CISCO-LWAPP-WLAN-POLICY-MIB: View SNMP OID List / Download MIB

This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Cisco Light-weight LWAPP Access Points. This MIB helps to manage the WLANs on the controller. The relationship between CC and the LWAPP APs can be depicted as follows: +......+ +......+ +......+ +......+ + + + + + + + + + CC + + CC + + CC + + CC + + + + + + + + + +......+ +......+ +......+ +......+ .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + AP + + AP + + AP + + AP + + AP + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + MN + + MN + + MN + + MN + + MN + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, that includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. GLOSSARY Access Point ( AP ) An entity that contains an 802.11 medium access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends it to the controller to which it is logically connected to. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity also referred to as 'controller'. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the controllers. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Access Control List ( ACL ) A list of rules used to restrict the traffic reaching an interface or the CPU or WLAN. Each ACL is an ordered set of rules and actions. If a rule matches then the action for that rule is applied to the packet. 802.1x The IEEE ratified standard for enforcing port based access control. This was originally intended for use on wired LANs and later extended for use in 802.11 WLAN environments. This defines an architecture with three main parts - a supplicant (Ex. an 802.11 wireless client), an authenticator (the AP) and an authentication server(a Radius server). The authenticator passes messages back and forth between the supplicant and the authentication server to enable the supplicant get authenticated to the network. Temporal Key Integrity Protocol ( TKIP ) A security protocol defined to enhance the limitations of WEP. Message Integrity Check and per-packet keying on all WEP-encrypted frames are two significant enhancements provided by TKIP to WEP. Cisco Key Integrity Protocol ( CKIP ) A proprietary implementation similar to TKIP. CKIP implements key permutation for protecting the CKIP key against attacks. Other features of CKIP include expansion of encryption key to 16 bytes of length for key protection and MIC to ensure data integrity. Wired Equivalent Privacy ( WEP ) A security method defined by 802.11. WEP uses a symmetric key stream cipher called RC4 to encrypt the data packets. Wi-Fi Protected Access ( WPA ) Wi-Fi Protected Access (WPA and WPA2) are security systems created in response to several serious weaknesses found in Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WLAN Layer 2 Security WLAN layer 2 (MAC) security defines the encryption and authentication approaches such as 802.1x, WPA, WPA2, CKIP and WEP. Delivery Traffic Indication Map ( DTIM ) DTIM is measured in beacon intervals and is the time period during which multicast/broadcast packets are sent to clients. This helps client to go in Power Saving mode and helps to save battery power. Network Admission Control (NAC) Cisco NAC uses the network infrastructure to enforce security policy compliance on all devices that seek to access network computing resources. With the Cisco NAC appliance, network administrators can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access. The Cisco NAC appliance identifies whether networked devices such as laptops, IP phones, or game consoles are compliant with network security policies, and repairs any vulnerabilities before it permits access to the network. Out of Band (OOB) Out-of-band deployments require user traffic to traverse through the NAC appliance only within authentication, posture assessment, and remediation. When a user is authenticated and passes all policy checks, the traffic is switched normally through the network and bypasses the NAC server. Band Select The 2.4 GHz band is congested and clients have to contend with numerous performance challenges. These consist of interference from Bluetooth, microwave ovens, cordless phones, etc.; protection mechanisms from 802.11b legacy clients; and co-channel interference from other access points due to 802.11bg?s limit of three non-overlapping channels. Allowing client Wi-Fi radios capable of dual band (2.4 and 5 GHz) operation move to the less congested 5 GHz radios would improve the overall performance of the network. The Band Select algorithm is based on probe response suppression on clients 2.4G radio. The feature is OFF by default and has to be manually switched ON globally for a WLC. It can be optionally over-ridden per-SSID to disallow it. Network Access Identifier ( NAI ) In order to provide roaming services, it is necessary to have a standardized method for identifying users. NAI is actually the user identity submitted by the client during network authentication. KTS (Key Telephone System) Key Telephone System is an alternative to a private branch exchange (PBX) phone system. A KTS is equipped with several buttons that allow a caller to directly select outgoing lines or incoming calls, and use intercom and conference facilities. NAS-ID (Network Access Server Identifier) NAS-ID string is sent to Radius server by WLC (as radius client) via authentication request, which can be used to classify users to different groups then radius server can reply a customized authentication response. Quality of Service (QoS) The quality of service (QoS) refers to several related aspects of telephony and computer networks that allow the transport of traffic with special requirements. In particular, much technology has been developed to allow computer networks to become as useful as telephone networks for audio conversations, as well as supporting new applications with even stricter service demands. Virtual LAN (VLAN) In computer networking, virtual local area network, virtual LAN or VLAN is a concept of partitioning a physical network, so that distinct broadcast domains are created. This is usually achieved on switch or router devices. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications. [2] Draft-obara-capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol [3] IEEE 802.11 - The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard.

This table represents the WLAN policy configuration sent by the controller to the LWAPP APs for their operation. LWAPP APs exchange configuration messages with the controller and get the required configuration for their 802.11 related operations. As part of these messages, the WLAN configuration is pushed by the controller to the LWAPP APs. Rows are added or deleted by explicit management actions initiated by the user from a network management station through the cLWlanPlcyRowStatus object.

Each entry in this table represents the WLAN policy configuration sent by the controller to LWAPP APs for use during their operations. Entries can be added/deleted by explicit management actions by NMS or by user console.

This object specifies one instance of a WLAN policy on the controller.

This object specifies the status column for this row and used to create, modify and delete specific instances of rows in this table. This table supports modification of writable objects when the RowStatus is 'active'. The following objects are mandatory for successful creation of an entry: cLWlanPolicyName.

This object specifies the description associated to this WLAN policy.This can be any user defined string.

This object represents the interface attached to the wireless lan.

This object allows the user to enable or disable Central switching for wlan. A value of 'true' indicates Central Switching is enabled and Local Switching is disabled. A value of 'false' indicates Cental Switching is disabled and Local Switching is enabled.

This object allows the user to enable or disable central authentication for the wlan. A value of 'true' indicates central authentication is enabled. A value of 'false' indicates local authentication is disabled.

This object indicates the behavior of the Access Point when switching the data frames of the clients associated to it through the WLAN policy identified by policy profile name. A value of 'true' indicates dhcp central is enabled. A value of 'false' indicates dhcp central is disabled. Note that the value of 'true' will be effective only if the WLAN is configured on a Access Point.

This object specifies whether Network Address Translation (NAT) and Port Address Translation (PAT) are enabled on this WLAN. This can be enabled only when cLReapWlanDhcpCentral is set to 'true'. A value of 'true' indicates NATPAT is enabled. A value of 'false' indicates NATPAT is disabled. Note that the value of 'true' will be effective only if the WLAN is configured as Locally Switched.

This object indicates the behavior of the REAP when handling the (re-)association management frames from associated to it through the WLAN policy identified by policy profile name. A value of 'true' indicates AssocCentral is enabled. A value of 'false' indicates AssocCentral is disabled. Note that the value of 'true' will be effective only if the WLAN is configured on a REAP.

This object specifies the IPV4 ACL Name for wlan.

This object specifies the IPV6 ACL Name for wlan.

This object specifies the name of the L2ACL applied to this WLAN. If it is required to remove the ACL name for a WLAN, it should be set to 'none'.

This object specifies the session timeout to be applied on client using a Policy.

This object specifies the timeout value of user for a WLAN.

This object specifies the client exclusiontimeout value of user for a WLAN. Modifying the timeout to zero (0) means the client will be excluded indefinitely until it is manually removed from the exclusion list

This object specfies to enable or disable client device classification. A value of 'true' indicates native profiling is enabled. A value of 'false' indicates native profiling is disabled.

This object specifies a native profiling classification policy configured on the Wireless LAN Controller.

This object specfies the client local profiling on a wlan. A value of 'true' indicates http device profiling is enabled. A value of 'false' indicate http device profiling is disabled.

This object specfies the client dhcp profiling on a wlan. A value of 'true' indicates dhcp device profiling is enabled. A value of 'false' indicates dhcp device profiling is disabled.

This object specifies the input IPv4 Netflow Monitor name assigned to this WLAN. An empty string specifies no flow monitor is being associated to WLAN policy profile. An empty flow monitor name should be used to de-associate the monitor from the profile.

This object specifies the output IPv4 Netflow Monitor name assigned to this WLAN. An empty string specifies no flow monitor is being associated to WLAN policy profile. An empty flow monitor name should be used to de-associate the monitor from the profile.

This object specifies the input IPv6 Netflow Monitor name assigned to this WLAN. An empty string specifies no flow monitor is being associated to WLAN policy profile. An empty flow monitor name should be used to de-associate the monitor from the profile.

This object specifies the output IPv6 Netflow Monitor name assigned to this WLAN. An empty string specifies no flow monitor is being associated to WLAN policy profile. An empty flow monitor name should be used to de-associate the monitor from the profile.

This object specifies the per ssid ingress service name.

This object specifies the per ssid egress service name.

This object specifies the per client ingress service name.

This object specifies the per client egress service name.

This object specifies the timeout for blacklisted Mobile Stations after which the mobile station will be automatically de-authenticated. Mobile Station are blacklisted by MAC address and their status can be obtained from bsnMobileStationStatus. A timeout setting of 0 indicates no blacklist timeout is set and administrative control ( bsnMobileStationDeleteAction ) is required to deauthenticate the station.

This object specifies that one can enable or disable the client backlisting feature for a WLAN. A value of 'true' indicates that the clients can be blacklisted by the controller in case of repetitive auth failure and other reasons like it. A value of 'false' indicates that the clients cannot be blacklisted by the controller. The blacklist timeout value will only be effective if this feature is turned on.

This object specifies the DHCP requirement for all clients on this WLAN. Enumeration: 'enable': 1, 'disable': 0.

This object specifies the IP Address of the DHCP Server. Make it 0.0.0.0 or 0:0:0:0:0:0:0:0 to disable DHCP Relay. Any value other than 0.0.0.0 or 0:0:0:0:0:0:0:0 it will be assumed that DHCP Relay is turned on.

This object specifies to set when aaa override is enabled. A value of 'true' indicates aaa override is enabled. A value of 'false' indicates aaa override is disabled.

This object specifies to enabling/disabling NAC.

This object specifies whether the policy profile is shutdown or active. A value of 'true' indicates Wlan policy is active. A value of 'false' indicates Wlan policy is shutdown.

This object specifies the Radius http profiling.

This object specifies a threshold triggered timeout where if a client has not sent a threshold quota of data within the specified user idle timeout, the client is considered to be inactive and is deauthenticated. If the data sent by the client is more than the threshold quota specified within the user idle timeout, the client is considered to be active and the controller refreshes for another timeout period. If the threshold quota is exhausted within the timeout period, the timeout period is refreshed.

This object specifies the user to enable or disable Auto Qos mode in wireless policy profile. disable - Disable of AutoQos Wireless Enterprise Policy. enterprise - Enable AutoQos Wireless Enterprise Policy. voice - Enabling Auto QoS Voice will enable call-snooping. guest - Enable AutoQos Wireless Guest Policy. fastlane - Enable AutoQos Wireless Fastlane Policy Enumeration: 'voice': 2, 'disable': 0, 'fastlane': 4, 'guest': 3, 'enterprise': 1.

This object specifies the DHCP Option82 Ascii option. A value of 'true' enable DHCP 82 Ascii option. A value of 'false' disable DHCP 82 Ascii option.

This object specifies the DHCP Option82 Rid option. A value of 'true' enable DHCP 82 option RID. A value of 'false' disable DHCP 82 option RID.

This object specifies the DHCP Option82 state. A value of 'true' enable DHCP 82 option . A value of 'false' disable DHCP 82 option.

This object specifies the DHCP Option82 format Ap mac option. A value of 'true' enable DHCP 82 option based on AP radio mac. A value of 'false' disable DHCP 82 option based on AP radio mac.

This object specifies the DHCP Option82 format Ap ethmac option. A value of 'true' enable DHCP 82 option based on AP eth mac. A value of 'false' disable DHCP 82 option based on AP eth mac.

This object specifies the DHCP Option82 format Ap name option. A value of 'true' enable DHCP 82 option based on AP name. A value of 'false' disable DHCP 82 option based on AP name.

This object specifies the DHCP Option82 format Policy tag option A value of 'true' enable DHCP 82 option based on policy tag. A value of 'false' disable DHCP 82 option based on policy tag.

This specifies represents the DHCP Option82 format Ap location option A value of 'true' enable DHCP 82 option based on Ap Location. A value of 'false' disable DHCP 82 option based on Ap Location.

This object specifies the DHCP Option82 format Vlan_id option. A value of 'true' enable DHCP 82 option based on vlanid A value of 'false' disable DHCP 82 option based on vlanid.

This object specifies the DHCP Option82 format SSID option. A value of 'true' enable DHCP 82 option based on ssid. A value of 'false' disable DHCP 82 option based on ssid. Folowing are the combination for dhcp option82 format- AP MAC alone AP ethernet MAC alone SSID alone Policy tag alone AP location alone AP name and SSID together AP MAC and Vlan-ID together AP name and Vlan-ID together Ethernet MAC and SSID together.

This object specifies the ACL name for the split tunnel.

This object specifies whether switching will be local or central when the flag is set. A value of 'true' enable vlan based central switching. A value of 'false' disable vlan based central switching.

This object specifies whether passive-client support is enabled or not on a policy.

This object allows the user to enable or disable NBAR Protocol discovery for a wlan. A value of 'true' indicates NBAR protocol discovery is active, A value of 'false' indicates NBAR protocol discovery is disabled.

This object specifies whether static ip mobility support is enabled or not on a policy.

The compliance statement for the SNMP entities that implement the ciscoCapwapWlanPolicyMIB module.

This collection of objects represent the Policy configuration of WLAN to be passed to LWAPP AP