manualshive.com logo in svg

Cisco WAP121, Administration Manual

The Cisco WAP121 is a cutting-edge networking device designed for small businesses. With its intuitive setup and administration features, this product ensures seamless connectivity. Enhance your user experience with our free Administration Manual - available for download at manualshive.com. Discover the full potential of your Cisco WAP121 today!

Share
Download
background image

9

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE

143

Captive Portal

This chapter describes the Captive Portal (CP) feature, which allows you to block 
wireless clients from accessing the network until user verification has been 
established. You can configure CP verification to allow access for both guest and 
authenticated users.

NOTE

The Captive Portal feature is available only on the Cisco WAP321 device.

Authenticated users must be validated against a database of authorized Captive 
Portal groups or users before access is granted. The database can be stored 
locally on the WAP device or on a RADIUS server.

Captive Portal consists of two CP instances. Each instance can be configured 
independently, with different verification methods for each VAP or SSID. Cisco 
WAP321 devices operate concurrently with some VAPs configured for CP 
authentication and other VAPs configured for normal wireless authentication 
methods, such as WPA or WPA Enterprise.

This chapter includes these topics:

Captive Portal Global Configuration

Instance Configuration

Instance Association

Web Portal Customization

Local Groups

Local Users

Authenticated Clients

Failed Authentication Clients

Summary of Contents for WAP121

Page 1: ...Cisco Small Business WAP121 Wireless N Access Point with PoE and WAP321 Wireless N Selectable Band Access Point with PoE ADMINISTRATION GUIDE ...

Page 2: ...Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 1110R ...

Page 3: ...ion 13 Configuration Utility Header 13 Navigation Pane 13 Management Buttons 14 Chapter 2 Status and Statistics 15 System Summary 15 Network Interfaces 17 Traffic Statistics 18 WorkGroup Bridge Transmit Receive 18 Associated Clients 19 TSPEC Client Associations 21 TSPEC Status and Statistics 23 TSPEC AP Statistics 24 Radio Statistics 25 Email Alert Status 26 Log 27 Chapter 3 Administration 28 Syst...

Page 4: ...Upgrade Firmware 41 TFTP Upgrade 41 HTTP Upgrade 42 Firmware Recovery 43 Download Backup Configuration File 45 Backing Up a Configuration File 45 Downloading a Configuration File 46 Configuration Files Properties 47 Copy Save Configuration 47 Reboot 48 Discovery Bonjour 49 Packet Capture 49 Packet Capture Configuration 50 Local Packet Capture 51 Remote Packet Capture 52 Packet Capture File Downloa...

Page 5: ...iguring Security Settings 77 None Plain text 77 Static WEP 77 Dynamic WEP 79 WPA Personal 81 WPA Enterprise 83 Scheduler 85 Adding Scheduler Profiles 85 Configuring Scheduler Rules 86 Scheduler Association 87 Bandwidth Utilization 88 MAC Filtering 88 Configuring a MAC Filter List Locally on the WAP Device 88 Configuring MAC Authentication on the RADIUS Server 89 WDS Bridge 90 WEP on WDS Links 92 W...

Page 6: ...WPS Version 1 0 105 Configuring WPS Settings 105 Instance Status 107 WPS Process 107 Enrolling a Client Using the PIN Method 107 Enrolling a Client Using the Push Button Method 108 Viewing Instance Status Information 109 Viewing Instance Summary Information 109 Chapter 6 System Security 110 RADIUS Server 110 802 1X Supplicant 112 Password Complexity 114 WPA PSK Complexity 115 Chapter 7 Client Qual...

Page 7: ...tion 145 Instance Association 148 Web Portal Customization 148 Uploading and Deleting Images 151 Local Groups 152 Local Users 153 Authenticated Clients 154 Failed Authentication Clients 155 Chapter 10 Single Point Setup 157 Single Point Setup Overview 157 Managing Single Point Setup Across WAP Devices 158 Single Point Setup Negotiation 159 Operation of a WAP Device Dropped From a Single Point Setu...

Page 8: ...ngle Point Setup Cluster 165 Navigating to Configuration Information for a Specific WAP Device 165 Navigating to a WAP Device Using its IP Address in a URL 166 Sessions 166 Channel Management 167 Viewing Channel Assignments and Setting Locks 169 Current Channel Assignments Table 169 Proposed Channel Assignments Table 170 Configuring Advanced Settings 170 Wireless Neighborhood 171 Viewing Details f...

Page 9: ...rted Browsers Internet Explorer 7 0 or later Chrome 5 0 or later Firefox 3 0 or later Safari 3 0 or later Browser Restrictions If you are using Internet Explorer 6 you cannot directly use an IPv6 address to access the WAP device You can however use the Domain Name System DNS server to create a domain name that contains the IPv6 address and then use that domain name in the address bar in place of t...

Page 10: ...he Cisco FindIT Network Discovery Utility This tool enables you to automatically discover all supported Cisco Small Business devices in the same local network segment as your computer For more information go to cisco com and enter www cisco com go findit For further instructions on how to locate the IP address of your WAP device see the WAP device Quick Start Guide STEP 2 Enter the user name and p...

Page 11: ... The Configure Device IP Address window appears STEP 2 Click Dynamic IP Address DHCP if you want the WAP device to receive an IP address from a DHCP server Or select Static IP Address to configure IP Address manually For a description of these fields see VLAN and IPv4 Address Settings STEP 3 Click Next The Single Point Setup Set a Cluster window appears For a description of Single Point Setup see ...

Page 12: ...ss network STEP 11 Click Next The Enable Security Secure Your Wireless Network window appears STEP 12 Choose a security encryption type and enter a security key For a description of these options see System Security STEP 13 Click Next The Wizard displays the Enable Security Assign the VLAN ID For Your Wireless Network window STEP 14 Enter a VLAN ID for traffic received on the wireless network It i...

Page 13: ...om the management VLAN ID STEP 22 Click Next The Wizard displays the Enable Captive Portal Enable Redirect URL window STEP 23 Select Enable Redirect URL and specify a fully qualified domain name or IP address in the Redirect URL field including http If specified guest network users are redirected to the specified URL after authenticating STEP 24 Click Next The Wizard displays the Summary Confirm Y...

Page 14: ... Wizard Using the Access Point Setup Wizard Configure Radio Settings Radio Configure Wireless Network Settings Networks Configure LAN Settings LAN Run WPS WPS Setup Configure Single Point Setup Single Point Setup Device Status System Summary System Summary Wireless Status Network Interfaces Quick Access Change Account Password User Accounts Upgrade Device Firmware Upgrade Firmware Backup Restore C...

Page 15: ...tures of the WAP devices If a main menu item is preceded by an arrow select to expand and display the submenu of each group You can then select on the desired submenu item to open the associated page Buttons Button Name Description User The account name Administrator or Guest of the user logged into the WAP device The factory default user name is cisco Log Out Click to log out of the configuration...

Page 16: ...s Button Name Description Add Adds a new entry to the table or database Cancel Cancels the changes made to the page Clear All Clears all entries in the log table Delete Deletes an entry in a table Select an entry first Edit Edits or modifies an existing entry Select an entry first Refresh Redisplays the current page with the latest data Save Saves the settings or configuration Update Updates the n...

Page 17: ...s TSPEC Status and Statistics TSPEC AP Statistics Radio Statistics Email Alert Status Log System Summary The System Summary page shows basic information such as the hardware model description software version and the time that has elapsed since the last reboot To view system information select Status and Statistics System Summary in the navigation pane Or select System Summary under Device Status ...

Page 18: ...e if available Protocol The underlying transport protocol that the service uses TCP or UDP Local IP Address The IP address if any of a remote device that is connected to this service on the WAP device All indicates that any IP address on the device can use this service Local Port The port number for the service Remote IP Address The IP address of a remote host if any that is using this service All...

Page 19: ...ether or not Green Ethernet mode is enabled To change any of these settings click the Edit link After you click Edit you are redirected to the VLAN and IPv4 Address Settings page See VLAN and IPv4 Address Settings for descriptions of these fields Radio Status These settings include the Wireless Radio mode Enabled or Disabled the MAC address associated with the radio interface the 802 11 mode a b g...

Page 20: ...erface name is followed by its SSID in parentheses Total Packets The total packets sent in Transmit table or received in Received table by this WAP device Total Bytes The total bytes sent in Transmit table or received in Received table by this WAP device Total Dropped Packets The total number of dropped packets sent in Transmit table or received in Received table by this WAP device Total Dropped B...

Page 21: ...transmit and receive direction for each WorkGroup Bridge interface Total Packets The total number of packets bridged between the wired clients in the WorkGroup Bridge and the wireless network Total Bytes The total number of bytes bridged between the wired clients in the WorkGroup Bridge and the wireless network You can click Refresh to refresh the screen and show the most current information Assoc...

Page 22: ... security From Station To Station For the From Station the counters indicate the packets or bytes received by the wireless client For the To Station the counters indicate the number of packets and bytes transmitted from the WAP device to the wireless client Packets Number of packets received transmitted from the wireless client Bytes Number of bytes received transmitted from the wireless client Dr...

Page 23: ...telephone handset that marks its codec generated data packets as voice priority traffic An example of a video traffic stream is a video player application on a wireless laptop that prioritizes a video conference feed from a corporate server To view TSPEC client association statistics select Status and Statistics TSPEC Client Associations in the navigation pane The TSPEC Client Associations page sh...

Page 24: ...he traffic direction for this TS Direction can be one of these options uplink From client to device downlink From device to client bidirectional From Station Shows the number of packets and bytes received from the wireless client and the number of packets and bytes that were dropped after being received Packets Number of packets in excess of an admitted TSPEC Bytes Number of bytes when no TSPEC ha...

Page 25: ...information for the WLAN Radio and VAP interfaces Network Interface Name of the Radio or VAP interface Access Category Current Access Category associated with this Traffic Stream voice or video Status Whether the TSPEC session is enabled up or not down for the corresponding Access Category NOTE Status is a configuration status it does not necessarily represent the current session activity Active T...

Page 26: ... this WAP device for this VAP Total Video Packets Total number of TS video packets sent in Transmit table or received in Received table by this WAP device for this VAP Total Video Bytes Total TS video bytes sent in Transmit table or received in Received table by this WAP device for this VAP You can click Refresh to refresh the screen and show the most current information TSPEC AP Statistics The TS...

Page 27: ...f packets transmitted by the WAP device that were dropped Bytes Receive Dropped Number of bytes received by the WAP device that were dropped Bytes Transmit Dropped Number of bytes transmitted by the WAP device that were dropped Fragments Received Number of fragmented frames received by the WAP device Fragments Transmitted Number of fragmented frames sent by the WAP device Multicast Frames Received...

Page 28: ...ame Multiple Retry Count Number of times an MSDU is successfully transmitted after more than one retry Frames Transmitted Count Count of each successfully transmitted MSDU You can click Refresh to refresh the screen and show the most current information Email Alert Status The Email Alert Status page provides information about the email alerts sent based on the syslog messages generated in the WAP ...

Page 29: ...wn Older entries are removed from the list as needed to make room for new events To view the Log page select Status and Statistics Log Status in the navigation pane Time Stamp The system time when the event occurred Severity Whether the event is due to an error err or is informational info Service The software component associated with the event Description A description of the event You can click...

Page 30: ...ings and perform diagnostics It contains these topics System Settings User Accounts Time Settings Log Settings Email Alert HTTP HTTPS Service Management Access Control Upgrade Firmware Firmware Recovery Download Backup Configuration File Configuration Files Properties Copy Save Configuration Reboot Discovery Bonjour Packet Capture Support Information ...

Page 31: ...ls can contain only letters digits and hyphens Host Name labels cannot begin or end with a hyphen No other symbols punctuation characters or blank spaces are permitted The Host Name can be 1 to 63 characters long System Contact A contact person for the WAP device The System Contact can be 0 to 255 characters long and can include spaces and special characters System Location Description of the phys...

Page 32: ... Only numbers 0 to 9 and letters a to z upper or lower are allowed for user names STEP 5 Enter a New Password between 1 and 64 characters and then enter the same password in the Confirm New Password text box As you enter a password the number and color of vertical bars changes to indicate the password strength as follows Red The password fails to meet the minimum complexity requirements Orange The...

Page 33: ... meets the minimum complexity requirements but the password strength is weak Green The password is strong STEP 4 Click Save The changes are saved to the Startup Configuration NOTE If you change your password you must log in again to the system Time Settings A system clock provides a network synchronized time stamping service for software events such as message logs You can configure the system clo...

Page 34: ...light Savings Start Select the week day month and time when daylight savings time starts Daylight Savings End Select the week day month and time when daylight savings time ends Daylight Savings Offset Specify the number of minutes to move the clock forward when daylight savings time begins and backward when it ends STEP 4 Click Save The changes are saved to the Startup Configuration To manually co...

Page 35: ... However log messages are erased when the system reboots unless you enable persistent logging CAUTION Enabling persistent logging can wear out the flash nonvolatile memory and degrade network performance Only enable persistent logging to debug a problem Make sure that you disable persistent logging after you finish debugging the problem To configure persistent logging STEP 1 Select Administration ...

Page 36: ...ion Remote Log Server The Kernel Log is a comprehensive list of system events shown in the System Log and kernel messages such as error conditions You cannot view kernel log messages directly from the web interface You must first set up a remote log server to receive and capture logs Then you can configure the WAP device to log to the remote log server Remote log server collection for WAP device s...

Page 37: ...ing on your configurations If you disabled a Remote Log host clicking Save disables remote logging NOTE After new settings are saved the corresponding processes may be stopped and restarted When this happens the WAP device may lose connectivity We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients Email Alert Use the email alert featur...

Page 38: ...e configured email address immediately Select from these values None Emergency Alert Critical Error Warning Notice Info and Debug If set to None then no urgent severity messages are sent The default is Alert STEP 3 In the Mail Server Configuration area configure these parameters Server IPv4 Address Name Enter the IP address or hostname of the outgoing SMTP server You can check with your email prov...

Page 39: ... character alphanumeric string STEP 5 Click Test Mail to send a test email to validate the configured email account STEP 6 Click Save The changes are saved to the Startup Configuration Email Alert Examples The following example shows how to fill in the Mail Server Configuration parameters Gmail Server IPv4 Address Name smtp gmail com Data Encryption TLSv1 Port 465 Username Your full email address ...

Page 40: ...rvice page to enable and configure web based management connections If HTTPS is used for secure management sessions you also use the HTTP HTTPS Service page to manage the required SSL certificates Configuring HTTP and HTTPS Services To configure HTTP and HTTP services STEP 1 Select Administration HTTP HTTPS Service in the navigation pane STEP 2 Configure these Global Settings Maximum Sessions The ...

Page 41: ...logical port number to use for HTTP connections from 1025 to 65535 The default port number for HTTP connections is the well known IANA port number 443 Redirect HTTP to HTTPS Redirects management HTTP access attempts on the HTTP port to the HTTPS port This field is available only when HTTP access is disabled STEP 4 Click Save The changes are saved to the Startup Configuration Managing SSL Certifica...

Page 42: ... upload a certificate file with a pem extension from your computer to the WAP device In the Upload SSL Certificate From PC to Device area select HTTP or TFTP for the Upload Method For HTTP browse to the network location select the file and click Upload For TFTP enter the File Name as it exists on the TFTP server and the TFTP Server IPv4 Address then click Upload The filename cannot contain the fol...

Page 43: ...nter up to five IPv4 and five IPv6 addresses that will be allowed access STEP 4 Verify the IP addresses are correct STEP 5 Click Save The changes are saved to the Startup Configuration Upgrade Firmware As new versions of the WAP device firmware become available you can upgrade the firmware on your devices to take advantage of new features and enhancements The WAP device uses a TFTP or HTTP client ...

Page 44: ... and two or more successive periods STEP 4 Enter the TFTP Server IPv4 Address and click Upgrade Uploading the new software may take several minutes Do not refresh the page or navigate to another page while uploading the new software or the software upload is aborted When the process is complete the access point restarts and resumes normal operation STEP 5 To verify that the firmware upgrade comple...

Page 45: ... not usable the boot loader file that loads the firmware image from flash memory to RAM should continue to be functional An HTTP server is embedded in the boot loader file enabling the administrator to connect to the WAP device over the LAN port and use a web browser to download and install a new firmware image The WAP device enters the HTTP firmware recovery mode when it is booted and the boot lo...

Page 46: ...ul download 100 Complete File downloaded successfully Please wait while the file is being written to flash System will automatically reboot The file selected by administrator is downloaded to RAM and is validated for the following conditions The CRC of the file is good The STK file is built for this platform The STK file size is within the partition limits 4 5 MB is reserved for this file If these...

Page 47: ...r Configuration file is a snapshot of a past Startup Configuration The Mirror Configuration is preserved across factory resets so it can be used to recover a system configuration after a factory reset by copying the Mirror Configuration to the Startup Configuration NOTE In addition to downloading and uploading these files to another system you can copy them to different file types on the WAP devic...

Page 48: ...tion to the Startup Configuration STEP 7 Click Save to begin the backup For HTTP backups a window appears to enable you to browse to the desired location for saving the file Downloading a Configuration File You can download a file to the WAP device to update the configuration or to restore the WAP device to a previously backed up configuration To download a configuration file to the WAP device STE...

Page 49: ...n file the file is lost and the process must be restarted Configuration Files Properties The Configuration Files Properties page enables you to clear the Startup or Backup Configuration file If you clear the Startup Configuration file the Backup Configuration file becomes active the next time that you reboot the WAP device To delete the Startup Configuration or Backup Configuration file STEP 1 Sel...

Page 50: ...Mirror Configuration is preserved across factory resets so it can be used to recover a system configuration after a factory reset by copying the Mirror Configuration to the Startup Configuration STEP 3 For the Destination File Name select the file type to be replaced with the file you are copying STEP 4 Click Save to begin the copy process When complete a window shows the message Copy Operation Su...

Page 51: ... any Bonjour client can discover and get access to the configuration utility without prior configuration A system administrator can use an installed Internet Explorer plug in to discover the WAP device The web based configuration utility shows up as a tab in the browser Bonjour works in both IPv4 and IPv6 networks To enable the WAP device to be discovered through Bonjour STEP 1 Select Administrati...

Page 52: ... Capture to show the Packet Capture page From the Packet Capture page you can Configure packet capture parameters Start a local or remote packet capture View the current packet capture status Download a packet capture file Packet Capture Configuration The Packet Capture Configuration area enables you to configure parameters and initiate a packet capture To configure packet capture settings STEP 1 ...

Page 53: ... time to an external computer running the Wireshark tool STEP 2 Depending on the selected method refer to the steps in the Local Packet Capture or Remote Packet Capture section to continue NOTE Changes to packet capture configuration parameters take affect after packet capture is restarted Modifying the parameters while the packet capture is running does not affect the current packet capture sessi...

Page 54: ... capture file reaches its maximum size The administrator stops the capture The Packet Capture Status area of the page shows the status of a packet capture if one is active on the WAP device Current Capture Status Whether packet capture is running or stopped Packet Capture Time Elapsed capture time Packet Capture File Size The current capture file size Click Refresh to show the latest data from the...

Page 55: ...ministration Packet Capture STEP 2 Enable Promiscuous Capture STEP 3 For the Packet Capture Method select Remote STEP 4 For the Remote Capture Port use the default port 2002 or if you are using a port other than the default enter the desired port number used for connecting Wireshark to the WAP device The port range is from 1025 to 65530 STEP 5 If you want to save the settings for use at another ti...

Page 56: ... you must start a separate Wireshark session for each interface To initiate additional remote capture sessions repeat the Wireshark configuration steps no configuration needs to be done on the WAP device NOTE The system uses four consecutive port numbers starting with the configured port for the remote packet capture sessions Verify that you have four consecutive port numbers available We recommen...

Page 57: ...acket capture feature can create a security issue Unauthorized clients may be able to connect to the WAP device and trace user data The performance of the WAP device also is negatively impacted during packet capture and this impact continues to a lesser extent even when there is no active Wireshark session To minimize the performance impact on the WAP device during traffic capture install capture ...

Page 58: ...lick OK A dialog box displays that enables you to choose a network location to save the file Support Information The Support Information page enables you to download a text file that contains detailed configuration information about the AP The file includes software and hardware version information MAC and IP addresses the administrative and operational status of features user configured settings ...

Page 59: ...tings in the navigation area The Operational Status area shows the type of port used for the LAN port and the Link characteristics as configured in the Administrative Settings area If the settings change through configuration or auto negotiation you can click Refresh to show the latest settings STEP 2 Enable or disable Auto Negotiation When enabled the port negotiates with its link partner to set ...

Page 60: ...t LAN VLAN and IPv4 Address in the navigation area The page shows Global Settings and IPv4 Settings The Global Settings area shows the MAC address of the LAN interface port This field is read only STEP 2 Configure these Global Settings Untagged VLAN Enables or disables VLAN tagging When enabled the default all traffic is tagged with a VLAN ID By default all traffic on the access point uses VLAN 1 ...

Page 61: ...from the list DHCP The WAP device acquires its IP address from a DHCP server on the LAN Static IP You manually configure the IPv4 address The IPv4 address should be in a form similar to xxx xxx xxx xxx 192 0 2 10 Static IP Address Subnet Mask and Default Gateway If you elected to assign a static IP address enter the IP information Domain Name Servers Select an option from the list Dynamic The WAP ...

Page 62: ...have multiple autoconfigured IPv6 addresses Static IPv6 Address The static IPv6 address The WAP device can have a static IPv6 address even if addresses have already been configured automatically Static IPv6 Address Prefix Length The prefix length of the static address which is an integer in the range of 0 to 128 The default is 0 Static IPv6 Address Status One of the following values appears Operat...

Page 63: ...ateway IPv6 DNS Nameservers Select one of the following values Dynamic The DNS name servers are learned dynamically through DHCPv6 Manual You specify up to two IPv6 DNS name servers in the fields provided STEP 3 Click Save The changes are saved to the Startup Configuration NOTE After new settings are saved the corresponding processes may be stopped and restarted When this happens the WAP device ma...

Page 64: ...topics Radio Rogue AP Detection Networks Scheduler Scheduler Association Bandwidth Utilization MAC Filtering WDS Bridge WorkGroup Bridge Quality of Service WPS Setup WPS Process Radio Radio settings directly control the behavior of the radio in the WAP device and its interaction with the physical medium that is how and what type of signal the WAP device emits To configure radio settings ...

Page 65: ...requency the radio uses Select one of the available modes 802 11a Only 802 11a clients can connect to the WAP device 802 11b g 802 11b and 802 11g clients can connect to the WAP device 802 11a n 802 11a clients and 802 11n clients operating in the 5 GHz frequency can connect to the WAP device 802 11b g n default 802 11b 802 11g and 802 11n clients operating in the 2 4 GHz frequency can connect to ...

Page 66: ...ns available channels and selects a channel where the least amount of traffic is detected Each mode offers a number of channels depending on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission FCC or the International Telecommunication Union ITU R STEP 4 In the Advanced Settings area configure these settings Short Guard Interval Supp...

Page 67: ... behavior is to send a beacon frame once every 100 milliseconds or 10 per second Enter an integer from 20 to 2000 milliseconds The default is 100 milliseconds DTIM Period The Delivery Traffic Information Map DTIM period Enter an integer from 1 to 255 beacons The default is 2 beacons The DTIM message is an element included in some Beacon frames It indicates which client stations currently sleeping ...

Page 68: ...n an MPDU below which an RTS CTS handshake is not performed Changing the RTS threshold can help control traffic flow through the WAP device especially one with a lot of clients If you specify a low threshold value RTS packets are sent more frequently which consumes more bandwidth and reduces the throughput of the packet However sending more RTS packets can help the network recover from interferenc...

Page 69: ... automatically chooses the most efficient rate based on factors such as error rates and the distance of client stations from the WAP device Basic Rate Sets indicate rates that the WAP device advertises to the network for the purposes of setting up communication with other access points and client stations on the network It is generally more efficient to have a WAP device broadcast a subset of its ...

Page 70: ...se this setting if the WAP device handles traffic from QoS capable devices such as a Wi Fi CERTIFIED phone Off The WAP device ignores TSPEC requests from client stations Use this setting if you do not want to use TSPEC to give QoS capable devices priority for time sensitive traffic TSPEC Voice ACM Mode Regulates mandatory admission control ACM for the voice access category By default TSPEC Voice A...

Page 71: ...ds and the default is 30 seconds TSPEC Station Inactivity Timeout The amount of time for a WAP device to detect an uplink traffic specification as idle before deleting it The valid integer range is from 0 to 120 seconds and the default is 30 seconds TSPEC Legacy WMM Queue Map Mode Enables or disables the intermixing of legacy traffic on queues operating as ACM By default this mode is off STEP 5 Cl...

Page 72: ...tion and then click Save Information about detected and trusted rogue access points appears You can click Refresh to refresh the screen and show the most current information Action If the AP is in the Detected Rogue AP List you can click Trust to move the AP to the Trusted AP List If the AP is in the Trusted AP list you can click Untrust to move the AP to the Detected Rogue AP List NOTE The Detect...

Page 73: ...e rogue device has some security in place NOTE You can use the Networks page to configure security on the AP WPA Whether WPA security is on or off for the rogue AP Band The IEEE 802 11 mode being used on the rogue AP For example IEEE 802 11a IEEE 802 11b IEEE 802 11g The number shown indicates the mode 2 4 indicates IEEE 802 11b 802 11g or 802 11n mode or a combination of the modes 5 indicates IEE...

Page 74: ...P List click Trust for APs that are known to you The Trusted APs move to the Trusted AP List STEP 2 In the Download Backup Trusted AP List area select Backup AP to PC STEP 3 Click Save The list contains the MAC addresses of all APs that have been added to the Known AP List By default the filename is Rogue2 cfg You can use a text editor or web browser to open the file and view its contents Importin...

Page 75: ...orks Virtual Access Points VAPs segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of Ethernet VLANs VAPs simulate multiple access points in one physical WAP device Up to four VAPs are supported on the WAP121 and up to eight VAPs are supported on the WAP321 Each VAP can be independently enabled or disabled with the exception of VAP0 VAP0 is the physical radio...

Page 76: ...s five active VLANs four for WLAN plus one management VLAN The WAP321 supports nine active VLANs eight for WLAN plus one management VLAN By default the VID assigned to the configuration utility for the WAP device is 1 which is also the default untagged VID If the management VID is the same as the VID assigned to a VAP then the WLAN clients associated with this specific VAP can administer the WAP d...

Page 77: ...u are connected as a wireless client to the same WAP device that you are administering resetting the SSID will cause you to lose connectivity to the WAP device You need to reconnect to the new SSID after you save this new setting Broadcast SSID Enables and disables the broadcast of the SSID Specify whether to allow the WAP device to broadcast the SSID in its beacon frames The Broadcast SSID parame...

Page 78: ...n select one of these types of MAC filtering Disabled Do not use MAC filtering Local Use the MAC Authentication list that you configure on the MAC Filtering page RADIUS Use the MAC Authentication list on an external RADIUS server Channel Isolation Enables and disables station isolation When disabled wireless clients can communicate with one another normally by sending traffic through the WAP devic...

Page 79: ...ic WEP Wired Equivalent Privacy WEP is a data encryption protocol for 802 11 wireless networks All wireless stations and access points on the network are configured with a static 64 bit 40 bit secret key 24 bit initialization vector IV or 128 bit 104 bit secret key 24 bit IV Shared Key for data encryption Static WEP is not the most secure mode available but it offers more protection than setting t...

Page 80: ...atically based on how you set the key length and key type 802 1X Authentication The authentication algorithm defines the method used to determine whether a client station is allowed to associate with WAP device when static WEP is the security mode Specify the authentication algorithm you want to use by choosing one of these options Open System authentication allows any client station to associate ...

Page 81: ... as WEP key 3 then the client stations must define that same string as WEP key 3 Client stations can use different keys to transmit data to the access point Or they can all use the same key but using the same key is less secure because it means one station can decrypt the data being sent by another On some wireless client software you can configure multiple WEP keys and define a client station tra...

Page 82: ...rver for the VAP uncheck the check box and enter the RADIUS server IP address and key in these fields Server IP Address Type The IP version that the RADIUS server uses You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings but the WAP device contacts only the RADIUS server or servers for the address type you select in this field Server IP Address 1 or Se...

Page 83: ...he WAP device attempt to contact each configured server in sequence and choose the first server that is up Broadcast Key Refresh Rate The interval at which the broadcast group key is refreshed for clients associated with this VAP The default is 300 The valid range is from 0 to 86400 seconds A value of 0 indicates that the broadcast key is not refreshed Session Key Refresh Rate The interval at whic...

Page 84: ...associate with the WAP device A valid TKIP key A valid AES CCMP key Clients not configured to use WPA Personal are not able to associate with the WAP device Key The shared secret key for WPA Personal security Enter a string of at least 8 characters to a maximum of 63 characters Acceptable characters include uppercase and lowercase alphabetic letters the numeric digits and special symbols such as a...

Page 85: ...have a mix of clients some of which support WPA2 and others which support only the original WPA select both WPA and WPA2 This setting lets both WPA and WPA2 client stations associate and authenticate but uses the more robust WPA2 for clients who support it This WPA configuration allows more interoperability in place of some security Enable pre authentication If for WPA Versions you select only WPA...

Page 86: ...ver or servers for the address type that you select in this field Server IP Address 1 or Server IPv6 Address 1 The address for the primary RADIUS server for this VAP If IPv4 is selected as the Server IP Address Type enter the IP address of the RADIUS server that all VAPs use by default for example 192 168 10 23 If IPv6 is selected enter the IPv6 address of the primary global RADIUS server for exam...

Page 87: ...al at which the WAP device refreshes session unicast keys for each client associated with the VAP The valid range is from 0 to 86400 seconds A value of 0 indicates that the session key is not refreshed Scheduler The Radio and VAP Scheduler allows you to configure a rule with a specific time interval for VAPs or radios to be operational which automates the enabling or disabling of the VAPs and radi...

Page 88: ...er a profile name in the Scheduler Profile Configuration text box and click Add The profile name can be up to 32 alphanumeric characters Configuring Scheduler Rules You can configure up to 16 rules for a profile Each rule specifies the start time end time and day or days of the week the radio or VAP can be operational The rules are periodic in nature and are repeated every week A valid rule must c...

Page 89: ...o be in effect See the Scheduler Association page NOTE To delete a rule select the profile from the Profile Name column and click Delete Scheduler Association The Scheduler profiles need to be associated with the WLAN interface or a VAP interface to be effective By default there are no Scheduler profiles created and no profile is associated with any radio or VAP Only one Scheduler profile can be a...

Page 90: ...he changes are saved to the Startup Configuration NOTE After new settings are saved the corresponding processes may be stopped and restarted When this happens the WAP device may lose connectivity We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients MAC Filtering Media Access Control MAC filtering can be used to exclude or allow only l...

Page 91: ...MAC address to allow or block and click Add The MAC address appears in the Stations List STEP 4 Continue entering MAC addresses until the list is complete and then click Save The changes are saved to the Startup Configuration NOTE To remove a MAC address from the Stations List select it and then click Remove NOTE After new settings are saved the corresponding processes may be stopped and restarted...

Page 92: ...ode one WAP device acts as the common link between multiple access points In this mode the central WAP device accepts client associations and communicates with the clients and other repeaters All other access points associate only with the central WAP device that forwards the packets to the appropriate wireless bridge for routing purposes The WAP device can also act as a repeater In this mode the ...

Page 93: ...P device To configure a WDS bridge STEP 1 Select Wireless WDS Bridge in the navigation pane STEP 2 Select Enable for Spanning Tree Mode When enabled STP helps prevent switching loops STP is recommended if you configure WDS links STEP 3 Select Enable for WDS Interface STEP 4 Configure the remaining parameters Remote MAC Address Specifies the MAC address of the destination WAP device that is the WAP...

Page 94: ...ocesses may be stopped and restarted When this happens the WAP device may lose connectivity We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients WEP on WDS Links These additional fields appear when you select WEP as the encryption type Key Length If WEP is enabled specify the length of the WEP key as 64 bits or 128 bits Key Type If WE...

Page 95: ...twork In WorkGroup Bridge mode the WAP device acts as a wireless station STA on the wireless LAN It can bridge traffic between a remote wired network or associated wireless clients and the wireless LAN that is connected using the WorkGroup Bridge mode The WorkGroup Bridge feature enables support for STA mode and AP mode operation simultaneously The WAP device can operate in one Basic Service Set B...

Page 96: ...interface should match that of the infrastructure client interface WorkGroup Bridge mode can be used as range extender to enable the BSS to provide access to remote or hard to reach networks A single radio can be configured to forward packets from associated STAs to another WAP device in the same ESS without using WDS Before you configure WorkGroup Bridge on the WAP device note these guidelines Al...

Page 97: ...tials The WAP device may obtain its IP address from a DHCP server on the upstream link Alternatively you can assign a static IP address The Connection Status field indicates whether the WAP is connected to the upstream WAP device You can click the Refresh button at the top of the page to view the latest connection status STEP 4 Configure the following additional fields for the Access Point Interfa...

Page 98: ...he Startup Configuration The associated downstream clients now have connectivity to the upstream network Quality of Service The quality of service QoS settings provide you with the ability to configure transmission queues for optimized throughput and better performance when handling differentiated wireless traffic such as Voice over IP VoIP other types of audio video streaming media and traditiona...

Page 99: ...treaming media are automatically sent to this queue Data 1 Video High priority queue minimum delay Time sensitive video data is automatically sent to this queue Data 2 Best Effort Medium priority queue medium throughput and delay Most traditional IP data is sent to this queue Data 3 Background Lowest priority queue high throughput Bulk data that requires maximum throughput and is not time sensitiv...

Page 100: ...mum burst length allowed for packet bursts on the wireless network A packet burst is a collection of multiple frames transmitted without header information The decreased overhead results in higher throughput and better performance Valid values are 0 0 through 999 Wi Fi MultiMedia WMM Select Enable to enable Wi Fi MultiMedia WMM extensions This field is enabled by default With WMM enabled QoS prior...

Page 101: ...that you change WAP device settings when a loss of connectivity will least affect your wireless clients WPS Setup This section describes the Wi Fi Protected Setup WPS protocol and its configuration on the WAP device WPS Overview WPS is a standard that enables simple establishment of wireless networks without compromising network security It relieves both the wireless client users and the WAP devic...

Page 102: ... triggers the device enrollment The new enrollee and the WAP device exchange WPS messages including a new security configuration disassociate reassociate and authenticate A WAP device administrator purchases a new WAP device that has been certified by the Wi Fi Alliance to be compliant with WPS version 2 0 and wishes to add the WAP device to an existing wired or wireless network The administrator ...

Page 103: ...dentials to enrollees and configures APs The WAP devices act as AP devices and support a built in registrar They do not function as an enrollee Enabling and Disabling WPS on a VAP The administrator can enable or disable WPS on only one VAP WPS is operational only if this VAP meets these conditions The WAP device is configured to broadcast the VAP SSID MAC address filtering is disabled on the VAP W...

Page 104: ...ion Number PIN method The PBC method is when the user of a prospective client pushes a button on the enrolling device and the administrator of the WAP device with an enabled built in registrar pushes a similar hardware or software button This sequence begins the enrollment process and the client device joins the network Although the Cisco WAP devices do not support an actual hardware button the ad...

Page 105: ...lue in NVRAM is corrupted erased or missing a new PIN is generated by the WAP device and stored in NVRAM The PIN method of enrollment is potentially vulnerable by way of brute force attacks A network intruder could try to pose as an external registrar on the wireless LAN and attempt to derive the PIN value of the WAP device by exhaustively applying WPS compliant PINs To address this vulnerability ...

Page 106: ...d wireless LAN On the WLAN external registrars advertise their capabilities within WPS specific Information Elements IEs of their beacon frames on the wired LAN external registrars announce their presence through UPnP WPS v2 0 does not require registration with an ER through the user interface The administrator can register the WAP device with an ER by STEP 1 Entering the ER PIN on the WAP device ...

Page 107: ...ees and registrars that are certified by the Wi Fi Alliance to conform to version 1 0 of the WPS protocol Configuring WPS Settings You can use the WPS Setup page to enable the WAP device as a WPS capable device and configure basic settings When you are ready to use the feature to enroll a new device or add the WAP device to a WPS enabled network use the WPS Process page CAUTION For security reason...

Page 108: ...Built in Registrar Enables the built in registrar function When enabled enrollees typically WLAN clients can register with the WAP device When disabled the registrar functionality in the WAP device is turned off and the enrollee needs to register with another registrar on the network In this case another device on the network acts as the registrar and the WAP device serves as a proxy for forwardin...

Page 109: ...ear AP Lockdown Duration The duration in minutes for which the WAP is locked When the WAP is permanently locked this value is set to 1 AP Lockdown Timestamp The time when the WAP device was locked You can click Refresh to update the page with the most recent status information WPS Process You can use the WPS Process page to use WPA to enroll a client station on the network You can enroll a client ...

Page 110: ... for security reasons as it enables the client to configure the SSID and security settings on the AP The administrator should only share the PIN with trusted devices Enrolling a Client Using the Push Button Method To enroll a client station using the push button method STEP 1 Click Start next to PBC Enrollment STEP 2 Push the hardware button on the client station NOTE You can alternatively initiat...

Page 111: ...nt WPS transaction The possible values are Disabled Ready Configuring Proxying and Adding Enrollee When no WPS transactions have occurred since WPS was enabled Ready appears AP Lockdown Status Whether the instance is currently in lockdown state Failed Attempts with Invalid PIN The number of times an attempt at authenticating an external registrar has failed due to an invalid password Viewing Insta...

Page 112: ...DIUS server to authenticate clients The MAC address filtering feature where client access is restricted to a list may also be configured to use a RADIUS server to control access The Captive Portal feature also uses RADIUS to authenticate clients You can use the Radius Server page to configure the RADIUS servers that are used by these features You can configure up to four globally available IPv4 or...

Page 113: ...nt to the address specified Server IP Address 2 through 4 or Server IPv6 Address 2 through 4 Up to three backup IPv4 or IPv6 RADIUS server addresses If authentication fails with the primary server each configured backup server is tried in sequence Key 1 The shared secret key that the WAP device uses to authenticate to the primary RADIUS server You can use from 1 to 64 standard alphanumeric and spe...

Page 114: ...ertificate File Status and Certificate File Upload The Supplicant Configuration area enables you to configure the 802 1X operational status and basic settings STEP 1 Select System Security 802 1X Supplicant in the navigation pane STEP 2 Enter the parameters Administrative Mode Enables the 802 1X supplicant functionality EAP Method The algorithm to be used for encrypting authentication user names a...

Page 115: ... affect your wireless clients The Certificate File Status area shows whether a current certificate exists Certificate File Present Indicates whether the HTTP SSL Certificate file is present The field shows Yes if it is present The default setting is No Certificate Expiration Date Indicates when the HTTP SSL Certificate file will expire The range is a valid date The Certificate File Upload area ena...

Page 116: ...he four possible character classes are uppercase letters lowercase letters numbers and special characters available on a standard keyboard Password Different From Current Select to have users enter a different password when their current password expires If not selected users can reenter the same password when it expires Maximum Password Length The maximum password character length is a range from...

Page 117: ... uncheck the box none of these settings are used WPA PSK Complexity is disabled by default STEP 3 Configure the parameters WPA PSK Minimum Character Class The minimum number of character classes that must be represented in the key string The four possible character classes are uppercase letters lowercase letters numbers and special characters available on a standard keyboard Three is the default W...

Page 118: ...QoS Global Settings page to enable or disable quality of service functionality on the WAP device If you disable Client QoS Mode all ACLs rate limiting and DiffServ configurations are globally disabled If you enable this mode you can also enable or disable Client QoS mode on particular VAPs See the Client QoS Mode setting on the Client QoS Association page ACL ACLs are a collection of permit and de...

Page 119: ...ecommended to add a permit rule within the ACL to allow traffic MAC ACLs MAC ACLs are Layer 2 ACLs You can configure the rules to inspect fields of a frame such as the source or destination MAC address the VLAN ID or the class of service When a frame enters or exits the WAP device port depending on whether the ACL is applied in the up or down direction the WAP device inspects the frame and checks ...

Page 120: ...ACL The page shows additional fields for configuring the ACL STEP 4 Configure the rule parameters ACL Name ACL Type The ACL to configure with the new rule The list contains all ACLs added in the ACL Configuration section Rule The action to be taken Select New Rule to configure a new rule for the selected ACL If rules already exist even if created for use with other ACLs you can select the rule num...

Page 121: ...field in IPv6 packets If you select Protocol select one of these options Select From List Select one of these protocols IP ICMP IGMP TCP or UDP Match to Value Enter a standard IANA assigned protocol ID from 0 to 255 Choose this method to identify a protocol not listed by name in the Select From List Source IP Address Requires a packet s source IP address to match the address listed here Enter an I...

Page 122: ...sk of 255 255 255 255 indicates that no bit is important A wildcard of 0 0 0 0 indicates that all bits are important This field is required when Source IP Address is selected A wildcard mask is basically the inverse of a subnet mask For example to match the criteria to a single host address use a wildcard mask of 0 0 0 0 To match the criteria to a 24 bit subnet for example 192 168 10 0 24 use a wi...

Page 123: ...iated Services Code Point DSCP value IP TOS Mask Enter an IP TOS Mask value to identify the bit positions in the IP TOS Bits value that are used for comparison against the IP TOS field in a packet The IP TOS Mask value is a two digit hexadecimal number from 00 to FF representing an inverted that is wildcard mask The zero valued bits in the IP TOS Mask denote the bit positions in the IP TOS Bits va...

Page 124: ...number IPv6 Flow Label A 20 bit number that is unique to an IPv6 packet It is used by end stations to signify QoS handling in routers range 0 to 1048575 IP DSCP Matches packets based on their IP DSCP value If selected choose one of these options as the match criteria Select From List DSCP Assured Forwarding AS Class of Service CS or Expedited Forwarding EF values Match to Value A custom DSCP value...

Page 125: ...MAC Address Select this field and enter the destination MAC address to compare against an Ethernet frame Destination MAC Mask Enter the destination MAC address mask to specify which bits in the destination MAC to compare against an Ethernet frame For each bit position in the MAC mask a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored F...

Page 126: ...edia any degradation of service has undesirable effects A DiffServ configuration begins with defining class maps which classify traffic according to their IP protocol and other criteria Each class map can then be associated with a policy map which defines how to handle the traffic class Classes that include time sensitive traffic can be assigned to policy maps that give precedence over other traff...

Page 127: ...r 3 packet When selected all Layer 3 packets will match the condition Protocol Use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field in IPv6 packets If you select this field choose the protocol to match by keyword or enter a protocol ID Select From List Match the selected protocol IP ICMP IPv6 ICMPv6 IGMP TCP UDP Matc...

Page 128: ...ask of 255 255 255 255 indicates that all bits are important and a mask of 0 0 0 0 indicates that no bits are important The opposite is true with an ACL wildcard mask For example to match the criteria to a single host address use a mask of 255 255 255 255 To match the criteria to a 24 bit subnet for example 192 168 10 0 24 use a mask of 255 255 255 0 Destination IPv6 Prefix Length IPv6 only The pr...

Page 129: ...nd includes three different types of ports 0 to 1023 Well Known Ports 1024 to 49151 Registered Ports 49152 to 65535 Dynamic and or Private Ports EtherType Compares the match criteria against the value in the header of an Ethernet frame Select an EtherType keyword or enter an EtherType value to specify the match criteria Select from List Matches the Ethertype in the datagram header with the selecte...

Page 130: ...sed A MAC mask of 00 00 00 00 00 00 checks all address bits and is used to match a single MAC address VLAN ID A VLAN ID to be matched for packets The VLAN ID range is from 0 to 4095 The following Service Type fields show for IPv4 only You can specify one type of service to use in matching packets to class criteria IP DSCP A differentiated services code point DSCP value to use as a match criterion ...

Page 131: ... page refreshes with additional fields for configuring the policy map STEP 4 In the Policy Class Definition area ensure that the newly created policy map shows in the Policy Map Name list STEP 5 In the Class Map Name list select the class map to apply this policy STEP 6 Configure the parameters Police Simple Establishes the traffic policing style for the class The simple form of the policing style...

Page 132: ... Map Name list Member Classes Lists all DiffServ classes currently defined as members of the selected policy If no class is associated with the policy the field is empty STEP 7 Click Save The changes are saved to the Startup Configuration NOTE To delete a policy map select it in the Policy Map Name list and click Delete Client QoS Association The Client QoS Association page provides additional con...

Page 133: ... valid range is from 0 to 300 Mbps ACL Type Down The type of ACL to apply to traffic in the outbound WAP device to client direction which can be one of these options IPv4 The ACL examines IPv4 packets for matches to ACL rules IPv6 The ACL examines IPv6 packets for matches to ACL rules MAC The ACL examines Layer 2 frames for matches to ACL rules ACL Name Down The name of the ACL applied to traffic ...

Page 134: ... Client QoS Status in the navigation pane Use these fields to configure Client QoS Status Station The Station menu contains the MAC address of each client currently associated with the WAP device To view the QoS settings applied to a client select its MAC address from the list Global QoS Mode Whether QoS is enabled globally on the WAP device This status is configured on the Client QoS Association ...

Page 135: ...d WAP to client direction which can be one of these options IPv4 The ACL examines IPv4 packets for matches to ACL rules IPv6 The ACL examines IPv6 packets for matches to ACL rules MAC The ACL examines Layer 2 frames for matches to ACL rules ACL Name Down The name of the ACL applied to traffic in the outbound direction After switching the packet or frame to the outbound interface the ACL rules are ...

Page 136: ...P facilitates network management troubleshooting and maintenance The WAP device supports SNMP versions 1 2 and 3 Unless specifically noted all configuration parameters apply to SNMPv1 and SNMPv2c only Key components of any SNMP managed network are managed devices SNMP agents and a management system The agents store data about their devices in Management Information Bases MIBs and return this data ...

Page 137: ...ity name acts as a simple authentication feature to restrict the machines on the network that can request data to the SNMP agent The name functions as a password and the request is assumed to be authentic if the sender knows the password Read write Community A read write community name to be used for SNMP set requests The valid range is from 1 to 256 alphanumeric and special characters Setting a c...

Page 138: ...e the machines with addresses from 192 168 1 1 through 192 168 1 254 can execute SNMP commands on the device The address identified by suffix 0 in a subnetwork range is always reserved for the subnet address and the address identified by 255 in the range is always reserved for the broadcast address As another example if you enter a range of 10 10 1 128 25 machines with IP addresses from 10 10 1 12...

Page 139: ...may lose connectivity We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients Views An SNMP MIB view is a family of view subtrees in the MIB hierarchy A view subtree is identified by the pairing of an Object Identifier OID subtree value with a bit string mask value Each MIB view is defined by two sets of view subtrees included in or excl...

Page 140: ... a colon Only hex characters are accepted in this field For example OID mask FA 80 is 11111010 10000000 A family mask is used to define a family of view subtrees The family mask indicates which subidentifiers of the associated family OID string are significant to the family s definition A family of view subtrees enables efficient control access to one row in a table STEP 4 Click Save The view is a...

Page 141: ... configure an SNMP group STEP 1 Select SNMP Groups in the navigation pane STEP 2 Click Add to create a new row in the SNMPv3 Groups table STEP 3 Check the box for the new group and click Edit STEP 4 Configure the parameters Group Name A name that identifies the group The default group names are RO and RW Group names can contain up to 32 alphanumeric characters Security Level Sets the security leve...

Page 142: ... group in the list and click Delete Users You can use the SNMP Users page to define users associate a security level to each user and configure security keys per user Each user is mapped to an SNMPv3 group either from the predefined or user defined groups and optionally is configured for authentication and encryption For authentication only the MD5 type is supported For encryption only the DES typ...

Page 143: ...y to use on SNMP requests from the user which can be one of these options DES Use DES encryption on SNMPv3 requests from the user None SNMPv3 requests from this user require no privacy Encryption Pass Phrase If you specify DES as the privacy type A pass phrase to use to encrypt the SNMP requests The pass phrase must be between 8 and 32 characters in length STEP 5 Click Save The user is added to th...

Page 144: ...k Edit STEP 4 Configure the parameters IP Address Enter the IPv4 address of the remote SNMP manager to receive the target UDP Port Enter the UDP port to use for sending SNMPv3 targets Users Enter the name of the SNMP user to associate with the target To configure SNMP users see the Users page STEP 5 Click Save The user is added to the SNMPv3 Targets list and your changes are saved to the Startup C...

Page 145: ...horized Captive Portal groups or users before access is granted The database can be stored locally on the WAP device or on a RADIUS server Captive Portal consists of two CP instances Each instance can be configured independently with different verification methods for each VAP or SSID Cisco WAP321 devices operate concurrently with some VAPs configured for CP authentication and other VAPs configure...

Page 146: ... to refresh the web authentication page The default authentication timeout is 300 seconds The range is from 60 to 600 seconds Additional HTTP Port HTTP traffic uses the HTTP management port which is 80 by default You can configure an additional port for HTTP traffic Enter a port number between 1025 and 65535 or 80 The HTTP and HTTPs ports cannot be the same Additional HTTPS Port HTTP traffic over ...

Page 147: ...in the navigation pane STEP 2 Ensure that Create is selected from the Captive Port Instances list STEP 3 Enter an Instance Name from 1 to 32 alphanumeric characters and click Save STEP 4 Select the instance name from the Captive Port Instances list The Captive Portal Instance Parameters fields reappear with additional options STEP 5 Configure the parameters Instance ID The instance ID This field i...

Page 148: ...n the Local Users page has precedence over the value configured here unless the value is set to 0 the default A value of 0 indicates to use the instance timeout value Session Timeout The time remaining in seconds for the CP session to be valid After the time reaches zero the client is deauthenticated The range is from 0 to 1440 minutes The default value is 0 Maximum Bandwidth Upstream The maximum ...

Page 149: ... 2001 DB8 CAD5 7D91 When the first wireless client tries to authenticate with a VAP the WAP device sends an authentication request to the primary server If the primary server responds to the authentication request the WAP device continues to use this RADIUS server as the primary server and authentication requests are sent to the specified address Server IP Address 2 through 4 or Server IPv6 Addres...

Page 150: ...he Startup Configuration Web Portal Customization Once your CP instance is associated with a VAP you need to create a locale an authentication web page and map it to the CP instance When a user accesses a VAP that is associated with a captive portal instance the user sees an authentication page You use the Web Portal Customization page to create unique pages for different locales on your network a...

Page 151: ...nd You can click Upload Delete Custom Image to upload images for Captive Portal instances See Uploading and Deleting Images Logo Image Name The image file to show on the top left corner of the page This image is used for branding purposes such as the company logo If you uploaded a custom logo image to the WAP device you can select it from the list Foreground color The HTML code for the foreground ...

Page 152: ...rowser title bar The range is from 1 to 128 characters The default is Captive Portal Browser Content The text that shows in the page header to the right of the logo The range is from 1 to 128 characters The default is Welcome to the Wireless Network Content The instructive text that shows in the page body below the user name and password text boxes The range is from 1 to 256 characters The default...

Page 153: ...letes the current locale STEP 8 Click Save Your changes are saved to the Startup Configuration STEP 9 Click Preview to view the updated page NOTE You can click Preview to show the text and images that have already been saved to the Startup Configuration If you make a change click Save before clicking Preview to see your changes Uploading and Deleting Images When users initiate access to a VAP that...

Page 154: ... Logo Image Name or Account Image fields select the newly uploaded image STEP 7 Click Save NOTE To delete an image on the Web Portal Custom Image page select it from the Delete Web Customization Image list and click Delete You cannot delete the default images Local Groups Each local user is assigned to a user group Each group is assigned to a CP instance The group facilitates managing the assignme...

Page 155: ...ted with a different VAP than guest users You can use the Local Users page to configure up to 128 authorized users in the local database To add and configure a local user STEP 1 Select Captive Portal Local Users in the navigation pane STEP 2 Enter a User Name and click Save Additional fields appear to configure the user STEP 3 Enter the parameters User Password Enter the password from 8 to 64 alph...

Page 156: ...ad speed in megabits per second that a client can receive traffic when using the captive portal This setting limits the bandwidth used to receive data from the network The range is from 0 to 300 Mbps The default is 0 Delete User Deletes the current user STEP 4 Click Save The changes are saved to the Startup Configuration Authenticated Clients The Authenticated Clients page provides information abo...

Page 157: ...the client dissociates from the CP After the time reaches zero the client is deauthenticated Received Packets The number of IP packets received by the WAP device from the user station Transmitted Packets The number of IP packets transmitted from the WAP device to the user station Received Bytes The number of bytes received by the WAP device from the user station Transmitted Bytes The number of byt...

Page 158: ...local database to authenticated users RADIUS The WAP device uses a database on a remote RADIUS server to authenticate users VAP ID The VAP that the user is associated with Radio ID The ID of the radio Because the WAP321 has a single radio this field shows Radio1 Captive Portal ID The ID of the Captive Portal instance to which the user is associated Failure Time The time that the authentication fai...

Page 159: ...l wireless services across multiple devices You use Single Point Setup to create a single group or cluster of wireless devices After the WAP devices are clustered you can view deploy configure and secure the wireless network as a single entity After a wireless cluster is created Single Point Setup also facilitates channel planning across your wireless services to reduce radio interference and maxi...

Page 160: ...er they are manually set or set by default are propagated to other devices as they join the cluster To form a cluster make sure the following prerequisites or conditions are met STEP 1 Plan your Single Point Setup cluster Be sure the two or more WAP devices you want to cluster are the same model For example Cisco WAP121 devices can only cluster with other Cisco WAP121 devices It is strongly recomm...

Page 161: ...l clustered WAP devices If a WAP device in a cluster does not receive advertisements from a WAP device for more than 60 seconds for example if the device loses connectivity to other devices in the cluster the device is removed from the cluster If a WAP device in Single Point Setup mode loses connectivity it is not immediately dropped from the cluster If it regains connectivity and rejoins the clus...

Page 162: ... with the device with no interruption of the wireless connection In other words loss of contact with the cluster does not necessarily prevent wireless clients associated with that WAP device from continued access to network resources If the loss of contact with the cluster is due to a physical or logical disconnect with the LAN infrastructure network services out to the wireless clients may be imp...

Page 163: ... and Parameters that are Propagated in Single Point Setup Radio Configuration Settings and Parameters that are Propagated in Single Point Setup Mode Fragmentation Threshold RTS Threshold Rate Sets Primary Channel Protection Fixed Multicast Rate Broadcast or Multicast Rate Limiting Channel Bandwidth Short Guard Interval Supported Radio Configuration Settings and Parameters that are Not Propagated i...

Page 164: ...P address of a member to configure and view data on that device Configuring the WAP Device for Single Point Setup To configure the location and name of an individual Single Point Setup cluster member Transmit Power Radio Configuration Settings and Parameters that are Not Propagated in Single Point Setup Other Configuration Settings and Parameters That Are Not Propagated in Single Point Setup Bandw...

Page 165: ...for example Reception The location field is optional Cluster Name Enter the name of the cluster for the WAP device to join for example Reception_Cluster The cluster name is not sent to other WAP devices You must configure the same name on each device that is a member The cluster name must be unique for each Single Point Setup you configure on the network The default is ciscosb cluster Clustering I...

Page 166: ...evice automatically forms a cluster with other WAP devices with the same configuration On the Access Points page the WAP devices detected are listed in a table and the following information is shown Location Description of where the access point is physically located MAC Address Media Access Control MAC address of the access point The address is the MAC address for the bridge br0 and is the addres...

Page 167: ...ess Points in the navigation pane STEP 3 Click Disable Single Point Setup The Single Point Setup status field for that access point will now show Disabled Navigating to Configuration Information for a Specific WAP Device All WAP devices in a Single Point Setup cluster reflect the same configuration if the configurable items can be propagated It does not matter which WAP device you connect to for a...

Page 168: ...ge directly on that device To view a particular statistic for a WLAN client session select an item from the Display list and click Go You can view information about idle time data rate and signal strength A session in this context is the period of time in which a user on a client device station with a unique MAC address maintains a connection with the wireless network The session begins when the W...

Page 169: ...dication RSSI and is a value between 0 and 100 Receive Total The number of total packets received by the WLAN client during the current session Transmit Total The number of total packets transmitted to the WLAN client during this session Error Rate The percentage of time frames are dropped during transmission on this access point To sort the information shown in the tables by a particular indicato...

Page 170: ...n the navigation pane From the Channel Management page you can view channel assignments for all WAP devices in the cluster and stop or start automatic channel management You can also use the advanced settings to modify the interference reduction potential that triggers channel reassignment change the schedule for automatic updates and reconfigure the channel set used for assignments STEP 2 To star...

Page 171: ...reless Radio The MAC address of the radio Band The band on which the access point is broadcasting Channel The radio channel on which this access point is currently broadcasting Locked Forces the access point to remain on the current channel Status Shows the status of the wireless radio in the device Some WAP devices may have more than one wireless radio each radio is displayed on a separate line i...

Page 172: ...matically reassigned once every hour but only if interference can be reduced by 25 percent or more Channels are reassigned even if the network is busy The default settings are designed to satisfy most scenarios where you would need to implement channel management You can change the Advanced settings to configure the following settings Change channels if interference is reduced by at least The mini...

Page 173: ...less domain so that you can take action to limit associated risks Verify coverage expectations By assessing which WAP devices are visible and at what signal strength from other devices you can verify that the deployment meets your planning goals Detect faults Unexpected changes in the coverage pattern are evident at a glance in the color coded table To view neighboring devices select Single Point ...

Page 174: ...ices as detected by the cluster member whose IP address is shown at the top of the column The color of the bar indicates the signal strength Dark Blue Bar A dark blue bar and a high signal strength number for example 50 indicates good signal strength detected from the neighbor as seen by the device whose IP address is listed above that column Lighter Blue Bar A lighter blue bar and a lower signal ...

Page 175: ...the neighboring access point MAC Address The MAC address of the neighboring access point Channel The channel on which the access point is currently broadcasting Rate The rate in megabits per second at which this access point is currently transmitting The current rate is always one of the rates shown in Supported Rates Signal The strength of the radio signal detected from the access point measured ...

Page 176: ...e Meaning 0 Reserved 1 Unspecified reason 2 Previous authentication no longer valid 3 Deauthenticated because sending station STA is leaving or has left Independent Basic Service Set IBSS or ESS 4 Disassociated due to inactivity 5 Disassociated because WAP device is unable to handle all currently associated STAs 6 Class 2 frame received from nonauthenticated STA 7 Class 3 frame received from nonas...

Page 177: ...s standard for which the content does not meet the specifications in Clause 8 14 Message integrity code MIC failure 15 4 Way Handshake timeout 16 Group Key Handshake timeout 17 Element in 4 Way Handshake different from Re Association Request Probe Response Beacon frame 18 Invalid group cipher 19 Invalid pairwise cipher 20 Invalid AKMP 21 Unsupported RSNE version 22 Invalid RSNE capabilities 23 IEE...

Page 178: ...nter_contacts html Cisco Small Business Firmware Downloads www cisco com go smallbizfirmware Select a link to download firmware for Cisco Small Business Products No login is required Downloads for all other Cisco Small Business products including Network Storage Systems are available in the Download area on Cisco com at www cisco com go software registration login required Cisco Small Business Ope...

Page 179: ...ll Business WAP121 and WAP321 Wireless N Access Point with PoE 177 B Cisco Small Business Cisco Partner Central for Small Business Partner Login Required www cisco com web partners sell smb Cisco Small Business Home www cisco com smb ...

Reviews:

No comments

Related manuals for WAP121

Qixiang Technology QX310 Installation And Configuration Quick Manual preview
QX310
Brand: Qixiang Technology Pages: 11
Samsung CY-SWR1100 Product Highlights preview
CY-SWR1100
Brand: Samsung Pages: 1
Ebyte E18-MS1PA-PCB User Manual preview
E18-MS1PA-PCB
Brand: Ebyte Pages: 16
3Com 3CRWEASYG73 - 11g Wireless LAN Outdoor Datasheet preview
3CRWEASYG73 - 11g Wireless LAN Outdoor
Brand: 3Com Pages: 4
Edimax BR-622nC User Manual preview
BR-622nC
Brand: Edimax Pages: 147
Avaya WAO9122 Installation Manual preview
WAO9122
Brand: Avaya Pages: 16
Ovislink Airlive WIAS-3200N Faq preview
Airlive WIAS-3200N
Brand: Ovislink Pages: 7
Linksys LAPAC1750 User Manual preview
LAPAC1750
Brand: Linksys Pages: 125
Digi ConnectPort X2e Wi-Fi Quick Start Manual preview
ConnectPort X2e Wi-Fi
Brand: Digi Pages: 2
Linksys MAX-STREAM AX4500 Quick Start Manual preview
MAX-STREAM AX4500
Brand: Linksys Pages: 6
Billion BiPAC 6300NX Features & Specifications preview
BiPAC 6300NX
Brand: Billion Pages: 2
Samsung WEA524i Quick Installation Manual preview
WEA524i
Brand: Samsung Pages: 2
Samsung WEA512i Quick Installation Manual preview
WEA512i
Brand: Samsung Pages: 2
Samsung WEA463e Quick User Manual preview
WEA463e
Brand: Samsung Pages: 2
Samsung WiDT30Q User Manual preview
WiDT30Q
Brand: Samsung Pages: 6
Samsung WEA412i Quick Installation Manual preview
WEA412i
Brand: Samsung Pages: 2
Samsung WISP30 Manual preview
WISP30
Brand: Samsung Pages: 8
Samsung WEA453e AP Quick User Manual preview
WEA453e AP
Brand: Samsung Pages: 2

Brands by name

Popular brands

Load more brands