name to open the details page for this folder. The Google Earth Details page provides the access point names and MAC or IP addresses.

Note To delete an access point, select the applicable check box and click Delete. To delete the entire folder, select the check box next to Folder Name and click Delete. Deleting a folder also deletes all subfolders and access points inside the folder.

Step 2 Click Cancel to close the details page.

Adding Google Earth Location Launch Points to Access Point Pages

You can expand the number of Google Earth Location launch points within Cisco NCS by adding one to the Access Point summary and detail pages. Follow these steps to add a Google Earth Location launch point to the Access Point summary and details pages:

Step 1 Choose Monitor > Access Points (see Figure 6-61).
Step 2 In the Access Point summary page, click the Edit View link next to the page heading.
Figure 6-61 Monitor > Access Points Page

Step 3 In the Edit View page, highlight Google Earth Location in the left-hand column. Click Show. The Google Earth Location column heading moves into the View Information column.

Note The View Information listings, top-to-bottom, reflect the left-to-right order of the columns as they appear on the Access Point summary page.

Step 4 To change the display order of the columns, highlight the Google Earth Location entry and click the Up and Down buttons as needed. Click Submit. You are returned to the Access Points summary page, and a Google Earth launch link is in the display.

Note The launch link also appears on the general summary page of the Access Points details page (Monitor > Access Points > AP Name).

Google Earth Settings

Access point related settings can be defined from the Google Earth Settings page. To configure access point settings for the Google Earth Maps feature, follow these steps:

Step 1 Choose Monitor > Google Earth Maps.
Step 2 Configure the following parameters:
• Refresh Settings—Select the Refresh from Network check box to enable an on-demand refresh. This option is applied only once and is then disabled.

Caution Because this refresh occurs directly from the network, it can take a long time to collect data, depending on the number of access points.

• Layers—Layer filters for access points, access point heatmaps, and access point mesh information can be selected and saved. Select the check box to activate the applicable layer and click > to open the filter page.

Note These settings apply when Google Earth sends the request for the next refresh.

  – Access Points—From the AP Filter drop-down list, choose to display channels, Tx power level, coverage holes, MAC addresses, names, controller IP, utilization, profiles, or clients.
Note If the access point layer is not checked, no data is returned, and an error message is returned to Google Earth as a Placemark without an icon.

– AP Heatmap—From the Protocol drop-down list, choose 802.11a/n, 802.11b/g/n, 802.11a/n & 802.11b/g/n, or None. Select the cutoff from the RSSI Cutoff drop-down list (-60 to -90 dBm).

Note If the protocol chosen is both 802.11a/n and 802.11b/g/n, the heat maps are generated for both and overlaid on top of each other. The order cannot be defined. To prevent this overlay, you must turn off the individual overlay in Google Earth or change it in the Google Earth Settings on NCS.

– AP Mesh Info—Choose Link SNR, Packet Error Rate, or None from the Link Label drop-down list. Choose Link SNR or Packet Error Rate from the Link Color drop-down list.

Note When the AP Mesh Info check box is chosen, Mesh Links are also automatically shown.

Step 3 Click Save Settings to confirm these changes or Cancel to close the page without saving the changes.

Chapter 7 Managing NCS User Accounts

The Administration menu enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. You can also set logging options, configure mail servers, and manage data retention periods. Information is available about the types of NCS licenses and how to install a license.

Organizations need an easy and cost-effective method to manage and control wireless network segments using a single management platform. They need a solution that supports limiting what an individual administrator can manage or control in the wireless LAN. This chapter describes the administrative tasks to perform with Cisco NCS.
It contains the following sections:
• Managing NCS User Accounts, page 7-1
• Viewing the Audit Trail, page 7-8
• Managing NCS Guest User Accounts, page 7-11
• Adding a New User, page 7-14
• Managing Lobby Ambassador Accounts, page 7-16

Managing NCS User Accounts

This section describes how to configure global e-mail parameters and manage Cisco NCS user accounts. It contains the following topics:
• Adding NCS User Accounts, page 7-2
• Deleting NCS User Accounts, page 7-3
• Changing Passwords, page 7-4
• Monitoring Active Sessions, page 7-4
• Viewing or Editing User Account Information, page 7-5
• Viewing or Editing Group Information, page 7-7
• Viewing the Audit Trail, page 7-8
• Creating Guest User Accounts, page 7-9
• Logging in to the NCS User Interface as a Lobby Ambassador, page 7-10

Adding NCS User Accounts

This section describes how to configure an NCS user. The accounting portion of the AAA framework is not implemented at this time. Besides complete access, you can give administrative access with differentiated privileges to certain user groups. NCS supports external user authentication using these access restrictions and authenticates the users against the TACACS+ and RADIUS servers. The username and password supplied by you at install time are always authenticated, but the steps you take here create additional superusers. If the password is lost or forgotten, you must run a utility to reset the password to another user-defined password.

To add a new user account to NCS, follow these steps:

Step 1 Start the NCS server by following the instructions in the "Starting the NCS Server" section on page 2-10.
Step 2 Log into the NCS user interface as root.

Note We recommend that you create a new superuser assigned to the SuperUsers group.

Step 3 Choose Administration > AAA. The Change Password page appears (see Figure 7-1).
Figure 7-1 Change Password Page

Step 4 In the Old Password text box, enter the current password that you want to change.
Step 5 Enter the username and password for the new NCS user account. You must enter the password twice.

Note These entries are case sensitive.

Step 6 Click User Groups from the left sidebar menu. The All Groups page displays the following group names (see Figure 7-4).

Note Some user groups cannot be combined with other user groups. For instance, you cannot choose both Lobby Ambassador and Monitor Lite.

• System Monitoring—Allows users to monitor NCS operations.
• ConfigManagers—Allows users to monitor and configure NCS operations.
• Admin—Allows users to monitor and configure NCS operations and perform all system administration tasks.

Note If you choose an admin account and log in as such on the controller, you can also see the guest users under Local Net Admin.

• SuperUsers—Allows users to monitor and configure NCS operations and perform all system administration tasks, including administering NCS user accounts and passwords. Superuser tasks can be changed.
• Users Assistant—Allows only local net user administration. User assistants cannot configure or monitor controllers. They must access the Configure > Controller page to configure these local net features.

Note If you create a user assistant user, log in as that user, and choose Monitor > Controller, you receive a permission denied message; this is expected behavior.

• Lobby Ambassador—Allows access for configuration and management of Guest User accounts only.
• Monitor Lite—Allows monitoring of asset locations.
• Root—Allows users to monitor and configure NCS operations and perform all system administration tasks, including changing any passwords. Only one user can be assigned to this group, and that user is determined upon installation. It cannot be removed from the system, and no task changes can be made for this user.

Step 7 Click the name of the user group to which you assigned the new user account. The Group Detail > User Group page shows a list of this group's permitted operations. From this page you can also show an audit trail of login and logout patterns or export a task list.
Step 8 Make any desired changes by selecting or unselecting the appropriate check boxes for task permissions and members.

Note Any changes you make affect all members of this user group.

Note To view complete details in the Monitor > Client details page and to perform operations such as Radio Measurement, users in User Defined groups need permission for Monitor Clients, View Alerts & Events, Configure Controllers, and Client Location.

Step 9 Click Submit to save your changes or Cancel to leave the settings unchanged.

Deleting NCS User Accounts

To delete an NCS user account, follow these steps:

Step 1 Start the NCS server by following the instructions in the "Starting the NCS Server" section on page 2-10.
Step 2 Log into the NCS user interface as a user assigned to the SuperUsers group.
Step 3 Choose Administration > AAA.
Step 4 Click Users from the left sidebar menu to display the Users page.
Step 5 Select the check box to the left of the user account(s) to be deleted.
Step 6 From the Select a command drop-down list, choose Delete User(s), and click Go. When prompted, click OK to confirm your decision. The user account is deleted and can no longer be used.

Changing Passwords

To change the password for an NCS user account, follow these steps:

Step 1 Start the NCS server by following the instructions in the "Starting the NCS Server" section on page 2-10.
Step 2 Log into the NCS user interface as a user assigned to the SuperUsers group.
Step 3 Click Administration > AAA to display the Change Password page.
Step 4 Enter your old password.
Step 5 Enter the new password in both the New Password and Confirm New Password text boxes.
Step 6 Click Save to save your changes. The password for this user account has been changed and can be used immediately.

Monitoring Active Sessions

To view a list of active users, follow these steps:

Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, choose Active Sessions. The Active Sessions page appears.

The user highlighted in red represents your current login. If a column heading is a hyperlink, click the heading to sort the list of active sessions in descending or ascending order along that column. The sort direction is toggled each time the hyperlink is clicked.

The Active Sessions page has the following columns:
• Username—The logged-in username.
• IP/Host Name—The IP address or the hostname of the machine on which the browser is running. If the hostname of the user machine is not in DNS, the IP address is displayed.
• Login Time—The time at which the user logged in to NCS. All times are based on the NCS server machine time.
• Last Access Time—The time at which the user last accessed NCS. All times are based on the NCS server machine time.

Note The time displayed in this column is usually a few seconds behind the current system time because Last Access Time is updated frequently by the updates to the alarm status pane.

• Login Method:
– Regular: Sessions created for users who log into NCS directly through a browser.
• User Groups: The list of groups to which the user belongs.
• Audit trail icon: Link to the page that displays the audit trail (previous login times) for that user.
Viewing or Editing User Account Information

To see the group the user is assigned to, or to adjust a password or group assignment for that user, follow these steps:

Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, choose Users.
Step 3 Click a user in the User Name column. The User Detail : User Group page appears (see Figure 7-2).

Figure 7-2 Detailed Users Page

You can see which group is assigned to this user or change a password or group assignment.

Setting the Lobby Ambassador Defaults

If you choose a Lobby Ambassador from the User Name column, a Lobby Ambassador Defaults tab appears (see Figure 7-3). All of the guest user accounts created by the lobby ambassador have these credentials by default. If the default values are not specified, the lobby ambassador must provide the required guest user credential fields.

Note If no default profile is chosen on this tab, the defaults do not get applied to this lobby ambassador. The lobby ambassador account does get created, and you can create users with any credentials you choose.

Figure 7-3 Lobby Ambassador Default Tab

Step 1 Use the Profile drop-down list to choose the profile to which the guest user connects. Wired-guest is an example of a profile that might be defined to indicate traffic that is originating from wired LAN ports. See the "Configuring Wired Guest Access" section on page 9-46.
Step 2 Choose a user role to manage the amount of bandwidth allocated to specific users within the network. Roles are predefined by the administrator and are associated with the guests' access (such as contractor, customer, partner, vendor, visitor, and so on).
Step 3 Choose Limited or Unlimited at the Lifetime parameter.
• For the Limited option, you choose the period of time that the guest user account is active using the hours and minutes drop-down lists. The default value for Limited is one day (8 hours).
• When Unlimited is chosen, no expiration date for the guest account exists.

Step 4 Use the Apply to drop-down list to choose from the following options. What you choose determines what additional parameters appear.
• Indoor area—A campus, building, or floor.
• Outdoor area—A campus or outdoor area.
• Controller list—A list of controller(s) on which the selected profile is created.
• Config Group—Those config group names configured on NCS.

Step 5 Enter the e-mail ID of the host to whom the guest account credentials are sent.
Step 6 Provide a brief description of the account.
Step 7 If you want to supply disclaimer text, enter it.
a. Select the Defaults Editable check box if you want to allow the lobby ambassador to override these configured defaults. This allows the lobby ambassador to modify the guest user default settings while creating a guest account from the Lobby Ambassador portal.

Note If no default profile is selected on this tab, the defaults are not applied to this Lobby Ambassador. However, the Lobby Ambassador account is created, and the Lobby Ambassador can create users with credentials as desired.

Step 8 Select the Max User Creations Allowed check box to set limits on the number of guest users that can be created by the lobby ambassador in a given time period. The time period is defined in hours, days, or weeks.
Step 9 Click the Preview Current Logo link to see what is currently being used as a logo; you can then click to enable it or browse to another location to update the logo.
Step 10 If you want additional page header text, you can enter it at the Print Page Header Text parameter.
Step 11 Click Submit.
Viewing or Editing Group Information

To see the specific tasks the user is permitted to do within the defined group, or to make changes to the tasks, follow these steps:

Step 1 Choose Administration > AAA.
Step 2 Choose Users from the left sidebar menu.
Step 3 Click the group link in the Member Of column. The Group Detail: User Group page appears (see Figure 7-4).

Note The detailed page varies based on what group you choose (see Figure 7-4).

Figure 7-4 Detailed Group Page

You can see the specific tasks the user is permitted to do within the defined group or make changes to the tasks.

Editing the Guest User Credentials

Click the NCS username of the guest user whose credentials you want to edit. The Lobby Ambassador Default tab appears, and you can modify the credentials.

Note While editing, if the Profile selection is removed (changed to Select a profile), the defaults are removed for this Lobby Ambassador. The user must reconfigure the defaults to re-apply them.

Viewing the Audit Trail

Click the icon in the Users page to view the configuration changes performed by individual users. The Audit Trail page appears. This page enables you to view the following data:
• User—User login name
• Operation—Type of operation audited
• Time—Time the operation was audited
• Status—Success or failure
• Reason—Indicates any login failure reason, for example, invalid password.
• Configuration Changes—This field provides a Details link if there are any configuration changes. Click the Details link for more information on the configuration changes made by an individual user. The entries list the changed values for individual parameters between NCS and the controller.
For more information on Audit Trail Details, see the "Audit Trail Details Page" section on page 7-9.

Note Audit trail entries can be logged for individual controller changes. For example, if a template is applied to multiple controllers, there is a separate audit entry for each controller to which the template was applied.

Audit Trail Details Page

The Configuration Changes column on the Audit Trail list page contains a Details link if there are changes to the configuration. Click the Details link to view the Audit Trail Details for a specific user. The Audit Trail Details dialog box shows the attribute-level differences when a user changes the configuration from either the Templates or Configuration side. Table 7-1 describes the fields in the Audit Trail Details dialog box.

Table 7-1 Parameters in the Audit Trail Details Page

Parameter               Description
NCS Username            The username that triggered this audit trail.
Object Name             The name of the object that triggered this audit trail.
Operation Time          The date and time at which the audit entry was made.
Configuration Changes   Lists the attributes that were changed as a result of a user action in NCS and on the controller. For example, the attributes could be:
                        • Quality of Service
                        • Admin Status
                        • MAC Filters

Creating Guest User Accounts

You can use the Cisco Lobby Ambassador to create guest user accounts in NCS. A guest network provided by an enterprise allows access to the Internet for a guest without compromising the host. The web authentication is provided with or without a supplicant or client, so a guest needs to initiate a VPN tunnel to their desired destinations.

Both wired and wireless guest user access is supported. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are added to the network using the lobby ambassador feature.

The network administrator must first set up a lobby ambassador account. Guest user accounts are for visitors, temporary workers, and so on, who need network access. A lobby ambassador account has limited configuration privileges and only allows access to the screens used to configure and manage guest user accounts.

The lobby ambassador can create the following types of guest user accounts:
• A guest user account with a limited lifetime. After the specified time period, the guest user account automatically expires.
• A guest user account with an unlimited lifetime. This account never expires.
• A guest user account that is activated at a predefined time in the future. The lobby ambassador defines the beginning and end of the valid time period.

To create guest user accounts in NCS, follow these steps:

Note A group that has the SuperUser/administrator privileges (by default) can create a lobby ambassador account. Multiple lobby ambassador accounts can be created by the administrator with varying profiles and permissions.

Note A root group, which is created during installation, has only one assigned user, and no additional users can be assigned after installation. This root user cannot be changed. Also, unlike a super user, no task changes are allowed.

Step 1 Log into the NCS user interface as an administrator.
Step 2 Choose Administration > AAA.
Step 3 From the left sidebar menu, choose Users.
Step 4 From the Select a command drop-down list, choose Add User, and click Go. The Users page appears.
Step 5 Enter the username.
Step 6 Enter the password. The minimum is six characters. Reenter and confirm the password.
Note The password must include at least three of the following four types of elements: lowercase letters, uppercase letters, numbers, and special characters.

Step 7 In the Groups Assigned to this User section, select the LobbyAmbassador check box to access the Lobby Ambassador Defaults tab.
Step 8 Follow the steps in the "Setting the Lobby Ambassador Defaults" section on page 7-6.

Logging in to the NCS User Interface as a Lobby Ambassador

When you log in as a lobby ambassador, you have access to the guest user template page in NCS. You can then configure guest user accounts (through templates). To log into the NCS user interface through a web browser, follow these steps:

Step 1 Launch Internet Explorer 7.0 or later on your computer.

Note Some NCS features may not function properly if you use a web browser other than Internet Explorer 7.0 or later on a Windows workstation.

Step 2 In the browser's address line, enter https://NCS-ip-address (such as https://209.165.200.224), where NCS-ip-address is the IP address of the computer on which NCS is installed. Your administrator can provide this IP address.
Step 3 When the NCS user interface displays the Login page, enter your username and password.

Note All entries are case sensitive.

Note The lobby ambassador can only define guest user templates.

Step 4 Click Submit to log into NCS. The NCS user interface is now active and available for use. The Guest Users page is displayed. This page provides a summary of all created Guest Users.

To exit the NCS user interface, close the browser page or click Logout in the upper right corner of the page. Exiting an NCS user interface session does not shut down NCS on the server.
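The password-complexity rule in the note above and the group-combination rule stated earlier in this chapter (some user groups cannot be combined with any other group), modelled as an added Python example written for this page rather than taken from Cisco NCS. It assumes ASCII punctuation as the set of special characters and takes the minimum length as a parameter, because the guide gives six characters in one procedure and eight in another.

```python
"""Checks for the NCS account rules described in this chapter.

Illustrative code written for this page, not Cisco NCS code. It models
two rules the guide states for the Add User page: a password must use
at least three of the four character classes (lowercase, uppercase,
numbers, special characters), and the Lobby Ambassador, Monitor Lite,
Northbound API and Users Assistant groups cannot be combined with any
other group. Assumptions: minimum length is a parameter, and "special
characters" means ASCII punctuation (the exact NCS set is not on the page).
"""
import string

# Character classes named in the guide; ASCII punctuation stands in for
# "special characters" (assumption).
CHARACTER_CLASSES = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "number": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}
REQUIRED_CLASSES = 3

# Groups the guide says cannot be combined with any other group.
EXCLUSIVE_GROUPS = frozenset({
    "Lobby Ambassador",
    "Monitor Lite",
    "North Bound API User",
    "Users Assistant",
})

# Root is assigned to exactly one user at installation and never reassigned.
ROOT_GROUP = "Root"
ROOT_USERNAME = "root"


def present_classes(password: str) -> set:
    """Return the names of the character classes that appear in password."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}


def password_problems(password: str, min_length: int = 8) -> list:
    """Return the rule violations for password; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("password is shorter than %d characters" % min_length)
    classes = present_classes(password)
    if len(classes) < REQUIRED_CLASSES:
        missing = ", ".join(sorted(set(CHARACTER_CLASSES) - classes))
        problems.append(
            "password uses %d of 4 character classes, need %d (missing: %s)"
            % (len(classes), REQUIRED_CLASSES, missing)
        )
    return problems


def group_problems(username: str, groups) -> list:
    """Return violations of the group-combination rules for one user."""
    groups = set(groups)
    problems = []
    if not groups:
        problems.append("no user group assigned")
    exclusive = groups & EXCLUSIVE_GROUPS
    if exclusive and len(groups) > 1:
        problems.append(
            "%s cannot be combined with other groups (got: %s)"
            % (", ".join(sorted(exclusive)), ", ".join(sorted(groups)))
        )
    if ROOT_GROUP in groups and username != ROOT_USERNAME:
        problems.append("the Root group is only assignable to the root user")
    return problems


def check_new_user(username: str, password: str, groups, min_length: int = 8) -> list:
    """Combine both checks, as an administrator reviewing an Add User form would."""
    return password_problems(password, min_length) + group_problems(username, groups)


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    samples = [
        ("lobby1", "Visit0r!Desk", ["Lobby Ambassador"]),
        ("lobby2", "Visit0r!Desk", ["Lobby Ambassador", "Monitor Lite"]),
        ("ops1", "password", ["Admin", "ConfigManagers"]),
        ("alice", "Cisco123!", ["Root"]),
    ]
    for name, pw, grps in samples:
        issues = check_new_user(name, pw, grps)
        print(name, "OK" if not issues else "; ".join(issues))
```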
Note When a system administrator stops the NCS server during an NCS session, the session ends, and the web browser displays this message: "The page cannot be displayed." Your session does not reassociate to NCS when the server restarts. You must restart the NCS session.

Managing NCS Guest User Accounts

NCS guest user accounts are managed with the use of templates. This section describes how to manage NCS guest user accounts. It contains the following topics:
• Adding NCS Guest User Accounts (see the "Configuring a Guest User Template" section on page 11-56)
• Scheduling NCS Guest User Accounts, page 7-11
• Printing or E-mailing NCS Guest User Details, page 7-13
• Saving Guest Accounts on a Device, page 7-13

Scheduling NCS Guest User Accounts

A lobby ambassador is able to schedule automatic creation of a guest user account. The validity and recurrence of the account can be defined. The generation of a new password on every schedule is optional and is enabled by selecting a check box. For scheduled users, the password is automatically generated and is automatically sent by e-mail to the host of the guest. The e-mail address for the host is configured on the New User page. After clicking Save, the Guest User Details page displays the password. From this page, you can e-mail or print the account credentials.

To schedule a recurring guest user account in NCS, follow these steps:

Step 1 Log in to the NCS user interface as lobby ambassador.
Step 2 Choose Schedule Guest User from the Guest User page.

Note You can also schedule guest users from the Configure > Controller Template Launch Pad > Security > Guest User option.

Step 3 On the Guest Users > Scheduling page, enter the guest username. The maximum is 24 characters.
Step 4 Select the check box to generate a username and password on every schedule.
If this is enabled, a different password is supplied for each day (up to the number of days chosen). If this is disabled (unselected), one password is supplied for a span of days. The generation of a new password on every schedule is optional.

Step 5 Select a Profile ID from the drop-down list. This is the SSID to which this guest user applies and must be a WLAN that has a Layer 3 authentication policy configured. Your administrator can advise which Profile ID to use.
Step 6 Enter a description of the guest user account.
Step 7 Choose Limited or Unlimited.
• Limited: From the drop-down list, choose days, hours, or minutes for the lifetime of this guest user account. The maximum is 35 weeks.
– Start time: Date and time when the guest user account begins.
– End time: Date and time when the guest user account expires.
• Unlimited: This user account never expires.
• Days of the week: Select the check box for the days of the week that apply to this guest user account.

Step 8 Choose Apply To to restrict a guest user to a confined area by selecting a campus, building, or floor, so that when applied, only those controllers and associated access points are available. You can use AP grouping to enforce access point level restrictions that determine which SSIDs to broadcast. Those access points are then assigned to the respective floors. You can also restrict the guest user to specific listed controllers or to a configuration group, which is a group of controllers that has been preconfigured by the administrator. From the drop-down lists, choose one of the following:
• Controller List: Select the check box for the controller(s) to which the guest user account is associated.
• Indoor Area: Choose the applicable campus, building, and floor.
• Outdoor Area: Choose the applicable campus and outdoor area.
• Config group: Choose the configuration group to which the guest user account belongs.

Step 9 Enter the e-mail address to which the guest user account credentials are sent.
Each time the scheduled time comes up, the guest user account credentials are e-mailed to the specified e-mail address.

Step 10 Review the disclaimer information. Use the scroll bar to move up and down.
Step 11 Click Save to save your changes or Cancel to leave the settings unchanged.

Printing or E-mailing NCS Guest User Details

The lobby ambassador can print or e-mail the guest user account details to the host or person who welcomes guests. The e-mail and print copy show the following details:
• Username: Guest user account name.
• Password: Password for the guest user account.
• Start time: Date and time when the guest user account begins.
• End time: Date and time when the guest user account expires.
• Profile ID: Profile assigned to the guest user. Your administrator can advise which Profile ID to use.
• Disclaimer: Disclaimer information for the guest user.

When creating the guest user account and applying the account to a list of controllers, an area, or a configuration group, a link is provided to e-mail or print the guest user account details. You can also print guest user account details from the Guest Users List page.

To print guest user details from the Guest Users List page, follow these steps:

Step 1 Log into the NCS user interface as lobby ambassador.
Step 2 On the Guest User page, select the check box next to User Name, choose Print/E-mail User Details from the Select a command drop-down list, and click Go.
• If printing, click Print; on the print page, select a printer, and click Print or Cancel.
• If e-mailing, click E-mail; on the e-mail page, enter the subject text and the recipient's e-mail address. Click Send or Cancel.

Note You can also print or e-mail user details from the Configure > Controller Template Launch Pad > Security > Guest User option.
Saving Guest Accounts on a Device

Select the Save Guest Accounts on Device check box to save guest accounts to WLC flash so that they are maintained across WLC reboots.

Note In the Configure > Controller Template Launch Pad > Security > Guest page, you choose Save Guest Accounts on device from the Select a command drop-down list.

Editing the Guest User Credentials

Click the NCS username of the guest user whose credentials you want to edit. The Lobby Ambassador Default tab appears, and you can modify the credentials. While editing, if the Profile selection is removed (changed to Select a profile), the defaults are removed for this Lobby Ambassador. The user must reconfigure the defaults to re-apply them.

Adding a New User

The Add User page allows the administrator to set up a new user login, including username, password, groups assigned to the user, and virtual domains for the user.

Note You can only assign to a newly created user virtual domains that you own. By assigning virtual domains to a user, the user is restricted to information applicable to those virtual domains.

This section contains the following topics:
• Adding User Names, Passwords, and Groups, page 7-14
• Assigning a Virtual Domain, page 7-15

Adding User Names, Passwords, and Groups

To add a new user, follow these steps:

Step 1 Choose Administration > AAA.
Step 2 From the left sidebar menu, select Users.
Step 3 From the Select a command drop-down list, choose Add User.
Step 4 Click Go. The Users page appears (see Figure 7-5).

Figure 7-5 Users Page

Step 5 Enter a new Username.
Step 6 Enter and confirm a password for this account.
Step 7 Select the check box(es) of the groups to which this user will be assigned.

Note If the user belongs to the Lobby Ambassador, Monitor Lite, Northbound API, or Users Assistant group, the user cannot belong to any other group.
• Admin—Allows users to monitor and configure NCS operations and perform all system administration tasks.
• ConfigManagers—Allows users to monitor and configure NCS operations.
• System Monitoring—Allows users to monitor NCS operations.
• Users Assistant—Allows local net user administration only.
• Lobby Ambassador—Allows access for configuration and management of guest user accounts only. If Lobby Ambassador is selected, a Lobby Ambassador Defaults tab appears.
• Monitor Lite—Allows monitoring of asset locations.
• North Bound API User—A user group used by the NCS Web Service consumers, that is, any North Bound APIs.

Note If you are creating a North Bound API user from TACACS or RADIUS, the default user domain should be root.

Note North Bound API Users cannot be assigned a Virtual Domain. When a North Bound API group is selected, the Virtual Domains tab is not available.

• SuperUsers—Allows users to monitor and configure NCS operations and perform all system administration tasks, including administering NCS user accounts and passwords. Superuser tasks can be changed.
• Root—This group is only assignable to the 'root' user, and that assignment cannot be changed.
• User Defined.

Assigning a Virtual Domain

To assign a virtual domain to this user, follow these steps:

Step 1 Click the Virtual Domains tab. This tab displays all virtual domains available and assigned to this user (see Figure 7-6).

Figure 7-6 Users Virtual Domains Tab

Note The Virtual Domains tab enables the administrator to assign virtual domains for each user. By assigning virtual domains to a user, the user is restricted to information applicable to those virtual domains.

Note North Bound API Users cannot be assigned a Virtual Domain. When a North Bound API group is selected, the Virtual Domains tab is not available.

Step 2 Click to highlight the virtual domain in the Available Virtual Domains list that you want to assign to this user.

Note You can select more than one virtual domain by holding down the Shift or Control key.

Step 3 Click Add >. The virtual domain moves from the Available Virtual Domains list to the Selected Virtual Domains list. To remove a virtual domain from the Selected Virtual Domains list, click to highlight the domain in the Selected Virtual Domains list, and click Remove. The virtual domain moves from the Selected Virtual Domains list to the Available Virtual Domains list.
Step 4 Click Submit to save the changes or Cancel to close the page without adding or editing the current user.

Managing Lobby Ambassador Accounts

You can use the Cisco Lobby Ambassador to create guest user accounts in NCS. A guest network provided by an enterprise allows access to the Internet for a guest without compromising the host. The web authentication is provided with or without a supplicant or client, so a guest needs to initiate a VPN tunnel to their desired destinations.

Both wired and wireless guest user access is supported. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are added to the network using the lobby ambassador feature.

The network administrator must first set up a lobby ambassador account. Guest user accounts are for visitors, temporary workers, and so on, who need network access.
A lobby ambassador account has limited configuration privileges and only allows access to the pages used to configure and manage guest user accounts. The lobby ambassador can create the following types of guest user accounts:

• A guest user account with a limited lifetime. After the specified time period, the guest user account automatically expires.
• A guest user account with an unlimited lifetime. This account never expires.
• A guest user account that is activated at a predefined time in the future. The lobby ambassador defines the beginning and end of the valid time period.

This section contains the following topics:

• Creating a Lobby Ambassador Account, page 7-17
• Editing a Lobby Ambassador Account, page 7-18
• Logging in to the NCS User Interface as a Lobby Ambassador, page 7-19
• Logging the Lobby Ambassador Activities, page 7-19

Creating a Lobby Ambassador Account

Note A group that has the SuperUser/administrator privileges (by default) can create a lobby ambassador account.

To create a lobby ambassador account in NCS, follow these steps:

Step 1 Log into the NCS user interface as an administrator.
Step 2 Choose Administration > AAA.
Step 3 From the left sidebar menu, click Users.
Step 4 From the Select a command drop-down list, choose Add User.
Step 5 Click Go.
Step 6 Enter the username.
Step 7 Enter the password. Reenter to confirm the password. Password requirements include the following:
• The password must have a minimum of eight characters.
• The password must include at least three of the following elements: lowercase letters, uppercase letters, numbers, or special characters.
Step 8 In the Groups Assigned to this User section, select the LobbyAmbassador check box to access the Lobby Ambassador Defaults tab.
The Lobby Ambassador Defaults tab has the following parameters:

• Profile—The default profile to which the guest users would connect.
• Lifetime—Limited or Unlimited.

Note By default, the lifetime is limited to eight hours.

• Apply to—From the drop-down list, choose one of the following:
– Indoor Area—Campus, Building, and Floor.
– Outdoor Area—Campus, Outdoor Area.
– Controller List—List of controller(s) on which the selected profile is created.
– Config Groups—Config group names configured on NCS.
• Email ID—The email ID of the host to whom the guest account credentials are sent.
• Description—A brief description of this account.
• Disclaimer—The default disclaimer text.
• Defaults Editable—Select this check box if you want to allow the lobby ambassador to override these configured defaults. This allows the lobby ambassador to modify these Guest User Account default settings while creating Guest Accounts from the Lobby Ambassador portal.

Note If no default profile is selected on this tab, the defaults are not applied to this Lobby Ambassador. However, the Lobby Ambassador account is created and the Lobby Ambassador can create users with credentials as desired.

• Max User Creation Allowed—Select this check box to set limits on the number of guest users that can be created by the Lobby Ambassador in a given time period. The time period is defined in hours, days, or weeks.
• Click Submit. The name of the new lobby ambassador account is listed and the account can be used immediately.

Editing a Lobby Ambassador Account

The Lobby Ambassador default credentials can be edited from the username link on the NCS user list page. To edit the Lobby Ambassador default credentials, follow these steps:

Step 1 Log into the NCS user interface as an administrator.
Step 2 Choose Administration > AAA.
Step 3 From the left sidebar menu, click Users.
Step 4 Click the applicable Lobby Ambassador account from the User Name column.
Step 5 From the Lobby Ambassador Defaults page, edit the credentials as necessary.

Note While editing, if the Profile selection is removed (changed to Select a profile), the defaults are removed for this Lobby Ambassador. The user must reconfigure the defaults to apply them again.

Step 6 Click Submit.

Logging in to the NCS User Interface as a Lobby Ambassador

When you log in as a lobby ambassador, you have access to the guest user template page in NCS. You can then configure guest user accounts (through templates). To log into the NCS user interface through a web browser, follow these steps:

Step 1 Launch Internet Explorer 7.0 or later on your computer.

Note Some NCS features may not function properly if you use a web browser other than Internet Explorer 7.0 or later on a Windows workstation.

Step 2 In the browser address line, enter https://NCS-ip-address (such as https://1.1.1.1), where NCS-ip-address is the IP address of the computer on which NCS is installed. Your administrator can provide this IP address.
Step 3 When the NCS user interface displays the Login window, enter your username and password.

Note All entries are case sensitive.

Note The lobby ambassador can only define guest user templates.

Step 4 Click Submit to log into NCS. The NCS user interface is now active and available for use. The Guest Users page is displayed. This page provides a summary of all created Guest Users.

To exit the NCS user interface, close the browser window or click Logout in the upper right corner of the page. Exiting an NCS user interface session does not shut down NCS on the server.
Note When a system administrator stops the NCS server during an NCS session, the session ends, and the web browser displays this message: “The page cannot be displayed.” Your session does not reassociate to NCS when the server restarts. You must restart the NCS session.

Logging the Lobby Ambassador Activities

The following activities are logged for each lobby ambassador account:

• Lobby ambassador login—NCS logs the authentication operation results for all users.
• Guest user creation—When a lobby ambassador creates a guest user account, NCS logs the guest username.
• Guest user deletion—When a lobby ambassador deletes the guest user account, NCS logs the deleted guest username.
• Account updates—NCS logs the details of any updates made to the guest user account, for example, increasing the lifetime.

To view the lobby ambassador activities, follow these steps:

Note You must have administrative permissions to open this window.

Step 1 Log into the NCS user interface as an administrator.
Step 2 Choose Administration > AAA > Groups from the left sidebar menu to display the All Groups page.
Step 3 On the All Groups page, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail page for the lobby ambassador appears. This page enables you to view a list of lobby ambassador activities over time.
• User—User login name
• Operation—Type of operation audited
• Time—Time operation was audited
• Status—Success or failure
Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down list, and click Go.

Chapter 8 Configuring Mobility Groups

This chapter describes mobility groups and explains how to configure them on Cisco NCS.
It contains the following sections:

• Information About Mobility, page 8-1
• Symmetric Tunneling, page 8-5
• Overview of Mobility Groups, page 8-5
• Configuring Mobility Groups, page 8-8
• Mobility Anchors, page 8-12
• Configuring Multiple Country Codes, page 8-14
• Configuring Controller Config Groups, page 8-16
• Reporting Config Groups, page 8-22
• Downloading Software, page 8-23

Information About Mobility

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. This section explains how mobility works when controllers are included in a wireless network.

When a wireless client associates and authenticates to an access point, the access point’s controller places an entry for that client in its client database. This entry includes the client’s MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLANs, and the associated access point. The controller uses this information to forward frames and manage traffic to and from the wireless client. Figure 8-1 illustrates a wireless client roaming from one access point to another when both access points are joined to the same controller.

Figure 8-1 Intra-Controller Roaming

When the wireless client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point. If necessary, new security context and associations are established as well.

The process becomes more complicated, however, when a client roams from an access point joined to one controller to an access point joined to a different controller. The process also varies based on whether the controllers are operating on the same subnet.
Figure 8-2 illustrates inter-controller roaming, which occurs when the controllers’ wireless LAN interfaces are on the same IP subnet.

Figure 8-2 Inter-Controller Roaming

When the client associates to an access point joined to a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security context and associations are established if necessary, and the client database entry is updated for the new access point. This process remains invisible to the user.

Note All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication in order to comply with the IEEE standard.

Figure 8-3 illustrates inter-subnet roaming, which occurs when the controllers’ wireless LAN interfaces are on different IP subnets.

Figure 8-3 Inter-Subnet Roaming

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on how the client roams. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains invisible to the wireless client, and the client maintains its original IP address.

After an inter-subnet roam, data flows in an asymmetric traffic path to and from the wireless client. Traffic from the client to the network is forwarded directly into the network by the foreign controller.
Traffic to the client arrives at the anchor controller, which forwards the traffic to the foreign controller in an EtherIP tunnel. The foreign controller then forwards the data to the client. If a wireless client roams to a new foreign controller, the client database entry is moved from the original foreign controller to the new foreign controller, but the original anchor controller is always maintained. If the client moves back to the original controller, it becomes local again.

In inter-subnet roaming, WLANs on both anchor and foreign controllers need to have the same network access privileges, and no source-based routing or source-based firewalls may be in place. Otherwise, the clients may have network connectivity problems after the handoff.

Note Currently, multicast traffic cannot be passed during inter-subnet roaming. In other words, avoid designing an inter-subnet network for Spectralink phones that need to send multicast traffic while using push to talk.

Note Both inter-controller roaming and inter-subnet roaming require the controllers to be in the same mobility group. See the next two sections for a description of mobility groups and instructions for configuring them.

Symmetric Tunneling

With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has reverse path filtering (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.

You enable or disable symmetric tunneling by choosing Configure > Controller and then System > General from the left sidebar menu.
Note All controllers in a mobility group should have the same symmetric tunneling mode.

Note For symmetric tunneling to take effect, a reboot is required.

With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller. See the “Configuring Controller Templates” section on page 11-4 for instructions on configuring this feature within a template.

Overview of Mobility Groups

A set of controllers can be configured as a mobility group to allow seamless client roaming within a group of controllers. By creating a mobility group, you can enable multiple controllers in a network to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers can share the context and state of client devices and controller loading information. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.

Note Clients do not roam across mobility groups.

Figure 8-4 shows an example of a mobility group.

Figure 8-4 A Single Mobility Group

As shown in Figure 8-4, each controller is configured with a list of the other members of the mobility group. Whenever a new client joins a controller, the controller sends out a unicast message to all of the controllers in the mobility group. The controller to which the client was previously connected passes on the status of the client. All mobility exchange traffic between controllers is carried over a CAPWAP tunnel.

Examples:

1. A 4404-100 controller supports up to 100 access points.
Therefore, a mobility group consisting of 24 4404-100 controllers supports up to 2400 access points (24 * 100 = 2400 access points).
2. A 4402-25 controller supports up to 25 access points, and a 4402-50 controller supports up to 50 access points. Therefore, a mobility group consisting of 12 4402-25 controllers and 12 4402-50 controllers supports up to 900 access points (12 * 25 + 12 * 50 = 300 + 600 = 900 access points).

Mobility groups enable you to limit roaming between different floors, buildings, or campuses in the same enterprise by assigning different mobility group names to different controllers within the same wireless network. Figure 8-5 shows the results of creating distinct mobility group names for two groups of controllers.

Figure 8-5 Two Mobility Groups

The controllers in the ABC mobility group recognize and communicate with each other through their access points and through their shared subnets. The controllers in the ABC mobility group do not recognize or communicate with the XYZ controllers, which are in a different mobility group. Likewise, the controllers in the XYZ mobility group do not recognize or communicate with the controllers in the ABC mobility group. This feature ensures mobility group isolation across the network.

Note Clients may roam between access points in different mobility groups, provided they can detect them. However, their session information is not carried between controllers in different mobility groups.

When to Include Controllers in a Mobility Group

If it is possible for a wireless client in your network to roam from an access point joined to one controller to an access point joined to another controller, both controllers should be in the same mobility group.
Messaging among Mobility Groups

The controller provides inter-subnet mobility for clients by sending mobility messages to other member controllers. There can be up to 72 members in the list with up to 24 in the same mobility group. In NCS and controller software release 5.0, two improvements have been made to mobility messaging, each of which is especially useful when sending messages to the full list of mobility members:

• Sending Mobile Announce messages within the same group first and then to other groups in the list

The controller sends a Mobile Announce message to members in the mobility list each time a new client associates to it. In NCS and controller software releases prior to 5.0, the controller sends this message to all members in the list irrespective of the group to which they belong. However, in controller software release 5.0, the controller sends the message only to those members that are in the same group as the controller and then includes all of the other members when sending retries.

• Sending Mobile Announce messages using multicast instead of unicast

In NCS and controller software releases prior to 5.0, the controller may be configured to use multicast to send the mobile announce messages, which requires sending a copy of the messages to every mobility member. This behavior is not efficient because many messages (such as Mobile Announce, PMK Update, AP List Update, and IDS Shun) are meant for all members in the group. In NCS and controller software release 5.0, the controller uses multicast mode to send the Mobile Announce messages. This behavior allows the controller to send only one copy of the message to the network, which delivers it to the multicast group containing all the mobility members.
To derive the maximum benefit from multicast messaging, we recommend that it be enabled or disabled on all group members.

Configuring Mobility Groups

This section provides instructions for configuring mobility groups.

Note You can also configure mobility groups using the controller. See the Cisco Wireless LAN Controller Configuration Guide for instructions.

Prerequisites

Before you add controllers to a mobility group, you must verify that the following requirements have been met for all controllers that are to be included in the group:

• All controllers must be configured for the same LWAPP transport mode (Layer 2 or Layer 3).

Note You can verify and, if necessary, change the LWAPP transport mode on the System > General page.

• IP connectivity must exist between the management interfaces of all devices.

Note You can verify IP connectivity by pinging the controllers.

• All controllers must be configured with the same mobility group name.

Note For the Cisco WiSM, both controllers should be configured with the same mobility group name for seamless routing among 300 access points.

• All devices must be configured with the same virtual interface IP address.

Note If all the controllers within a mobility group are not using the same virtual interface, inter-controller roaming may appear to work, but the hand-off does not complete, and the client loses connectivity for a period of time.

• You must have gathered the MAC address and IP address of every controller that is to be included in the mobility group. This information is necessary because you will be configuring all controllers with the MAC address and IP address of all the other mobility group members.

Note You can find the MAC and IP addresses of the other controllers to be included in the mobility group on the Configure > Controllers page.
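The Mobile Announce addressing described in "Messaging among Mobility Groups" above, together with the per-group multicast address rule from the "Setting the Mobility Scalability Parameters" steps that follow, modelled as an added example. This is not Cisco code: the member list, limits handling, field names and sample data are constructed.

```python
"""Model of how a controller addresses Mobile Announce messages to its
mobility list: 72-member list / 24-per-group limits, same-group-first
delivery from release 5.0 on, and multicast vs. unicast per group.
Added example, not Cisco code; all names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_LIST_MEMBERS = 72    # mobility list limit stated in the guide
MAX_GROUP_MEMBERS = 24   # members per mobility group stated in the guide


@dataclass(frozen=True)
class Member:
    mac: str
    ip: str      # management IP (or the NAT-side address when NAT is in the path)
    group: str


@dataclass
class MobilityConfig:
    local_group: str
    members: List[Member]
    release: str                          # controller software release, e.g. "5.0"
    ethernet_multicast: str = "unicast"   # Ethernet Multicast Support: multicast/unicast/disabled
    group_multicast_addr: Dict[str, str] = field(default_factory=dict)


def validate(cfg: MobilityConfig) -> List[str]:
    """Return configuration problems; an empty list means the list is usable."""
    problems: List[str] = []
    if len(cfg.members) > MAX_LIST_MEMBERS:
        problems.append(f"mobility list has {len(cfg.members)} members, limit is {MAX_LIST_MEMBERS}")
    per_group: Dict[str, int] = {}
    for m in cfg.members:
        per_group[m.group] = per_group.get(m.group, 0) + 1
    for group, count in sorted(per_group.items()):
        if count > MAX_GROUP_MEMBERS:
            problems.append(f"group {group} has {count} members, limit is {MAX_GROUP_MEMBERS}")
    # Multicast mode requires a group address for the local group; other
    # groups may omit it and then fall back to unicast.
    if cfg.ethernet_multicast == "multicast" and not cfg.group_multicast_addr.get(cfg.local_group):
        problems.append("multicast mode is enabled but the local group has no multicast group address")
    return problems


def announce_targets(cfg: MobilityConfig) -> Tuple[List[Member], List[Member]]:
    """Recipients of a Mobile Announce on the first send and on retries.
    Releases before 5.0 address every list member immediately; from 5.0 on
    the controller addresses same-group members first and all members on retries."""
    major = int(cfg.release.split(".")[0])
    if major < 5:
        return list(cfg.members), list(cfg.members)
    same_group = [m for m in cfg.members if m.group == cfg.local_group]
    return same_group, list(cfg.members)


def delivery_mode(cfg: MobilityConfig, group: str) -> str:
    """One multicast copy when the group has a multicast address configured,
    otherwise one unicast copy per member of that group."""
    if cfg.ethernet_multicast == "multicast" and cfg.group_multicast_addr.get(group):
        return "multicast"
    return "unicast"


def message_copies(cfg: MobilityConfig, recipients: List[Member]) -> int:
    """Number of copies the controller puts on the wire for one announce."""
    copies = 0
    for group in sorted({m.group for m in recipients}):
        if delivery_mode(cfg, group) == "multicast":
            copies += 1
        else:
            copies += sum(1 for m in recipients if m.group == group)
    return copies


# Constructed sample: local group ABC plus a second group XYZ in the list,
# multicast address configured for ABC only (XYZ therefore gets unicast).
SAMPLE = MobilityConfig(
    local_group="ABC",
    members=[
        Member("00:11:22:33:44:01", "10.0.1.1", "ABC"),
        Member("00:11:22:33:44:02", "10.0.1.2", "ABC"),
        Member("00:11:22:33:44:03", "10.0.2.1", "XYZ"),
        Member("00:11:22:33:44:04", "10.0.2.2", "XYZ"),
    ],
    release="5.0",
    ethernet_multicast="multicast",
    group_multicast_addr={"ABC": "239.1.1.1"},
)

if __name__ == "__main__":
    first, retry = announce_targets(SAMPLE)
    print(validate(SAMPLE), len(first), len(retry),
          message_copies(SAMPLE, first), message_copies(SAMPLE, retry))
```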
To add each WLC controller into mobility groups and configure them, follow these steps:

Step 1 Choose Configure > Controllers (see Figure 8-6).

Figure 8-6 Configure > Controllers

This page shows the list of all the controllers you added in Step 1. The mobility group names and the IP address of each controller that is currently a member of the mobility group are listed.

Step 2 Choose the first controller by clicking the WLC IP address. You will then access the controller templates interface for the controller you are managing.
Step 3 Choose System > Mobility Groups from the left sidebar menu. The existing Mobility Group members are listed in the page (see Figure 8-7).

Figure 8-7 Existing Mobility Groups

Step 4 You will see a list of available controllers. From the Select a command drop-down list in the upper right-hand corner, choose Add Group Members and then click Go.
Step 5 If no controllers were found to add to the mobility group, you can add the members manually by clicking the “To add members manually to the Mobility Group click here” message. The Mobility Group Member page appears (see Figure 8-8).

Figure 8-8 Mobility Group Member Page

Step 6 In the Member MAC Address text box, enter the MAC address of the controller to be added.
Step 7 In the Member IP Address text box, enter the management interface IP address of the controller to be added.

Note If you are configuring the mobility group in a network where Network Address Translation (NAT) is enabled, enter the IP address sent to the controller from the NAT device rather than the controller’s management interface IP address.
Otherwise, mobility will fail among controllers in the mobility group.

Step 8 Enter the multicast group IP address to be used for multicast mobility messages in the Multicast Address text box. The local mobility member’s group address must be the same as the local controller’s group address.
Step 9 In the Group Name text box, enter the name of the mobility group.
Step 10 Click Save.
Step 11 Repeat the above steps for the remaining WLC devices.

Setting the Mobility Scalability Parameters

To set the mobility message parameters, follow these steps:

Note You must complete the steps in the “Configuring Mobility Groups” section on page 8-8 prior to setting the mobility scalability parameters.

Step 1 Choose Configure > Controllers.
Step 2 Choose an IP address of a controller whose software version is 5.0 or later.
Step 3 Choose System > Multicast from the left sidebar menu. The Multicast page appears (see Figure 8-9).

Figure 8-9 Multicast Page

Step 4 At the Ethernet Multicast Support parameter, specify if you want to disable the ability for the controller to use multicast mode to send Mobile Announce messages to mobility members. Otherwise, you can choose Multicast or Unicast.
Step 5 If you chose multicast in Step 4, you must enter the group IP address at the Multicast Group Address parameter to begin multicast mobility messaging. You must configure this IP address for the local mobility group, but it is optional for other groups within the mobility list. If you do not configure the IP address for other (non-local) groups, the controllers use unicast mode to send mobility messages to those members.
Step 6 Select the Enable Global Multicast Mode check box to make the multicast mode available globally.
Step 7 Select the Enable IGMP Snooping check box to enable IGMP snooping.
Step 8 Select Enable from the Multicast Mobility Mode drop-down list to change the IGMP snooping status or to set the IGMP timeout. When IGMP snooping is enabled, the controller gathers IGMP reports from the clients and then sends each access point a list of the clients listening to any multicast group. The access point then forwards the multicast packets only to those clients. The timeout interval has a range of 3 to 300 and a default value of 60. When the timeout expires, the controller sends a query to all WLANs. Those clients which are listening in the multicast group then send a packet back to the controller.
Step 9 If you enabled the Multicast Mobility Mode, enter the mobility group multicast address.
Step 10 Select the Multicast Direct check box to enable videos to be streamed over a wireless network.
Step 11 Specify the Session Banner information, which is the error information sent to the client if the client is denied or dropped from a Media Stream.
a. State—Select the check box to activate the Session Banner. If not activated, the Session Banner is not sent to the client.
b. URL—A web address reported to the client.
c. Email—An email address reported to the client.
d. Phone—A telephone number reported to the client.
e. Note—A note reported to the client.

Note All Media Streams on a Controller share this configuration.

Step 12 Click Save.

Mobility Anchors

Mobility anchors are a subset of a mobility group specified as the anchor controllers for a WLAN. This feature can be used to restrict a WLAN to a single subnet, regardless of the client’s entry point into the network. In this way, users can access a public or guest WLAN throughout an enterprise but still be restricted to a specific subnet.
Guest WLANs can also be used to provide geographic load balancing because WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so on).

When a client first associates to a controller of a mobility group that has been preconfigured as a mobility anchor for a WLAN, the client associates to the controller locally, and a local session is created for the client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.

When a client first associates to a controller of a mobility group that has not been configured as a mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for the client, and the controller is announced to the other controllers in the same mobility group. If the announcement is not answered, the controller contacts one of the anchor controllers configured for the WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller decapsulates the packets and forwards them to the client.

Note A 2000 series controller cannot be designated as an anchor for a WLAN. However, a WLAN created on a 2000 series controller can have a 4100 series controller or a 4400 series controller as its anchor.

Note The L2TP Layer 3 security policies are unavailable for WLANs configured with a mobility anchor.
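An added pre-flight check that covers both the Prerequisites list in "Configuring Mobility Groups" above (same LWAPP mode, same mobility group name, same virtual interface IP, every controller configured with every peer's MAC and IP) and the anchor rules in this section (identical anchor set for a WLAN on every controller, anchors must be group members, no 2000 series anchor). It is written here as illustration rather than taken from NCS; the Controller fields, the series values and the sample inventory are constructed, and IP connectivity is left to the operator's ping test.

```python
"""Consistency checks for a planned mobility group and its WLAN anchors.
Added example, not Cisco code; field names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Controller:
    name: str
    mac: str
    mgmt_ip: str
    series: str            # constructed field: "2000", "4100" or "4400"
    lwapp_mode: str        # "Layer 2" or "Layer 3"
    mobility_group: str
    virtual_ip: str
    # (MAC, IP) of every peer this controller has been configured with
    known_members: Set[Tuple[str, str]] = field(default_factory=set)
    # WLAN id -> management IPs of the anchors configured on this controller
    wlan_anchors: Dict[int, Set[str]] = field(default_factory=dict)


def _uniform(controllers: List[Controller], attr: str, label: str) -> List[str]:
    values = {getattr(c, attr) for c in controllers}
    return [f"{label} differs across controllers: {sorted(values)}"] if len(values) > 1 else []


def check_mobility_group(controllers: List[Controller]) -> List[str]:
    """Prerequisite checks from the guide; returns an empty list when all pass.
    IP connectivity between management interfaces is a live ping test and is
    not modelled here."""
    problems: List[str] = []
    problems += _uniform(controllers, "lwapp_mode", "LWAPP transport mode")
    problems += _uniform(controllers, "mobility_group", "mobility group name")
    # A mismatched virtual interface lets roaming appear to work while the
    # hand-off never completes, so it is flagged like the hard requirements.
    problems += _uniform(controllers, "virtual_ip", "virtual interface IP address")
    for c in controllers:
        for peer in controllers:
            if peer is not c and (peer.mac, peer.mgmt_ip) not in c.known_members:
                problems.append(f"{c.name} is not configured with member {peer.name} ({peer.mac}, {peer.mgmt_ip})")
    return problems


def check_wlan_anchors(controllers: List[Controller]) -> List[str]:
    """Anchor rules: same anchor set on every controller for each WLAN, anchors
    must be group members, and a 2000 series controller cannot be an anchor."""
    problems: List[str] = []
    by_ip = {c.mgmt_ip: c for c in controllers}
    wlan_ids: Set[int] = set()
    for c in controllers:
        wlan_ids |= set(c.wlan_anchors)
    for wlan in sorted(wlan_ids):
        anchor_sets = [frozenset(c.wlan_anchors.get(wlan, set())) for c in controllers]
        if len(set(anchor_sets)) > 1:
            problems.append(f"WLAN {wlan}: anchor set differs across controllers")
        for anchor_ip in sorted(set().union(*anchor_sets)):
            anchor = by_ip.get(anchor_ip)
            if anchor is None:
                problems.append(f"WLAN {wlan}: anchor {anchor_ip} is not a member of the mobility group")
            elif anchor.series == "2000":
                problems.append(f"WLAN {wlan}: {anchor.name} is a 2000 series controller and cannot be an anchor")
    return problems


def build_sample(broken: bool = False) -> List[Controller]:
    """Constructed three-controller group. With broken=True the faults the guide
    warns about are injected: a mismatched virtual IP, a controller missing one
    peer entry, and a 2000 series controller set as anchor on only one member."""
    specs = [("wlc-a", "00:1a:00:00:00:01", "10.10.0.1", "4400"),
             ("wlc-b", "00:1a:00:00:00:02", "10.10.0.2", "4400"),
             ("wlc-c", "00:1a:00:00:00:03", "10.10.0.3", "2000")]
    ctrls = [Controller(n, m, ip, s, "Layer 3", "ABC", "1.1.1.1",
                        wlan_anchors={1: {"10.10.0.1"}}) for n, m, ip, s in specs]
    for c in ctrls:
        c.known_members = {(p.mac, p.mgmt_ip) for p in ctrls if p is not c}
    if broken:
        ctrls[1].virtual_ip = "1.1.1.2"
        ctrls[2].known_members.discard((ctrls[0].mac, ctrls[0].mgmt_ip))
        ctrls[0].wlan_anchors[2] = {"10.10.0.3"}
    return ctrls


if __name__ == "__main__":
    for label, inventory in (("good", build_sample()), ("broken", build_sample(broken=True))):
        print(label, check_mobility_group(inventory) + check_wlan_anchors(inventory))
```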
Configuring Mobility Anchors

To create a new mobility anchor for a WLAN, follow these steps:

Step 1 Click Configure > Controllers.
Step 2 Choose a controller by clicking an IP address.
Step 3 Choose WLANs > WLAN Configuration from the left sidebar menu.
Step 4 Select the check box of the desired WLAN ID URL (see Figure 8-10).

Figure 8-10 WLAN Page

Step 5 After choosing a WLAN ID, a tabbed page appears (see Figure 8-11). Click the Advanced tab.

Figure 8-11 Advanced Page

Step 6 Click the Mobility Anchors link at the bottom of the page. The Mobility Anchors page appears.
Step 7 Select the IP address check box of the controller to be designated a mobility anchor, and click Save.
Step 8 Repeat Step 6 and Step 7 to set any other controllers as anchors for this WLAN.
Step 9 Configure the same set of anchor controllers on every controller in the mobility group.

Configuring Multiple Country Codes

You can configure one or more countries on a controller. After countries are configured on a controller, the corresponding 802.11a/n DCA channels are available for selection. At least one DCA channel must be selected for the 802.11a/n network. When the country codes are changed, the DCA channels are automatically changed in coordination.

Note 802.11a/n and 802.11b/n networks for controllers and access points must be disabled before configuring a country on a controller. To disable 802.11a/n or 802.11b/n networks, choose Configure > Controllers, select the desired controller you want to disable, choose 802.11a/n or 802.11b/g/n from the left sidebar menu, and then choose Parameters. The Network Status is the first check box.

Note To configure multiple country codes outside of a mobility group, see the “Configuring Security Parameters” section on page 9-81.
To add multiple controllers that are defined in a configuration group and then set the DCA channels, follow these steps:

Step 1 Choose Configure > Controller Config Groups.
Step 2 Choose Add Config Groups from the Select a command drop-down list, and click Go.
Step 3 Create a config group by entering the group name and mobility group name.
Step 4 Click Save. The Config Groups page appears (see Figure 8-12).

Figure 8-12 Config Groups Page

Step 5 Click the Controllers tab. The Controllers page appears (see Figure 8-13).

Figure 8-13 Controller Tab

Step 6 Highlight the controllers you want to add, and click the Add button. The controller is added to the Group Controllers page.
Step 7 Click the Country/DCA tab. The Country/DCA page appears (see Figure 8-14). Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Figure 8-14 Country/DCA Tab

Step 8 Select the Update Countries/DCA check box to display a list of countries from which to choose.
Step 9 Those DCA channels that are currently configured on the controller for the same mobility group are displayed in the Select Country Codes page. The corresponding 802.11a/n and 802.11b/n allowable channels for the chosen country are displayed as well. You can add or delete any channels in the list by selecting or deselecting the channel and clicking Save Selection.

Note A minimum of 1 and a maximum of 20 countries can be configured for a controller.

Configuring Controller Config Groups

By creating a config group, you can group controllers that should have the same mobility group name and similar configuration.
You can assign templates to the group and push templates to all the controllers in a group. You can add, delete, or remove config groups, and download software, IDS signatures, or a customized web authentication page to controllers in the selected config groups. You can also save the current configuration to nonvolatile (flash) memory on controllers in selected config groups.

Note A controller cannot be a member of more than one mobility group. Adding a controller to one mobility group removes that controller from any other mobility group of which it is already a member.

For information about applying templates to either individual controllers or controllers in selected config groups, see the “Using Templates” section on page 11-1.

By choosing Configure > Controller Config Groups, you can view a summary of all config groups in the Cisco NCS database. When you choose Add Config Groups from the Select a command drop-down list, the page displays a table with the following columns:

• Group Name: Name of the config group.
• Templates: Number of templates applied to the config group.

Adding New Group

To add a config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups.
Step 2 From the Select a command drop-down list, choose Add Config Group, and click Go. The Add New Group page appears.
Step 3 Enter the new config group name. It must be unique across all groups. If Enable Background Audit is selected, the network and controller audits include this config group. If Enable Enforcement is selected, the templates are automatically applied during the audit if any discrepancies are found.

Note If the Enable Background Audit option is chosen, the network and controller audit is performed on this config group.

Step 4 Other templates created in NCS can be assigned to a config group.
The same WLAN template can be assigned to more than one config group. Choose from the following:

• Select and add later: Click to add templates at a later time.
• Copy templates from a controller: Click to copy templates from another controller. Choose a controller from the list of current controllers to copy its applied templates to the new config group. Only the templates are copied.

Note The order of the templates is important when dealing with radio templates. For example, if the template list includes radio templates that require the radio network to be disabled prior to applying the radio parameters, the template that disables the radio network must be added to the template list first.

Step 5 Click Save. The Config Groups page appears (see Figure 8-15).

Figure 8-15 Config Groups Page

Configuring Config Groups

To configure a config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column. The Config Group page shown in Figure 8-15 appears.
Step 2 Click the General tab. The following options for the config group appear:

• Group Name: Name of the config group.
  – Enable Background Audit—If selected, all the templates that are part of this group are audited against the controllers during network and controller audits.
  – Enable Enforcement—If selected, the templates are automatically applied during the audit if any discrepancies are found. Because enforcement overwrites the controller with the NCS copy of each template at every audit, review the group's templates before enabling it; changes made directly on a controller are reverted at the next audit.

Note The audit and enforcement of the config group templates happen only when the selected audit mode is Template based audit.

  – Enable Mobility Group—If selected, the mobility group name is pushed to all controllers in the group.
• Mobility Group Name: Mobility group name that is pushed to all controllers in the group. The mobility group name can also be modified here.

Note A controller can be part of multiple config groups.
• Last Modified On: Date and time the config group was last modified.
• Last Applied On: Date and time the last changes were applied.

Step 3 You must click the Apply/Schedule tab to distribute the specified mobility group name to the group controllers and to create mobility group members on each of the group controllers.
Step 4 Click Save.

Adding or Removing Controllers from a Config Group

To add or remove controllers from a config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column.
Step 2 Click the Controllers tab. The columns in the table display the IP address of the controller, the config group name the controller belongs to, and the controller’s mobility group name.
Step 3 Click to highlight the row of the controller you want to add to the group.
Step 4 Click Add.

Note If you want to remove a controller from the group, highlight the controller in the Group Controllers box and click Remove.

Step 5 You must click the Apply/Schedule tab, and click Apply to add or remove the controllers to or from the config group.
Step 6 Click Save Selection.

Adding or Removing Templates from the Config Group

To add or remove templates from the config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column.
Step 2 Click the Templates tab. The Remaining Templates table displays the item number of all available templates, the template name, and the type and use of the template.
Step 3 Click to highlight the row of the template you want to add to the group.
Step 4 Click Add to move the highlighted template to the Group Templates column.
Note If you want to remove a template from the group, highlight the template in the Group Templates box, and click Remove.

Step 5 You must click the Apply/Schedule tab and click Apply to add or remove the templates to or from the config group.
Step 6 Click Save Selection.

Applying or Scheduling Config Groups

Note The scheduling function allows you to schedule a start day and time for provisioning.

To apply the mobility groups, mobility members, and templates to all the controllers in a config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name in the Group Name column.
Step 2 Click the Apply/Schedule tab.
Step 3 Click Apply to start the provisioning of mobility groups, mobility members, and templates to all the controllers in the config group. After you click Apply, you can leave this page or log out of Cisco NCS. The process continues, and you can return to this page later to view a report.

Note Do not perform any other config group functions while the apply is in progress.

A report is generated and appears in the Recent Apply Report page. It shows which mobility group, mobility members, or templates were successfully applied to each of the controllers.

Note If you want to print the report as shown on the page, you must choose landscape page orientation.

Step 4 Enter a starting date in the text box or use the calendar icon to choose a start date.
Step 5 Choose the starting time using the hours and minutes drop-down lists.
Step 6 Click Schedule to start the provisioning at the scheduled time.

Auditing Config Groups

The Config Groups Audit page allows you to verify whether each controller’s configuration complies with the group templates and mobility group. During the audit, you can leave this page or log out of Cisco NCS.
The process continues, and you can return to this page later to view a report.

Note Do not perform any other config group functions while the audit is in progress.

To perform a config group audit, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column.
Step 2 Click the Audit tab.
Step 3 Click to highlight a controller in the Controllers tab, choose >> (Add), and click Save Selection.
Step 4 Click to highlight a template in the Templates tab, choose >> (Add), and click Save Selection.
Step 5 Click Audit to begin the auditing process (see Figure 8-16). A report is generated, and the current configuration on each controller is compared with that in the config group templates. The report displays the audit status, the number of templates in sync, and the number of templates out of sync.

Note This audit does not enforce the NCS configuration on the device. It only identifies the discrepancies.

Figure 8-16 Config Groups Audit Tab

Step 6 Click Details to view the Controller Audit Report details.
Step 7 Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value in NCS, and its value on the controller.

Note Click Retain NCS Value to push all attributes in the Attribute Differences page to the device.

Step 8 Click Close to return to the Controller Audit Report page.

Rebooting Config Groups

To reboot a config group, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column.
Step 2 Click the Reboot tab.
Step 3 Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that controller to come up before rebooting the next controller.
Step 4 Click Reboot. Without Cascade Reboot, all controllers in the config group reboot at the same time.
During the reboot, you can leave this page or log out of Cisco NCS. The process continues, and you can return to this page later to view a report. The Recent Reboot Report page shows when each controller was rebooted and what the controller status is after the reboot. If NCS is unable to reboot a controller, a failure is shown.

Note If you want to print the report as shown on the page, you must choose landscape page orientation.

Reporting Config Groups

To display all recently applied reports under a specified group name, follow these steps:

Step 1 Choose Configure > Controller Config Groups, and click a group name under the Group Name column.
Step 2 Click the Report tab. The Recent Apply Report page displays all recently applied reports, including the apply status, the date and time the apply was initiated, and the number of templates. The following information is provided for each individual IP address:

• Apply Status—Indicates success, partial success, failure, or not initiated.
• Successful Templates—Indicates the number of successful templates associated with the applicable IP address.
• Failures—Indicates the number of failures in the provisioning of mobility group, mobility members, and templates to the applicable controller.
• Details—Click Details to view the individual failures and associated error messages.

Step 3 If you want to view the scheduled task reports, click the click here link at the bottom of the page. You are then redirected to the Configure > Scheduled Configuration Tasks > Config Group menu, where you can view reports of the scheduled config groups.

Downloading Software

To download software to all controllers in the selected groups after you have a config group established, follow these steps:

Step 1 Choose Configure > Controller Config Groups.
Step 2 Select the check boxes of one or more config groups on the Config Groups page.
Step 3 Choose Download Software from the Select a command drop-down list, and click Go.
Step 4 The Download Software to Controller page appears. The IP address of each controller to receive the software and its current status are displayed. Choose local machine from the File is Located On parameter.
Step 5 Enter the maximum number of times the controller should attempt to download the software file in the Maximum Retries parameter.
Step 6 Enter the maximum amount of time in seconds before the controller times out while attempting to download the software file in the Timeout parameter.
Step 7 The software files are uploaded to the c:\tftp directory. Specify the local file name in that directory or use the Browse button to navigate to it. If the transfer times out for some reason, choose the TFTP server option in the File Is Located On parameter; the Server File Name is populated for you and the transfer is retried.
Step 8 Click OK.

Downloading IDS Signatures

To download Intrusion Detection System (IDS) signature files to the controllers in one or more config groups, using the local TFTP server, follow these steps:

Step 1 Choose Configure > Controller Config Groups.
Step 2 Select the check boxes of one or more config groups on the Config Groups page.
Step 3 Choose Download IDS Signatures from the Select a command drop-down list, and click Go.
Step 4 The Download IDS Signatures to Controller page appears. The IP address of each controller to receive the bundle and its current status are displayed. Choose local machine from the File is Located On parameter.
Step 5 Enter the maximum number of times the controller should attempt to download the signature file in the Maximum Retries parameter.
Step 6 Enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file in the Timeout parameter.
Step 7 The signature files are uploaded to the c:\tftp directory. Specify the local file name in that directory or use the Browse button to navigate to it. The controller uses this local file name as a base name and then adds _custom.sgi as a suffix. If the transfer times out for some reason, choose the TFTP server option in the File Is Located On parameter; the Server File Name is populated for you and the transfer is retried.
Step 8 Click OK.

Downloading Customized WebAuth

To download a customized web authentication bundle, follow these steps:

Step 1 Choose Configure > Controller Config Groups.
Step 2 Select the check boxes of one or more config groups on the Config Groups page.
Step 3 Choose Download Customized WebAuth from the Select a command drop-down list, and click Go.
Step 4 The Download Customized Web Auth Bundle to Controller page appears. The IP address of each controller to receive the bundle and its current status are displayed.
Step 5 Choose local machine from the File is Located On parameter.

CHAPTER 9 Configuring Devices

This chapter describes how to configure devices in the NCS database.
It contains the following sections:

• Configuring Controllers, page 9-1
• Configuring Existing Controllers, page 9-23
• Configuring Access Points, page 9-151
• Configuring Switches, page 9-190
• Configuring Spectrum Experts, page 9-200
• Configuring Chokepoints, page 9-204
• Configuring WiFi TDOA Receivers, page 9-207
• Configuring Scheduled Configuration Tasks, page 9-211
• Configuring wIPS Profiles, page 9-220
• Configuring ACS View Servers, page 9-229
• Configuring TFTP Servers, page 9-230
• Interactive Graphs, page 9-230

Configuring Controllers

This section describes how to configure controllers in the NCS database. Choose Configure > Controllers to access the following:

• A summary of all controllers in the NCS database.
• The ability to add, remove, and reboot selected controllers.
• The ability to download software from the NCS server to selected controllers.
• The ability to save the current configuration to nonvolatile (Flash) memory on selected controllers.
• The ability to view audit reports for selected controllers.

The controllers data table contains the following columns:

• Check box—Select the applicable controller.
• IP Address—Local network IP address of the controller.
  – Click the title to sort the list items.
  – Click a list item to display parameters for that IP address. See “Viewing Controllers Properties, page 9-23”.
  – Click the icon to the right of the IP address to launch the controller Web user interface in a new browser window.
• Device Name—Indicates the name of the controller. Click the Controller Name link to sort the list by controller name.
• Device Type—Click to sort by type. Device types are grouped by series.
For example:
  – WLC2100—21xx Series Wireless LAN Controllers
  – 2500—25xx Series Wireless LAN Controllers
  – 4400—44xx Series Wireless LAN Controllers
  – 5500—55xx Series Wireless LAN Controllers
  – 7500—75xx Series Wireless LAN Controllers
  – WiSM—WiSM (slot number, port number)
  – WiSM2—WiSM2 (slot number, port number)
• Location—Indicates the location of the controller.
• Software Version—The operating system release.version.dot.maintenance number of the code currently running on the controller.
• Mobility Group Name—Name of the mobility or WPS group.
• Reachability Status—Reachable or not reachable.

Note Reachability status is updated based on the last execution of the Device Status background task. To update the current status, choose Administration > Background Tasks, and choose Execute Now from the Select a command drop-down list.

• Audit Status
  – Not Available—No audit has occurred on this controller.
  – Identical—No configuration differences were discovered.
  – Mismatch—Configuration differences were discovered.
  Click the Audit Status link to access the audit report. In the Audit Report page, choose Audit Now from the Select a command drop-down list to run a new audit for this controller. See “Understanding the Controller Audit Report, page 9-3” for more information on audit reports.

Note Audit status is updated based on the last execution of either the Configuration Sync background task or the Audit Now option in the Controllers page. To get the current status, either choose Administration > Background Tasks and choose Execute Now, or choose Audit Now from the Select a command drop-down list.

Note Use the Search feature to search for a specific controller. See the “Using the Search Feature” section on page 2-33 for more information.
This section contains the following topics:

• Understanding the Controller Audit Report, page 9-3
• Adding Controllers, page 9-4
• Bulk Update of Controller Credentials, page 9-7
• Removing Controllers from NCS, page 9-8
• Rebooting Controllers, page 9-8
• Downloading Software to Controllers, page 9-9
• Downloading IDS Signatures, page 9-14
• Downloading a Customized WebAuthentication Bundle to a Controller, page 9-15
• Downloading a Vendor Device Certificate, page 9-16
• Downloading a Vendor CA Certificate, page 9-17
• Saving the Configuration to Flash, page 9-18
• Refreshing the Configuration from the Controller, page 9-18
• Discovering Templates from the Controller, page 9-19
• Updating Credentials in NCS, page 9-19
• Viewing Templates Applied to a Controller, page 9-20
• Using the Audit Now Feature, page 9-20
• Viewing the Latest Network Audit Report, page 9-22

Understanding the Controller Audit Report

The Controller Audit Report displays the following information, depending on the type of audit selected in Administration > Settings > Audit and on which parameters the audit is performed:

• Applied template discrepancies (Template Based Audit only)
• Config group template discrepancies (Template Based Audit only)
• Total enforcements for config groups with background audit enabled (Template Based Audit only)
  – If the total enforcement count is greater than zero, this number appears as a link. Click the link to view a list of the enforcements made from NCS.
• Failed enforcements for config groups with background audit enabled (Template Based Audit only)
  – If the failed enforcement count is greater than zero, this number appears as a link. Click the link to view the failures returned from the device.
• Other NCS discrepancies

Note The controller audit report indicates whether the audit was performed on all parameters or on a selected set of parameters.

Note See the “Configuring an Audit” section on page 15-74 for more in-depth information on the two types of audits and how to manage specific parameters for the audit.

A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a value in the Audit Status column. You can audit a controller by choosing Audit Now from the Select a command drop-down list in the Configure > Controllers page (see the “Using the Audit Now Feature” section on page 9-20 for more information) or by clicking Audit Now in the Controller Audit Report.

Adding Controllers

You can add controllers one at a time or in batches. To add controllers, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 From the Select a command drop-down list, choose Add Controllers, and click Go. The Add Controller page appears (see Figure 9-1).

Figure 9-1 Add Controller Page

Step 3 Choose one of the following:
• To add one controller, or several controllers separated by commas, leave the Add Format Type drop-down list at Device Info.
• To add multiple controllers by importing a CSV file, choose File from the Add Format Type drop-down list. The CSV file allows you to generate your own import file and add the devices you want.

Note When a controller is removed from the system, the associated access points are not removed automatically and therefore remain in the system. These disassociated access points must be removed manually.
Note If you are adding a controller into NCS across a GRE link using IPsec, or across another low-MTU link where packets are fragmented, you may need to adjust the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU values. If they are set too high, the controller may fail to be added into NCS. To adjust them, stop NCS, choose Administration > Settings > SNMP Settings, and edit the Maximum VarBinds per Get PDU and Maximum VarBinds per Set PDU values to 50 or lower.

Note If you reduce the Maximum VarBinds per Get PDU or Maximum VarBinds per Set PDU value, applying configurations to the device might fail.

Step 4 If you chose Device Info, enter the IP address of the controller you want to add. To add multiple controllers, separate the IP addresses with commas.

Note If a partial byte boundary is used and the IP address appears to be a broadcast address (without regard to the partial byte boundary), the controller cannot be added into NCS. For example, 10.0.2.255/23 cannot be added but 10.0.2.254/23 can.

If you chose File, click Browse to find the location of the CSV file you want to import. The first row of the CSV file describes the columns included. The IP Address column is mandatory. The following example shows a sample CSV file.
ip_address,network_mask,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password,snmp_retries,snmp_timeout,protocol,telnet_username,telnet_password,enable_password,telnet_timeout
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
209.165.200.226,255.255.255.224,v2,public,,,,,,3,10,,cisco,cisco,cisco,60
209.165.200.227,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60

The CSV file can contain the following fields:

• ip_address
• network_mask
• snmp_version
• snmp_community
• snmpv3_user_name
• snmpv3_auth_type
• snmpv3_auth_password
• snmpv3_privacy_type
• snmpv3_privacy_password
• snmp_retries
• snmp_timeout
• protocol
• telnet_username
• telnet_password
• enable_password
• telnet_timeout

Note The file holds SNMP community strings, SNMPv3 passwords, and CLI passwords in cleartext. Protect it accordingly and delete it after the import.

Step 5 Select the Verify Telnet/SSH Credentials check box if you want NCS to verify the Telnet/SSH credentials of this controller. You may want to leave this unselected (disabled) because of the substantial time it takes for discovery of the devices.
Step 6 Use the Version drop-down list to choose v1, v2, or v3.
Step 7 In the Retries parameter, enter the number of times that attempts are made to discover the controller.
Step 8 In the Timeout parameter, enter the SNMP timeout value in seconds.
Step 9 In the Community parameter, enter the SNMP community string, for example public or private (for v1 and v2 only). SNMP v1 and v2 send the community string in cleartext, so prefer v3 with authentication and privacy where the controller supports it.

Note If you go back and later change the community mode, you must perform a refresh config for that controller.

Step 10 Choose None, HMAC-SHA, or HMAC-MD5 (for v3 only) for the authentication type.
Step 11 Enter the authentication password (for v3 only).
Step 12 Choose None, CBC-DES, or CFB-AES-128 (for v3 only) for the privacy type.
Step 13 Enter the privacy password (for v3 only).
Step 14 Enter the Telnet credentials information for the controller. If you chose the File option and added multiple controllers, the information applies to all specified controllers. If you added controllers from a CSV file, the username and password information is obtained from the CSV file.

Note The Telnet/SSH username must have sufficient privileges to execute commands in CLI templates. The default username and password is admin.

Step 15 Enter the retries and timeout values. The default number of retries is 3, and the default retry timeout is 1 minute.
Step 16 Click OK.

Note If you fail to add a device to NCS and the error message ‘Sparse table not supported’ occurs, verify that the NCS and WLC versions are compatible and retry. For information on compatible versions, see http://www.cisco.com/en/US/docs/wireless/controller/4400/tech_notes/Wireless_Software_Compatibility_Matrix.html.

Note When a controller is added to NCS, NCS acts as a trap receiver and the following traps are enabled on the controller: 802.11 Disassociation, 802.11 Deauthentication, and 802.11 Authenticated.

Note To update the credentials of multiple controllers in bulk, choose Bulk Update Controllers from the Select a command drop-down list. The Bulk Update Controllers page appears, where you can choose a CSV file. The CSV file contains a list of controllers to be updated, one controller per line. Each line is a comma-separated list of controller attributes. The first line describes the attributes included. The IP address attribute is mandatory. For details, see the following section.

Bulk Update of Controller Credentials

You can update the credentials of multiple controllers by importing a CSV file. To update controller information in bulk, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check boxes of the applicable controllers.
Step 3 From the Select a command drop-down list, choose Bulk Update Controller. The Bulk Update Controller page appears.
Step 4 Click Choose File to select a CSV file, and then find the location of the CSV file you want to import.
Step 5 Click Update and Sync.

Sample CSV File for the Bulk Update of Controller Credentials

The first row of the CSV file describes the columns included. The IP Address column is mandatory. The following example shows a sample CSV file.

ip_address,network_mask,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password,snmp_retries,snmp_timeout,protocol,telnet_username,telnet_password,enable_password,telnet_timeout
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
209.165.200.226,255.255.255.224,v2,public,,,,,,3,10,,cisco,cisco,cisco,60
209.165.200.227,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60

The CSV file can contain the following fields:

• ip_address
• network_mask
• snmp_version
• snmp_community
• snmpv3_user_name
• snmpv3_auth_type
• snmpv3_auth_password
• snmpv3_privacy_type
• snmpv3_privacy_password
• snmp_retries
• snmp_timeout
• protocol
• telnet_username
• telnet_password
• enable_password
• telnet_timeout

Removing Controllers from NCS

To remove a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check boxes of the applicable controllers.
Step 3 From the Select a command drop-down list, choose Remove Controllers.
Step 4 Click Go.
Step 5 Click OK in the pop-up dialog box to confirm the deletion.

Note When a controller is removed from the system, the associated access points are not removed automatically and, therefore, remain in the system.
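The import file shown above for Adding Controllers and for Bulk Update of Controller Credentials carries SNMP community strings and CLI passwords in cleartext, and the guide's sample rows use SNMP v2 with the public community and Telnet with cisco/cisco. The following script is an added example, not part of this guide or of NCS: it parses that CSV layout, enforces the mandatory ip_address column, reproduces the broadcast-address limitation noted under Step 4 of Adding Controllers (10.0.2.255/23 refused, 10.0.2.254/23 accepted), and flags the credential choices a reviewer would want changed before the file is imported. The severity levels, the list of "default" secrets, and the sample rows are the example's own assumptions.

```python
"""Pre-import check for the NCS controller CSV (Add Controllers / Bulk Update).
Added example, not Cisco NCS code: column names follow the guide; findings,
severity levels and the list of default secrets are this example's assumptions."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Column set documented for the import file; only ip_address is mandatory.
COLUMNS = [
    "ip_address", "network_mask", "snmp_version", "snmp_community",
    "snmpv3_user_name", "snmpv3_auth_type", "snmpv3_auth_password",
    "snmpv3_privacy_type", "snmpv3_privacy_password", "snmp_retries",
    "snmp_timeout", "protocol", "telnet_username", "telnet_password",
    "enable_password", "telnet_timeout",
]
DEFAULT_COMMUNITIES = {"public", "private"}   # assumed vendor defaults
DEFAULT_CLI_PASSWORDS = {"cisco", "admin"}    # the guide's sample/default values

# Constructed sample: the guide's first two rows plus two SNMPv3 rows that
# exercise the broadcast limitation (10.0.2.255/23 refused, 10.0.2.254/23 accepted).
SAMPLE_CSV = """\
ip_address,network_mask,snmp_version,snmp_community,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password,snmp_retries,snmp_timeout,protocol,telnet_username,telnet_password,enable_password,telnet_timeout
209.165.200.225,255.255.255.224,v2,public,,,,,,3,10,telnet,cisco,cisco,cisco,60
209.165.200.226,255.255.255.224,v2,public,,,,,,3,10,,cisco,cisco,cisco,60
10.0.2.255,255.255.254.0,v3,,ncsuser,HMAC-SHA,Str0ngAuth!,None,,3,10,ssh,ops,S3cr3t!,S3cr3t!,60
10.0.2.254,255.255.254.0,v3,,ncsuser,HMAC-SHA,Str0ngAuth!,CFB-AES-128,Str0ngPriv!,3,10,ssh,ops,S3cr3t!,S3cr3t!,60
"""


@dataclass
class Finding:
    row: int       # 1-based data row; the header row is not counted
    level: str     # "error": NCS refuses the row; "warn": security review item
    message: str


def parse_controller_csv(text):
    """The first row names the columns; ip_address must be among them."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    if "ip_address" not in header:
        raise ValueError("ip_address column is mandatory")
    unknown = [c for c in header if c not in COLUMNS]
    if unknown:
        raise ValueError(f"unknown columns: {unknown}")
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def looks_like_broadcast(ip, mask):
    """The guide's limitation: the address is judged on the next byte boundary,
    ignoring a partial-byte mask, so 10.0.2.255/23 is refused, 10.0.2.254/23 is not."""
    if not mask:
        return False
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    rounded = min(32, -(-prefix // 8) * 8)    # round the prefix up to a byte boundary
    if rounded >= 31:                          # host routes have no broadcast address
        return False
    net = ipaddress.ip_network(f"{ip}/{rounded}", strict=False)
    return ipaddress.ip_address(ip) == net.broadcast_address


def check_row(i, row):
    out = []
    ip, mask = row.get("ip_address", ""), row.get("network_mask", "")
    try:
        ipaddress.ip_address(ip)
        if looks_like_broadcast(ip, mask):
            out.append(Finding(i, "error", f"{ip}/{mask} reads as a broadcast address and cannot be added"))
    except ValueError as exc:
        return [Finding(i, "error", f"bad address or mask: {exc}")]
    ver = row.get("snmp_version", "").lower()
    if ver in ("v1", "v2"):
        out.append(Finding(i, "warn", f"SNMP {ver}: community string crosses the network in cleartext"))
        if row.get("snmp_community", "").lower() in DEFAULT_COMMUNITIES:
            out.append(Finding(i, "warn", "default SNMP community string"))
    elif ver == "v3":
        auth = row.get("snmpv3_auth_type", "")
        if auth.lower() in ("", "none"):
            out.append(Finding(i, "warn", "SNMPv3 without authentication"))
        elif auth.upper() == "HMAC-MD5":
            out.append(Finding(i, "warn", "SNMPv3 HMAC-MD5 authentication; prefer HMAC-SHA"))
        if row.get("snmpv3_privacy_type", "").lower() in ("", "none"):
            out.append(Finding(i, "warn", "SNMPv3 without privacy: management traffic is not encrypted"))
    else:
        out.append(Finding(i, "error", f"snmp_version must be v1, v2 or v3, got {ver!r}"))
    proto = row.get("protocol", "").lower()
    if proto == "telnet":
        out.append(Finding(i, "warn", "CLI access over Telnet sends credentials in cleartext; use ssh"))
    elif proto == "":
        out.append(Finding(i, "warn", "protocol left blank; confirm which CLI protocol NCS will use"))
    for field in ("telnet_password", "enable_password"):
        if row.get(field, "").lower() in DEFAULT_CLI_PASSWORDS:
            out.append(Finding(i, "warn", f"default {field}"))
    return out


def validate_controller_csv(text):
    """All findings for the file; a repeated ip_address is an error (one row per controller)."""
    findings, seen = [], {}
    for i, row in enumerate(parse_controller_csv(text), start=1):
        ip = row.get("ip_address", "")
        if ip in seen:
            findings.append(Finding(i, "error", f"duplicate ip_address {ip} (first seen in row {seen[ip]})"))
        seen.setdefault(ip, i)
        findings.extend(check_row(i, row))
    return findings


def summary(findings):
    return {"errors": sum(f.level == "error" for f in findings),
            "warnings": sum(f.level == "warn" for f in findings)}


if __name__ == "__main__":
    for f in validate_controller_csv(SAMPLE_CSV):
        print(f"row {f.row}: {f.level}: {f.message}")
```

Run it against the real file before choosing it in the Add Controller or Bulk Update Controller page: rows with an error will not import, and each warning names a credential setting worth changing on the controller before NCS records it. The byte-boundary rounding in looks_like_broadcast is a model of the limitation as the guide describes it by example, not of the NCS implementation.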
These disassociated access points (left behind by a removed controller) must be removed manually.

Rebooting Controllers

To reboot a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check boxes of the applicable controllers.
Step 3 From the Select a command drop-down list, choose Reboot Controllers.
Step 4 Click Go. The Reboot Controllers page appears (see Figure 9-2).

Note Save the current controller configuration prior to rebooting.

Figure 9-2 Reboot Controllers Page

Step 5 Select the Reboot Controller options that must be applied.

• Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.
• Reboot APs—Select the check box to reboot the access points after making any other updates.
• Swap AP Image—Indicates whether or not to reboot controllers and APs by swapping AP images. This can be either Yes or No.

Note The remaining options are disabled unless the Reboot APs check box is selected.

Step 6 Click OK to reboot the controller with the optional configuration selected.

Downloading Software to Controllers

Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for uploading and downloading files to and from NCS. In previous software releases, only TFTP was supported. Neither protocol encrypts the transfer, and FTP sends its username and password in cleartext, so keep these transfers on the management network.

This section contains the following topics:

• Download Software (FTP), page 9-9
• Download Software (TFTP), page 9-11
• Configure IPaddr Upload Configuration/Logs from Controller, page 9-13

Download Software (FTP)

To download software to a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check boxes of the applicable controllers.
Step 3 From the Select a command drop-down list, choose Download Software (FTP).
Step 4 Click Go.

Note Software can also be downloaded by choosing Configure > Controllers > IPaddr > System > Commands > Upload/Download Commands > Download Software.

The IP address of the controller and its current status appear in the Download Software to Controller page.

Step 5 Select the download type.

Note The pre-download option is displayed only when all selected controllers are running version 7.0.x.x or later.

• Now—Executes the download software operation immediately. If you select this option, proceed with Step 7.

Note After the download is successful, reboot the controllers to enable the new software.

• Scheduled—Specify the scheduled download options.
  – Schedule download to controller—Select this check box to schedule the software download to the controller.
  – Pre-download software to APs—Select this check box to schedule the software pre-download to APs. The APs download the image and then reboot when the controller reboots.

Note To see the image pre-download status per AP, enable the task in the Administration > Background Task > AP Image Predownload Task page, and run an AP Image Predownload report from the Report Launch Pad.

Step 6 If you selected the Scheduled option under Download type, enter the Schedule Details.

• Task Name—Enter a scheduled task name to identify this scheduled software download task.
• Reboot Type—Indicates whether the reboot type is manual, automatic, or scheduled.

Note Reboot Type Automatic can be set only when Download software to controller is the only option selected.

• Download date/time—Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date. Choose the time from the hours and minutes drop-down lists.
• Reboot date/time—This option appears only if you select the reboot type as “Scheduled”.
Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date to reboot the controller. Choose the time from the hours and minutes drop-down lists.

Note Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can complete the software pre-download.

Note If any AP is in the pre-download progress state at the time of the scheduled reboot, the controller will not reboot. In such a case, wait for the pre-download to finish for all the APs and reboot the controller manually.

• Notification (Optional)—Enter the e-mail address of the recipient to send notifications via e-mail.

Note To receive e-mail notifications, configure the NCS mail server in the Administration > Settings > Mail Server Configuration page.

Step 7 Enter the FTP credentials including username, password, and port.
Step 8 In the File is located on parameter, click either Local machine or FTP Server.

Note If you choose FTP Server, choose Default Server or New from the Server Name drop-down list.

Note The software files are uploaded to the FTP directory specified during the install.

Step 9 Specify the local file name or click Browse to navigate to the appropriate file.

Note If you chose FTP Server previously, specify the server filename.

Step 10 Click Download.

Note If the transfer times out for some reason, you can choose the FTP server option in the File is located on parameter; the server filename is populated and the transfer is retried.

Download Software (TFTP)

To download software to a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 In the Select a command drop-down list, choose Download Software (TFTP).
Step 4 Click Go.
Note Software can also be downloaded from Configure > Controllers > IPaddr > System > Commands > Upload/Download Commands > Download Software.

The IP address of the controller and its current status are displayed in the Download Software to Controller page.

Step 5 Select the download type.

Note The pre-download option is displayed only when all selected controllers are running version 7.0.x.x or later.

• Now—Executes the download software operation immediately. If you select this option, proceed with Step 7.

Note After the download is successful, reboot the controllers to enable the new software.

• Scheduled—Specify the scheduled download options.
– Download software to controller—Select this option to schedule the software download to the controller.
– Pre-download software to APs—Select this option to schedule the software pre-download to APs. The APs download the image and then reboot when the controller reboots.

Note To see Image Predownload status per AP, enable the task in the Administration > Background Task > AP Image Predownload Task page, and run an AP Image Predownload report from the Report Launch Pad.

Step 6 If you selected the Scheduled option under Download type, enter the Schedule Details.
• Task Name—Enter a Scheduled Task Name to identify this scheduled software download task.
• Reboot Type—Indicates whether the reboot type is manual, automatic, or scheduled.

Note Reboot Type Automatic can be set only when Download software to controller is the only option selected.

• Download date/time—Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date. Choose the time from the hours and minutes drop-down lists.
• Reboot date/time—This option appears only if you select the reboot type as “Scheduled”.
Enter a date in the provided text box or click the calendar icon to open a calendar from which you can choose a date to reboot the controller. Choose the time from the hours and minutes drop-down lists.

Note Schedule enough time (at least 30 minutes) between Download and Reboot so that all APs can complete the software pre-download.

Note If any AP is in the pre-download progress state at the time of the scheduled reboot, the controller will not reboot. In such a case, wait for the pre-download to finish for all the APs and reboot the controller manually.

• Notification (Optional)—Enter the e-mail address of the recipient to send notifications via e-mail.

Note To receive e-mail notifications, configure the NCS mail server in the Administration > Settings > Mail Server Configuration page.

Step 7 From the File is located on parameter, choose Local machine or TFTP server.

Note If you choose TFTP server, select the Default Server or add a New server using the Server Name drop-down list.

Step 8 In the Maximum Retries parameter, enter the maximum number of tries the controller should attempt to download the software.
Step 9 In the Timeout parameter, enter the maximum amount of time (in seconds) before the controller times out while attempting to download the software.

Note The software files are uploaded to the TFTP directory specified during the install.

Step 10 Specify the local file name or click Browse to navigate to the appropriate file.

Note If you selected TFTP server previously, specify the Server File Name.

Step 11 Click Download.

Tip If the transfer times out for some reason, you can choose the TFTP server option in the File is located on parameter; the Server File Name is populated and the transfer is retried.
Configure IPaddr Upload Configuration/Logs from Controller

To upload files from the controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click an IP address under the IP address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 Select the FTP or TFTP radio button.

Note Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for uploading and downloading files to and from NCS. In previous software releases, only TFTP was supported.

Step 5 From the Upload/Download Commands drop-down list, choose Upload File from Controller.
Step 6 Click Go to access this page.
• FTP Credentials Information—Enter the FTP username, password, and port if you selected the FTP radio button previously.
• TFTP or FTP Server Information:
– Server Name—From the drop-down list, choose Default Server or New.
– IP Address—IP address of the controller. This is automatically populated if the default server is selected.
– File Type—Select from configuration, event log, message log, trap log, crash file, signature files, or PAC.
– Upload to File—Enter the filename under /(root)/NCS-tftp/ or /(root)/NCS-ftp/ to upload to.
– Select whether or not Cisco NCS saves before backing up the configuration.

Note The Cisco NCS uses an integral TFTP and FTP server. This means that third-party TFTP and FTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party servers use the same communication port.

Step 7 Click OK. The selected file is uploaded to your TFTP or FTP server and named what you entered in the File Name text box.

Downloading IDS Signatures

To download Intrusion Detection System (IDS) signature files to a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 From the Select a command drop-down list, choose Download IDS Signatures.
Step 4 Click Go.

Note IDS signature files can also be downloaded from Configure > Controllers > IPaddr > System > Commands > Upload/Download Commands > Download IDS Signatures.

In the Download IDS Signatures to Controller page, the controller IP address and its current status appear.

Step 5 Copy the signature file (*.sig) to the default directory on your TFTP server.
Step 6 In the File is located on parameter, select the Local machine radio button.

Note If you know the filename and path relative to the server root directory, you can also select the TFTP server radio button.

Step 7 In the Maximum Retries text box, enter the maximum number of tries the controller should attempt to download the signature file.
Step 8 In the Timeout text box, enter the maximum amount of time (in seconds) before the controller times out while attempting to download the signature file.

Note The signature files are uploaded to the c:\tftp directory.

Step 9 Specify the local file name or click Browse to navigate to the appropriate file. The controller uses this local file name as a base name and adds _custom.sgi as a suffix.

Note If you chose TFTP server previously, specify the server file name.

Step 10 Click Download.

Tip If the transfer times out for some reason, you can choose the TFTP server option in the File is located on parameter; the server file name is populated and the transfer is retried.

Note The local machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to the NCS's own built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the NCS server TFTP directory, and the download web page automatically populates the filename.
Downloading a Customized WebAuthentication Bundle to a Controller

To download a customized web authentication bundle to a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box(es) of the applicable controller(s).
Step 3 From the Select a command drop-down list, choose Download Customized WebAuth.
Step 4 Click Go.

Note A customized web authentication bundle can also be downloaded from Configure > Controllers > IPaddr > System > Commands > Upload/Download Commands > Download Customized Web Auth.

In the Download Customized WebAuth bundle to Controller page, the controller IP address and its current status appear.

Step 5 Select the Local machine radio button in the File is located on parameter.

Note If you know the file name and path relative to the server root directory, you can also select the TFTP server radio button.

Note For a local machine download, both .zip and .tar file options exist, but the NCS converts .zip to .tar automatically. If you choose a TFTP server download, only .tar files can be specified.

Step 6 In the Maximum Retries text box, enter the maximum number of tries the controller should attempt to download the file.
Step 7 In the Timeout text box, enter the maximum amount of time (in seconds) before the controller times out while attempting to download the file.

Note The NCS Server Files In parameter specifies where the NCS server files are located.

Step 8 Specify the local file name or click Browse to navigate to the appropriate file. The controller uses this local file name as a base name and adds _custom.sgi as a suffix.
Step 9 Click Download.

Tip If the transfer times out for some reason, you can select the TFTP server radio button in the File is located on parameter; the server file name is populated and the transfer is retried.
Step 10 The local machine option initiates a two-step operation. First, the local file is copied from the administrator workstation to the NCS's own built-in TFTP server. Then the controller retrieves that file. For later operations, the file is already in the NCS server TFTP directory, and the download web page automatically populates the filename.
Step 11 After completing the download, you are directed to a new page and are able to authenticate.

Downloading a Vendor Device Certificate

Each wireless device (controller, access point, and client) has its own device certificate. If you wish to use your own vendor-specific device certificate, it must be downloaded to the controller.

To download a vendor device certificate to a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 You can download the certificate in one of two ways:
a. Select the check box(es) of the applicable controller(s).
b. From the Select a command drop-down list, choose Download Vendor Device Certificate.
c. Click Go.
or
a. Click the IP address of the desired controller.
b. Choose System > Commands from the left sidebar menu.
c. From the Upload/Download Commands drop-down list, choose Download Vendor Device Certificate.
d. Click Go.
Step 3 In the Certificate Password text box, enter the password used to protect the certificate.
Step 4 Re-enter the password in the Confirm Password text box.
Step 5 In the File is located on parameter, select the Local machine or TFTP server radio button.

Note If the certificate is located on the TFTP server, enter the Server File Name. If it is located on the local machine, enter the local file name by clicking Browse.

Step 6 Enter the TFTP server name in the Server Name parameter. The default is the NCS server.
Step 7 Enter the server IP address.
Step 8 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 9 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 10 In the Local File Name text box, enter the directory path of the certificate.
Step 11 In the Server File Name text box, enter the name of the certificate.
Step 12 Click Download.

Downloading a Vendor CA Certificate

Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific CA certificate, it must be downloaded to the controller.

To download a vendor CA certificate to the controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 You can download the certificate in one of two ways:
a. Select the check box(es) of the applicable controller(s).
b. From the Select a command drop-down list, choose Download Vendor CA Certificate.
c. Click Go.
or
a. Click the IP address of the desired controller.
b. Choose System > Commands from the left sidebar menu.
c. From the Upload/Download Commands drop-down list, choose Download Vendor CA Certificate.
d. Click Go.
Step 3 In the File is located on parameter, select the Local machine or TFTP server radio button.

Note If the certificate is located on the TFTP server, enter the server file name. If it is located on the local machine, enter the local file name by clicking the Browse button.

Step 4 Enter the TFTP server name in the Server Name text box. The default is the NCS server.
Step 5 Enter the server IP address.
Step 6 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 7 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 8 In the Local File Name text box, enter the directory path of the certificate.
Step 9 In the Server File Name text box, enter the name of the certificate.
Step 10 Click OK.

Saving the Configuration to Flash

To save the configuration to flash memory, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box(es) for the applicable controller(s).
Step 3 From the Select a command drop-down list, choose Save Config to Flash.
Step 4 Click Go.

Refreshing the Configuration from the Controller

To refresh the configuration from the controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box(es) for the applicable controller(s).
Step 3 From the Select a command drop-down list, choose Refresh Config from Controller.
Step 4 Click Go.
Step 5 At the Configuration Change prompt, select the Retain or Delete radio button.
Step 6 Click Go.

Discovering Templates from the Controller

Prior to software release 5.1, templates were detected when a controller was detected, and every configuration found on NCS for a controller had an associated template. Now templates are not automatically detected with controller discovery, and you can specify which NCS configurations you want to have associated templates.

Note The templates that are discovered do not retrieve management or local user passwords.

The following rules apply for template discovery:
• Template Discovery discovers templates that are not found in NCS.
• Existing templates are not discovered.
To discover current templates, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box of the controller for which you want to discover templates.
Step 3 From the Select a command drop-down list, choose Discover Templates from Controller.
Step 4 Click Go. The Discover Templates page displays the number of discovered templates, each template type, and each template name.

Note You can select the Enabling this option will create association between discovered templates and the device listed above check box so that discovered templates are associated with the configuration on the device and are shown as applied on that controller.

Note Template discovery refreshes the configuration from the controller prior to discovering templates. Click OK in the warning dialog box to continue with the discovery.

Updating Credentials in NCS

To update SNMP/Telnet credential details in NCS for multiple controllers, there is no configuration available. To perform this mass update, you need to go to each device and update the SNMP and Telnet credentials.

To update the SNMP/Telnet credentials, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box for each controller for which you want to update SNMP/Telnet credentials.
Step 3 From the Select a command drop-down list, choose Update Credentials in NCS. The Update Credentials in NCS page appears.
Step 4 Select the SNMP Parameters check box and specify the following parameters:

Note SNMP write access parameters are needed for modifying controller configuration. With read-only access parameters, configuration can only be displayed.

• Version—Choose from v1, v2, or v3.
• Retries—Indicates the number of controller discovery attempts.
• Timeout—Indicates the amount of time (in seconds) allowed before the process times out. The valid range is 2 to 90 seconds.
The default is 2 seconds.
• Community—Public or Private.
• Verify SNMP Credentials—Select this check box to verify SNMP credentials.
Step 5 Select the Telnet/SSH Parameters check box and specify the following parameters:
• User Name—Enter the user name.
• Password/Confirm Password—Enter and confirm the password.
• Timeout—Indicates the amount of time (in seconds) allowed before the process times out. The valid range is 2 to 90 seconds. The default is 60 seconds.

Viewing Templates Applied to a Controller

You can view all templates currently applied to a specific controller.

Note Only templates applied in this partition are displayed.

To view applied templates, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box for the applicable controller.
Step 3 From the Select a command drop-down list, choose Templates Applied to a Controller.
Step 4 Click Go. The Templates Applied to a Controller page displays each applied template name, template type, the date the template was last saved, and the date the template was last applied.

Note Click the template name link to view the template details. See “Using Templates” for more information.

Using the Audit Now Feature

You can audit a controller by choosing Audit Now from the Select a command drop-down list in the Configure > Controllers page or by choosing Audit Now directly from the Select a command drop-down list.

Note A current Controller Audit Report can be accessed in the Configure > Controllers page by clicking a value in the Audit Status column.

To audit a controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box for the applicable controller.
Step 3 From the Select a command drop-down list, choose Audit Now.
Step 4 Click Go.
Step 5 Click OK in the pop-up dialog box if you want to remove the template associations from configuration objects in the database as well as template associations for this controller from associated config groups (template-based audit only).

The Audit Report displays:
• Device Name
• Time of Audit
• Audit Status
• Applied and Config Group Template Discrepancies information including:
– Template type (template name)
– Template application method
– Audit status (for example, mismatch, identical)
– Template attribute
– Value in NCS
– Value in Controller
• Other NCS Discrepancies including:
– Configuration type (name)
– Audit Status (for example, mismatch, identical)
– Attribute
– Value in NCS
– Value in Controller
• Total enforcements for config groups with background audit enabled—If discrepancies are found during the audit in regard to the config groups enabled for background audit and if enforcement is enabled, this section lists the enforcements made during the controller audit. Choose Config Groups > General for more information on enabling the background audit.
• Failed Enforcements for Config Groups with background audit enabled—Click the link to view a list of failure details (including the reason for the failure) returned by the device. See “Config Groups > General” for more information on enabling the background audit (ConfigAuditSet).
• Restore NCS Values to Controller or Refresh Config from Controller—If config differences are found as a result of the audit, you can click either Restore NCS Values to Controller or Refresh Config from Controller to bring the NCS configuration in sync with the controller.
– Choose Restore NCS Values to Controller to push the NCS values for the discrepancies to the device.
– Choose Refresh Config from Controller to pick up this configuration from the device.
Note Templates are not refreshed as a result of clicking Refresh Config from Controller.

Viewing the Latest Network Audit Report

The Network Audit Report shows the time of the audit, the IP address of the selected controller, and the synchronization status.

Note This method shows the report from the network audit task and not an on-demand audit per controller.

To view the latest network audit report for the selected controllers, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Select the check box for the applicable controller.
Step 3 From the Select a command drop-down list, choose View Latest Network Configuration Audit Report.
Step 4 Click Go. The Audit Summary displays the time of the audit, the IP address of the selected controller, and the audit status. The Audit Details display the config differences, if applicable.

Note Use the General and Schedule tabs to revise Audit Report parameters. See the “Configuration Audit Report” section for more information.

Command Buttons
• Save—Click to save changes made to the current parameters.
• Save and Run—Click to save the changes to the current parameters and run the report.
• Run Now—Click to run the audit report based on existing parameters.
• Export Now—Click to export the report results. The supported export formats are PDF and CSV.
• Cancel—Click to cancel any changes made to the existing parameters.

Note From the All Controllers page, click the Audit Status column value to view the latest audit details page for the selected controller. This method provides similar information to the Network Audit report on the Reports menu, but this report is interactive and per controller.

Note To run an on-demand audit report, choose the controller on which you want to run the report and choose Audit Now from the Select a command drop-down list.
If you run an on-demand audit report and configuration differences are detected, you are given the option to retain the existing controller or NCS values.

Configuring Existing Controllers

This section contains the following topics:
• Viewing Controllers Properties, page 9-23
• Configuring Controller System Parameters, page 9-25
• Configuring Controller WLANs, page 9-64
• Configuring Hybrid REAP Parameters, page 9-79
• Configuring Security Parameters, page 9-81
• Configuring Cisco Access Points, page 9-110
• Configuring 802.11 Parameters, page 9-112
• Configuring 802.11a/n Parameters, page 9-117
• Configuring 802.11b/g/n Parameters, page 9-129
• Configuring Mesh Parameters, page 9-139
• Configuring Port Parameters, page 9-142
• Configuring Controllers Management Parameters, page 9-143
• Configuring Location Configurations, page 9-149

Viewing Controllers Properties

To view the properties for current controllers, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose Properties > Settings. The following parameters appear:
• General Parameters:
– Name—Name assigned to the controller.
– Type—Controller type.
– Restore on Cold Start Trap—Select to enable a restore on a cold start trap.
– Auto Refresh on Save Config Trap—Select to enable an automatic refresh on a Save Config trap.
– Trap Destination Port—Read-only.
– Software Version—Read-only.
– Location—Location of the controller.
– Contact—The contact person for this controller.
– Most Recent Backup—The date and time of the most recent backup.
– Save Before Backup—Select to enable a save before backup.
• SNMP Parameters:

Note SNMP write access parameters are needed for modifying controller configuration. With read-only access parameters, configuration can only be displayed.
– Version—Choose from v1, v2, or v3.
– Retries—Indicates the number of controller discovery attempts.
– Timeout (seconds)—Client Session timeout. Sets the maximum amount of time allowed to a client before it is forced to reauthenticate.
– Community—Public or Private.
– Access Mode—Read Write.

Note Community settings only apply to v1 and v2.

– User Name—Enter a username.
– Auth. Type—Choose an authentication type from the drop-down list or choose None.
– Auth. Password—Enter an authentication password.
– Privacy Type—Choose a privacy type from the drop-down list or choose None.
– Privacy Password—Enter a privacy password.

Note User Name, Auth. Type, Auth. Password, Privacy Type, and Privacy Password only display for v3.

• Telnet/SSH Parameters:
– User Name—Enter the user name. (Default username is admin.)

Note The Telnet/SSH username must have sufficient privileges to execute commands in CLI templates.

– Password/Confirm Password—Enter and confirm the password. (Default password is admin.)
– Retries—Indicates the number of allowed retry attempts. The default is three.
– Timeout—Indicates the amount of time (in seconds) allowed before the process times out. The default is 60 seconds.

Note Default values are used if the Telnet/SSH parameters are left blank.

Step 4 If you made changes to these controller properties, click OK to confirm the changes, Reset to return to the previous or default settings, or Cancel to return to the Configure > Controllers page without making any changes to these settings.
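The SNMP and Telnet/SSH parameters listed above (and in Updating Credentials in NCS) are the credentials NCS uses to read and, with write access, change controller configuration. As an added example that is not part of the guide, the following Python checks a set of such credential records for the weak settings the parameter descriptions make possible: v1/v2 community strings (which travel in clear text and may be the well-known Public/Private defaults) with Read Write access, SNMPv3 with Auth. Type or Privacy Type set to None, Telnet instead of SSH, and CLI credentials left at or falling back to the default admin/admin. The dataclass names, field values and sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Defaults named in the guide: SNMP Community "Public" or "Private", and the
# Telnet/SSH username/password "admin"/"admin" (also used when the fields are left blank).
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_CLI_USER = "admin"
DEFAULT_CLI_PASSWORD = "admin"


@dataclass
class SnmpParams:
    version: str                      # "v1", "v2", or "v3"
    community: Optional[str] = None   # v1/v2 only
    access_mode: str = "Read Write"   # write access is needed to modify controller config
    user_name: Optional[str] = None   # v3 only
    auth_type: Optional[str] = None   # v3: authentication type, or None
    priv_type: Optional[str] = None   # v3: privacy (encryption) type, or None


@dataclass
class CliParams:
    protocol: str          # "SSH" or "Telnet"
    user_name: str = ""    # blank means the NCS default (admin) is used
    password: str = ""     # blank means the NCS default (admin) is used


def check_snmp(p: SnmpParams) -> List[str]:
    """Return findings for one controller's SNMP credential record."""
    findings: List[str] = []
    if p.version in ("v1", "v2"):
        findings.append(f"SNMP {p.version}: the community string travels in clear text and is the only secret")
        if (p.community or "").lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{p.community}' is a well-known default")
        if p.access_mode == "Read Write":
            findings.append("Read Write access over v1/v2: anyone holding the community string can change the controller configuration")
    elif p.version == "v3":
        if not p.user_name:
            findings.append("SNMPv3 record has no user name")
        if not p.auth_type:
            findings.append("SNMPv3 Auth. Type None: requests are not authenticated")
        if not p.priv_type:
            findings.append("SNMPv3 Privacy Type None: requests are not encrypted")
    else:
        findings.append(f"unknown SNMP version '{p.version}'")
    return findings


def check_cli(p: CliParams) -> List[str]:
    """Return findings for one controller's Telnet/SSH credential record."""
    findings: List[str] = []
    if p.protocol.lower() == "telnet":
        findings.append("Telnet: CLI credentials and CLI template commands are sent in clear text")
    # Blank fields fall back to the defaults, so treat them as the defaults.
    user = p.user_name or DEFAULT_CLI_USER
    password = p.password or DEFAULT_CLI_PASSWORD
    if (user, password) == (DEFAULT_CLI_USER, DEFAULT_CLI_PASSWORD):
        findings.append("CLI credentials are the default admin/admin")
    return findings


def audit_controllers(records: Iterable[Tuple[str, SnmpParams, CliParams]]) -> Dict[str, List[str]]:
    """Map controller IP to its findings; controllers with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for ip, snmp, cli in records:
        findings = check_snmp(snmp) + check_cli(cli)
        if findings:
            report[ip] = findings
    return report


if __name__ == "__main__":
    # Constructed sample records, not taken from a real NCS deployment.
    sample = [
        ("192.0.2.10", SnmpParams("v2", community="private"), CliParams("Telnet")),
        ("192.0.2.11",
         SnmpParams("v3", user_name="ncs", auth_type="HMAC-SHA", priv_type="CFB-AES-128"),
         CliParams("SSH", "ncs-ops", "correct horse battery")),
    ]
    for ip, items in audit_controllers(sample).items():
        print(ip)
        for item in items:
            print("  -", item)
```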
Configuring Controller System Parameters

This section describes how to configure the controller system parameters and includes the following topics:
• Managing General System Properties for Controllers, page 9-25
• Configuring Controller System Commands, page 9-31
• Configuring Controller System Interfaces, page 9-38
• Configuring Controller System Interface Groups, page 9-41
• Configuring Controller Network Routes, page 9-49
• Configuring Controller Spanning Tree Protocol Parameters, page 9-50
• Configuring Controller Mobility Groups, page 9-50
• Configuring Controller Network Time Protocol, page 9-53
• Configuring Controller QoS Profiles, page 9-56
• Configuring Controller DHCP Scopes, page 9-56
• Configuring Controller User Roles, page 9-57
• Configuring a Global Access Point Password, page 9-59
• Configuring AP 802.1X Supplicant Credentials
• Configuring Controller DHCP, page 9-61
• Configuring Controller Multicast Mode, page 9-62
• Configuring Access Point Timer Settings, page 9-63

Managing General System Properties for Controllers

To view the general system parameters for a current controller, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > General. The following parameters appear:
• 802.3x Flow Control Mode—Disable or enable. See the “802.3x Flow Control” section on page 9-29 for more information.
• 802.3 Bridging—Disable or enable. See the “Configuring 802.3 Bridging” section on page 9-29 for more information.
• Web Radius Authentication—Choose PAP, CHAP, or MD5-CHAP.
– PAP—Password Authentication Protocol. Authentication method where user information (username and password) is transmitted in clear text.
– CHAP—Challenge Handshake Authentication Protocol.
Authentication method where user information is encrypted for transmission.
– MD5-CHAP—Message Digest 5 Challenge Handshake Authentication Protocol. With MD5, passwords are hashed using the Message Digest 5 algorithm.
• AP Primary Discovery Timeout—Enter a value between 30 and 3600 seconds. The access point maintains a list of backup controllers and periodically sends primary discovery requests to each entry in the list. When configured, the primary discovery request timer specifies the amount of time that a controller has to respond to the discovery request of the access point before the access point assumes that the controller cannot be joined and waits for a discovery response from the next controller in the list.
• CAPWAP Transport Mode—Layer 3 or Layer 2. See “Lightweight Access Point Protocol Transport Mode, page 9-29” for more information.
• Current LWAPP Operating Mode—Automatically populated.
• Broadcast Forwarding—Disable or enable.
• LAG Mode—Choose Disable if you want to disable LAG. Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.

Note LAG is disabled by default on the Cisco 5500 and 4400 series controllers but enabled by default on the Cisco WiSM and the controller in the Catalyst 3750G Integrated Wireless LAN Controller Switch. See the “Link Aggregation” section on page 9-31 for more information.

• Ethernet Multicast Support
– Disable—Select to disable multicast support on the controller.
– Unicast—Select if the controller, upon receiving a multicast packet, forwards the packets to all the associated access points.

Note H-REAP supports only unicast mode.
– Multicast—Select to enable multicast support on the controller. • Aggressive Load Balancing—Disable or enable. See the ““Aggressive Load Balancing” section on page 9-30” for more information on load balancing. • Peer to Peer Blocking Mode – Disable—Same-subnet clients communicate through the controller. – Enable—Same-subnet clients communicate through a higher-level router. • Over Air Provision AP Mode—Disable or enable.9-27 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Over-the-air provisioning (OTAP) is supported by Cisco 5500 and 4400 series controllers. If this feature is enabled on the controller, all associated access points transmit wireless CAPWAP or LWAPP neighbor messages, and new access points receive the controller IP address from these messages. This feature is disabled by default and should remain disabled when all access points are installed. Note Disabling OTAP on the controller does not disable it on the access point. OTAP cannot be disabled on the access point. Note You can find additional information about OTAP at this URL: http://www.ciscosystems.com/en/US/products/ps6366/products_tech_note09186a008093d 74a.shtml • AP Fallback—Disable or enable. Note Enabling AP Fallback causes an access point which lost a primary controller connection to automatically return to service when the primary controller returns. • AP Failover Priority—Disable or enable. Note To configure failover priority settings for access points, you must first enable the AP Failover Priority feature. See the “AP Failover Priority” section on page 9-28 for more information. • AppleTalk Bridging—Disable or enable. • Fast SSID change—Disable or enable. When fast SSID changing is enabled, the controller allows clients to move between SSIDs. 
When the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID. When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID. Note If enabled, the client connects instantly to the controller between SSIDs without having appreciable loss of connectivity. • Master Controller Mode—Disable or enable. Note Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or OS code upgrade. • Wireless Management—Disable or enable. See the “Wireless Management” section on page 9-31 for more information. • Symmetric Tunneling Mode9-28 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers • ACL Counters—Disable or enable. The number of hits are displayed in the ACL Rule page. See the “Configuring Access Control Lists” section on page 9-98 or the “Configure IPaddr > Access Control List > listname Rules” section on page 9-98 for more information. • Multicast Mobility Mode—Disable or enable. See the ““Setting the Mobility Scalability Parameters” section on page 9-52” for more information. • Default Mobility Domain Name—Enter domain name. • Mobility Anchor Group Keep Alive Interval—Enter the amount of delay time allowed between tries for a client attempting to join another access point. See the ““Mobility Anchor Group Keep Alive Interval” section on page 9-31” for more information. Tip When you hover your mouse cursor over the parameter text box, the valid range for that field appears. • Mobility Anchor Group Keep Alive Retries—Enter number of allowable retries. Tip When you hover your mouse cursor over the parameter text box, the valid range for that field appears. • RF Network Name—Enter network name. • User Idle Timeout (seconds)—Enter timeout in seconds. 
• ARP Timeout (seconds)—Enter timeout in seconds. AP Failover Priority When a controller fails, the backup controller configured for the access point suddenly receives a number of Discovery and Join requests. If the controller becomes overloaded, it may reject some of the access points. By assigning failover priority to an access point, you have some control over which access points are rejected. When the backup controller is overloaded, join requests of access points configured with a higher priority levels take precedence over lower-priority access points. To configure failover priority settings for access points, you must first enable the AP Failover Priority feature. To enable the AP Failover Priority feature, follow these steps: Step 1 Choose Configure > Controllers. Step 2 Click the IP address of the applicable controller. Step 3 From the left sidebar menu, choose System > General. Step 4 From the AP Failover Priority drop-down, select Enabled. To configure an access point failover priority, follow these steps: Step 1 Choose Configure > Access Points > .9-29 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Step 2 From the AP Failover Priority drop-down list, choose the applicable priority (Low, Medium, High, Critical). Note The default priority is Low. Configuring 802.3 Bridging The controller supports 802.3 frames and applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller. Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. Only this raw 802.3 frame format is currently supported. To configure 802.3 bridging using NCS release 4.1 or later, follow these steps: Step 1 Choose Configure > Controllers. Step 2 Click the IP address of the applicable controller. 
Step 3 Choose System > General to access the General page. Step 4 From the 802.3 Bridging drop-down list, choose Enable to enable 802.3 bridging on your controller or Disable to disable this feature. The default value is Disable. Step 5 Click Save to confirm your changes. 802.3x Flow Control Flow control is a technique for ensuring that a transmitting entity, such as a modem, does not overwhelm a receiving entity with data. When the buffers on the receiving device are full, a message is sent to the sending device to suspend the transmission until the data in the buffers has been processed. By default, flow control is disabled. You can only enable a Cisco switch to receive PAUSE frames but not to send them. Lightweight Access Point Protocol Transport Mode Lightweight Access Point Protocol transport mode indicates the communications layer between controllers and access points. Selections are Layer 2 or Layer 3. To convert a Cisco Unified Wireless Network Solution from Layer 3 to Layer 2 lightweight access point transport mode using the NCS user interface, follow these steps: Note Cisco IOS-based lightweight access points do not support Layer 2 lightweight access point mode. These access points can only be run with Layer 3. Note This procedure causes your access points to go offline until the controller reboots and the associated access points reassociate to the controller.9-30 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Step 1 Make sure that all controllers and access points are on the same subnet. Note You must configure the controllers and associated access points to operate in Layer 2 mode before completing the conversion. Step 2 Log into the NCS user interface. Then follow these steps to change the lightweight access point transport mode from Layer 3 to Layer 2: a. Choose Configure > Controllers. b. Click the IP address of the applicable controller. c. 
Choose System > General to access the General page. d. Change lightweight access point transport mode to Layer2 and click Save. e. If NCS displays the following message, click OK: Please reboot the system for the CAPWAP Mode change to take effect. Step 3 To restart NCS, follow these steps: a. Choose System > Commands. b. From the Administrative Commands drop-down list, choose Save Config To Flash, and click Go to save the changed configuration to the controller. c. Click OK to continue. d. From the Administrative Commands drop-down list, choose Reboot, and click Go to reboot the controller. e. Click OK to confirm the save and reboot. Step 4 After the controller reboots, follow these steps to verify that the CAPWAP transport mode is now Layer 2: a. Choose Configure> Controllers. b. Click the IP address of the applicable controller. c. Verify that the current CAPWAP transport mode is Layer2 from the general drop-down list. You have completed the CAPWAP transport mode conversion from Layer 3 to Layer 2. The operating system software now controls all communications between controllers and access points on the same subnet. Aggressive Load Balancing In routing, load balancing refers to the capability of a router to distribute traffic over all its network ports that are the same distance from the destination address. Good load-balancing algorithms use both line speed and reliability information. Load balancing increases the use of network segments, thus increasing effective network bandwidth. Aggressive load balancing actively balances the load between the mobile clients and their associated access points.9-31 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Link Aggregation Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG). 
In a 4402 model, two ports are combined to form a LAG whereas in a 4404 model, all four ports are combined to form a LAG. If LAG is enabled on a controller, the following configuration changes occur: • Any dynamic interfaces that you have created are deleted. This is done to prevent configuration inconsistencies in the interface database. • Interfaces cannot be created with the “Dynamic AP Manager” flag set. Note You cannot create more than one LAG on a controller. The advantages of creating a LAG include: • Assurance that, if one of the links goes down, the traffic is moved to the other links in the LAG. As long as one of the physical ports is working, the system remains functional. • No need to configure separate backup ports for each interface. • Multiple AP-manager interfaces are not required because only one logical port is visible to the application. Note When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect. Tip When you hover your mouse over the parameter text box, the valid range for that field appears. Wireless Management Because of IPSec operation, management via wireless is only available to operators logging in across WPA, Static WEP, or VPN Pass Through WLANs. Wireless management is not available to clients attempting to log in via an IPSec WLAN. Mobility Anchor Group Keep Alive Interval Indicate the delay between tries for clients attempting to join another access point. This decreases the time it takes for a client to join another access point following a controller failure because the failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller. Tip When you hover your mouse over the parameter text box, the valid range for that field appears. 
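The admission behaviour described in the AP Failover Priority section above (when the backup controller is overloaded, join requests from higher-priority access points take precedence; the feature must be enabled first; the default priority is Low), modelled as an added example that is not code from the guide or the product. The backup-controller capacity, AP names and arrival order are constructed sample data.

```python
"""Model of backup-controller join admission under AP Failover Priority.

Added example; not code from the Cisco Prime NCS guide or the controller.
It follows the guide's description only: priority order is Low, Medium,
High, Critical; the default is Low; with the feature disabled, priority
is not consulted. Capacity and AP names below are constructed samples.
"""
from dataclasses import dataclass

# Priority levels in the guide's order; a higher rank wins when the backup is overloaded.
PRIORITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass(frozen=True)
class JoinRequest:
    ap_name: str
    priority: str = "Low"   # the guide's default priority
    arrival: int = 0        # order in which the Discovery/Join request arrived


def admit(requests, free_slots, failover_priority_enabled):
    """Return (accepted, rejected) AP name lists for one overload event.

    With the feature disabled every AP is treated alike, so arrival order
    decides which requests fit into the free slots. With it enabled, the
    requests are served in priority order and arrival order only breaks ties.
    """
    for r in requests:
        if r.priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {r.priority!r} for {r.ap_name}")
    if failover_priority_enabled:
        ordered = sorted(requests, key=lambda r: (-PRIORITY_RANK[r.priority], r.arrival))
    else:
        ordered = sorted(requests, key=lambda r: r.arrival)
    accepted = [r.ap_name for r in ordered[:free_slots]]
    rejected = [r.ap_name for r in ordered[free_slots:]]
    return accepted, rejected


# Constructed sample: six APs fail over to a backup controller with room for three.
SAMPLE_REQUESTS = [
    JoinRequest("ap-lobby", "Low", 0),
    JoinRequest("ap-warehouse", "Low", 1),
    JoinRequest("ap-er-triage", "Critical", 2),
    JoinRequest("ap-cafeteria", "Medium", 3),
    JoinRequest("ap-ops-floor", "High", 4),
    JoinRequest("ap-parking", arrival=5),   # no priority configured, so Low
]
FREE_SLOTS = 3

if __name__ == "__main__":
    for enabled in (False, True):
        acc, rej = admit(SAMPLE_REQUESTS, FREE_SLOTS, enabled)
        print(f"AP Failover Priority enabled={enabled}: accepted={acc} rejected={rej}")
```

With the feature left disabled, the Critical and High APs in the sample are rejected simply because they arrived late; enabling it is what makes the per-AP priority setting take effect.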
Configuring Controller System Commands

To view the System Command parameters for current controllers, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > Commands. The following parameters appear:
• Administrative
  – Reboot—This command enables you to confirm the restart of your controller after saving your configuration changes. Open and confirm a new session and log into the controller to avoid losing a system connection.
  – Save Config to Flash—Data is saved to the controller in non-volatile RAM (NVRAM) and is preserved in the event of a power cycle. If the controller is rebooted, all applied changes are lost unless the configuration has been saved.
  – Reset to Factory Default—Choose this command to return the controller to its original settings. See the “Restoring Factory Defaults” section on page 9-33 for more information.
  – Ping From Controller—Send a ping to a network element. This pop-up dialog box allows you to tell the controller to send a ping request to a specified IP address. This is useful for determining whether there is connectivity between the controller and a particular IP station. If you click OK, three pings are sent and the results of the ping are displayed in the pop-up. If a reply to the ping is not received, it shows No Reply Received from IP xxx.xxx.xxx.xxx; otherwise it shows Reply received from IP xxx.xxx.xxx.xxx: (send count =3, receive count = n).
• Configuration
  – Audit Config—See the “Viewing the Latest Network Audit Report” section on page 9-22.
  – Refresh Config From Controller—See the “Refreshing the Configuration from the Controller” section on page 9-18.
  – Restore Config To Controller—Choose this command to restore the configuration from the NCS database to the controller.
  – Set System Time—See the “Setting Controller Time and Date” section on page 9-34.
• Upload/Download Commands
Note Select the FTP or TFTP radio button. Both File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) are supported for uploading and downloading files to and from NCS. In previous software releases, only TFTP was supported.
  – Upload File from Controller—See the “Uploading Configuration/Logs from Controllers” section on page 9-34.
  – Download Config—See the “Downloading Configurations to Controllers” section on page 9-35.
  – Download Software—Choose this command to download software to the selected controller or all controllers in the selected groups after you have a configuration group established. See the “Downloading Software to a Controller” section on page 9-35.
  – Download Web Auth Cert—Choose this command to access the Download Web Auth Certificate to Controller page. See the “Downloading a Web Admin Certificate to a Controller” section on page 9-36.
  – Download Web Admin Cert—Choose this command to access the Download Web Admin Certificate to Controller page. See the “Downloading a Web Admin Certificate to a Controller” section on page 9-36.
  – Download IDS Signatures—Choose this command to download customized signatures to the standard signature file currently on the controller. See the “Downloading Signature Files” section on page 9-106 for more information.
  – Download Customized Web Auth—Choose this command to download a customized Web authentication page to the controller. A customized web page is created to establish a username and password for user web access. See the “Downloading a Customized Web Authentication Bundle to a Controller” section on page 9-15.
  – Download Vendor Device Certificate—Choose this command to download your own vendor-specific device certificate to the controller to replace the current wireless device certificate. See the “Downloading a Vendor Device Certificate” section on page 9-16.
  – Download Vendor CA Certificate—Choose this command to download your own vendor-specific certificate authority (CA) to the controller to replace the current CA. See the “Downloading a Vendor CA Certificate” section on page 9-17.
• RRM Commands
  – RRM 802.11a/n Reset—Resets Remote Radio Management for 802.11a/n Cisco Radios.
  – 802.11b/g/n Reset—Resets Remote Radio Management for 802.11b/g/n Cisco Radios.
  – 802.11a/n Channel Update—Updates the access point dynamic channel algorithm for 802.11a/n Cisco Radios.
  – 802.11b/g/n Channel Update—Updates the access point dynamic channel algorithm for 802.11b/g/n Cisco Radios.
  – 802.11a/n Power Update—Updates the access point dynamic transmit power algorithm for 802.11a/n Cisco Radios.
  – 802.11b/g/n Power Update—Updates the access point dynamic transmit power algorithm for 802.11b/g/n Cisco Radios.

Restoring Factory Defaults

Choose Configure > Controllers, and click an IP address in the IP Address column. From the left sidebar menu, choose System > Commands, and from the Administrative Commands drop-down list, choose Reset to Factory Default, and click Go to access this page.
This command enables you to reset the controller configuration to the factory default. This overwrites all applied and saved configuration parameters. You are prompted for confirmation to re-initialize your controller. All configuration data files are deleted, and upon reboot, the controller is restored to its original non-configured state. This removes all IP configuration, and you will need a serial connection to restore its base configuration.
Note After confirming configuration removal, you must reboot the controller and select the “Reboot Without Saving” option.

Setting Controller Time and Date

Choose Configure > Controllers, and click an IP address under the IP Address column. From the left sidebar menu, choose System > Commands, and from the Configuration Commands drop-down list choose Set System Time, and click Go to access this page.
Use this command to manually set the current time and date on the controller. To use a Network Time Server to set or refresh the current time, see the “Configuring an NTP Server Template” section on page 11-10. The following parameters appear:
• Current Time—Shows the time currently being used by the system.
• Month/Day/Year—Choose the month/day/year from the drop-down list.
• Hour/Minutes/Seconds—Choose the hour/minutes/seconds from the drop-down list.
• Delta (hours)—Enter the positive or negative hour offset from GMT (Greenwich Mean Time).
• Delta (minutes)—Enter the positive or negative minute offset from GMT.
• Daylight Savings—Select to enable Daylight Savings Time.
Command Buttons
• Set Date and Time
• Set Time Zone
• Cancel

Uploading Configuration/Logs from Controllers

To upload files from the controller, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Upload File from Controller.
Step 5 Click Go to access this page. Use this command to upload files from your controller to a local TFTP (Trivial File Transfer Protocol) server. The following parameters appear:
• IP Address—IP address of the controller.
• Status—Upload NOT_INITIATED, or other state.
• Enter the TFTP server name, or New and the new TFTP server name.
• Verify and/or enter the IP address of the TFTP server.
• Select the file type—Configuration file, Event Log, Message Log, Trap Log, Crash File.
• Enter the Upload to File from /(root)/NCS-tftp/ filename.
• Choose whether or not Cisco NCS saves before backing up the configuration.
Step 6 Click OK. The selected file is uploaded to your TFTP server and named what you entered in the File Name text box.
Note The Cisco NCS uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party TFTP servers use the same communication port.

Downloading Configurations to Controllers

To download configuration files, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download Config.
Step 5 Click Go to access this page. Use this command to download and install a configuration file to your controller from a local TFTP (Trivial File Transfer Protocol) server. The following parameters appear:
Note The Cisco NCS uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party TFTP servers use the same communication port.
• IP Address—IP address of the controller.
• Status—Status of the certificate, for example, NOT_INITIATED.
TFTP Servers
• Server Name—Choose Default Server or New from the drop-down list. When you choose New, type in the IP address.
• Server Address—IP address of the server.
• Maximum Retries—How many times to retry if the download fails.
• Timeout—How long to allow between retries.
• File Name—Enter or choose the filename to download by clicking the Browse button.

Downloading Software to a Controller

To download software, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download Software.
Step 5 Click Go to access this page. Use this command to download and install new Operating System software to your controller from a local TFTP (Trivial File Transfer Protocol) server.
Note The Cisco NCS uses an integral TFTP server. This means that third-party TFTP servers cannot run on the same workstation as the Cisco NCS, because the Cisco NCS and the third-party TFTP servers use the same communication port.
• IP Address—IP address of the controller to receive the software.
• Current Software Version—The software version currently running on the controller.
• Status—Status of the software, for example, NOT_INITIATED.
• TFTP Server on Cisco NCS System—Select the check box to enable the built-in Cisco NCS TFTP server.
• Server IP Address—When you have disabled the built-in Cisco NCS TFTP server, the IP address of the TFTP server that sends the software to the controller.
• Maximum Retries—Maximum number of unsuccessful attempts before the download is abandoned.
• Timeout—Maximum number of seconds before the download is abandoned.
• File Name—Enter or select the filename to download using the Browse button.

Downloading a Web Admin Certificate to a Controller

To download a Web Admin Certificate, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download WEB Admin Cert.
Step 5 Click Go to access this page. This page enables you to download a web administration certificate to the controller. The following parameters appear:
Caution Each certificate has a variable-length embedded RSA key. The RSA key length varies from 512 bits, which is relatively insecure, to thousands of bits, which is very secure. When you are obtaining a new certificate from a certificate authority (such as the Microsoft CA), make sure the RSA key embedded in the certificate is at least 768 bits.
• IP Address—IP address of the controller to receive the certificate.
• Status—Status of the certificate, for example, NOT_INITIATED.
TFTP Servers
• Server Name—Use the drop-down list to choose the Default Server or New. When you select New, type in the IP address.
• Server Address—IP address of the server.
• Maximum Retries—Maximum number of times each download operation can be attempted.
• Timeout (seconds)—The amount of time allowed for each download operation.
• File Name—File name of the certificate.
• Password—Password to access the certificate.

Downloading IDS Signatures

To download an IDS Signature, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download IDS Signatures.
Step 5 Click Go to access this page. Use this command to download IDS (Intrusion Detection System) signature files from your controller to a local TFTP (Trivial File Transfer Protocol) server. The following parameters appear:
• IP Address—IP address of the controller.
• Status—Download NOT_INITIATED, TRANSFER_SUCCESSFUL or other state.
Downloading a Customized Web Auth Bundle to a Controller

To download a customized Web authentication page to the controller, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click an IP address in the IP Address column.
Step 3 From the left sidebar menu, choose System > Commands.
Step 4 From the Upload/Download Commands drop-down list, choose Download Customized Web Auth. The following parameters appear:
• IP Address—IP address of the controller to receive the bundle.
• Status—State of download: NOT_INITIATED, TRANSFER_SUCCESSFUL, TRANSFER_FAILED, NOT_RESPONDING.
Before downloading the customized Web authentication bundle, follow these steps:
Step 1 Click the indicated link to download the example login.tar bundle file from the server. The link is the highlighted word “here” near the bottom of the page.
Step 2 Edit the login.html file and save it as a .tar or .zip file.
Step 3 Download the .tar or .zip file to the controller. The file contains the pages and image files required for the Web authentication display.
Note The controller accepts a .tar or .zip file of up to 1 MB in size. The 1 MB limit includes the total size of uncompressed files in the bundle.
TFTP Servers
To set up one or more TFTP servers, configure the following parameters:
• File is located on—Choose Local machine or TFTP server. The default is local machine (NCS internal server).
• Server Name—Use the drop-down list to choose one of the following:
  – New—Set up a new server. Enter the server name and IP address in the text boxes provided.
  – Default Server—The server name (editable) and IP address (read-only) are automatically added.
• Server IP Address—IP address of the server.
• Maximum Retries—Maximum number of unsuccessful attempts before the download is abandoned.
• Timeout—Maximum number of seconds before the download is abandoned.
• NCS Server Files In—C:\tftp or other specified file directory on the local machine.
• Local File Name—Filename of the Web authentication bundle on the local machine. Click Browse to locate the file.
• Server File Name—Filename on a remote TFTP server.
When completed, these fields and settings are repopulated in the page and do not need to be entered again.
Command Buttons
• OK—The file is downloaded from the local machine or TFTP server with the name shown in the File Name text box.
• Cancel

Configuring Controller System Interfaces

This section describes how to configure controller system interfaces and includes the following topics:
• Adding an Interface, page 9-39
• Viewing Current Interface Details, page 9-40
• Deleting a Dynamic Interface, page 9-41
• NAC Integration, page 9-43
• Configuring Wired Guest Access, page 9-46
To view existing interfaces, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > Interfaces. The following parameters appear:
• Check box—Select the dynamic interface for deletion. Choose Delete Dynamic Interfaces from the Select a command drop-down list.
• Interface Name—User-defined name for this interface (for example, Management, Service-Port, Virtual).
• VLAN Identifier—VLAN identifier between 0 (untagged) and 4096, or N/A.
• Quarantine—Select the check box if the interface has a quarantine VLAN ID configured on it.
• IP Address—IP address of this interface.
• Interface Type—Static (Management, AP-Manager, Service-Port, and Virtual interfaces) or Dynamic (operator-defined interfaces).
• AP Management Status—Displays the status of AP Management interfaces. The parameters include Enabled, Disabled, and N/A.
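A pre-flight check for the customized Web authentication bundle described in the Downloading a Customized Web Auth Bundle section above, written as an added example (not code from the guide or from NCS): it reads a .tar or .zip bundle and applies the guide's stated limit of 1 MB counted over the uncompressed member sizes, so an oversized bundle is caught before a TRANSFER_FAILED download. The requirement that the bundle contain login.html (the file the guide tells you to edit), the reading of 1 MB as 1024*1024 bytes, and the member-name safety check are this example's own assumptions; the sample bundles are constructed in the block.

```python
"""Pre-flight check for a customized Web authentication bundle (.tar or .zip).

Added example; not code from the Cisco Prime NCS guide or the controller.
Assumptions labelled here: 1 MB is taken as 1024*1024 bytes, the bundle
must carry a login.html, and member names must stay inside the bundle.
"""
import io
import tarfile
import zipfile
from pathlib import PurePosixPath

MAX_UNCOMPRESSED_BYTES = 1024 * 1024   # the guide's 1 MB limit (assumed binary MB)
REQUIRED_FILE = "login.html"           # assumption: the page the guide has you edit


def _member_is_safe(name: str) -> bool:
    """Reject absolute paths and '..' components (assumed hygiene check)."""
    p = PurePosixPath(name)
    return not p.is_absolute() and ".." not in p.parts


def list_bundle(data: bytes) -> dict:
    """Return {member_name: uncompressed_size} without extracting anything.

    Sizes come from the archive headers, which is exactly what the guide's
    'total size of uncompressed files' limit refers to.
    """
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return {i.filename: i.file_size for i in zf.infolist() if not i.is_dir()}
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            return {m.name: m.size for m in tf.getmembers() if m.isfile()}
    except tarfile.TarError as exc:
        raise ValueError("not a .tar or .zip bundle") from exc


def check_bundle(data: bytes) -> list:
    """Return a list of problems; an empty list means the bundle passes."""
    try:
        members = list_bundle(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    total = sum(members.values())
    if total > MAX_UNCOMPRESSED_BYTES:
        problems.append(f"uncompressed size {total} exceeds {MAX_UNCOMPRESSED_BYTES}")
    if not any(PurePosixPath(n).name == REQUIRED_FILE for n in members):
        problems.append(f"{REQUIRED_FILE} missing")
    unsafe = sorted(n for n in members if not _member_is_safe(n))
    if unsafe:
        problems.append(f"unsafe member names: {unsafe}")
    return problems


# Helpers that build constructed sample bundles in memory (not real login.tar content).
def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_tar(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    ok = make_tar({"login.html": b"<html>login</html>", "logo.png": b"\x89PNG"})
    # A tiny .zip whose member inflates past the limit: caught from the header alone.
    too_big = make_zip({"login.html": b"<html></html>",
                        "style.css": b"x" * (MAX_UNCOMPRESSED_BYTES + 1)})
    for label, bundle in (("ok", ok), ("too_big", too_big)):
        print(label, check_bundle(bundle) or "passes")
```

The oversized sample compresses to a few hundred bytes, which is why checking the header sizes, rather than the archive's size on disk, is the check that matches the guide's wording.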
Adding an Interface To add an interface, follow these steps: Step 1 Choose Configure > Controllers. Step 2 Click the IP address of the applicable controller. Step 3 From the left sidebar menu, choose System > Interfaces. Step 4 From the Select a command drop-down list, choose Add Interface. Step 5 Enter the necessary parameters: • Interface Name—User-defined name for this interface (Management, Service-Port, Virtual, and VLAN n). • Wired Interface—Select the check box to mark the interface as wired. • Interface Address – VLAN Identifier—1 through 4096, or 0 = untagged. – Quarantine—Enable/disable to quarantine a VLAN. Select the check box to enable. – IP Address—IP address of the interface. – Gateway—Gateway address of the interface. • Physical Information – Port Number—The port that is used by the interface. – Primary Port Number (active)—The port that is currently used by the interface. – Secondary Port Number—The port that is used by the interface when the primary port is down. Note Primary and secondary port numbers are only present in Cisco 4400 Series Wireless LAN Controllers.9-40 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Note The secondary port is used when the primary port shuts down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN Controller transfers the interfaces back to the primary port. – AP Management—Select to enable access point management. • DHCP Information – Primary DHCP Server—IP address of the primary DHCP server. – Secondary DHCP Server—IP address of the secondary DHCP server. • Access Control List—User-defined ACL name (or none). Viewing Current Interface Details To view details for a current interface, follow these steps: Step 1 Choose Configure > Controllers. Step 2 Click the IP address of the applicable controller. Step 3 From the left sidebar menu, choose System > Interfaces. 
Step 4 Select the Interface Name for the applicable interface. The Interface Details page opens. Step 5 View or edit the following interface parameters: Note Changing the Interface parameters causes the WLANs to be temporarily disabled and thus may result in loss of connectivity for some clients. • Interface Address – VLAN Identifier—1 through 4096, or 0 = untagged. – Guest LAN – Quarantine—Enable/disable to quarantine a VLAN. Select the check box to enable. – IP Address—IP address of the interface. – Gateway—Gateway address of the interface. • Physical Information – Primary Port Number (active)—The port that is currently used by the interface. – Secondary Port Number—The port that is used by the interface when the primary port is down. Note Primary and secondary port numbers are only present in Cisco 4400 Series Wireless LAN Controllers.9-41 Cisco Prime Network Control System Configuration Guide OL-25451-01 Chapter 9 Configuring Devices Configuring Existing Controllers Note The secondary port is used when the primary port shuts down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN Controller transfers the interfaces back to the primary port. – AP Management—Select to enable access point management. • DHCP Information – Primary DHCP Server—IP address of the primary DHCP server. – Secondary DHCP Server—IP address of the secondary DHCP server. • Access Control List – ACL Name—User-defined name of the access control list (or none). Step 6 Click Save to confirm any changes made. Click Audit to audit the device values. Deleting a Dynamic Interface To delete a dynamic interface, follow these steps: Step 1 Choose Configure > Controllers. Step 2 Click the IP address of the applicable controller. Step 3 From the left sidebar menu, choose System > Interfaces. Step 4 Select the check box of the dynamic interface that you want to delete. Step 5 From the Select a command drop-down list, choose Delete Dynamic Interfaces. 
Step 6 Click OK to confirm the deletion.
Note The dynamic interface cannot be deleted if it has been assigned to an interface group.

Configuring Controller System Interface Groups

This section describes how to configure controller system interface groups and introduces the following topics:
• Adding an Interface Group, page 9-41
• Deleting an Interface Group, page 9-42
• Viewing Interface Groups, page 9-43

Adding an Interface Group

To add an interface group, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > Interface Groups.
Step 4 From the Select a command drop-down list, choose Add Interface Group.
Step 5 Enter the necessary parameters:
• Name—User-defined name for this interface group (group1, group2).
• Interface Group Type—Select/deselect to quarantine a VLAN.
• Description—(Optional) Description for the Interface group.
Step 6 Click Add. The Interface dialog box appears.
Step 7 Select the interfaces that you want to add to the group and click OK. To remove an Interface from the Interface group, from the Interface Group page, select the Interface and click Remove.
Step 8 Once you are done with adding the interfaces, in the Interface Group page, click any of these buttons:
• Save to confirm any changes made.
• Audit to audit the device values.
• Cancel to discard the changes.
Note
• The number of interfaces that can be added to an interface group depends on the type of the controller.
• Guest LAN interfaces cannot be part of interface groups.
• An Interface group name must be different from the Interface name.

Deleting an Interface Group

To delete an interface group, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > Interface Groups.
Step 4 Select the check box of the interface group that you want to delete.
Step 5 From the Select a command drop-down list, choose Delete Interface Group, and click Go.
Step 6 Click OK to confirm the deletion.
Note
• The Interface Group cannot be deleted if it has been assigned to WLAN(s).
• The Interface Group cannot be deleted if it has been assigned to AP Group(s).
• The Interface Group cannot be deleted if it has been assigned to Foreign Controller Mapping for the WLAN(s).
• The Interface Group Template cannot be deleted if it has been assigned to WLAN Template(s).
• The Interface Group Template cannot be deleted if it has been assigned to AP Group Template(s).
• You cannot enable/disable quarantine for an interface if it has been assigned to an interface group.

Viewing Interface Groups

To view existing interface groups, follow these steps:

Step 1 Choose Configure > Controllers.
Step 2 Click the IP address of the applicable controller.
Step 3 From the left sidebar menu, choose System > Interface Groups. The following parameters appear:
• Name—User-defined name for the interface group (for example, group1, group2).
• Description—(Optional) Description for the Interface Group.
• Interfaces—Count of the number of interfaces belonging to the group.
Step 4 Click the Interface group name link. The Interface Groups Details page appears with the Interface group details as well as the details of the Interfaces that form part of that particular Interface group.

NAC Integration

The Cisco NAC appliance, also known as Cisco Clean Access (CCA), is a network admission control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network.
It identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network. The NAC appliance is available in two modes: in-band and out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for supporting wired users, for example). For more information on NAC Out-of-Band Integration, see the applicable section in the Cisco Network Control System Configuration Guide.

• Guidelines for Using SNMP NAC, page 9-43
• Configuring NAC Out-of-Band Integration (SNMP NAC), page 9-44

Guidelines for Using SNMP NAC

Follow these guidelines when using SNMP NAC out-of-band integration:
• The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Therefore, multiple NAC appliances might need to be deployed.
• Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine VLAN for each interface configured on the controller. For example, you might configure a quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However, if two WLANs or guest LANs use the same distribution system interface, they must use the same quarantine VLAN, provided they have one NAC appliance deployed in the network. The NAC appliance supports unique quarantine-to-access VLAN mapping.
• For posture reassessment based on session expiry, you must configure the session timeout on both the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than that on the NAC appliance.
• When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine state is determined by the timer on the NAC appliance.
Once the session timeout expires for WLANs using web authentication, clients deauthenticate from the controller and must perform posture validation again.
• NAC out-of-band integration is supported only on WLANs configured for hybrid-REAP central switching. It is not supported for use on WLANs configured for hybrid-REAP local switching.
• If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
• NAC out-of-band integration is not supported for use with the WLAN AAA override feature.
• All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web authentication, you must configure the NAC appliance to allow HTTP traffic to and from external web servers and to allow the redirect URL in the quarantine VLAN.
Note See the Cisco NAC appliance configuration guides for configuration instructions: http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html

Guidelines for Using RADIUS NAC

Follow these guidelines when using RADIUS NAC:
• RADIUS NAC is available only for WLANs with 802.1x/WPA/WPA2 Layer 2 security.
• RADIUS NAC cannot be enabled when HREAP local switching is enabled.
• AAA override should be enabled to configure RADIUS NAC.

Configuring NAC Out-of-Band Integration (SNMP NAC)

To configure SNMP NAC out-of-band integration, follow these steps:

Step 1 To configure the quarantine VLAN for a dynamic interface, follow these steps:
a. Choose Configure > Controller.
b. Choose which controller you are configuring for out-of-band integration by clicking it in the IP Address column.
c. Choose System > Interfaces from the left sidebar menu.
d. Choose Add Interface from the Select a command drop-down list.
e.
In the Interface Name text box, enter a name for this interface, such as “quarantine.”
f. In the VLAN Identifier text box, enter a non-zero value for the access VLAN ID, such as “10.”
g. Select the Quarantine check box if the interface has a quarantine VLAN ID configured on it.
Note We recommend that you configure unique quarantine VLANs throughout your network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in the same subnet, it is mandatory to have the same quarantine VLAN if there is only one NAC appliance in the network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in different subnets, it is mandatory to have different quarantine VLANs if there is only one NAC appliance in the network.
h. Configure any remaining fields for this interface, such as the IP address, netmask, and default gateway.
i. Enter an IP address for the primary and secondary DHCP server.
j. Click Save. You are now ready to create a NAC-enabled WLAN or Guest LAN.
Step 2 To configure NAC out-of-band support on a WLAN or guest LAN, follow these steps:
a. Choose WLANs > WLAN from the left sidebar menu.
b. Choose Add a WLAN from the Select a command drop-down list and click Go.
c. If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template. For more information on setting up the template, see the “Configuring Wired Guest Access” section on page 9-46.
d. Click the Advanced tab.
e. To configure SNMP NAC support for this WLAN or guest LAN, select SNMP NAC from the NAC Stage drop-down list. To disable SNMP NAC support, select None from the NAC Stage drop-down list, which is the default value.
f.
Click Apply to commit your changes.
Step 3 To configure NAC out-of-band support for a specific AP group, follow these steps:
a. Choose WLANs > AP Groups VLAN from the left sidebar menu to open the AP Groups page.
Note AP Groups (for 5.2 and later controllers) is referred to as AP Group VLANs for controllers prior to 5.2.
b. Click the name of the desired AP group.
c. From the Interface Name drop-down list, choose the quarantine enabled interface.
d. To configure SNMP NAC support for this AP group, select SNMP NAC from the Nac State drop-down list. To disable NAC out-of-band support, select None from the Nac State drop-down list, which is the default value.
e. Click Apply to commit your changes.
Step 4 To see the current state of the client (either Quarantine or Access), follow these steps:
a. Choose Monitor > Clients to open the Clients page. Perform a search for Clients.
b. Click the MAC address of the desired client to open the Clients > Detail page. The NAC state appears as access, invalid, or quarantine in the Security Information section.

Configuring Wired Guest Access

Wired Guest Access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are added to the network using the Lobby Ambassador feature. See the “Configuring a Guest Account” section on page 15-82.

Wired Guest Access can be configured in a standalone configuration or in a dual controller configuration employing an anchor and foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.
Wired Guest Access ports initially terminate on a Layer 2 access switch or switch port which is configured with VLAN interfaces for wired guest access traffic. The wired guest traffic is then trunked from the access switch to a wireless LAN controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.

If two controllers are being used, the controller (foreign) that receives the wired guest traffic from the switch then forwards the wired guest traffic to an anchor controller that is also configured for wired guest access. After successful handoff of the wired guest traffic to the anchor controller, a bidirectional Ethernet over IP (EoIP) tunnel is established between the foreign and anchor controllers to handle this traffic.

Note Although wired guest access is managed by anchor and foreign controllers when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.

Note You can specify how much bandwidth a wired guest user is allocated in the network by configuring and assigning a role and bandwidth contract. For details on configuring these features, see the “Configuring a Guest Account” section on page 15-82.

To configure and enable wired guest user access on the network, follow these steps:

Step 1 To configure a dynamic interface for wired guest user access, choose Configure > Controllers, click the IP address of the applicable controller, and then choose System > Interfaces.
Step 2 Choose Add Interface from the Select a command drop-down list, and click Go.
Step 3 Enter a name and VLAN ID for the new interface.
Step 4 Select the Guest LAN check box.
Step 5 Enter the primary and secondary port number.
Step 6 Click Save. You are now ready to create a wired LAN for guest access.
Step 7 To configure a wired LAN for guest user access, choose WLANs > WLAN configuration from the left sidebar menu.
Step 8 Choose Add a WLAN from the Select a command drop-down list, and click Go.
Step 9 If you have a template established that you want to apply to this controller, choose the guest LAN template name from the drop-down list. Otherwise, click the click here link to create a new template.
Step 10 In the WLAN > New Template general page, enter a name in the Profile Name text box that identifies the guest LAN. Do not use any spaces in the name entered.
Step 11 Select the Enabled check box for the WLAN Status parameter.
Step 12 From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Step 13 From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.
Note If you have only one controller in the configuration, choose management from the Egress Interface drop-down list.
Step 14 Choose the Security > Layer 3 tab to modify the default security policy (web authentication) or to assign WLAN specific web authentication (login, logout, login failure) pages and the server source.
a. To change the security policy to passthrough, select the Web Policy check box and select the Passthrough radio button. This option allows users to access the network without entering a username or password. An Email Input check box appears. Select this check box if you want users to be prompted for their email address when attempting to connect to the network.
b. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enabled check box.
When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:
  – Default Internal—Displays the default web login page for the controller. This is the default value.
  – Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option. These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files. For specifics on downloading custom pages, see the “Downloading a Customized WebAuthentication Bundle to a Controller” section on page 9-15.
  – External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box. You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA pane. To do so, continue with Step 15.
Note The RADIUS and LDAP external servers must be already configured to have selectable options in the Security > AAA pane. You can configure these servers on the RADIUS Authentication Servers page, TACACS+ Authentication Servers page, and LDAP Servers page.
Step 15 If you selected External as the Web Authentication Type in Step 14, choose Security > AAA and choose up to three RADIUS and LDAP servers using the drop-down lists.
Step 16 Click Save.
Step 17 Repeat this process if a second (anchor) controller is being used in the network.
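The SNMP NAC and RADIUS NAC guidelines earlier in this section and the wired guest access steps just above are all rules that can be checked against a controller's settings before the configuration is saved. The following Python script is an added example written for this page; it is not NCS or controller code and nothing on the page describes such a tool. The cfg dict layout, its field names (nac, hreap_local_switching, aaa_override, ingress_interface, and so on) and the sample values are assumptions constructed for the example; every deliberate mistake in the sample produces exactly one finding.

```python
"""Added example: audit a controller's NAC and wired guest LAN settings against the
guidelines in this chapter. Not NCS or controller code; the cfg dict layout and the
field names are assumptions made for this example."""
import math
from typing import Dict, List

NAC_APPLIANCE_MAX_USERS = 3500   # per the SNMP NAC guidelines


def nac_appliances_needed(expected_users: int) -> int:
    """Minimum number of NAC appliances for the expected client count (at least one)."""
    return max(1, math.ceil(expected_users / NAC_APPLIANCE_MAX_USERS))


def audit_nac(cfg: Dict) -> List[str]:
    """One finding per violated SNMP NAC or RADIUS NAC guideline."""
    findings: List[str] = []
    nac_timeout = cfg["nac_appliance_session_timeout"]
    # Static VLAN mapping: a quarantine VLAN belongs to exactly one controller interface.
    seen: Dict[int, str] = {}
    for name, iface in cfg["interfaces"].items():
        qvlan = iface.get("quarantine_vlan")
        if qvlan is None:
            continue
        if qvlan in seen:
            findings.append(f"interface {name}: quarantine VLAN {qvlan} already used by {seen[qvlan]}")
        else:
            seen[qvlan] = name
    wlan_nac = {}
    for w in cfg["wlans"]:
        mode, n = w.get("nac"), w["name"]
        wlan_nac[n] = mode
        if mode == "snmp":
            if w.get("hreap_local_switching"):
                findings.append(f"WLAN {n}: SNMP NAC requires hybrid-REAP central switching")
            if w.get("aaa_override"):
                findings.append(f"WLAN {n}: SNMP NAC is not supported with AAA override")
            if w["session_timeout"] <= nac_timeout:  # WLAN expiry must exceed the appliance's
                findings.append(f"WLAN {n}: session timeout must exceed the NAC appliance timeout")
        elif mode == "radius":
            if w.get("layer2_security") not in ("802.1x", "wpa", "wpa2"):
                findings.append(f"WLAN {n}: RADIUS NAC needs 802.1x/WPA/WPA2 Layer 2 security")
            if w.get("hreap_local_switching"):
                findings.append(f"WLAN {n}: RADIUS NAC cannot be used with H-REAP local switching")
            if not w.get("aaa_override"):
                findings.append(f"WLAN {n}: RADIUS NAC requires AAA override")
    # NAC on an AP group VLAN requires NAC on the WLAN first.
    for ap in cfg["ap_groups"]:
        if ap.get("nac") and wlan_nac.get(ap["wlan"]) != "snmp":
            findings.append(f"AP group {ap['name']}: NAC enabled but WLAN {ap['wlan']} has no SNMP NAC")
    return findings


def audit_guest_lan(cfg: Dict) -> List[str]:
    """One finding per wired guest LAN setting that departs from the procedure above."""
    findings: List[str] = []
    ifaces = cfg["interfaces"]
    single_controller = cfg.get("controller_count", 1) == 1
    for w in cfg["wlans"]:
        if not w.get("guest_lan"):
            continue
        n = w["name"]
        if " " in n:
            findings.append(f"guest LAN {n!r}: profile name must not contain spaces")
        if not ifaces.get(w.get("ingress_interface"), {}).get("guest_lan"):
            findings.append(f"guest LAN {n!r}: ingress interface must be a Guest LAN interface")
        if single_controller and w.get("egress_interface") != "management":
            findings.append(f"guest LAN {n!r}: single-controller egress interface must be management")
        if w.get("web_auth_type") == "External" and not w.get("external_url"):
            findings.append(f"guest LAN {n!r}: External web auth requires the server URL")
        if len(w.get("aaa_servers", ())) > 3:
            findings.append(f"guest LAN {n!r}: at most three RADIUS/LDAP servers may be selected")
    return findings


# Constructed sample (not from any real controller); every deliberate mistake is commented.
SAMPLE_CONFIG = {
    "controller_count": 1,
    "nac_appliance_session_timeout": 1800,
    "interfaces": {
        "management": {}, "guestinterface": {"guest_lan": True},
        "quarantine110": {"quarantine_vlan": 110}, "quarantine120": {"quarantine_vlan": 120},
        "lab": {"quarantine_vlan": 110},                                  # reuses VLAN 110
    },
    "wlans": [
        {"name": "corp", "nac": "snmp", "session_timeout": 3600, "aaa_override": False,
         "hreap_local_switching": False, "layer2_security": "wpa2"},      # compliant
        {"name": "visitor", "nac": "snmp", "session_timeout": 1800,       # not > 1800
         "hreap_local_switching": True},                                  # local switching
        {"name": "byod", "nac": "radius", "layer2_security": "wpa2",
         "aaa_override": False},                                          # AAA override off
        {"name": "wired guest", "guest_lan": True, "web_auth_type": "External",    # space, no URL
         "ingress_interface": "management", "egress_interface": "quarantine110"},  # wrong ingress/egress
    ],
    "ap_groups": [
        {"name": "floor1", "wlan": "corp", "nac": True},
        {"name": "floor2", "wlan": "byod", "nac": True},   # byod uses RADIUS NAC, not SNMP NAC
    ],
}
```

To use it on a real controller, build the same dict from the Interfaces, WLAN and AP Groups pages and print `audit_nac(cfg) + audit_guest_lan(cfg)`; an empty list means every guideline listed above is satisfied. The quarantine VLAN check works per controller, so the same-VLAN rule for controllers in one mobility group has to be compared across the dicts of all controllers separately.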
Creating an Ingress Interface

To create an Ingress interface, follow these steps:

Step 1 Choose Add Interface from the Select a command drop-down list, and click Go.
Step 2 Click an interface name. The Interfaces Details : New Config page appears (see Figure 9-3).
Figure 9-3 Interfaces Details : New Config Page
Step 3 In the Interface Name text box, enter a name for this interface, such as guestinterface.
Step 4 Enter a VLAN identifier for the new interface.
Step 5 Select the Guest LAN check box.
Step 6 Enter the primary an