manualshive.com logo in svg

Cisco Wap581, Administration Manual

Introducing the Cisco Wap581, a high-performance wireless access point designed for seamless connectivity. Get started in a breeze with the comprehensive Quick Start Manual, available for free download at manualshive.com. This essential manual provides step-by-step instructions to configure your device, ensuring optimal network performance and user satisfaction.

Share
Download
background image

This security mode is backwards-compatible with the wireless clients that support the original WPA.

The dynamic VLAN mode is enabled by default, which allows RADIUS authentication server to decide which
VLAN is used for the stations.

These parameters configure WPA Enterprise:

WPA Versions

— Choose the types of client stations to be supported. The options are:

WPA-TKIP

— The network has some client stations that only support original WPA and TKIP

security protocol. Note that selecting only WPA-TKIP for the access point is not allowed as per the
latest Wi-Fi Alliance requirement.

WPA2-AES

— All client stations on the network support WPA2 version and AES-CCMP cipher/

security protocol. This provides the best security per the IEEE 802.11i standard. As per the latest
Wi-Fi Alliance requirement, the AP has to support this mode all the time.

Enable Pre-authentication

— If you choose only WPA2 or both WPA and WPA2 as the WPA version,

you can enable pre-authentication for the WPA2 clients.

Check this option if you want the WPA2 wireless clients to send the pre-authentication packets. The
pre-authentication information is relayed from the WAP device that the client is currently using to the
target WAP device. Enabling this feature can help speed up the authentication for roaming clients who
connect to multiple APs.

This option does not apply if you selected WPA for WPA versions because the original WPA does not
support this feature.

Client stations configured to use WPA with RADIUS must have one of these addresses and keys:

• A valid TKIP RADIUS IP address and RADIUS key

• A valid CCMP (AES) IP address and RADIUS key

PMF (Protection Management Frame)

— Provides security for the unencrypted 802.11 management

frames. When Security Mode is disabled or WEP, the PMF is set to

No PMF

and is not editable (Hidden

or Grey).When the security Mode is set to

WPA2-xxx

, the PMF is

Capable

by default and is editable.

The following three check box values can be configured for it.

Not Required

Capable

Required

WiFi Alliance requires PMF to be enabled with default setting of

Capable

. You

may disable it when non-compliant wireless clients experience instability or
connectivity issues.

Note

Use Global RADIUS Server Settings

— By default, each VAP uses the global RADIUS settings that

you define for the WAP device. However, you can configure each VAP to use a different set of RADIUS
servers.

Check this option to use the global RADIUS server settings, or uncheck this option to use a separate
RADIUS server for the VAP and enter the RADIUS server IP address and key in the appropriate fields.

Cisco WAP581 Wireless-AC/N Dual Radio Access Point with 2.5GbE LAN Administration Guide

55

Wireless

Configuring Security Settings

Summary of Contents for Wap581

Page 1: ...t with 2 5GbE LAN Administration Guide First Published 2016 11 23 Last Modified 2019 07 09 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ...COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any Internet Protocol IP addresses and ...

Page 3: ...The Java logo is a trademark or registered trademark of Sun Microsystems Inc in the U S or other countries 2019 Cisco Systems Inc All rights reserved ...

Page 4: ......

Page 5: ...gation 9 Navigation Pane 9 Management Buttons 9 Administration 11 C H A P T E R 2 Firmware 11 Swapping the Firmware Image 11 HTTP HTTPS Upgrade 12 TFTP Upgrade 12 Reboot 13 Schedule Reboot 13 Configuration Management 13 Backup Configuration Files 14 Download Configuration Files 14 Copying Configuration Files 15 Clearing Configuration Files 15 System Configuration 17 C H A P T E R 3 Cisco WAP581 Wi...

Page 6: ...og Settings 25 Remote Log Server Table 26 View System Log 27 Email Alert Mail Server Message Configuration 27 Email Alert Examples 28 User Accounts 29 Adding a User 29 Changing a User Password 30 Management 30 System Settings 31 Connect Session Settings HTTP HTTPS Service 31 SSL Certificate File Status 32 SNMP SNMPv2c Settings 33 SNMPv3 Views 34 SNMPv3 Groups 35 SNMPv3 Users 36 SNMPv3 Targets 37 P...

Page 7: ...t Filter 56 Configuring a Client Filter List Locally on the WAP device 56 Configuring MAC Authentication on the Radius Server 57 Scheduler 57 Scheduler Profile Configuration 58 Profile Rule Configuration 58 QoS 59 Wireless Bridge 63 C H A P T E R 5 Wireless Bridge 63 Configuring WDS Bridge 64 WPA PSK on WDS Links 64 WorkGroup Bridge 65 Fast Roaming 69 C H A P T E R 6 Fast Roaming 69 Configuring Fa...

Page 8: ...iguring Advanced Settings 79 Channel Assignment Table 80 Access Control 81 C H A P T E R 8 ACL 81 IPv4 and IPv6 ACLs 81 Workflow to Configure ACLs 82 Configure IPv4 ACLs 82 Configure IPv6 ACLs 84 Configure MAC ACLs 87 Client QoS 88 Configuring IPv4 Traffic Classes 89 Configuring IPv6 Traffic Classes 91 Configuring MAC Traffic Classes 93 QoS Policy 94 QoS Association 95 Guest Access 96 Guest Access...

Page 9: ...ket Capture 115 Stream to a Remote Host 115 Stream to CloudShark 116 Wireshark 117 Packet Capture File Download 119 Using HTTP 119 Support Information 119 Download CPU RAM Data 120 DeAuthentication Message Reason Codes 121 A P P E N D I X A Deauthentication Message Reason Codes 121 Deauthentication Reason Code Table 121 Where to Go from Here 123 A P P E N D I X B Where to Go from Here 123 Cisco WA...

Page 10: ...Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide x Contents ...

Page 11: ...ty make sure that you have a computer with one of the following browsers Internet Explorer 11 Microsoft Edge or later Firefox 64 or later Chrome 72 or later Safari 5 1 or later Browser Restrictions If using Internet Explorer 11 configure the following security settings Select Tools Internet Options and then select the Security tab Next select Local Intranet and then select Sites Select Advanced an...

Page 12: ...onjour plug in or the Apple Mac Safari browser you can find the WAP device on your local network without knowing its IP address You can download the complete Bonjour for Microsoft Internet Explorer browser from Apple s website by visiting http www apple com bonjour 3 Locate the IP address assigned by your DHCP server by accessing your router or DHCP server See your DHCP server instructions for mor...

Page 13: ...h the same cluster name and enable the Single Point Setup mode on other WAP devices they automatically join the group If you already have a cluster on your network you can add this device to it by clicking Join an Existing Cluster and then enter the Existing Cluster Name If you do not want this device to participate in a Single Point Setup at this time click Do not Enable Single Point Setup Option...

Page 14: ...rs Step 24 Choose a security encryption type for the guest network and enter a security key For a description of these options see Configuring Security Settings on page 53 Step 25 Click Next The Enable Captive Portal Assign the VLAN ID window appears Step 26 Specify a VLAN ID for the guest network The guest network VLAN ID should be different from the management VLAN ID Step 27 Click Next The Enab...

Page 15: ...ld Step 7 Click Next The Configure Your Wireless Network window appears a Enter a Network Name which serves as the SSID for the default wireless network b Enter a Security key security type WPA2 Personal AES is by default c Enter the VLAN ID for traffic received on the wireless network Check the check box to apply same configuration to Radio 2 or switch to another radio tab and repeat Step 7 to co...

Page 16: ...he new password conforms to the following complexity settings Is different from the username Is different from the current password Has a minimum length of eight characters Contains characters from at least three character classes uppercase letters lowercase letters numbers and special characters available on a standard keyboard Check Disable to disable the password complexity rules However we str...

Page 17: ...System Status The System Status page displays the hardware model description software version and the various configuration parameters such as PID VID The hardware model and version of the WAP device Serial Number The serial number of the WAP device Host Name The host name assigned to the WAP device MAC Address The MAC address of the WAP device IPv4 Address The IP address of the WAP device IPv6 Ad...

Page 18: ... on the Page Category Using the Access Point Setup Wizard on page 2 Setup Wizard Quick Access Adding a User on page 29 Change Account Password Configuration Management on page 13 Backup Restore Configuration Firmware on page 11 Upgrade Device Firmware Radio on page 45 Wireless Settings Advanced Configuration System Settings on page 31 Management Setting IPv4 Configuration on page 17 LAN Setting Co...

Page 19: ...ion utility Click to show the WAP device type and version number Click to show the context sensitive online help The online help is designed to be viewed with browsers using UTF 8 encoding If the online help shows errant characters verify that the encoding settings on your browser are set to UTF 8 Navigation Pane A navigation pane or main menu is located on the left of each page The navigation pan...

Page 20: ...xisting entry Edit Refreshes the current page with the latest data Refresh Applies Saves the settings or configuration Apply Updates the new information to the startup configuration Update Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 10 Getting Started Management Buttons ...

Page 21: ...vantage of new features and enhancements The WAP device uses a TFTP or HTTP HTTPS client for firmware upgrades After you upload the new firmware and the system reboots the newly added firmware becomes the primary image If the upgrade fails the original firmware remains as the primary image When you upgrade the firmware the WAP device retains the existing configuration settings Note Swapping the Fi...

Page 22: ... and view the active firmware version TFTP Upgrade To upgrade the firmware on the WAP device using TFTP Step 1 Select TFTP as the transfer method Step 2 Enter a name 1 to 256 characters for the image file in the Source File Name field including the path to the directory that contains the image to upload For example to upload the ap_upgrade tar image located in the share builds ap directory enter s...

Page 23: ...d Note Step 3 Click Apply Configuration Management The WAP device configuration files are in XML format and contain all the information about the WAP device settings You can back up upload the configuration files to a network host or TFTP server to manually edit the content or create backups After you edit a backed up configuration file you can upload it to the WAP device to modify the configurati...

Page 24: ...figuration is not modified for at least 24 hours it is automatically saved to a mirror configuration file The Mirror Configuration is a snapshot of a past Startup Configuration The Mirror Configuration is preserved across factory resets so it can be used to recover a system configuration after a factory reset by copying the Mirror Configuration to the Startup Configuration Step 6 Click Apply to be...

Page 25: ...lect one of the following source file types that you want to copy Startup Configuration Configuration file used for the startup Backup Configuration Backup configuration file saved on the WAP device Mirror Configuration If the Startup Configuration is not modified for at least 24 hours it is automatically saved to a Mirror Configuration file The Mirror Configuration is a snapshot of a past Startup...

Page 26: ...Step 4 Click Yes Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 16 Administration Clearing Configuration Files ...

Page 27: ...gure the following IPv4 settings Connection Type By default the DHCP client on the WAP device automatically broadcasts the requests for network information If you want to use a static IP address you must disable the DHCP client and manually configure the IP address and other network information Choose one of the following options DHCP The WAP device acquires its IP address from a DHCP server on th...

Page 28: ...osen configuration file is given preference In any other cases of rebooting the AP such as firmware upgrade or reboot operations existing Auto Configuration settings will be effective Note TFTP Server IPv4 Address Host Name If you configure TFTP server address it is used in case of failure to retrieve file from other TFTP Servers specified by DHCP server during Auto Configuration Enter IPv4 addres...

Page 29: ...device can have a static IPv6 address even if addresses have already been configured automatically Static IPv6 Address Prefix Length Enter the prefix length of the static address which is an integer in the range of 0 to 128 The default is 0 Static IPv6 Address Status It can be one of the following status Operational The IP address has been verified as unique and is usable on the LAN interface Tent...

Page 30: ...e current port link status Port Speed When in review mode it lists the current port speed When in edit mode and the Auto Negotiation is disabled select a port speed such as 100 Mbps or 10 Mbps The 1000 Mbps speed is the only supported when Auto Negotiation is enabled Duplex Mode When in review mode it lists the current port duplex mode When in edit mode and the Auto Negotiation is disabled select ...

Page 31: ...list Untagged or Tagged VLAN By default all traffic on the WAP device uses the VLAN 1 the default untagged VLAN This means that all traffic is untagged until you disable the untagged VLAN change the untagged traffic VLAN ID or change the VLAN ID for a VAP or client using RADIUS Step 3 Click Apply The changes are saved to the Startup Configuration Neighbor Discover Bonjour enables the WAP device an...

Page 32: ...nt Devices LLDP MED which standardizes additional information elements that devices can pass to each other to improve network management Step 1 To configure the LLDP settings select LAN More LLDP Step 2 Configure the following parameters LLDP Mode Check Enable to enable the LLDP Once enabled the AP transmits LLDP Protocol Data Units to the neighbor devices By default this mode is enabled TX Interv...

Page 33: ...d send the router solicitation messages to the ISATAP routers The WAP device sends the router solicitation messages only when there is no active ISATAP router The valid range is 120 to 3600 seconds The default value is 120 seconds 5 ISATAP IPv6 Link Local Address The IPv6 address used by the local physical link The link local address is not configurable and is assigned by using the IPv6 Neighbor D...

Page 34: ...ard when Daylight Savings Time begins and backward when it ends Step 4 Click Apply The changes are saved to the Startup Configuration Manually Configuring the Time Settings To manually configure the time settings Step 1 Select System Configuration Time Step 2 In the System Clock Source area choose Manual Step 3 Click Sync Time with PC to clone the system time settings from your local PC Step 4 You...

Page 35: ...gured in the Wireless Scheduler page When the LED is associated to a Scheduler Profile this column shows the status depending on the presence or absence of an active profile rule at that time of the day Step 4 Click Apply Log Settings Use the Log Settings page to enable log messages to be saved in permanent memory You can also send logs to a remote host If the system unexpectedly reboots the log m...

Page 36: ...he remote log server collection for the syslog messages provides these features Allows aggregation of syslog messages from multiple APs Stores a longer history of messages than is kept on a single WAP device Triggers scripted management operations and alerts To specify a host on your network to serve as a remote log server Step 1 Select Notification Log Settings Step 2 In the Remote Log Server Tab...

Page 37: ...st current information Click Clear All to clear all entries from the log Click Download to download all entries from the log Email Alert Mail Server Message Configuration The email alert feature supports mail server configuration message severity configuration and up to three email addresses to send urgent and non urgent email alerts Use the Email Alert to send messages to the configured email add...

Page 38: ...riod The entire series of labels and periods can be up to 253 characters long Data Encryption Choose the mode of security from the drop down list Open or TLSv1 for the outbound email alert Using the secure TLSv1 protocol can prevent eavesdropping and tampering during the communication across the public network Port Enter the SMTP port number to use for outbound emails The range is a valid port num...

Page 39: ...Name without yahoo com Password Your Yahoo account password The following example shows a sample format of a general log email From AP 192 168 2 10 mailserver com Sent Wednesday September 09 2009 11 16 AM To administrator mailserver com Subject log message from AP TIME Priority Process Id Message Sep 8 03 48 25 info login 1457 root login on ttyp0 Sep 8 03 48 26 info mini_http ssl 1175 Max concurre...

Page 40: ...elect System Configuration User Accounts The User Account Table shows the currently configured users The user cisco is preconfigured in the system to have Read Write privileges The password for the user cisco can be changed Step 2 Select the user to configure and click Edit Step 3 Enter a new password between 0 and 127 characters and confirm the same password in the appropriate fields The Password...

Page 41: ...gement connections If the HTTPS is used for secure management sessions you can also use this page to manage the required SSL certificates To configure the HTTP and HTTPS services Step 1 Select Management Management Step 2 In the Connect Session Settings area configure the following parameters Maximum Sessions Enter the number of web sessions including both the HTTP and HTTPS that can be in use at ...

Page 42: ...ation interface We recommend that you give the administrative computer a static IP address so the address does not change over time Note Step 4 Click Apply SSL Certificate File Status To use the HTTPS services the WAP device must have a valid SSL certificate The WAP device can generate a certificate or you can download it from your network or from a TFTP server In the Generate SSL Certificate area...

Page 43: ...r the SNMP traffic The default is 161 However you can configure it so that the agent listens to the requests on a different port The valid range is from 1025 to 65535 Step 4 In the SNMPv2c Settings area configure the SNMPv2c settings Read only Community Enter a read only community name for the SNMPv2 access The valid range is 1 to 256 alphanumeric and special characters The community name acts as ...

Page 44: ... SNMPv2c trap settings Trap Community Enter a global community string associated with SNMP traps Traps sent from the device provide this string as a community name The valid range is from 1 to 60 alphanumeric and special characters Trap Destination Table Enter a list of up to three IP addresses or host names to receive the SNMP traps Check the box and choose a Host IP Address Type IPv4 or IPv6 bef...

Page 45: ...family mask indicates which sub identifiers of the associated family OID string are significant to the family s definition A family of view subtrees enables efficient control access to one row in a table Step 3 Click Apply To remove a view check the view in the list and click Delete Note SNMPv3 Groups The SNMPv3 groups allow you to combine users into groups of different authorization and access pr...

Page 46: ...encryption authPriv Authentication and data encryption With this security level users send the MD5 key or password for authentication and a DES for encryption For groups that require authentication encryption or both you must define the SHA DES and AES128 keys or passwords on the SNMP Users page Write Views Choose the write access for the group s MIBs from one of the following options view all The...

Page 47: ...as the authentication type enter the pass phrase to enable the SNMP agent to authenticate the requests sent by the user The pass phrase must be between 8 and 32 characters in length Encryption Type Choose the encryption privacy type applied to the user s SNMP requests from the following options DES Uses DES encryption on the SNMPv3 requests from the user AES128 Uses AES128 encryption on the SNMPv3...

Page 48: ...a software application running on a Cisco SMB device When a device is powered on the Open Plug n Play agent discovery process which is embedded in the device attempts to discover the address of the Open Plug n Play server which helps automate the process of deploying and provisioning new devices into the network This helps to apply configuration and install the required image without manual interv...

Page 49: ... a specific set of RADIUS servers See Networks on page 50 Note Configuring Global RADIUS Servers Step 1 Select Security Radius Server Step 2 Configure these parameters Server IP Address Type Select the IP version that the RADIUS server uses You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings but the WAP device contacts only the RADIUS server or server...

Page 50: ... 1X Supplicant Step 2 In the 802 1x Supplicant area check Enable to enable the Administrative Mode Step 3 Configure the 802 1X operational status and basic settings EAP Method Choose the algorithm to be used for encrypting authentication user names and passwords The options are MD5 A hash function defined in RFC 3748 that provides basic security PEAP Protected Extensible Authentication Protocol wh...

Page 51: ...t information about rogue APs Step 1 Select Security Rogue AP Detection Step 2 Check Enable to enable the AP Detection for Radio 1 and Radio 2 Step 3 Click Apply The Detected Rogue AP List table displays all detected rogue APs The Trusted AP List displays all trusted APs The following settings are displayed for each or the Rogue AP lists MAC Address The MAC address of the rogue AP Radio Indicates ...

Page 52: ...shown in megabits per second Mbps All Supported Rates are listed with Basic Rates shown in bold Rate sets are configured on the Radio on page 45 page Step 4 Check the AP List then click the Move to Trusted AP List in order to move the AP to the Trusted AP List If the AP is in the Trusted AP List click the Move to Rogue AP List in order to move the AP to the Detected Rogue AP List Step 5 Click Refr...

Page 53: ...te the screen refreshes and the MAC addresses of the APs in the imported file appear in the Trusted AP List Configure Password Complexity Use the Password Complexity page to modify the complexity requirements for passwords used to access the configuration utility Complex passwords increase security To configure the password complexity requirements follow the subsequent steps Step 1 Select Security...

Page 54: ...A PSK keys against the configured criteria If disabled none of the configured settings are used The WPA PSK Complexity is disabled by default Step 3 Configure these parameters WPA PSK Minimum Character Class Choose the minimum number of character classes that must be represented in the key string The four possible character classes are uppercase letters lowercase letters numbers and special charac...

Page 55: ...ce area select the radio interface to which the configuration parameters will be applied Step 4 In the Basic Settings area configure these parameters for the selected radio interface Local regulations may prohibit the use of certain radio modes Not all modes are available in all countries Note Radio Check Enable to enable the radio interface Wireless Network Mode The IEEE 802 11 standard and frequ...

Page 56: ... only a 20 MHz channel bandwidth and for legacy clients Choose one of these options Upper Sets the primary channel as the upper 20 MHz channel in the 40 MHz band Lower Sets the primary channel as the lower 20 MHz channel in the 40 MHz band Lower is the default selection Channel The portion of the radio spectrum that the radio uses for transmitting and receiving The range of available channels is d...

Page 57: ...terval Choose one of these options Yes The WAP device transmits data using a 400 nanosecond guard interval when communicating with clients that also support the short guard interval This is the default selection No The WAP device transmits data using an 800 nanosecond guard interval Protection The protection feature contains rules to guarantee that 802 11 transmissions do not cause interference wi...

Page 58: ... and 200 The default is 200 stations Transmit Power A percentage value for the transmit power level for the WAP device The default value of Full 100 can be more cost efficient than a lower percentage because it gives the WAP device a maximum broadcast range and reduces the number of access points needed To increase the capacity of the network place the WAP devices closer together and reduce the va...

Page 59: ...nd maximum rate limit burst setting is 75 packets per second Spectrum Analysis Mode The Spectrum Analysis Mode status can be one of the following Dedicated Spectrum Analyzer In dedicated mode the radio is used for spectrum analysis for more than 10 of the time and the client connections may work but are not guaranteed Hybrid Spectrum Analyzer In hybrid mode client connections are guaranteed but de...

Page 60: ...at the WAP device attempts to transmit on the wireless medium using a video AC to gain access The default limit is 15 percent of total traffic TSPEC AP Inactivity Timeout The amount of time for a WAP device to detect a downlink traffic specification as idle before deleting it The valid integer range is from 0 to 120 seconds and the default is 30 seconds TSPEC Station Inactivity Timeout The amount ...

Page 61: ...e only VAP configured on the system and you want to add a VAP click Then check the VAP Step 4 Configure the following VLAN ID Specify the VLAN ID of the VLAN to associate with the VAP Be sure to enter a VLAN ID that is properly configured on the network Network problems can result if the VAP associates the wireless clients with an improperly configured VLAN When a wireless client connects to the W...

Page 62: ...WPA Enterprise as the authentication type as it provides stronger security protection Static WEP can be used for wireless computers or devices that do not support WPA Personal and WPA Enterprise To set security with Static WEP configure the radio as 802 11a or 802 11b g mode The 802 11n mode restricts the use of Static as the security Note Client Filter Specifies whether the stations that can acce...

Page 63: ...e security setting options to choose from None WPA Personal and WPA Enterprise None If you select None as your security mode no additional security settings are required on the device This mode means that any data transferred to and from the WAP device is not encrypted This security mode can be used during initial network configuration or for troubleshooting but the same is not recommended for a r...

Page 64: ...s Note Key The shared secret key for WPA Personal security Enter a string of at least 8 characters to a maximum of 63 characters Acceptable characters include uppercase and lowercase alphabetic letters the numeric digits and special symbols such as and Show Key as Clear Text When enabled the text you type is visible When disabled the text is not masked as you enter it Key Strength Meter The WAP de...

Page 65: ...authentication for roaming clients who connect to multiple APs This option does not apply if you selected WPA for WPA versions because the original WPA does not support this feature Client stations configured to use WPA with RADIUS must have one of these addresses and keys A valid TKIP RADIUS IP address and RADIUS key A valid CCMP AES IP address and RADIUS key PMF Protection Management Frame Provi...

Page 66: ...trative selection of the active RADIUS server rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up Broadcast Key Refresh Rate The interval at which the broadcast group key is refreshed for clients associated with this VAP The default is 86400 seconds The valid range is from 0 to 86400 seconds A value of 0 indicates that the ...

Page 67: ...characters that uniquely identifies a wireless local area network It is also referred to as the Network Name Step 4 Click Apply Configuring MAC Authentication on the Radius Server If one or more VAPs are configured to use a Client filter you must configure the station list on the RADIUS server The format for the list is described in this table Value Description RADIUS Server Attribute Valid Ethern...

Page 68: ...ecifies the start time end time and day or days of the week that the radio or VAP can be operational The rules are periodic in nature and are repeated every week A valid rule must contain all of the following parameters days of the week hour and minute for the start and end time Rules cannot conflict for example you can configure one rule to start on each weekday and another to start on each weeke...

Page 69: ... these values affects the QoS provided To configure the WAP device and EDCA parameters Step 1 Select Wireless QoS Step 2 Choose the radio interface Radio 1 5 GHz or Radio 2 2 4 GHz Step 3 Choose one of these options from the EDCA Enhanced Distributed Channel Access Template WFA Defaults Populates the WAP device and the Station EDCA parameters with Wi Fi Alliance default values which are best for g...

Page 70: ...Doubling continues until the size of the random backoff value reaches the number defined in the Maximum Contention Window Valid values are 1 3 7 15 31 63 127 255 511 or 1023 This value must be lower than the value for the Maximum Contention Window Maximum Contention Window The upper limit in milliseconds for the doubling of the random backoff value This doubling continues until either the data fra...

Page 71: ...livery Check Enable to enable APSD The APSD is recommended if VoIP phones access the network through the WAP device Step 7 Click Apply Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 61 Wireless QoS ...

Page 72: ...Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 62 Wireless QoS ...

Page 73: ...evice In the point to multipoint bridge mode one WAP device acts as the common link between multiple access points In this mode the central WAP device accepts the client associations and communicates with the clients All other access points associate only with the central WAP device that forwards the packets to the appropriate wireless bridge for routing purposes The WAP device can also act as a r...

Page 74: ...cal WAP device to which data is transmitted from Remote MAC Address Specifies the MAC address of the destination WAP device You can find the MAC address on the Monitor Dashboard Wireless page Encryption Select the type of encryption to use on the WDS link None or WPA Personal If you are not concerned about the security issues on the WDS link you may decide not to set any type of encryption Alterna...

Page 75: ...de only when the WDS bridge feature cannot be operational with a peer WAP device WDS is a better solution and is preferred over the Work Group Bridge solution Use WDS if you are bridging the Cisco WAP150 and Cisco WAP361 devices If you are not then consider the Work Group Bridge When the Work Group Bridge feature is enabled the VAP configurations are not applied only the Work Group Bridge configur...

Page 76: ...tructure Client Interface Enabled Specifies the Radio Id Radio 1 2 4 GHz or Radio 2 5GHz Specifies the Radio Id Radio 1 2 4 GHz or Radio 2 5GHz Radio The SSID for the Access Point Interface cannot be the same as the Infrastructure Client SSID Specifies the current SSID of the BSS There is an arrow next to SSID for SSID Scanning This feature is disabled by default and is enabled only if AP Detectio...

Page 77: ...wing options Disabled The set of clients in the APs BSS that can access the upstream network is not restricted to the clients specified in a MAC address list Local The set of clients in the APs BSS that can access the upstream network is restricted to the clients specified in a locally defined MAC address list RADIUS The set of clients in the APs BSS that can access the upstream network is restric...

Page 78: ...Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 68 Wireless Bridge WorkGroup Bridge ...

Page 79: ...mless manner In order to ensure voice quality and network security a portable station must be able to maintain a secure low latency voice call while roaming between APs that are handling other traffic This device supports the FBT Fast BSS Transition as defined in 802 11r for fast handoff with WPA2 Enterprise security For Voice over WI FI Enterprise only a subset of the features defined in 802 11r ...

Page 80: ...mote Key Holder List Select a Remote Key Holder List from the drop down menu that you have created Step 4 Click Apply To delete or modify a roaming setting select it and then click Delete or Edit After configuring the FBT settings click Apply to save the settings Changing some settings might cause the AP to stop and restart the system processes If this happens wireless clients will temporarily los...

Page 81: ...hat names the holder of PMK R1 in the authenticator RRB Key Key used to encrypt RRM protocol messages After you configure the Remote Key Holder Data List settings you can click Restore to restore the old settings or click Apply to save the settings Click Cancel to go back before Fast Roaming page Click Apply after copying or deleting a profile Note Clicking Export for selected profile s will expor...

Page 82: ...Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 72 Fast Roaming Configuring Remote Key Holder List Profiles ...

Page 83: ...ss network When you first set up your WAP device you can use the Setup Wizard to configure Single Point Setup or join an existing Single Point Setup If you prefer not to use the Setup Wizard you can use the web based configuration utility Managing Single Point Setup Across Access Points Single Point Setup creates a dynamic configuration aware cluster or group of WAP devices in the same subnet of a...

Page 84: ...ngle Point Setup Negotiation When a AP is enabled and configured for Single Point Setup it begins sending periodic advertisements every 10 seconds to announce its presence If there are other WAP devices that match the criteria for the cluster arbitration begins to determine which WAP device will distribute the master configuration to the rest of the members of the cluster The following rules apply...

Page 85: ...er The wireless clients associated with the non clustered WAP device continue to associate with the device with no interruption of the wireless connection In other words the loss of contact with the cluster does not necessarily prevent the wireless clients associated with that WAP device from continued access to network resources If the loss of contact with the cluster is due to a physical or logi...

Page 86: ...ulticast Rate Limiting Wireless Band Selection Short Guard Interval Supported Radio Configuration Settings and Parameters that are Not Propagated in Single Point Setup Channel Beacon Interval DTIM Period Maximum Stations Transmit Power Other Configuration Settings and Parameters that are Not Propagated in Single Point Setup Port Settings Utilization Threshold VLAN and IPv4 Bonjour Bridge IPv6 Addr...

Page 87: ...that the WAP devices in the cluster use to communicate with other members of the cluster The default is IPv4 If you choose IPv6 Single Point Setup can use the link local address auto configured IPv6 global address and statically configured IPv6 global address When using IPv6 ensure that all WAP devices in the cluster either use link local addresses only or use global addresses only Single Point Se...

Page 88: ...arted Downloaded Success Fail Abort_admin Abort_local Dap_resigned Firmware transfer progress bar Shows the progress bar for firmware download To select the cluster member for upgrade 1 Select Single Point Setup Firmware Management in the navigation pane 2 Select the check box of the AP to be upgraded 3 Click Apply To get the latest cluster firmware upgrade status Click Refresh To upgrade the firm...

Page 89: ...nel Assignment feature is enabled by default The state of channel management enabled or disabled is propagated to the other devices in the Single Point Setup cluster Configuring Advanced Settings The Advanced area enables you to customize and schedule the channel plan for the Single Point Setup By default channels are automatically reassigned once every hour but only if the interference can be red...

Page 90: ...a separate line in the table The radio status is up operational or down not operational Current Channel The radio channel on which the WAP device is currently broadcasting Lock Current Channel When selected for a WAP device the automated channel management plans do not reassign the WAP device to a different channel as a part of the optimization strategy Instead the WAP devices with locked channels...

Page 91: ... given field should be used to permit or deny access to the network Rules can be based on various criteria and may apply to one or more fields within a packet such as the source or destination IP address the source or destination port or the protocol carried in the packet The IP ACLs classify traffic for Layers 3 and 4 There is an implicit deny at the end of every rule created To avoid denying all...

Page 92: ...based on the Layer 3 and Layer 4 criteria Step 5 Click and select the associated interfaces to apply the ACL Click OK If you want to change the associated interfaces you can click to delete the selected interface and click to choose new associated interfaces Step 6 Click More to view the configuration parameters Click to add a rule and configure the following If no rules are added the WAP denies a...

Page 93: ...source port is identified in the datagram header All Traffic Allows all traffic that meets the rule criteria Select From List Choose the keyword associated with the source port to match ftp ftpdata http smtp snmp telnet tftp www Each of these keywords translates into its equivalent port number Custom Enter the IANA port number to match to the source port identified in the datagram header The port ...

Page 94: ...d Precedence Matches the packets based on their IP precedence value If selected enter an IP Precedence value from 0 to 7 ToS Mask Enter an IP ToS Mask value to identify the bit positions in the IP ToS Bits value that are used for comparison against the IP ToS field in a packet The IP ToS Mask value is a two digit hexadecimal number from 00 to FF representing an inverted that is wild card mask The ...

Page 95: ...d of every ACL traffic that is not explicitly permitted is dropped Service Protocol Uses a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field You can choose one of these options All Traffic Allows all traffic that meets the rule criteria Select From List Choose one of these protocols IPv6 ICMPv6 IGMP TCP or UDP Custom Enter a standard IANA assigned protocol ID ...

Page 96: ... 0 0 0 255 Destination Port Includes a destination port in the match condition for the rule The destination port is identified in the datagram header Any Any port that meets the rule criteria Select From List Choose the keyword associated with the destination port to match ftp ftpdata http smtp snmp telnet tftp www Each of these keywords translates into its equivalent port number Custom Enter the ...

Page 97: ...it the action The default action is Deny When you choose Permit the rule allows all traffic that meets the rule criteria to enter the WAP device Traffic that does not meet the criteria is dropped When you choose Deny the rule blocks all traffic that meets the rule criteria from entering the WAP device Traffic that does not meet the criteria is forwarded unless this rule is the final rule Because t...

Page 98: ...anges are saved to the Startup Configuration To delete or modify an ACL select the ACL and then click Delete or Edit To delete or modify a rule select the rule in the Details Of Rule s area and click Delete or Edit Note Step 8 Click Apply Client QoS Client Quality Of Service QoS is used to control the wireless clients connected to the network and manages the bandwidth that is used Client QoS can c...

Page 99: ...ource address Single Address Enter a single IPv4 address to apply this criteria Address Mask Enter the source IPv4 address mask The mask for DiffServ is a network style bit mask in IP dotted decimal format indicating which part s of the destination IP address to use for matching against packet content A DiffServ mask of 255 255 255 255 indicates that all bits are important and mask of 0 0 0 0 indi...

Page 100: ... the source port ftp ftpdata http smtp snmp telnet tftp or www Each of these keywords translates into its equivalent port number Custom Matches the source port number in the datagram header to an IANA port number that you specify The port range is from 0 to 65535 and includes three different types of ports 0 to 1023 Well known ports 1024 to 49151 Registered ports 49152 to 65535 Dynamic and or priv...

Page 101: ...fic on the WAP device Step 5 Configure the following Source Address Requires a packet s source IPv6 address to match the IPv6 address defined in the appropriate fields Any Any IPv6 address to be used as the source address Single Address Enter the IPv6 address to apply this criteria Address Mask Enter the prefix length of the source IPv6 address Destination Address Requires a packet s destination I...

Page 102: ...eader Any Any port is allowed as the destination port Select From List Matches a keyword associated with the source port ftp ftpdata http smtp snmp telnet tftp or www Each of these keywords translates into its equivalent port number Custom Matches the source port number in the datagram header to an IANA port number that you specify The port range is from 0 to 65535 and includes three different typ...

Page 103: ...he address bit is ignored For example to check only the first four octets of a MAC address a MAC mask of ff ff ff ff 00 00 is used A MAC mask of ff ff ff ff ff ff checks all address bits and is used to match a single MAC address Step 6 Destination Address Includes a destination MAC address in the match condition for the rule Any Any MAC address to be used as the destination address Single Address ...

Page 104: ...s defined by a policy attributes on the QoS Policy page Policy attributes may be defined on a per class instance basis and determine how traffic that matches the class criteria is handled The WAP device can hold up to 50 policies and up to 10 classes in each policy To add and configure a policy map Step 1 Select Client QoS QoS Policy Step 2 Click to add a QoS Policy In the QoS Policy Name field en...

Page 105: ...dit Note QoS Association The QoS Association page provides additional control over certain QoS aspects of the wireless and Ethernet interface In addition to controlling the general traffic categories the QoS allows you to configure the per client conditioning of the various microflows through the QoS Policy Name The QoS Policy Name is a useful tool for establishing general microflow definition and...

Page 106: ...elect Guest Access Guest Access Instance Table Step 2 Specify a name for the CP instance in the Guest Access Instance field The name can contain up to 32 alphanumeric characters Step 3 Configure the following parameters Protocol Choose either HTTP or HTTPS as the protocol for the CP instance to use during the verification process HTTP Does not use encryption during verification HTTPS Uses the Secu...

Page 107: ...IUS server as the primary server and the authentication requests are sent to the specified address Server IP Address 2 or Server IPv6 Address 2 Enter up to three IPv4 or IPv6 backup RADIUS server addresses If the authentication fails with the primary server each configured backup server is tried in sequence Key 1 Enter the shared secret key that the WAP device uses to authenticate to the primary R...

Page 108: ...SIA PACIFIC in Purple Wi Fi Walled Garden Specify a list of domains that users can access before passing through the Web portal page Items in the list should be separated by a comma and domains can include wildcards in the form of an asterisk The length of each domain cannot be greater than 100 Ensure that the total length of the Walled Garden must be less than 4096 The following options should be...

Page 109: ... set to Local Database or Radius Authenticated select a Guest Group that was created previously All users who belong to the group are permitted to access the network through this portal Redirect URL To enable the URL Redirect enter the URL including http The range is from 0 to 256 characters Session Timeout min Enter the time remaining in minutes for the CP session to be valid After the time reach...

Page 110: ...m 0 to 1733 Mbps The default is 0 Maximum Bandwidth Down Enter the maximum download speed in megabits per second that a client can receive traffic when using the Captive Portal This setting limits the bandwidth used to receive data from the network The range is from 0 to 1733 Mbps The default is 0 Total Guest Users Displays the number of total guest users Click the value link on the Total Guest Us...

Page 111: ...go images The filesize must be 64K or less Foreground Color Enter the HTML code for the foreground color in 6 digit hexadecimal format The range is from 1 to 32 characters The default is FFFFFF Background Color Enter the HTML code for the background color in 6 digit hexadecimal format The range is from 1 to 32 characters The default is FFFFFF Separator Color Enter the HTML code for the color of th...

Page 112: ...ecting the Acceptance Use Policy check box The range is from 1 to 128 characters Work In Progress Prompting The text that appears during the authentication process The range is from 1 to 128 characters Invalid Credentials Prompting The text that appears when a user fails the authentication The range is from 1 to 128 characters Connect Success Prompting The text that appears when the client has aut...

Page 113: ...the dashboard Navigate to Admin Platform API Keys to add a name and create the Secret and Key information Note Step 3 Enter the domain name you trust in the Local Domains to Bypass optional field and the packets will reach the destination without going through the Umbrella Items in the list should be separated by a comma while the domains can include wildcards in the form of an asterisk For exampl...

Page 114: ... The status of the registration is indicated in the Registration Status field The status can be Successful Registering or Failed Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 104 Cisco Umbrella Cisco Umbrella ...

Page 115: ...ery 30 seconds Connected Clients The total number of clients currently associated with the WAP device Click the box to be redirected to the Clients page Internet LAN Wireless Round icons on the top right of the page show Internet LAN and wireless connection status Internet Red round No Internet connection Green round Internet connection is good LAN Red round No wired connection Green round Wired c...

Page 116: ... bar chart displays the top 5 Traffic clients devices Upload Throughput of the last 30 seconds transmitted Download Throughput of the last 30 seconds received Click Upload or Download to not display data SSID Utilization According to the traffic order this pie chart displays the top 5 Traffic SSID Traffic total number of bytes transmitted and received Network Usage This line chart displays the eth...

Page 117: ...ddress of the IPv6 DNS server 2 used by the WAP device These settings apply to the LAN interface Click Edit to change any of these settings You will be redirected to the LAN page Click Refresh to refresh the screen and show the most current information Click Back to return to the Dashboard page Note Wireless Status Click the Wireless circle to display the wireless radio interfaces such as Wireless...

Page 118: ...atistics The following information is displayed Interface Name of the Ethernet interface each VAP interface and each WDS interface The name for each VAP interface is followed by its SSID in parentheses Total Packets The total number of packets sent and received by the WAP device is displayed in the Transmit Traffic Statistics table and the Receive Traffic Statistics table respectively Total Bytes ...

Page 119: ...P address The table provides the following details on the current channel assignments AP Location The physical location of the WAP device Wireless Channel The radio channel on which the WAP device is currently broadcasting IP Address The IP address for the WAP device Traffic Up Down The total number of bytes sent Up or received Down to the client device Client Connections 2 4G 5G The number of cli...

Page 120: ...sed on the client such as IEEE 802 11a IEEE 802 11b IEEE 802 11g IEEE 802 11n or IEEE 802 11ac Data Rate The current transmitting data rate Channel The channel on which the Client is currently in connection with The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving You can use the Radio page to set the channel Traffic Up Down The total number of b...

Page 121: ...work SSID and so on Note Guests The Guests page provides two tables One is the Authenticated Clients table which displays the clients that have authenticated on any Captive Portal instance The other one is the Failed Clients table which displays information on the clients that attempted to authenticate on a Captive Portal and failed To view the list of authenticated clients or the list of clients ...

Page 122: ...valid After the time reaches zero the client is de authenticated Away Time The time remaining in seconds for the client entry to be valid The timer starts when the client dissociates from the CP After the time reaches zero the client is de authenticated UP Down MB The number of bytes transmitted and received by the WAP device from the user station Failure Time The time at which the authentication ...

Page 123: ...ce Step 2 Select the radio interface then click Set button to start spectrum intelligence Step 3 Click View Spectrum Data to see details on Channel Quality and Non WLAN Channel Utilization View Spectrum Data This launches the spectrum viewer when scan mode is set to Dedicated Spectrum Analyzer or Hybrid Spectrum Analyzer or 3 1 Spectrum Analyzer radio status is On and the web page accessed only th...

Page 124: ...arameters of the packet capture start a local or remote packet capture view the current packet capture status and download a packet capture file Local Packet Capture To initiate a local packet capture Step 1 Select Troubleshoot Packet Capture Step 2 Ensure that Save File on this Device is selected for the Packet Capture Method Step 3 Configure these parameters Interface Enter a capture interface t...

Page 125: ...ured packets through a TCP connection to the Wireshark tool Wireshark is an open source tool and is available for free it can be downloaded from https www wireshark org A Microsoft Windows computer running the Wireshark tool allows you to display log and analyze the captured traffic The remote packet capture facility is a standard feature of the Wireshark tool for Windows While the remote packet c...

Page 126: ...on Step 3 Configure the following parameters a Interface Enter a capture interface type for packet capture b Ethernet 802 3 traffic on the Ethernet port c Radio 1 2 4GHz Radio 2 5GHz 802 11 traffic on the radio interface d Duration Enter the time duration in seconds for capture No duration limitation from CloudShark The default is 60 e CloudShark URL Enter the host name of CloudShark The default U...

Page 127: ...ld enter the port number of the WAP device For example enter 2002 if you used the default or enter the port number if you used a port other than the default Step 6 Click OK Step 7 Select the interface from which you need to capture the packets At the Wireshark popup window next to the IP address there is a drop down menu to select the interfaces The interface can be one of the following Linux brid...

Page 128: ...xample if the Wireshark IP port is configured to be 58000 then this capture filter is automatically installed on the WAP device not port range 58000 58004 Due to performance and security issues the packet capture mode is not saved in NVRAM on the WAP device If the WAP device resets the capture mode is disabled and then you must enable it again to resume capturing traffic Packet capture parameters ...

Page 129: ...mation pop up message will appear Step 2 Click Yes A pop up enables you to select a network location to save the file Support Information This Support Information page displays the status of the CPU and RAM To record and display the CPU RAM activity follow these steps Step 1 Select Troubleshoot Support Information Step 2 Click CPU The device to record and display the CPU activity To stop the recor...

Page 130: ...tion check Enable and Apply to enable the download Step 3 Select the time you wish to perform the download Today Last 7 Days Last 30 Days All Custom Step 4 Complete the To and From fields with the yyyy mm dd and then set the time with the hh mm ss Step 5 Click Download to generate the file based on the current system settings After a short pause a window appears to enable you to save the file to y...

Page 131: ...ore information see Deauthentication Reason Code Table on page 121 Deauthentication Reason Code Table The following table describes the deauthentication reason codes Table 4 Deauthentication Reason Code Table Meaning Reason code Reserved 0 Unspecified reason 1 Previous authentication no longer valid 2 Deauthenticated because sending station STA is leaving or has left Independent Basic Service Set ...

Page 132: ... the content does not meet the specifications in Clause 8 13 Message integrity code MIC failure 14 4 Way Handshake timeout 15 Group Key Handshake timeout 16 Element in 4 Way Handshake different from Re Association Request Probe Response Beacon frame 17 Invalid group cipher 18 Invalid pairwise cipher 19 Invalid AKMP 20 Unsupported RSNE version 21 Invalid RSNE capabilities 22 IEEE 802 1X authenticat...

Page 133: ...ads If you wish to receive a copy of the source code to which you are entitled under the applicable free open source license s such as the GNU Lesser General Public License please send your request to external opensource requests cisco com In your requests please include the Cisco product name version and the 18 digit reference number for example 7XEEX17D99 3X49X08 1 found in the product open sour...

Page 134: ...Cisco WAP581 Wireless AC N Dual Radio Access Point with 2 5GbE LAN Administration Guide 124 Where to Go from Here Where to Go from Here ...

Reviews:

No comments

Related manuals for Wap581

T-Mobile tm-g5240 - T-mobile Hotspot Wireless Quick Install Manual preview
tm-g5240 - T-mobile Hotspot Wireless
Brand: T-Mobile Pages: 2
Tenda W541R User Manual preview
W541R
Brand: Tenda Pages: 57
Nexxt Nyx300 Quick Installation Manual preview
Nyx300
Brand: Nexxt Pages: 2
UNICOM WEP-72104G User Manual preview
WEP-72104G
Brand: UNICOM Pages: 56
Buffalo Tech Nfiniti Airstation WHR-G300N User Manual preview
Nfiniti Airstation WHR-G300N
Brand: Buffalo Tech Pages: 48
Kozumi air force one 2 lite User Manual preview
air force one 2 lite
Brand: Kozumi Pages: 35
Sierra Wireless AirPrime BX3100 Hardware Integration Manual preview
AirPrime BX3100
Brand: Sierra Wireless Pages: 33
Arista AP-C230E Getting Started Manual preview
AP-C230E
Brand: Arista Pages: 4
MC Technologies MC PMRL User Manual preview
MC PMRL
Brand: MC Technologies Pages: 26
Fluidmesh Videomesh 2200 Series User Manual preview
Videomesh 2200 Series
Brand: Fluidmesh Pages: 30
Astronics Sierra E71-314 User Manual preview
Sierra E71-314
Brand: Astronics Pages: 56
EnGenius ECB600 Quick Installation Manual preview
ECB600
Brand: EnGenius Pages: 2
P2 Mobile Technologies Z500 User Manual preview
Z500
Brand: P2 Mobile Technologies Pages: 15
AmbiCom WL250N-AR Quick Installation Manual preview
WL250N-AR
Brand: AmbiCom Pages: 8
EnGenius ENS500-ACv2 User Manual preview
ENS500-ACv2
Brand: EnGenius Pages: 71
PHICOMM FIR series Quick Start Manual preview
FIR series
Brand: PHICOMM Pages: 5
Gigafast EE400-R User Manual preview
EE400-R
Brand: Gigafast Pages: 54
SIRETTA QUARTZ-LITE Series Software Manual preview
QUARTZ-LITE Series
Brand: SIRETTA Pages: 46

Brands by name

Popular brands

Load more brands