ADMINISTRATION GUIDE Cisco Small Business WAP551 Wireless-N Access Point with PoE and WAP561 Wireless-N Selectable-Band Access Point with PoE
Contents

Chapter 1: Getting Started
• Starting the Web-Based Configuration Utility
• Using the Access Point Setup Wizard
• Getting Started
• Window Navigation

Chapter 2: Status and Statistics
• System Summary
• Network Interfaces
• Traffic Statistics
• WorkGroup Bridge Transmit/Receive
• Associated Clients
• TSPEC Client Associations
• TSPEC Status and Statistics
• TSPEC AP Statistics
• Radio Statistics
• Email Alert Status
• Log

Chapter 3: Administration
• Copy/Save Configuration
• Reboot
• Discovery—Bonjour
• Packet Capture
• Support Information

Chapter 4: LAN
• Port Settings
• VLAN and IPv4 Address Settings
• IPv6 Addresses
• IPv6 Tunnel

Chapter 5: Wireless
• Radio
• Rogue AP Detection
• Networks
• Scheduler
• Scheduler Association
• Bandwidth Utilization
• MAC Filtering
• WDS Bridge
• WorkGroup Bridge
• Quality of Service
• WPS Setup
• WPS Process

Chapter 6: System Security
• WPA-PSK Complexity

Chapter 7: Client Quality of Service
• Client QoS Global Settings
• ACL
• Class Map
• Policy Map
• Client QoS Association
• Client QoS Status

Chapter 8: Simple Network Management Protocol
• General SNMP Settings
• Views
• Groups
• Users
• Targets

Chapter 9: Captive Portal
• Captive Portal Global Configuration
• Instance Configuration
• Instance Association
• Web Portal Customization
• Local Groups

• Sessions
• Channel Management
• Wireless Neighborhood

Appendix A: Deauthentication Message Reason Codes
• Deauthentication Reason Code Table

Appendix B: Where to Go From Here
Chapter 1: Getting Started

This chapter provides an introduction to the Wireless Access Point (WAP) device web-based configuration utility, and includes these topics:
• Starting the Web-Based Configuration Utility
• Using the Access Point Setup Wizard
• Getting Started
• Window Navigation

Starting the Web-Based Configuration Utility

This section describes system requirements and how to navigate the web-based configuration utility.

Supported Browsers
• Internet Explorer 7.0 or later
• Chrome 5.

address>) to the local intranet zone. The IP address can also be specified as the subnet IP address, so that all addresses in the subnet are added to the local intranet zone.
• If you have multiple IPv6 interfaces on your management station, use the IPv6 global address instead of the IPv6 link-local address to access the WAP device from your browser.

By default, the web-based AP configuration utility logs out after 10 minutes of inactivity.

Using the Access Point Setup Wizard

If you already have a cluster on your network, you can add this device to it by clicking Join an Existing Cluster, and then entering the Existing Cluster Name. If you do not want this device to participate in a Single Point Setup at this time, click Do not Enable Single Point Setup. (Optional) You can enter text in the AP Location field to note the physical location of the WAP device.
STEP 5 Click Next.

STEP 16 For the WAP561 device, the Network Name, Wireless Security, and VLAN ID pages are shown again so that you can configure Radio 2. When you have finished configuring Radio 2, click Next. The Wizard displays the Enable Captive Portal - Create Your Guest Network window.
STEP 17 Select whether or not to set up an authentication method for guests on your network, and click Next. If you click No, skip to STEP 25.

Getting Started

To simplify device configuration through quick navigation, the Getting Started page provides links for performing common tasks. The Getting Started page is the default window every time you log into the web-based AP configuration utility.

Window Navigation

This section describes the features of the web-based AP configuration utility. The Configuration Utility header contains standard information and appears at the top of every page. It provides these buttons:

Buttons
• (User)—The account name (Administrator or Guest) of the user logged into the WAP device. The factory default user name is cisco.
• Log Out—Click to log out of the web-based AP configuration utility.

Management Buttons
• Edit—Edits or modifies an existing entry. Select an entry first.
• Refresh—Redisplays the current page with the latest data.
• Save—Saves the settings or configuration.
• Update—Writes the new information to the startup configuration.
Chapter 2: Status and Statistics

This chapter describes how to display status and statistics and contains these topics:
• System Summary
• Network Interfaces
• Traffic Statistics
• WorkGroup Bridge Transmit/Receive
• Associated Clients
• TSPEC Client Associations
• TSPEC Status and Statistics
• TSPEC AP Statistics
• Radio Statistics
• Email Alert Status
• Log

System Summary

The System Summary page shows basic information such as the hardware model description, software version, and the time th
• Serial Number—The serial number of the Cisco WAP device.
• Base MAC Address—The WAP MAC address.
• Firmware Version (Active Image)—The firmware version number of the active image.
• Firmware MD5 Checksum (Active Image)—The MD5 checksum of the active image.
• Firmware Version (Non-active)—The firmware version number of the backup image.
• Firmware MD5 Checksum (Non-active)—The MD5 checksum of the backup image.
• Host Name—A name assigned to the device.

Network Interfaces

- Active—A connection session is established and packets are being transmitted and received.
- Established—A connection session is established between the WAP device and a server or client, depending on the role of each device with respect to this protocol.
- Time Wait—The closing sequence has been initiated and the WAP device is waiting for a system-defined timeout period (typically 60 seconds) before closing the connection.

Traffic Statistics

If the VAP has been configured, the table lists the SSID, the administrative status (up or down), the MAC address of the radio interface, the VLAN ID, the name of any associated scheduler profile, and the current state (active or inactive). The state indicates whether the VAP is exchanging data with a client. You can click Refresh to refresh the screen and show the most current information.

WorkGroup Bridge Transmit/Receive

The WorkGroup Bridge Transmit/Receive page shows packet and byte counts for traffic between stations on a WorkGroup Bridge. For information on configuring WorkGroup Bridges, see WorkGroup Bridge. To show the WorkGroup Bridge Transmit/Receive page, select Status and Statistics > WorkGroup Bridge in the navigation pane.

Associated Clients

The associated stations are shown along with information about packet traffic transmitted and received for each station.
• Total Number of Associated Clients—The total number of clients currently associated with the WAP device.
• Network Interface—The VAP the client is associated with. On WAP561 devices, WLAN0 and WLAN1 precede the VAP interface name to indicate the radio interface (WLAN0 represents radio 1 and WLAN1 represents radio 2).

TSPEC Client Associations

- TS Violate Packets (From Station)—Number of packets sent from a client STA to the WAP device in excess of its active Traffic Stream (TS) uplink bandwidth, or for an access category requiring admission control to which the client STA has not been admitted.
• TS Identifier—TSPEC Traffic Session Identifier (range 0 to 7).
• Access Category—TS Access Category (voice or video).
• Direction—Traffic direction for this TS. Direction can be one of these options:
- uplink—From client to device.
- downlink—From device to client.
- bidirectional
• User Priority—User Priority (UP) for this TS. The UP is carried with each frame in the QoS Control field of the 802.11 header.

TSPEC Status and Statistics

• From Station—Shows the number of packets and bytes received from the wireless client and the number of packets and bytes that were dropped after being received.
- Packets—Number of packets in excess of an admitted TSPEC.
- Bytes—Number of bytes when no TSPEC has been established and admission is required by the WAP device.
• Status—Whether the TSPEC session is enabled (up) or not (down) for the corresponding Access Category.
NOTE Status is a configuration status (it does not necessarily represent the current session activity).
• Active Traffic Stream—Number of currently active TSPEC Traffic Streams for this radio and Access Category.
• Traffic Stream Clients—Number of Traffic Stream clients associated with this radio and Access Category.

TSPEC AP Statistics

The TSPEC AP Statistics page provides information on the voice and video Traffic Streams accepted and rejected by the WAP device. To view the TSPEC AP Statistics page, select Status and Statistics > TSPEC AP Statistics in the navigation pane.
• TSPEC Statistics Summary for Voice ACM—The total number of accepted and the total number of rejected voice traffic streams.

Radio Statistics

• Fragments Transmitted—Number of fragmented frames sent by the WAP device.
• Multicast Frames Received—Count of MSDU frames received with the multicast bit set in the destination MAC address.
• Multicast Frames Transmitted—Count of successfully transmitted MSDU frames where the multicast bit was set in the destination MAC address.
• Duplicate Frame Count—Number of times a frame was received and the Sequence Control field indicated it was a duplicate.

Email Alert Status

The Email Alert Status page provides information about the email alerts sent based on the syslog messages generated in the WAP device. To view the Email Alert Status page, select Status and Statistics > Email Alert Status in the navigation pane.
• Email Alert Status—The configured Email Alert status, either Enabled or Disabled. The default is Disabled.
• Number of Emails Sent—The total number of emails sent.
Chapter 3: Administration

This chapter describes how to configure global system settings and perform diagnostics.

System Settings

The System Settings page enables you to configure information that identifies the WAP device within the network. To configure system settings:
STEP 1 Select Administration > System Settings in the navigation pane.
STEP 2 Enter the parameters:
• Host Name—Administratively assigned name for the WAP device. By convention, the name is the fully qualified domain name of the node.

User Accounts

STEP 1 Select Administration > User Accounts in the navigation pane. The User Account Table shows the currently configured users. The user cisco is preconfigured in the system to have Read/Write privileges. All other users can have Read Only access, but not Read/Write access.
STEP 2 Click Add. A new row of text boxes appears.
STEP 3 Check the box for the new user and select Edit.
STEP 4 Enter a User Name of 1 to 32 alphanumeric characters.

As you enter a password, the number and color of vertical bars changes to indicate the password strength, as follows:
• Red—The password fails to meet the minimum complexity requirements.
• Orange—The password meets the minimum complexity requirements but the password strength is weak.
• Green—The password is strong.
STEP 4 Click Save. The changes are saved to the Startup Configuration.
NOTE If you change your password, you must log in to the system again.

Time Settings

STEP 3 Select Adjust Time for Daylight Savings if daylight savings time applies in your time zone. When selected, configure these fields:
• Daylight Savings Start—Select the week, day, month, and time when daylight savings time starts.
• Daylight Savings End—Select the week, day, month, and time when daylight savings time ends.

Log Settings

You can use the Log Settings page to enable log messages to be saved in permanent memory. You can also send logs to a remote host. If the system unexpectedly reboots, log messages can be useful to diagnose the cause. However, log messages are erased when the system reboots unless you enable persistent logging.
CAUTION Enabling persistent logging can wear out the flash (nonvolatile) memory and degrade network performance.

The Kernel Log is a comprehensive list of system events (shown in the System Log) and kernel messages such as error conditions. You cannot view kernel log messages directly from the web interface. You must first set up a remote log server to receive and capture logs. Then you can configure the WAP device to log to the remote log server.

NOTE After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity. We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients.

Email Alert

Use the email alert feature to send messages to the configured email addresses when particular system events occur.

Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug. If set to None, no scheduled severity messages are sent. The default severity is Warning.
• Urgent Message Severity—Log messages of this severity level or higher are sent to the configured email address immediately. Select from these values: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug. If set to None, no urgent severity messages are sent. The default is Alert.
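The two severity thresholds above follow the standard syslog severity order (Emergency is 0, Debug is 7), and "this severity level or higher" means a numerically lower-or-equal code. The following is an added example, not Cisco's code, that applies the same rule to syslog lines such as those the WAP device forwards to a remote log server, splitting them into the set that would be mailed immediately and the set that would be batched. The sample lines and the process names in them are constructed for the example.

```python
"""Route syslog lines by severity, mirroring the Email Alert thresholds.

A syslog line starts with <PRI>, where PRI = facility * 8 + severity.
Severity names follow the order used on the Email Alert page.
"""
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_severity(line):
    """Return (facility, severity_name) from the <PRI> prefix, or None."""
    match = _PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:            # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, SEVERITIES[pri % 8]


def meets_threshold(severity, threshold):
    """True when `severity` is at `threshold` or more severe; None disables."""
    if threshold == "None":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def route_messages(lines, urgent="Alert", scheduled="Warning"):
    """Split lines into (sent immediately, sent on the schedule).

    Defaults match the page: Urgent = Alert, Scheduled = Warning.
    A line that qualifies as urgent is not also queued for the schedule.
    """
    urgent_out, scheduled_out = [], []
    for line in lines:
        parsed = parse_severity(line)
        if parsed is None:
            continue                      # not a syslog line; ignore
        _, severity = parsed
        if meets_threshold(severity, urgent):
            urgent_out.append(line)
        elif meets_threshold(severity, scheduled):
            scheduled_out.append(line)
    return urgent_out, scheduled_out


# Constructed sample input (facility 1 = user; severities 1, 4, 6, 2).
SAMPLE_LINES = [
    "<9>Mar  1 10:00:00 wap551 kernel: watchdog: reboot requested",
    "<12>Mar  1 10:00:01 wap551 hostapd: wlan0: STA 00:11:22:33:44:55 deauthenticated",
    "<14>Mar  1 10:00:02 wap551 hostapd: wlan0: STA 00:11:22:33:44:55 associated",
    "<10>Mar  1 10:00:03 wap551 tspec: violation by 00:11:22:33:44:55",
    "not a syslog line",
]

if __name__ == "__main__":
    now, later = route_messages(SAMPLE_LINES)
    print("immediate:", len(now), "scheduled:", len(later))
```

With the page's defaults the Alert line is mailed at once, the Warning and Critical lines wait for the schedule, and the Info line is dropped; lowering Urgent to Critical moves the Critical line into the immediate set.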
STEP 5 Click Test Mail to send a test email to validate the configured email account.
STEP 6 Click Save. The changes are saved to the Startup Configuration.

The following example shows how to fill in the Mail Server Configuration parameters:
Gmail Server IPv4 Address/Name = smtp.gmail.

HTTP/HTTPS Service

Use the HTTP/HTTPS Service page to enable and configure web-based management connections. If HTTPS is used for secure management sessions, you also use the HTTP/HTTPS Service page to manage the required SSL certificates. To configure HTTP and HTTPS services:
STEP 1 Select Administration > HTTP/HTTPS Service in the navigation pane.
• Redirect HTTP to HTTPS—Redirects management HTTP access attempts on the HTTP port to the HTTPS port. This field is available only when HTTP access is disabled.
STEP 4 Click Save. The changes are saved to the Startup Configuration.

To use HTTPS services, the WAP device must have a valid SSL certificate. The WAP device can generate a certificate, or you can download one from your network or from a TFTP server. A certificate generated by the WAP device is self-signed, so browsers warn on the first connection; record its fingerprint out of band and compare it before accepting, or install a certificate issued by a CA that your management stations trust.

• For TFTP, enter the File Name as it exists on the TFTP server and the TFTP Server IPv4 Address, then click Upload. The filename cannot contain the following characters: spaces, <, >, |, \, :, (, ), &, ;, #, ?, *, and two or more successive periods. A confirmation appears when the upload is successful. TFTP transfers are neither authenticated nor encrypted, so perform them from a trusted management network.

Manage Firmware

The WAP device maintains two firmware images. One image is active and the other is inactive. If the active image fails to load during bootup, the inactive image is loaded and becomes the active image. You can also swap the primary and secondary images. As new versions of the WAP device firmware become available, you can upgrade the firmware on your devices to take advantage of new features and enhancements.

STEP 3 Enter a name (1 to 256 characters) for the image file in the Source File Name field, including the path to the directory that contains the image to upload. For example, to upload the ap_upgrade.tar image located in the /share/builds/ap directory, enter: /share/builds/ap/ap_upgrade.tar
The firmware upgrade file must be a tar file. Do not attempt to use bin files or files of other formats for the upgrade; these types of files do not work.
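Two facts on this page suggest a pre-upload check: the upgrade file must be a tar archive, and the System Summary page reports an MD5 checksum for each image. The following is an added example, not Cisco's code, that verifies both before a file is handed to the Manage Firmware page. It builds a small tar archive in memory so it runs offline; a real check would read the image from disk and take the expected MD5 from the vendor's download page. MD5 is adequate for catching a corrupted transfer but is not collision resistant, so treat this as an integrity check on the copy you already trust, not as proof of authenticity.

```python
"""Pre-upload checks for a WAP firmware image: tar format and MD5 match."""
import hashlib
import hmac
import io
import tarfile


def build_sample_image(members):
    """Construct a tar archive in memory (test data, not real firmware)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def md5_hex(data):
    """Hex MD5 as the device displays it on the System Summary page."""
    return hashlib.md5(data).hexdigest()


def is_tar_image(data):
    """True if `data` parses as a tar archive with at least one member."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as archive:
            return len(archive.getnames()) > 0
    except (tarfile.TarError, OSError, EOFError):
        return False


def preflight(data, expected_md5):
    """Return (ok, reason) for an image about to be uploaded."""
    if not is_tar_image(data):
        return False, "not a tar archive"
    actual = md5_hex(data)
    # Constant-time compare; the digest is not secret, but the habit is cheap.
    if not hmac.compare_digest(actual, expected_md5.lower()):
        return False, "md5 mismatch: got %s" % actual
    return True, "ok"


if __name__ == "__main__":
    image = build_sample_image({"ap_upgrade/manifest": b"model=WAP551\n"})
    print(preflight(image, md5_hex(image)))
```

A file that is not a tar archive is rejected before any hashing, which is the failure the page warns about with .bin files; a single changed byte inside the archive is reported as an MD5 mismatch.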
Download/Backup Configuration File

The WAP device configuration files are in XML format and contain all the information about the WAP device settings. You can back up (upload) the configuration files to a network host or TFTP server to manually edit the content or create backups. After you edit a backed-up configuration file, you can download it to the access point to modify the configuration.
• Startup Configuration—Configuration file type used when the WAP device last booted. This does not include any configuration changes applied but not yet saved to the WAP device.
• Backup Configuration—Backup configuration file type saved on the WAP device.
• Mirror Configuration—If the Startup Configuration is not modified for at least 24 hours, it is automatically saved to a Mirror Configuration file.

CAUTION Ensure that power to the WAP device remains uninterrupted while the configuration file is downloading. If a power failure occurs while downloading the configuration file, the file is lost and the process must be restarted.

Configuration Files Properties

The Configuration Files Properties page enables you to clear the Startup or Backup Configuration file.

Reboot

• Backup Configuration—Backup configuration file type saved on the WAP device.
• Mirror Configuration—If the Startup Configuration is not modified for at least 24 hours, it is automatically saved to a Mirror Configuration file. The Mirror Configuration file is a snapshot of a past Startup Configuration.

Discovery—Bonjour

Bonjour enables the WAP device and its services to be discovered by using multicast DNS (mDNS). Bonjour advertises services to the network and answers queries for the service types that it supports, simplifying network configuration in small business environments. Because mDNS announces the device to every host on the local segment, disable Bonjour where you do not want the management interface to be discoverable.

Packet Capture

formatted in pcap format and can be examined using tools such as Wireshark and OmniPeek.
• Remote capture method—Captured packets are redirected in real time to an external computer running the Wireshark tool.
The WAP device can capture these types of packets:
• 802.11 packets received and transmitted on radio interfaces. Packets captured on radio interfaces include the 802.11 header.
• 802.3 packets received and transmitted on the Ethernet interface.
• 802.
• Radio Client Filter—Enables or disables the WLAN client filter to capture only frames that are transmitted to, or received from, a WLAN client with a specified MAC address.
• Client Filter MAC Address—Specifies the MAC address for WLAN client filtering.
NOTE The MAC filter is active only when a capture is performed on an 802.11 interface.
• Packet Capture Method—Select one of these options:
- Local File—Captured packets are stored in a file on the WAP device.
- brtrunk—Linux bridge interface in the WAP device.
• Capture Duration—Enter the time duration in seconds for the capture. The range is from 10 to 3600. The default is 60.
• Max Capture File Size—Enter the maximum allowed size for the capture file in KB. The range is from 64 to 4096. The default is 1024.
STEP 3 Click Save. The changes are saved to the Startup Configuration.
STEP 4 Click Start Capture.

When remote capture mode is in use, the WAP device does not store any captured data locally in its file system. If a firewall is installed between the Wireshark computer and the WAP device, the traffic for these ports must be allowed to pass through the firewall. The firewall must also be configured to allow the Wireshark computer to initiate a TCP connection to the WAP device. Captured frames, including any unencrypted client traffic, leave the WAP device over this connection, so restrict which hosts can reach the remote capture port and stop the capture when you are finished. To initiate a remote capture on a WAP device:
STEP 1 Click Administration > Packet Capture.

-- rpcap://[192.168.1.220]:2002/wlan0
802.11 traffic -- rpcap://[192.168.1.220]:2002/radio1
At WAP561, VAP1 ~ VAP7 traffic -- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap7
At WAP561, VAP1 ~ VAP3 traffic -- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap3

You can trace up to four interfaces on the WAP device at the same time. However, you must start a separate Wireshark session for each interface.

In remote capture mode, traffic is sent to the computer running Wireshark through one of the network interfaces. Depending on the location of the Wireshark tool, the traffic can be sent on an Ethernet interface or one of the radios. To avoid a traffic flood caused by tracing the packets, the WAP device automatically installs a capture filter to exclude all packets destined to the Wireshark application.

STEP 4 Click Download.
To download a packet capture file using HTTP:
STEP 1 Clear Use TFTP to download the captured file.
STEP 2 Click Download. A confirmation window appears.
STEP 3 Click OK. A dialog box appears that enables you to choose a network location to save the file.

Support Information

The Support Information page enables you to download a text file that contains detailed configuration information about the AP.
Chapter 4: LAN

This chapter describes how to configure the port, network, and clock settings of the WAP devices. It includes these topics:
• Port Settings
• VLAN and IPv4 Address Settings
• IPv6 Addresses
• IPv6 Tunnel

Port Settings

The Port Settings page enables you to view and configure settings for the port that physically connects the WAP device to a local area network. To view and configure LAN settings:
STEP 1 Select LAN > Port Settings in the navigation area.
STEP 3 If autonegotiation is disabled, select a Port Speed (10/100/1000 Mb/s) and the duplex mode (Half- or Full-duplex).
STEP 4 Enable or disable Green Ethernet Mode. When enabled, the WAP device automatically enters a low-power mode when energy on the line is lost, and it resumes normal operation when energy is detected.
STEP 5 Click Save. The changes are saved to the Startup Configuration.

VLAN and IPv4 Address Settings

This VLAN is also the default untagged VLAN. If you already have a management VLAN configured on your network with a different VLAN ID, you must change the VLAN ID of the management VLAN on the WAP device.
STEP 3 Configure these IPv4 settings:
• Connection Type—By default, the DHCP client on the Cisco WAP551 and WAP561 Access Point automatically broadcasts requests for network information.

IPv6 Addresses

STEP 1 Select LAN > IPv6 Addresses in the navigation area.
STEP 2 Configure the following settings:
• IPv6 Connection Type—Choose how the WAP device obtains an IPv6 address:
- DHCPv6—The IPv6 address is assigned by a DHCPv6 server.
- Static IPv6—You manually configure the IPv6 address. The IPv6 address should be in a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (2001:DB8::CAD5:7D91).
• IPv6 Administration Mode—Enables IPv6 management access.
• IPv6 Link Local Address—The IPv6 address used by the local physical link. The link local address is not configurable and is assigned by using the IPv6 Neighbor Discovery process.
• Default IPv6 Gateway—The statically configured default IPv6 gateway.
• IPv6 DNS Nameservers—Select one of the following values:
- Dynamic—The DNS name servers are learned dynamically through DHCPv6.
- Manual—You specify up to two IPv6 DNS name servers in the fields provided.
STEP 3 Click Save.

IPv6 Tunnel

To configure an IPv6 tunnel using ISATAP:
STEP 1 Select LAN > IPv6 Tunnel in the navigation area.
STEP 2 Configure the following parameters:
• ISATAP Status—Enables or disables the administrative mode of ISATAP on the WAP device.
• ISATAP Capable Host—The IP address or DNS name of the ISATAP router. The default value is isatap.
Chapter 5: Wireless

This chapter describes how to configure the properties of the wireless radio operation.

Radio

STEP 1 Select Wireless > Radio in the navigation pane.
STEP 2 In the Global Settings area, configure the TSPEC Violation Interval, which is the time interval in seconds for the WAP device to report associated clients that do not adhere to mandatory admission control procedures. The reporting occurs through the system log and SNMP traps. Enter a time from 0 to 900 seconds. The default is 300 seconds.
STEP 3 For WAP561 devices, select the Radio interface to configure (Radio 1 or Radio 2).

By default, when the radio mode includes 802.11n, the channel bandwidth is set to 20/40 MHz to enable both channel widths. Set the field to 20 MHz to restrict the use of the channel bandwidth to a 20 MHz channel.
• Primary Channel (802.11n modes with 20/40 MHz bandwidth only)—A 40 MHz channel can be considered to consist of two 20 MHz channels that are contiguous in the frequency domain. These two 20 MHz channels are often referred to as the Primary and Secondary channels.

- Yes—The WAP device transmits data using a 400-nanosecond guard interval when communicating with clients that also support the short guard interval. Yes is the default selection.
- No—The WAP device transmits data using an 800-nanosecond guard interval.
• Protection—The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference with legacy stations or applications. By default, protection is enabled (Auto).

The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a packet exceeds the fragmentation threshold you set, the fragmentation function is activated and the packet is sent as multiple 802.11 frames. If the packet being transmitted is equal to or less than the threshold, fragmentation is not used. Setting the threshold to the largest value (2,346 bytes, which is the default) effectively disables fragmentation.

The default value of 100 percent can be more cost-efficient than a lower percentage because it gives the WAP device a maximum broadcast range and reduces the number of access points needed. To increase the capacity of the network, place WAP devices closer together and reduce the value of the transmit power. This helps reduce overlap and interference among access points.

The WAP device supports MCS indexes 0 to 23. MCS index 23 allows for a maximum transmission rate of 450 Mbps. If no MCS index is selected, the radio operates at MCS index 0, which allows for a maximum transmission rate of 15 Mbps. Both of these rates assume a 40 MHz channel with the short guard interval; on a 20 MHz channel with the long guard interval the corresponding maximums are lower (6.5 Mbps for MCS index 0). The MCS settings can be configured only if the radio mode includes 802.11n support.

- Off—A station can send and receive voice priority traffic without requiring an admitted TSPEC; the WAP device ignores voice TSPEC requests from client stations.
• TSPEC Voice ACM Limit—The upper limit on the amount of traffic the WAP device attempts to transmit on the wireless medium using a voice AC to gain access. The default limit is 20 percent of total traffic.
• TSPEC Video ACM Mode—Regulates mandatory admission control for the video access category.

CAUTION After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity. We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients.

Rogue AP Detection

A Rogue AP is an access point that has been installed on a secure network without explicit authorization from a system administrator.

NOTE The Detected Rogue AP List and Trusted AP List provide information only. The WAP device does not have any control over the APs on the list and cannot apply any security policies to APs detected through the RF scan.
• MAC Address—The MAC address of the rogue AP.
• Beacon Interval—The beacon interval used by the rogue AP. Beacon frames are transmitted by an AP at regular intervals to announce the existence of the wireless network.
- 5 indicates IEEE 802.11a or 802.11n mode (or both modes).
• Channel—The channel on which the rogue AP is currently broadcasting. The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving.
NOTE You can use the Radio page to set the channel.
• Rate—The rate in megabits per second at which the rogue AP is currently transmitting. The current rate is always one of the rates shown in Supported Rates.

To import an AP list from a file, use these steps:
STEP 1 In the Download/Backup Trusted AP List area, select Download (PC to AP).
STEP 2 Click Browse and choose the file to import. The file that you import must be a plain-text file with a .txt or .cfg extension. Entries in the file are MAC addresses in hexadecimal format with each octet separated by colons, for example 00:11:22:33:44:55. You must separate entries with a single space.
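Because the device only lists detected APs and applies no policy to them, comparing the Detected Rogue AP List against the Trusted AP List is left to the operator. The following is an added example, not Cisco's code, that parses and emits the trusted-list file format described above (colon-separated hexadecimal MAC addresses, one space between entries) and then classifies a scan result. The scan entries, the SSID names and the classify_scan helper are constructed for the example; the one case worth separating out is an untrusted BSSID that advertises one of your own SSIDs, since that is the pattern of an impersonating AP rather than a neighbour's network.

```python
"""Trusted AP List file handling and rogue classification."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def normalise(mac):
    """Lower-case, whitespace-stripped MAC so comparisons are case-insensitive."""
    return mac.strip().lower()


def parse_trusted_list(text):
    """Parse a trusted-list file body into a set of MAC addresses.

    Any token that is not a colon-separated 6-octet hex MAC raises ValueError,
    so a hand-edited file with a stray dash-separated entry is caught before
    it is uploaded to the device.
    """
    trusted = set()
    for token in text.split():
        if not MAC_RE.match(token):
            raise ValueError("bad entry: %r" % token)
        trusted.add(normalise(token))
    return trusted


def render_trusted_list(macs):
    """Emit the single-space-separated format the device imports."""
    return " ".join(sorted(normalise(m) for m in macs))


def classify_scan(detected, trusted, our_ssids):
    """Split a scan into impersonating and unknown untrusted APs.

    detected: iterable of (bssid, ssid, channel) tuples as shown on the
    Detected Rogue AP List. our_ssids: SSIDs this site legitimately serves.
    """
    result = {"impersonating": [], "unknown": []}
    for bssid, ssid, channel in detected:
        if normalise(bssid) in trusted:
            continue
        bucket = "impersonating" if ssid in our_ssids else "unknown"
        result[bucket].append((normalise(bssid), ssid, channel))
    return result


# Constructed sample data.
TRUSTED_FILE = "00:11:22:33:44:55 AA:BB:CC:DD:EE:FF\n"
SCAN = [
    ("00:11:22:33:44:55", "Corp", 6),     # our own AP
    ("de:ad:be:ef:00:01", "Corp", 11),    # untrusted BSSID using our SSID
    ("de:ad:be:ef:00:02", "FreeWifi", 1), # someone else's network
]

if __name__ == "__main__":
    trusted = parse_trusted_list(TRUSTED_FILE)
    print(classify_scan(SCAN, trusted, {"Corp"}))
```

Parsing is permissive about the whitespace between entries; rendering is strict, so a list round-tripped through render_trusted_list is in the form the import step expects.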
Networks

The SSID can be any alphanumeric, case-sensitive entry from 2 to 32 characters. The printable characters plus the space (ASCII 0x20) are allowed, but these seven characters are not: ?, ", $, [, \, ], and +. The allowable characters are: ASCII 0x20, 0x21, 0x23, 0x25 through 0x2A, 0x2C through 0x3E, 0x40 through 0x5A, 0x5E through 0x7E. In addition, these three characters cannot be the first character: !, #, and ; (ASCII 0x21, 0x23, and 0x3B, respectively).
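The SSID rules above are given twice, once as a list of excluded characters and once as ranges of allowed code points, and the two must agree. The following is an added example, not Cisco's code, that encodes the allowed ranges exactly as listed and derives the excluded printable characters from them, so the list of seven can be checked rather than taken on trust; it also applies the length and first-character rules. Non-ASCII input is rejected because no code point above 0x7E is in the allowed ranges.

```python
"""Validate a WAP VAP SSID against the rules on the Networks page."""

# Allowed code points, transcribed from the page's ranges.
ALLOWED = (set(range(0x20, 0x22)) | {0x23} | set(range(0x25, 0x2B))
           | set(range(0x2C, 0x3F)) | set(range(0x40, 0x5B))
           | set(range(0x5E, 0x7F)))

# Characters that may appear in an SSID but not as its first character.
FORBIDDEN_FIRST = {0x21, 0x23, 0x3B}   # ! # ;


def disallowed_printables():
    """The printable ASCII characters (0x20-0x7E) that the ranges exclude."""
    return "".join(chr(c) for c in range(0x20, 0x7F) if c not in ALLOWED)


def validate_ssid(ssid):
    """Return None if `ssid` is acceptable, otherwise a reason string."""
    if not 2 <= len(ssid) <= 32:
        return "length must be 2 to 32 characters"
    for ch in ssid:
        if ord(ch) not in ALLOWED:
            return "character %r not allowed" % ch
    if ord(ssid[0]) in FORBIDDEN_FIRST:
        return "cannot start with %r" % ssid[0]
    return None


if __name__ == "__main__":
    print("excluded:", disallowed_printables())
    for candidate in ("Guest-WiFi", "#staff", "my[net]", "a"):
        print(repr(candidate), "->", validate_ssid(candidate))
```

The derived exclusion string is exactly the seven characters " $ + ? [ \ and ], which confirms the two statements of the rule match.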
! CAUTION Be sure to enter a VLAN ID that is properly configured on the network. Network problems can result if the VAP associates wireless clients with an improperly configured VLAN. When a wireless client connects to the WAP device by using this VAP, the WAP device tags all traffic from the wireless client with the VLAN ID you enter in this field, unless you enter the port VLAN ID or use a RADIUS server to assign a wireless client to a VLAN.
- Dynamic WEP
- WPA Personal
- WPA Enterprise
If you select a security mode other than None, additional fields appear.
NOTE We recommend using WPA Personal or WPA Enterprise as the authentication type because it provides stronger security protection. Use Static WEP or Dynamic WEP only for legacy wireless computers or devices that do not support WPA Personal/Enterprise. If you need to set security as Static WEP or Dynamic WEP, configure Radio as 802.11a or 802.11b/g mode (see Radio).
NOTE To delete a VAP, select the VAP and click Delete. To save your deletion permanently, click Save when complete.
These sections describe the security settings that you configure, depending on your selection in the Security list on the Networks page.
If you select None as your security mode, no additional security settings are configurable on the WAP device. This mode means that any data transferred to and from the WAP device is not encrypted.
- ASCII—Includes uppercase and lowercase alphabetic letters, the numeric digits, and special symbols such as @ and #.
- Hex—Includes digits 0 to 9 and the letters A to F.
Use the same number of characters for each key as specified in the Characters Required field. These are the RC4 WEP keys shared with the stations using the WAP device. Each client station must be configured to use one of these same WEP keys in the same slot as specified on the WAP device.
If you use Static WEP, these rules apply:
• All client stations must have the Wireless LAN (WLAN) security set to WEP, and all clients must have one of the WEP keys specified on the WAP device in order to decode AP-to-station data transmissions.
• The WAP device must have all keys used by clients for station-to-AP transmit so that it can decode the station transmissions.
• The same key must occupy the same slot on all nodes (AP and clients).
• Use Global RADIUS Server Settings—By default, each VAP uses the global RADIUS settings that you define for the WAP device (see RADIUS Server). However, you can configure each VAP to use a different set of RADIUS servers. To use the global RADIUS server settings, ensure that the check box is selected.
• Enable RADIUS Accounting—Enables tracking and measuring of the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
• Active Server—Enables administratively selecting the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.
• Cipher Suites—The cipher suite you want to use:
- TKIP
- CCMP (AES)
You can select either or both. Both TKIP and AES clients can associate with the WAP device. WPA clients must have one of these keys to be able to associate with the WAP device:
- A valid TKIP key
- A valid AES-CCMP key
Clients not configured to use WPA Personal are not able to associate with the WAP device.
• Key—The shared secret key for WPA Personal security.
- WPA2—If all client stations on the network support WPA2, we suggest using WPA2, which provides the best security per the IEEE 802.11i standard.
- WPA and WPA2—If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both WPA and WPA2. This setting lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it.
To use a separate RADIUS server for the VAP, uncheck the box and enter the RADIUS server IP address and key in these fields:
• Server IP Address Type—The IP version that the RADIUS server uses. You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers for the address type that you select in this field.
The default is 300 seconds. The valid range is from 0 to 86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
• Session Key Refresh Rate—The interval at which the WAP device refreshes session (unicast) keys for each client associated with the VAP. The valid range is from 0 to 86400 seconds. A value of 0 indicates that the session key is not refreshed.
- Administrative Mode is disabled—Operational status is down because global configuration is disabled.
STEP 3 To add a profile, enter a profile name in the Scheduler Profile Configuration text box and click Add. The profile name can be up to 32 alphanumeric characters.
You can configure up to 16 rules for a profile. Each rule specifies the start time, end time, and day (or days) of the week the radio or VAP can be operational.
Scheduler Association
The Scheduler profiles need to be associated with the WLAN interface or a VAP interface to be effective. By default, there are no Scheduler profiles created, and no profile is associated with any radio or VAP. Only one Scheduler profile can be associated with the WLAN interface or each VAP. A single profile can be associated with multiple VAPs.
The valid integer range is from 0 to 100 percent. The default is 70 percent. When set to 0, all new associations are allowed regardless of the utilization rate.
STEP 4 Click Save. The changes are saved to the Startup Configuration.
NOTE After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity.
The MAC address appears in the Stations List.
STEP 4 Continue entering MAC addresses until the list is complete, and then click Save. The changes are saved to the Startup Configuration.
NOTE To remove a MAC address from the Stations List, select it and then click Remove.
NOTE After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity.
In the point-to-multipoint bridge mode, one WAP device acts as the common link between multiple access points. In this mode, the central WAP device accepts client associations and communicates with the clients and other repeaters. All other access points associate only with the central WAP device, which forwards the packets to the appropriate wireless bridge for routing purposes. The WAP device can also act as a repeater.
STEP 1 Select Wireless > WDS Bridge in the navigation pane.
STEP 2 Select Enable for Spanning Tree Mode. When enabled, STP helps prevent switching loops. STP is recommended if you configure WDS links. For WAP561 devices, select Radio 1 or Radio 2 for each WDS link that you configure.
STEP 3 Select Enable for WDS Interface.
! CAUTION After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity. We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients.
These additional fields appear when you select WEP as the encryption type.
• Key Length—If WEP is enabled, specify the length of the WEP key as 64 bits or 128 bits.
WorkGroup Bridge
The WAP device WorkGroup Bridge feature enables the WAP device to extend the accessibility of a remote network. In WorkGroup Bridge mode, the WAP device acts as a wireless station (STA) on the wireless LAN. It can bridge traffic between a remote wired network or associated wireless clients and the wireless LAN that is connected using the WorkGroup Bridge mode. The WorkGroup Bridge feature enables support for STA-mode and AP-mode operation simultaneously.
Before you configure WorkGroup Bridge on the WAP device, note these guidelines:
• All WAP devices participating in WorkGroup Bridge must have the following identical settings:
- Radio
- IEEE 802.11 Mode
- Channel Bandwidth
- Channel (Auto is not recommended)
See Radio (Basic Settings) for information on configuring these settings.
• WorkGroup Bridge mode currently supports only IPv4 traffic.
• WorkGroup Bridge mode is not supported across a Single Point Setup.
- WPA Enterprise
• VLAN ID—The VLAN associated with the BSS.
NOTE The Infrastructure Client Interface will be associated with the upstream WAP device with the configured credentials. The WAP device may obtain its IP address from a DHCP server on the upstream link. Alternatively, you can assign a static IP address. The Connection Status field indicates whether the WAP is connected to the upstream WAP device.
• VLAN ID—Configure the Access Point Interface with the same VLAN ID as advertised on the Infrastructure Client Interface.
STEP 6 Click Save. The changes are saved to the Startup Configuration. The associated downstream clients now have connectivity to the upstream network.
These four queues are defined for different types of data transmitted from WAP-to-station. If you choose a Custom template, the parameters that define the queues are configurable; otherwise, they are set to predefined values appropriate to your selection. The four queues are:
• Data 0 (Voice)—High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue.
• Data 1 (Video)—High priority queue, minimum delay.
After the Maximum Contention Window size is reached, retries continue until the maximum number of retries allowed is reached. Valid values are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1023. This value must be higher than the value for the Minimum Contention Window.
• Maximum Burst (WAP only)—A WAP EDCA parameter that applies only to traffic flowing from the WAP to the client station.
! CAUTION After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity. We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients.
WPS Setup
This section describes the Wi-Fi Protected Setup (WPS) protocol and its configuration on the WAP device.
The two devices disassociate, and then reassociate and authenticate with the new settings.
• A user wishes to enroll a client station on a WPS-enabled WLAN by supplying the WAP device administrator with the PIN of the client device. The administrator enters this PIN in the configuration utility of the WAP device and triggers the device enrollment.
The WAP devices act as AP devices and support a built-in registrar. They do not function as an enrollee. The administrator can enable or disable WPS on only one VAP. WPS is operational only if this VAP meets these conditions:
• The WAP device is configured to broadcast the VAP SSID.
• MAC address filtering is disabled on the VAP.
• WEP encryption is disabled on the VAP.
• The VAP is configured to use either WPA-Personal security or none.
The PBC method is when the user of a prospective client pushes a button on the enrolling device, and the administrator of the WAP device with an enabled built-in registrar pushes a similar (hardware or software) button. This sequence begins the enrollment process, and the client device joins the network.
The PIN method of enrollment is potentially vulnerable to brute force attacks. A network intruder could try to pose as an external registrar on the wireless LAN and attempt to derive the PIN value of the WAP device by exhaustively applying WPS-compliant PINs.
NOTE The registration process can also configure the WAP device as specified in the VAP Configuration Changes section, if the WAP device has declared within the WPS-specific IEs of its beacon frames or UPnP messages that it requires such configuration.
The WAP device can serve as a proxy for up to three external registrars simultaneously. Any one VAP on the WAP device can be enabled for WPS. At most, one WPS transaction (for example, enrollment and association of an 802.
• WPS Device Name—Provides a default device name. You can assign a different name from 1 to 32 characters, including spaces and special characters.
• WPS Global Operational Status—Whether the WPS operational status is Up or Down on the WAP device.
• WPS Device PIN—A system-generated eight-digit WPS PIN for the WAP device. The administrator may use this generated PIN to register the WAP device with an external registrar. You can click Generate to generate a new PIN.
The operational status of the instance and the reason for that status appear. See Enabling or Disabling WPS on a VAP for information about conditions that may cause the instance to be disabled.
The Instance Status area shows the following information about the selected WPS instance:
• WPS Operational Status—Whether or not the WPS instance is operational.
STEP 4 Within two minutes, enter the WAP PIN on the software interface of the client device. The WAP PIN is configured on the WPS Setup page. When you enter the PIN on the client device, the WPS Operational Status changes to Adding Enrollee. When the enrollment process is complete, the WPS Operational Status changes to Ready and the Transaction Status changes to Success.
• WPS Configuration State—Whether the VAP will be configured from the external registrar as a part of the WPS process.
• Transaction Status—The status of the last WPS transaction. The possible values are None, Success, WPS Message Error, and Timed Out.
• WPS Operational Status—The status of the current or most recent WPS transaction. The possible values are Disabled, Ready, Configuring, Proxying, and Adding Enrollee.
6 System Security
This chapter describes how to configure security settings on the WAP device. It contains these topics:
• RADIUS Server
• 802.1X Supplicant
• Password Complexity
• WPA-PSK Complexity
RADIUS Server
Several features require communication with a RADIUS authentication server. For example, when you configure Virtual Access Points (VAPs) on the WAP device, you can configure security methods that control wireless client access (see the Radio page).
STEP 1 Select System Security > RADIUS Server in the navigation pane.
STEP 2 Enter the parameters:
• Server IP Address Type—The IP version that the RADIUS server uses. You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers of the address type you select in this field.
• Server IP Address 1 or Server IPv6 Address 1—The addresses for the primary global RADIUS server.
802.1X Supplicant
IEEE 802.1X authentication enables the access point to gain access to a secured wired network. You can enable the access point as an 802.1X supplicant (client) on the wired network. A user name and password that are encrypted using the MD5 algorithm can be configured to allow the access point to authenticate using 802.1X. On networks that use IEEE 802.1X port-based network access control, a supplicant cannot gain access to the network until the 802.
• Password—The WAP device uses this MD5 password when responding to requests from an 802.1X authenticator. The password can be 1 to 64 characters in length. ASCII-printable characters are allowed, which includes uppercase and lowercase alphabetic letters, numeric digits, and all special characters except quotation marks.
STEP 4 Click Save. The changes are saved to the Startup Configuration.
Password Complexity
You can configure complexity requirements for passwords used to access the WAP device configuration utility. Complex passwords increase security.
To configure password complexity requirements:
STEP 1 Select System Security > Password Complexity in the navigation pane.
STEP 2 For the Password Complexity setting, select Enable.
WPA-PSK Complexity
When you configure VAPs on the WAP device, you can select a method of securely authenticating clients. If you select the WPA Personal protocol (also known as WPA pre-shared key or WPA-PSK) as the security method for any VAP, you can use the WPA-PSK Complexity page to configure complexity requirements for the key used in the authentication process. More complex keys provide increased security.
7 Client Quality of Service
This chapter provides an overview of Client quality of service (QoS) and explains the QoS features available from the Client QoS menu. It contains these topics:
• Client QoS Global Settings
• ACL
• Class Map
• Policy Map
• Client QoS Association
• Client QoS Status
Client QoS Global Settings
You can use the Client QoS Global Settings page to enable or disable quality of service functionality on the WAP device.
The WAP device supports up to 50 IPv4, IPv6, and MAC ACLs. IP ACLs classify traffic for Layers 3 and 4. Each ACL is a set of up to 10 rules applied to traffic sent or received by the WAP device. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network.
• ACL Name—A name to identify the ACL. The ACL name can include from 1 to 31 alphanumeric characters and the following special characters: hyphen, underscore, backslash, and colon. Spaces are not allowed.
• ACL Type—The type of ACL to configure:
- IPv4
- IPv6
- MAC
IPv4 and IPv6 ACLs control access to network resources based on Layer 3 and Layer 4 criteria. MAC ACLs control access based on Layer 2 criteria.
STEP 3 Click Add ACL.
If you select this field, you cannot configure any additional match criteria. The Match Every Packet option is selected by default for a new rule. You must clear the option to configure other match fields.
For IPv4 ACLs, configure these parameters:
• Protocol—Use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field in IPv6 packets.
0 to 1023—Well Known Ports
1024 to 49151—Registered Ports
49152 to 65535—Dynamic and/or Private Ports
• Destination IP Address—Requires a packet's destination IP address to match the address listed here. Enter an IP address in the appropriate field to apply this criterion.
• Wild Card Mask—The destination IP address wildcard mask. The wildcard mask determines which bits are used and which bits are ignored. A wildcard mask of 255.255.255.
- Match to Value—A custom DSCP value, from 0 to 63.
• IP Precedence—Matches packets based on their IP Precedence value. If selected, enter an IP Precedence value from 0 to 7.
• IP TOS Bits—Specifies a value to use the packet's Type of Service bits in the IP header as match criteria. The IP TOS field in a packet is defined as all eight bits of the Service Type octet in the IP header. The IP TOS Bits value is a two-digit hexadecimal number from 00 to ff.
• Destination IPv6 Address—Select this field to require a packet's destination IPv6 address to match the address listed here. Enter an IPv6 address in the appropriate field to apply this criterion.
• Destination IPv6 Prefix Length—Enter the prefix length of the destination IPv6 address.
• Destination Port—Select this option to include a destination port in the match condition for the rule. The destination port is identified in the datagram header.
For each bit position in the MAC mask, a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored. For example, to check only the first four octets of a MAC address, a MAC mask of 00:00:00:00:ff:ff is used. A MAC mask of 00:00:00:00:00:00 checks all address bits and is used to match a single MAC address.
applications, such as email and file transfer, a slight degradation in service is acceptable and in many cases unnoticeable. However, on applications with strict timing requirements, such as voice or multimedia, any degradation of service has undesirable effects. A DiffServ configuration begins with defining class maps, which classify traffic according to their IP protocol and other criteria.
• Match Every Packet—The match condition is true for every Layer 3 packet regardless of its contents. When selected, all Layer 3 packets match the condition.
• Protocol—Use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field in IPv6 packets. If you select this field, choose the protocol to match by keyword or enter a protocol ID.
A DiffServ mask of 255.255.255.255 indicates that all bits are important, and a mask of 0.0.0.0 indicates that no bits are important. The opposite is true with an ACL wildcard mask. For example, to match the criteria to a single host address, use a mask of 255.255.255.255. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24), use a mask of 255.255.255.0.
• Destination IPv6 Prefix Length (IPv6 only)—The prefix length of the destination IPv6 address.
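The ACL wildcard mask (Wild Card Mask on the ACL page), the MAC mask on MAC ACL rules, and the class-map (DiffServ) mask described just above follow three different conventions for which bits are significant, and mixing them up silently widens or narrows a rule. The following added example, which is not part of the Cisco guide, implements each convention so the difference can be checked on sample addresses; all addresses in it are constructed.

```python
# Added example, not from the Cisco guide: the three mask conventions used by
# ACL rules (wildcard mask), MAC ACL rules (MAC mask) and class maps (DiffServ
# mask), each applied to constructed sample addresses.
import ipaddress

IPV4_ALL = 0xFFFFFFFF
MAC_ALL = 0xFFFFFFFFFFFF


def _v4(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _mac(addr: str) -> int:
    return int(addr.replace(":", "").replace("-", ""), 16)


def ipv4_wildcard_match(packet_addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard mask: a 0 bit must match, a 1 bit is ignored.
    255.255.255.255 therefore matches every address."""
    keep = ~_v4(wildcard) & IPV4_ALL
    return (_v4(packet_addr) & keep) == (_v4(rule_addr) & keep)


def diffserv_mask_match(packet_addr: str, rule_addr: str, mask: str) -> bool:
    """Class-map (DiffServ) mask: a 1 bit is significant, a 0 bit is ignored.
    255.255.255.255 matches a single host; 0.0.0.0 matches everything."""
    keep = _v4(mask)
    return (_v4(packet_addr) & keep) == (_v4(rule_addr) & keep)


def mac_mask_match(packet_mac: str, rule_mac: str, mac_mask: str) -> bool:
    """MAC mask: a 0 bit is significant, a 1 bit is ignored, so
    00:00:00:00:ff:ff compares only the first four octets."""
    keep = ~_mac(mac_mask) & MAC_ALL
    return (_mac(packet_mac) & keep) == (_mac(rule_mac) & keep)


def wildcard_to_diffserv(wildcard: str) -> str:
    """The two IPv4 conventions are bitwise inverses of each other."""
    return str(ipaddress.IPv4Address(~_v4(wildcard) & IPV4_ALL))


if __name__ == "__main__":
    # Constructed sample: the same /24 expressed in both IPv4 conventions.
    print(ipv4_wildcard_match("192.168.10.77", "192.168.10.0", "0.0.0.255"))
    print(diffserv_mask_match("192.168.10.77", "192.168.10.0", "255.255.255.0"))
    print(wildcard_to_diffserv("0.0.0.255"))
    # Constructed sample: MAC mask that checks only the OUI plus one octet.
    print(mac_mask_match("00:11:22:33:aa:bb", "00:11:22:33:00:00", "00:00:00:00:ff:ff"))
```

`wildcard_to_diffserv` is the conversion to reach for when the same network is written as an ACL rule and as a class-map criterion: 0.0.0.255 in the ACL becomes 255.255.255.0 in the class map.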
0 to 1023—Well Known Ports
1024 to 49151—Registered Ports
49152 to 65535—Dynamic and/or Private Ports
• EtherType—Compares the match criteria against the value in the header of an Ethernet frame. Select an EtherType keyword or enter an EtherType value to specify the match criteria.
- Select from List—Matches the Ethertype in the datagram header with the selected protocol types: appletalk, arp, ipv4, ipv6, ipx, netbios, pppoe.
• VLAN ID—A VLAN ID to be matched for packets. The VLAN ID range is from 0 to 4095.
The following Service Type fields show for IPv4 only. You can specify one type of service to use in matching packets to class criteria.
• IP DSCP—A differentiated services code point (DSCP) value to use as a match criterion:
- Select from List—A list of DSCP types.
- Match to Value—A DSCP value that you specify, from 0 to 63.
STEP 1 Select Client QoS > Policy Map in the navigation pane.
STEP 2 Enter a Policy Map Name. The name can include from 1 to 31 alphanumeric characters and the following special characters: hyphen, underscore, backslash, and colon. Spaces are not allowed.
STEP 3 Click Add Policy Map. The page refreshes with additional fields for configuring the policy map.
• Mark IP Precedence—Marks all packets for the associated traffic stream with the specified IP precedence value. The IP precedence value is an integer from 0 to 7.
• Disassociate Class Map—Removes the class selected in the Class Map Name list from the policy selected in the Policy Map Name list.
• Member Classes—Lists all DiffServ classes currently defined as members of the selected policy.
• Client QoS Mode—Select Enable to enable client QoS functionality on the selected VAP.
• Bandwidth Limit Down—The maximum allowed transmission rate from the WAP device to the client in bits per second (bps). The valid range is from 0 to 300 Mbps.
• Bandwidth Limit Up—The maximum allowed transmission rate from the client to the WAP device in bits per second (bps). The valid range is from 0 to 300 Mbps.
STEP 6 Click Save. The changes are saved to the Startup Configuration.
Client QoS Status
The Client QoS Status page shows the client QoS settings that are applied to each client currently associated with the WAP device. To show the Client QoS Status page, select Client QoS > Client QoS Status in the navigation pane.
• ACL Type Down—The type of ACL to apply to traffic in the outbound (WAP-to-client) direction, which can be one of these options:
- IPv4: The ACL examines IPv4 packets for matches to ACL rules.
- IPv6: The ACL examines IPv6 packets for matches to ACL rules.
- MAC: The ACL examines Layer 2 frames for matches to ACL rules.
• ACL Name Down—The name of the ACL applied to traffic in the outbound direction.
8 Simple Network Management Protocol
This chapter describes how to configure the Simple Network Management Protocol (SNMP) to perform configuration and statistics gathering tasks. It contains these topics:
• General SNMP Settings
• Views
• Groups
• Users
• Targets
General SNMP Settings
You can use the General page to enable SNMP and configure basic protocol settings.
To configure general SNMP settings:
STEP 1 Select SNMP > General in the navigation pane.
The community name acts as a simple authentication feature to restrict the machines on the network that can request data from the SNMP agent. The name functions as a password, and the request is assumed to be authentic if the sender knows the password.
• Read-write Community—A read-write community name to be used for SNMP set requests. The valid range is from 1 to 256 alphanumeric and special characters.
in a subnetwork range is always reserved for the subnet address, and the address identified by .255 in the range is always reserved for the broadcast address.) As another example, if you enter a range of 10.10.1.128/25, machines with IP addresses from 10.10.1.129 through 10.10.1.254 can execute SNMP requests on managed devices. In this example, 10.10.1.128 is the network address and 10.10.1.255 is the broadcast address.
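Because the community name is the only credential for SNMPv1/v2c requests, the management-station address range is the control that actually narrows who can talk to the agent. The following added example, which is not code from the Cisco guide, computes the usable range for a CIDR entry the way the paragraph above describes (network and broadcast addresses excluded) and applies it to a constructed list of request sources, so the effect of a range can be checked before it is entered.

```python
# Added example, not from the Cisco guide: which source addresses an SNMP
# management-station range such as 10.10.1.128/25 actually admits, and an
# audit of constructed request sources against that range.
import ipaddress


def snmp_permitted_hosts(cidr: str):
    """First and last address that may send requests for a CIDR range.
    The network address and the broadcast address are excluded, as the
    guide describes for .0 and .255 in a /24 and for .128 and .255 in a /25."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def snmp_request_allowed(source_ip: str, cidr: str) -> bool:
    """True when a request from source_ip falls inside the permitted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(source_ip)
    if addr.version != net.version or addr not in net:
        return False
    # A /31 or /32 has no separate network and broadcast address (RFC 3021),
    # so a single-host entry admits exactly that host.
    if net.prefixlen >= net.max_prefixlen - 1:
        return True
    return addr not in (net.network_address, net.broadcast_address)


def rejected_sources(requests, cidr: str):
    """Return the source addresses of requests that the range would refuse;
    requests is an iterable of (source_ip, operation) pairs."""
    return [src for src, _op in requests if not snmp_request_allowed(src, cidr)]


# Constructed sample request sources, not taken from any real device log.
SAMPLE_REQUESTS = [
    ("10.10.1.130", "get"),   # management station inside the range
    ("10.10.1.254", "set"),   # last usable host, still inside
    ("10.10.1.255", "get"),   # broadcast address of the range
    ("10.10.1.128", "get"),   # network address of the range
    ("10.10.2.7", "get"),     # outside the range altogether
]

if __name__ == "__main__":
    print(snmp_permitted_hosts("10.10.1.128/25"))
    print(rejected_sources(SAMPLE_REQUESTS, "10.10.1.128/25"))
```

`strict=False` lets the function accept a range written with host bits set (for example 10.10.1.129/25) and still report the block it belongs to; if you want such entries flagged instead, drop that argument and catch the `ValueError`.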
Views
An SNMP MIB view is a family of view subtrees in the MIB hierarchy. A view subtree is identified by the pairing of an Object Identifier (OID) subtree value with a bit string mask value. Each MIB view is defined by two sets of view subtrees, included in or excluded from the MIB view. You can create MIB views to control the OID range that SNMPv3 users can access. The WAP device supports a maximum of 16 views.
A family mask is used to define a family of view subtrees. The family mask indicates which subidentifiers of the associated family OID string are significant to the family's definition. A family of view subtrees enables efficient access control to one row in a table.
STEP 4 Click Save. The view is added to the SNMPv3 Views list and your changes are saved to the Startup Configuration.
NOTE To remove a view, select the view in the list and click Delete.
STEP 1 Select SNMP > Groups in the navigation pane.
STEP 2 Click Add to create a new row in the SNMPv3 Groups table.
STEP 3 Check the box for the new group and click Edit.
STEP 4 Configure the parameters:
• Group Name—A name that identifies the group. The default group names are RO and RW. Group names can contain up to 32 alphanumeric characters.
Users
You can use the SNMP Users page to define users, associate a security level to each user, and configure security keys per user. Each user is mapped to an SNMPv3 group, either from the predefined or user-defined groups, and, optionally, is configured for authentication and encryption. For authentication, only the MD5 type is supported. For encryption, only the DES type is supported.
• Encryption Pass Phrase—(If you specify DES as the privacy type) A pass phrase to use to encrypt the SNMP requests. The pass phrase must be between 8 and 32 characters in length.
STEP 5 Click Save. The user is added to the SNMPv3 Users list and your changes are saved to the Startup Configuration.
NOTE To remove a user, select the user in the list and click Delete.
Targets
SNMPv3 targets send SNMP notifications using Inform messages to the SNMP Manager.
NOTE To remove an SNMP target, select the target in the list and click Delete.
9 Captive Portal This chapter describes the Captive Portal (CP) feature, which allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. NOTE The Captive Portal feature is available on the WAP5xx devices and the Cisco WAP321 device. Authenticated users must be validated against a database of authorized Captive Portal groups or users before access is granted.
9 Captive Portal Captive Portal Global Configuration Captive Portal Global Configuration You can use the Global CP Configuration page to control the administrative state of the CP feature and configure global settings that affect all captive portal instances configured on the WAP device. To configure CP Global settings: STEP 1 Select Captive Portal > Global Configuration in the navigation pane. STEP 2 Configure the parameters: • Captive Portal Mode—Enables CP operation on the WAP device.
9 Captive Portal Instance Configuration Instance Configuration You can create up to two Captive Portal instances; each CP instance is a defined set of instance parameters. Instances can be associated with one or more VAPs. Different instances can be configured to respond differently to users as they attempt to access the associated VAP. NOTE Before you create an instance, review these bullets first: • Do you need to add a new VAP? If yes, go to Networks to add a VAP.
9 Captive Portal Instance Configuration - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users. • Redirect—Specifies that CP should redirect the newly authenticated client to the configured URL. If this option is clear, the user sees the locale-specific welcome page after a successful verification. • Redirect URL—Enter the URL (including http:// or https://) to which the newly authenticated client is redirected if the URL Redirect Mode is enabled.
9 Captive Portal Instance Configuration • Global RADIUS—This field is available if the Verification Mode is RADIUS. By default, the CP instance uses the global RADIUS settings that you define for the WAP device (see RADIUS Server). However, you can configure each instance to use a different set of RADIUS servers. To use the global RADIUS server settings, ensure that the check box is selected.
9 Captive Portal Instance Association Instance Association Once you create an instance, you can use the Instance Association page to associate a CP instance to a VAP. The associated CP instance settings applies to users who attempt to authenticate on the VAP. To associate an instance to a VAP: STEP 1 Select Captive Portal > Instance Association in the navigation pane. STEP 2 For WAP561 devices, select the radio interface on which you want to configure an instance association.
9 Captive Portal Web Portal Customization You can associate multiple locales with an instance. When a user attempts to access a particular VAP that is associated with a CP instance, the locales that are associated with that instance show as links on the authentication page. The user can select a link to switch to that locale. STEP 5 Click Save. The changes are saved to the Startup Configuration. STEP 6 From the Captive Portal Web Locale list, select the locale you created.
9 Captive Portal Web Portal Customization • Account Label—The text that instructs the user to enter a user name. The range is from 1 to 32 characters. • User Label—The label for the user name text box. The range is from 1 to 32 characters. • Password Label—The label for the user password text box. The range is from 1 to 64 characters. • Button Label—The label on the button that users click to submit their user name/password for authentication. The range is from 2 to 32 characters.
9 Captive Portal Web Portal Customization • Work In Progress Text—The text that shows during authentication. The range is from 1 to 128 characters. The default is Connecting, please be patient.... • Denied Text—The text that shows when a user fails authentication. The range is from 1 to 128 characters. The default is Error Invalid Credentials, please try again! • Welcome Title—The text that shows when the client has authenticated to the VAP. The range is from 1 to 128 characters.
9 Captive Portal Local Groups Image Type Use Default Width by Height Account Shows above the login field to depict an authenticated login. 295 by 55 pixels To upload binary graphic files to the WAP device: STEP 1 On the Web Portal Customization page, click Upload/Delete Custom Image next to the Background Image Name, Logo Image Name, or Account Image fields. The Web Portal Custom Image page appears. STEP 2 Browse to select the image. STEP 3 Click Upload.
9 Captive Portal Local Users STEP 1 Select Captive Portal > Local Groups in the navigation pane. STEP 2 Enter a Group Name and click Save. The changes are saved to the Startup Configuration. NOTE To delete a group, select it in the Captive Portal Groups list, select the Delete Group check box, and click Save. Local Users You can configure a captive portal instance to accommodate either guest users and authorized users. Guest users do not have assigned user names and passwords.
9 Captive Portal Authenticated Clients minutes. The default value is 60. The timeout value configured here has precedence over the value configured for the captive portal instance, unless the user value is set to 0. When set to 0, the timeout value configured for the CP instance is used. • Group Name—The assigned user group. Each CP instance is configured to support a particular group of users.
9 Captive Portal Failed Authentication Clients - Local—The WAP device uses a local database to authenticate users. - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users. • VAP ID—The VAP that the user is associated with. • Radio ID—The ID of the radio. For the single-radio WAP551 device, this field shows Radio 1. For the dual-radio WAP561 device, this field shows Radio 1 or Radio 2.
• User Name—The Captive Portal user name of the client. • Verification—The method the client attempted to use to authenticate on the Captive Portal, which can be one of these values: - Guest—The user does not need to be authenticated by a database. - Local—The WAP device uses a local database to authenticate users. - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users.
10 Single Point Setup This chapter describes how to configure Single Point Setup over multiple WAP devices. It includes these topics: • Single Point Setup Overview • Access Points • Sessions • Channel Management • Wireless Neighborhood Single Point Setup Overview The WAP551 and WAP561 devices support Single Point Setup. Single Point Setup provides a centralized method to administer and control wireless services across multiple devices.
10 Single Point Setup Single Point Setup Overview Single Point Setup allows the management of more than one cluster in the same subnet or network; however, they are managed as single independent entities. The table below shows Single Point Setup wireless service limits.
Single Point Setup Single- and Dual-Radio APs A Single Point Setup can contain a mixture of dual-radio and single-radio APs. When the configuration of a single-radio device in the cluster changes, the device propagates the change to the first radio of all members. The configuration of the second radio on any dual-radio APs in the cluster is not affected.
secondarily, the most recent change, will be selected to propagate its configuration to the cluster. (That is, if WAP1 has more changes, but WAP2 has the most recent change, WAP1 is selected. If they have an equal number of changes, but WAP2 has the most recent change, then WAP2 is selected.)
Common Configuration Settings and Parameters that are Propagated in Single Point Setup:
• Management Access Control
• SNMP General and SNMPv3
• Networks
• WPA-PSK Complexity
• Time Settings

Radio Configuration Settings and Parameters that are Propagated in Single Point Setup:
• Mode
• Fragmentation Threshold
• RTS Threshold
• Rate Sets
• Primary Channel
• Protection
• Fixed Multicast Rate
• Broadcast or Multicast Rate Limiting
• Channel Bandwidth
• Short Guard Interval
• Supported Ra

Because security-relevant settings such as Management Access Control, Networks, and WPA-PSK Complexity are in the propagated set, a change made on any one member is applied to every member of the cluster.
10 Single Point Setup Access Points

Other Configuration Settings and Parameters That Are Not Propagated in Single Point Setup:
• Bandwidth Utilization
• Port Settings
• Bonjour
• VLAN and IPv4
• IPv6 Address
• WDS Bridge
• IPv6 Tunnel
• WPS
• Packet Capture
• WorkGroup Bridge

Access Points The Access Points page allows you to enable or disable Single Point Setup on a WAP device, view the cluster members, and configure the location and cluster name for a member.
The cluster name is not sent to other WAP devices. You must configure the same name on each device that is a member. The cluster name must be unique for each Single Point Setup you configure on the network. The default is ciscosb-cluster. • Clustering IP Version—Specify the IP version that the WAP devices in the cluster use to communicate with other members of the cluster. The default is IPv4.
Note that the Single Point Setup status and the number of WAP devices are shown graphically on the right side of the page. To add a new access point that is currently in standalone mode into a Single Point Setup cluster: STEP 1 Go to the web-based configuration utility on the standalone access point. STEP 2 Select Single Point Setup > Access Points in the navigation pane. STEP 3 Set the Cluster name to the same name that is configured for the cluster members.
10 Single Point Setup Sessions You can also link to the web-based configuration utility of a specific WAP device by entering the IP address for that access point as a URL directly into a web browser address bar in the following form: http://IPAddressOfAccessPoint (if using HTTP) https://IPAddressofAccessPoint (if using HTTPS) Sessions The Sessions page shows information on WLAN clients that are associated with the WAP devices in the Single Point Setup cluster.
10 Single Point Setup Channel Management A MAC address is a hardware address that uniquely identifies each node of a network. • Idle—The amount of time this WLAN client has remained inactive. A WLAN client is considered to be inactive when it is not receiving or transmitting data. • Rate—The negotiated data rate. Actual transfer rates can vary depending on overhead. The data transmission rate is measured in megabits per second (Mbps).
The automatic channel assignment feature is disabled by default. The state of channel management (enabled or disabled) is propagated to the other devices in the Single Point Setup cluster. At a specified interval, the channel manager (that is, the device that provided the configuration to the cluster) maps all clustered WAP devices to different channels and measures interference levels of the cluster members.
No channel usage maps or channel reassignments are made. Only manual updates affect the channel assignment. When channel management is enabled, the page shows the Current Channel Assignments table and the Proposed Channel Assignments table. The Current Channel Assignments table shows a list of all WAP devices in the Single Point Setup cluster by IP address. The table provides the following details on the current channel assignments.
For each WAP device in the Single Point Setup, the Proposed Channel Assignments table shows the location, IP Address, and Wireless Radio, as in the Current Channel Assignments table. It also shows the Proposed Channel, which is the radio channel to which this WAP device would be reassigned if the channel plan is applied. The Advanced settings area enables you to customize and schedule the channel plan for the Single Point Setup.
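The following is an added illustration of the kind of computation the channel manager performs: measure co-channel interference per member, search for a plan that lowers it, and only propose a reassignment when the gain is worthwhile. It is example code written for this guide, not the WAP device's firmware or Cisco's actual algorithm; the three-channel candidate set, the interference scoring, the member-to-member penalty, the minimum-improvement threshold, and all IP addresses and signal readings are assumptions constructed for the example.

```python
from itertools import product

# Assumptions for this illustration (not documented behaviour of the WAP device):
# the planner considers only the three non-overlapping 2.4 GHz channels, and
# every cluster member can hear every other member.
CANDIDATE_CHANNELS = (1, 6, 11)
MEMBER_PENALTY = 40  # cost charged to a member for each other member on its channel

# Constructed "Current Channel Assignments": member IP -> current channel.
CURRENT_ASSIGNMENTS = {"192.168.1.10": 1, "192.168.1.11": 1, "192.168.1.12": 6}

# Constructed interference measurements: member IP -> [(neighbor channel, signal dBm), ...].
NEIGHBOR_SCANS = {
    "192.168.1.10": [(1, -45), (1, -60), (11, -80)],
    "192.168.1.11": [(1, -40), (6, -70)],
    "192.168.1.12": [(6, -50), (6, -55), (11, -75)],
}


def cochannel_score(channel, scans):
    """Interference a member would see on `channel`: each co-channel neighbour
    contributes (100 + signal_dBm), so a -40 dBm neighbour costs 60 and a
    -100 dBm one costs 0."""
    return sum(max(0, 100 + signal) for ch, signal in scans if ch == channel)


def plan_score(plan, scans):
    """Total cost of a channel plan: external co-channel interference per member
    plus a penalty for every pair of members sharing a channel (counted from
    both sides)."""
    total = 0
    for member, channel in plan.items():
        total += cochannel_score(channel, scans[member])
        total += MEMBER_PENALTY * sum(
            1 for other, other_ch in plan.items()
            if other != member and other_ch == channel)
    return total


def propose_channel_plan(current, scans, min_improvement_pct=25):
    """Exhaustively search channel combinations (fine for a small cluster) and
    return {member: (current_channel, proposed_channel)} for members that
    would move. Returns {} when the best plan does not beat the current one
    by at least `min_improvement_pct` percent, so a marginal gain does not
    cause a cluster-wide channel change."""
    members = sorted(current)
    baseline = plan_score(current, scans)
    best, best_score = dict(current), baseline
    for combo in product(CANDIDATE_CHANNELS, repeat=len(members)):
        candidate = dict(zip(members, combo))
        score = plan_score(candidate, scans)
        if score < best_score:
            best, best_score = candidate, score
    if baseline == 0 or (baseline - best_score) * 100 / baseline < min_improvement_pct:
        return {}
    return {m: (current[m], best[m]) for m in members if best[m] != current[m]}


if __name__ == "__main__":
    print("current plan cost:", plan_score(CURRENT_ASSIGNMENTS, NEIGHBOR_SCANS))
    for member, (old, new) in propose_channel_plan(CURRENT_ASSIGNMENTS, NEIGHBOR_SCANS).items():
        print(f"{member}: channel {old} -> {new}")
```

With the constructed readings, two members share channel 1 and the third sits on a busy channel 6, so the planner proposes moving all three onto distinct, quieter channels. Raising the improvement threshold above the achievable gain returns an empty proposal, which is the behaviour to expect from a scheduled plan that finds nothing worth changing.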
10 Single Point Setup Wireless Neighborhood Wireless Neighborhood The Wireless Neighborhood page shows up to 20 devices per radio within range of each wireless radio in the cluster. (For example, if a WAP device has two wireless radios, 40 devices would be displayed for that device.) The Wireless Neighborhood page also distinguishes between cluster members and nonmembers.
If there is only one WAP device in the cluster, only a single IP address column shows, indicating that the WAP device is grouped with itself. You can click on an IP address to view more details on a particular WAP device. • Neighbors—Devices that are neighbors of one or more of the clustered devices are listed in the left column by SSID (network name). A device that is detected as a neighbor can also be a cluster member itself.
• MAC Address—The MAC address of the neighboring access point. • Channel—The channel on which the access point is currently broadcasting. • Rate—The rate in megabits per second at which this access point is currently transmitting. The current rate is always one of the rates shown in Supported Rates. • Signal—The strength of the radio signal detected from the access point, measured in decibels (dB).
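The Wireless Neighborhood data (SSID, MAC address, channel, signal, and whether the radio is a cluster member) is exactly what is needed to spot a non-member access point advertising one of the cluster's own SSIDs. The following added example, written for this guide and not code from the WAP device, collapses the repeated sightings that several members report for one radio into its strongest observation and then lists non-member radios that are broadcasting a cluster SSID, strongest first. The neighborhood rows, member BSSIDs, and SSIDs are constructed for the example.

```python
# Constructed Wireless Neighborhood rows: (SSID, BSSID, channel, signal dBm, seen by member IP).
# The same radio can appear more than once because several cluster members hear it.
NEIGHBORHOOD = [
    ("corp-wifi",   "00:11:22:33:44:01", 1,  -38, "192.168.1.10"),
    ("corp-wifi",   "00:11:22:33:44:01", 1,  -60, "192.168.1.12"),
    ("corp-wifi",   "00:11:22:33:44:02", 6,  -55, "192.168.1.10"),
    ("guest",       "00:11:22:33:44:01", 1,  -40, "192.168.1.11"),
    ("corp-wifi",   "AA:BB:CC:DD:EE:FF", 11, -42, "192.168.1.11"),  # not a member
    ("coffee-shop", "de:ad:be:ef:00:01", 6,  -70, "192.168.1.12"),
]

# Constructed: BSSIDs of the radios that belong to the cluster, and the SSIDs it serves.
CLUSTER_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CLUSTER_SSIDS = {"corp-wifi", "guest"}


def summarize(rows, member_bssids):
    """One record per (SSID, BSSID) pair keeping the strongest sighting, tagged
    with whether the BSSID belongs to the cluster. MAC addresses are compared
    case-insensitively because scan output and configuration often differ."""
    members = {b.lower() for b in member_bssids}
    best = {}
    for ssid, bssid, channel, signal, seen_by in rows:
        bssid = bssid.lower()
        key = (ssid, bssid)
        if key not in best or signal > best[key]["signal"]:
            best[key] = {"ssid": ssid, "bssid": bssid, "channel": channel,
                         "signal": signal, "seen_by": seen_by,
                         "member": bssid in members}
    return list(best.values())


def find_ssid_spoofs(rows, member_bssids, cluster_ssids):
    """Non-member radios advertising one of the cluster's SSIDs, strongest first.
    A strong hit close to a member is the classic sign of an evil-twin AP."""
    hits = [r for r in summarize(rows, member_bssids)
            if not r["member"] and r["ssid"] in cluster_ssids]
    return sorted(hits, key=lambda r: r["signal"], reverse=True)


if __name__ == "__main__":
    for hit in find_ssid_spoofs(NEIGHBORHOOD, CLUSTER_BSSIDS, CLUSTER_SSIDS):
        print(f"non-member {hit['bssid']} advertising '{hit['ssid']}' "
              f"on channel {hit['channel']} at {hit['signal']} dBm, seen by {hit['seen_by']}")
```

An unfamiliar SSID such as coffee-shop is a neighbor but not a threat to this cluster; a non-member radio that copies corp-wifi is worth investigating, and its channel and the member that heard it loudest tell you roughly where to look.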
A Deauthentication Message Reason Codes When a client deauthenticates from the WAP device, a message is sent to the system log. The message includes a reason code that may be helpful in determining why a client was deauthenticated. You can view log messages when you click Status and Statistics > Log. For more information see: • Deauthentication Reason Code Table Deauthentication Reason Code Table The following table describes the deauthentication reason codes.
Reason code   Meaning
9             STA requesting (re)association is not authenticated with responding STA
10            Disassociated because the information in the Power Capability element is unacceptable
11            Disassociated because the information in the Supported Channels element is unacceptable
12            Disassociated due to BSS Transition Management
13            Invalid element, i.e.
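Reading reason codes one log entry at a time is slow; the practical use of this table is to decode deauthentication messages in bulk and look for patterns, such as one client being deauthenticated many times in a short window or repeatedly failing the 4-Way Handshake. The following added example does that over a constructed syslog excerpt. It is example code written for this guide, not a tool from the WAP device: the log line layout is an assumption (the device's real log format is not shown on this page), codes 9 to 12 come from the table above, and the other entries are taken from the IEEE 802.11 reason code table rather than from this document.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Codes 9 to 12 are the entries described on this page; the remaining entries
# are from the IEEE 802.11 reason code table and are not part of this document.
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    4: "Disassociated due to inactivity",
    5: "Disassociated because AP is unable to handle all currently associated STAs",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
    9: "STA requesting (re)association is not authenticated with responding STA",
    10: "Disassociated because the information in the Power Capability element is unacceptable",
    11: "Disassociated because the information in the Supported Channels element is unacceptable",
    12: "Disassociated due to BSS Transition Management",
    13: "Invalid element",
    14: "Message integrity code (MIC) failure",
    15: "4-Way Handshake timeout",
    16: "Group Key Handshake timeout",
    17: "Element in 4-Way Handshake different from (Re)Association Request/Probe Response/Beacon frame",
    18: "Invalid group cipher",
    19: "Invalid pairwise cipher",
    20: "Invalid AKMP",
    21: "Unsupported RSNE version",
    22: "Invalid RSNE capabilities",
    23: "IEEE 802.1X authentication failed",
    24: "Cipher suite rejected because of the security policy",
}

# Constructed syslog excerpt. The field layout is an assumption made for this
# example, not the WAP device's actual log format.
SAMPLE_LOG = """\
Mar 04 10:15:01 wap-lobby wlan0: STA 3c:5a:b4:12:34:56 deauthenticated (reason 4)
Mar 04 10:16:10 wap-lobby wlan0: STA 3c:5a:b4:12:34:56 deauthenticated (reason 8)
Mar 04 10:20:00 wap-lobby wlan0: STA de:ad:be:ef:00:01 deauthenticated (reason 15)
Mar 04 10:20:05 wap-lobby wlan0: STA de:ad:be:ef:00:01 deauthenticated (reason 15)
Mar 04 10:20:11 wap-lobby wlan0: STA de:ad:be:ef:00:01 deauthenticated (reason 15)
Mar 04 10:20:20 wap-lobby wlan0: STA de:ad:be:ef:00:01 deauthenticated (reason 15)
Mar 04 10:20:30 wap-lobby wlan0: STA de:ad:be:ef:00:01 deauthenticated (reason 15)
Mar 04 10:25:00 wap-lobby wlan0: STA 00:11:22:33:44:aa deauthenticated (reason 12)
Mar 04 10:26:00 wap-lobby wlan0: link state changed to up
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) .*?"
    r"STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}).*?"
    r"deauthenticated.*?reason[ =](?P<code>\d+)", re.IGNORECASE)


def parse_deauth_log(text):
    """Return one event dict per deauthentication line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "mac": m.group("mac").lower(),
            "code": code,
            "reason": REASON_CODES.get(code, f"unknown reason code {code}"),
        })
    return events


def detect_bursts(events, threshold=5, window_s=60):
    """Clients deauthenticated at least `threshold` times within any `window_s`
    second window; returns {mac: max events in one window}."""
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e["ts"])
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[mac] = best
    return flagged


def handshake_failures(events, min_count=3):
    """Clients with repeated 4-Way Handshake timeouts (reason 15), which usually
    means a wrong or guessed passphrase rather than a radio problem."""
    counts = Counter(e["mac"] for e in events if e["code"] == 15)
    return {mac: n for mac, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    events = parse_deauth_log(SAMPLE_LOG)
    for e in events:
        print(e["ts"].strftime("%b %d %H:%M:%S"), e["mac"], e["code"], e["reason"])
    print("bursts:", detect_bursts(events))
    print("handshake failures:", handshake_failures(events))
```

Reason codes 4 and 8 against the first client are routine (idle timeout, client leaving). The five reason-15 events from one client inside thirty seconds trip both checks and are the pattern to escalate: either a user repeatedly entering the wrong passphrase or someone trying PSK candidates against the VAP.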
B Where to Go From Here Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the Cisco WAP551 and WAP561 Access Point. Support Cisco Small Business Support Community www.cisco.com/go/smallbizsupport Cisco Small Business Support and Resources www.cisco.com/go/smallbizhelp Phone Support Contacts www.cisco.com/en/US/support/ tsd_cisco_small_business _support_center_contacts.html Cisco Small Business Firmware Downloads www.cisco.
Cisco Small Business Cisco Partner Central for Small Business (Partner Login Required) www.cisco.com/web/partners/sell/smb Cisco Small Business Home www.cisco.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2013 Cisco Systems, Inc. All rights reserved.