無線控制器的管理

時間 2019-11-16

標籤無線控制器管理欄目無線简体版

原文原文鏈接

思科無線控制器能夠經過多種方式進行管理。包括Console、SSH、Telnet、HTTP、HTTPS等方式；web

一、Consolesession

A direct serial connection to the controller console port，The default username is admin, and the default password is adminapp

You need these items to connect to the serial port:less

A computer that is running a terminal emulation program such as Putty, SecureCRT, or similarssh
A standard Cisco console serial cable with an RJ45 connectorui

Configure terminal emulator program with default settings:this

9600 baud （你能夠經過命令去WLC上修改對應的波特率）spa
- (Cisco Controller) >config serial baudrate
  
  [1200/2400/4800/9600/19200/38400/57600/115200] Enter serial speed.3d
8 data bitsblog
1 stop bit
No parity
No hardware flow control

To log on to the controller CLI through the serial port, follow these steps:

以下是WLC5508, 5520,8510,8540以及新的Catalyst Wireless Controller 9800的Console port:

系統提示符能夠是最多31個字符的任何字母數字字符串。您能夠經過輸入config prompt命令進行更改。

eg:

(Cisco Controller) >config prompt Test-vWLC

(Test-vWLC) >
(Test-vWLC) >
(Test-vWLC) >
(Test-vWLC) >

一、HTTP和HTTPS

若是使用HTTP和HTTPS去管理無線控制器，須要開啓WEB和WEB-Secure

Choose Management > HTTP-HTTPS.The HTTP-HTTPS Configuration page is displayed.

若是經過CLI來配置：

(Test-vWLC) >config network webmode enable

(Test-vWLC) >config network secureweb enable
You must reboot for the change to take effect. 《注意開啓secureweb開啓，須要重啓！默認就是開啓的》

Enable or disable secure web mode with increased security by entering this command:

config network secureweb cipher-option high {enable | disable}

This command allows users to access the controller GUI using 「https://ip-address」 but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.

When high ciphers is enabled, SHA1, SHA256, SHA384 keys continue to be listed and TLS 1.0 is disabled. This is applicable to webauth and webadmin but not for NMSP.

Enable or disable SSLv2 for web administration by entering this command:

config network secureweb cipher-option sslv2 {enable | disable}

If you disable SSLv2, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later. The default value is disabled.

Enable 256 bit ciphers for a SSH session by entering this command:

config network ssh cipher-option high {enable | disable}

(Optional) Generate a new certificate by entering this command:

config certificate generate webadmin

After a few seconds, the controller verifies that the certificate has been generated

查看命令：

(Test-vWLC) >show network summary

RF-Network Name............................. MG
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable

.......

(Test-vWLC) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... Locally Generated
Certificate compatibility mode:.................. off

三、Telnet和SSH

Choose Management > Telnet-SSH to open the Telnet-SSH Configuration page.

CLI配置：

(Test-vWLC) >config network telnet enable

(Test-vWLC) >config network ssh enable

(Test-vWLC) >config sessions timeout 0 《關閉會話超時》

(Test-vWLC) >config sessions maxsessions

[0-5] Enter sessions as integer. 《最大會話只能是5個》

(Test-vWLC) >config loginsession

close Close active telnet session(s).

(Test-vWLC) >config loginsession close

[<session ID>/all] Enter session ID.

Configure SSH access host-key by entering these commands:

Generate or regenerate SSH host key by entering this command:
config network ssh host-key generate

This command generates a 1024-bit key.
Use device certificate private key as SSH host key by entering this command:
config network ssh host-key use-device-certificate-key

This command generates a 2048-bit key.

查看命令：

(Test-vWLC) >show network summary

查看會話狀況，並關閉某會話session

(Test-vWLC) >show loginsession

ID User Name Login Type Connection From Idle Time Session Time
-- --------------- ---------- --------------------------------------------- ------------ ------------
01 lcj Ssh 10.0.0.1 00:00:00 00:48:58

(Test-vWLC) >config loginsession close 01

****此時斷開了鏈接****

四、爲特定的用戶配置Telnet權限

你必須全局啓用Telnet權限。默認狀況下，全部管理用戶都啓用了Telnet權限。SSH sessions are not affected by this feature.

CLI配置：

config mgmtuser telnet user-name {enable | disable}

五、配置經過無線管理WLC

The management over wireless feature allows you to monitor and configure local controllers using a wireless client. This feature is supported for all management tasks except uploads to and downloads from (transfers to and from) the controller.（除了從WLC上傳和下載任務）

限制狀況：

Management over Wireless can be disabled only if clients are on central switching.（默認關閉）
Management over Wireless is not supported for FlexConnect local switching clients. However, Management over Wireless works for non-web authentication clients if you have a route to the controller from the FlexConnect site.（Flex 本地轉發的客戶端不支持；若是你從Flex站點到WLC有路由，除了WEB認證的客戶端外，能夠實現無線管理WLC）

配置：

Choose Management > Mgmt Via Wireless to open the Management Via Wireless page.

CLI配置：

(Test-vWLC) >config network mgmt-via-wireless enable

查看狀態：

(Test-vWLC) >show network summary

.....

AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable

.....

開啓經過動態Dynamic Interfaces 管理WLC：

默認狀況下禁用動態接口，若是須要也能夠啓用大多數或全部管理功能。啓用後，全部動態接口均可用於管理員訪問控制器。您能夠根據須要使用訪問控制列表（ACL）來限制此訪問。

應該只能經過CLI：config network mgmt-via-dynamic-interface {enable | disable}

注意：經過Remote管理（如Web或SSH等）方式管理WLC，須要注意web管理或SSH等管理方式是否enable，若是沒有打開須要開啓，另外，值得注意的是，若是本地安裝有VMware虛擬機等應用，應該避免VMware的網卡和WLC的mangement interface處於同一個網段。