Managing the Wireless Controller
A Cisco wireless controller can be managed in several ways, including Console, SSH, Telnet, HTTP and HTTPS.
1. Console
A direct serial connection to the controller console port. The default username is admin, and the default password is admin.
You need these items to connect to the serial port:
- A computer that is running a terminal emulation program such as PuTTY, SecureCRT, or similar
- A standard Cisco console serial cable with an RJ45 connector
Configure the terminal emulator program with the default settings:
- 9600 baud (you can change the baud rate on the WLC with the following command)
  (Cisco Controller) >config serial baudrate
  [1200/2400/4800/9600/19200/38400/57600/115200] Enter serial speed.
- 8 data bits
- 1 stop bit
- No parity
- No hardware flow control
To log on to the controller CLI through the serial port, follow these steps:
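The console ports of the WLC 5508, 5520, 8510, 8540 and the new Catalyst Wireless Controller 9800 are shown below:
The system prompt can be any alphanumeric string of up to 31 characters. You can change it by entering the config prompt command.
e.g.: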
(Cisco Controller) >config prompt Test-vWLC
(Test-vWLC) >
(Test-vWLC) >
(Test-vWLC) >
(Test-vWLC) >
2. HTTP and HTTPS
To manage the wireless controller over HTTP and HTTPS, Web Mode and Secure Web Mode must be enabled.
Choose HTTP-HTTPS Configuration page is displayed.
The
To configure this through the CLI:
(Test-vWLC) >config network webmode enable
(Test-vWLC) >config network secureweb enable
You must reboot for the change to take effect. (Note: enabling secureweb requires a reboot! It is enabled by default.)
- Enable or disable secure web mode with increased security by entering this command:
config network secureweb cipher-option high {enable | disable}
This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.
When high ciphers is enabled, SHA1, SHA256, SHA384 keys continue to be listed and TLS 1.0 is disabled. This is applicable to webauth and webadmin but not for NMSP.
- Enable or disable SSLv2 for web administration by entering this command:
config network secureweb cipher-option sslv2 {enable | disable}
If you disable SSLv2, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later. The default value is disabled.
- Enable 256 bit ciphers for a SSH session by entering this command:
config network ssh cipher-option high {enable | disable}
- (Optional) Generate a new certificate by entering this command:
config certificate generate webadmin
After a few seconds, the controller verifies that the certificate has been generated.
Verification commands:
(Test-vWLC) >show network summary
RF-Network Name............................. MG
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
.......
(Test-vWLC) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off
3. Telnet and SSH
Choose
CLI configuration:
(Test-vWLC) >config network telnet enable
(Test-vWLC) >config network ssh enable
(Test-vWLC) >config sessions timeout 0    <-- disables the session timeout
(Test-vWLC) >config sessions maxsessions
[0-5] Enter sessions as integer.    <-- the maximum is 5 sessions
(Test-vWLC) >config loginsession
close Close active telnet session(s).
(Test-vWLC) >config loginsession close
[<session ID>/all] Enter session ID.
Configure SSH access host-key by entering these commands:
- Generate or regenerate SSH host key by entering this command:
config network ssh host-key generate
This command generates a 1024-bit key.
- Use device certificate private key as SSH host key by entering this command:
config network ssh host-key use-device-certificate-key
This command generates a 2048-bit key.
Verification commands:
(Test-vWLC) >show network summary
RF-Network Name............................. MG
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Enable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
View the login sessions and close a specific session:
(Test-vWLC) >show loginsession
ID User Name       Login Type Connection From                               Idle Time    Session Time
-- --------------- ---------- --------------------------------------------- ------------ ------------
01 lcj             Ssh        10.0.0.1                                      00:00:00     00:48:58
(Test-vWLC) >config loginsession close 01
**** The connection is dropped at this point ****
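4. Configuring Telnet privileges for specific users
Telnet must be enabled globally. By default, all management users have Telnet privileges enabled. SSH sessions are not affected by this feature.
CLI configuration: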
config mgmtuser telnet user-name {enable | disable}
5. Configuring management of the WLC over wireless
The management over wireless feature allows you to monitor and configure local controllers using a wireless client. This feature is supported for all management tasks except uploads to and downloads from (transfers to and from) the controller.
Restrictions:
- Management over Wireless can be disabled only if clients are on central switching. (Disabled by default.)
- Management over Wireless is not supported for FlexConnect local switching clients. However, Management over Wireless works for non-web authentication clients if you have a route to the controller from the FlexConnect site.
Configuration:
Choose Management > Mgmt Via Wireless to open the Management Via Wireless page.
CLI configuration:
(Test-vWLC) >config network mgmt-via-wireless enable
Check the status:
(Test-vWLC) >show network summary
RF-Network Name............................. MG
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
.....
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
.....
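Enabling management of the WLC through dynamic interfaces:
Management through dynamic interfaces is disabled by default; if needed, it can be enabled for most or all management functions. Once enabled, all dynamic interfaces are available for administrator access to the controller. You can use access control lists (ACLs) to restrict this access as needed.
This should only be configurable through the CLI: config network mgmt-via-dynamic-interface {enable | disable}
Note: when managing the WLC remotely (for example through the web interface or SSH), check whether web management, SSH, and so on are enabled, and enable them if they are not. Also note that if applications such as VMware virtual machines are installed on the local computer, the VMware network adapter and the WLC management interface should not be in the same subnet.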
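Added example (not part of the original post and not a Cisco tool): a Python script that parses captured `show network summary` output in the dotted format shown above and reports management-plane settings that differ from a hardening baseline. The baseline values, the SAMPLE text and the function names are assumptions made for this example.

```python
import re
# Hardening baseline: this example's own assumption, not a Cisco default.
BASELINE = {
    "Web Mode": ("Disable", "HTTP management is cleartext"),
    "Secure Web Mode Cipher-Option High": ("Enable", "ciphers under 128 bits accepted"),
    "Secure Web Mode Cipher-Option SSLv2": ("Disable", "SSLv2 accepted for web admin"),
    "Telnet": ("Disable", "Telnet management is cleartext"),
    "Mgmt Via Wireless Interface": ("Disable", "wireless clients reach the management plane"),
    "Mgmt Via Dynamic Interface": ("Disable", "all dynamic interfaces accept admin access"),
}
# Row = label, 2+ dots, optional value; labels never start with a dot, so "....." is skipped.
ROW = re.compile(r"^(?P<key>[^.\s].*?)\.{2,}\s*(?P<val>.*)$")

def parse_summary(text):
    """Return {label: value} for each dotted row of `show network summary`."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["key"].strip()] = m["val"].strip()
    return rows

def audit(text):
    """Return (label, actual, reason) for rows that deviate from BASELINE."""
    rows, findings = parse_summary(text), []
    for key, (want, reason) in BASELINE.items():
        got = rows.get(key)
        if got is None:  # truncated capture: report it, do not assume safe
            findings.append((key, "missing", "row absent, cannot verify"))
        elif not got.lower().startswith(want.lower()):  # Enable/Enabled both occur
            findings.append((key, got, reason))
    return findings

# Constructed sample in the output format shown on this page.
SAMPLE = """\
(Test-vWLC) >show network summary
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
OCSP responder URL..........................
Telnet...................................... Enable
.....
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
"""
if __name__ == "__main__":
    for label, actual, reason in audit(SAMPLE):
        print(f"[!] {label}: {actual} ({reason})")
```

Rows that are absent from a truncated capture are reported as "missing" rather than treated as compliant.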