service (wlan-config-context)
Invokes service commands applicable in the WLAN configuration mode.
Supported in the following platforms:
- Access Points – AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
- Service Platforms – NX5500, NX7500, NX9500, NX9600, VX9000.
Syntax
service [allow-ht-only|allow-open-passpoint|client-load-balancing|cred-cache|eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|enforce-pmkid-validation|key-index|monitor|radio-crypto|reauthentication|session-timeout|tx-deauth-on-roam-detection|unresponsive-client|wpa-wpa2|show]
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-on-roam-detection|show cli]
service eap-mac-mode [mac-always|normal]
service eap-throttle <0-254>
service key-index eap-wep-unicast <1-4>
service monitor [aaa-server|adoption|captive-portal|dhcp|dns]
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|timeout <1-60>]
service wpa-wpa2 exclude-ccmp
Parameters
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-on-roam-detection|show cli]
allow-ht-only | Only allows clients capable of High Throughput (802.11n) data rates to associate. This option is disabled by default.
allow-open-passpoint | Enables non-WPA2 security for passpoint WLANs. This option is disabled by default. For more information on passpoint policy and configuration, see Passpoint Policy.
cred-cache [clear-on-4way-timeout|clear-on-disconnect] | Clears the credential cache based on the parameter passed:
  - clear-on-4way-timeout – Clears cached client credentials after the 4-way handshake with a client has timed out. This option is enabled by default.
  - clear-on-disconnect – Clears cached client credentials after the client has disconnected from the network. This option is disabled by default.
eap-mac-multicopy | Enables sending of multiple copies of broadcast and unicast messages. This option is disabled by default.
eap-mac-multikeys | Enables configuration of different key indices for MAC authentication. This option is disabled by default.
enforce-pmkid-validation | Validates the Pairwise Master Key Identifier (PMKID) contained in a client's association request against the one present in the wpa-wpa2 handshake. This option is enabled by default. This functionality is based on the Proactive Key Caching (PKC) extension of the IEEE 802.11i standard. Whenever a wireless client successfully authenticates with an AP it receives a Pairwise Master Key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP. The PMK is unique for every client and is identified by the PMKID. The PMKID is a combination of a hash of the PMK, a fixed string, the station's MAC address and the MAC address of the AP.
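The PMKID derivation described above, and the comparison that enforce-pmkid-validation performs on an association request, as an added example (not code from this reference or from the vendor's firmware). The formula is the IEEE 802.11i one, HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || station MAC); the PmkCache class and all MAC/PMK values are constructed for illustration.

```python
import hmac
import hashlib


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID as defined in IEEE 802.11i: the first 128 bits of HMAC-SHA1, keyed
    with the PMK, over the fixed string "PMK Name", the AP (authenticator) MAC
    address and the station (supplicant) MAC address."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    if len(ap_mac) != 6 or len(sta_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class PmkCache:
    """Hypothetical per-AP PMK cache keyed by station MAC, standing in for what
    Proactive Key Caching keeps on the AP after a full authentication."""

    def __init__(self, ap_mac: bytes):
        self.ap_mac = ap_mac
        self._pmks = {}

    def store(self, sta_mac: bytes, pmk: bytes) -> None:
        # Called once the client has completed a full EAP/PSK authentication.
        self._pmks[sta_mac] = pmk

    def validate(self, sta_mac: bytes, presented_pmkid: bytes) -> bool:
        """The check enforce-pmkid-validation performs: recompute the PMKID from
        the cached PMK and compare it with the one in the association request."""
        pmk = self._pmks.get(sta_mac)
        if pmk is None:
            return False  # nothing cached: no fast reconnect, full authentication needed
        expected = pmkid(pmk, self.ap_mac, sta_mac)
        return hmac.compare_digest(expected, presented_pmkid)


if __name__ == "__main__":
    # Constructed values: locally administered MACs and a fixed 256-bit PMK.
    ap, sta = bytes.fromhex("0211223344aa"), bytes.fromhex("0266778899bb")
    cache = PmkCache(ap)
    cache.store(sta, bytes(range(32)))
    good = pmkid(bytes(range(32)), ap, sta)
    print("valid PMKID accepted:", cache.validate(sta, good))
    print("forged PMKID rejected:", not cache.validate(sta, bytes(16)))
```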
radio-crypto | Uses radio hardware for encryption and decryption. This is applicable only for devices using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption mode.
reauthentication seamless | Enables seamless EAP client reauthentication without disconnecting the client after the session has timed out. This option is enabled by default.
session-timeout mac | Enables reauthentication of MAC authenticated clients without disconnecting the client after the session has timed out. This option is enabled by default.
tx-deauth-on-roam-detection | Transmits a de-authentication on the air while disassociating a client because its roam is detected on the wired side. This option is disabled by default.
show cli | Displays the CLI tree of the current mode. When used in the WLAN mode, this command displays the WLAN CLI structure.
service eap-mac-mode [mac-always|normal]
eap-mac-mode | Configures the EAP and/or MAC authentication mode used with this WLAN. This option is enabled by default.
mac-always | Enables both EAP and MAC authentication. MAC authentication is performed first, followed by EAP authentication. Clients are granted access based on the EAP authentication result. If a client does not have EAP, the MAC authentication result is used to grant access.
normal | Grants client access if the client clears either EAP or MAC authentication. This is the default setting.
service eap-throttle <0-254>
eap-throttle <0-254> | Enables EAP request throttling. Use this command to specify the maximum number of parallel EAP sessions allowed on this WLAN. Once this specified value is exceeded, all incoming EAP session requests are throttled. This option is enabled by default.
  - <0-254> – Specify a value from 0 - 254. The default value is 0.
service key-index eap-wep-unicast <1-4>
key-index eap-wep-unicast <1-4> | Configures an index with each key during EAP authentication with WEP. This option is enabled by default.
  - <1-4> – Select an index from 1 - 4. The default value is 1.
service wpa-wpa2 exclude-ccmp
wpa-wpa2 exclude-ccmp | Configures exclusion of CCMP requests when the authentication mode is set to tkip-ccmp. When enabled, it provides compatibility for client devices not compliant with tkip-ccmp. This option is disabled by default.
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
monitor | Enables critical resource monitoring. In a WLAN, service monitoring enables regular monitoring of external AAA servers, captive portal servers, access point adoption, and DHCP and DNS servers. When enabled, it allows administrators to notify users of a service's availability and make resource substitutions when a service is unavailable.
aaa-server | Enables external AAA server failure monitoring. When enabled, it monitors an external RADIUS server resource's AAA activity and ensures its adoption and availability. This feature is disabled by default.
adoption vlan <1-4094> | Enables adoption failure monitoring on an adopted AP. Also configures an adoption failover VLAN. This feature is disabled by default.
  - vlan <1-4094> – Specify the VLAN on which clients are placed when the connectivity between the AAP and the controller is lost. Configure a DHCP pool and gateway for the failover VLAN. Ensure the DHCP server is running on the AP. Also ensure that the DHCP pool is configured with a shorter lease time.
  When this feature is enabled on a WLAN, it allows adopted APs to monitor their connectivity with the controller. If and when this connectivity is lost, all new clients are placed in the configured adoption failover VLAN. They are served an IP by the DHCP server running on the AP. In this situation, if a client tries to access a web URL, the AP redirects the client to a page stating that the service is down. When the AAP's link to the switch is restored, clients are placed back in the WLAN's configured VLAN, and are served an IP from the corresponding configured DHCP server (external or on the AP/controller).
captive-portal external-server | Enables external captive portal server failure monitoring. When enabled, it monitors externally hosted captive portal activity, and user access to the controller or service platform managed network. This feature is disabled by default. When enabled, this feature enables APs to display the no-service page to an externally located captive portal's user when the captive portal's server is not reachable.
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
monitor | Enables DHCP and/or DNS server monitoring on this WLAN.
dhcp | Enables monitoring of a specified DHCP server. When the connection to the DHCP server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DHCP server to monitor.
dns | Enables monitoring of a specified DNS server. When the connection to the DNS server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DNS server to monitor.
crm <RESOURCE-NAME> | This keyword is common to the 'dhcp' and 'dns' parameters.
  - crm – Identifies the DHCP and/or DNS server to monitor.
  - <RESOURCE-NAME> – Specify the name of the DHCP or DNS server.
  Once enabled, the CRM server monitors the DHCP/DNS server and updates its status as 'up' or 'down' depending on the availability of the resource. When either of these resources is down, the wireless client is mapped to the failover VLAN and served the 'no-service' page through the access point.
vlan <1-4094> | This keyword is common to the 'dhcp' and 'dns' parameters. After specifying the DHCP/DNS server resource, specify the failover VLAN.
  - vlan <1-4094> – Configures the failover VLAN, from 1 - 4094. When the DHCP server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time shorter than the main DHCP server's. When the DNS server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available.
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|
timeout <1-60>]
unresponsive-client | Configures the handling of unresponsive clients.
attempts <1-1000> | Configures the maximum number of successive packets that fail transmission.
  - <1-1000> – Specify a value from 1 - 1000. The default is 7.
ps-detect {threshold <1-1000>} | Enables the detection of power-save mode clients whose power-save state has not been updated on the AP. This option is enabled by default.
  - threshold – Optional. Configures the threshold at which power-save client detection is triggered.
  - <1-1000> – Configures the number of successive unacknowledged packets received before power-save detection is triggered. Specify a value from 1 - 1000. The default is 3.
timeout <1-60> | Configures the interval, in seconds, for successive packets not acknowledged by the client.
  - <1-60> – Specify a value from 1 - 60 seconds. The default is 3 seconds.
Examples
rfs4000-229D58(config-wlan-test)#service allow-ht-only
rfs4000-229D58(config-wlan-test)#service monitor aaa-server
rfs4000-229D58(config-wlan-test)#show context
wlan test
ssid test
vlan 1
bridging-mode tunnel
encryption-type none
authentication-type none
service monitor aaa-server
service allow-ht-only
controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
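An added audit script (not part of this reference and not vendor code) that parses a WLAN block in the layout of the show context output above and flags the options from this page that weaken the WLAN's security posture. The sample block is constructed; its "no service enforce-pmkid-validation" line is an assumed rendering of that default-on option having been switched off, and the "tkip-ccmp" encryption-type value is assumed from the wpa-wpa2 exclude-ccmp description.

```python
# Constructed sample in the layout of the "show context" output on this page.
# The "no service ..." line is an assumed rendering of a default-on option turned off.
SAMPLE_CONTEXT = """\
wlan guest
 ssid guest
 vlan 20
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 service monitor aaa-server
 service allow-open-passpoint
 no service enforce-pmkid-validation
"""

def parse_wlan_context(text: str) -> dict:
    """Parse one 'wlan <name>' block into plain settings plus the service
    options it enables ('service ...') and disables ('no service ...')."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("wlan "):
        raise ValueError("expected a block starting with 'wlan <name>'")
    ctx = {"name": lines[0].split(None, 1)[1], "settings": {},
           "service": set(), "no_service": set()}
    for ln in lines[1:]:
        if ln.startswith("no service "):
            ctx["no_service"].add(ln[len("no service "):])
        elif ln.startswith("service "):
            ctx["service"].add(ln[len("service "):])
        else:
            key, _, value = ln.partition(" ")  # e.g. "vlan 20" -> ("vlan", "20")
            ctx["settings"][key] = value
    return ctx

def audit_wlan(ctx: dict) -> list:
    """Return findings for the options on this page that weaken the WLAN."""
    s, svc = ctx["settings"], ctx["service"]
    findings = []
    if s.get("encryption-type") == "none":
        findings.append("encryption-type none: client traffic is unencrypted")
    if "allow-open-passpoint" in svc:
        findings.append("allow-open-passpoint: non-WPA2 security allowed on a passpoint WLAN")
    # exclude-ccmp only applies with tkip-ccmp (assumed value), where it leaves clients on TKIP
    if "wpa-wpa2 exclude-ccmp" in svc and s.get("encryption-type") == "tkip-ccmp":
        findings.append("wpa-wpa2 exclude-ccmp: CCMP excluded, clients negotiate TKIP")
    if "enforce-pmkid-validation" in ctx["no_service"]:
        findings.append("enforce-pmkid-validation off: association-request PMKIDs are not checked")
    return findings

if __name__ == "__main__":
    for finding in audit_wlan(parse_wlan_context(SAMPLE_CONTEXT)):
        print("FINDING:", finding)
```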