ADMINISTRATION GUIDE Cisco Small Business WAP121 Wireless-N Access Point with PoE and WAP321 Wireless-N Selectable-Band Access Point with PoE
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) © 2012 Cisco Systems, Inc. All rights reserved.
Contents (excerpt; page numbers omitted)
Chapter 1: Getting Started
• Starting the Web-Based Configuration Utility
• Launching the Web-Based Configuration Utility
• Logging Out
• Using the Access Point Setup Wizard
• Getting Started
• Window Navigation
• Configuration Utility Header
• Navigation Pane
• Management Buttons
Chapter 2: Status and Statistics
• System Summary
• Network Interfaces
• Traffic Statistics
• WorkGroup Bridge Transmit/Receive
• Associated Clients
• TSPEC Client Associations
• Log Settings
• Configuring the Persistent Log
• Remote Log Server
• Email Alert
• Email Alert Examples
• HTTP/HTTPS Service
• Configuring HTTP and HTTPS Services
• Managing SSL Certificates
• Management Access Control
• Upgrade Firmware
• TFTP Upgrade
• HTTP Upgrade
• Firmware Recovery
• Download/Backup Configuration File
• Backing Up a Configuration File
• Downloading a Configuration File
• Configuration Files Properties
• Copy/Save Configuration
Chapter 5: Wireless
• Radio
• Rogue AP Detection
• Viewing the Rogue AP List
• Creating and Saving a Trusted AP List
• Importing a Trusted AP List
• Networks
• SSID Naming Conventions
• VLAN IDs
• Configuring VAPs
• Configuring Security Settings
• None (Plain-text)
• Static WEP
• Dynamic WEP
• WPA Personal
• WPA Enterprise
• Scheduler
• Adding Scheduler Profiles
• Configuring Scheduler Rules
• Scheduler Association
• Bandwidth Utilization
• WPS Roles
• Enabling and Disabling WPS on a VAP
• External and Internal Registration
• Client Enrollment
• Optional Use of Built-In Registrar
• Lockdown Capability
• VAP Configuration Changes
• External Registration
• Exclusive Operation of WPS Transactions
• Backward Compatibility with WPS Version 1.
• Client QoS Association
• Client QoS Status
Chapter 8: Simple Network Management Protocol
• SNMP Overview
• General SNMP Settings
• Views
• Groups
• Users
• Targets
Chapter 9: Captive Portal
• Captive Portal Global Configuration
• Instance Configuration
• Instance Association
• Web Portal Customization
• Uploading and Deleting Images
• Local Groups
• Local Users
• Authenticated Clients
• Failed Authentication Clients
• Viewing Single Point Setup Information
• Adding a New Access Point to a Single Point Setup Cluster
• Removing an Access Point from a Single Point Setup Cluster
• Navigating to Configuration Information for a Specific WAP Device
• Navigating to a WAP Device Using its IP Address in a URL
• Sessions
• Channel Management
• Viewing Channel Assignments and Setting Locks
• Current Channel Assignments Table
• Proposed Channel Assignments Table
• Configuring Advanced
Chapter 1: Getting Started
This chapter provides an introduction to the Wireless Access Point (WAP) device's web-based configuration utility, and includes these topics:
• Starting the Web-Based Configuration Utility
• Using the Access Point Setup Wizard
• Getting Started
• Window Navigation
Starting the Web-Based Configuration Utility
This section describes system requirements and how to navigate the web-based configuration utility.
Supported Browsers
• Internet Explorer 7.0 or later
• Chrome 5.
address>) to the local intranet zone. The IP address can also be specified as the subnet IP address, so that all addresses in the subnet are added to the local intranet zone.
• If you have multiple IPv6 interfaces on your management station, use the IPv6 global address instead of the IPv6 local address to access the WAP device from your browser.
Logging Out
By default, the configuration utility logs out after 10 minutes of inactivity. See HTTP/HTTPS Service for instructions on changing the default timeout period. To log out, click Logout in the top right corner of the configuration utility.
Using the Access Point Setup Wizard
STEP 6 Select your time zone, and then set the system time manually or set up the WAP device to get its time from an NTP server. For a description of these options, see Time Settings.
STEP 7 Click Next. The Enable Security - Set Password window appears.
STEP 8 Enter a New Password and enter it again in the Confirm Password text box. For more information about passwords, see User Accounts.
STEP 18 Click Next. The Wizard displays the Enable Captive Portal - Secure Your Guest Network window.
STEP 19 Choose a security encryption type for the guest network and enter a security key. For a description of these options, see System Security.
STEP 20 Click Next. The Wizard displays the Enable Captive Portal - Assign the VLAN ID window.
STEP 21 Specify a VLAN ID for the guest network.
Getting Started
To simplify device configuration through quick navigation, the Getting Started page provides links for performing common tasks. The Getting Started page is the default window every time you log into the configuration utility.
Window Navigation
This section describes the features of the configuration utility.
Configuration Utility Header
The Configuration Utility header contains standard information and appears at the top of every page. It provides these buttons:
Buttons
• (User)—The account name (Administrator or Guest) of the user logged into the WAP device. The factory default user name is cisco.
• Log Out—Click to log out of the configuration utility.
Management Buttons
The table below describes the commonly used buttons that appear on various pages in the system.
• Add—Adds a new entry to the table or database.
• Cancel—Cancels the changes made to the page.
• Clear All—Clears all entries in the log table.
• Delete—Deletes an entry in a table. Select an entry first.
• Edit—Edits or modifies an existing entry. Select an entry first.
Chapter 2: Status and Statistics
This chapter describes how to display status and statistics and contains these topics:
• System Summary
• Network Interfaces
• Traffic Statistics
• WorkGroup Bridge Transmit/Receive
• Associated Clients
• TSPEC Client Associations
• TSPEC Status and Statistics
• TSPEC AP Statistics
• Radio Statistics
• Email Alert Status
• Log
System Summary
The System Summary page shows basic information such as the hardware model description, software version, and the time th
• Serial Number—The serial number of the Cisco WAP device.
• Base MAC Address—The WAP MAC address.
• Firmware Version—The firmware version number of the active image.
• Firmware MD5 Checksum—The checksum for the active image.
• Host Name—A name assigned to the device.
• System Uptime—The time that has elapsed since the last reboot.
• System Time—The current system time.
Network Interfaces
- Established—A connection session is established between the WAP device and a server or client, depending on the role of each device with respect to this protocol.
- Time Wait—The closing sequence has been initiated and the WAP is waiting for a system-defined timeout period (typically 60 seconds) before closing the connection.
You can click Refresh to refresh the screen and show the most current information.
Traffic Statistics
Use the Traffic Statistics page to view basic information about the WAP. It also provides a real-time display of transmit and receive statistics for the Ethernet interface, the Virtual Access Points (VAPs), and any WDS interfaces. All transmit and receive statistics reflect the totals since the WAP was last started. If you reboot the WAP, these figures indicate transmit and receive totals since the reboot.
Each network interface that is configured as a WorkGroup Bridge interface shows these fields:
• Network Interface—Name of the Ethernet or VAP interface.
• Status and Statistics—Whether the interface is disconnected or is administratively configured as up or down.
• VLAN ID—Virtual LAN (VLAN) ID. You can use VLANs to establish multiple internal and guest networks on the same WAP device. The VLAN ID is set on the VAP tab. See Configuring VAPs.
Associated Clients
• Status—The Authenticated and Associated Status shows the underlying IEEE 802.11 authentication and association status, which is present no matter which type of security the client uses to connect to the WAP device. This status does not show IEEE 802.1X authentication or association status.
TSPEC Client Associations
The TSPEC Client Associations page provides real-time information about the TSPEC client data transmitted and received by this access point. The tables on the TSPEC Client Associations page show voice and video packets transmitted and received since the association started, along with status information.
The value may differ depending on other priority traffic sessions.
• Medium Time—Time that the TS traffic occupies the transmission medium.
• Excess Usage Events—Number of times that the client has exceeded the medium time established for its TSPEC. Minor, infrequent violations are ignored.
• VAP MAC Address—Virtual Access Point MAC address.
Statistics:
• Network Interface—Radio interface used by the client.
• Station—Client station MAC address.
TSPEC Status and Statistics
The TSPEC Status and Statistics page provides this information:
• Summary information about TSPEC sessions by radio.
• Summary information about TSPEC sessions by VAP.
• Real-time transmit and receive statistics for the radio interface and the network interface(s).
All of the transmit and receive statistics shown are totals since the WAP device was last started.
TSPEC AP Statistics
• Access Category—The Access Category associated with this Traffic Stream (voice or video).
• Total Packets—Total number of TS packets sent (in the Transmit table) or received (in the Received table) by this radio for the specified Access Category.
• Total Bytes—Total number of bytes received in the specified access category.
Radio Statistics
You can use the Radio Statistics page to show packet-level and byte-level statistics for the wireless radio interface. To view the Radio Statistics page, select Status and Statistics > Radio Statistics in the navigation pane.
• Packets Received—Total packets received by the WAP device.
• Packets Transmitted—Total packets transmitted by the WAP device.
• Bytes Received—Total bytes received by the WAP device.
• FCS Error Count—Count of FCS errors detected in a received MPDU frame.
• Transmit Retry Count—Number of times an MSDU is successfully transmitted after one or more retries.
• ACK Failure Count—Count of ACK frames not received when expected.
• RTS Failure Count—Count of CTS frames not received in response to an RTS frame.
• WEP Undecryptable Count—Number of frames discarded because they could not be decrypted by the radio.
Log
The Log page shows a list of system events that generated a log entry, such as login attempts and configuration changes. The log is cleared upon a reboot and can be cleared by an administrator. Up to 512 events can be shown. Older entries are removed from the list as needed to make room for new events. To view the Log page, select Status and Statistics > Log Status in the navigation pane.
• Time Stamp—The system time when the event occurred.
Chapter 3: Administration
This chapter describes how to configure global system settings and perform diagnostics.
System Settings
The System Settings page enables you to configure information that identifies the WAP device within the network. To configure system settings:
STEP 1 Select Administration > System Settings in the navigation pane.
STEP 2 Enter the parameters:
• Host Name—Administratively assigned name for the WAP device. By convention, the name is the fully qualified domain name of the node.
User Accounts
Adding a User
To add a new user:
STEP 1 Select Administration > User Accounts in the navigation pane. The User Account Table shows the currently configured users. The user cisco is preconfigured in the system to have Read/Write privileges. All other users can have Read Only access, but not Read/Write access.
STEP 2 Click Add. A new row of text boxes appears.
STEP 3 Check the box for the new user and select Edit.
STEP 1 Select Administration > User Accounts in the navigation pane. The User Account Table shows the currently configured users. The user cisco is preconfigured in the system to have Read/Write privileges. The password for the user cisco can be changed.
STEP 2 Select the user to configure and click Edit.
STEP 3 Enter a New Password between 1 and 64 characters and then enter the same password in the Confirm New Password text box.
Time Settings
STEP 1 For the System Clock Source field, select Network Time Protocol (NTP).
STEP 2 Configure these parameters:
• NTP Server/IPv4/IPv6 Address Name—Specify the IPv4 address, IPv6 address, or hostname of an NTP server. A default NTP server is listed. A hostname can consist of one or more labels, which are sets of up to 63 alphanumeric characters. If a hostname includes multiple labels, each is separated by a period (.).
• Daylight Savings End—Select the week, day, month, and time when daylight savings time ends.
• Daylight Savings Offset—Specify the number of minutes to move the clock forward when daylight savings time begins and backward when it ends.
STEP 4 Click Save. The changes are saved to the Startup Configuration.
Log Settings
You can use the Log Settings page to enable log messages to be saved in permanent memory. You can also send logs to a remote host.
• Severity—The minimum severity that an event must have for it to be written to the log in nonvolatile memory. For example, if you specify 2 (critical), then critical, alert, and emergency events are logged to nonvolatile memory. Error messages with a severity level of 3 to 7 are written to volatile memory.
• Depth—The maximum number of messages, up to 512, that can be stored in volatile memory.
A hostname can consist of one or more labels, which are sets of up to 63 alphanumeric characters. If a hostname includes multiple labels, each is separated by a period (.). The entire series of labels and periods can be up to 253 characters long.
• UDP Port—The logical port number for the syslog process on the remote host. The range is from 1 to 65535. The default port is 514. Using the default port is recommended.
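The severity rule above (an event is kept in nonvolatile memory only when its severity number is at or below the configured minimum) and the remote syslog transport (UDP, default port 514) are easy to get backwards when you build a collector for these devices. The following Python script is an added example written for this guide, not Cisco code and not something the WAP device runs: it parses the standard syslog <PRI> field of messages of the kind the device sends to a remote log server, splits them the way the Severity setting does, and includes a minimal UDP receiver. The message texts and the `wap121` hostname are constructed sample data, and the facility numbers in them are the author's choice.

```python
"""Severity filtering for syslog messages from a WAP device's Remote Log Server
feature. Added example, not Cisco code. Sample messages are constructed."""
import re
import socket

# Syslog severity numbers in the order the guide uses: 0 = emergency ... 7 = debug.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

# PRI = facility * 8 + severity, transmitted as "<PRI>" at the start of the message.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message):
    """Return (facility, severity, remainder); raise ValueError on a malformed message."""
    match = _PRI_RE.match(message)
    if not match:
        raise ValueError("missing <PRI> field")
    pri = int(match.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range 0..191")
    return pri // 8, pri % 8, match.group(2)


def persists(severity, configured):
    """True if an event of this severity is written to nonvolatile memory when the
    Log Settings Severity field is `configured`. Lower numbers are more severe, so
    configured=2 keeps emergency (0), alert (1) and critical (2) only."""
    if not 0 <= configured <= 7:
        raise ValueError("Severity must be 0..7")
    return severity <= configured


def split_log(messages, configured):
    """Partition raw messages into (persistent, volatile, rejected) the way the
    device would, returning (severity name, text) tuples for the parsed ones."""
    persistent, volatile, rejected = [], [], []
    for raw in messages:
        try:
            _facility, sev, body = parse_pri(raw)
        except ValueError:
            rejected.append(raw)
            continue
        entry = (SEVERITY_NAMES[sev], body.strip())
        (persistent if persists(sev, configured) else volatile).append(entry)
    return persistent, volatile, rejected


def serve(port=514, configured=2, bind_addr="0.0.0.0"):
    """Minimal remote log server: receive UDP syslog datagrams and print the ones
    that meet the configured severity. Not invoked automatically; binding port 514
    usually needs elevated privileges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            kept, _, bad = split_log([data.decode("utf-8", "replace")], configured)
            for name, text in kept:
                print(f"{src} [{name}] {text}")
            if bad:
                print(f"{src} rejected malformed datagram")


# Constructed sample datagrams (facility 1 for the first three, facility 0 for the fourth).
SAMPLE_MESSAGES = [
    "<10>Jan  1 00:00:01 wap121 login: FAILED LOGIN for cisco from 192.0.2.45",    # critical
    "<14>Jan  1 00:00:02 wap121 config: VAP0 security changed to WPA Personal",  # info
    "<8>Jan  1 00:00:03 wap121 system: firmware image failed validation",         # emergency
    "<1>Jan  1 00:00:04 wap121 kernel: out of memory, rebooting",                 # alert
    "no PRI field on this line",
]

if __name__ == "__main__":
    kept, vol, bad = split_log(SAMPLE_MESSAGES, configured=2)
    print("nonvolatile:", kept)
    print("volatile:", vol)
    print("rejected:", bad)
```

With the Severity field at 2, only the critical, emergency and alert samples land in nonvolatile memory; the info message stays in the volatile buffer that the Depth field sizes, which is why a collector should keep its own copy of everything the device sends rather than rely on the device's log surviving a reboot.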
Email Alert
STEP 1 Select Administration > Email Alert in the navigation pane.
STEP 2 In the Global Configuration area, configure these parameters:
• Administrative Mode—Choose to enable the email alert feature globally.
• From Email Address—Enter the address to show as the sender of the email. The address is a 255-character string with only printable characters. No address is configured by default.
• Log Duration—Choose the frequency at which scheduled messages are sent.
• Username—Enter the username for the email account that will be used to send these emails. Typically (but not always) the username is the full email address including the domain (such as Name@example.com). The specified account will be used as the email address of the sender. The username can be from 1 to 64 alphanumeric characters.
• Password—Enter the password for the email account that will be used to send these emails. The password can be from 1 to 64 characters.
SMTP Port: 465 or 587
Username: Your email address, without the domain name, such as myName (without @yahoo.com)
Password: Your Yahoo account password
The following example shows a sample format of a general log email:
From: AP-192.168.2.10@mailserver.com
Sent: Wednesday, September 09, 2009 11:16 AM
To: administrator@mailserver.
HTTP/HTTPS Service
• Session Timeout—The maximum amount of time, in minutes, an inactive user remains logged on to the WAP device configuration utility. When the configured timeout is reached, the user is automatically logged off. The range is from 1 to 60 minutes. The default is 10 minutes.
STEP 3 Configure HTTP and HTTPS services:
• HTTP Server—Enables access through HTTP. By default, HTTP access is enabled.
Managing SSL Certificates
• Certificate File Present
• Certificate Expiration Date
• Certificate Issuer Common Name
If an SSL certificate (with a .pem extension) exists on the WAP device, you can download it to your computer as a backup. In the Download SSL Certificate (From Device to PC) area, select HTTP or TFTP for the Download Method and click Download.
Management Access Control
! CAUTION Verify any IP address that you enter. If you enter an IP address that does not match your administrative computer, you will lose access to the configuration interface. It is highly recommended to give the administrative computer a static IP address, so the address does not change over time.
To create an access list:
STEP 1 Select Administration > Management Access Control in the navigation pane.
STEP 2 Select Enable for the Management ACL Mode.
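Because enabling the Management ACL with the wrong entries locks you out (the caution above), it is worth checking the list against the address your administrative computer actually uses before you enable the mode. This added Python check is not Cisco code and does not talk to the device; it assumes the ACL holds host IPv4 or IPv6 addresses exactly as typed into the page, and its `local_address_toward` helper is the author's own way of discovering which local address the browser would use (a `connect()` on a UDP socket only selects a route and sends nothing).

```python
"""Pre-flight check for a WAP Management ACL. Added example, not Cisco code."""
import ipaddress
import socket


def local_address_toward(wap_ip, port=9):
    """Return the local address this host would use to reach wap_ip.
    connect() on a UDP socket only selects a route; no datagram is sent."""
    family = socket.AF_INET6 if ":" in wap_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.connect((wap_ip, port))
        return sock.getsockname()[0]


def review_acl(station, entries):
    """Return a list of findings that would cost you management access if the ACL
    were enabled now; an empty list means the station is covered by a valid entry."""
    findings = []
    try:
        station_addr = ipaddress.ip_address(station)
    except ValueError:
        return [f"station address {station!r} is not a valid IP address"]
    if not entries:
        findings.append("ACL is empty: enabling it would lock out every station")
    covered = False
    for entry in entries:
        try:
            if ipaddress.ip_address(entry) == station_addr:
                covered = True
        except ValueError:
            findings.append(f"ACL entry {entry!r} is not a valid IP address")
    if entries and not covered:
        findings.append(f"station {station} is not in the ACL")
    return findings


if __name__ == "__main__":
    # Constructed values; 192.168.1.254 is the recovery address the guide uses.
    me = local_address_toward("192.168.1.254")
    problems = review_acl(me, ["192.168.1.10", "192.168.1.11"])
    for problem in problems:
        print("WARNING:", problem)
    if not problems:
        print(f"{me} is covered; safe to enable the Management ACL")
```

Run it from the administrative computer itself, since the point is to learn which address that machine presents; a static address, as the caution recommends, keeps the answer stable.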
Upgrade Firmware
TFTP Upgrade
STEP 1 Select Administration > Update Firmware in the navigation pane. The Product ID (PID) and active and inactive firmware versions appear.
STEP 2 Select TFTP for Transfer Method.
STEP 3 Enter a name (1 to 256 characters) for the image file in the Source File Name field, including the path to the directory that contains the image to upload. For example, to upload the ap_upgrade.tar image located in the /share/builds/ap directory, enter: /share/builds/ap/ap_upgrade.
Uploading the new software may take several minutes. Do not refresh the page or navigate to another page while uploading the new software, or the software upload is aborted. When the process is complete, the access point restarts and resumes normal operation.
STEP 4 To verify that the firmware upgrade completed successfully, log into the user interface, display the Upgrade Firmware page, and view the active firmware version.
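TFTP carries no integrity protection of its own, so before STEP 2 it is worth recording the checksum of the image you are about to serve, and after the restart comparing it with the Firmware MD5 Checksum that the System Summary page reports for the active image. The Python helper below is an added example, not Cisco tooling; it assumes the reported checksum is the MD5 of the uploaded image file (confirm that once against your own device) and checks the TFTP Source File Name length rule from STEP 3. A matching value shows that what you uploaded is what is now running; trust in the image itself still comes from obtaining both the image and its reference checksum from Cisco.

```python
"""Firmware image checksum helpers for a TFTP upgrade. Added example, not Cisco tooling."""
import hashlib
import hmac
import os


def md5_of_bytes(data):
    """MD5 hex digest of an in-memory image."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the image so a multi-megabyte tar does not have to sit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksums_match(reported, expected):
    """Compare the checksum shown on the System Summary page with the one you
    computed: tolerant of case and surrounding whitespace, otherwise exact and
    constant-time. Anything that is not a 32-digit hex string fails."""
    a = reported.strip().lower()
    b = expected.strip().lower()
    hexdigits = set("0123456789abcdef")
    if len(a) != 32 or len(b) != 32 or not set(a + b) <= hexdigits:
        return False
    return hmac.compare_digest(a, b)


def tftp_source_name_ok(name):
    """The Source File Name field accepts 1 to 256 characters, path included."""
    return 1 <= len(name) <= 256


def upgrade_preflight(image_path, tftp_source_name, vendor_md5=None):
    """Collect everything worth checking before STEP 2/3 of the TFTP upgrade.
    vendor_md5 is the reference value published with the image, if you have it."""
    report = {"source_name_ok": tftp_source_name_ok(tftp_source_name),
              "image_exists": os.path.isfile(image_path)}
    if report["image_exists"]:
        report["local_md5"] = md5_of_file(image_path)
        if vendor_md5 is not None:
            report["matches_vendor"] = checksums_match(report["local_md5"], vendor_md5)
    return report


if __name__ == "__main__":
    # Paths taken from the guide's own TFTP example; adjust to your TFTP server.
    image = "/share/builds/ap/ap_upgrade.tar"
    print(upgrade_preflight(image, image))
```

After the restart, paste the value from System Summary into `checksums_match(reported, report["local_md5"])`; a mismatch means the active image is not the file you served, which is the case STEP 4 is meant to catch.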
Firmware Recovery
NOTE You can access the system across a network if the default gateway IP address is 192.168.1.1.
STEP 3 Open a web browser and enter the IP address of the switch in the address bar (192.168.1.254).
NOTE The HTTP firmware recovery features support the following browsers:
- Firefox 3.0 and later versions
- Internet Explorer 6 and later versions
A Firmware Recovery page appears. No authentication is required.
Download/Backup Configuration File
The WAP device configuration files are in XML format and contain all the information about the WAP device settings. You can back up (upload) the configuration files to a network host or TFTP server to manually edit the content or create backups. After you edit a backed-up configuration file, you can download it to the access point to modify the configuration.
STEP 6 Select which configuration file you want to back up:
• Startup Configuration—Configuration file type used when the WAP device last booted. This does not include any configuration changes applied but not yet saved to the WAP device.
• Backup Configuration—Backup configuration file type saved on the WAP device.
If the downloaded file overwrites the Startup Configuration file, and the file passes a validity check, then the downloaded configuration takes effect the next time the WAP device reboots.
STEP 6 Click Save to begin the upgrade or backup. For HTTP downloads, a window appears to enable you to browse to select the file to download. When the download is finished, a window indicates success.
Copy/Save Configuration
STEP 1 Select Administration > Copy/Save Configuration in the navigation pane.
STEP 2 Select the Source File Name:
• Startup Configuration—Configuration file type used when the WAP device last booted. This does not include any configuration changes applied but not yet saved to the WAP device.
• Backup Configuration—Backup configuration file type saved on the WAP device.
Discovery—Bonjour
Bonjour enables the WAP device and its services to be discovered by using multicast DNS (mDNS). Bonjour advertises services to the network and answers queries for the service types that it supports, simplifying network configuration in small business environments.
Packet Capture
formatted in pcap format and can be examined using tools such as Wireshark and OmniPeek.
• Remote capture method—Captured packets are redirected in real time to an external computer running the Wireshark tool.
The WAP device can capture these types of packets:
• 802.11 packets received and transmitted on radio interfaces. Packets captured on radio interfaces include the 802.11 header.
• 802.3 packets received and transmitted on the Ethernet interface.
• 802.
As soon as the capture is completed, the radio reverts to nonpromiscuous mode operation.
• Radio Client Filter—Enables or disables the WLAN client filter to capture only frames that are transmitted to, or received from, a WLAN client with a specified MAC address.
• Client Filter MAC Address—Specifies the MAC address for WLAN client filtering.
NOTE The MAC filter is active only when a capture is performed on an 802.11 interface.
- brtrunk—Linux bridge interface in the WAP device.
• Capture Duration—Enter the time duration in seconds for the capture. The range is from 10 to 3600. The default is 60.
• Max Capture File Size—Enter the maximum allowed size for the capture file in KB. The range is from 64 to 4096. The default is 1024.
STEP 3 Click Save. The changes are saved to the Startup Configuration.
STEP 4 Click Start Capture.
A Microsoft Windows computer running the Wireshark tool allows you to display, log, and analyze captured traffic. The remote packet capture facility is a standard feature of the Wireshark tool for Windows. The Linux version does not work with the WAP device. When remote capture mode is in use, the WAP device does not store any captured data locally in its file system.
STEP 7 Select the interface from which you need to capture packets. In the Wireshark popup window, next to the IP address, there is a pull-down list from which you select the interface. The interface can be one of the following:
- Linux bridge interface in the WAP device: rpcap://[192.168.1.220]:2002/brtrunk
- Wired LAN interface: rpcap://[192.168.1.220]:2002/eth0
- VAP0 traffic on radio 1: rpcap://[192.168.1.220]:2002/wlan0
- 802.11 traffic: rpcap://[192.168.1.
• All traffic to and from a specific client: wlan.addr == 00:00:e8:4e:5f:8e
In remote capture mode, traffic is sent to the computer running Wireshark through one of the network interfaces. Depending on the location of the Wireshark tool, the traffic can be sent on an Ethernet interface or one of the radios.
STEP 1 Select Use TFTP to download the capture file.
STEP 2 Enter the TFTP Server Filename to download if different from the default. By default, the captured packets are stored in the file /tmp/apcapture.pcap on the WAP device.
STEP 3 Specify a TFTP Server IPv4 Address in the field provided.
STEP 4 Click Download.
To download a packet capture file using HTTP:
STEP 1 Clear Use TFTP to download the captured file.
STEP 2 Click Download.
Chapter 4: LAN
This chapter describes how to configure the port, network, and clock settings of the WAP devices. It includes these topics:
• Port Settings
• VLAN and IPv4 Address Settings
• IPv6 Addresses
Port Settings
The Port Settings page enables you to view and configure settings for the port that physically connects the WAP device to a local area network. To view and configure LAN settings:
STEP 1 Select LAN > Port Settings in the navigation area.
STEP 4 Enable or disable Green Ethernet Mode (WAP321 only).
• Green Ethernet Mode is an auto-power-down mode that reduces chip power when the signal from a link partner is not present. Green Ethernet Mode works whether the port has auto-negotiation enabled or disabled.
• When Green Ethernet Mode is enabled, the WAP device automatically enters a low-power mode when energy on the line is lost, and it resumes normal operation when energy is detected.
VLAN and IPv4 Address Settings
• Management VLAN ID—The VLAN associated with the IP address you use to access the WAP device. Provide a number between 1 and 4094 for the Management VLAN ID. The default is 1. This VLAN is also the default untagged VLAN. If you already have a management VLAN configured on your network with a different VLAN ID, you must change the VLAN ID of the management VLAN on the WAP device.
IPv6 Addresses
To configure IPv6 address settings:
STEP 1 Select LAN > IPv6 Addresses in the navigation area.
STEP 2 Configure the following settings:
• IPv6 Connection Type—Choose how the WAP device obtains an IPv6 address:
- DHCPv6—The IPv6 address is assigned by a DHCPv6 server.
- Static IPv6—You manually configure the IPv6 address. The IPv6 address should be in a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (2001:DB8::CAD5:7D91).
• IPv6 Link Local Address—The IPv6 address used by the local physical link. The link local address is not configurable and is assigned by using the IPv6 Neighbor Discovery process.
• Default IPv6 Gateway—The statically configured default IPv6 gateway.
• IPv6 DNS Nameservers—Select one of the following values:
- Dynamic—The DNS name servers are learned dynamically through DHCPv6.
- Manual—You specify up to two IPv6 DNS name servers in the fields provided.
STEP 3 Click Save.
5 Wireless This chapter describes how to configure properties of the wireless radio operation.
5 Wireless Radio STEP 1 Select Wireless > Radio in the navigation pane. STEP 2 In the Global Settings area, configure the TSPEC Violation Interval, which is the time interval in seconds for the WAP device to report associated clients that do not adhere to mandatory admission control procedures. The reporting occurs through the system log and SNMP traps. Enter a time from 0 to 900 seconds. The default is 300 seconds.
5 Wireless Radio • Primary Channel (802.11n modes with 20/40 MHz bandwidth only)—A 40 MHz channel can be considered to consist of two 20 MHz channels that are contiguous in the frequency domain. These two 20 MHz channels are often referred to as the Primary and Secondary channels. The Primary Channel is used for 802.11n clients that support only a 20 MHz channel bandwidth and for legacy clients.
5 Wireless Radio • No—The WAP device transmits data using an 800-nanosecond guard interval. Protection—The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference with legacy stations or applications. By default, protection is enabled (Auto). With protection enabled, protection is invoked if legacy devices are within range of the WAP device. You can disable protection (Off); however, legacy clients or WAP devices within range can be affected by 802.
5 Wireless Radio If the packet being transmitted is equal to or less than the threshold, fragmentation is not used. Setting the threshold to the largest value (2,346 bytes, which is the default) effectively disables fragmentation. Fragmentation involves more overhead both because of the extra work of dividing up and reassembling of frames it requires, and because it increases message traffic on the network. However, fragmentation can help improve network performance and reliability if properly configured.
5 Wireless Radio Some channel ranges and country code combinations have relatively low maximum transmit power. When attempting to set the transmit power to the lower ranges (for example, 25% or 12%), the expected drop in power may not occur, because certain power amplifiers have minimum transmit power requirements. • Fixed Multicast Rate—The transmission rate in Mbps for broadcast and multicast packets.
5 Wireless Radio By default, the Multicast/Broadcast Rate Limiting option is disabled. Until you enable Multicast/Broadcast Rate Limiting, these fields are disabled: • • - Rate Limit—The rate limit for multicast and broadcast traffic. The limit should be greater than 1, but less than 50 packets per second. Any traffic that falls below this rate limit will always conform and be transmitted to the appropriate destination. The default and maximum rate limit setting is 50 packets per second.
5 Wireless Rogue AP Detection - On — A station is required to send a TSPEC request for bandwidth to the WAP device before sending or receiving a video traffic stream. The WAP device responds with the result of the request, which includes the allotted medium time if the TSPEC was admitted. - Off — A station can send and receive video priority traffic without requiring an admitted TSPEC; the WAP device ignores video TSPEC requests from client stations.
5 Wireless Rogue AP Detection The WAP device performs an RF scan on all channels to detect all APs in the vicinity of the network. If rogue APs are detected, they are shown on the Rogue AP Detection page. If an AP listed as a rogue is legitimate, you can add it to the Known AP List. NOTE The Detected Rogue AP List and Trusted AP List provide information that you can use to take further action.
5 Wireless Rogue AP Detection - • Ad hoc indicates a rogue station running in Ad hoc mode. Stations set to Ad hoc mode communicate with each other directly, without the use of a traditional AP. Ad hoc mode is an IEEE 802.11 Wireless Networking Framework also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS). SSID—The Service Set Identifier (SSID) for the WAP device.
5 Wireless Rogue AP Detection • Beacons—The total number of beacons received from the rogue AP since it was first discovered. • Last Beacon—The date and time of the last beacon received from the rogue AP. • Rates—Supported and basic (advertised) rate sets for the rogue AP. Rates are shown in megabits per second (Mbps). All Supported Rates are listed, with Basic Rates shown in bold. Rate sets are configured on the Radio page.
5 Wireless Networks The file that you import must be a plain-text file with a .txt or .cfg extension. Entries in the file are MAC addresses in hexadecimal format with each octet separated by colons, for example 00:11:22:33:44:55. You must separate entries with a single space. For the AP to accept the file, it must contain only MAC addresses. STEP 3 Choose whether to replace the existing Trusted AP List or add the entries in the imported file to the Trusted AP List. a.
?, ", $, [, \, ], and +. The allowable characters are: ASCII 0x20, 0x21, 0x23, 0x25 through 0x2A, 0x2C through 0x3E, 0x40 through 0x5A, 0x5E through 0x7E. In addition, these three characters cannot be the first character: !, #, and ; (ASCII 0x21, 0x23, and 0x3B, respectively). Trailing and leading spaces (ASCII 0x20) are not permitted.
NOTE This means that spaces are allowed within the SSID, but not as the first or last character, and the period "." (ASCII 0x2E) is also allowed.
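The SSID character rules above are stated as ASCII ranges, which is the form a validator should use rather than a list of "bad" characters. The following is an added example (not code from the guide) that encodes exactly those ranges plus the first-character and leading/trailing-space restrictions; the 32-octet length limit is the IEEE 802.11 limit and is an assumption, since this excerpt does not state it.

```python
# Allowed code points from the guide's SSID rule: 0x20, 0x21, 0x23,
# 0x25-0x2A, 0x2C-0x3E, 0x40-0x5A and 0x5E-0x7E.
ALLOWED = (
    {0x20, 0x21, 0x23}
    | set(range(0x25, 0x2B))
    | set(range(0x2C, 0x3F))
    | set(range(0x40, 0x5B))
    | set(range(0x5E, 0x7F))
)
# '!', '#' and ';' may appear in an SSID, but not as the first character.
FORBIDDEN_FIRST = {0x21, 0x23, 0x3B}
MAX_SSID_OCTETS = 32  # IEEE 802.11 limit; assumed here, not stated in this excerpt


def check_ssid(ssid: str) -> tuple[bool, str]:
    """Return (ok, reason); reason is 'ok' when the SSID is acceptable."""
    if not 1 <= len(ssid) <= MAX_SSID_OCTETS:
        return False, f"length must be 1..{MAX_SSID_OCTETS}"
    for pos, ch in enumerate(ssid):
        code = ord(ch)
        if code not in ALLOWED:
            return False, f"character {ch!r} (0x{code:02X}) at position {pos} is not allowed"
    if ssid[0] == " " or ssid[-1] == " ":
        return False, "leading or trailing space"
    if ord(ssid[0]) in FORBIDDEN_FIRST:
        return False, f"{ssid[0]!r} cannot be the first character"
    return True, "ok"


def is_valid_ssid(ssid: str) -> bool:
    return check_ssid(ssid)[0]


if __name__ == "__main__":
    for candidate in ["Guest WiFi", "!Guest", " Guest", "Guest?", "lab;net"]:
        print(f"{candidate!r}: {check_ssid(candidate)[1]}")
```

Because the ranges are expressed as sets of code points, the same check rejects non-ASCII input (anything above 0x7E) without a separate rule, which matters when SSIDs are pushed from a provisioning script that accepts UTF-8.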
CAUTION Be sure to enter a VLAN ID that is properly configured on the network. Network problems can result if the VAP associates wireless clients with an improperly configured VLAN.
When a wireless client connects to the WAP device by using this VAP, the WAP device tags all traffic from the wireless client with the VLAN ID you enter in this field, unless you enter the port VLAN ID or use a RADIUS server to assign a wireless client to a VLAN.

- Dynamic WEP
- WPA Personal
- WPA Enterprise
If you select a security mode other than None, additional fields appear. These fields are explained in Configuring Security Settings.
NOTE We recommend using WPA Personal or WPA Enterprise as the authentication type as it provides stronger security protection. Use Static WEP or Dynamic WEP only for legacy wireless computers or devices that do not support WPA Personal/Enterprise.

NOTE To delete a VAP, select the VAP and click Delete. To save your deletion permanently, click Save when complete.

Configuring Security Settings
These sections describe the security settings that you configure, depending on your selection in the Security list on the Networks page.

None (Plain-text)
If you select None as your security mode, no additional security settings are configurable on the WAP device.

- ASCII
- Hex
• WEP Keys—You can specify up to four WEP keys. In each text box, enter a string of characters for each key. The keys you enter depend on the key type selected:
- ASCII—Includes uppercase and lowercase alphabetic letters, the numeric digits, and special symbols such as @ and #.
- Hex—Includes digits 0 to 9 and the letters A to F.
Use the same number of characters for each key as specified in the Characters Required field.

- Both Open System and Shared Key. When you select both authentication algorithms, client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the WAP device. Also, client stations configured to use WEP as an open system (shared key mode not enabled) can associate with the WAP device even if they do not have the correct WEP key.

This mode requires the use of an external RADIUS server to authenticate users. The WAP device requires a RADIUS server that supports EAP, such as the Microsoft Internet Authentication Server. To work with Microsoft Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2. You can use any of a variety of authentication methods that the IEEE 802.1X mode supports, including certificates, Kerberos, and public key authentication.

• Key—The shared secret key that the WAP device uses to authenticate to the primary RADIUS server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive and must match the key configured on the RADIUS server. The text you enter is shown as asterisks.
• Key 2 to Key 4—The RADIUS key associated with the configured backup RADIUS servers.

- WPA—The network has client stations that support the original WPA and none that support the newer WPA2.
- WPA2—All client stations on the network support WPA2. This protocol version provides the best security per the IEEE 802.11i standard.
If the network has a mix of clients, some of which support WPA2 and others which support only the original WPA, select both of the check boxes.

WPA Enterprise
WPA Enterprise with RADIUS is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes CCMP (AES), and TKIP encryption. The Enterprise mode requires the use of a RADIUS server to authenticate users. This security mode is backwards-compatible with wireless clients that support the original WPA.

By default both TKIP and CCMP are selected. When both TKIP and CCMP are selected, client stations configured to use WPA with RADIUS must have one of these addresses and keys:
- A valid TKIP RADIUS IP address and RADIUS Key
- A valid CCMP (AES) IP address and RADIUS Key
• Use Global RADIUS Server Settings—By default, each VAP uses the global RADIUS settings that you define for the WAP device (see RADIUS Server).

• Enable RADIUS Accounting—Tracks and measures the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
• Active Server—Enables the administrative selection of the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.

STEP 1 Select Wireless > Scheduler in the navigation pane.
STEP 2 Ensure that the Administrative Mode is enabled. By default it is disabled.
The Scheduler Operational Status area indicates the current operational status of the Scheduler:
• Status—The operational status of the Scheduler. The range is Up or Down. The default is Down.
• Reason—The reason for the scheduler operational status. Possible values are:
- IsActive—The scheduler is administratively enabled.

STEP 4 From the Day of the Week menu, select the recurring schedule for the rule. You can configure the rule to occur daily, each weekday, each weekend day (Saturday and Sunday), or any single day of the week.
STEP 5 Set the start and end times:
• Start Time—The time when the radio or VAP is operationally enabled. The time is in HH:MM 24-hour format. The range is <00-23>:<00-59>. The default is 00:00.
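The scheduler rule described in STEP 4 and STEP 5 (a day-of-week choice plus HH:MM start and end times) is simple enough to model, and modelling it is a useful way to confirm, before applying a profile, when a radio or VAP will actually be up. The following is an added example, not code from the guide; it assumes the end time is later than the start time on the same day, and it treats the end time as exclusive, both of which are assumptions about behaviour this excerpt does not state.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Day-of-week choices from the Scheduler page, mapped to Python's
# weekday() numbering (Monday = 0 ... Sunday = 6).
DAY_SETS = {
    "Daily": set(range(7)),
    "Weekday": set(range(5)),
    "Weekend": {5, 6},
    "Monday": {0}, "Tuesday": {1}, "Wednesday": {2}, "Thursday": {3},
    "Friday": {4}, "Saturday": {5}, "Sunday": {6},
}


def parse_hhmm(text: str) -> time:
    """Parse the guide's HH:MM 24-hour format, range <00-23>:<00-59>."""
    hh, mm = text.split(":")
    if len(hh) != 2 or len(mm) != 2:
        raise ValueError(f"expected HH:MM, got {text!r}")
    return time(int(hh), int(mm))   # time() itself rejects 24:00 or 12:60


@dataclass(frozen=True)
class SchedulerRule:
    day: str      # key of DAY_SETS
    start: time   # radio/VAP becomes operationally enabled
    end: time     # assumption: later than start, on the same day, exclusive

    def is_active(self, when: datetime) -> bool:
        in_day = when.weekday() in DAY_SETS[self.day]
        return in_day and self.start <= when.time() < self.end


def rule_from_form(day: str, start: str, end: str) -> SchedulerRule:
    """Build a rule from the values as typed into the web form."""
    s, e = parse_hhmm(start), parse_hhmm(end)
    if day not in DAY_SETS:
        raise ValueError(f"unknown day selection {day!r}")
    if e <= s:
        raise ValueError("end time must be after start time")
    return SchedulerRule(day, s, e)


def interface_enabled(rules: list, when: datetime) -> bool:
    """A profile with several rules enables the interface when any rule is active."""
    return any(rule.is_active(when) for rule in rules)


def enabled_at(rules: list, iso_timestamp: str) -> bool:
    """Convenience wrapper: 'YYYY-MM-DDTHH:MM' -> is the interface up then?"""
    return interface_enabled(rules, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    office_hours = [rule_from_form("Weekday", "08:00", "18:00")]
    for stamp in ["2024-01-08T09:00", "2024-01-13T09:00", "2024-01-08T19:00"]:
        print(stamp, "up" if enabled_at(office_hours, stamp) else "down")
```

A profile like the one above keeps a guest VAP down outside business hours, which removes the network as an avenue entirely when nobody is there to notice unusual associations.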
Bandwidth Utilization
Use the Bandwidth Utilization page to configure how much of the radio bandwidth can be used before the WAP device stops allowing new client associations. This feature is disabled by default. To enable bandwidth utilization:
STEP 1 Select Wireless > Bandwidth Utilization in the navigation pane.
STEP 2 Click Enable for the Bandwidth Utilization setting.

Up to 512 MAC addresses can be added to the filter list. To configure MAC filtering:
STEP 1 Select Wireless > MAC Filtering in the navigation pane.
STEP 2 Select how the WAP device uses the filter list:
• Allow only stations in the list—Any station that is not in the Stations List is denied access to the network through the WAP device.
• Block all stations in list—Only the stations that appear in the list are denied access to the network through the WAP device.

RADIUS Server Attribute: User-Password (2)
Description: A fixed global password used to look up a client MAC entry.
Value: NOPASSWORD

WDS Bridge
The Wireless Distribution System (WDS) allows you to connect multiple WAP121 and WAP321 devices. With WDS, access points communicate with one another without wires. This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks.

- Radio
- IEEE 802.11 Mode
- Channel Bandwidth
- Channel (Auto is not recommended)
NOTE When operating bridging in the 802.11n 2.4 GHz band, set the Channel Bandwidth to 20 MHz, rather than the default 20/40 MHz. In the 2.4 GHz 20/40 MHz band, the operating bandwidth can change from 40 MHz to 20 MHz if any 20 MHz WAP devices are detected in the area. The mismatched channel bandwidth can cause the link to disconnect.

Personal mode, the WAP device uses WPA2-PSK with CCMP (AES) encryption over the WDS link. See WEP on WDS Links or WPA/PSK on WDS Links following this procedure for more information about encryption options.
STEP 5 Repeat these steps for up to three additional WDS interfaces.
STEP 6 Click Save. The changes are saved to the Startup Configuration.
STEP 7 Replicate this procedure on the other device or devices connecting to the bridge.

• WDS ID—Enter an appropriate name for the new WDS link you have created. It is important that the same WDS ID is also entered at the other end of the WDS link. If this WDS ID is not the same for both WAP devices on the WDS link, they will not be able to communicate and exchange data. The WDS ID can be any alphanumeric combination.
• Key—Enter a unique shared key for the WDS bridge.

In WorkGroup Bridge mode, the BSS managed by the WAP device while operating in WAP device mode is referred to as the access point interface, and associated STAs as downstream STAs. The BSS managed by the other WAP device (that is, the one to which the WAP device associates as an STA) is referred to as the infrastructure client interface, and the other WAP device is referred to as the upstream AP.

NOTE There is an arrow next to SSID for SSID Scanning; this feature is disabled by default, and is enabled only if AP Detection is enabled in Rogue AP Detection (which is also disabled by default).
• Security—The type of security to use for authenticating as a client station on the upstream WAP device. Choices are:
- None
- Static WEP
- WPA Personal
- WPA Enterprise
See Configuring Security Settings for information about WEP and WPA Personal security settings.

- Disabled—The set of clients in the AP's BSS that can access the upstream network is not restricted to the clients specified in a MAC address list.
- Local—The set of clients in the AP's BSS that can access the upstream network is restricted to the clients specified in a locally defined MAC address list.
- RADIUS—The set of clients in the AP's BSS that can access the upstream network is restricted to the clients specified in a MAC address list on a RADIUS server.

STEP 1 Select Wireless > QoS in the navigation pane.
STEP 2 Select an option from the EDCA Template list:
• WFA Defaults—Populates the WAP device and Station EDCA parameters with WiFi Alliance default values, which are best for general, mixed traffic.
• Optimized for Voice—Populates the WAP device and Station EDCA parameters with values that are best for voice traffic.
• Custom—Enables you to choose custom EDCA parameters.

If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling continues until the size of the random backoff value reaches the number defined in the Maximum Contention Window. Valid values are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. This value must be lower than the value for the Maximum Contention Window.

STEP 4 Configure the following additional settings:
• No Acknowledgement—Select Enable to specify that the WAP device should not acknowledge frames with QosNoAck as the service class value.
• Unscheduled Automatic Power Save Delivery—Select Enable to enable APSD, which is a power management method. APSD is recommended if VoIP phones access the network through the WAP device.
STEP 5 Click Save. The changes are saved to the Startup Configuration.

WPS maintains network security by requiring both the users of new client devices and WLAN administrators to have either physical access to their respective devices or secure remote access to these devices.

Usage Scenarios
These are typical scenarios for using WPS:
• A user wishes to enroll a client station on a WPS-enabled WLAN. (The enrolling client device may detect the network, and prompt the user to enroll, although this is not necessary.

manually configures the device with the SSID, public shared key, and cryptography modes of the WPS-enabled WAP device. The device joins the network.
The PIN is either an eight-digit number that uses its last digit as a checksum value, or a four-digit number with no checksum. Each of these numbers may contain leading zeroes.

WPS Roles
The WPS standard assigns specific roles to the various components in its architecture:
• Enrollee—A device that can join the wireless network.
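The guide says an eight-digit WPS PIN carries its checksum in the last digit but does not restate how that digit is computed. The following is an added example, not code from the guide; the weighting (3 on the 1st, 3rd, 5th and 7th digits, 1 on the others, checksum = (10 - sum mod 10) mod 10) is the one defined in the Wi-Fi Simple Configuration specification, and 12345670 is the familiar example PIN from that specification. Validating a PIN this way before typing it into the registrar form catches transcription errors and the "leading zeroes are significant" case.

```python
DIGITS = set("0123456789")


def wps_pin_checksum(first_seven: str) -> int:
    """Checksum digit per the Wi-Fi Simple Configuration specification
    (not restated in the guide): weight 3 on the 1st, 3rd, 5th and 7th
    digits, weight 1 on the 2nd, 4th and 6th."""
    if len(first_seven) != 7 or not set(first_seven) <= DIGITS:
        raise ValueError("need exactly seven decimal digits")
    total = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first_seven))
    return (10 - total % 10) % 10


def validate_wps_pin(pin: str) -> bool:
    """True for a 4-digit PIN (no checksum) or an 8-digit PIN whose last
    digit is the correct checksum. Leading zeroes are kept, so the input
    must be a string, never an int."""
    if not pin or not set(pin) <= DIGITS:
        return False
    if len(pin) == 4:
        return True
    if len(pin) == 8:
        return wps_pin_checksum(pin[:7]) == int(pin[7])
    return False


def complete_pin(first_seven: str) -> str:
    """Append the checksum digit; a system-generated device PIN such as the
    WPS Device PIN shown on the WPS Setup page must satisfy this."""
    return first_seven + str(wps_pin_checksum(first_seven))


if __name__ == "__main__":
    for candidate in ["12345670", "12345678", "0123", "01234565", "123"]:
        print(candidate, "valid" if validate_wps_pin(candidate) else "invalid")
```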
External and Internal Registration
It is not necessary for the WAP devices to handle the registration of clients on the network themselves. The WAP device can either use its built-in registrar, or act as a proxy for an external registrar. The external registrar may be accessed through the wired or wireless LAN. An external registrar may also configure the SSID, encryption mode, and public shared key of a WPS-enabled BSS.

As with the PBC method, if the WAP device begins the enrollment transaction and no client attempts to enroll after 120 seconds, the WAP device terminates the pending transaction.

Optional Use of Built-In Registrar
Although the WAP device supports a built-in registrar for WPS, its use is optional.

VAP Configuration Changes
The WPS protocol can configure the following parameters for a WPS-enabled VAP on a WAP device:
• Network SSID
• Key management options (WPA-PSK, or WPA-PSK and WPA2-PSK)
• Cryptography options (CCMP/AES, or TKIP and CCMP/AES)
• Network (public shared) key
If a VAP is enabled for WPS, these configuration parameters are subject to change, and are persistent between reboots of the WAP device.

Exclusive Operation of WPS Transactions
Any one VAP on the WAP device can be enabled for WPS. At most, one WPS transaction (for example, enrollment and association of an 802.11 client) can be in progress at a time on the WAP device. The WAP device administrator can terminate the transaction in progress from the web-based configuration utility.

• WPS Device Name—Provides a default device name. You can assign a different name from 1 to 32 characters, including spaces and special characters.
• WPS Global Operational Status—Whether the WPS protocol is enabled or disabled on the WAP device. It is enabled by default.
• WPS Device PIN—A system-generated eight-digit WPS PIN for the WAP device. The administrator may use this generated PIN to register the WAP device with an external registrar.

Instance Status
The Instance Status area shows the following information about the selected WPS instance:
• WPS Operational Status—Whether or not the WPS instance is operational.
• AP Lockdown Status—Whether the AP is in lockdown mode, in which external registrars are blocked from registering with the AP. When in lockdown status, this field reports the start time of the lockdown, whether it is temporary or permanent, and if temporary, the duration of the lockdown period.

When you enter the PIN on the client device, the WPS Operational Status changes to Adding Enrollee. When the enrollment process is complete, the WPS Operational Status changes to Ready and the Transaction Status changes to Success. When the client is enrolled, either the built-in registrar of the WAP device or the external registrar on the network proceeds to configure the client with the SSID, encryption mode, and public shared key of a WPS-enabled BSS.

Viewing Instance Status Information
The Instance Status section shows the following information about the WPS instance selected in the WPS Instance ID list:
• WPS Status—Whether the selected WPS instance is enabled or disabled.
• WPS Configuration State—Whether the VAP will be configured from the external registrar as a part of the WPS process.
• Transaction Status—The status of the last WPS transaction. The possible values are None, Success, WPS Message Error, and Timed Out.

6 System Security
This chapter describes how to configure security settings on the WAP device. It contains these topics:
• RADIUS Server
• 802.1X Supplicant
• Password Complexity
• WPA-PSK Complexity

RADIUS Server
Several features require communication with a RADIUS authentication server. For example, when you configure Virtual Access Points (VAPs) on the WAP device, you can configure security methods that control wireless client access (see the Radio page).

STEP 1 Select Security > RADIUS Server in the navigation pane.
STEP 2 Enter the parameters:
• Server IP Address Type—The IP version that the RADIUS server uses. You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers of the address type you select in this field.
• Server IP Address 1 or Server IPv6 Address 1—The addresses for the primary global RADIUS server.

802.1X Supplicant
IEEE 802.1X authentication enables the access point to gain access to a secured wired network. You can enable the access point as an 802.1X supplicant (client) on the wired network. A user name and password that are encrypted using the MD5 algorithm can be configured to allow the access point to authenticate using 802.1X. On networks that use IEEE 802.1X port-based network access control, a supplicant cannot gain access to the network until the 802.

• Password—The WAP device uses this MD5 password when responding to requests from an 802.1X authenticator. The password can be 1 to 64 characters in length. ASCII-printable characters are allowed, which includes uppercase and lowercase alphabetic letters, numeric digits, and all special characters except quotation marks.
STEP 3 Click Save. The changes are saved to the Startup Configuration.
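The guide describes the supplicant password as "encrypted using the MD5 algorithm" and used "when responding to requests from an 802.1X authenticator". What that exchange looks like on the wire is EAP-MD5-Challenge (RFC 3748 section 5.4, the same computation as CHAP in RFC 1994): the authenticator sends a random challenge and the supplicant answers with MD5(Identifier || password || Challenge), so the password itself is never transmitted. The following is an added example, not code from the guide or the WAP firmware; that the WAP uses EAP-MD5 specifically is an assumption drawn from the guide's mention of MD5. Both sides of the exchange are modelled so the verification logic (constant-time compare, one use per challenge) can be seen.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5-Challenge response value: MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side holding the expected secret (switch port plus its RADIUS backend)."""

    def __init__(self, username: str, secret: bytes):
        self.users = {username: secret}
        self.outstanding = {}          # identifier -> challenge not yet answered

    def challenge(self, identifier: int, nbytes: int = 16) -> bytes:
        chal = os.urandom(nbytes)      # fresh random challenge per request
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge is answered once
        secret = self.users.get(username)
        if chal is None or secret is None:
            return False
        expected = eap_md5_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # no timing leak on mismatch


class Supplicant:
    """The WAP device with the user name and MD5 password from the form above."""

    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.secret, challenge)


def run_exchange(supplicant_secret: bytes, authenticator_secret: bytes, identifier: int = 1) -> bool:
    """One Request/Response round; True when the authenticator accepts."""
    auth = Authenticator("wap-uplink", authenticator_secret)
    supp = Supplicant("wap-uplink", supplicant_secret)
    chal = auth.challenge(identifier)
    return auth.verify(identifier, supp.username, supp.answer(identifier, chal))


def replay_is_rejected(secret: bytes = b"s3cret-example") -> bool:
    """The same response presented twice must fail the second time."""
    auth = Authenticator("wap-uplink", secret)
    supp = Supplicant("wap-uplink", secret)
    chal = auth.challenge(7)
    resp = supp.answer(7, chal)
    first = auth.verify(7, supp.username, resp)
    second = auth.verify(7, supp.username, resp)
    return first and not second


if __name__ == "__main__":
    print("correct password accepted:", run_exchange(b"s3cret-example", b"s3cret-example"))
    print("wrong password accepted:", run_exchange(b"s3cret-example", b"other"))
    print("replay rejected:", replay_is_rejected())
```

Two properties of this method are worth keeping in mind when choosing it for the uplink: the challenge/response pair is visible on the wire, so the password's strength is the only thing standing between a capture and an offline guess, which is why the 1 to 64 character field above should be filled with a long random value; and EAP-MD5 produces no keying material, so it authenticates the port but does not protect the traffic that follows.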
Password Complexity
You can configure complexity requirements for passwords used to access the WAP device configuration utility. Complex passwords increase security. To configure password complexity requirements:
STEP 1 Select Security > Password Complexity in the navigation pane.
STEP 2 For the Password Complexity setting, select Enable.

WPA-PSK Complexity
When you configure VAPs on the WAP device, you can select a method of securely authenticating clients. If you select the WPA Personal protocol (also known as WPA pre-shared key or WPA-PSK) as the security method for any VAP, you can use the WPA-PSK Complexity page to configure complexity requirements for the key used in the authentication process. More complex keys provide increased security.

7 Client Quality of Service
This chapter provides an overview of Client quality of service (QoS) and explains the QoS features available from the Client QoS menu. It contains these topics:
• Client QoS Global Settings
• ACL
• Class Map
• Policy Map
• Client QoS Association
• Client QoS Status

Client QoS Global Settings
You can use the Client QoS Global Settings page to enable or disable quality of service functionality on the WAP device.

The WAP device supports up to 50 IPv4, IPv6, and MAC ACLs.

IPv4 and IPv6 ACLs
IP ACLs classify traffic for Layers 3 and 4. Each ACL is a set of up to 10 rules applied to traffic sent or received by the WAP device. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network.

STEP 7 Use the Client QoS Association page to apply the ACL to one or more VAPs.
These steps give a detailed description of how to configure ACLs:
STEP 1 Select Client QoS > ACL in the navigation pane.
STEP 2 Enter these parameters to create a new ACL:
• ACL Name—A name to identify the ACL. The name can contain from 1 to 31 alphanumeric and special characters. Spaces are not allowed.

When you select Deny, the rule blocks all traffic that meets the rule criteria from entering or exiting the WAP device (depending on the ACL direction you select). Traffic that does not meet the criteria is forwarded unless this rule is the final rule. Because there is an implicit deny all rule at the end of every ACL, traffic that is not explicitly permitted is dropped.

- Select From List—The keyword associated with the source port to match: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
- Match to Port—The IANA port number to match to the source port identified in the datagram header.

49152 to 65535—Dynamic and/or Private Ports
• IP DSCP—Matches packets based on their IP DSCP value. If you select IP DSCP, choose one of these options as the match criteria:
- Select From List—DSCP Assured Forwarding (AS), Class of Service (CS), or Expedited Forwarding (EF) values.
- Match to Value—A custom DSCP value, from 0 to 63.
• IP Precedence—Matches packets based on their IP Precedence value. If selected, enter an IP Precedence value from 0 to 7.
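The three points above that most often surprise people writing their first ACL on this platform are that rules are evaluated in order, that the first match decides, and that an implicit deny-all sits after the last rule (so an ACL that only contains deny rules blocks everything). The following is an added example, not code from the guide; it evaluates a constructed ACL against sample packets and also performs the keyword-to-port translation and port-range classification described in the field descriptions. Packet dictionaries and the example ACL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Port keywords offered in the Select From List field, with the port number
# each one translates to.
PORT_KEYWORDS = {
    "ftp": 21, "ftpdata": 20, "http": 80, "smtp": 25,
    "snmp": 161, "telnet": 23, "tftp": 69, "www": 80,
}


def port_range_name(port: int) -> str:
    """Classification used by the page's Match to Port help text."""
    if 0 <= port <= 1023:
        return "Well-Known"
    if 1024 <= port <= 49151:
        return "Registered"
    if 49152 <= port <= 65535:
        return "Dynamic and/or Private"
    raise ValueError(f"port {port} is outside 0..65535")


def resolve_port(value) -> int:
    """Accept either a keyword from the list or a numeric Match to Port value."""
    if isinstance(value, str):
        return PORT_KEYWORDS[value]
    port_range_name(value)          # raises if the number is out of range
    return value


@dataclass(frozen=True)
class AclRule:
    action: str                       # "permit" or "deny"
    protocol: Optional[str] = None    # None = any protocol
    src_ip: Optional[str] = None      # exact source address; None = any
    dst_port: Optional[object] = None # keyword or number; None = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.src_ip is not None and pkt.get("src_ip") != self.src_ip:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != resolve_port(self.dst_port):
            return False
        return True


def evaluate_acl(rules: list, pkt: dict) -> str:
    """First matching rule wins; with no match, the implicit deny-all at the
    end of every ACL drops the packet."""
    if len(rules) > 10:
        raise ValueError("an ACL holds at most 10 rules on this platform")
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed example: a guest VAP may reach web and DNS, never telnet.
GUEST_ACL = [
    AclRule("deny", protocol="tcp", dst_port="telnet"),
    AclRule("permit", protocol="tcp", dst_port="http"),
    AclRule("permit", protocol="udp", dst_port=53),
]


def trace(pkt: dict) -> str:
    verdict = evaluate_acl(GUEST_ACL, pkt)
    port = pkt.get("dst_port")
    return f"{pkt['protocol']}/{port} ({port_range_name(port)}): {verdict}"


if __name__ == "__main__":
    for p in [{"protocol": "tcp", "src_ip": "10.0.0.5", "dst_port": 80},
              {"protocol": "tcp", "src_ip": "10.0.0.5", "dst_port": 23},
              {"protocol": "tcp", "src_ip": "10.0.0.5", "dst_port": 22},
              {"protocol": "udp", "src_ip": "10.0.0.5", "dst_port": 53}]:
        print(trace(p))
```

Note that the packet to port 22 is dropped without any rule naming it: that is the implicit deny doing its job, and it is the reason a "permit what you need" ACL is shorter and safer than trying to enumerate what to block.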
• Source IPv6 Prefix Length—Enter the prefix length of the source IPv6 address.
• Source Port—Select this option to include a source port in the match condition for the rule. The source port is identified in the datagram header. If selected, choose the port name or enter the port number.
• Destination IPv6 Address—Select this field to require a packet's destination IPv6 address to match the address listed here.

• Source MAC Address—Select this field and enter the source MAC address to compare against an Ethernet frame.
• Source MAC Mask—Select this field and enter the source MAC address mask specifying which bits in the source MAC to compare against an Ethernet frame. For each bit position in the MAC mask, a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored.

Class Map
The Client QoS feature contains Differentiated Services (DiffServ) support that allows traffic to be classified into streams and given a certain QoS treatment in accordance with defined per-hop behaviors. Standard IP-based networks are designed to provide best-effort data delivery service. Best-effort service implies that the network delivers the data in a timely fashion, although there is no guarantee that it will.

Use the fields in the Match Criteria Configuration area to match packets to a class. Select the check box for each field to be used as a criterion for a class and enter data in the related field. You can have multiple match criteria in a class. The match criteria fields that are available depend on whether the class map is an IPv4 or IPv6 class map.

Defining a Class Map
To configure a class map:
STEP 1 Select the class map from the Class Map Name list.

A DiffServ mask of 255.255.255.255 indicates that all bits are important, and a mask of 0.0.0.0 indicates that no bits are important. The opposite is true with an ACL wildcard mask. For example, to match the criteria to a single host address, use a mask of 255.255.255.255. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24), use a mask of 255.255.255.0.
• Source IPv6 Prefix Length (IPv6 only)—The prefix length of the source IPv6 address.

0 to 1023—Well-Known Ports
1024 to 49151—Registered Ports
49152 to 65535—Dynamic and/or Private Ports
• Destination Port—Includes a destination port in the match condition for the rule. The destination port is identified in the datagram header. If you select this field, choose the port name or enter the port number.
- Select From List—Matches the destination port in the datagram header with the selected keyword: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www.

For each bit position in the MAC mask, a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored. For example, to check only the first four octets of a MAC address, a MAC mask of 00:00:00:00:ff:ff is used. A MAC mask of 00:00:00:00:00:00 checks all address bits and is used to match a single MAC address.
• Destination MAC Address—The destination MAC address to compare against an Ethernet frame.
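This chapter uses three mask conventions that are easy to confuse: the ACL wildcard mask and the MAC mask, where a 1 bit means "ignore this bit", and the class-map DiffServ mask, where a 1 bit means "this bit is significant". Getting one of them backwards turns a single-host match into a match-everything rule. The following is an added example, not code from the guide; it implements each match the way the text defines it and reproduces the guide's own examples (255.255.255.0 for a /24, 00:00:00:00:ff:ff for the first four octets, all-zero MAC mask for a single address).

```python
from ipaddress import IPv4Address


def _mac_to_int(mac: str) -> int:
    octets = mac.split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"bad MAC {mac!r}")
    return int("".join(octets), 16)


def acl_wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL wildcard mask: a 1 bit means 'ignore this bit'."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(rule_addr)) | w)


def diffserv_mask_match(addr: str, rule_addr: str, mask: str) -> bool:
    """Class-map (DiffServ) mask: a 1 bit means 'this bit is significant',
    the opposite sense to the ACL wildcard."""
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(rule_addr)) & m)


def mac_mask_match(mac: str, rule_mac: str, mask: str) -> bool:
    """MAC mask on the ACL and class-map pages: 0 = significant bit,
    1 = ignored bit, applied across all 48 bits."""
    m = _mac_to_int(mask)
    return (_mac_to_int(mac) | m) == (_mac_to_int(rule_mac) | m)


def wildcard_from_diffserv(mask: str) -> str:
    """Convert a DiffServ mask to the equivalent ACL wildcard (and back) by
    inverting every bit, e.g. 255.255.255.0 <-> 0.0.0.255."""
    return str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))


if __name__ == "__main__":
    print(diffserv_mask_match("192.168.10.77", "192.168.10.0", "255.255.255.0"))  # /24
    print(acl_wildcard_match("192.168.10.77", "192.168.10.0", "0.0.0.255"))       # same /24
    print(mac_mask_match("00:11:22:33:44:55", "00:11:22:33:aa:bb", "00:00:00:00:ff:ff"))
    print(wildcard_from_diffserv("255.255.255.0"))
```

When reviewing a configuration, the quickest sanity check is the single-host case: a DiffServ mask of 255.255.255.255, an ACL wildcard of 0.0.0.0, or a MAC mask of 00:00:00:00:00:00 each pin the rule to exactly one address; seeing the all-ones and all-zeros values swapped between pages is the classic mistake.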
Policy Map
Packets are classified and processed based on defined criteria. The classification criteria is defined by a class on the Class Map page. The processing is defined by a policy's attributes on the Policy Map page. Policy attributes may be defined on a per-class instance basis and determine how traffic that matches the class criteria is handled. The WAP device supports up to 50 policy maps. A policy map can contain up to 10 class maps.

• Mark Class of Service—Marks all packets for the associated traffic stream with the specified class of service value in the priority field of the 802.1p header. If the packet does not already contain this header, one is inserted. The CoS value is an integer from 0 to 7.
• Mark IP DSCP—Marks all packets for the associated traffic stream with the IP DSCP value you select from the list or specify.
- Select from List—A list of DSCP types.

To configure client QoS association parameters:
STEP 1 Select Client QoS > Client QoS Association in the navigation pane.
STEP 2 From the VAP list, select the VAP on which you want to configure client QoS parameters.
STEP 3 Select Enable for the Client QoS Global to enable this feature.
STEP 4 Configure these parameters for the selected VAP:
• Client QoS Mode—Select Enable to enable client QoS functionality on the selected VAP.

When a packet or frame is received by the WAP device, the ACL's rules are checked for a match. The packet or frame is processed if it is permitted and discarded if it is denied.
• DiffServ Policy Down—The name of the DiffServ policy applied to traffic from the WAP device in the outbound (WAP-to-client) direction.
• DiffServ Policy Up—The name of the DiffServ policy applied to traffic sent to the WAP device in the inbound (client-to-WAP) direction.

- IPv6: The ACL examines IPv6 packets for matches to ACL rules.
- MAC: The ACL examines Layer 2 frames for matches to ACL rules.
• ACL Name Up—The name of the ACL applied to traffic entering the WAP in the inbound direction. When a packet or frame is received by the WAP, the ACL rules are checked for a match. The packet or frame is processed if it is permitted and discarded if it is denied.

8 Simple Network Management Protocol
This chapter describes how to configure the Simple Network Management Protocol (SNMP) to perform configuration and statistics gathering tasks. It contains these topics:
• SNMP Overview
• General SNMP Settings
• Views
• Groups
• Users
• Targets

SNMP Overview
SNMP defines a standard for recording, storing, and sharing information about network devices. SNMP facilitates network management, troubleshooting, and maintenance.

General SNMP Settings
You can use the General page to enable SNMP and configure basic protocol settings. To configure general SNMP settings:
STEP 1 Select SNMP > General in the navigation pane.
STEP 2 Select Enabled for the SNMP setting. SNMP is disabled by default.
STEP 3 Specify a UDP Port for SNMP traffic. By default, an SNMP agent listens only to requests from port 161.

A DNS hostname can consist of one or more labels, which are sets of up to 63 alphanumeric characters. If a hostname includes multiple labels, each is separated by a period (.). The entire series of labels and periods can be up to 253 characters long. As with community names, this setting provides a level of security on SNMP settings. The SNMP agent only accepts requests from the IP address, hostname, or subnet specified here.

• Trap Destination Table—A list of up to three IP addresses or hostnames to receive SNMP traps. Check the box and choose a Host IP Address Type (IPv4 or IPv6) before adding the Hostname/IP Address. An example of a DNS hostname is snmptraps.foo.com. Because SNMP traps are sent randomly from the SNMP agent, it makes sense to specify where exactly the traps should be sent. You can have a maximum of three DNS hostnames.
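The two SNMP fields described above (the manager source that the agent accepts requests from, and the trap destination table) take an IP address, a subnet or a DNS hostname, and the hostname rule is spelled out precisely: labels of up to 63 alphanumeric characters separated by periods, 253 characters overall. The following is an added example, not code from the guide; it validates an entry against exactly that rule, classifies it, and enforces the three-entry limit and the IPv4/IPv6 type selection on the trap table. The hostname rule is implemented as the guide states it (alphanumeric only), so a hyphenated name is rejected even though public DNS would allow it; that is a deliberate choice to match the page, not a DNS rule.

```python
import ipaddress
import re

LABEL_RE = re.compile(r"^[A-Za-z0-9]{1,63}$")   # guide: up to 63 alphanumeric chars
MAX_HOSTNAME_LEN = 253                          # guide: labels plus periods
MAX_TRAP_DESTINATIONS = 3


def is_valid_snmp_hostname(name: str) -> bool:
    """Hostname rule as stated on the General page. Hyphens are not in the
    guide's 'alphanumeric' rule and are therefore rejected here."""
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def classify_manager_source(value: str) -> str:
    """Return 'address', 'subnet' or 'hostname' for the value typed into the
    'accept requests from' field; raise ValueError for anything else."""
    try:
        ipaddress.ip_address(value)
        return "address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=True)   # host bits set -> rejected
        return "subnet"
    except ValueError:
        pass
    if is_valid_snmp_hostname(value):
        return "hostname"
    raise ValueError(f"not an IP address, subnet, or DNS hostname: {value!r}")


def accepts_manager_source(value: str) -> bool:
    try:
        classify_manager_source(value)
        return True
    except ValueError:
        return False


def add_trap_destination(table: list, host_type: str, host: str) -> list:
    """Append (host_type, host) to the trap destination table, applying the
    page's constraints: at most three entries, a host rather than a subnet,
    and an address whose IP version matches the chosen Host IP Address Type."""
    versions = {"IPv4": 4, "IPv6": 6}
    if host_type not in versions:
        raise ValueError("Host IP Address Type must be IPv4 or IPv6")
    if len(table) >= MAX_TRAP_DESTINATIONS:
        raise ValueError(f"at most {MAX_TRAP_DESTINATIONS} trap destinations")
    kind = classify_manager_source(host)
    if kind == "subnet":
        raise ValueError("a trap destination must be a host, not a subnet")
    if kind == "address" and ipaddress.ip_address(host).version != versions[host_type]:
        raise ValueError(f"{host} is not an {host_type} address")
    return table + [(host_type, host)]


if __name__ == "__main__":
    for v in ["192.168.1.10", "192.168.1.0/24", "snmptraps.foo.com", "nms-1.foo.com"]:
        print(v, "->", classify_manager_source(v) if accepts_manager_source(v) else "rejected")
    table = add_trap_destination([], "IPv4", "192.168.1.10")
    table = add_trap_destination(table, "IPv4", "snmptraps.foo.com")
    print(table)
```

Restricting the accepting source to one manager address or subnet is the control the guide compares to community names; combining it with SNMPv3 authentication (described under Groups and Users) means a request has to come from the right place and prove the right credentials.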
Simple Network Management Protocol Groups 8 STEP 3 Check the box in the new row and click Edit: • View Name—Enter a name that identifies the MIB view. View names can contain up to 32 alphanumeric characters. • Type—Choose whether to include or exclude the view subtree or family of subtrees from the MIB view. • OID—Enter an OID string for the subtree to include or exclude from the view. For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1. • Mask—Enter an OID mask.
Simple Network Management Protocol Groups 8 • RO—A read-only group using authentication and data encryption. Users in this group use an MD5 key/password for authentication and a DES key/ password for encryption. Both the MD5 and DES key/passwords must be defined. By default, users of this group have read access to the default all MIB view. • RW—A read/write group using authentication and data encryption.
Simple Network Management Protocol Users • • 8 Write Views—The write access to MIBs for the group, which can be one of these options: - write-all—The group can create, alter, and delete MIBs. - write-none—The group cannot create, alter, or delete MIBs. Read Views—The read access to MIBs for the group: - view-all—The group is allowed to view and read all MIBs. - view-none—The group cannot view or read MIBs. STEP 5 Click Save.
Simple Network Management Protocol Targets 8 • Group—The group that the user is mapped to. The default groups are RWAuth, RWPriv, and RO. You can define additional groups on the SNMP Groups page. • Authentication Type—The type of authentication to use on SNMPv3 requests from the user, which can be one of these options: - MD5—Require MD5 authentication on SNMP requests from the user. - None—SNMPv3 requests from this user require no authentication.
Simple Network Management Protocol Targets 8 To add SNMP targets: STEP 1 Select SNMP > Targets in the navigation pane. STEP 2 Click Add. A new row is created in the table. STEP 3 Check the box in the new row and click Edit. STEP 4 Configure the parameters: • IP Address—Enter the IPv4 address of the remote SNMP manager to receive the target. • UDP Port—Enter the UDP port to use for sending SNMPv3 targets. • Users—Enter the name of the SNMP user to associate with the target.
9 Captive Portal This chapter describes the Captive Portal (CP) feature, which allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. NOTE The Captive Portal feature is available only on the Cisco WAP321 device. Authenticated users must be validated against a database of authorized Captive Portal groups or users before access is granted.
9 Captive Portal Captive Portal Global Configuration Captive Portal Global Configuration You can use the Global CP Configuration page to control the administrative state of the CP feature and configure global settings that affect all captive portal instances configured on the WAP device. To configure CP Global settings: STEP 1 Select Captive Portal > Global Configuration in the navigation pane. STEP 2 Configure the parameters: • Captive Portal Mode—Enables CP operation on the WAP device.
Instance Configuration

You can create up to two Captive Portal instances; each CP instance is a defined set of instance parameters. Instances can be associated with one or more VAPs. Different instances can be configured to respond differently to users as they attempt to access the associated VAP.

NOTE Before you create an instance, review these questions first:
• Do you need to add a new VAP? If yes, go to Networks to add a VAP.
  - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users.

• Redirect—Specifies that CP should redirect the newly authenticated client to the configured URL. If this option is cleared, the user sees the locale-specific welcome page after a successful verification.

• Redirect URL—Enter the URL (including http://) to which the newly authenticated client is redirected if the URL Redirect Mode is enabled.
• Global RADIUS—If the Verification Mode is RADIUS, select this option to use the default Global RADIUS server list to authenticate clients. (See RADIUS Server for information about configuring the global RADIUS servers.) If you want the CP feature to use a different set of RADIUS servers, uncheck the box and configure the servers in the fields on this page.
STEP 6 Click Save. Your changes are saved to the Startup Configuration.

Instance Association

Once you create an instance, you can use the Instance Association page to associate a CP instance with a VAP. The associated CP instance settings apply to users who attempt to authenticate on the VAP.

To associate an instance with a VAP:

STEP 1 Select Captive Portal > Instance Association in the navigation pane.
STEP 4 From the Captive Portal Instances list, select the CP instance that this locale is associated with. You can associate multiple locales with an instance. When a user attempts to access a particular VAP that is associated with a CP instance, the locales that are associated with that instance show as links on the authentication page. The user can select a link to switch to that locale.

STEP 5 Click Save. The changes are saved to the Startup Configuration.
• Account Label—The text that instructs the user to enter a user name. The range is from 1 to 32 characters.
• User Label—The label for the user name text box. The range is from 1 to 32 characters.
• Password Label—The label for the user password text box. The range is from 1 to 64 characters.
• Button Label—The label on the button that users click to submit their user name/password for authentication. The range is from 2 to 32 characters.
• Work In Progress Text—The text that shows during authentication. The range is from 1 to 128 characters. The default is "Connecting, please be patient...".
• Denied Text—The text that shows when a user fails authentication. The range is from 1 to 128 characters. The default is "Error Invalid Credentials, please try again!".
• Welcome Title—The text that shows when the client has authenticated to the VAP. The range is from 1 to 128 characters.
Image Type   Use                                                            Default Width by Height
Logo         Shows at top left of page to provide branding information.     168 by 78 pixels
Account      Shows above the login field to depict an authenticated login.  295 by 55 pixels

To upload binary graphic files to the WAP device:

STEP 1 On the Web Portal Customization page, click Upload/Delete Custom Image next to the Background Image Name, Logo Image Name, or Account Image fields. The Web Portal Custom Image page appears.
STEP 1 Select Captive Portal > Local Groups in the navigation pane.
STEP 2 Enter a Group Name and click Save. The changes are saved to the Startup Configuration.

NOTE To delete a group, select it in the Captive Portal Groups list, select the Delete Group check box, and click Save.

Local Users

You can configure a captive portal instance to accommodate either guest users or authorized users. Guest users do not have assigned user names and passwords.
minutes. The default value is 60. The timeout value configured here has precedence over the value configured for the captive portal instance, unless the user value is set to 0. When set to 0, the timeout value configured for the CP instance is used.

• Group Name—The assigned user group. Each CP instance is configured to support a particular group of users.
  - Local—The WAP device uses a local database to authenticate users.
  - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users.

• VAP ID—The VAP that the user is associated with.
• Radio ID—The ID of the radio. Because the WAP321 has a single radio, this field always shows Radio1.
• Captive Portal ID—The ID of the Captive Portal instance to which the user is associated.
• Verification—The method the client attempted to use to authenticate on the Captive Portal, which can be one of these values:
  - Guest—The user does not need to be authenticated by a database.
  - Local—The WAP device uses a local database to authenticate users.
  - RADIUS—The WAP device uses a database on a remote RADIUS server to authenticate users.

• VAP ID—The VAP that the user is associated with.
• Radio ID—The ID of the radio.
10 Single Point Setup

This chapter describes how to configure Single Point Setup over multiple WAP devices. It includes these topics:
• Single Point Setup Overview
• Access Points
• Sessions
• Channel Management
• Wireless Neighborhood

Single Point Setup Overview

The Cisco WAP121 and WAP321 devices support Single Point Setup. Single Point Setup provides a centralized method to administer and control wireless services across multiple devices.
Managing Single Point Setup Across WAP Devices

Single Point Setup creates a dynamic, configuration-aware cluster, or group, of WAP devices in the same subnet of a network. A cluster supports only a group of configured WAP121 devices or a group of configured WAP321 devices. A single cluster does not support a mix of WAP121 and WAP321 devices in the same group.
Single Point Setup Negotiation

When a WAP device is enabled and configured for Single Point Setup, it begins sending periodic advertisements every 10 seconds to announce its presence. If there are other WAP devices that match the criteria for the cluster, arbitration begins to determine which WAP device will distribute the master configuration to the rest of the members of the cluster.
Operation of a WAP Device Dropped From a Single Point Setup

When a WAP device that was previously a member of a cluster becomes disconnected from the cluster, the following guidelines apply:

• Loss of contact with the cluster prevents the WAP device from receiving the latest operational configuration settings. The disconnection interrupts seamless wireless service across the production network.
Common Configuration Settings and Parameters that are Propagated in Single Point Setup
• MAC Filtering
• Scheduler
• Management Access Control
• SNMP General and SNMPv3
• Networks
• WPA-PSK Complexity
• Time Settings

Radio Configuration Settings and Parameters that are Propagated in Single Point Setup
• Mode
• Fragmentation Threshold
• RTS Threshold
• Rate Sets
• Primary Channel
• Protection
• Fixed Multicast Rate
• Broadcast or Multicast Rate Limiting
• Channel Bandwidth
• Short Gu
Radio Configuration Settings and Parameters that are Not Propagated in Single Point Setup
• Transmit Power

Other Configuration Settings and Parameters That Are Not Propagated in Single Point Setup
• Bandwidth Utilization
• Port Settings
• Bonjour
• VLAN and IPv4
• IPv6 Address
• WDS Bridge
• IPv6 Tunnel
• WPS
• Packet Capture
• WorkGroup Bridge

Access Points

The Access Points page allows you to enable or disable Single Point Setup on a WAP device, view the cluster members, and con
STEP 1 Select Single Point Setup > Access Points in the navigation pane.

Single Point Setup is disabled by default on the WAP device. When disabled, the Enable Single Point Setup button is visible. If Single Point Setup is enabled, the Disable Single Point Setup button is visible. You can edit Single Point Setup options only when Single Point Setup is disabled.
The WAP device begins searching for other WAP devices in the subnet that are configured with the same cluster name and IP version. A potential cluster member sends advertisements every 10 seconds to announce its presence. While searching for other cluster members, the status indicates that the configuration is being applied. Refresh the page to see the new configuration.
STEP 4 (Optional) In the Location field, enter a description of where the access point is physically located, for example, Reception.
STEP 5 Click Enable Single Point Setup. The access point automatically joins the Single Point Setup.
Navigating to a WAP Device Using its IP Address in a URL

You can also link to the web-based configuration utility of a specific WAP device by entering the IP address for that access point as a URL directly into a web browser address bar in the following form:

http://IPAddressOfAccessPoint (if using HTTP)
https://IPAddressOfAccessPoint (if using HTTPS)

Sessions

The Sessions page shows information on WLAN clients that are associated with the WAP devices in the Single Point Se
• User MAC—The MAC address of the wireless client. A MAC address is a hardware address that uniquely identifies each node of a network.
• Idle—The amount of time this WLAN client has remained inactive. A WLAN client is considered to be inactive when it is not receiving or transmitting data.
• Rate—The negotiated data rate. Actual transfer rates can vary depending on overhead. The data transmission rate is measured in megabits per second (Mbps).
The automatic channel assignment feature is disabled by default. The state of channel management (enabled or disabled) is propagated to the other devices in the Single Point Setup cluster. At a specified interval, the channel manager (that is, the device that provided the configuration to the cluster) maps all clustered WAP devices to different channels and measures interference levels of the cluster members.
No channel usage maps or channel reassignments are made. Only manual updates affect the channel assignment.

Viewing Channel Assignments and Setting Locks

When channel management is enabled, the page shows the Current Channel Assignments table and the Proposed Channel Assignments table.

Current Channel Assignments Table

The Current Channel Assignments table shows a list of all WAP devices in the Single Point Setup cluster by IP address.
Proposed Channel Assignments Table

The Proposed Channel Assignments table shows the proposed channels that are to be assigned to each WAP device when the next update occurs. Locked channels are not reassigned—the optimization of channel distribution among devices takes into account that locked devices must remain on their current channels.
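Two rules from this chapter are easy to misread in the web pages: which advertising devices may form one cluster (same subnet, same model, same cluster name, same IP version, per the Overview), and how a lock on a row of the Current Channel Assignments table constrains the proposed plan. The model below is an added example for this guide, not Cisco firmware code. The device records and interference scores are constructed, and the greedy channel choice is an illustrative stand-in because the guide does not specify the channel manager's optimization; what it does show faithfully is that locked devices keep their channel and only unlocked devices move.

```python
"""Model of Single Point Setup clustering and the lock-aware channel plan.

Added example, not Cisco firmware code. form_clusters() applies the
membership criteria stated in this chapter (same subnet, same model, same
cluster name, same IP version); propose_channels() keeps locked devices on
their current channels and moves only unlocked ones. The device records,
the interference scores and the greedy selection rule are constructed for
illustration; the guide does not specify the channel manager's algorithm.
"""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Advertisement:
    ip: str           # interface in CIDR form, e.g. "192.168.1.10/24" (constructed)
    model: str        # "WAP121" or "WAP321"
    cluster_name: str
    ip_version: int   # 4 or 6


def cluster_key(adv):
    """Devices can cluster only if all four of these values match."""
    iface = ip_interface(adv.ip)
    return (str(iface.network), adv.model, adv.cluster_name, adv.ip_version)


def form_clusters(advertisements):
    """Group advertisements into clusters: {cluster_key: [member IP, ...]}."""
    clusters = {}
    for adv in advertisements:
        member = str(ip_interface(adv.ip).ip)
        clusters.setdefault(cluster_key(adv), []).append(member)
    return clusters


@dataclass(frozen=True)
class Assignment:
    ip: str
    channel: int
    locked: bool


def propose_channels(current, candidate_channels, interference):
    """Return {ip: proposed channel} for the next channel-management update.

    Locked devices keep their channel and reserve it. Each unlocked device
    then takes the candidate channel with the lowest interference score that
    no other cluster member has claimed yet; if every candidate is already
    claimed it falls back to the least-interfered channel overall.
    'interference' maps (ip, channel) to a score where lower is better.
    """
    proposed = {a.ip: a.channel for a in current if a.locked}
    claimed = set(proposed.values())
    for a in current:
        if a.locked:
            continue
        free = [c for c in candidate_channels if c not in claimed] or list(candidate_channels)
        best = min(free, key=lambda c: (interference.get((a.ip, c), 0), c))
        proposed[a.ip] = best
        claimed.add(best)
    return proposed


# Constructed sample data.
SAMPLE_ADVERTISEMENTS = [
    Advertisement("192.168.1.10/24", "WAP321", "office", 4),
    Advertisement("192.168.1.11/24", "WAP321", "office", 4),
    Advertisement("192.168.1.12/24", "WAP121", "office", 4),   # other model: separate cluster
    Advertisement("192.168.2.10/24", "WAP321", "office", 4),   # other subnet: separate cluster
]

SAMPLE_ASSIGNMENTS = [
    Assignment("192.168.1.10", 6, locked=True),    # administrator locked it on 6
    Assignment("192.168.1.11", 6, locked=False),   # currently sharing 6 with the locked device
    Assignment("192.168.1.13", 1, locked=False),
]
SAMPLE_CHANNELS = (1, 6, 11)
SAMPLE_INTERFERENCE = {
    ("192.168.1.11", 1): 3, ("192.168.1.11", 11): 1,
    ("192.168.1.13", 1): 2, ("192.168.1.13", 11): 5,
}


if __name__ == "__main__":
    for key, members in form_clusters(SAMPLE_ADVERTISEMENTS).items():
        print(key, members)
    print(propose_channels(SAMPLE_ASSIGNMENTS, SAMPLE_CHANNELS, SAMPLE_INTERFERENCE))
```

In the sample, the WAP121 in the same subnet and the WAP321 in another subnet each end up alone, and in the channel plan the unlocked device that was sharing channel 6 with the locked one is the device that moves.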
The default is one hour, meaning that channel usage is reassessed and the resulting channel plan is applied every hour. If you change these settings, click Save. The changes are saved to the active configuration and the Startup Configuration.

Wireless Neighborhood

The Wireless Neighborhood page shows up to 20 devices within range of each wireless radio in the cluster.
• Cluster—The list at the top of the table shows IP addresses for all WAP devices that are clustered together. (This list is the same as the members list on the Single Point Setup > Access Points page.) If there is only one WAP device in the cluster, only a single IP address column shows, indicating that the WAP device is grouped with itself. You can click on an IP address to view more details on a particular WAP device.
Viewing Details for a Cluster Member

To view details on a cluster member, click the IP address of a member at the top of the page. The following details for the device appear below the Neighbors list.

• SSID—The Service Set Identifier for the neighboring access point.
• MAC Address—The MAC address of the neighboring access point.
• Channel—The channel on which the access point is currently broadcasting.
A Deauthentication Message Reason Codes

When a client deauthenticates from the WAP device, a message is sent to the system log. The message includes a reason code that may be helpful in determining why a client was deauthenticated. You can view log messages when you click Status and Statistics > Log Status. The following table describes the deauthentication reason codes.
Reason code   Meaning
11            Disassociated because the information in the Supported Channels element is unacceptable
12            Disassociated due to BSS Transition Management
13            Invalid element, i.e.
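Reading reason codes off the Log Status page one line at a time does not scale once the log is exported to a syslog collector (see Remote Log Server). The script below is an added example for this guide, not Cisco code: it looks up each logged code in the table above, reports codes the table does not list as unknown rather than guessing, and lists clients that were deauthenticated repeatedly in the exported window, which is the pattern an operator usually wants to investigate first. The log line format and the sample lines are constructed; the regular expression must be adapted to the exact wording of your own log output.

```python
"""Map deauthentication reason codes in WAP log output to their meanings and
flag clients that are deauthenticated repeatedly.

Added example, not part of the Cisco guide. The reason-code meanings are the
entries in the table in this appendix (code 13's text is cut off in the
source and is kept as printed); codes outside the table are reported as
unknown rather than guessed. The log line format and the sample lines are
constructed; adjust LINE_RE to the exact wording your Log Status page shows.
"""
import re
from collections import Counter

REASON_CODES = {
    11: "Disassociated because the information in the Supported Channels element is unacceptable",
    12: "Disassociated due to BSS Transition Management",
    13: "Invalid element, i.e.",
}

# Constructed format: "... STA <mac> ... reason code <n>".
LINE_RE = re.compile(
    r"STA (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}).*?reason code (?P<code>\d+)"
)


def parse_deauth_events(lines):
    """Return one dict per matching line with the client MAC, code and meaning."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({
            "mac": m.group("mac").lower(),
            "code": code,
            "meaning": REASON_CODES.get(code, "unknown reason code (not in the table)"),
        })
    return events


def clients_with_repeated_deauth(events, threshold=3):
    """Sorted MAC addresses deauthenticated at least `threshold` times.

    Repeated deauthentication of one client is worth a look whatever the
    cause (roaming trouble, a misconfigured supplicant, interference), so the
    threshold is kept low and configurable.
    """
    counts = Counter(e["mac"] for e in events)
    return sorted(mac for mac, n in counts.items() if n >= threshold)


# Constructed sample log lines; the format is not taken from the guide.
SAMPLE_LOG = [
    "Jan 10 09:12:01 wap321 STA aa:bb:cc:dd:ee:01 deauthenticated, reason code 12",
    "Jan 10 09:12:31 wap321 STA aa:bb:cc:dd:ee:01 deauthenticated, reason code 12",
    "Jan 10 09:13:05 wap321 STA AA:BB:CC:DD:EE:02 deauthenticated, reason code 13",
    "Jan 10 09:13:40 wap321 STA aa:bb:cc:dd:ee:01 deauthenticated, reason code 11",
    "Jan 10 09:14:02 wap321 STA aa:bb:cc:dd:ee:03 deauthenticated, reason code 99",
    "Jan 10 09:14:10 wap321 link up on eth0",
]


if __name__ == "__main__":
    events = parse_deauth_events(SAMPLE_LOG)
    for e in events:
        print(e["mac"], e["code"], e["meaning"])
    print("repeated:", clients_with_repeated_deauth(events))
```

Extend REASON_CODES with the remaining rows of the table as you need them; keeping the mapping in one place means an unknown code shows up as such instead of being silently dropped.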
B Where to Go From Here

Cisco provides a wide range of resources to help you and your customer obtain the full benefits of the Cisco WAP121 and WAP321 Access Point.

Support
Cisco Small Business Support Community: www.cisco.com/go/smallbizsupport
Cisco Small Business Support and Resources: www.cisco.com/go/smallbizhelp
Phone Support Contacts: www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Cisco Small Business Firmware Downloads: www.cisco.
Cisco Small Business
Cisco Partner Central for Small Business (Partner Login Required): www.cisco.com/web/partners/sell/smb
Cisco Small Business Home: www.cisco.