312 CCNA Wireless Official Exam Certification Guide Figure 16-19 Profile Management in ADU manually. To see what APs are nearby, select the Profile Management tab in ADU (see Figure 16-19), and then click the Scan button. To connect to an AP in the scan list, select it and click Activate. A Profile Management window appears. Its three tabs—General, Security, and Advanced—allow any special AP settings to be entered into the profile and saved. The General tab sets up options such as the name of the connection and general parameters. The Security tab is where you configure the security settings for the WLAN, and the Advanced tab is where you config- ure advanced settings such as power levels and wireless modes for the WLAN. Manually Creating a Profile To create a profile, you can click the New button on the Profile Management tab of ADU. A Profile Management window appears with three tabs—General, Security, and Ad- vanced. Give the profile a name and enter up to three SSIDs. After you have named the profile, select the Security tab. From the Security tab, you can choose from WPA/WPA2/CCKM, WPA/WPA2 Passphrase, 802.1x, Pre-Shared Key (Static WEP), or None, as shown in Figure 16-20. Unsecure Profiles By leaving the default option (None), you would essentially be creating an unsecure pro- file. This is not a recommended practice. 802.1x Profiles You can also create an 802.1x profile, but understand that it is authentication only. This means that your data is not encrypted. It does, however, use a central authentication server. To talk to this server, you must choose between Lightweight Extensible Authenti- cation Protocol (LEAP), which is the default, Extensible Authentication Protocol Trans- port Layer Security (EAP-TLS), Protected Extensible Authentication Protocol (PEAP), Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 312 Chapter 16: Wireless Clients 313 Figure 16-20 Security Options Extensible Authentication Protocol Generic Token Card (EAP-GTC), PEAP with EAP Mi- crosoft Challenge Handshake Authentication Protocol Version 2 (EAP MS-CHAP V2), EAP Flexible Authentication via Secure Tunneling (EAP-FAST), and Host-Based EAP. Click Configure to add a temporary username and password or to use a saved username and password. WPA/WPA2/CCKM Profiles WPA/WPA2/CCKM lets you select an EAP type, as shown in Figure 16-21. This method performs encryption with a rotated encryption key and authentication with 802.1x. WPA/WPA2 Passphrase Profiles You can choose to use WPA/WPA2 Passphrase. This method uses encryption with a ro- tated encryption key and a common authentication key, called a passphrase. To configure the passphrase, click the Configure button and enter the ASCII or hexadecimal passphrase, as shown in Figure 16-22. By following the preceding steps, you can create any of the available profiles. Table 16-3 compares the different security options. Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 313 314 CCNA Wireless Official Exam Certification Guide Figure 16-22 WPA/WPA2 Passphrase Table 16-3 Security Options Comparison Security Option Encryption Authentication WPA/WPA2/CCKM Rotating key EAP methods (see 802.1x) WPA/WPA2 Passphrase Rotating key 8 to 63 ASCII or 64 hexadecimal passphrase 802.1x None EAP-TLS, PEAP, LEAP, EAP-FAST, host- based EAP (host-based is not an option for WPA/WPA2/CCKM) Pre-Shared Key (Static WEP) Weak None None None None Figure 16-21 WPA/WPA2/CCKM Key Topi c Key Topi c Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 314 Chapter 16: Wireless Clients 315 Figure 16-23 Adapter Information Managing Profiles You can manage profiles from the Profile Management tab in ADU. You can create a new profile, as already discussed. You can also modify existing profiles. You can import exist- ing profiles by clicking the Import button and browsing to the location of a .prf file. You can also export profiles and move them to other computers. To do this, simply click the Export button, define a name for the profile (if you want to change it), and browse to where you want to save it. This might be an external USB drive or even the desktop. As soon as you have the location where you want it, click Save. As discussed previously in this chapter, you can scan for nearby networks. You also can change the order of your profiles by clicking the Order Profiles button and moving them up or down in the order you want. Using Diagnostic Tools After you have created a profile and it is in use, there are likely times when you will need to troubleshoot connectivity issues. If this is the case, a number of tools are available in the ADU. The following sections discuss options that you may find helpful in trou- bleshooting. Adapter Information Begin by looking at the adapter information shown in Figure 16-23. You find this informa- tion by clicking the Adapter Information button on the Diagnostics tab in the ADU inter- face. Two important pieces of information that you get from this output are the driver version and the card’s MAC address. These can be used in troubleshooting. On the con- troller, you can enable a debug based on the client’s MAC address to get specific informa- tion for that client. Also, the driver information can be used to look for bug reports in Cisco’s support center. 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 315 316 CCNA Wireless Official Exam Certification Guide Figure 16-24 Advanced Statistics Advanced Statistics The Advanced Statistics button gives information about the frames transmitted and re- ceived, as demonstrated in the sample output shown in Figure 16-24. If you note a high count of retries, it is probably due to a high number of collisions. High numbers of RTS/CTS (provided in relation to the total number of frames transmitted) may indicate frame errors and bad link quality. You can use the Advanced Statistics to trou- bleshoot authentication issues as well as encryption problems. Authentication Rejects in- dicates that you are in fact talking to a server that is rejecting the authentication attempt. Authentication Time-Outs could indicate a connectivity issue with the AAA server. Choose Options > Display Settings to change how the values appear, selecting either rel- ative or cumulative values. For the most part, the default values (cumulative) are preferred. Test Utility An additional set of tools for troubleshooting includes a driver installation test, card inser- tion test, card enable test, radio test, association test, authentication test, and network test. You access these tests by selecting the Action menu in ADU and then choosing the Client Managed Test link. Figure 16-25 shows the completed test output. To begin the test, click the Start Test button. The following tests are run sequentially: 1. Driver Installation test 2. Card Insertion test 3. Card Enable test 4. Radio test Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 316 Chapter 16: Wireless Clients 317 Figure 16-25 Client Managed Tests 5. Association test 6. Authentication test 7. Network test The information gained from each of these tests can quickly point you in the direction of the issue. If the driver is not installed, this could indicate that it was inadvertently re- moved. If the driver is not installed, the ADU does not work. If the card is not inserted, it does not work. If the card has been disabled, it does not work. Also, if the radio is dis- abled, it does not function. The Association test indicates if open association is functioning; the same goes for the Authentication test. These two tests can indicate where the connection is failing. Finally, the Network test helps determine if the issue lies with the network rather than the wireless connection. Sometimes you get associated but still can’t send if the network itself is having issues. Troubleshooting is discussed more in Chapter 20, “Troubleshooting Wire- less Networks.” Site Survey Utility The Site Survey Utility (CSSU) is the optional software set that you select using a check- box during installation. This can be a handy tool for troubleshooting. As stated earlier in this chapter, it doesn’t link to a map; however, it can give you handy information about the signal you are receiving. To access the CSSU, choose Start > All Programs > Cisco Aironet > Aironet Site Survey Utility. The utility dynamically represents your connection to the wireless network. As shown in Figure 16-26, it displays the AP MAC address, channel, signal strength (RSSI), noise level, 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 317 318 CCNA Wireless Official Exam Certification Guide Figure 16-26 CSSU Display in dBm Figure 16-27 CSSU Display in Percentage SNR, and speed of the connection. The connection quality is represented with the follow- ing colors: ■ Green = excellent ■ Yellow = good ■ Orange = fair ■ Red = poor By default, the output is displayed in dB or dBm, as shown in Figure 16-26. You can change this to display as a percentage, as shown in Figure 16-27. The decibels display unit is recommended because it gives a much more precise view. You can also maximize the window and increase the Time in seconds value (up to 60 seconds) to view more informa- tion over a greater period of time. Also, Cisco’s TAC asks for the information in dB or dBm. Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 318 Chapter 16: Wireless Clients 319 Figure 16-28 ACAU Interface You can configure the CSSU with thresholds that can trigger an alert or logging. You set thresholds by choosing Thresholds > Configure Thresholds. The AP scan list reports all the APs that your adapter detects. You don’t use this informa- tion to associate with an AP. Instead, you would use this information to determine the characteristics of the APS around you. Again, this is a troubleshooting utility, so it can help you determine sources of interference. Another neat feature of the CSSU is the ability to enable a proximity beeper. It beeps more quickly as you get a better signal. To enable it, choose Action > enable proximity beeper. You can change what triggers the proximity beeper under the Action drop-down menu by selecting Options. The ACAU The Aironet Configuration Administration Utility (ACAU) is designed to help automate the process of deploying the ADU and client profiles. The main interface, shown in Figure 16-28, has four configuration families under the Global Settings tab. These configuration families include Setup Settings, User Settings, Profile Settings, and ASTU Settings. If you double-click these, they expand, allowing you to use radio buttons to control the capabili- ties of the ADU and how it is installed. On the Profile Management tab, you can add up to 16 new profiles, modify them, remove them, import and export them, and reorder them. The profile configuration looks very similar to that of the ADU profile configuration. The difference between the two is that these profiles are not considered local. When you have the Global Settings arranged the way you want them, and then the Profiles set up the way you want them, choose File > Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 319 320 CCNA Wireless Official Exam Certification Guide Save As. The default name for the file is CiscoAdminConfig.dat. Save this file and then place it in the same directory as the ADU installation executable. When the ADU install executes, it looks for a .dat file and uses it for its setup, automatically bringing in the pro- files you configured in the ACAU. The Cisco Secure Services Client The Cisco Secure Services Client (SSC) is client software that provides 802.1x (Layer 2) user and device authentication for access to both wired and wireless networks. The SSC does not need a Cisco wireless card to operate the software. It’s really an alternative to the WZC, with some major benefits. From the wired network side, it provides 802.1x capabili- ties for user and device authentication, which is more extensive than the standard wired LAN connection. On the wireless side, it provides all the security capabilities needed for enterprise class connectivity. The interface is very simple, making it easy for customers and guests to connect to a Cisco network. The CSSC provides a unified wired and wireless supplicant that can provide services across many different vendor network cards as well as provide the ability to centralize management of client adapters. The CSSC also provides a tremendous amount of flexibil- ity for authenticating to the wired and wireless network, not restricted to simply open, WEP, PEAP, and EAP-TLS. One other key advantage is the client’s capability to disable the wired interface automatically if the wireless adapter associates to a wireless network. This ensures that IP address space is used efficiently and split tunneling is avoided. There are three pieces of SSC software: ■ The SSC itself: Client software that provides 802.1x user and device authentication for access to both wired and wireless networks. ■ The Cisco Secure Services Client Administration Utilities: Allow you to create complex profiles. ■ The Cisco Secure Services Client Log Packager: Connects system information for support. An administrator would create profiles using the Cisco Secure Services Client Administration Utilities, which then generate an XML file that can be deployed network-wide to all the client machines. Licensing There are three SSC license types: ■ 90-day trial ■ Nonexpiring wired only ■ Nonexpiring wired and wireless The 90-day trial offers full features for wired and wireless. When the 90 days are up, you must purchase a license, or it will automatically convert to a nonexpiring wired only. This is a limited feature set. If you purchase a license for the wireless features, you will have the full set of capabilities for both wired and wireless enabled. 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 320 Chapter 16: Wireless Clients 321 Figure 16-29 Installing the SSC Figure 16-30 Right-Click Menu of SSC Installation The installation process uses a Microsoft Installer (MSI), which you can obtain from Cisco.com. You must have administrative rights on the computer you are installing on. Figure 16-29 shows the install wizard of the SSC. Configuring Profiles The SSC runs as a service and appears in the systray whether or not it is connected. You can hover the mouse cursor over the systray icons to find out the status. Right-click to ac- cess the menu. Any existing profiles or networks that have been detected appear, as shown in Figure 16-30. 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 321 . 312 CCNA Wireless Official Exam Certification Guide Figure 16-19 Profile Management in ADU manually. To see what APs are. security options. Key Topi c 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 313 314 CCNA Wireless Official Exam Certification Guide Figure 16-22 WPA/WPA2 Passphrase Table 16-3 Security Options Comparison Security. in Cisco’s support center. 18_1587202115_ch16.qxp 9/29/08 2:42 PM Page 315 316 CCNA Wireless Official Exam Certification Guide Figure 16-24 Advanced Statistics Advanced Statistics The Advanced Statistics