manualshive.com logo in svg

Cisco WAP125, Administrator'S Manual

The Cisco WAP125 is a high-performance wireless access point designed for small businesses. With its advanced features and easy setup, this product ensures fast and reliable Wi-Fi connectivity. To get started, simply visit our website and download the free Quick Start Manual for hassle-free installation and configuration.

Share
Download
background image

WPA-TKIP

This network has client stations that only support the original WPA and TKIP

security protocol. Note that selecting the WPA-TKIP only is not allowed as per the latest Wi-Fi
Alliance requirements.

WPA2-AES

All client stations on the network support WPA2 and AES-CCMP cipher/security

protocol. This provides the best security per IEEE 802.11i standard. As per the latest Wi-Fi Alliance
requirement, the AP has to support this mode all the time.

If the network has a mix of clients, some of which support WPA2 and others which support only
the original WPA, select both. This lets both WPA and WPA2 client stations associate and
authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration
allows more interoperability in place of some security.

WPA clients must have one of these keys to be able to associate with the WAP device:

A valid TKIP key

A valid AES-CCMP key

PMF (Protection Management Frame)

Provides security for the unencrypted 802.11 management

frames. When Security Mode is disabled, the PMF is set to No PMF and is not editable (Hidden or
Grey).When the security Mode is set to WPA2-xxx, the PMF is Capable by default and is editable. The
following three check box values can be configured for it.

Not Required

Capable

Required

The WiFi Alliance requires the PMF to be enabled and set to Capable (Default). You
may disable it when the non-compliant wireless clients experience instability or
connectivity issues.

Note

Key

The shared secret key for WPA Personal security. Enter a string of at least 8 characters to a

maximum of 63 characters. Acceptable characters include uppercase and lowercase alphabetic letters,
the numeric digits, and special symbols such as @ and #.

Show Key as Clear Text

When enabled, the text you type is visible. When disabled, the text is not

masked as you enter it.

Key Strength Meter

The WAP device checks the key against complexity criteria such as how many

different types of characters (uppercase and lowercase alphabetic letters, numbers, and special characters)
are used and how long is the string. If the WPA-PSK complexity check feature is enabled, the key is
not accepted unless it meets the minimum criteria. See

Configure WAP-PSK Complexity, on page 36

for information on configuring the complexity check.

Broadcast Key Refresh Rate

The interval at which the broadcast (group) key is refreshed for clients

associated with this VAP. The default is 86400 seconds and the valid range is from 0 to 86400 seconds.
A value of 0 indicates that the broadcast key is not refreshed.

Cisco WAP125 Wireless-AC/N Dual Band Desktop Access Point with PoE    

47

Wireless

Configuring Security Settings

Summary of Contents for WAP125

Page 1: ...sktopAccessPointwith PoE First Published 2016 10 12 Last Modified 2017 06 08 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ...NTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN A...

Page 3: ...tons 7 C H A P T E R 2 System Configuration 9 LAN 9 IPv4 Configuration 9 DHCP Auto Configuration Settings 10 IPv6 Configuration 11 Port Settings Table 12 Spanning Tree Protocol 13 VLANs Setting 13 Neighbor Discover 13 LLDP 14 IPv6 Tunnel 14 Time 15 Automatically Acquiring the Time Settings through NTP 16 Manually Configuring the Time Settings 16 Notification 17 LED Display 17 Log Settings 17 Cisco...

Page 4: ...RADIUS Server 30 802 1x Supplicant 31 Rogue AP Detection 32 Viewing the Rogue AP List 33 Saving the Trusted AP List 34 Importing a Trusted AP List 34 Configure Password Complexity 35 Configure WAP PSK Complexity 36 C H A P T E R 3 Wireless 37 Radio 37 Networks 42 Configuring VAPs 43 Configuring Security Settings 45 Client Filter 49 Configuring a Client Filter List Locally on the WAP device 49 Conf...

Page 5: ...Access Control 65 ACL 65 IPv4 and IPv6 ACLs 65 Workflow to Configure ACLs 66 Configure IPv4 ACLs 66 Configure IPv6 ACLs 69 Configure MAC ACLs 71 Client QoS 73 Configuring IPv4 Traffic Classes 73 Configuring IPv6 Traffic Classes 75 Configuring MAC Traffic Classes 77 QoS Policy 79 QoS Association 80 Guest Access 80 Guest Access Instance Table 81 Guest Group Table 83 Guest User Account 84 Web Portal ...

Page 6: ...iguration Files 96 Copying Configuration Files 96 Clearing Configuration Files 97 Reboot 98 Schedule Reboot 98 C H A P T E R 9 Troubleshoot 99 Packet Capture 99 Local Packet Capture 100 Remote Packet Capture 101 Wireshark 101 Packet Capture File Download 103 Using HTTP 104 Support Information 104 Download CPU RAM Data 105 C H A P T E R 1 0 Where to Go from Here 107 Where to Go from Here 107 Cisco ...

Page 7: ...9 or later Firefox 46 or later Chrome 49 or later Safari 5 0 or later Browser Restrictions If using Internet Explorer 9 configure the following security settings Select Tools Internet Options and then select the Security tab Next select Local Intranet and then select Sites Select Advanced and then select Add Add the intranet address of the WAP device http ip address to the local intranet zone The ...

Page 8: ...e complete Bonjour for Microsoft Internet Explorer browser from Apple s website by visiting http www apple com bonjour c Locate the IP address assigned by your DHCP server by accessing your router or DHCP server See your DHCP server instructions for more information 3 Launch a web browser such as Microsoft Internet Explorer 4 In the address bar enter the default DHCP address and press Enter 5 Ente...

Page 9: ...er to segregate it from the management traffic on VLAN 1 Step 13 Click Next Repeat the step 9 to step 14 to configure the settings for Radio 2 interface Step 14 Click Next The Enable Captive Portal Create Your Guest Network window appears Step 15 Select whether or not to set up an authentication method for guests on your network and click Next If you click No skip to Step 23 If you click Yes the E...

Page 10: ... the following complexity settings Is different from the user name Is different from the current password Has a minimum length of eight characters Contains characters from at least three character classes uppercase letters lowercase letters numbers and special characters available on a standard keyboard Check Disable to disable the password complexity rules However we strongly recommend that you k...

Page 11: ...g Started page Note System Status The System Status page displays the hardware model description software version and the various configuration parameters such as PID VID The hardware model and version of the WAP device Serial Number The serial number of the WAP device Hostname The host name assigned to the WAP device MAC Address The MAC address of the WAP device IPv4 Address The IP address of the...

Page 12: ...are Radio on page 37 Wireless Settings Advanced Configuration Management on page 23 Management Setting IPv4 Configuration on page 9 LAN Setting Guest Access on page 80 Guest Access Dashboard on page 87 Dashboard More Information TCP UDP Service on page 4 TCP UDP Service LED Display on page 17 View System Log Traffic Statistics on page 90 Traffic Statistics For additional information on the device ...

Page 13: ...p shows errant characters verify that the encoding settings on your browser are set to UTF 8 Navigation Pane A navigation pane or main menu is located on the left side of each page The navigation pane is a list on the top level features of the WAP device If a main menu item is preceded by an arrow select to expand and display the submenu of each group You can then select the desired submenu item t...

Page 14: ...rent page with the latest data Refresh Saves the settings or configuration Save Updates the new information to the startup configuration Update Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 8 Getting Started Management Buttons ...

Page 15: ...on Use the IPv4 Setting page to configure the IPv4 address Step 1 Select LAN IPv4 Configuration Step 2 Configure the following IPv4 settings Connection Type By default the DHCP client on the WAP device automatically broadcasts the requests for network information If you want to use a static IP address you must disable the DHCP client and manually configure the IP address and other network informat...

Page 16: ...nfigure use a static IP address or disabling DHCP Auto Configuration Options immediately aborts Auto configuration DHCP client automatically broadcasts requests for DHCP options 66 and 67 If DHCP and DHCP Auto Configuration Options are enabled Access Point is Auto configured during next reboot considering the information received from DHCP Server for DHCP requests Configuration upload operation by...

Page 17: ...e in a form similar to xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 2001 DB8 CAD5 7D91 IPv6 Administrative Mode Check Enable to enable IPv6 administrative mode IPv6 Auto Configuration Administrative Mode Check Enable to enable the IPv6 automatic address configuration When the IPv6 automatic address configuration is enabled the WAP device recognizes its IPv6 addresses and gateway by processing the route...

Page 18: ...h as 100 Mbps or 10 Mbps The 1000 Mbps speed is the only supported when Auto Negotiation is enabled Duplex Mode When in review mode it lists the current port duplex mode When in edit mode and the Auto Negotiation is disabled select either Half or Full duplex mode Auto Negotiation When enabled the port negotiates with its link partner to set the fastest link speed and duplex mode available When dis...

Page 19: ...ult untagged VLAN This means that all traffic is untagged until you disable the untagged VLAN change the untagged traffic VLAN ID or change the VLAN ID for a VAP or client using RADIUS Step 3 Click Save The changes are saved to the Startup Configuration Neighbor Discover Bonjour enables the WAP device and its services to be discovered by using multicast DNS mDNS Bonjour advertises services to the ...

Page 20: ... Devices LLDP MED which standardizes additional information elements that devices can pass to each other to improve network management Step 1 To configure the LLDP settings select LAN LLDP Step 2 Configure the following parameters LLDP Mode Check Enable to enable the LLDP Once enabled the AP transmits LLDP Protocol Data Units to the neighbor devices TX Interval The number of seconds between each L...

Page 21: ...lid range is 120 to 3600 seconds The default value is 120 seconds ISATAP Solicitation Interval Enter how often the WAP device should send the router solicitation messages to the ISATAP routers The WAP device sends the router solicitation messages only when there is no active ISATAP router The valid range is 120 to 3600 seconds The default value is 120 seconds ISATAP IPv6 Link Local Address The IPv...

Page 22: ...ts Ends Select the week day month and time when the Daylight Savings time ends Daylight Saving Offset Specify the number of minutes to move the clock forward when Daylight Savings Time begins and backward when it ends Step 4 Click Save The changes are saved to the Startup Configuration Manually Configuring the Time Settings To manually configure the time settings Step 1 Select System Configuration...

Page 23: ...nable to enable the LEDs Select Disable to disable the LEDs Select Associate Scheduler and go to Step 3 Step 3 Select a profile name from the drop down list for the Associate Scheduler LED Display By default there is no profile associated to the LEDs The drop down selection will show the configured Scheduler Profile Names configured in the Wireless Scheduler page When the LED is associated to a Sc...

Page 24: ...0 that can be stored in volatile memory When the number that you configure in this field is reached the oldest log event is overwritten by the newest log event Step 3 Click Save Remote Log Server The kernel log is a comprehensive list of system events shown in the System Log and kernel messages You cannot view the kernel log messages directly from the configuration utility You must first set up a ...

Page 25: ...server click Save to disable remote logging Note View System Log The View System Log page displays the list of system events occurring on the device The log is cleared upon a reboot and can be cleared by an administrator Up to 1000 events can be shown Older entries are removed from the list as needed to make room for new events To view the system logs select Notification View System Log The follow...

Page 26: ...ely The default severity is Alert Step 3 In the Mail Server Configuration area configure these parameters Server IPv4 Address Name Enter the IP address or host name of the outgoing SMTP server The server address must be a valid IPv4 address or host name The IPv4 address should be in a form similar to xxx xxx xxx xxx 192 0 2 10 A host name can consist of one or more labels which are sets of up to 6...

Page 27: ... email address such as myName hotmail com or myName myDomain com Password Your Windows Live account password Yahoo Mail Yahoo requires using a paid account for this type of service Yahoo recommends the following settings Data Encryption TLSv1 SMTP Server plus smtp mail yahoo com SMTP Port 465 or 587 Username Your email address without the domain name such as myName without yahoo com Password Your ...

Page 28: ...ength is weak Green The password is strong Step 5 Click Save To delete a user select the user name and click Delete To edit an existing user select the user name and click Edit then click Save to save all changes made to the configurations Note Changing a User Password To change a user password Step 1 Select System Configuration User Accounts The User Account Table shows the currently configured u...

Page 29: ...m Contact Enter the contact person for the WAP device The system contact can be 0 to 255 characters long and can include spaces and special characters System Location Enter the physical location of the WAP device The system location can be 0 to 255 characters long and can include spaces and special characters Step 3 Click Save The changes are saved to the Startup Configuration Connect Session Sett...

Page 30: ...TPS connections from 1025 to 65535 The default port number for the HTTPS connections is the IANA port number 443 Management ACL Mode If the Mode is enabled access through the web and SNMP is restricted to the specified IP hosts If this feature is disabled anyone can access the configuration utility from any network client by supplying the correct user name and password of the WAP device Verify any...

Page 31: ...he upload was successful SNMP SNMPv2c Settings SNMP defines a standard for recording storing and sharing information about network devices SNMP facilitates network management troubleshooting and maintenance The WAP supports SNMP and can function as an SNMP managed device for seamless integration into network management systems Use the SNMP SNMPv2c Settings page to enable SNMP and configure the bas...

Page 32: ...mask of 255 255 255 0 NMS IPv6 Address Name The IPv6 address DNS host name or subnet of the devices that can execute get and set requests to the managed devices The IPv6 address should be in a form similar to xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 2001 DB8 CAD5 7D91 A host name can consist of one or more labels which are sets of up to 63 alphanumeric characters If a host name includes multiple la...

Page 33: ...of subtrees from the MIB view OID Enter an OID string for the subtree to include or exclude from the view For example the system subtree is specified by the OID string 1 3 6 1 2 1 1 Mask Enter an OID mask The mask is 47 characters in length The format of the OID mask is xx xx xx or xx xx xx and is 16 octets in length Each octet is two hexadecimal characters separated by either a period or a colon ...

Page 34: ...llowing parameters Group Name Enter the name of the group The default group names are RO and RW Group names can contain up to 32 alphanumeric characters Security Level Choose the security level for the group from the following options noAuthNoPriv No authentication and no data encryption no security authNoPriv Authentication but no data encryption With this security level users send SNMP messages ...

Page 35: ... group that the user is mapped to The default groups are RW and RO You can define additional groups on the SNMP Groups page Authentication Type Choose the type of authentication to use on the SNMPv3 requests from the user from the following options SHA Requires SHA authentication on SNMP requests from the user None SNMPv3 requests from this user require no authentication Authentication Pass Phrase...

Page 36: ...3 Check the check box in the new row and configure the following parameters IP Address Enter the IPv4 or IPv6 address of the remote SNMP manager to receive the target UDP Port Enter the UDP port to use for sending SNMPv3 targets Users Enter the name of the SNMP user to associate with the target To configure SNMP users see the SNMPv3 Users on page 29 page Step 4 Click Save The user is added to the ...

Page 37: ... WAP device the WAP device sends an authentication request to the primary server If the primary server responds to the authentication request the WAP device continues to use this RADIUS server as the primary server and authentication requests are sent to the address specified Server IP Address 2 or Server IPv6 Address 2 Enter the addresses for up to backup IPv4 or IPv6 RADIUS servers If authentica...

Page 38: ...ep 4 In the Certificate File Upload area you can upload a certificate file to the WAP device a Choose either HTTP or TFTP as the transfer method b If you selected HTTP click Browse to select the file See Connect Session Settings HTTP HTTPS Service Task for more information on configuring the HTTP server settings c If you selected TFTP enter the filename and the TFTP Server IPv4 Address d Click Upl...

Page 39: ...acon frames are transmitted by an AP at regular intervals to announce the existence of the wireless network The default behavior is to send a beacon frame once every 100 milliseconds or 10 per second The Beacon Interval is set on the Radio page Type The type of the device The options are AP An AP rogue device that supports the IEEE 802 11 Wireless Networking Framework in infrastructure mode Ad hoc...

Page 40: ...ogue AP List in order to move the AP to the Detected Rogue AP List Step 5 Click Refresh to refresh the screen and display the most current information Saving the Trusted AP List To create a Trusted AP List and save it to a file Step 1 Select Security and click View Rogue AP List in the Rogue AP Detection section The Rogue AP Detection page is displayed Step 2 In the Detected Rogue AP List click Mo...

Page 41: ...d Complexity Use the Password Complexity page to modify the complexity requirements for passwords used to access the configuration utility Complex passwords increase security To configure the password complexity requirements follow the subsequent steps Step 1 Select Security Configure Password Complexity Step 2 Check Enable to enable password complexity Step 3 Configure these parameters Password M...

Page 42: ...keys against the configured criteria If disabled none of the configured settings are used The WPA PSK Complexity is disabled by default Step 3 Configure these parameters WPA PSK Minimum Character Class Choose the minimum number of character classes that must be represented in the key string The four possible character classes are uppercase letters lowercase letters numbers and special characters a...

Page 43: ... 4G Only Support 2 4G Radio with a 2x2 MIMO mode 5G Only Support 5G Radio with a 2x2 MIMO mode Dual Band Support 2 4G and 5G Radio with two 1x1 SISO chains This is a single silicon solution for operating the radio in either a 2x2 MIMO mode or as two 1x1 chains This enables the user to perform different tasks in two different bands or in the same bands with some restrictions simultaneously Step 3 I...

Page 44: ... selection to a 20 MHz band For the 802 11ac mode set the field to 40 MHz to prevent the radio from using the 80 MHz wireless band selection Primary Channel 802 11n modes with 20 40 MHz bandwidth only A 40 MHz channel can be considered to consist of two 20 MHz channels that are contiguous in the frequency domain These two 20 MHz channels are often referred to as the primary and secondary channels ...

Page 45: ...nce the existence of the wireless network The default behavior is to send a beacon frame once every 100 milliseconds or 10 per second Enter an integer from 20 to 2000 milliseconds The default is 100 milliseconds DTIM Period The Delivery Traffic Information Map DTIM period Enter an integer from 1 to 255 beacons The default is 2 beacons The DTIM message is an element included in some beacon frames I...

Page 46: ...urst support improves the radio performance in the downstream direction Airtime Fairness Mode The airtime fairness ATF feature was implemented to address the issue of slower data transfers throttling the higher speed ones Maximum Utilization Threshold Enter the percentage of network bandwidth utilization allowed on the radio before the WAP device stops accepting new client associations The valid i...

Page 47: ...o page Off The WAP device ignores TSPEC requests from client stations TSPEC Voice ACM Mode Regulates mandatory admission control ACM for the voice access category By default TSPEC Voice ACM mode is off The options are On A station is required to send a TSPEC request for bandwidth to the WAP device before sending or receiving a voice traffic stream The WAP device responds with the result of the req...

Page 48: ... Service Set Identifier SSID Multiple VAPs cannot have the same SSID name SSID broadcasts can be enabled or disabled independently on each VAP SSID broadcast is enabled by default SSID Naming Conventions The default SSID for VAP0 is ciscosb Every additional VAP created has a blank SSID name The SSIDs for all VAPs can be configured to other values The SSID can be any alphanumeric case sensitive ent...

Page 49: ...e same WAP device that you are administering resetting the SSID will cause you to lose connectivity to the WAP device You will need to reconnect to the new SSID after you save this new setting SSID Broadcast Enables and disables the broadcast of the SSID Specify whether to allow the WAP device to broadcast the SSID in its beacon frames The Broadcast SSID parameter is enabled by default When the VA...

Page 50: ...her wireless clients associated with a different VAP but not among the wireless clients Band Steer Check to enable the band steer when both the radios are up It effectively utilizes the 5 GHz band by steering dual band supported clients from the 2 4 GHz band to the 5 GHz band It is configured on a per VAP basis and needs to be enabled on both the radios It is not encouraged on the VAPs with time s...

Page 51: ... through 4 are available The default is 1 The Transfer Key Index indicates which WEP key the WAP device uses to encrypt the data it transmits Key Length Choose either 64 bits or 128 bits as the length of the key Key Type Choose either ASCII or Hex as the key type WEP Keys You can specify up to four WEP keys In each text box enter a string of characters for each key The keys you enter depend on the...

Page 52: ...issions The same key must occupy the same slot on all nodes AP and clients For example if the WAP device defines abc123 key as WEP key 3 then the client stations must define that same string as WEP key 3 The client stations can use different keys to transmit data to the access point Or they can all use the same key but using the same key is less secure because it means one station can decrypt the ...

Page 53: ...be configured for it Not Required Capable Required The WiFi Alliance requires the PMF to be enabled and set to Capable Default You may disable it when the non compliant wireless clients experience instability or connectivity issues Note Key The shared secret key for WPA Personal security Enter a string of at least 8 characters to a maximum of 63 characters Acceptable characters include uppercase a...

Page 54: ...ersion you can enable pre authentication for the WPA2 clients Check this option if you want the WPA2 wireless clients to send the pre authentication packets The pre authentication information is relayed from the WAP device that the client is currently using to the target WAP device Enabling this feature can help speed up the authentication for roaming clients who connect to multiple APs This optio...

Page 55: ... Enable RADIUS Accounting Tracks and measures the resources a particular user has consumed such as system time amount of data transmitted and received and so on If you enable RADIUS accounting it is enabled for the primary RADIUS server and all backup servers Active Server Enables the administrative selection of the active RADIUS server rather than having the WAP device attempt to contact each con...

Page 56: ...remark Note Configuring MAC Authentication on the Radius Server If one or more VAPs are configured to use a Client filter you must configure the station list on the RADIUS server The format for the list is described in this table Value Description RADIUS Server Attribute Valid Ethernet MAC address MAC address of the client station User Name 1 NOPASSWORD A fixed global password used to look up a cl...

Page 57: ...ers Profile Rule Configuration You can configure up to 16 rules for a profile Each rule specifies the start time end time and day or days of the week that the radio or VAP can be operational The rules are periodic in nature and are repeated every week A valid rule must contain all of the following parameters days of the week hour and minute for the start and end time Rules cannot conflict for exam...

Page 58: ...client station The station EDCA parameters affect the traffic flowing from the client station to the WAP device In normal use the default values for the WAP device and the station EDCA should not be changed Changing these values affects the QoS provided To configure the WAP device and EDCA parameters Step 1 Select Wireless QoS Step 2 Choose the radio interface Radio 1 or Radio 2 Step 3 Choose one ...

Page 59: ...mber generated is a number between 0 and the number specified here If the first random backoff wait time expires before the data frame is sent a retry counter is incremented and the random backoff value window is doubled Doubling continues until the size of the random backoff value reaches the number defined in the Maximum Contention Window Valid values are 1 3 7 15 31 63 127 255 511 or 1023 This ...

Page 60: ... not acknowledge frames with QosNoAck as the service class value Unscheduled Automatic Power Save Delivery APSD Check Enable to enable APSD The APSD is recommended if VoIP phones access the network through the WAP device Step 7 Click Save Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 54 Wireless QoS ...

Page 61: ... as a simple OSI Layer 2 network device In the point to multipoint bridge mode one WAP device acts as the common link between multiple access points In this mode the central WAP device accepts the client associations and communicates with the clients All other access points associate only with the central WAP device that forwards the packets to the appropriate wireless bridge for routing purposes ...

Page 62: ...l MAC Address Specifies the physical or MAC address of the current or local WAP device to which data is transmitted from Remote MAC Address Specifies the MAC address of the destination WAP device You can find the MAC address on the Monitor Dashboard Wireless page Encryption Select the type of encryption to use on the WDS link None Static WEP or WPA Personal If you are not concerned about the secur...

Page 63: ...key is a string of at least 8 characters to a maximum of 63 characters Acceptable characters include uppercase and lowercase alphabetic letters the numeric digits and special symbols such as and WorkGroup Bridge The Work Group Bridge feature enables the WAP device to extend the accessibility of a remote network In the Work Group Bridge mode the WAP device acts as a wireless station STA on the wire...

Page 64: ...kets from associated STAs to another WAP device in the same ESS without using WDS Before you configure Work Group Bridge on the WAP device note these guidelines All WAP devices participating in Work Group Bridge must have the following identical settings Radio IEEE 802 11 Mode Channel Bandwidth Channel Auto is not recommended See Radio on page 37 Basic Settings for information on configuring these...

Page 65: ...terprise Encryption Not Applicable N A Indicates whether the WAP is connected to the upstream WAP device Connection Status Configure the Access Point Interface with the same VLAN ID as advertised on the Infrastructure Client Interface Specifies the VLAN associated with the BSS VLAN ID The Infrastructure Client Interface will be associated with the upstream WAP device with the configured credential...

Page 66: ...locally defined MAC address list RADIUS The set of clients in the APs BSS that can access the upstream network is restricted to the clients specified in a MAC address list on a RADIUS server Not Applicable N A Client Filter If you choose Local or RADIUS see Client Filter for instructions on creating the Client filter list Note Step 5 Click Save The associated downstream clients now have connectivi...

Page 67: ...us connectivity aboard wireless devices in motion with fast and secure handoffs from an AP to another managed AP in a seamless manner In order to ensure voice quality and network security a portable station must be able to maintain a secure low latency voice call while roaming between APs that are handling other traffic This device supports the FBT Fast BSS Transition as defined in 802 11r for fas...

Page 68: ...ssociation procedure with the next APs in the same domain Choose one of the following methods of FT Over Air In the Over Air method the Mobile Station communicates over a direct 802 11 link to the new AP Over DS In the Over DS method the MS communicates with the new AP via the old AP R0 Key Holder Specifies the NAS identifier to be sent in the radius Access Request Message The NAS Identifier is us...

Page 69: ...re the R1 key holder in the Remote R1 Key Holder Data List A maximum of 10 entries of R1 key holders are allowed to be configured per VAP The key holder data is configured per VAP MAC Address Destination s VAP MAC address which is the R1 Key holder The PMKR1 is sent in RRB PUSH message to this AP MAC address This MAC Address must be unique across all the VAPs R1 Key Holder The R1 key Holder ID tha...

Page 70: ...Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 64 Fast Roaming Configuring Remote Key Holder List Profiles ...

Page 71: ...es applied to traffic received by the WAP device Each rule specifies whether the contents of a given field should be used to permit or deny access to the network Rules can be based on various criteria and may apply to one or more fields within a packet such as the source or destination IP address the source or destination port or the protocol carried in the packet The IP ACLs classify traffic for ...

Page 72: ...nfigure an IPv4 ACL Step 1 Select Access Control ACL Step 2 Click to add an ACL Step 3 In the ACL name field enter the name of the ACL The name is limited to 31 alphanumeric and special characters without any space Step 4 Choose IPv4 as the ACL type from the ACL Type list The IPv4 ACL s control access to the network resources are based on the Layer 3 and Layer 4 criteria Step 5 Click and select th...

Page 73: ...its are ignored A wild card mask of 255 255 255 255 indicates that no bit is important A wild card of 0 0 0 0 indicates that all bits are important This field is required when the Source IP Address is checked A wild card mask is basically the inverse of a subnet mask For example to match the criteria to a single host address use a wild card mask of 0 0 0 0 To match the criteria to a 24 bit subnet ...

Page 74: ... and or private port Type Of Service Matches the packets based on specific service type Any Any type of service Select From List Matches the packets based on their DSCP Assured Forwarding AS Class of Service CS or Expedited Forwarding EF values DSCP Matches the packets based on a custom DSCP value If selected enter an value from 0 to 63 in this field Precedence Matches the packets based on their I...

Page 75: ... priority Action Choose whether to Deny or Permit the action The default action is Deny When you choose Permit the rule allows all traffic that meets the rule criteria to enter the WAP device Traffic that does not meet the criteria is dropped When you choose Deny the rule blocks all traffic that meets the rule criteria from entering the WAP device Traffic that does not meet the criteria is forward...

Page 76: ... IP address to match the address defined in the appropriate fields Any Enter any IP address Single Address Enter an IP address to apply this criteria Address Mask Enter the destination IP address wild card mask The wild card mask determines which bits are used and which bits are ignored A wild card mask of 255 255 255 255 indicates that no bit is important A wild card of 0 0 0 0 indicates that all...

Page 77: ... based on Layer 2 criteria Step 5 Click and select the associated interfaces to apply the ACL and click OK If you want to change the associated interfaces you can click to delete the selected interface and then click to choose new associated interfaces Step 6 Then click More to view the configuration parameters Click to add a rule and configure the following parameters Rule Priority When an ACL ha...

Page 78: ...a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored For example to check only the first four octets of a MAC address a MAC mask of 00 00 00 00 ff ff is used A MAC mask of 00 00 00 00 00 00 checks all address bits and is used to match a single MAC address Destination MAC Address Requires the packet s destination MAC address to match the ...

Page 79: ...ent sporadically or dropped For typical Internet applications such as email and file transfer a slight degradation in service is acceptable and in many cases unnoticeable However on applications with strict timing requirements such as voice or multimedia any degradation of service has undesirable effects A DiffServ configuration begins with defining class maps which classify traffic according to t...

Page 80: ...kets Choose the protocol to match by keyword or enter a protocol ID All Traffic Allows all traffic from any protocol Select From List Matches the selected protocol IP ICMP IGMP TCP UDP Custom Matches a protocol that is not listed by name Enter the protocol ID The protocol ID is a standard value assigned by IANA The range is a number from 0 to 255 If Protocol is All Traffic Source Address and Desti...

Page 81: ...in the IP header as the match criteria The IP ToS bit value ranges between 00 to FF The high order three bits represent the IP precedence value The high order six bits represent the IP DSCP value IP ToS Mask Enter an IP ToS Mask value to identify the bit positions in the IP ToS Bits value that are used for comparison against the IP ToS field in a packet The IP ToS Mask value is a two digit hexadec...

Page 82: ...tch condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field in IPv6 packets Choose the protocol to match by keyword or enter a protocol ID All Traffic Allows all traffic from any protocol Select From List Matches the selected protocol IP ICMP IGMP TCP UDP Custom Matches a protocol that is not listed by name Enter the protocol ID The protocol ID is a standard ...

Page 83: ...efined Enter a 20 bit number that is unique to an IPv6 packet It is used by end stations to signify QoS handling in routers range 0 to FFFFF Service Type Specifies the type of service to use in matching the packets to the class criteria Any Allows for any type of service as a match criterion IP DSCP Select from List Choose a DSCP value to use as a match criterion IP DSCP Match to Value Enter a cus...

Page 84: ...Ethernet frame Address Mask Enter the destination MAC address mask specifying which bits in the destination MAC address to compare against an Ethernet frame Step 7 Click More and configure the following parameters Protocol Compares the match criteria against the value in the header of an Ethernet frame Choose an EtherType keyword or enter an EtherType value to specify the match criteria All Traffi...

Page 85: ...ate in Kbps to which traffic must conform The range is from 1 to 1000000 Kbps Committed Burst The committed burst size in bytes to which traffic must conform The range is from 1 to 1600000Kbps Action Select from one of the following options Send Specifies that all packets for the associated traffic stream are to be forwarded if the traffic class criteria is met Drop Specifies that all packets for ...

Page 86: ...ck to add a QoS association Step 3 From the QoS Policy Name drop down list choose a QoS Policy name Step 4 Configure the following Association Interface Select the interface from the drop down list 2 4G ciscosb 5G ciscosb or LAN0 Rate Limit From AP to Client The maximum allowed transmission rate from the WAP device to the client in bits per second bps The valid range is from 0 to 866Mbps Rate Limi...

Page 87: ...ification process HTTP Does not use encryption during verification HTTPS Uses the Secure Sockets Layer SSL which requires a certificate to provide encryption The certificate is presented to the user at connection time Authentication Method Choose the authentication method for CP to use to verify the clients The options are Local Database The WAP device uses a local database to authenticate the use...

Page 88: ...dress Server IP Address 2 or Server IPv6 Address 2 Enter up to three IPv4 or IPv6 backup RADIUS server addresses If the authentication fails with the primary server each configured backup server is tried in sequence Key 1 Enter the shared secret key that the WAP device uses to authenticate to the primary RADIUS server You can use up to 63 standard alphanumeric and special characters The key is cas...

Page 89: ...is from 0 to 1440 minutes The default value is 60 The timeout value configured here has precedence over the value configured for the CP instance unless the user value is set to 0 When it is set to 0 the timeout value configured for the CP instance is used Maximum Bandwidth Up Enter the maximum upload speed in megabits per second that a client can transmit traffic when using the Captive Portal This...

Page 90: ...to customize the text and images on the pages Step 1 Select Guest Access Web Portal Locale Table Step 2 In this table click add to access the Captive Portal Customization page To modify the locale check the row and click Edit or click Delete to delete You can create up to three different authentication pages with different locales on your network Step 3 In the Captive Portal Web Locale Parameters ...

Page 91: ...from 1 to 128 characters The default is Welcome to the Wireless Network Account Tips Prompting The text that appears in the page body below the user name and password text boxes The range is from 1 to 256 characters The default is To start using this service enter your credentials and click the connect button Acceptance Policy The text that appears in the Acceptance Use Policy box The range is fro...

Page 92: ...ages that have already been saved to the Startup Configuration If you make a change click Save before clicking Preview to see your changes Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 86 Access Control Web Portal Customization ...

Page 93: ...onds Connected Clients The total number of clients currently associated with the WAP device Click the box to be redirected to the Clients page Internet LAN Wireless Round icons on the top right of the page show Internet LAN and wireless connection status Internet Red round No Internet connection Green round Internet connection is good LAN Red round No wired connection Green round Wired connection ...

Page 94: ...t of the last 30 seconds transmitted Download Throughput of the last 30 seconds received Click Upload or Download to not display data SSID Utilization According to the traffic order this pie chart displays the top 5 Traffic SSID Traffic total number of bytes transmitted and received Network Usage This line chart displays the eth throughput Upload Throughput of the last 30 seconds transmitted Downl...

Page 95: ...to change any of these settings You will be redirected to the LAN page Click Refresh to refresh the screen and show the most current information Click Back to return to the Dashboard page Note Wireless Status Click the Wireless circle to display the wireless radio interfaces such as Wireless Radio The wireless radio mode is enabled or disabled for the radio interface MAC Address The MAC address as...

Page 96: ...llowing information is displayed Interface Name of the Ethernet interface each VAP interface and each WDS interface The name for each VAP interface is followed by its SSID in parentheses Total Packets The total number of packets sent in Transmit table or received in Received table by the WAP device Total Bytes The total number of bytes sent in Transmit table or received in Received table by the WA...

Page 97: ... identifies a wireless local area network It is also referred to as the Network Name Mode The IEEE 802 11 mode being used on the client such as IEEE 802 11a IEEE 802 11b IEEE 802 11g Data Rate The current transmitting data rate Channel The channel on which the Client is current in connection with The channel defines the portion of the radio spectrum that the radio uses for transmitting and receivi...

Page 98: ...by a database Local The WAP device uses a local database to authenticate the users RADIUS The WAP device uses a database on a remote RADIUS server to authenticate the users VAP Radio ID The VAP and radio that the user is associated with Timeout The time remaining in seconds for the CP session to be valid After the time reaches zero the client is de authenticated Away Time The time remaining in sec...

Page 99: ... can upgrade the firmware on your WAP device to take advantage of new features and enhancements The WAP device uses a TFTP or HTTP HTTPS client for firmware upgrades After you upload the new firmware and the system reboots the newly added firmware becomes the primary image If the upgrade fails the original firmware remains as the primary image When you upgrade the firmware the WAP device retains t...

Page 100: ...ading the new firmware or the firmware upload is aborted When the process is complete the WAP device restarts and resumes normal operation Step 4 To verify that the firmware was upgraded successfully log into the web based Configuration Utility open the Upgrade Firmware page and view the active firmware version TFTP Upgrade To upgrade the firmware on the WAP device using TFTP Step 1 Select TFTP as...

Page 101: ...east 24 hours it is automatically saved to a Mirror Configuration file The Mirror Configuration file is a snapshot of the past Startup Configuration The Mirror Configuration is preserved across factory resets so it can be used to recover a system configuration after a factory reset by copying the Mirror Configuration to the Startup Configuration In addition to downloading and uploading these files...

Page 102: ...t Download PC to Access Point to backup the configuration data to the PC Step 4 For a TFTP backup enter the Destination File Name with an xml extension Also include the path where the file is to be stored on the server and then enter the TFTP Server IPv4 Address The filename cannot contain the following characters spaces and two or more successive periods Step 5 Select Startup Configuration or Bac...

Page 103: ...ecover a system configuration after a factory reset by copying the Mirror Configuration to the Startup Configuration Step 3 In the To field select the file type to be replaced with the file that you are copying Step 4 Click Save to begin the copy process Clearing Configuration Files You can clear the Startup Configuration or Backup Configuration file If you clear the Startup Configuration file the...

Page 104: ...you to confirm or cancel the reboot Step 4 Click OK to reboot Schedule Reboot To schedule a reboot on the WAP device follow these steps Step 1 Check the Schedule Reboot check box to enable the schedule reboot function Step 2 There are two options to schedule a reboot Date Set the exact date and time when to reboot the device In Set the reboot time for the reboot to occur after the function is enab...

Page 105: ...xamined using Wireshark You can click Save File on this Device to select the local capture method Remote Capture Method Captured packets are redirected in real time to an external computer running Wireshark You can click Stream to a Remote Host to select the remote capture method The WAP device can capture these types of packets 802 11 packets received and transmitted on the radio interfaces Packe...

Page 106: ...ailable Ignore beacons Filter on client Filter on SSID Ignore Beacons Enables or disables the capturing of 802 11 beacons detected or transmitted by the radio Filter on Client Specifies the MAC address for WLAN client filter Note that the Client filter is active only when a capture is performed on an 802 11 interface Filter on SSID Select a SSID name for packet capture Step 6 Click Save Settings T...

Page 107: ...hoot Packet Capture Step 2 For the Packet Capture Method click Stream to a Remote Host radio button Step 3 In the Remote Capture Port field use the default port 2002 or if you are using a port other than the default enter the desired port number used to connect Wireshark to the WAP device The port range is from 1025 to 65530 Step 4 There are two modes for packet capture All Wireless Traffic captur...

Page 108: ...n0vap1 wlan0vap7 At WAP150 VAP1 VAP3 traffic rpcap 192 168 1 220 2002 wlan0vap1 wlan0vap3 You can trace up to four interfaces on the WAP device simultaneously However you must start a separate Wireshark session for each interface To initiate additional remote capture sessions repeat the Wireshark configuration steps No configuration required on the WAP device The system uses four consecutive port ...

Page 109: ...n when there is no active Wireshark session To minimize the performance impact on the WAP device during traffic capture install capture filters to limit which traffic is sent to the Wireshark tool When capturing 802 11 traffic a large portion of the captured frames tend to be beacons typically sent every 100 ms by all access points Although Wireshark supports a display filter for beacon frames it ...

Page 110: ...p 2 Click CPU The device to record and display the CPU activity To stop the recording re click CPU Step 3 Click RAM The device to record and display the RAM activity To stop the recording re click RAM The chart displays the CPU RAM status as follows A blue line shows the CPU activity A red line show RAM activity The first line chart update data every 1 seconds It will show the CPU RAM activity in ...

Page 111: ...ownload Data section check Enable to enable the download Step 3 Select the time you wish to perform the download Today Last 7 Days Last 30 Days All Custom Step 4 Complete the To and From fields with the YYYY MM DD and then set the time with the HH mm ss Step 5 Click Download to generate the file based on the current system settings After a short pause a window appears to enable you to save the fil...

Page 112: ...Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 106 Troubleshoot Download CPU RAM Data ...

Page 113: ...o login is required Cisco Firmware Downloads If you wish to receive a copy of the source code to which you are entitled under the applicable free open source license s such as the GNU Lesser General Public License please send your request to external opensource requests cisco com In your requests please include the Cisco product name version and the 18 digit reference number for example 7XEEX17D99...

Page 114: ...Cisco WAP125 Wireless AC N Dual Band Desktop Access Point with PoE 108 Where to Go from Here Where to Go from Here ...

Reviews:

No comments

Related manuals for WAP125

Extreme Networks EN-SLX 9640-24S-12C Installation Manual preview
EN-SLX 9640-24S-12C
Brand: Extreme Networks Pages: 113
HAC HAC-MLW User Manual preview
HAC-MLW
Brand: HAC Pages: 28
TRENDnet TEW-656BRG User Manual preview
TEW-656BRG
Brand: TRENDnet Pages: 44
Arris RUCKUS ZoneDirector 1200 Quick Setup Manual preview
RUCKUS ZoneDirector 1200
Brand: Arris Pages: 2
Aruba AP-100 Series Installation Manual preview
AP-100 Series
Brand: Aruba Pages: 2
TP-Link deco W7200 User Manual preview
deco W7200
Brand: TP-Link Pages: 35
Ubee DDW3611 Setup Manual preview
DDW3611
Brand: Ubee Pages: 2
Loopcomm LP-7516H User Manual preview
LP-7516H
Brand: Loopcomm Pages: 68
Linksys MAX-STREAM AX4500 Quick Start Manual preview
MAX-STREAM AX4500
Brand: Linksys Pages: 6
MC Crypt MC Crypt Free1 User Manual preview
MC Crypt Free1
Brand: MC Crypt Pages: 5
BAZOO 27213 User Manual preview
27213
Brand: BAZOO Pages: 2
Belkin F5D7632EA4A User Manual preview
F5D7632EA4A
Brand: Belkin Pages: 504
Avaya AP-3 User Manual preview
AP-3
Brand: Avaya Pages: 425
YUNKE CHINA DCWL-7962OT Installation Manual preview
DCWL-7962OT
Brand: YUNKE CHINA Pages: 35
HPE Aruba AP12-RW Product End-Of-Life Disassembly Instructions preview
Aruba AP12-RW
Brand: HPE Pages: 4
HPE Aruba AP-575 Product End-Of-Life Disassembly Instructions preview
Aruba AP-575
Brand: HPE Pages: 4
Watchguard WatchGuard AP Series Quick Start Manual preview
WatchGuard AP Series
Brand: Watchguard Pages: 9
SKSpruce WOA5300-20 Operation Instruction Manual preview
WOA5300-20
Brand: SKSpruce Pages: 12

Brands by name

Popular brands

Load more brands