DOCSLIB.ORG

CCNA Wireless Official Exam Certification Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CCNA Wireless Official Exam Certification Guide

CCNA Wireless Official Exam Certification Guide First Edition

Copyright © 2008 Cisco Systems, Inc.

ISBN-10: 1-58720-211-5

ISBN-13: 978-1-58720-211-7

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

When reviewing corrections, always check the print number of your book. Corrections are made to printed books with each subsequent printing.

First Printing: October 2008

Corrections for all Printings – Chapter 16 through Chapter 20

Through out this book the abbreviation for Cisco Replace all abbreviations for CSSC with: Secure Services Client is listed as CSSC Cisco Secure Services Client - Cisco SSC

Though out this book the abbreviation for Cisco Replace all abbreviation for Cisco Aironet Site Survey Aironet Site Survey Utility (CASSU) is listed Utility (CASSU) with: Cisco Aironet Site Survey Utility - (SSU) Though out this book 802.1x is listed incorrectly Correct way to list is: 802.1X

1 Updated 08/04/2009 Though out this book the abbreviation for MS- Correct way to list is: CHAPv2 I listed incorrectly MSCHAPv2 296 Chapter 16, Question 2, answer b Should read: Reads: b. WPA/WPA2 Enterprise b. WPA/WPA2/CCKM 297 Chapter 16, Question 9 Should read: Reads: 9. When you perform a site survey with the Cisco Site 9. When you perform a site survey with the CCSU, Survey Utility, what indicates a good SNR? what indicates a good SNR? 297 Chapter 16, Question 12 Should read: Reads: 12. What program is designed for vendors to create 12. What program is designed for vendors to compatible client hardware? create compatible hardware? 301 Chapter 16, after second full paragraph, under Add: Figure 16-4 add paragraph and bullet points This section on the WZC was written based on WZC in Windows Vista. The IUWNE course and CCNA Wireless test are built around WZC in Windows XP, which is visually different. The book should focus on the Windows XP version. It should show screenshots and give explanation of: . The pop-up window in the system tray, when you mouse over the wireless connection icon . The View Available Networks program and how to use it . Examples of how to configure enterprise and personal profiles in the WZC, explaining what the different configuration options entail 2 Updated 08/04/2009 305 Chapter 16, Configuring a Profile, second sentence Should read: Reads: It just means that the profile contains more security It just means that the profile contains more options, options. most likely security options and such. 307 Chapter 16, Table 16-2, First line Should read: Reads: Scan different channels Yes Yes Scan different channels No Yes 308 Chapter 16, Installing the ADU, first sentence Replace with: Delete and Replace The process is pretty simple. You must start by inserting the card. You may see the Windows Found New Hardware Wizard, as shown in Figure 16-13. If you see this, close it. You don’t need it. Instead, you will use an executable you downloaded from Cisco’s download site. After you have closed the Found New Hardware Wizard, double-click the install executable. The opening dialog box will tell you that you are installing the ADU. Click “next” and continue with the installation by selecting the type of install you want to perform. In this case, it’s the default option: Install Client Utilities and Driver. When you install the ADU, you have three options, as shown in Figure 16-12: 308 Chapter 16, after Figure 16-12, after bullet points, Replace with: second, third and fourth paragraphs As the installation progresses (as you click the Next Delete and replace button), you are given the option to install the SSU, as shown in Figure 16-14. 310 Chapter 16, Configuring a Profile, first paragraph, Should read: second sentence The ADU did this because the WLAN allowed open Reads: authentication without any need for RADIUS authentication afterwards. 3 Updated 08/04/2009 The ADU did this because the Windows client was associated with it before the ADU was even installed. 312 Chapter 16, Manually Creating a Profile, first Should read: paragraph, last sentence From the Security tab, you can choose from Reads: WPA/WPA2/CCKM, WPA/WPA2 Passphrase, 802.1X, Pre- From the Security tab, you can choose from Shared Key (Static WEP), or None, as shown in Figure WPA/WPA2/CCKM, WPA/WPA2 Passphrase, 802.1x, 16-20. Pre-Shared Key (Static WEP), or None, as shown in Figure 16-20. 312 Chapter 16, 802.1x Profiles, first sentence Replace with: Delete and replace 802.1X Profiles You can also create an 802.1X profile, but understand that encryption of user data is optional. If encryption is used, it will be dynamic WEP and you must choose between 40-bit and 104-bit keys. 313 Chapter 16, WPA/WPA2/CCKM Profiles, second Should read: sentence This method performs encryption with a rotated Reads: encryption key and RADIUS-based authentication similar This method performs encryption with a rotated to 802.1X, but the encryption types will be either WPA- encryption key and authentication with 802.1x. TKIP or AES. 314 Chapter 16, Table 16-3 Replace with: Delete and replace Security Option Encryption Authentication WPA/WPA2/CCKM WPA-TKIP or AES Rotating key

EAP methods (see 802.1X)

WPA/WPA2 Passphrase WPA-TKIP or AES Rotating key

8 to 63 ASCII or 64 hexadecimal passphrase

802.1X Dynamic WEP optional

EAP-TLS, PEAP, LEAP, EAP- 4 Updated 08/04/2009 FAST, host-based EAP (host- based is not an option for WPA/WPA2/CCKM)

Pre-Shared Key (Static WEP) Static WEP (weak) Open or Shared Key

None None None 316 Chapter 16, after Figure 16-24, first and second Replace with: sentence: If you note a high count of retries, it may be due to Delete and replace collisions, noise, or interference. High numbers of RTS/CTS (provided in relation to the total number of frames transmitted) frames indicate the protection mechanism is being used. 318 Chapter 16, Figure titles Should read: Reads: Figure 16-26 SSU Display in dBm Figure 16-26 CSSU Display in dBm Figure 16-27 SSU Display in Percentage Figure 16-27 CSSU Display in Percentage 320 Chapter 16, after first paragraph, insert Insert: The section on the ADU still leaves several things unaddressed: . An explanation of different pieces of data on the ADU’s Current Status Tab, such as link status, network type, and wireless mode, and what do the colors mean for the boxes in the Signal Strength field? . How to configure different authentication types (LEAP, EAP-FAST, PEAP, EAP-TLS) – they should be described in more detail, with pictures so students can see what’s being configured and descriptions of what the different options entail

5 Updated 08/04/2009 . 802.1X and WPA/WPA2/CCKM are very similar in the way they are configured in the ADU – so how do you know which one to configure on the client? Part of it is based on the encryption protocol you want to use and part of it has to match settings configured on the controller. This needs to be explained. . How many profiles can you have in the ADU? . The Advanced tab was never discussed, but can be used to limit which radio a profile uses, transmit power, power save modes, and to set up ad hoc networks. . Installing the ADU through Microsoft Active Directory Group Policy Objects. 320 Chapter 16, The Cisco Secure Services Client, first Replace with: paragraph, first four sentences The Cisco Secure Services Client (SSC) is client software Delete and replace that provides 802.1X (Layer 2) user and device authentication for access to both wired and wireless networks. The Cisco SSC does not need a Cisco wireless card to operate the software – it works with all wired and wireless network interface cards. From the wired network side, it provides 802.1X capabilities for user and device authentication, which is more extensive than the standard wired LAN connection. 322 Chapter 16, SSC Groups, first paragraph, third Should read: sentence You can also add basic wireless connections (PSK- Reads: based), but not secured wireless or wired connections. You can also add basic wireless connections (PSK- based), but not secured or wired connections.

6 Updated 08/04/2009 322 Chapter 16, SSCAU Overview, after second bullet Insert: point, insert the following . Via an MSI that will also install the Cisco SSC This section leaves out several pieces of information the student may need. . What kind of profiles are users allowed to create with the SSC? . What kind of profiles are admins allowed to create with the admin utility? An example of how the tool is used should be shown for visual reference. . If an administrator uses the administration utility to build a profile, can a client make changes to it? . Once you’ve bought the non-expiring wireless license, how do you deploy it to the user? 322 Chapter 16, The Cisco Client Extension Program, add Add: under last paragraph Should include information on: . How the CCX program is used with Wi-Fi tags, including the types of information that a Wi-Fi tag can deliver to a third party app. . Some of the benefits achieved with CCX (CCKM, DTPC, roaming enhancements, MFPv2) . Features implemented at different levels of CCX compatibility (Note: if it looks like I’ve indicated a lot of things are missing, its because this chapter uses 28 pages to summarize 105 pages from the IUWNE course.)

7 Updated 08/04/2009 327 Chapter 17, Securing the Wireless Network, first Should read: paragraph, first sentence It’s usually obvious that the medium of wireless Reads: networks can be more easily accessed from the outside It’s usually obvious that the medium of wireless than wired networks. networks can be less secure than wired networks. 328 Chapter 17, Question 4, answers Should read: Reads: a. v1 a. v1.x b. v2 b. v2.x c. v5 c. v5.x d. v6 d. v6.x 329 Chapter 17, Question 8 Should read: Reads: 8. In centralized authentication, a certificate can be 8. In centralized authentication, a certificate is based used based on information from a trusted third party. on information from a trusted third party. What What information is not included in a certificate? information is not included in a certificate? 329 Chapter 17, Question 9, answer d Should read: Reads: d. 802.1X d. 802.1x 329 Chapter 17, Question 11 Should read: Reads: 11. Which EAP method must use certificates on both the 11. Which EAP method uses certificates on both the client and the server? client and the server?

8 Updated 08/04/2009 331 Chapter 17, Rogue APs, Replace with: Delete first and second paragraphs and replace A rogue AP is not A part of the corporate infrastructure. It could be an AP that’s been brought in from home or an AP that’s in a neighboring network. A rogue AP is not always bad. It could be an AP that’s part of the corporate domain yet still operating in autonomous mode (any access point not managed by a controller in a mobility group will be identified by the controllers in that mobility group as a potential rogue access point). Part of an administrator’s job is determining if the AP is supposed to be there. Fortunately, you don’t have to do all the work yourself. A few functions of the controller- based network can detect rogue APs and even indicate if they are on your network. Something to consider when looking for rogue APs is what happens to clients that can connect to those rogue APs. If a client connects to a rogue AP, it is considered to be a rogue client. The reason rogue APs on your wired network pose a threat is that rogue APs typically are installed with default configurations, meaning that any client that connects bypasses any corporate security policy. So you do not know if the client is a corporate user or an attacker. 332 Chapter 17, Management Frame Protection, first Replace with: paragraph One method of Management Frame Protection (MFP) is Delete and replace Infrastructure MFP, or MFP version 1. With this method, each management frame includes a cryptographic hash called a Message Integrity Check (MIC). The MIC is added to each frame before the Frame Check Sequence (FCS). When this is enabled, each WLAN has a unique key sent to each radio on the AP. Then, the AP sends management frames, and the network knows that this 9 Updated 08/04/2009 AP is in protection mode. Detecting APs can identify if a frame was altered, or if someone spoofs the SSID of the WLAN and doesn’t have the unique key, then the detecting AP invalidates the message. APs that hear invalid frames report them to the controller. 332 Chapter 17, Management Frame Protection, second Should read: paragraph, first sentence The other method of MFP is called Client MFP, or MFP Reads: version 2. The other method of MFP is called Client MFP. 332 Chapter 17, Management Frame Protection, fourth Should read: paragraph, third sentence You don’t have to worry about your client associating Reads: with the rogue AP, because your client identifies and You don’t have to worry about your client associating drops invalid frames. with the rogue AP, because it drops invalid frames. 332 Chapter 17, Management Frame Protection, sixth Replace with: paragraph To enable Client MFP you must then open the properties Delete and replace for the individual WLANs that will support Client MFP. Navigate to WLANs> WLAN_name> Advanced tab and use the MFP Client Protection drop down menu to select either Optional or Required, depending on how you want the service to run. 334 Chapter 17, second bullet point, second sentence Replace with: Delete and replace The problems with WEP today are that the keys are not scalable for large networks and that they can be broken in 4 to 7 minutes. 334 Chapter 17, first paragraph after bullet points, first Should read: sentence The mitigation methods used to prevent attacks Reads: mentioned here cover a wide range of capabilities, some more powerful than others. 10 Updated 08/04/2009 The mitigation methods used to prevent attacks mentioned here are not very advanced and are considered weak by today’s standards. 334 Chapter 17, Open Authentication, last two sentences Replace with: Delete and replace WEP encryption, if used, begins immediately after association is granted. Everything is “open” in the sense that no credentials are passed. 334 Chapter 17, Preshared Key Authentication with Wired Replace with: Equivalent Privacy, second paragraph The process of preshared key authentication used with Delete and replace static WEP is as follows: 335 Chapter 17, Step 3 Replace with: Delete and replace Step 3. The client encrypts the text received and sends the encrypted version of the challenge as a response. The encryption is done using one of the client’s static WEP keys. 336 Chapter 17, Note box Do not replace Delete 336 Chapter 17, MAC Address Filtering, last two Replace with: sentences This method is not recommended for use by itself. To Delete and replace configure MAC address filtering, you simply check a box on the Layer 2 Security Policy configuration page, as shown in Figure 17-6. 336 Chapter 17, Centralized Authentication, second Should read: sentence In this scenario, a Public Key Infrastructure (PKI) may Reads: be used. In this scenario, a Public Key Infrastructure (PKI) is usually in place.

11 Updated 08/04/2009 338 Chapter 17, first paragraph after bullet points, first Should read: sentence When you use digital certificates, you have a CA Reads: certificate, a server certificate, and possibly a client When you use digital certificates, you have a CA certificate that is issued by the CA. certificate and a server certificate that is issued by the CA. 338 Chapter 17, first paragraph after bullet points, third Should read: sentence If the signature matches, you accept the certificate as Reads: valid. If the signature matches, you authenticate. 338 Chapter 17, third paragraph after bullet points Replace with: Delete and replace Certificates can also be used for encrypting LWAPP control data, but it’s not the same certificate that is used for 802.1X; in this case certificates at the controller and access point are used to create an AES encrypted TLS tunnel. Additionally, certificates are used for web authentication, but again, it’s not the same certificate as the one used by 802.1X. With web authentication, the controller uses its self-signed certificate to create a TLS tunnel to protect credentials passed during authentication, but the credentials are verified against accounts on the controller and not an AAA server. 339 Chapter 17, first sentence after Figure 17-8 Should read: Reads: Until the user authenticates, no frames other than Until the user authenticates, no frames can be authentication frames can be passed to the wireless passed to the wireless network. network.

12 Updated 08/04/2009 339 Chapter 17, Step 1, 2, 3, 4, and 5 Replace with: Delete and replace Step 1. The client selects an AP to associate with. Step 2. The client sends an authentication request. Step 3. The AP returns an authentication response. Step 4. The client sends an association request. Step 5. The AP sends an association response. 339 Chapter 17, Numbers 4, 5, 6, 7, 8, 9, and 10 Replace with: Delete and replace 4. The client sends a challenge for the RADIUS server, which is forwarded by the access point. 5. The RADIUS server responds to the challenge, validating its identity, and the response is forwarded to the client by the access point. 6. During the communication, the client and the RADIUS server derive unique session keys. 7. The RADIUS server sends an access success message back to the AP, along with a session encryption key. 8. The AP keeps the session encryption key to use between the client and itself. 9. The AP exchanges random numbers (nonces) with the client, which are then combined with the session encryption key at both client and AP, finalizing the actual session encryption key to be used. Using the finalized session key, the AP forwards its broadcast/multicast encryption key, to the client. 10. The client and AP can use the session encryption keys to encrypt traffic. 339 Chapter 17, last paragraph Replace with: 13 Updated 08/04/2009 Delete and replace The AP keeps the session encryption key so that it can encrypt traffic between the AP and the client protecting the connection. The AP sends a broadcast/multicast encryption key because each session encryption key is unique. So if the client were to use it to encrypt a broadcast or multicast, only the AP would be able to decipher it. 340 Chapter 17, The EAP Process, second paragraph Replace with: Delete and replace EAP controls how the user credentials are sent under the premise that no matter what EAP method you use, the RADIUS server and the client will all use the same process. It involves the following steps: 340 Chapter 17, The Authentication Server, first Should read: paragraph, second sentence It really doesn’t matter what you use as an Reads: authentication server, as long as it supports the EAP It really doesn’t matter what you use as an method used by the supplicant. authentication server, as long as it supports the EAP method configured on the controller and used by the supplicant and AP. 340 Chapter 17, The Authentication Server, second Replace with: paragraph When you define the RADIUS server, enter the server’s Delete and replace IP address and the shared secret (a predefined passphrase that you determine and configure) to be used with the server. You configure the port number, the server’s status, whether it supports RFC 3576 (identity based networking), the server timeout (how long a controller waits for the server to respond before trying the server again), and what type of authentication the RADIUS server will perform (network users, management users, or IPSec users). Then click Next. 342 Chapter 17, first paragraph after Figure 17-12 Replace with: 14 Updated 08/04/2009 Delete and replace As you can see, the process begins with an EAP Start message. Next, the AP requests the client’s identity. The client responds with its identity, and this is sent via EAP over LAN (EAPOL) to the authentication server. The authentication server sends its certificate, proving its identity to the client. The client creates a session key and encrypts it with the public key from the authentication server’s certificate, then forwards the encrypted version of the key to the authentication server. This allows the authentication server to securely receive a copy of a session key and create a TLS tunnel with the client. Once the tunnel is created, the client sends its certificate, thus proving its identity to the authentication server. 343 Chapter 17, EAP-FAST, last sentence of first Replace with: paragraph and second paragraph Instead, EAP-FAST uses a strong shared secret key Delete and replace stored within a Protected Access Credential (PAC) file that is unique on every client. EAP-FAST negotiation normally happens in two phases, phase 1 and phase 2, though there is an optional phase 0 that can be used to provision the PAC file. If an EAP- FAST client does not have a PAC file, they can request it during Phase 0 if anonymous PAC provisioning has been configured at the RADIUS server and the client. After the PAC has been distributed, phase 1 can happen. In phase 1, the AAA server sends an Authority-ID, allowing the client to pick the PAC file that corresponds to that server. The client then sends the encrypted portion of the PAC file, known as the PAC-opaque, which contains a session key; the client already has a copy of this session key in unencrypted form. The AAA server and the client use this session key to establish a TLS tunnel. 15 Updated 08/04/2009 After phase 1 establishes the secure TLS tunnel, phase 2 authenticates the user to the AAA server using another EAP method, with either passwords, generic token cards, or a certificate. 343 Chapter 17, EAP-FAST, Number 5 Replace with: Delete and replace 5. The client selects a PAC based on the received A-ID. The client sends a PAC Opaque reply to the server. The PAC Opaque is a variable-length field that can be interpreted only by the authentication server. The PAC Opaque is used to transport a session key to the authentication server. Because the PAC Opaque is encrypted with a key possessed only by the authentication server, the session key is secure in transit.

344 Chapter 17, Numbers 4, 5, 6, and 7 Replace with: & Delete and replace 4. The client returns a premaster secret, encrypted with 345 the public key from the AAA server’s certificate. 5. The AAA server decrypts the premaster secret using its private key and the tunnel is established. 6. The AAA server sends an identity request to the client, negotiating which inner authentication method will be used. 7. The AAA client sends an identity response, indicating which inner authentication method it will use. 345 Chapter 17, LEAP, first sentence Should read: Reads: Lightweight Extensible Authentication Protocol (LEAP) Lightweight Extensible Authentication Protocol gets honorable mention here mainly because it is a (LEAP) gets honorable mention here mainly because Cisco EAP method that is still seen in some networks. it is a Cisco EAP method that is still seen in 802.11b 16 Updated 08/04/2009 networks. 345 Chapter 17, Authentication and Encryption, first Should read: paragraph, third sentence The problems with WEP are that it can be broken easily Reads: and it is not scalable. The problem with WEP is that it can be broken easily. 346 Chapter 17, WPA Overview, first paragraph Replace with: Delete and replace WPA was introduced in 2003 by the Wi-Fi Alliance as a temporary replacement for WEP while waiting for 802.11i to release. WPA uses Temporal Key Integrity Protocol (TKIP) to automatically change the keys. TKIP still uses RC4; it just improves how it’s done by implementing per-user, per-session dynamic keys. This is a major improvement over static WEP where every user had to be configured with the same WEP key. WPA is based on 802.11i draft version 3. WEP uses RC4 encryption, which is very weak. TKIP uses a larger IV than WEP. This would make it more difficult to guess the keys while not requiring new hardware. Instead, you could simply perform a firmware upgrade in most cases. 346 Chapter 17, first bullet point Replace with: Delete and replace Enterprise mode: Enterprise mode WPA requires an authentication server. RADIUS is used for authentication and key distribution, and TKIP is used for encryption. 347 Chapter 17, Last paragraph under WPA Overview, Replace with: after Figure 17-16 To configure WPA, set the Layer 2 security method by Delete and replace choosing WLANs > Edit. Then select the Security tab and choose WPA+WPA2 from the drop-down, as shown in Figure 17-17. To allow WPA check the WPA Policy check box. This will automatically enable support for

17 Updated 08/04/2009 TKIP with a WPA-style handshake, though AES can optionally be used. 347 Chapter 17, WPA2 Overview, first paragraph, first Should read: and second sentences WPA2, as its name implies, is the second generation of Reads: WPA. WPA was designed to be implemented through a WPA2, as its name implies, is the second attempt at firmware upgrade but WPA2 has more stringent WPA. WPA was not designed to be just a firmware hardware requirements. upgrade; instead, you might need hardware to use it. 348 Chapter 17, first full paragraph Replace with: Delete and replace It was mentioned that AES is used for encryption. AES is the commonly used abbreviation for Advanced Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol (AES/CCMP). 348 Chapter 17, last paragraph, first sentence Should read: Reads: To configure WPA2, from the WLANs > Edit page, To configure WPA2, from the WLANs > Edit page, select WPA+WPA2 from the layer 2 security policy select WPA2 Policy option. drop down menu, then the WPA2 Policy option. 354 Chapter 18, Question 4, answers a and b Should read: Reads: a. Windows 2003 Server a. Windows Server b. Red Hat Linux AS/ES 4 b. Red Hat Linux 355 Chapter 18, Question 11, answer a Should read: Reads: a. Administration > AAA > Users a. Administration > AAA 356 Chapter 18, Question 16, answer c Should read: Reads: c. Use the Audit tool. 18 Updated 08/04/2009 c. Use the Audit Config page. 357 Chapter 18, Question 21, answer c Should read: Reads: c. Floor area c. Floor 358 Chapter 18, Introduction to the WCS, first paragraph Should read: after first set of bullet points, second sentence Licensing enables single-server deployments of up to Reads: Licensing enables single-server deployments 3000 APs being supported. of up to 500 APs to 2500 APs being supported. 358 Chapter 18, Introduction to the WCS, second Insert: paragraph after first set of bullet points By itself, WCS can allow an administrator to track the Insert first sentence current location of a single wireless device at a time; if using WCS Location you can use the added feature of RF fingerprinting to achieve better location accuracy. 358 Chapter 18. Introduction to the WCS, second Should read: paragraph after first set of bullet points, original first The Cisco Wireless Location Appliance, accessed via the sentence WCS interface, provides mapping of multiple clients and Reads: assistance in enforcing security policies. The Cisco Wireless Location Appliance, accessed via the WCS interface, provides mapping of clients and assistance in enforcing security policies. 358 Chapter 18, Introduction to the WCS, second set of Replace with: bullet points . Real-time tracking of up to 2500 clients Delete and replace . Historical information going back for 30 days . A single point of management

19 Updated 08/04/2009 358 Chapter 18, Installing and Configuring the WCS, first Should read: two paragraphs The WCS has two deployment possibilities: a Linux- Reads: based deployment (using Red Hat Enterprise ES/AS The WCS has two deployment possibilities: a Linux- Linux Release 4, the Cisco WCS can be installed as a based deployment and a Windows deployment. In service under Linux) and a Windows 2003/SP1-based large deployments, Cisco recommends the Linux- deployment. In large deployments, Cisco recommends based deployment. the Linux-based deployment. The requirements for a Linux-based deployment are The requirements for a high-end server are as follows: as follows: 358 Installing and Configuring the WCS, Should read: Delete first bullet point . Intel Xeon Quad 3.15-GHz CPU . 8-GB RAM, 200-GB HD 359 Chapter 18, first two paragraphs, and first set of Replace with: bullet points In a mid-grade server, you can use the following: Delete and replace . Intel dual-core 3.2-GHz CPU . 4-GB RAM, 80-GB hard drive With a deployment using these specifications, you can support up to 2000 APs and 150 controllers. In a low-end server, you can use the following: . Pentium 4/3.06 GHz (minimum) . 2-GB RAM, 30-GB hard drive With a deployment using these specifications, you can support up to 500 APs and 50 controllers.

20 Updated 08/04/2009 359 Chapter 18, Table 18-2, line 3 through 12 Should read: Reads: 1315 Solid SQL Database 1315 Java 1299 Java – Remote Method Invocation (RMI) 1299 Java 6789 — 6789 — 8009 Java – Web Container 8009 Java 8456 Java – HTTP Connector 8456 Java 8005 — 8005 — 69 TFTP 69 TFTP 21 FTP 21 FTP 162 SNMP traps 162 SNMP traps 8457 HTTP Connector Redirect 8457 — 360 Chapter 18, bullet points number 2, 3, 4, 5 Should read: Reads: . Verify the server ports. Only the ports for http and https access (80 and 443, respectively) can be . Verify the server ports. changed – all others are fixed and cannot be changed. . Enter the passwords. . Enter the passwords. The passwords must be . Choose the FTP and TFTP root folders. strong passwords (minimum of 8 characters, no “cisco”, “ocsis”, or “public”, no more than two . Select whether this is a multihomed server repeated characters, and at least have three of the (two NIC cards). following characteristics: upper case letters, lower case letters, numbers, or special characters). . Choose the FTP and TFTP root folders. Choosing a folder outside the WCS installation folders is recommended. . Select whether this is a multihomed server (two or more NIC cards); if so, choose the NIC that will be used for supporting WCS FTP and TFTP services.

21 Updated 08/04/2009 360 Chapter 18, third paragraph, third sentence Should read: Reads: You might encounter problems if the WCS and IIS are You might encounter problems if the WCS and IIS installed on the same machine, because both would try are installed on the same machine, because both to use port 80. would try to secure port 80. 360 Chapter 18, third paragraph Add: Add sentence at end of paragraph These tabs are configurable to meet the needs of different administrative users and those user’s settings will be keyed to their individual login accounts. 360 Chapter 18, Administration Options in the WCS, first Should read: sentence In the WCS interface, you have horizontal menus across Reads: the top that access various configuration elements, In the WCS interface, you have tabs or horizontal including these: menus across the top that access various configuration elements, including these: 360 Chapter 18, Administration Options in the WCS, Replace with: bullet points . Monitor Delete and replace . Reports . Configure . Location . Administration . Tools . Help 361 Chapter 18, third paragraph, fifth sentence Should read: Reads: To see a list of who is logging into the WCS, go to To see a list of who is logging into the WCS, go to Administration > AAA > Users > Audit Trail; note that Administration > AAA > Users > Audit Trail. audit trail is only accessible to members of the 22 Updated 08/04/2009 Superusers group. 362 Chapter 18, Adding controllers to the WCS, first Should read: sentence To add controllers to the WCS, use the Configure drop- Reads: down menu. To add controllers to the WCS, use the Configure tab. 364 Chapter 18, second paragraph, fifth sentence Should read: Reads: Select a controller and then, using the Administrative Select a controller and then, using the drop-down, Commands drop-down, choose Audit Now and click choose Audit Now and click Go. Go. 364 Chapter 18, Working with Templates Add: Add last sentence to first paragraph Templates also help you keep controller and AP configuration consistent across the enterprise. 365 Chapter 18, Step 5 of Working with Templates Replace with: Delete and replace Step 5. Configure the template’s options. Step 6. Click Save. 368 Chapter 18, Maps and APs in the WCS, third Should read: paragraph, first sentence You start by adding a campus, then a building and then Reads: adding floors. You start by adding a building and then adding floors. 368 Chapter 18, Maps and APs in the WCS, fourth Should read: paragraph, first sentence If you wish to support wireless networking outdoors, the Reads: maps begin in the context of a campus The maps begin in the context of a campus 368 Chapter 18, Maps and APs in the WCS, fourth Should read:

23 Updated 08/04/2009 paragraph, seventh sentence If you know you are not going to support outdoor Reads: wireless networking, they can be standalone. They can be standalone. 370 Chapter 18, Note box Replace with: Delete and replace Note: When adding buildings to a campus map, consider that the building’s horizontal and vertical span must be larger than or the same size as any floors that you might add later. You cannot create any floor if it is larger than the building. The WCS will not allow the larger level to then be added. You can find more information in the section “Adding and Using Maps” in the Cisco Wireless Control System Configuration Guide, Release 4.1 at http://tinyurl.com/6f8apm. 370 Chapter 18, fifth bullet point Should read: Reads: . Horizontal and vertical dimensions (dimensions can be entered in feet or meters, but the same unit . Horizontal and vertical dimensions in feet of measure must be used for all maps in WCS)

371 Chapter 18, first paragraph, fourth sentence Should read: Reads: The floor types include Cubes and Walled Offices, The floor types include Cubes and Walled Offices, Drywall Office Only, Outdoor Area, and user-defined RF Drywall Office Only, and Outdoor Open Space. models. 371 Chapter 18, last paragraph, third sentence Should read: Reads: A site survey is a measurement of how RF signals A site survey is a measurement of a certain point in propagate at a certain point in time. time. 372 Chapter 18, first paragraph, last sentence Should read: Reads: The WCS bases its information on what you tell it the environment will look like combined with the RF model 24 Updated 08/04/2009 The WCS can base its information on what you tell it (floor type) you have programmed for that floor or the environment will look like. outdoor area. 372 Chapter 18, Planning Mode, first paragraph, second Should read: sentence It allows you to choose whether you will manually place Reads: hypothetical APs on the map or have WCS do it for you, It places hypothetical APs on the map or lets you based on input you add in, such as desired throughput view the coverage area based on the placement of and application, and then it lets you view the coverage the hypothetical APs. area based on the placement of the hypothetical APs 373 Chapter 18, first paragraph after Figure 18-15 Replace with: Delete and replace You move this around to determine the coverage area. You want to trace the outer edge of the area you intend to cover. Know that this may give you coverage that extends beyond your walls, depending on the size/shape of your building and the service type you are supporting; this is known as “service bulge” and is very common. 376 Chapter 18, Monitoring with the WCS, second Replace with: paragraph An alarm summary, shown in Figure 18-20, is available Delete and replace and refreshes every 15 seconds by default, though you can adjust this. Alarms are broken down into categories of information and their severities. The categories include malicious AP, unclassified AP, coverage hole, security, controllers, access points, and mesh links. WCS servers that support Location also include a location alarm category. Fields that are clear indicate no alarms. Red is critical, orange is a major alarm, and yellow is a minor alarm. By clicking a colored alarm square, you can get more details on the alarm(s) that fit that category and severity level, starting with the most recent and working

25 Updated 08/04/2009 your way back in time. 376 Chapter 18, Monitoring with the WCS, fourth Replace with: paragraph You can also monitor rogue APs, security settings, and Delete and replace Radio Resource Management (RRM). In addition, you can monitor Location Appliances. The Location Appliance tightly integrates with the WCS and can provide real- time location tracking. While the WCS performs this function on demand for a single device, the location appliance, once added to a WCS server, performs this function for up to 2500 devices simultaneously. Location accuracy in a server running WCS Base only determines the closest AP, but WCS Location can determine the location of a wireless client to within 10 meters 90 percent of the time, and to within 5 meters 50 percent of the time. This is an added benefit when troubleshooting issues related to interference and rogues. 381 Chapter 19, Maintaining Wireless Networks, first Should read: paragraph, second sentence Cisco recommends that all controllers in a mobility Reads: group run the same version of code. Cisco recommends that all controllers run the same version of code. 383 Chapter 19, Question 5 Should read: Reads: 5. Which protocols are used to upgrade a controller? 5. Which protocols are used to upgrade a controller? (Choose two.) 384 Chapter 19, Question 7, answers ‘b’ and ‘c’ Should read: Reads: b. How many available AP licenses the controller has b. How many licenses the controller has c. The software version the controller is running

26 Updated 08/04/2009 c. The version the controller is running 391 Chapter 19, Step 6, second sentence Should read: Reads: WCS downloads the software to the controller, and the WCS downloads the software to the controller, and controller writes the code to RAM first, and then to flash. the controller writes the code to flash RAM. 391 Chapter 19, Upgrading an AP, first paragraph, last Should read: sentence Remember that after upgrading the software on the Reads: controller, the APs automatically upgrade their software Remember that after upgrading the software on the as well, but only 10 APs can upgrade at any given time. controller, the APs automatically upgrade their software as well, but only 20 APs can upgrade at any given time. 391 Chapter 19, Upgrading an AP, last bullet point Should read: Reads: . If the AP leaves one controller and associates with another, the AP checks the controller version and . If the AP leaves one controller and associates with another, the AP checks the controller upgrades/downgrades as needed. This upgrade or version and upgrades/downgrades as needed. downgrade takes about two minutes. 392 Chapter 19, Upgrading WCS, Add: Add last sentence Performing a backup prior to upgrading WCS is recommended. 394 Chapter 19, first paragraph, last sentence Replace with: Delete and replace The file has been backed up and can now be used on this or other controllers. Keep in mind that the controller you download the configuration file to must be the same model and running compatible code.

27 Updated 08/04/2009 394 Chapter 19, third paragraph Replace with: Also, the show running-config command can be copied Delete and replace fourth and fifth sentences and pasted into notepad, edited (if you wish), and then pasted back to host if you want to make changes to the config. It’s important to note the difference between this command and the show run-config command, because they produce very different output. show running-config displays the contents of the configuration line by line. show run-config provides information about the state of the system. show run- config can not be pasted to host. 398 Chapter 19, Resetting the Controller to the Defaults, Should read: third sentence The controller needs to reboot for this to occur, because Reads: the configuration is not only stored in NVRAM, but it is The controller needs to reboot for this to occur, also active in RAM and is cleared only with a reboot; because the configuration is not only stored in resetting the controller to factory defaults erases the NVRAM, but it is also active in RAM and is cleared startup config file but not the running config, so only with a reboot. rebooting the server without saving changes is required to complete the job. This errata sheet is intended to provide updated technical information. Spelling and grammar misprints are updated during the reprint process, but are not listed on this errata sheet.

28 Updated 08/04/2009

Load more

Recommended publications