Sercomm WAP121 Wireless-N Access Point with Power over Ethernet User Manual

Sercomm Corporation Wireless-N Access Point with Power over Ethernet

User manual 2 of 4

Download: Sercomm WAP121 Wireless-N Access Point with Power over Ethernet User Manual
Mirror Download [FCC.gov]Sercomm WAP121 Wireless-N Access Point with Power over Ethernet User Manual
Document ID1592040
Application IDkNIe6n/l55ReI3/Mx/yytA==
Document DescriptionUser manual 2 of 4
Short Term ConfidentialNo
Permanent ConfidentialNo
SupercedeNo
Document TypeUser Manual
Display FormatAdobe Acrobat PDF - pdf
Filesize23.23kB (290395 bits)
Date Submitted2011-12-01 00:00:00
Date Available2011-12-01 00:00:00
Creation Date2011-11-29 15:27:29
Producing SoftwareAcrobat Distiller 6.0 (Windows)
Document Lastmod2011-11-29 15:27:40
Document Titleuntitled

:LUHOHVV6HWWLQJV
WPS Setup
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
PIN Control
A client may also enroll with a registrar by using a PIN. For example, the AP
administrator may start an enrollment transaction for a particular VAP by entering
the PIN of a client. When the client detects the WPS-enabled device, its user can
then supply its PIN to the AP to continue the enrollment process. After the WPS
protocol has completed, the client securely joins the network. The client can also
initiate this process.
As with the PBC method, if the AP begins the enrollment transaction and no client
attempts to enroll after 120 seconds, the AP terminates the pending transaction.
2SWLRQDO8VHRI,QWHUQDO5HJLVWUDU
Although the AP supports an internal registrar for WPS, its use is optional. After an
external registrar has configured the AP, the AP acts as a proxy for that external
registrar, regardless of whether the AP’s internal registrar is enabled (it is enabled
by default).
/RFNGRZQ&DSDELOLW\
Each AP stores a WPS-compatible device PIN in nonvolatile RAM. WPS requires
this PIN if an administrator wants to allow an unconfigured AP (that is, one with
only factory defaults, including WPS being enabled on a VAP) to join a network. In
this "out-of-box" scenario, the administrator obtains the PIN value from the UI of the
AP.
The administrator may wish to change the PIN if network integrity has been
compromised in some way. The AP provides a method for generating a new PIN
and storing this value in NVRAM. In the event that the value in NVRAM is corrupted,
erased, or missing, a new PIN is generated by the AP and stored in NVRAM.
The PIN method of enrollment is potentially vulnerable by way of "brute force"
attacks. A network intruder could, in theory, try to pose as an external registrar on
the wireless LAN and attempt to derive the AP's PIN value by exhaustively
applying WPS-compliant PINs. To address this vulnerability, in the event that a
registrar fails to supply a correct PIN in three attempts within 60 seconds, the AP
prohibits any further attempts by an external registrar to register the AP on the
WPS-enabled VAP for 60 seconds. However, wireless client stations may enroll
with the AP's internal registrar, if enabled, during this “lockdown” period. The AP
also continues to provide proxy services for enrollment requests to external
registrars.
The AP adds an additional security mechanism for protecting its device PIN. Once
the AP has completed registration with an external registrar, and the resulting WPS
transaction has concluded, the device PIN is automatically regenerated.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
71
:LUHOHVV6HWWLQJV
WPS Setup
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
9$3&RQILJXUDWLRQ&KDQJHV
The WPS protocol on a WPS-enabled VAP may configure the following
parameters:
•
Network SSID
•
Key management options (WPA-PSK, or WPA-PSK and WPA2-PSK)
•
Cryptography options (CCMP/AES, or TKIP and CCMP/AES)
•
Network (public shared) key
If a VAP is enabled for WPS, these configuration parameters are subject to change,
and are persistent between reboots of the AP.
([WHUQDO5HJLVWUDWLRQ
The AP supports the registration with WPS external registrars (ER) on the wired
and wireless LAN. On the WLAN, external registrars advertise their capabilities
within WPS-specific information elements (IEs) of their beacon frames; on the
wired LAN, external registrars announce their presence via UPnP.
WPS v2.0 does not require registration with an ER to be done explicitly through the
AP’s user interface. The AP administrator can register the AP with an ER by:
1. Initiating the registration process on the AP by entering the ER’s PIN on the AP.
2. Registering the AP by entering the AP's PIN on the user interface of the ER.
127( The registration process can also configure the AP as specified in 9$3
&RQILJXUDWLRQ&KDQJHVSDJH if the AP has declared within the WPS-specific
IEs of its beacon frames or UPnP messages that it requires such configuration.
The AP is capable of serving as a proxy for up to three external registrars
simultaneously.
([FOXVLYH2SHUDWLRQRI:367UDQVDFWLRQV
Any one VAP on the AP can be enabled for WPS. At most, one WPS transaction (for
example, enrollment and association of an 802.11 client) can be in progress at a
time on the AP. The AP administrator can terminate the transaction in progress
from the web-based AP configuration utility. The configuration of the VAP,
however, should not be changed during the transaction; nor should the VAP be
changed during the authentication process. This restriction is recommended but
not enforced on the AP.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
72
:LUHOHVV6HWWLQJV
WPS Setup
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
%DFNZDUG&RPSDWLELOLW\ZLWK:369HUVLRQ
Although the WAP121 supports WPS version 2.0, the AP interoperates with
enrollees and registrars that are certified by the Wi-Fi Alliance to conform to
version 1.0 of the WPS protocol.
&RQILJXULQJ:366HWWLQJV
You can use the WPS Setup page to enable the AP as a WPS-capable device and
configure basic settings. When you are ready to use the feature to enroll a new
device or add the AP to a WPS-enabled network, use the WPS Process page.
&$87,21 For security reasons, it is recommended, but not required, that you use an HTTPS
connection to the web-based AP configuration utility when configuring WPS.
To configure the AP as a WPS-capable device:
67(3  Click :LUHOHVV > :366HWXS in the navigation window.
The WPS Setup page shows global parameters and status, and parameters and
status of the WPS instance. An instance is an implementation of WPS that is
associated with a VAP on the network. The AP supports one instance only.
67(3  Configure the global parameters:
•
6XSSRUWHG:369HUVLRQ—The WPS protocol version that the AP supports.
•
:36'HYLFH1DPH—A default device name displays. You can assign a
different name of up to 32 characters, including spaces and special
characters.
•
:36*OREDO2SHUDWLRQDO6WDWXV—Whether the WPS protocol is enabled or
disabled on the AP. It is enabled by default.
•
:36'HYLFH3,1—A system-generated eight-digit WPS PIN for the AP. The
administrator may need to enter the PIN at the registrar to add the AP to a
WPS-enabled network.
You can click *HQHUDWH to generate a new PIN. This is advisable if network
integrity has been compromised.
67(3  Configure the WPS instance parameters:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
73
:LUHOHVV6HWWLQJV
WPS Process
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
:36,QVWDQFH,'—An identifier for the instance. As there is only one
instance, the only option is wps1.
•
:360RGH—Enables or disables the instance.
•
:369$3—The VAP associated with this WPS instance.
•
:36%XLOWLQ5HJLVWUDU—Select to enable the built-in registrar function.
When disabled, another device on the network can act as the registrar and
the AP can serve as a proxy for forwarding client registration requests and
the registrar’s responses.
•
:36&RQILJXUDWLRQ6WDWH—Whether the VAP will be configured from the
external registrar as a part of WPS process. It can be set to one of the
following values:
8QFRQILJXUHG—VAP settings will be configured using WPS, after which
the state will be change to Configured.
&RQILJXUHG—VAP settings will not be configured by the external
registrar and will retain the existing configuration.
67(3  Click 8SGDWH. The changes are saved to the Running Configuration and to the
Startup Configuration.
The operational status of the instance and the reason for that status also display.
See (QDEOLQJDQGGLVDEOLQJ:36RQD9$3SDJH for information about
conditions that may cause the instance to be disabled.
127( The Instance Status area displays the :362SHUDWLRQDO6WDWXV as Enabled or
Disabled. You can click 5HIUHVK to update the page with the most recent status
information.
:363URFHVV
You can use the WPS Process page to use WPA to enroll a client station on the
network. You can enroll a client using a pin or using the push button method, if
supported on the client station.
(QUROOLQJD&OLHQW8VLQJWKH3,10HWKRG
To enroll a client station using the PIN method:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
74
:LUHOHVV6HWWLQJV
WPS Process
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Obtain the PIN from the client device. The PIN may be printed on the hardware
itself, or may be obtained from the device’s software interface.
67(3  Click :LUHOHVV > :363URFHVVin the navigation window.
67(3  Enter the client’s PIN in the 3,1(QUROOPHQW text box and click 6WDUW.
67(3  Within two minutes, enter the AP’s pin on the client station’s software interface.
The AP’s pin is configured on the :366HWXS page.
When you enter the PIN on the client device, the The WPS Operational Status
changes to Adding Enrollee. When the enrollment process is complete, the WPS
Operational Status changes to Ready and the Transaction Status changes to
Success.
127( This enrollment sequence may also work in reverse; that is, you may be able to
initiate the process on the client station by entering the AP’s pin, and then entering
the client’s PIN on the AP.
When the client is enrolled, either the AP’s internal registrar or the external
registrar on the network proceeds to configure the client with the SSID, encryption
mode, and public shared key of a WPS-enabled BSS.
(QUROOLQJD&OLHQW8VLQJWKH3XVK%XWWRQ0HWKRG
To enroll a client station using the push method:
67(3  Click 6WDUW next to 3%&(QUROOPHQW.
67(3  Push the hardware button on the client station.
127( You can alternatively initiate this process on the client station, and then click the
PBC Enrollment Start button on the AP.
When you push the button on the client station, the The WPS Operational Status
changes to Adding Enrollee. When the enrollment process is complete, the WPS
Operational Status changes to Ready and the Transaction Status changes to
Success.
When the client is enrolled, either the AP’s internal registrar or the external
registrar on the network proceeds to configure the client with the SSID, encryption
mode, and public shared key of a WPS-enabled BSS.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
75
:LUHOHVV6HWWLQJV
WPS Process
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
9LHZLQJ,QVWDQFH6XPPDU\,QIRUPDWLRQ
The following information displays for WPS instance:
•
:365DGLR
•
:369$3
•
66,'
•
6HFXULW\
If the WPS Configuration State field on the WPS Setup page is set to
Unconfigured, then the SSID and Security values are configured by the external
registrar. If the field is set to Configured, then these values are configured by the
administrator.
127( You can click 5HIUHVK to update the page with the most recent status information.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
76
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
6103Y
This chapter describes how to configure the Simple Network Management
Protocol to perform configuration and statistics gathering tasks.
It contains the following topics:
•
61032YHUYLHZ
•
*HQHUDO61036HWWLQJV
•
61039LHZV
•
6103*URXSV
•
61038VHUV
•
61037DUJHWV
61032YHUYLHZ
Simple Network Management Protocol (SNMP) defines a standard for recording,
storing, and sharing information about network devices. SNMP facilitates network
management, troubleshooting, and maintenance.
The AP supports SNMP versions 1, 2, and 3. Unless specifically noted, all
configuration parameters apply to SNMPv1 and SNMPv2c only. Key components
of any SNMP-managed network are managed devices, SNMP agents, and a
management system. The agents store data about their devices in Management
Information Bases (MIBs) and return this data to the SNMP manager when
requested. Managed devices can be network nodes such as APs, routers,
switches, bridges, hubs, servers, or printers.
The AP can function as an SNMP managed device for seamless integration into
network management systems.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
77
6103Y
General SNMP Settings
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
*HQHUDO61036HWWLQJV
You can use the General page to enable SNMP and configure basic protocol
settings.
To configure general SNMP settings:
67(3  Click 6103> *HQHUDO in the navigation window.
67(3  Select (QDEOHG for the 6103 setting. SNMP is enabled by default.
67(3  Configure the parameters:
•
5HDGRQO\&RPPXQLW\1DPH—A read-only community name for SNMPv2
access. The valid range is 1–256 characters.
The community name acts as a simple authentication mechanism to restrict
the machines on the network that can request data to the SNMP agent. The
name functions as a password, and the request is assumed to be authentic
if the sender knows the password.
The community name can be in any alphanumeric format.
•
8'33RUW—By default an SNMP agent only listens to requests from logical
port 161. However, you can configure this so the agent listens to requests on
another port. The valid range is
1-65535.
•
61036HW—When enabled, machines on the network can execute
configuration changes via an SNMP agent to the System MIB on the AP.
•
5HDGZULWH&RPPXQLW\1DPH—Sets a read-write community name to be
used for SNMP Set requests. The valid range is 1-256 characters.
Setting a community name is similar to setting a password. Only requests
from the machines that identify themselves with this community name will
be accepted.
The community name can be in any alphanumeric format.
•
0DQDJHPHQW6WDWLRQ—Determines which stations can access the AP via
SNMP: Select one of the following:
$OO—The set of stations that can access the AP via SNMP is not restricted.
8VHU'HILQHG—Restricts the source of permitted SNMP requests to
those specified in the following lists.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
78
6103Y
General SNMP Settings
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
106+RVWQDPH,3Y$GGUHVV1DPH—The IPv4 DNS hostname or subnet
of the machines that can execute get and set requests to the managed
devices. The valid range is 1–256 characters.
As with community names, this provides a level of security on SNMP
settings. The SNMP agent will only accept requests from the hostname or
subnet specified here.
To specify a subnet, enter one or more subnetwork address ranges in the
form address/mask_length where address is an IP address and
mask_length is the number of mask bits. Both formats address/mask and
address/mask_length are supported. Individual hosts can be provided for
this, i.e. I.P Address or Hostname. For example, if you enter a range of
192.168.1.0/24 this specifies a subnetwork with address 192.168.1.0 and
a subnet mask of 255.255.255.0.
The address range is used to specify the subnet of the designated NMS.
Only machines with IP addresses in this range are permitted to execute get
and set requests on the managed device. Given the example above, the
machines with addresses from 192.168.1.1 through 192.168.1.254 can
execute SNMP commands on the device. (The address identified by suffix .0
in a subnetwork range is always reserved for the subnet address, and the
address identified by .255 in the range is always reserved for the broadcast
address).
As another example, if you enter a range of 10.10.1.128/25 machines with
IP addresses from 10.10.1.129 through 10.10.1.254 can execute SNMP
requests on managed devices. In this example, 10.10.1.128 is the network
address and 10.10.1.255 is the broadcast address. 126 addresses would
be designated.
•
106,3Y$GGUHVV1DPH—The IPv6 DNS hostname or subnet of the
machines that can execute get and set requests to the managed devices.
•
7UDS&RPPXQLW\1DPH—A global community string associated with SNMP
traps. Traps sent from the device will provide this string as a community
name.
The community name can be in any alphanumeric format. Special characters
are not permitted. The valid range is 1–256 characters
•
7UDS'HVWLQDWLRQ7DEOH—A list of up to three IP addresses or hostnames to
receive SNMP traps. The valid range is 1-256 characters. Select the
checkbox and choose a +RVW7\SH (IPv4 or IPv6) before adding the ,3
$GGUHVV+RVWQDPH.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
79
6103Y
SNMP Views
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
An example of a DNS hostname is: snmptraps.foo.com. Since SNMP traps
are sent randomly from the SNMP agent, it makes sense to specify where
exactly the traps should be sent. You can add up to a maximum of three DNS
hostnames. Ensure you select the Enabled check box and select the
appropriate Host Type.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
127( Changing some settings might cause the AP to stop and restart system processes.
If this happens, wireless clients will temporarily lose connectivity. We recommend
that you change AP settings when WLAN traffic is low.
61039LHZV
An SNMP MIB view is a family of view subtrees in the MIB hierarchy. A view
subtree is identified by the pairing of an object identifier (OID) subtree value with a
bit string mask value. Each MIB view is defined by two sets of view subtrees,
included in or excluded from the MIB view. You can create MIB views to control the
OID range that SNMPv3 users can access.
The AP supports a maximum of 16 views.
The following notes summarize some critical guidelines regarding SNMPv3 view
configuration. Please read all the notes before proceeding.
127( A MIB view called all is created by default in the system. This view contains all
management objects supported by the system.
127( By default, view-all and view-none SNMPv3 views are created on the AP. These
views cannot be deleted, but the OID, Mask, and Type fields can be modified.
To configure an SNMP view:
67(3  Click 6103Y > 9LHZV in the navigation window.
67(3  Configure the parameters:
•
9LHZ1DPH—A name that identifies the MIB view. View names can contain
up to 32 alphanumeric characters.
•
7\SH—Whether to include or exclude the view subtree or family of subtrees
from the MIB view.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
80
6103Y
SNMP Groups
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
2,'—An OID string for the subtree to include or exclude from the view.
For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1.
•
0DVN—An OID mask. The mask is 47 characters in length. The format of the
OID mask is xx.xx.xx (.)... or xx:xx:xx.... (:) and is 16 octets in length. Each octet
is two hexadecimal characters separated by either . (period) or : (colon). Only
hex characters are accepted in this field.
For example, OID mask FA.80 is 11111010.10000000.
A family mask is used to define a family of view subtrees. The family mask
indicates which sub-identifiers of the associated family OID string are
significant to the family's definition. A family of view subtrees enables
efficient control access to one row in a table.
67(3  Click $GG, and then click 6DYH. The view is added to the SNMPv3 Views list and
your changes are saved to the Running Configuration and to the Startup
Configuration.
127( To remove a view, select the view in the list and click 5HPRYH.
6103*URXSV
SNMPv3 groups allow you to combine users into groups of different authorization
and access privileges. Each group is associated with one of three security levels:
•
.noAuthNoPriv.
•
.authNoPriv.
•
.authPriv.
Access to management objects (MIBs) for each group is controlled by associating
a MIB view to a group for read or write access, separately.
By default, the AP has three groups:
•
52—A read-only group with no authentication and no data encryption. No
security is provided by this group. By default, users of this group have read
access to the default all MIB view, which can be modified by the user.
•
5:$XWK—A read/write group using authentication, but no data encryption.
Users in this group send SNMP messages that use an MD5 key/password
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
81
6103Y
SNMP Groups
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
for authentication, but not a DES key/password for encryption. By default,
users of this group will have read and write access to the default all MIB
view, which can be modified by the user.
•
5:3ULY—A read/write group using authentication and data encryption.
Users in this group use an MD5 key/password for authentication and a DES
key/password for encryption. Both the MD5 and DES key/passwords must
be defined. By default, users of this group have read and write access to the
default all MIB view, which can be modified by the user.
127( The default groups RO, RWAuth, and RWPriv cannot be deleted.
127( The AP supports a maximum of eight groups.
To add an SNMP group:
67(3  Click 6103 > *URXSV in the navigation window.
67(3  Configure the parameters:
•
1DPH—A name that identifies the group. The default group names are
RWPriv, RWAuth, and RO.
Group names can contain up to 32 alphanumeric characters.
•
•
6HFXULW\/HYHO—The security level for the group, which can be one of the
following:
noAuthentication-noPrivacy—No authentication and no data encryption
(no security).
Authentication-noPrivacy—Authentication, but no data encryption. With
this security level, users send SNMP messages that use an MD5 key/
password for authentication, but not a DES key/password for encryption.
$XWKHQWLFDWLRQ3ULYDF\—Authentication and data encryption. With this
security level, users send an MD5 key/password for authentication and a
DES key/password for encryption.
For groups that require authentication, encryption, or both, you must define
the MD5 and DES key/passwords on the SNMP Users page.
•
:ULWH9LHZV—The write access to management objects (MIBs) for the
group, which can be one of the following:
ZULWHDOO—The group can create, alter, and delete MIBs.
ZULWHQRQH—The group cannot create, alter, or delete MIBS.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
82
6103Y
SNMP Users
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
5HDG9LHZV—The read access to management objects (MIBs) for the group:
YLHZDOO—The group is allowed to view and read all MIBs.
YLHZQRQH—The group cannot view or read MIBs.
67(3  Click $GG, and then click 6DYH. The group is added to the SNMPv3 Groups list and
your changes are saved to the Running Configuration and to the Startup
Configuration.
127( To remove a group, select the group in the list and click 5HPRYH.
61038VHUV
You can use the SNMP Users page to define users, associate a security level to
each user, and configure per-user security keys.
Each user is mapped to an SNMPv3 group, either from the predefined or userdefined groups, and, optionally, is configured for authentication and encryption.
For authentication, only the MD5 type is supported. For encryption, only the DES
type is supported. There are no default SNMPv3 users on the AP.
To add SNMP users:
67(3  Click 6103Y > 8VHUV in the navigation window.
67(3  Configure the parameters:
•
1DPH—A name that identifies the SNMPv3 user.
User names can contain up to 32 alphanumeric characters.
•
*URXS—The group that the user is mapped to. The default groups are
RWAuth, RWPriv, and RO. You can define additional groups on the SNMP
Groups page.
•
$XWKHQWLFDWLRQ7\SH—The type of authentication to use on SNMP requests
from the user, which can be one of the following:
0'—Require MD5 authentication on SNMPv3 requests from the user.
1RQH—SNMPv3 requests from this user require no authentication.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
83
6103Y
SNMP Targets
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
$XWKHQWLFDWLRQ.H\—(If you specify MD5 as the authentication type) A
password to enable the SNMP agent to authenticate requests sent by the
user.
The password must be between 8 and 32 characters in length.
•
•
(QFU\SWLRQ7\SH—The type of privacy to use on SNMP requests from the
user, which can be one of the following:
'(6—Use DES encryption on SNMPv3 requests from the user.
1RQH—SNMPv3 requests from this user require no privacy.
(QFU\SWLRQ.H\—(If you specify DES as the privacy type) A key to use to
encrypt the SNMP requests.
The key must be between 8 and 32 characters in length.
67(3  Click $GG, and then click 6DYH. The user is added to the SNMPv3 Users list and
your changes are saved to the Running Configuration and to the Startup
Configuration.
127( To remove a user, select the user in the list and click 5HPRYH.
61037DUJHWV
SNMPv3 targets send trap messages to the SNMP manager. Inform messages are
not supported. Each target is defined with a target IP address, UDP port, and
SNMPv3 user name.
127( SNMPv3 user configuration (see 61038VHUVSDJH) should be completed
before configuring SNMPv3 targets.
127( The AP supports a maximum of eight targets.
To add SNMP targets:
67(3  Click 6103Y > 7DUJHWV in the navigation window.
67(3  Configure the parameters:
•
,3Y,3Y$GGUHVV—Enter the IP address of the remote SNMP manager to
receive the target.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
84
6103Y
SNMP Targets
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
3RUW—Enter the UDP port to use for sending SNMP targets.
•
8VHUV—Enter the name of the SNMP user to associate with the target. To
configure SNMP users, see “Configuring SNMPv3 Users” on page 125.
•
6103Y7DUJHWV—This field shows the SNMPv3 Targets on the AP. To
remove a target, select it and click Remove.
67(3  Click $GG, and then click 6DYH. The user is added to the SNMPv3 Targets list and
your changes are saved to the Running Configuration and to the Startup
Configuration.
127( To remove a user, select the user in the list and click 5HPRYH.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
85
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
$GPLQLVWUDWLRQ
This chapter describes how to configure global system settings and perform
diagnostics.
It contains the following topics.
•
6\VWHP6HWWLQJV
•
8VHU$FFRXQWV
•
)LUPZDUH8SJUDGH
•
3DFNHW&DSWXUH
•
/RJ6HWWLQJV
•
(PDLO$OHUW
•
'LVFRYHU\{%RQMRXU
•
+773+77366HUYLFH
•
7HOQHW66+6HUYLFH
•
0DQDJHPHQW$FFHVV&RQWURO
•
'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH
•
&RQILJXUDWLRQ)LOHV3URSHUWLHV
•
&RS\LQJDQG6DYLQJWKH&RQILJXUDWLRQ
•
5HERRWLQJ
6\VWHP6HWWLQJV
The System Settings page enables you to configure information that identifies the
switch within the network.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
86
$GPLQLVWUDWLRQ
User Accounts
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
To configure system settings:
67(3  Click $GPLQLVWUDWLRQ > 6\VWHP6HWWLQJV in the navigation window.
67(3  Enter the parameters:
•
+RVW1DPH—Administratively-assigned name for the AP. By convention, this
is the fully-qualified domain name of the node. The default host name is
"wap" concatenated with the last 6 hex digits of the MAC address of the
switch. Host Name labels contain only letters, digits and hyphens. Host
Name labels cannot begin or end with a hyphen. No other symbols,
punctuation characters, or blank spaces are permitted.
•
6\VWHP&RQWDFW—A contact person for the switch.
•
6\VWHP/RFDWLRQ—Description of the physical location of the switch.
67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup
Configuration.
8VHU$FFRXQWV
One management user is configured on the switch by default:
•
User Name: FLVFR
•
Password: FLVFR
You can use the User Accounts page configure up to five additional users and to
change a user password.
$GGLQJD8VHU
To add a new user:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
87
$GPLQLVWUDWLRQ
Firmware Upgrade
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
Red—The password fails to meet the minimum complexity requirements.
•
Orange—The password meets the minimum complexity requirements but
the password strength is weak.
•
Green—The password is strong.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
)LUPZDUH8SJUDGH
As new versions of the AP firmware become available, you can upgrade the
firmware on your devices to take advantage of new features and enhancements.
The AP uses a TFTP or HTTP client for firmware upgrades.
After you upload new firmware and the system reboots, the newly added
firmware becomes the primary image. If the upgrade fails, the original firmware
remains as the primary image.
127( When you upgrade the firmware, the access point retains the existing configuration
information.
7)738SJUDGH
To upgrade the firmware on an access point using TFTP:
67(3  Click $GPLQLVWUDWLRQ > 8SJUDGH)LUPZDUH in the navigation window.
The Product ID (PID), Vender ID (VID), and current Firmware Version display.
67(3  Select TFTP for Transfer Method.
67(3  Enter a name (1 to 256 characters) for the image file in the 6RXUFH)LOH1DPH field,
including the path to the directory that contains the image to upload.
For example, to upload the ap_upgrade.tar image located in the /share/builds/ap
directory, enter /share/builds/ap/ap_upgrade.tar.
The firmware upgrade file supplied must be a tar file. Do not attempt to use bin
files or files of other formats for the upgrade; these types of files will not work.
67(3  Enter the 7)736HUYHU,3Y$GGUHVV and click 8SJUDGH.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
89
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
Uploading the new software may take several minutes. Do not refresh the page or
navigate to another page while uploading the new software, or the software
upload will be aborted. When the process is complete the access point will restart
and resume normal operation.
67(3  To verify that the firmware upgrade completed successfully, log into the user
interface and display the Upgrade Firmware page and view the active firmware
version.
+7738SJUDGH
To upgrade using HTTP:
67(3  Select HTTP for Transfer Method.
67(3  If you know the name and path to the new file, enter it in the 6RXUFH)LOH1DPH
field. Otherwise, click the Browse button and locate the firmware image file on
your network.
The firmware upgrade file supplied must be a tar file. Do not attempt to use bin
files or files of other formats for the upgrade; these types of files will not work.
67(3  Click Upgrade to apply the new firmware image.
Uploading the new software may take several minutes. Do not refresh the page or
navigate to another page while uploading the new software, or the software
upload will be aborted. When the process is complete the access point will restart
and resume normal operation.
67(3  To verify that the firmware upgrade completed successfully, log into the user
interface and display the Upgrade Firmware page and view the active firmware
version.
3DFNHW&DSWXUH
The wireless packet capture feature enables capturing and storing packets
received and transmitted by the AP. The captured packets can then be analyzed
by a network protocol analyzer, for troubleshooting or performance optimization.
Packet capture can operate in either of two modes:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
90
$GPLQLVWUDWLRQ
User Accounts
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click $GPLQLVWUDWLRQ > 8VHU$FFRXQWVin the navigation window.
The User Account Table displays the currently configured users. The user FLVFR is
preconfigured in the system to have Read/Write privileges. This user cannot be
deleted. However, you can change the password.
All other user can have Read Only Access, but not Read/Write access.
67(3  Click $GG. A new row of text boxes displays.
67(3  Select the checkbox for the new user and click (GLW.
67(3  Enter a 8VHU1DPH between 1 to 32 alphanumeric characters. Only numbers 0-9
and letters a-z (upper or lower) are allowed for user names.
67(3  Enter a 1HZ3DVVZRUG between 1 and 64 characters and then enter the same
password in the &RQILUP1HZ3DVVZRUG text box.
As you enter a password, the number and color of vertical bars changes to
indicate the password strength, as follows:
•
Red—The password fails to meet the minimum complexity requirements.
•
Orange—The password meets the minimum complexity requirements but
the password strength is weak.
•
Green—The password is strong.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
127( To delete a user, select the check box next to the user name and click 'HOHWH.
&KDQJLQJD8VHU3DVVZRUG
To change a user password:
67(3  Click $GPLQLVWUDWLRQ > 8VHU$FFRXQWVin the navigation window.
67(3  Select the user to configure and click (GLW.
67(3  Enter a 1HZ3DVVZRUG between 1 and 64 characters and then enter the same
password in the &RQILUP1HZ3DVVZRUG text box.
As you enter a password, the number and color of vertical bars changes to
indicate the password strength, as follows:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
88
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
Capture file mode— Captured packets are stored in a file on the AP. The AP
can transfer the file to a TFTP server. The file is formatted in pcap format
and can be examined using tools such as Wireshark and OmniPeek.
•
Remote capture mode—Captured packets are redirected in real time to an
external PC running the Wireshark tool.
The AP can capture the following types of packets:
•
802.11 packets received and transmitted on radio interfaces. Packets
captured on radio interfaces include the 802.11 header.
•
802.3 packets received and transmitted on the Ethernet interface.
•
802.3 packets received and transmitted on the internal logical interfaces
such as VAPs and WDS interfaces.
Click Administration > Packet Capture to display the Packet Capture page. From
this page you can:
•
Configure packet capture parameters.
•
Start a local or remote packet capture.
•
View the current packet capture status.
•
Download a packet capture file.
3DFNHW&DSWXUH&RQILJXUDWLRQ
The Packet Capture Configuration area of page enables you to configure
parameters and initiate a packet capture.
To configure packet capture settings:
67(3  Configure the following parameters:
•
&DSWXUH%HDFRQV—Enables or disables the capturing of 802.11 beacons
detected or transmitted by the radio.
•
3URPLVFXRXV&DSWXUH—Enables or disables promiscuous mode when the
capture is active.
In promiscuous mode, the radio receives all traffic on the channel, including
traffic that is not destined to this AP. While the radio is operating in
promiscuous mode, it continues serving associated clients. Packets not
destined to the AP are not forwarded.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
91
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
As soon as the capture is completed, the radio reverts to non-promiscuous
mode operation.
•
5DGLR&OLHQW)LOWHU—Enables or disables the WLAN client filter to capture
only frames that are transmitted to, or received from, a WLAN client with a
specified MAC address.
•
&OLHQW)LOWHU0$&$GGUHVV—The MAC address for WLAN client filtering.
127(: The MAC filter is active only when capture is performed on an 802.11
interface.
•
3DFNHW&DSWXUH0HWKRG—Select one of the following:
/RFDO)LOH—Captured packets are stored in a file on the AP.
5HPRWH—Captured packets are redirected in real time to an external PC
running the Wireshark tool.
67(3  Depending on the selected method, refer to the steps in either of the following
sections to continue.
127( Changes to packet capture configuration parameters take affect after packet
capture is restarted. Modifying the parameters while the packet capture is running
does not affect the current packet capture session. In order to begin using new
parameter values, an existing packet capture session must be stopped and restarted.
/RFDO3DFNHW&DSWXUH
To initiate a local packet capture:
67(3  Ensure that /RFDO)LOH is selected for the 3DFNHW&DSWXUH0HWKRG.
67(3  Configure the following parameters:
•
&DSWXUH,QWHUIDFH—The AP capture interface names eligible for packet
capture are:
radio1—802.11 traffic.
eth0—802.3 traffic on the Ethernet port.
wlan0—VAP0 traffic on radio 1.
wlan0vap1 to wlan0vap15—VAP1 through VAP15 traffic (if configured).
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
92
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
brtrunk—Linux bridge interface in the AP.
•
&DSWXUH'XUDWLRQ—The time duration in seconds for the capture (range 10
to 3600).
•
0D[&DSWXUH)LOH6L]H—The maximum allowed size for the capture file in KB
(range 64 to 4096).
67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup
Configuration.
67(3  Click 6WDUW&DSWXUH.
In Packet File Capture mode, the AP stores captured packets in the RAM file
system. Upon activation, the packet capture proceeds until one of the following
occurs:
•
The capture time reaches configured duration.
•
The capture file reaches its maximum size.
•
The administrator stops the capture.
The Packet Capture Status area of the page shows the status of a packet capture,
if one is active on the AP. The following fields display:
•
&XUUHQW&DSWXUH6WDWXV—Whether packet capture is running or stopped.
•
3DFNHW&DSWXUH7LPH—Elapsed capture time.
•
3DFNHW&DSWXUH)LOH6L]H—The current capture file size.
Click Refresh to display the latest data from the AP.
127( To stop a packet file capture, click 6WRS&DSWXUH.
5HPRWH3DFNHW&DSWXUH
The Remote Packet Capture feature enables you to specify a remote port as the
destination for packet captures. This feature works in conjunction with the
Wireshark network analyzer tool for Windows. A packet capture server runs on the
AP and sends the captured packets via a TCP connection to the Wireshark tool.
A Windows PC running the Wireshark tool allows you to display, log, and analyze
captured traffic.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
93
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
When the remote capture mode is in use, the AP does not store any captured data
locally in its file system.
Your can trace up to five interfaces on the AP at the same time. However, you must
start a separate Wireshark session for each interface. You can configure the IP
port number used for connecting Wireshark to the AP. The default port number is
2002. The system uses five consecutive port numbers, starting with the
configured port for the packet capture sessions.
If a firewall is installed between the Wireshark PC and the AP, these ports must be
allowed to pass through the firewall. The firewall must also be configured to allow
the Wireshark PC to initiate TCP connection to the AP.
To configure Wireshark to use the AP as the source for captured packets, you must
specify the remote interface in the "Capture Options" menu. For example to
capture packets on an AP with IP address 192.168.1.10 on radio 1 using the default
IP port, specify the following interface:
rpcap://192.168.1.10/radio1
To capture packets on the Ethernet interface of the AP and VAP0 on radio 1 using
IP port 58000, start two Wireshark sessions and specify the following interfaces:
rpcap://192.168.1.10:58000/eth0
rpcap://192.168.1.10:58000/wlan0
When you are capturing traffic on the radio interface, you can disable beacon
capture, but other 802.11 control frames are still sent to Wireshark. You can set up
a display filter to show only:
•
Data frames in the trace
•
Traffic on specific BSSIDs
•
Traffic between two clients
Some examples of useful display filters are:
•
Exclude beacons and ACK/RTS/CTS frames:
!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)
•
Data frames only:
wlan.fc.type == 2
•
Traffic on a specific BSSID:
wlan.bssid == 00:02:bc:00:17:d0
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
94
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
All traffic to and from a specific client:
wlan.addr == 00:00:e8:4e:5f:8e
In remote capture mode, traffic is sent to the PC running Wireshark via one of the
network interfaces. Depending on where the Wireshark tool is located, the traffic
can be sent on an Ethernet interface or one of the radios. To avoid a traffic flood
caused by tracing the trace packets, the AP automatically installs a capture filter to
filter out all packets destined to the Wireshark application. For example if the
Wireshark IP port is configured to be 58000 then the following capture filter is
automatically installed on the AP:
not portrange 58000-58004.
Enabling the packet capture feature impacts performance of the AP and can
create a security issue (unauthorized clients may be able to connect to the AP and
trace user data). The AP performance is negatively impacted even if there is no
active Wireshark session with the AP. The performance is negatively impacted to a
greater extent when packet capture is in progress.
Due to performance and security issues, the packet capture mode is not saved in
NVRAM on the AP; if the AP resets, the capture mode is disabled and the you must
reenable it in order to resume capturing traffic. Packet capture parameters (other
than mode) are saved in NVRAM.
In order to minimize performance impact on the AP while traffic capture is in
progress, you should install capture filters to limit which traffic is sent to the
Wireshark tool. When capturing 802.11 traffic, large portion of the captured frames
tend to be beacons (typically sent every 100 ms by all APs). Although Wireshark
supports a display filter for beacon frames, it does not support a capture filter to
prevent the AP from forwarding captured beacon packets to the Wireshark tool. In
order to reduce the performance impact of capturing the 802.11 beacons, you can
disable the capture beacons mode.
The remote packet capture facility is a standard feature of the Wireshark tool for
Windows.
127( Remote packet capture is not standard on the Linux version of Wireshark; the Linux
version does not work with the AP.
Wireshark is an open source tool and is available for free; it can be downloaded
from http://www.wireshark.org.
To start a remote packet capture:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
95
$GPLQLVWUDWLRQ
Packet Capture
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Ensure that 5HPRWHis selected for the 3DFNHW&DSWXUH0HWKRG.
67(3  Specify the 5HPRWH&DSWXUH3RUW to use as the destination for packet captures.
(range 1 to 65530).
67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup
Configuration.
67(3  Click 6WDUW&DSWXUH.
A confirmation window displays to remind you to make sure the monitoring
application is ready.
67(3  Click 2..
127( To stop a remote packet capture, click 6WRS&DSWXUH.
3DFNHW&DSWXUH)LOH'RZQORDG
You can download a capture file by TFTP to a configured TFTP server, or by
HTTP(S) to a PC. A capture is automatically stopped when the capture file
download command is triggered.
Because the capture file is located in the RAM file system, it disappears if the AP is
reset.
To download a packet capture file using TFTP:
67(3  Select 8VH7)73WRGRZQORDGWKHFDSWXUHILOH.
67(3  Enter the 7)736HUYHU)LOHQDPH to download, if different from the default. By
default, the captured packets are stored in the folder file /tmp/apcapture.pcap on
the AP.
67(3  Specify a 7)736HUYHU,3Y$GGUHVVin the field provided.
67(3  Click 'RZQORDG.
To download a packet capture file using HTTP:
67(3  Clear 8VH7)73WRGRZQORDGWKHFDSWXUHGILOH.
67(3  Click 'RZQORDG. A confirmation window displays.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
96
$GPLQLVWUDWLRQ
Log Settings
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click 2.. A dialog box displays to enable you to choose a network location to save
the file.
/RJ6HWWLQJV
You can use the Log Settings page to enable log messages to be saved in
permanent memory and to specify a remote host that provides syslog relay
services.
&RQILJXULQJWKH3HUVLVWHQW/RJ
If the system unexpectedly reboots, log messages can be useful to diagnose the
cause. However, log messages are erased when the system reboots unless you
enable persistent logging.
&$87,21 Enabling persistent logging can wear out the flash (non-volatile) memory and
degrade network performance. You should only enable persistent logging to debug
a problem. Make sure you disable persistent logging after you finish debugging the
problem.
To configure persistent log settings:
67(3  Click $GPLQLVWUDWLRQ > /RJ6HWWLQJVin the navigation window.
parameters and initiate a packet capture.
67(3  Configure the parameters:
•
3HUVLVWHQFH—Click Enable to save system logs to nonvolatile memory so
that the logs are not erased when the AP reboots. Clear this field to save
system logs to volatile memory. Logs in volatile memory are deleted when
the system reboots.
•
6HYHULW\—The minimum severity that an event must have for it to be written
to the log in nonvolatile memory. For example, if you specify 2, critical, then
critical, alert and emergency events are logged to nonvolatile memory. Error
messages with a severity level of 3–
– 7 are written to volatile memory. The
severity levels are as follows:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
97
$GPLQLVWUDWLRQ
Log Settings
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
0—emergency
1—alert
2—critical
3—error
4—warning
5—notice
6—info
7—debug
'HSWK—You can store up to 512 messages in memory. When the number
you configure in this field is reached, the oldest log event is overwritten by
the new log event.
67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup
Configuration.
5HPRWH/RJ6HUYHU
The Kernel Log is a comprehensive list of system events (shown in the System
Log) and kernel messages such as error conditions, such as dropped frames.
You cannot view kernel log messages directly from the Web interface. You must
first set up a remote server running a syslog process and acting as a syslog log
relay host on your network. Then, you can configure the AP to send syslog
messages to the remote server.
Remote log server collection for AP syslog messages provides the following
features:
•
Allows aggregation of syslog messages from multiple APs
•
Stores a longer history of messages than kept on a single AP
•
Triggers scripted management operations and alerts
To use Kernel Log relaying, you must configure a remote server to receive the
syslog messages. The procedure to configure a remote log host depends on the
type of system you use as the remote host.
To specify a host on your network that serves as a syslog relay host:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
98
$GPLQLVWUDWLRQ
Email Alert
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click $GPLQLVWUDWLRQ > /RJ6HWWLQJVin the navigation window.
67(3  Configure the parameters:
•
5HOD\/RJ—Enables the AP to send log messages to a remote host. When
disabled, all log messages are kept on the local system.
•
6HUYHU,3Y$GGUHVV1DPH—The IP address or DNS name of the remote
log server.
•
8'33RUW—The logical port number for the syslog process on the relay host.
The default port is 514.
Using the default port is recommended. However; If you choose to
reconfigure the log port, make sure that the port number you assign to
syslog is not being used by another process.
67(3  Click Save. The changes are saved to the Running Configuration and to the Startup
Configuration.
If you enabled the Log Relay Host, clicking Save will activate remote logging. The
AP will send its kernel messages real-time for display to the remote log server
monitor, a specified kernel log file, or other storage, depending on how you
configured the Log Relay Host.
If you disabled the Log Relay Host, clicking Save will disable remote logging.
127( Changing some settings might cause the AP to stop and restart system processes.
If this happens, wireless clients will temporarily lose connectivity. We recommend
that you change AP settings when WLAN traffic is low.
(PDLO$OHUW
Use the email alert feature to send messages to the configured email addresses
when particular system events occur.
The feature supports mail server configuration, message severity configuration,
and up to three email address configurations to send urgent and non-urgent email
alerts.
To configure the AP to send email alerts:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
99
$GPLQLVWUDWLRQ
Email Alert
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click $GPLQLVWUDWLRQ > (PDLO$OHUW in the navigation window.
67(3  In the Global Configuration area, configure the following parameters:
•
$GPLQ0RGH—Enables the email alert feature globally.
•
)URP$GGUHVV—Email alert From Address configuration. The address is a
255 character string with only printable characters. The default is null.
•
/RJ'XUDWLRQ—The email alert log duration in minutes. The range is 30-1440
minutes. The default is 30 minutes.
•
6FKHGXOHG0HVVDJH6HYHULW\—Log messages of this severity level or
higher are grouped and sent periodically to the configuration email address.
Select from the following values: None, Emergency, Alert, Critical, Error,
Warning, Notice, Info, Debug. If set to None, then no scheduled severity
messages are sent.
•
8UJHQW0HVVDJH6HYHULW\—Log messages of this severity level or higher
are are sent to the configured email address immediately. Possible values
are: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. If set
to None, then no urgent severity messages are sent. The default is Alert.
67(3  In the Mail Server Configuration area, configure the following parameters:
•
$GGUHVV—Configures the SMTP server IP address. The server address
must be a valid IPv4 address or hostname.
•
'DWD(QFU\SWLRQ—Configures the mode of security. Possible values are
Open or TLSv1.
•
3RUW—Configures the SMTP port. The range is a valid Port number from 0 to
65535. The default is 25.
•
8VHUQDPH—The username for authentication. The username is a 64-byte
character string with all printable characters.
•
3DVVZRUG—The password for authentication. The username is a 64-byte
character string with all printable characters.
67(3  Configure the email addresses and subject line.
•
7R(PDLO$GGUHVV—Three addresses to send email alerts to. The
address must be a valid email.
•
(PDLO6XEMHFW—The text to appear in the email subject line. This can be up
to a 255 character alphanumeric string.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
100
$GPLQLVWUDWLRQ
Discovery—Bonjour
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click Test Mail to validate the configured email server credentials. The
administrator can send a test email once the email server details are configured.
The following is a sample format of the email alert sent from the AP:
From: AP-192.168.2.10@mailserver.com
Sent: Wednesday, September 09, 2009 11:16 AM
To: administrator@mailserver.com
Subject: log message from AP
TIME
PriorityProcess Id
Message
Sep 8 03:48:25 info
login[1457]
root login on ‘ttyp0’
Sep 8 03:48:26 info
mini_http-ssl[1175] Max concurrent connections of 20
reached
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
'LVFRYHU\{%RQMRXU
Bonjour enables the AP and its services to be discovered by using multicast DNS
(mDNS). Bonjour advertises services to the network and answers queries for
service types it supports, simplifying network configuration in small business
environments.
The AP advertises the following service types:
•
&LVFRVSHFLILFGHYLFHGHVFULSWLRQ (csco-sb)—This service enables clients
to discover Cisco AP and other products deployed in small business
networks.
•
0DQDJHPHQWXVHULQWHUIDFHV—This service identifies the management
interfaces available on the AP (HTTP, Telnet, SSH, and SNMP).
When a Bonjour-enabled AP is attached to a network, any Bonjour client can
discover and get access to the management interface without prior configuration.
A system administrator can use an installed Internet Explorer plug-in to discover
the AP. The web-based AP configuration utility shows up as a tab in the browser.
Bonjour works in both IPv4 and IPv6 networks.
To enable the AP to be discovered through Bonjour:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
101
$GPLQLVWUDWLRQ
HTTP/HTTPS Service
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click $GPLQLVWUDWLRQ > 'LVFRYHU\%RQMRXU in the navigation window.
67(3  Select (QDEOH.
67(3  Click 6DYH. Your changes are saved to the Running Configuration and the Startup
Configuration.
+773+77366HUYLFH
Use the HTTP/HTTPS Service page to enable and configure web-based
management connections. If HTTPS will be used for secure management
sessions, you also use this page to manage the required SSL certificates.
&RQILJXULQJ+773DQG+77366HUYLFHV
To configure the HTTP and HTTP services:
67(3  Click $GPLQLVWUDWLRQ > +773+77366HUYLFH in the navigation window.
67(3  Configure the following Global Parameters:
•
0D[LPXP6HVVLRQV—The number web sessions, including both HTTP and
HTTPs, that can be in use at the same time.
When a user logs on to the AP web interface, a session is created. This
session is maintained until the user logs off or the session inactivity timer
expires. The range is 1–10 sessions. The default is 5. If the maximum number
of sessions is reached, the next user who attempts to log on to the AP web
interface receives an error message about the session limit.
•
6HVVLRQ7LPHRXW—The maximum amount of time, in minutes, an inactive
user remains logged on to the AP web interface. When the configured
timeout is reached, the user is automatically logged off the AP. The range is
1–1440 minutes (1440 minutes = 1 day). The default is 5 minutes.
67(3  Configure HTTP and HTTPS services:
•
+77366HUYHU—Enables access via secure HTTP. By default, HTTPS
access is enabled. If you disable it, any current connections using that
protocol are disconnected.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
102
$GPLQLVWUDWLRQ
HTTP/HTTPS Service
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
+77363RUW—The logical port number to use for HTTP connections, from
1025 to 65535. The default port number for HTTP connections is the wellknown IANA port number 443.
•
+7736HUYHU—Enables access via HTTP. By default, HTTP access is
enabled. If you disable it, any current connections using that protocol are
disconnected.
•
+7733RUW—The logical port number to use for HTTP connections, from
1025 to 65535. The default port number for HTTP connections is the wellknown IANA port number 80.
•
5HGLUHFW+773WR+7736—Redirects management HTTP access attempts
on the HTTP port to the HTTPS port. This field is available only when HTTP
access is disabled.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
0DQDJLQJ66/&HUWLILFDWHV
To use HTTPS services, the AP must have a valid SSL certificate. The AP can
generate a certificate or you can download it from your network or from a TFTP
server.
To have the AP generate the certificate, click *HQHUDWH66/&HUWLILFDWH This
should be done after the AP has acquired an IP address to ensure that the
common name for the certificate matches the IP address of the AP. Generating a
new SSL certificate restarts the secure Web server. The secure connection will
not work until the new certificate is accepted on the browser.
In the Certificate File Status area, you can view whether a certificate currently
exists on the AP, and, if one does, the following information about it:
•
Certificate File Present
•
Certificate Expiration Date
•
Certificate Issuer Common Name
If an SSL certificate exists on the AP, you can download it to your PC as a backup.
In the Download SSL Certificate (From Device to PC) area, select +773 or 7)73
for the 'RZQORDG0HWKRG and click 'RZQORDG.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
103
$GPLQLVWUDWLRQ
Telnet/SSH Service
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
If you select HTTP, you will be prompted to confirm the download and then
to browse to the location to save the file on your network.
•
If you select TFTP, additional fields display to enable you to enter the File
Name to assign to the downloaded file, and the TFTP server address where
the file will be downloaded.
You can also upload a certificate file from your PC to the AP. In the Upload SSL
Certificate (From PC to Device), select +773 or 7)73 for the 8SORDG0HWKRG
•
For an HTTP, browse to the network location, select the file, and click
8SORDG.
•
For TFTP, enter the )LOH1DPH as it exists on the TFTP server and the 7)73
6HUYHU,3Y$GGUHVV, then click 8SORDG.
A confirmation displays to indicate that the upload was successful.
7HOQHW66+6HUYLFH
You can enable management access through Telnet and SSH. The user names and
passwords that you configure for HTTP/HTTPS access also apply to the Telnet
and SSH services. These services are disabled by default.
To enable Telnet or SSH:
67(3  Click $GPLQLVWUDWLRQ > 7HOQHW66+6HUYLFH in the navigation window.
67(3  Select (QDEOH for 7HOQHWor 66+.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
0DQDJHPHQW$FFHVV&RQWURO
You can create an access control list (ACL) that lists up to five IPv4 hosts and five
IPv6 hosts that are authorized to access the AP management interface. If this
feature is disabled, anyone can access the management interface from any
network client by supplying the correct AP username and password.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
104
$GPLQLVWUDWLRQ
Download/Backup Configuration File
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
If the management ACL is enabled, access via the Web, Telnet, SSH, and SNMP is
restricted to the specified IP hosts.
To create an access list:
67(3  Click $GPLQLVWUDWLRQ > 0DQDJHPHQW$FFHVV&RQWUROin the navigation window.
67(3  Select (QDEOH for the 0DQDJHPHQW$&/0RGH.
67(3  Enter up to five IPv4 and five IPv6 addresses that you want to provide access to.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH
The AP configuration files are in XML format and contain all the information about
the AP settings. You can backup (upload) the configuration files to a network host
or TFTP server to manually edit the content or create backups. After you edit a
backed-up configuration file, you can download it back to the access point to
modify the configuration.
The AP maintains the following configuration files:
•
5XQQLQJ&RQILJXUDWLRQ—The current configuration, including any changes
applied in the any management sessions since the last reboot.
•
6WDUWXS&RQILJXUDWLRQ—The configuration file saved to flash memory.
•
%DFNXS&RQILJXUDWLRQ—An additional configuration file saved on the
switch for use as a backup.
•
0LUURU&RQILJXUDWLRQ—If the Running Configuration is not modified for at
least 24 hours, it is automatically saved to a Mirror Configuration file type,
and a log message with severity alert is generated to indicate that a new
mirror file is available. This feature allows the administrator to view the
previous version of the configuration before it is saved to the Startup
Configuration file type or to copy the Mirror Configuration file type to
another configuration file type. If the AP is rebooted, the Mirror
Configuration is reset to the factory default parameters.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
105
$GPLQLVWUDWLRQ
Download/Backup Configuration File
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
127( In addition to downloading and uploading these files to another system, you can
copy them to different file types on the AP. See &RS\LQJDQG6DYLQJWKH
&RQILJXUDWLRQSDJH.
%DFNLQJ8SD&RQILJXUDWLRQ)LOH
To backup (upload) the configuration file to a network host or TFTP server:
67(3  Click $GPLQLVWUDWLRQ > 'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH in the navigation
window.
67(3  Select 9LD7)73 or 9LD+773+7736 as the 7UDQVIHU0HWKRG.
67(3  Select %DFNXS $3WR3& as the 6DYH$FWLRQ.
67(3  For a TFTP backup only, enter the 'HVWLQDWLRQ)LOH1DPH, including path, where
the file is to be placed on the server, then enter the 7)736HUYHU,3Y$GGUHVV.
67(3  For a TFTP backup only, enter the 7)736HUYHU,3Y$GGUHVV.
67(3  Select which configuration file you want to back up:
•
5XQQLQJ&RQILJXUDWLRQ—Current configuration, including any changes
applied in the current management session.
•
6WDUWXS&RQILJXUDWLRQ—Configuration file type used when the switch last
booted. This does not include any configuration changes applied but not yet
saved to the switch.
•
%DFNXS&RQILJXUDWLRQ—Backup configuration file type saved on the switch.
•
0LUURU&RQILJXUDWLRQ—If the Running Configuration is not modified for at
least 24 hours, it is automatically saved to the Mirror Configuration file type,
and a log message with severity level $OHUW is generated to indicate that a
new Mirror Configuration file is available. The Mirror Configuration file can be
used when the switch has problems booting with the Startup or Backup
Configuration file types. In such cases, the administrator can copy the Mirror
Configuration to either the Startup or Backup Configuration file type and
reboot.
67(3  Click 6DYH to begin the backup. For HTTP backups, a window displays to enable
you to browse to the desired location for saving the file.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
106
$GPLQLVWUDWLRQ
Configuration Files Properties
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
'RZQORDGLQJD&RQILJXUDWLRQ)LOH
You can download a file to the AP to update the configuration or to restore the AP
to a previously backed-up configuration.
To download a configuration file to the AP:
67(3  Click $GPLQLVWUDWLRQ > 'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH in the navigation
window.
67(3  Select 9LD7)73 or 9LD+773+7736 as the 7UDQVIHU0HWKRG.
67(3  Select 'RZQORDG 3&WR$3 as the 6DYH$FWLRQ.
67(3  For a TFTP download only, enter the 6RXUFH)LOH1DPH, including path, where the
file exists on the server, then enter the 7)736HUYHU,3Y$GGUHVV.
67(3  Select which configuration file on the AP you want to be overwritten with the
downloaded file: the 6WDUWXS&RQILJXUDWLRQ or the %DFNXS&RQILJXUDWLRQ.
If the downloaded file overwrites the Startup Configuration file, and the file passes
a validity check, then the downloaded configuration will take effect the next time
the AP reboots.
67(3  Click 6DYH to begin the upgrade or backup. For HTTP downloads, a window
displays to enable you to browse to select the file to download. When the
download is finished, a window displays indicating “Download Successful!”
&$87,21 Ensure that power to the AP remains uninterrupted while the configuration file is
downloading to the switch. If a power failure occurs while downloading the
configuration file, the file is lost and the process must be restarted.
&RQILJXUDWLRQ)LOHV3URSHUWLHV
The Configuration Files Properties page enables you clear the Startup, Running,
or Backup Configuration file. If you clear the Startup Configuration file, the Backup
Configuration file will become active the next time you reboot the AP. The Running
Configuration cannot be cleared.
To delete the Startup Configuration or Backup Configuration file:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
107
$GPLQLVWUDWLRQ
Copying and Saving the Configuration
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click $GPLQLVWUDWLRQ > &RQILJXUDWLRQ)LOHV3URSHUWLHVin the navigation window.
67(3  Select the 6WDUWXS&RQILJXUDWLRQ, %DFNXS&RQILJXUDWLRQ, or 5XQQLQJ
&RQILJXUDWLRQ file type.
67(3  Click &OHDU)LOHV.
&RS\LQJDQG6DYLQJWKH&RQILJXUDWLRQ
The Copy/Save Configuration page enables you to copy files within the AP file
system. For example, you can copy the Backup Configuration file to the Startup
Configuration file type, so that it will be used the next time you boot up the switch.
To copy a file to another file type:
67(3  Click $GPLQLVWUDWLRQ > &RS\6DYH&RQILJXUDWLRQin the navigation window.
67(3  Select the 6RXUFH)LOH1DPH:
•
5XQQLQJ&RQILJXUDWLRQ—Current configuration, including any changes
applied in the current management session.
•
6WDUWXS&RQILJXUDWLRQ—Configuration file type used when the switch last
booted. This does not include any configuration changes applied but not yet
saved to the switch.
•
%DFNXS&RQILJXUDWLRQ—Backup configuration file type saved on the switch.
•
0LUURU&RQILJXUDWLRQ—If the Running Configuration is not modified for at
least 24 hours, it is automatically saved to the Mirror Configuration file type,
and a log message with severity level $OHUW is generated to indicate that a
new Mirror Configuration file is available. The Mirror Configuration file can be
used when the switch has problems booting with the Startup or Backup
Configuration file types. In such cases, the administrator can copy the Mirror
Configuration to either the Startup or Backup Configuration file type and
reboot.
67(3  For the 'HVWLQDWLRQ)LOH1DPH, select the file type to be overwritten with the file
you are copying. (The running configuration cannot be overwritten.)
67(3  Click 6DYH to begin the copy process.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
108
$GPLQLVWUDWLRQ
Rebooting
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
When complete, a window displays the message, “Copy Operation Successful.”
5HERRWLQJ
You can use the Reboot page reboot the AP, as follows:
67(3  Click $GPLQLVWUDWLRQ > 5HERRW in the navigation window.
67(3  Select one of the following options:
•
5HERRW—Reboots the switch using Startup Configuration.
•
5HERRWWR)DFWRU\'HIDXOW—Reboots the switch using with the factory
default configuration file. Any customized settings are lost.
A window appears to enable you to confirm or cancel the reboot. The current
management session might be terminated.
67(3  Click 2. to reboot.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
109
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
6\VWHP6HFXULW\
This chapter describes how to configure security settings on the AP.
It contains the following topics.
•
5$',866HUYHU
•
;6XSSOLFDQW
•
3DVVZRUG&RPSOH[LW\
•
:3$36.&RPSOH[LW\
5$',866HUYHU
Several of the AP features require communication with a RADIUS authentication
server. For example, when you configure virtual access points (VAPs) on the AP,
you can configure security methods that control wireless client access (see
5DGLRSDJH). The Dynamic WEP and WPA Enterprise security methods use an
external RADIUS server to authenticate clients. The MAC address filtering feature,
whereby client access is restricted to a list, may also be configured to use a
RADIUS server to control access. The Captive Portal feature also uses RADIUS to
authenticate clients.
You can use the RADIUS Server page to configure the RADIUS servers that are
used by these features. You can configure up to four globally available IPv4 or IPv6
RADIUS servers; however you must select whether the RADIUS client operates in
IPv4 or IPv6 mode with respect to the global servers. One of the servers always
acts as a primary while the others act as backup servers.
127( In addition to using the global RADIUS servers, you can also configure each VAPs
to use a specific set of RADIUS servers. See the Networks page.
To configure global RADIUS servers:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
110
6\VWHP6HFXULW\
RADIUS Server
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click 6HFXULW\ > 5$',866HUYHUin the navigation window.
67(3  Enter the parameters:
•
6HUYHU,3$GGUHVV7\SH—The IP version that the RADIUS server uses.
You can toggle between the address types to configure IPv4 and IPv6 global
RADIUS address settings, but the AP contacts only the RADIUS server or
servers of the address type you select in this field.
•
6HUYHU,3$GGUHVV or 6HUYHU,3Y$GGUHVV—The addresses for the
primary global RADIUS server.
When the first wireless client tries to authenticate with the AP, the AP sends
an authentication request to the primary server. If the primary server
responds to the authentication request, the AP continues to use this RADIUS
server as the primary server, and authentication requests are sent to the
address you specify.
•
6HUYHU,3$GGUHVV through or 6HUYHU,3Y$GGUHVV through —
Up to three backup IPv4 or IPv6 RADIUS server addresses.
If authentication fails with the primary server, each configured backup server
is tried in sequence.
•
.H\—The shared secret key that the AP uses to authenticate to the
primary RADIUS server.
You can use up to 63 standard alphanumeric and special characters. The key
is case sensitive and must match the key configured on the RADIUS server.
The text you enter will be displayed as "*" characters.
•
.H\ through —The RADIUS key associated with the configured backup
RADIUS servers. The server at RADIUS IP Address-2 uses RADIUS Key-2,
RADIUS IP Address-3 uses RADIUS Key-3, and so on.
•
(QDEOH5$',86$FFRXQWLQJ—Enables tracking and measuring the
resources a particular user has consumed, such as system time, amount of
data transmitted and received, and so on.
If you enable RADIUS accounting, it is enabled for the primary RADIUS
server and all backup servers.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
111
6\VWHP6HFXULW\
802.1X Supplicant
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
;6XSSOLFDQW
IEEE 802.1X authentication enables the access point to gain access to a secured
wired network. You can enable the access point as an 802.1X supplicant (client) on
the wired network. A user name and password that are encrypted using the MD5
algorithm can be configured to allow the access point to authenticate using
802.1X.
On networks that use IEEE 802.1X port-based network access control, a
supplicant cannot gain access to the network until the 802.1X authenticator grants
access. If your network uses 802.1X, you must configure 802.1X authentication
information on the AP, so that it can supply it to the authenticator.
The 802.1X Supplicant page is divided into three areas: Supplicant Configuration,
Certificate File Status, and Certificate File Upload.
The Supplicant Configuration area enables you to configure the 802.1X
operational status and basic settings.
To configure the AP’s 802.1X supplicant functionality:
67(3  Click 6\VWHP6HFXULW\ > ;6XSSOLFDQW in the navigation window.
67(3  Enter the parameters:
•
;6XSSOLFDQW—Enables the 802.1X supplicant functionality.
•
($30HWKRG—The algorithm to be used for encrypting authentication user
names and passwords.
•
0'—A hash function defined in RFC 3748 that provides basic security.
3($3—Protected Extensible Authentication Protocol, which provides a
higher level of security than MD5 by encapsulating it within a TLS tunnel.
7/6—Transport Layer Security, as defined in RFC 5216, an open
standard that provides a high level of security.
8VHUQDPH— The user name for the AP to use when responding to requests
from an 802.1X authenticator. The user name can be 1 to 64 characters long.
ASCII-printable characters are allowed, which includes upper and lower
case alphabetic letters, the numeric digits, and special symbols such as @
and #.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
112
6\VWHP6HFXULW\
Password Complexity
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
3DVVZRUG—The MD5 password for the AP to use when responding to
requests from an 802.1X authenticator. The password can be 1 to 64
characters in length. ASCII-printable characters are allowed, which includes
upper and lower case letters, numbers, and special symbols such as @ and
#.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
127( Changing some settings might cause the AP to stop and restart system processes.
If this happens, wireless clients will temporarily lose connectivity. We recommend
that you change AP settings when WLAN traffic is low.
The Certificate File Status area shows whether a current certificate exists:
•
&HUWLILFDWH)LOH3UHVHQW—Indicates if the HTTP SSL Certificate file is
present. Range is Yes or No. The default is No.
•
&HUWLILFDWH([SLUDWLRQ'DWH—Indicates when the HTTP SSL Certificate file
will expire. The range is a valid date.
The Certificate File Upload area enables you to upload a certificate file to the AP:
67(3  Select either +773 or 7)73 as the 7UDQVIHU0HWKRG.
67(3  If you selected HTTP, click %URZVH to select the file.
127(: To configure the HTTP and HTTPS server settings, see +773+7736
6HUYLFHSDJH.
If you selected TFTP, enter )LOHQDPH and the 7)736HUYHU,3Y$GGUHVV.
67(3  Click 8SORDG.
A confirmation window displays, followed by a progress bar to indicate the status
of the upload.
3DVVZRUG&RPSOH[LW\
You can configure minimum complexity requirements for passwords used to
access the AP management interfaces. More complex passwords increase
security.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
113
6\VWHP6HFXULW\
WPA-PSK Complexity
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
To configure password complexity requirements:
67(3  Click 6HFXULW\> 3DVVZRUG&RPSOH[LW\ in the navigation window.
67(3  For the 3DVVZRUG&RPSOH[LW\ setting, select (QDEOH.
67(3  Configure the parameters:
•
3DVVZRUG0LQLPXP&KDUDFWHU&ODVV—The minimum number of character
classes that must be represented in the password string. The four possible
character classes are: uppercase letters, lowercase letters, numbers, and
special characters available on a standard keyboard.
•
3DVVZRUG'LIIHUHQW)URP&XUUHQW—Select to have users enter a different
password when their current passwords expire. If not selected, users can
reenter the previous password when their current password expires.
•
0D[LPXP3DVVZRUG/HQJWK—The maximum password length in number of
characters, from 64 to 80.
•
0LQLPXP3DVVZRUG/HQJWK—The minimum password length in number of
characters, from 0 to 64.
•
3DVVZRUG$JLQJ6XSSRUW—Select to have passwords expire after a
configured time period.
•
3DVVZRUG$JLQJ7LPH—The number of days before a newly created
password expires, from 1 to 365.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
:3$36.&RPSOH[LW\
When you configure VAPs on the AP, you can select a method of securely
authenticating clients. If you select the WPA Personal protocol (also known as
WPA pre-shared key or WPA-PSK) as the security method for any VAP, you can
use the WPA-PSK Complexity page to configure complexity requirements for the
key used in the authentication process. More complex keys provide increased
security.
To configure WPA-PSK complexity:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
114
6\VWHP6HFXULW\
WPA-PSK Complexity
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click 6HFXULW\ > :3$36.&RPSOH[LW\in the navigation window.
67(3  Click (QDEOH for the :3$36.&RPSOH[LW\ setting to enable the AP to check
WPA-PSK keys against the criteria you configure. If you clear the checkbox, none
of the following settings will be used.
67(3  Configure the parameters:
•
:3$36.0LQLPXP&KDUDFWHU&ODVV—The minimum number of character
classes that must be represented in the key string. The four possible
character classes are: uppercase letters, lowercase letters, numbers, and
special characters available on a standard keyboard.
•
:3$36.'LIIHUHQW)URP&XUUHQW—Select one of the following:
 *OREDO&RQILJXUDWLRQin the navigation window.
Step body
67(3  Configure the parameters:
•
&DSWLYH3RUWDO0RGH—Enables CP operation on the AP.
•
$XWKHQWLFDWLRQ7LPHRXW—To access the network through a portal, the client
must first enter authentication information on an authentication Web page.
This field specifies the number of seconds the AP will keep an authentication
session open with the client. When the timeout expires, the AP disconnects
any active TCP or SSL connection with the client.
•
$GGLWLRQDO+7733RUW—HTTP traffic uses port 80, but you can configure an
additional port for HTTP traffic. Enter a port number between 0-65535.
•
$GGLWLRQDO+77363RUW—HTTP traffic over SSL (HTTPS) uses port 443, but
you can configure an additional port for HTTPS traffic. Enter a port number
between 0-65535.
The following fields display nonconfigurable CP information:
•
,QVWDQFH&RXQW—The number of CP instances currently configured on the
AP. Up to two instances can be configured.
•
*URXS&RXQW—The number of CP groups currently configured on the AP. Up
to three groups can be configured.
•
8VHU&RXQW—The number of CP users currently configured on the AP. Up to
128 users can be configured.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
117
&DSWLYH3RUWDO
Configuring Instances
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
&RQILJXULQJ,QVWDQFHV
You can create up to two captive portal instances, which is a defined set of CP
parameters. Instances can be associated with one or more VAPs. Different
instances can be configured to respond differently to users as they attempt to
access the associated VAP.
To create a CP instance and configure its settings:
67(3  Click &DSWLYH3RUWDO > ,QVWDQFH&RQILJXUDWLRQ in the navigation window.
67(3  Select &UHDWH from the &DSWLYH3RUW,QVWDQFHV list.
The Captive Portal Instance Parameters fields display.
67(3  Enter and ,QVWDQFH1DPH (1–32 characters) and ,QVWDQFH,' (either 1 or 2) and
click 6DYH.
67(3  Select the instance name from the &DSWLYH3RUW,QVWDQFHV list.
The Captive Portal Instance Parameters fields redisplay, with additional options.
67(3  Configure the parameters:
•
$GPLQLVWUDWLYH0RGH—Enables and disables the CP instance.
•
3URWRFRO—Specifies HTTP or HTTPs as the protocol for the CP instance to
use during the verification process.
+773—Does not use encryption during verification.
+7736—Uses the Secure Sockets Layer (SSL), which requires a
certificate to provide encryption.
The certificate is presented to the user at connection time.
•
•
9HULILFDWLRQ—The mode for the CP to use to verify clients:
*XHVW—The user does not need to be authenticated by a database.
/RFDO—The AP uses a local database to authenticated users.
5$',86—The AP uses a database on a remote RADIUS server to
authenticate users.
5HGLUHFW—Specifies that the CP should redirect the newly authenticated
client to the configured URL. If this option is clear, the user sees the localespecific welcome page after a successful verification.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
118
&DSWLYH3RUWDO
Configuring Instances
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
5HGLUHFW85/—The URL to which the newly authenticated client is
redirected if the URL Redirect Mode is enabled.
•
,GOH7LPH—The number of seconds a user can remain idle before
automatically being logged out. If the value is set to 0, the timeout is not
enforced. The default value is 0.
•
6HVVLRQ7LPHRXW—The number of seconds to wait before terminating a
session. A user is logged out once the session timeout is reached. If the value
is set to 0, the timeout is not enforced. The default value is 0.
•
8VHU8S5DWH—The maximum speed, in megabytes per second, that a client
can transmit traffic when using the captive portal. This setting limits the
bandwidth at which the client can send data into the network.
•
8VHU'RZQ5DWH—The maximum speed, in megabytes per second, that a
client can receive traffic when using the captive portal. This setting limits the
bandwidth at which the client can receive data from the network.
•
8VHU*URXS1DPH—If the Verification Mode is Local or RADIUS, assigns an
existing User Group to the captive portal. All users who belong to the group
are permitted to access the network through this portal.
•
5$',86,31HWZRUN—Whether the the AP RADIUS client will use the
configured IPv4 or IPv6 RADIUS server addresses.
•
*OREDO5$',86—If the Verification Mode is RADIUS, select to specify that
the default RADIUS server list is used to authenticating clients. (See 5$',86
6HUYHUSDJH for information about configuring the global RADIUS
servers.) If you want the CP feature to use a different set of RADIUS servers,
clear this setting and configure the servers in the fields on this page.
•
5$',86$FFRXQWLQJ—Enables tracking and measuring the resources a
particular user has consumed, such as system time and amount of data
transmitted and received.
If you enable RADIUS accounting, it is enabled for the primary RADIUS
server and all backup servers, and for globally or locally configured servers.
•
5$',86,3—The IPv4 or IPv6 address for the primary RADIUS server for this
VAP.
When the first wireless client tries to authenticate with a VAP, the AP sends
an authentication request to the primary server. If the primary server
responds to the authentication request, the AP continues to use this RADIUS
server as the primary server, and authentication requests are sent to the
address you specify.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
119
&DSWLYH3RUWDO
Configuring VAPs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
5DGLXV%DFNXS,3z—Up to three IPv4or IPv6 backup RADIUS server
addresses.
If authentication fails with the primary server, each configured backup server
is tried in sequence.
•
5$',86&XUUHQW—Enables administratively selecting the active RADIUS
server, rather than having the AP attempt to contact each configured server
in sequence and choose the first server that is up.
•
5$',86.H\—The shared secret key that the AP uses to authenticate to the
primary RADIUS server.
You can use up to 63 standard alphanumeric and special characters. The key
is case sensitive and must match the key configured on the RADIUS server.
The text you enter will be displayed as "*" characters.
•
5$',86%DFNXS.H\z—The RADIUS key associated with the
configured backup RADIUS servers. The server at RADIUS IP Address-1
uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on.
•
/RFDOH&RXQW—The number of locales associated with the instance. You
assign locales to instances on the Web Customization page.
•
'HOHWH,QVWDQFH—Deletes the current instance.
67(3  Click 6DYH. You changes are saved to the Running Configuration.
&RQILJXULQJ9$3V
You can use the VAP configuration page to associate a CP instance to a VAP. The
associated CP instance settings will apply to users who attempt to authenticate
on the VAP.
To associate an instance to a VAP:
67(3  Click &DSWLYH3RUWDO > 9$3&RQILJXUDWLRQ in the navigation window.
67(3  From the 9$3,' list, select the VAP to which you want to associate a CP instance.
67(3  From the ,QVWDQFH1DPH list select the CP instance you want to associate with the
VAP.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
120

&DSWLYH3RUWDO
Uploading Binary Files
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
67(3  Click 6DYH. Your change are saved to the Running Configuration.
8SORDGLQJ%LQDU\)LOHV
When users initiate access to a VAP that is associated to a captive portal instance,
an authentication page displays. You can customize this page with your own logo
and other graphics. You can use the Upload Binary Files page to upload these
graphics to the AP.
To upload binary graphic files to the AP:
67(3  Create or identify custom graphics to replace the default graphics, as shown in the
following table.:
,PDJH7\SH
8VH
'HIDXOW:LGWK[
+HLJKW
Logo
Displays at top left of page to provide
branding information.
168 × 78 pixels
Account
Displays above the login field to depict
an authenticated login.
295 × 55 pixels
Background
Displays in the page background.
10 × 800
Images will be resized to fit the specified dimensions. For best results, the logo
and account images should be similar in proportion to the default images.
All images must be 5 kilobytes or smaller and must be in GIF or JPG format.
67(3  Click &DSWLYH3RUWDO > 8SORDG%LQDU\)LOHV in the navigation window.
67(3  Click %URZVH next to 8SORDG:HE&XVWRPL]DWLRQ,PDJH to select the file from
your PC or network.
67(3  Click 8SORDG.
67(3  Go to the Web Customization page to apply an uploaded graphic to a CP web
page.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
121
&DSWLYH3RUWDO
Customizing the Captive Portal Web Pages
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
127(: To delete an image, select it from the 'HOHWH:HE&XVWRPL]DWLRQ,PDJH
list and click 'HOHWH.
&XVWRPL]LQJWKH&DSWLYH3RUWDO:HE3DJHV
When users initiate access to a VAP that is associated to a captive portal instance,
an authentication page displays. You can use the Web Customization page to
create unique pages for different locales on your network, and to customize the
textual and graphic elements of the pages.
To create and customize a CP authentication page:
67(3  Click &DSWLYH3RUWDO > :HE&XVWRPL]DWLRQ in the navigation window.
67(3  Select &UHDWH from the &DSWLYH3RUWDO:HE/RFDOH list.
You can create up to three pages for use with different locales on your network.
67(3  Enter a :HE/RFDOH1DPH to assign to the page.
67(3  Specify a /RFDOH,', from 1–3.
67(3  From the &DSWLYH3RUWDO,QVWDQFHV list, select the CP instance that this locale is
associated with.
You can associate multiple locales with an instance. When a user attempts to
access a particular VAP that is associated with a CP instance, the locales that are
associated with that instance display as links on the authentication page. The user
can select a link to switch to that locale.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
67(3  From the &DSWLYH3RUWDO:HE/RFDOH list, select the locale you created.
The page displays additional fields for modifying the locale. The /RFDOH,',
,QVWDQFH,', and ,QVWDQFH1DPH fields display and cannot be edited. The editable
fields are populated with default values.
67(3  Configure the parameters:
•
%DFNJURXQG,PDJH1DPH—The image to display as the page background.
If you uploaded a custom background image to the AP, you can select it from
the list.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
122
&DSWLYH3RUWDO
Customizing the Captive Portal Web Pages
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
/RJR,PDJH1DPH—The image file to display on the top left corner of the
page. This image is used for branding purposes, such as the company logo.
If you uploaded a custom logo image to the AP, you can select it from the list.
•
)RUHJURXQGFRORU—The HTML code for the foreground color in 6-digit
hexadecimal format.
•
%DFNJURXQGFRORU—The HTML code for the background color in 6-digit
hexadecimal format.
•
6HSDUDWRU—The HTML code for the color of the thick horizontal line that
separates the page header from the page body, in 6-digit hexadecimal
format.
•
/RFDOH/DEHO—A descriptive label for the locale, from 1–32 characters. The
default is English.
•
/RFDOH—An abbreviation for the locale, from 1–32 characters. The default is
en.
•
$FFRXQW,PDJH—The image file to display above the login field to depict an
authenticated login.
•
$FFRXQW/DEHO—The text that instructs the user to enter a user name.
•
8VHU/DEHO—The label for the user name text box.
•
3DVVZRUG/DEHO—The label for the user password text box.
•
%XWWRQ/DEHO—The label on the button users click to submit their user name/
password for authentication.
•
)RQWV—The name of the font to use for all text on the CP page. You can enter
multiple font names, each separated by a comma. If the first font is not
available on the client system, the next font will be used, and so on. For font
names that have spaces, surround the entire name in quotes.
•
%URZVHU7LWOH—The text to display in the browser title bar.
•
%URZVHU&RQWHQW—The text that displays in the page header, to the right of
the logo.
•
&RQWHQW—The instructive text that displays in the page body below the user
name and password text boxes.
•
$FFHSWDQFH8VH3ROLF\—The text that appears in the Acceptance Use
Policy box.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
123
&DSWLYH3RUWDO
Web Customization Preview
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
$FFHSW/DEHO—The text that instructs users to select the check box to
acknowledge reading and accepting the Acceptance Use Policy.
•
1R$FFHSW7H[W—Error: The text that displays in a pop-up window when a
user submits login credentials without selecting the Acceptance Use Policy
check box.
•
:RUN,Q3URJUHVV7H[W—The text that displays during authentication.
•
'HQLHG7H[W—The text that displays when a user fails authentication.
•
5HVRXUFH7H[W—The text that displays when the authenticator is
unavailable.
•
7LPHRXW7H[W—The text that displays when the authenticator has not replied
in the configured time frame.
•
:HOFRPH7LWOH—The text that displays when the client has authenticated to
the VAP.
•
:HOFRPH&RQWHQW—The text that displays when the client has connected to
the network.
•
'HOHWH/RFDOH—Deletes the current locale.
67(3  Click 6DYH. Your changes are saved to the Running Configuration and the Startup
Configuration.
You can use the Web Customization Preview page view the updated page.
:HE&XVWRPL]DWLRQ3UHYLHZ
Use the Web Customization Preview page to view a locale page that you have
modified.
To preview a customized page:
67(3  Click &DSWLYH3RUWDO > :HE&XVWRPL]DWLRQ3UHYLHZ in the navigation window.
67(3  Select the locale you want to preview from the &DSWLYH3RUWDO:HE/RFDOH list.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
124
&DSWLYH3RUWDO
Local Groups
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
The page for the locale displays in the Captive Portal Web Locale Parameters
Preview area.
/RFDO*URXSV
Each local user is assigned to a user group. Each group is assigned to a CP
instance. The group facilitates managing the assignment of users to CP instances.
The user group named default is built-in and cannot be deleted. You can create up
to two additional user groups.
To add local user groups:
67(3  Click &DSWLYH3RUWDO > /RFDO*URXSV in the navigation window.
67(3  In the &DSWLYH3RUWDO*URXSV list, click &UHDWH.
The page displays additional fields for configuring a new group.
67(3  Enter a *URXS1DPHand *URXS,'and click 6DYH. The changes are saved to the
Running Configuration and to the Startup Configuration.
127(: To delete a group, select it in the &DSWLYH3RUWDO*URXSV list, select the
'HOHWH*URXS check box, and click 6DYH.
/RFDO8VHUV
You can configure a captive portal instance to accommodate either guest users
and authorized users.
Guest users do not have assigned user names and passwords. The CP instance to
which guest users are assigned might be associated with a VAP that provides a
more restricted access to the network.
Authorized users provide a valid user name and password that must first be
validated against a local database or RADIUS server. Authorized users are
typically assigned to a CP instance that is associated with a different VAP than
guest users.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
125
&DSWLYH3RUWDO
Local Users
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
You can use the Local Users page to configure up to 128 authorized users in the
local database.
To add and configure a local user:
67(3  Click &DSWLYH3RUWDO > /RFDO8VHUV in the navigation window.
67(3  Select &UHDWH in the &DSWLYH3RUWDO8VHUV list.
The page displays additional fields for creating a new user.
67(3  Enter a 8VHU1DPHand 8VHU,', then click 6DYH.
67(3  From the &DSWLYH3RUW8VHUV list, select the name of the user you created.
The page displays additional fields for configuring the user.
67(3  Enter the parameters:
•
8VHU3DVVZRUG—Enter the user’s password, from 8 to 64 alphanumeric and
special characters. A user enter must enter the password to log into the
network through the Captive Portal.
•
,GOH7LPH—The period of time after which the user is logged out if there is
no activity.
•
*URXS1DPH—The group the user is assigned to. Each CP instance is
configured to support a particular group of users.
•
0D[LPXP%DQGZLGWK8S—The maximum speed, in megabytes per second,
that a client can transmit traffic when using the captive portal. This setting
limits the bandwidth at which the client can send data into the network.
•
0D[LPXP%DQGZLGWK'RZQ—The maximum speed, in megabytes per
second, that a client can receive traffic when using the captive portal. This
setting limits the bandwidth at which the client can receive data from the
network.
•
'HOHWH8VHU—Deletes the current user.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
126
&DSWLYH3RUWDO
Local User/Group Associations
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
/RFDO8VHU*URXS$VVRFLDWLRQV
When you define CP users, you assign them to groups. The groups are assigned to
a CP instance, enabling all members access to that CP instance. In addition to
making a user a member of a group, you can also associate the user with another
group (without assigning them as member). The association enables a user
access to an additional CP instance.
To associate a user to a group (of which the user is not already a member):
67(3  Click &DSWLYH3RUWDO > /RFDO8VHU*URXS$VVRFLDWLRQV in the navigation window.
67(3  In the &DSWLYH3RUWDO8VHU*URXS list, click &UHDWH.
The page displays additional fields for associating a user to a group.
67(3  Enter a 8VHU*URXS1DPH
67(3  Enter the *URXS,'and 8VHU,' to associate and click 6DYH. The changes are
saved to the Running Configuration and to the Startup Configuration.
127(: To delete a group, select it in the &DSWLYH3RUWDO8VHU*URXSV list, select
the 'HOHWH*URXS check box, and click 6DYH.
$XWKHQWLFDWHG&OLHQWV
The Authenticated Clients page provides information about clients that have
authenticated on any Captive Portal instance.
To view the list of authenticated clients, click &DSWLYH3RUWDO > $XWKHQWLFDWHG
&OLHQWV in the navigation window.
The following fields display:
•
0$&$GGUHVV—The MAC address of the client.
•
,3$GGUHVV—The IP address of the client.
•
8VHU1DPH—The clients Captive Portal user name.
•
3URWRFRO—The protocol the user used to establish the connection (HTTP or
HTTPS).
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
127
&DSWLYH3RUWDO
Failed Authentication Clients
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•
9HULILFDWLRQ—The method used to authenticate the user on the Captive
Portal, which can be one of the following values:
*XHVW—The user does not need to be authenticated by a database.
/RFDO—The AP uses a local database to authenticated users.
5$',86—The AP uses a database on a remote RADIUS server to
authenticate users.
•
9$3,'—The VAP that the user is associated with.
•
5DGLR,'—The ID of the radio. Because the AP has a single radio, this field
always displays Radio1.
•
&DSWLYH3RUWDO,'—The ID of the Captive Portal instance to which the user
is associated.
•
6HVVLRQ7LPH—The time that has elapsed since the user authenticated on
Captive Portal.
•
,GOH7LPH—The time that has elapsed since the last user activity.
•
,QLWLDO85/5HTXHVW—The URL that the user initially attempted to access.
•
5HFHLYHG3DFNHWV—The number of IP packets received by the AP from the
user station.
•
7UDQVPLWWHG3DFNHWV—The number of IP packets transmitted from the AP
to the user station.
•
5HFHLYHG%\WHV—The number of bytes received by the AP from the user
station.
•
7UDQVPLWWHG%\WHV—The number of bytes transmitted from the AP to the
user station.
You can click 5HIUHVK to show the latest data from the switch.
)DLOHG$XWKHQWLFDWLRQ&OLHQWV
The Failed Authenticated Clients page lists information about clients that
attempted to authenticate on a Captive Portal and failed.
To view a list of clients who failed authentication, click &DSWLYH3RUWDO > )DLOHG
$XWKHQWLFDWLRQ&OLHQWV in the navigation window.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
128
&DSWLYH3RUWDO
Failed Authentication Clients
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
The following fields display:
•
0$&$GGUHVV—The MAC address of the client.
•
,3$GGUHVV—The IP address of the client.
•
8VHU1DPH—The clients Captive Portal user name.
•
9HULILFDWLRQ—The method the client attempted to use to authenticate on the
Captive Portal, which can be one of the following values:
*XHVW—The user does not need to be authenticated by a database.
/RFDO—The AP uses a local database to authenticated users.
5$',86—The AP uses a database on a remote RADIUS server to
authenticate users.
•
9$3,'—The VAP that the user is associated with.
•
5DGLR,'—The ID of the radio. Because the AP has a single radio, this field
always displays Radio1.
•
&DSWLYH3RUWDO,'—The ID of the Captive Portal instance to which the user
is associated.
•
)DLOXUH7LPH—The time that the authentication failure occurred.
You can click 5HIUHVK to show the latest data from the switch.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
129
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
10
&OLHQW4XDOLW\RI6HUYLFH
This chapter provides an overview of Quality of Service (QoS) and explains the
QoS features available from the Quality of Service menu.
•
$&/V
•
&ODVV0DS
•
3ROLF\0DS
•
&OLHQW4R6$VVRFLDWLRQ
•
&OLHQW4R66WDWXV
$&/V
ACLs are a collection of permit and deny conditions, called rules, that provide
security by blocking unauthorized users and allowing authorized users to access
specific resources. ACLs can block any unwarranted attempts to reach network
resources.
The AP supports up to 50 IPv4, IPv6, and MAC ACLs.
,3YDQG,3Y$&/V
IP ACLs classify traffic for Layers 3 and 4.
Each ACL is a set of up to 10 rules applied to traffic sent from a wireless client or
to be received by a wireless client. Each rule specifies whether the contents of a
given field should be used to permit or deny access to the network. Rules can be
based on various criteria and may apply to one ore more fields within a packet,
such as the source or destination IP address, the source or destination L4 port, or
the protocol carried in the packet.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
130
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

0$&$&/V
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect fields of a
frame such as the source or destination MAC address, the VLAN ID, or the Class of
Service 802.1p priority. When a frame enters or exits the AP port (depending on
whether the ACL is applied in the up or down direction), the AP inspects the frame
and checks the ACL rules against the content of the frame. If any of the rules match
the content, a permit or deny action is taken on the frame.
&RQILJXULQJ$&/V
Configure ACLs and rules on the ACL Configuration page (steps 1–5), and then
apply the rules to a specified VAP.
Use the following general steps to configure ACLs:
67(3  Specify a name for the ACL.
67(3  Select the type of ACL to add.
67(3  Add the ACL
67(3  Add new rules to the ACL.
67(3  Configure the match criteria for the rules.
67(3  Use the Client QoS Association page to apply the ACL to one or more VAPs.
To add an ACL and configure its rules:
67(3  Click &OLHQW4R6> $&/in the navigation window.
67(3  Enter the following parameters to create a new ACL:
•
$&/1DPH—A name to identify the ACL. The name can contain from 1 – 31
alphanumeric characters. Spaces are not allowed.
•
$&/7\SH—The type of ACL to configure:
IPv4
IPv6
MAC
IPv4 and IPv6 ACLs control access to network resources based on Layer 3
and Layer 4 criteria. MAC ACLs control access based on Layer 2 criteria.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
131
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GG$&/.
The page displays additional fields for configuring the ACL.
67(3  Configure the rule parameters:
•
$&/1DPH$&/7\SH—The ACL to configure with the new rule. The list
contains all ACLs added in the ACL Configuration section.
•
5XOH—The action to be taken:
Select 1HZ5XOH to configure a new rule for the selected ACL
If rules already exist (even if created for use with other ACLs), you can
select the rule number to add the rule to the selected ACL or to modify
the rule.
When an ACL has multiple rules, the rules are applied to the packet or frame
in the order in which you add them to the ACL. There is an implicit deny all
rule as the final rule.
•
$FWLRQ—Whether the ACL rule permits or denies an action.
When you select Permit, the rule allows all traffic that meets the rule criteria
to enter or exit the AP (depending on the ACL direction you select). Traffic
that does not meet the criteria is dropped.
When you select Deny, the rule blocks all traffic that meets the rule criteria
from entering or exiting the AP (depending on the ACL direction you select).
Traffic that does not meet the criteria is forwarded unless this rule is the final
rule. Because there is an implicit deny all rule at the end of every ACL, traffic
that is not explicitly permitted is dropped.
•
0DWFK(YHU\3DFNHW—If selected, the rule, which either has a permit or deny
action, will match the frame or packet regardless of its contents.
If you select this field, you cannot configure any additional match criteria. The
Match Every option is selected by default for a new rule. You must clear the
option to configure other match fields.
For IPv4 ACLs, configure the following parameters:
•
3URWRFRO—The Protocol field to use an L3 or L4 protocol match condition
based on the value of the IP Protocol field in IPv4 packets or the Next Header
field of IPv6 packets.
If you select the checkbox, select one of the following:
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
132
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

6HOHFW)URP/LVW—Select one of the following protocols: IP, ICMP, IGMP,
TCP, or UDP.
0DWFKWR9DOXH—Enter a standard IANA-assigned protocol ID from
0–255. Choose this method to identify a protocol not listed by name in
the Select From List.
•
6RXUFH,3$GGUHVV—Requires a packet's source IP address to match the
address listed here. Enter an IP address in the appropriate field to apply this
criteria.
•
:LOG&DUG0DVN—The source IP address wildcard mask.
The wild card masks determines which bits are used and which bits are
ignored. A wild card mask of 255.255.255.255 indicates that no bit is
important. A wildcard of 0.0.0.0 indicates that all of the bits are important.
This field is required when Source IP Address is checked.
A wild card mask is, in essence, the inverse of a subnet mask. For example,
To match the criteria to a single host address, use a wildcard mask of 0.0.0.0.
To match the criteria to a 24-bit subnet (for example 192.168.10.0/24), use a
wild card mask of 0.0.0.255.
•
6RXUFH3RUW—Includes a source port in the match condition for the rule. The
source port is identified in the datagram header.
If you select this checkbox, choose the port name or enter the port number.
6HOHFW)URP/LVW—The keyword associated with the source port to
match: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www.
Each of these keywords translates into its equivalent port number.
•
0DWFKWR3RUW—The IANA port number to match to the source port
identified in the datagram header. The port range is 0–65535 and
includes three different types of ports:
0–1023: Well Known Ports
1024–49151: Registered Ports
49152–65535: Dynamic and/or Private Ports
•
'HVWLQDWLRQ,3$GGUHVV—Requires a packet's destination IP address to
match the address listed here. Enter an IP address in the appropriate field to
apply this criteria.
•
:LOG&DUG0DVN—The destination IP address wildcard mask.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
133
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

The wild card masks determines which bits are used and which bits are
ignored. A wild card mask of 255.255.255.255 indicates that no bit is
important. A wildcard of 0.0.0.0 indicates that all of the bits are important.
This field is required when Source IP Address is selected.
A wild card mask is in essence the inverse of a subnet mask. For example, To
match the criteria to a single host address, use a wildcard mask of 0.0.0.0. To
match the criteria to a 24-bit subnet (for example 192.168.10.0/24), use a wild
card mask of 0.0.0.255.
•
'HVWLQDWLRQ3RUW—Includes a destination port in the match condition for the
rule. The destination port is identified in the datagram header.
If you select this checkbox, choose the port name or enter the port number.
6HOHFW)URP/LVW—Select the keyword associated with the destination
port to match: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www.
Each of these keywords translates into its equivalent port number.
•
0DWFKWR3RUW—The IANA port number to match to the destination port
identified in the datagram header. The port range is 0–65535 and
includes three different types of ports:
0–1023: Well Known Ports
1024–49151: Registered Ports
49152–65535: Dynamic and/or Private Ports
•
,3'6&3—Matches packets based on their IP DSCP value.
If you select this checkbox, choose one of the following as the match criteria:
6HOHFW)URP/LVW—DSCP Assured Forwarding (AS), Class of Service
(CS) or Expedited Forwarding (EF) values.
•
0DWFKWR9DOXH—A custom DSCP value, from 0–63.
•
,33UHFHGHQFH—Matches packets based on their IP Precedence value. If
you select this checkbox, enter an IP Precedence value from 0–7.
•
,3726%LWV—Specifies a value to use the packet's Type of Service bits in
the IP header as match criteria.
The IP TOS field in a packet is defined as all eight bits of the Service Type
octet in the IP header. The TOS Bits value is a two-digit hexadecimal number
from 00 to ff.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
134
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

The high-order three bits represent the IP precedence value. The high-order
six bits represent the IP Differentiated Services Code Point (DSCP) value.
•
,37260DVN—Enter an IP TOS mask value to identify the bit positions in the
TOS Bits value that are used for comparison against the IP TOS field in a
packet.
The TOS Mask value is a two-digit hexadecimal number from 00 to ff,
representing an inverted (i.e. wildcard) mask. The zero-valued bits in the TOS
Mask denote the bit positions in the TOS Bits value that are used for
comparison against the IP TOS field of a packet. For example, to check for an
IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most
significant, use a TOS Bits value of a0 and a TOS Mask of 00. This is an
optional configuration.
For IPv6 ACLs, configure the following parameters:
•
3URWRFRO—Select the Protocol field to use an L3 or L4 protocol match
condition based on the value of the IP Protocol field in IPv4 packets or the
Next Header field of IPv6 packets.
If you select the field, choose the protocol to match by keyword or protocol
ID.
•
6RXUFH,3Y$GGUHVV—Select this field to require a packet's source IPv6
address to match the address listed here. Enter an IPv6 address in the
appropriate field to apply this criteria.
•
6RXUFH,3Y3UHIL[/HQJWK—Enter the prefix length of the source IPv6
address.
•
6RXUFH3RUW—Select this option to include a source port in the match
condition for the rule. The source port is identified in the datagram header.
If you select this checkbox, choose the port name or enter the port number.
•
'HVWLQDWLRQ,3Y$GGUHVV—Select this field to require a packet's
destination IPv6 address to match the address listed here. Enter an IPv6
address in the appropriate field to apply this criteria.
•
'HVWLQDWLRQ,3Y3UHIL[/HQJWK—Enter the prefix length of the destination
IPv6 address.
•
'HVWLQDWLRQ3RUW—Select this option to include a destination port in the
match condition for the rule. The destination port is identified in the datagram
header.
If you select this checkbox, choose the port name or enter the port number.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
135
&OLHQW4XDOLW\RI6HUYLFH
ACLs
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•
,3Y)ORZ/DEHO—Flow label is 20-bit number that is unique to an IPv6
packet. It is used by end stations to signify quality-of-service handling in
routers (range 0 to 1048575).
•
,3'6&3—Matches packets based on their IP DSCP value.
If you select this checkbox, choose one of the following as the match criteria:
6HOHFW)URP/LVW—DSCP Assured Forwarding (AS), Class of Service
(CS) or Expedited Forwarding (EF) values.
•
0DWFKWR9DOXH—A custom DSCP value, from 0–63.
For a MAC ACL, configure the following parameters:
•
(WKHU7\SH—Select the EtherType field to compare the match criteria
against the value in the header of an Ethernet frame.
Select an EtherType keyword or enter an EtherType value to specify the
match criteria.
•
6HOHFWIURP/LVW—Select one of the following protocol types: appletalk,
arp, ipv4, ipv6, ipx, netbios, pppoe
0DWFKWR9DOXH—Enter a custom protocol identifier to which packets are
matched. The value is a four-digit hexadecimal number in the range of
0600–FFFF.
&ODVVRI6HUYLFH—Select this field and enter an 802.1p user priority to
compare against an Ethernet frame.
The valid range is 0–7. This field is located in the first/only 802.1Q VLAN tag.
•
6RXUFH0$&$GGUHVV—Select this field and enter the source MAC address
to compare against an Ethernet frame.
•
6RXUFH0$&0DVN—Select this field and enter the source MAC address
mask specifying which bits in the source MAC to compare against an
Ethernet frame.
A 0 indicates that the address bit is significant, and an f indicates that the
address bit is to be ignored. A MAC mask of 00:00:00:00:00:00 matches a
single MAC address.
•
'HVWLQDWLRQ0$&$GGUHVV—Select this field and enter the destination MAC
address to compare against an Ethernet frame.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
136
&OLHQW4XDOLW\RI6HUYLFH
Class Map
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL
•

'HVWLQDWLRQ0$&0DVN—Enter the destination MAC address mask
specifying which bits in the destination MAC to compare against an Ethernet
frame.
A 0 indicates that the address bit is significant, and an f indicates that the
address bit is to be ignored. A MAC mask of 00:00:00:00:00:00 matches a
single MAC address.
•
9/$1,'—Select this field and enter the VLAN IDs to compare against an
Ethernet frame.
This field is located in the first/only 802.1Q VLAN tag.
67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup
Configuration.
127( To delete an ACL, ensure that it is selected in the $&/1DPH$&/7\SH list,
select 'HOHWH$&/, and click 6DYH.
&ODVV0DS
The Client QoS feature contains Differentiated Services (DiffServ) support that
allows traffic to be classified into streams and given certain QoS treatment in
accordance with defined per-hop behaviors.
Standard IP-based networks are designed to provide best effort data delivery
service. Best effort service implies that the network delivers the data in a timely
fashion, although there is no guarantee that it will. During times of congestion,
packets may be delayed, sent sporadically, or dropped. For typical Internet
applications, such as e-mail and file transfer, a slight degradation in service is
acceptable and in many cases unnoticeable. However, on applications with strict
timing requirements, such as voice or multimedia, any degradation of service has
undesirable effects.
A diffserv configuration begins with defining class maps, which classify traffic
according to their IP protocol and other criteria. Each class map can then be
associated with a policy map, which defines how to handle the traffic class.
Classes that include time-sensitive traffic can be assigned to policy maps that
give precedence over other traffic.
You can use the Class Map page to define classes of traffic. Use the Policy Map
page to define policies and associate class maps to them.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
137
&OLHQW4XDOLW\RI6HUYLFH
Class Map
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

$GGLQJD&ODVV0DS
To add a class map:
67(3  Click &OLHQW4R6 > &ODVV0DS in the navigation window.
67(3  Enter a &ODVV0DS1DPH.
67(3  Select a value from the 0DWFK/D\HU3URWRFRO list:
•
,3Y—The class map applies only to IPv4 traffic on the AP.
•
,3Y—The class map applies only to IPv6 traffic on the AP.
The Class Map page displays with additional fields, depending on the layer 3
protocol selected:
Use the fields in the Match Criteria Configuration area to match packets to a class.
Select the check box for each field to be used as a criterion for a class and enter
data in the related field. You can have multiple match criteria in a class.
The match criteria fields that are available depend on whether the class map is an
IPv4 or IPv6 class map.
'HILQLQJD&ODVV0DS
To configure a class map:
67(3  Select the class map from the &ODVV0DS1DPH list.
67(3  Configure the parameters (parameters that display only for IPv4 or IPv6 class
maps are noted):
•
0DWFK(YHU\3DFNHW—The match condition is true to all the parameters in an
L3 packet.
When selected, all L3 packets will match an Match Every match condition.
•
3URWRFRO—Use an L3 or L4 protocol match condition based on the value of
the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets.
If you select the field, choose the protocol to match by keyword or enter a
protocol ID.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
138
&OLHQW4XDOLW\RI6HUYLFH
Class Map
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

6HOHFW)URP/LVW—Match the selected protocol: IP, ICMP, IPv6, ICMPv6,
IGMP, TCP, UDP.
0DWFKWR9DOXH—Match a protocol that is not listed by name. Enter the
protocol ID. The protocol ID is a standard value assigned by the IANA. The
range is a number from 0–255.
•
6RXUFH,3$GGUHVV or 6RXUFH,3Y$GGUHVV—Requires a packet's source
IP address to match the address listed here. Select the checkbox and enter
an IP address in the text box.
•
6RXUFH,30DVN (IPv4 only)—The source IP address mask.
The mask for DiffServ is a network-style bit mask in IP dotted decimal format
indicating which part(s) of the destination IP Address to use for matching
against packet content.
A DiffServ mask of 255.255.255.255 indicates that all bits are important, and
a mask of 0.0.0.0 indicates that no bits are important. The opposite is true
with an ACL wild card mask. For example, to match the criteria to a single
host address, use a mask of 255.255.255.255. To match the criteria to a 24bit subnet (for example 192.168.10.0/24), use a mask of 255.255.255.0.
•
6RXUFH,3Y3UHIL[/HQJWK (IPv6 only)—The prefix length of the source IPv6
address.
•
'HVWLQDWLRQ,3$GGUHVV or 'HVWLQDWLRQ,3Y$GGUHVV—Requires a packet's
destination IP address to match the address listed here. Enter an IP address
in the appropriate field to apply this criteria.
•
'HVWLQDWLRQ,30DVN (IPv4 only)—The destination IP address mask.
The mask for DiffServ is a network-style bit mask in IP dotted decimal format
indicating which part(s) of the destination IP Address to use for matching
against packet content.
A DiffServ mask of 255.255.255.255 indicates that all bits are important, and
a mask of 0.0.0.0 indicates that no bits are important. The opposite is true
with an ACL wild card mask. For example, to match the criteria to a single
host address, use a mask of 255.255.255.255. To match the criteria to a
24-bit subnet (for example 192.168.10.0/24), use a mask of 255.255.255.0.
•
'HVWLQDWLRQ,3Y3UHIL[/HQJWK (IPv6 only)—The prefix length of the
destination IPv6 address.
•
,3Y)ORZ/DEHO (IPv6 only)—A 20-bit number that is unique to an IPv6
packet. It is used by end stations to signify quality-of-service handling in
routers (range 0 to 1048575).
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
139
&OLHQW4XDOLW\RI6HUYLFH
Class Map
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•
,3'6&3—See description under Service Types below.
•
6RXUFH3RUW—Includes a source port in the match condition for the rule. The
source port is identified in the datagram header.
If you select the field, choose the port name or enter the port number.
6HOHFW)URP/LVW—Matches a keyword associated with the source port:
ftp, ftpdata, http, smtp, snmp, telnet, tftp, www.
Each of these keywords translates into its equivalent port number.
0DWFKWR3RUW—Matches the source port number in the datagram header
to a IANA port number that you specify. The port range is 0–65535 and
includes three different types of ports:
0–1023–Well Known Ports
1024–49151: Registered Ports
49152–65535: Dynamic and/or Private Ports
•
'HVWLQDWLRQ3RUW—Includes a destination port in the match condition for the
rule. The destination port is identified in the datagram header.
If you select this field, choose the port name or enter the port number.
6HOHFW)URP/LVW—Matches the destination port in the datagram header
with the selected keyword: ftp, ftpdata, http, smtp, snmp, telnet, tftp,
www.
Each of these keywords translates into its equivalent port number.
0DWFKWR3RUW—Matches the destination port in the datagram header
with an IANA port number that you specify. The port range is 0–65535
and includes three different types of ports:
0–1023: Well Known Ports
1024–49151: Registered Ports
49152–65535: Dynamic and/or Private Ports
•
(WKHU7\SH—Compares the match criteria against the value in the header of
an Ethernet frame.
Select an EtherType keyword or enter an EtherType value to specify the
match criteria.
Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE
140

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : Yes
Page Count                      : 70
Has XFA                         : No
XMP Toolkit                     : XMP toolkit 2.9.1-13, framework 1.6
About                           : uuid:f2cff54e-ea42-4ea8-a8ca-02c2af6cae32
Modify Date                     : 2011:11:29 15:27:40+08:00
Create Date                     : 2011:11:29 15:27:29+08:00
Metadata Date                   : 2011:11:29 15:27:40+08:00
Document ID                     : uuid:2c3ef00b-260d-4fcc-b5ce-fea619c470ba
Format                          : application/pdf
Title                           : untitled
Producer                        : Acrobat Distiller 6.0 (Windows)
EXIF Metadata provided by EXIF.tools
FCC ID Filing: P27-WAP121

Navigation menu