Sercomm WAP321 Wireless-N Selectable-Band Access Point with PoE User Manual

Sercomm Corporation Wireless-N Selectable-Band Access Point with PoE

UserManual.wiki >

Sercomm >

WAP321 User Manual

User Manual

:LUHOHVV6HWWLQJV

WPS Setup

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 71



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

PIN Control

A client may also enroll with a registrar by using a PIN. For example, the AP

administrator may start an enrollment transaction for a particular VAP by entering

the PIN of a client. When the client detects the WPS-enabled device, its user can

then supply its PIN to the AP to continue the enrollment process. After the WPS

protocol has completed, the client securely joins the network. The client can also

initiate this process.

As with the PBC method, if the AP begins the enrollment transaction and no client

attempts to enroll after 120 seconds, the AP terminates the pending transaction.

2SWLRQDO8VHRI,QWHUQDO5HJLVWUDU

Although the AP supports an internal registrar for WPS, its use is optional. After an

external registrar has configured the AP, the AP acts as a proxy for that external

registrar, regardless of whether the AP’s internal registrar is enabled (it is enabled

by default).

/RFNGRZQ&DSDELOLW\

Each AP stores a WPS-compatible device PIN in nonvolatile RAM. WPS requires

this PIN if an administrator wants to allow an unconfigured AP (that is, one with

only factory defaults, including WPS being enabled on a VAP) to join a network. In

this "out-of-box" scenario, the administrator obtains the PIN value from the UI of the

AP.

The administrator may wish to change the PIN if network integrity has been

compromised in some way. The AP provides a method for generating a new PIN

and storing this value in NVRAM. In the event that the value in NVRAM is corrupted,

erased, or missing, a new PIN is generated by the AP and stored in NVRAM.

The PIN method of enrollment is potentially vulnerable by way of "brute force"

attacks. A network intruder could, in theory, try to pose as an external registrar on

the wireless LAN and attempt to derive the AP's PIN value by exhaustively

applying WPS-compliant PINs. To address this vulnerability, in the event that a

registrar fails to supply a correct PIN in three attempts within 60 seconds, the AP

prohibits any further attempts by an external registrar to register the AP on the

WPS-enabled VAP for 60 seconds. However, wireless client stations may enroll

with the AP's internal registrar, if enabled, during this “lockdown” period. The AP

also continues to provide proxy services for enrollment requests to external

registrars.

The AP adds an additional security mechanism for protecting its device PIN. Once

the AP has completed registration with an external registrar, and the resulting WPS

transaction has concluded, the device PIN is automatically regenerated.

:LUHOHVV6HWWLQJV

WPS Setup

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 72



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

9$3&RQILJXUDWLRQ&KDQJHV

The WPS protocol on a WPS-enabled VAP may configure the following

parameters:

•Network SSID

•Key management options (WPA-PSK, or WPA-PSK and WPA2-PSK)

•Cryptography options (CCMP/AES, or TKIP and CCMP/AES)

•Network (public shared) key

If a VAP is enabled for WPS, these configuration parameters are subject to change,

and are persistent between reboots of the AP.

([WHUQDO5HJLVWUDWLRQ

The AP supports the registration with WPS external registrars (ER) on the wired

and wireless LAN. On the WLAN, external registrars advertise their capabilities

within WPS-specific information elements (IEs) of their beacon frames; on the

wired LAN, external registrars announce their presence via UPnP.

WPS v2.0 does not require registration with an ER to be done explicitly through the

AP’s user interface. The AP administrator can register the AP with an ER by:

1. Initiating the registration process on the AP by entering the ER’s PIN on the AP.

2. Registering the AP by entering the AP's PIN on the user interface of the ER.

127( The registration process can also configure the AP as specified in 9$3

&RQILJXUDWLRQ&KDQJHVSDJH if the AP has declared within the WPS-specific

IEs of its beacon frames or UPnP messages that it requires such configuration.

The AP is capable of serving as a proxy for up to three external registrars

simultaneously.

([FOXVLYH2SHUDWLRQRI:367UDQVDFWLRQV

Any one VAP on the AP can be enabled for WPS. At most, one WPS transaction (for

example, enrollment and association of an 802.11 client) can be in progress at a

time on the AP. The AP administrator can terminate the transaction in progress

from the web-based AP configuration utility. The configuration of the VAP,

however, should not be changed during the transaction; nor should the VAP be

changed during the authentication process. This restriction is recommended but

not enforced on the AP.

:LUHOHVV6HWWLQJV

WPS Setup

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 73



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

%DFNZDUG&RPSDWLELOLW\ZLWK:369HUVLRQ

Although the WAP121 supports WPS version 2.0, the AP interoperates with

enrollees and registrars that are certified by the Wi-Fi Alliance to conform to

version 1.0 of the WPS protocol.

&RQILJXULQJ:366HWWLQJV

You can use the WPS Setup page to enable the AP as a WPS-capable device and

configure basic settings. When you are ready to use the feature to enroll a new

device or add the AP to a WPS-enabled network, use the WPS Process page.

&$87,21 For security reasons, it is recommended, but not required, that you use an HTTPS

connection to the web-based AP configuration utility when configuring WPS.

To configure the AP as a WPS-capable device:

67(3  Click :LUHOHVV > :366HWXS in the navigation window.

The WPS Setup page shows global parameters and status, and parameters and

status of the WPS instance. An instance is an implementation of WPS that is

associated with a VAP on the network. The AP supports one instance only.

67(3  Configure the global parameters:

•6XSSRUWHG:369HUVLRQ—The WPS protocol version that the AP supports.

•:36'HYLFH1DPH—A default device name displays. You can assign a

different name of up to 32 characters, including spaces and special

characters.

•:36*OREDO2SHUDWLRQDO6WDWXV—Whether the WPS protocol is enabled or

disabled on the AP. It is enabled by default.

•:36'HYLFH3,1—A system-generated eight-digit WPS PIN for the AP. The

administrator may need to enter the PIN at the registrar to add the AP to a

WPS-enabled network.

You can click *HQHUDWH to generate a new PIN. This is advisable if network

integrity has been compromised.

67(3  Configure the WPS instance parameters:

:LUHOHVV6HWWLQJV

WPS Process

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 74



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•:36,QVWDQFH,'—An identifier for the instance. As there is only one

instance, the only option is wps1.

•:360RGH—Enables or disables the instance.

•:369$3—The VAP associated with this WPS instance.

•:36%XLOWLQ5HJLVWUDU—Select to enable the built-in registrar function.

When disabled, another device on the network can act as the registrar and

the AP can serve as a proxy for forwarding client registration requests and

the registrar’s responses.

•:36&RQILJXUDWLRQ6WDWH—Whether the VAP will be configured from the

external registrar as a part of WPS process. It can be set to one of the

following values:

-8QFRQILJXUHG—VAP settings will be configured using WPS, after which

the state will be change to Configured.

-&RQILJXUHG—VAP settings will not be configured by the external

registrar and will retain the existing configuration.

67(3  Click 8SGDWH. The changes are saved to the Running Configuration and to the

Startup Configuration.

The operational status of the instance and the reason for that status also display.

See (QDEOLQJDQGGLVDEOLQJ:36RQD9$3SDJH for information about

conditions that may cause the instance to be disabled.

127( The Instance Status area displays the :362SHUDWLRQDO6WDWXV as Enabled or

Disabled. You can click 5HIUHVK to update the page with the most recent status

information.

:363URFHVV

You can use the WPS Process page to use WPA to enroll a client station on the

network. You can enroll a client using a pin or using the push button method, if

supported on the client station.

(QUROOLQJD&OLHQW8VLQJWKH3,10HWKRG

To enroll a client station using the PIN method:

:LUHOHVV6HWWLQJV

WPS Process

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 75



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Obtain the PIN from the client device. The PIN may be printed on the hardware

itself, or may be obtained from the device’s software interface.

67(3  Click :LUHOHVV > :363URFHVVin the navigation window.

67(3  Enter the client’s PIN in the 3,1(QUROOPHQW text box and click 6WDUW.

67(3  Within two minutes, enter the AP’s pin on the client station’s software interface.

The AP’s pin is configured on the :366HWXS page.

When you enter the PIN on the client device, the The WPS Operational Status

changes to Adding Enrollee. When the enrollment process is complete, the WPS

Operational Status changes to Ready and the Transaction Status changes to

Success.

127( This enrollment sequence may also work in reverse; that is, you may be able to

initiate the process on the client station by entering the AP’s pin, and then entering

the client’s PIN on the AP.

When the client is enrolled, either the AP’s internal registrar or the external

registrar on the network proceeds to configure the client with the SSID, encryption

mode, and public shared key of a WPS-enabled BSS.

(QUROOLQJD&OLHQW8VLQJWKH3XVK%XWWRQ0HWKRG

To enroll a client station using the push method:

67(3  Click 6WDUW next to 3%&(QUROOPHQW.

67(3  Push the hardware button on the client station.

127( You can alternatively initiate this process on the client station, and then click the

PBC Enrollment Start button on the AP.

When you push the button on the client station, the The WPS Operational Status

changes to Adding Enrollee. When the enrollment process is complete, the WPS

Operational Status changes to Ready and the Transaction Status changes to

Success.

When the client is enrolled, either the AP’s internal registrar or the external

registrar on the network proceeds to configure the client with the SSID, encryption

mode, and public shared key of a WPS-enabled BSS.

:LUHOHVV6HWWLQJV

WPS Process

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 76



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

9LHZLQJ,QVWDQFH6XPPDU\,QIRUPDWLRQ

The following information displays for WPS instance:

•:365DGLR

•:369$3

•66,'

•6HFXULW\

If the WPS Configuration State field on the WPS Setup page is set to

Unconfigured, then the SSID and Security values are configured by the external

registrar. If the field is set to Configured, then these values are configured by the

administrator.

127( You can click 5HIUHVK to update the page with the most recent status information.

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 77

REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

6103Y

This chapter describes how to configure the Simple Network Management

Protocol to perform configuration and statistics gathering tasks.

It contains the following topics:

•61032YHUYLHZ

•*HQHUDO61036HWWLQJV

•61039LHZV

•6103*URXSV

•61038VHUV

•61037DUJHWV

61032YHUYLHZ

Simple Network Management Protocol (SNMP) defines a standard for recording,

storing, and sharing information about network devices. SNMP facilitates network

management, troubleshooting, and maintenance.

The AP supports SNMP versions 1, 2, and 3. Unless specifically noted, all

configuration parameters apply to SNMPv1 and SNMPv2c only. Key components

of any SNMP-managed network are managed devices, SNMP agents, and a

management system. The agents store data about their devices in Management

Information Bases (MIBs) and return this data to the SNMP manager when

requested. Managed devices can be network nodes such as APs, routers,

switches, bridges, hubs, servers, or printers.

The AP can function as an SNMP managed device for seamless integration into

network management systems.

6103Y

General SNMP Settings

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 78



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

*HQHUDO61036HWWLQJV

You can use the General page to enable SNMP and configure basic protocol

settings.

To configure general SNMP settings:

67(3  Click 6103>*HQHUDO in the navigation window.

67(3  Select (QDEOHG for the 6103 setting. SNMP is enabled by default.

67(3  Configure the parameters:

•5HDGRQO\&RPPXQLW\1DPH—A read-only community name for SNMPv2

access. The valid range is 1–256 characters.

The community name acts as a simple authentication mechanism to restrict

the machines on the network that can request data to the SNMP agent. The

name functions as a password, and the request is assumed to be authentic

if the sender knows the password.

The community name can be in any alphanumeric format.

•8'33RUW—By default an SNMP agent only listens to requests from logical

port 161. However, you can configure this so the agent listens to requests on

another port. The valid range is

1-65535.

•61036HW—When enabled, machines on the network can execute

configuration changes via an SNMP agent to the System MIB on the AP.

•5HDGZULWH&RPPXQLW\1DPH—Sets a read-write community name to be

used for SNMP Set requests. The valid range is 1-256 characters.

Setting a community name is similar to setting a password. Only requests

from the machines that identify themselves with this community name will

be accepted.

The community name can be in any alphanumeric format.

•0DQDJHPHQW6WDWLRQ—Determines which stations can access the AP via

SNMP: Select one of the following:

-$OO—The set of stations that can access the AP via SNMP is not restricted.

-8VHU'HILQHG—Restricts the source of permitted SNMP requests to

those specified in the following lists.

6103Y

General SNMP Settings

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 79



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•106+RVWQDPH,3Y$GGUHVV1DPH—The IPv4 DNS hostname or subnet

of the machines that can execute get and set requests to the managed

devices. The valid range is 1–256 characters.

As with community names, this provides a level of security on SNMP

settings. The SNMP agent will only accept requests from the hostname or

subnet specified here.

To specify a subnet, enter one or more subnetwork address ranges in the

form address/mask_length where

address

is an IP address and

mask_length

is the number of mask bits. Both formats address/mask and

address/mask_length are supported. Individual hosts can be provided for

this, i.e. I.P Address or Hostname. For example, if you enter a range of

192.168.1.0/24

this specifies a subnetwork with address

192.168.1.0

and

a subnet mask of

255.255.255.0

The address range is used to specify the subnet of the designated NMS.

Only machines with IP addresses in this range are permitted to execute get

and set requests on the managed device. Given the example above, the

machines with addresses from

192.168.1.1

through

192.168.1.254

can

execute SNMP commands on the device. (The address identified by suffix .0

in a subnetwork range is always reserved for the subnet address, and the

address identified by .255 in the range is always reserved for the broadcast

address).

As another example, if you enter a range of

10.10.1.128/25

machines with

IP addresses from

10.10.1.129

through

10.10.1.254

can execute SNMP

requests on managed devices. In this example,

10.10.1.128

is the network

address and

10.10.1.255

is the broadcast address. 126 addresses would

be designated.

•106,3Y$GGUHVV1DPH—The IPv6 DNS hostname or subnet of the

machines that can execute get and set requests to the managed devices.

•7UDS&RPPXQLW\1DPH—A global community string associated with SNMP

traps. Traps sent from the device will provide this string as a community

name.

The community name can be in any alphanumeric format. Special characters

are not permitted. The valid range is 1–256 characters

•7UDS'HVWLQDWLRQ7DEOH—A list of up to three IP addresses or hostnames to

receive SNMP traps. The valid range is 1-256 characters. Select the

checkbox and choose a +RVW7\SH (IPv4 or IPv6) before adding the ,3

$GGUHVV+RVWQDPH.

6103Y

SNMP Views

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 80



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

An example of a DNS hostname is:

snmptraps.foo.com.

Since SNMP traps

are sent randomly from the SNMP agent, it makes sense to specify where

exactly the traps should be sent. You can add up to a maximum of three DNS

hostnames. Ensure you select the E

nabled check box and select the

appropriate Host Type.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

127( Changing some settings might cause the AP to stop and restart system processes.

If this happens, wireless clients will temporarily lose connectivity. We recommend

that you change AP settings when WLAN traffic is low.

61039LHZV

An SNMP MIB view is a family of view subtrees in the MIB hierarchy. A view

subtree is identified by the pairing of an object identifier (OID) subtree value with a

bit string mask value. Each MIB view is defined by two sets of view subtrees,

included in or excluded from the MIB view. You can create MIB views to control the

OID range that SNMPv3 users can access.

The AP supports a maximum of 16 views.

The following notes summarize some critical guidelines regarding SNMPv3 view

configuration. Please read all the notes before proceeding.

127( A MIB view called all is created by default in the system. This view contains all

management objects supported by the system.

127( By default, view-all and view-none SNMPv3 views are created on the AP. These

views cannot be deleted, but the OID, Mask, and Type fields can be modified.

To configure an SNMP view:

67(3  Click 6103Y > 9LHZV in the navigation window.

67(3  Configure the parameters:

•9LHZ1DPH—A name that identifies the MIB view. View names can contain

up to 32 alphanumeric characters.

•7\SH—Whether to include or exclude the view subtree or family of subtrees

from the MIB view.

6103Y

SNMP Groups

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 81



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•2,'—An OID string for the subtree to include or exclude from the view.

For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1.

•0DVN—An OID mask. The mask is 47 characters in length. The format of the

OID mask is xx.xx.xx (.)... or xx:xx:xx.... (:) and is 16 octets in length. Each octet

is two hexadecimal characters separated by either . (period) or : (colon). Only

hex characters are accepted in this field.

For example, OID mask FA.80 is 11111010.10000000.

A family mask is used to define a family of view subtrees. The family mask

indicates which sub-identifiers of the associated family OID string are

significant to the family's definition. A family of view subtrees enables

efficient control access to one row in a table.

67(3  Click $GG, and then click 6DYH. The view is added to the SNMPv3 Views list and

your changes are saved to the Running Configuration and to the Startup

Configuration.

127( To remove a view, select the view in the list and click 5HPRYH.

6103*URXSV

SNMPv3 groups allow you to combine users into groups of different authorization

and access privileges. Each group is associated with one of three security levels:

•.noAuthNoPriv.

•.authNoPriv.

•.authPriv.

Access to management objects (MIBs) for each group is controlled by associating

a MIB view to a group for read or write access, separately.

By default, the AP has three groups:

•52—A read-only group with no authentication and no data encryption. No

security is provided by this group. By default, users of this group have read

access to the default all MIB view, which can be modified by the user.

•5:$XWK—A read/write group using authentication, but no data encryption.

Users in this group send SNMP messages that use an MD5 key/password

6103Y

SNMP Groups

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 82



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

for authentication, but not a DES key/password for encryption. By default,

users of this group will have read and write access to the default all MIB

view, which can be modified by the user.

•5:3ULY—A read/write group using authentication and data encryption.

Users in this group use an MD5 key/password for authentication and a DES

key/password for encryption. Both the MD5 and DES key/passwords must

be defined. By default, users of this group have read and write access to the

default all MIB view, which can be modified by the user.

127( The default groups RO, RWAuth, and RWPriv cannot be deleted.

127( The AP supports a maximum of eight groups.

To add an SNMP group:

67(3  Click 6103 > *URXSV in the navigation window.

67(3  Configure the parameters:

•1DPH—A name that identifies the group. The default group names are

RWPriv, RWAuth, and RO.

Group names can contain up to 32 alphanumeric characters.

•6HFXULW\/HYHO—The security level for the group, which can be one of the

following:

-noAuthentication-noPrivacy—No authentication and no data encryption

(no security).

-Authentication-noPrivacy—Authentication, but no data encryption. With

this security level, users send SNMP messages that use an MD5 key/

password for authentication, but not a DES key/password for encryption.

•$XWKHQWLFDWLRQ3ULYDF\—Authentication and data encryption. With this

security level, users send an MD5 key/password for authentication and a

DES key/password for encryption.

For groups that require authentication, encryption, or both, you must define

the MD5 and DES key/passwords on the SNMP Users page.

•:ULWH9LHZV—The write access to management objects (MIBs) for the

group, which can be one of the following:

-ZULWHDOO—The group can create, alter, and delete MIBs.

-ZULWHQRQH—The group cannot create, alter, or delete MIBS.

6103Y

SNMP Users

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 83



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•5HDG9LHZV—The read access to management objects (MIBs) for the group:

-YLHZDOO—The group is allowed to view and read all MIBs.

-YLHZQRQH—The group cannot view or read MIBs.

67(3  Click $GG, and then click 6DYH. The group is added to the SNMPv3 Groups list and

your changes are saved to the Running Configuration and to the Startup

Configuration.

127( To remove a group, select the group in the list and click 5HPRYH.

61038VHUV

You can use the SNMP Users page to define users, associate a security level to

each user, and configure per-user security keys.

Each user is mapped to an SNMPv3 group, either from the predefined or user-

defined groups, and, optionally, is configured for authentication and encryption.

For authentication, only the MD5 type is supported. For encryption, only the DES

type is supported. There are no default SNMPv3 users on the AP.

To add SNMP users:

67(3  Click 6103Y > 8VHUV in the navigation window.

67(3  Configure the parameters:

•1DPH—A name that identifies the SNMPv3 user.

User names can contain up to 32 alphanumeric characters.

•*URXS—The group that the user is mapped to. The default groups are

RWAuth, RWPriv, and RO. You can define additional groups on the SNMP

Groups page.

•$XWKHQWLFDWLRQ7\SH—The type of authentication to use on SNMP requests

from the user, which can be one of the following:

-0'—Require MD5 authentication on SNMPv3 requests from the user.

-1RQH—SNMPv3 requests from this user require no authentication.

6103Y

SNMP Targets

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 84



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•$XWKHQWLFDWLRQ.H\—(If you specify MD5 as the authentication type) A

password to enable the SNMP agent to authenticate requests sent by the

user.

The password must be between 8 and 32 characters in length.

•(QFU\SWLRQ7\SH—The type of privacy to use on SNMP requests from the

user, which can be one of the following:

-'(6—Use DES encryption on SNMPv3 requests from the user.

-1RQH—SNMPv3 requests from this user require no privacy.

•(QFU\SWLRQ.H\—(If you specify DES as the privacy type) A key to use to

encrypt the SNMP requests.

The key must be between 8 and 32 characters in length.

67(3  Click $GG, and then click 6DYH. The user is added to the SNMPv3 Users list and

your changes are saved to the Running Configuration and to the Startup

Configuration.

127( To remove a user, select the user in the list and click 5HPRYH.

61037DUJHWV

SNMPv3 targets send trap messages to the SNMP manager. Inform messages are

not supported. Each target is defined with a target IP address, UDP port, and

SNMPv3 user name.

127( SNMPv3 user configuration (see 61038VHUVSDJH) should be completed

before configuring SNMPv3 targets.

127( The AP supports a maximum of eight targets.

To add SNMP targets:

67(3  Click 6103Y > 7DUJHWV in the navigation window.

67(3  Configure the parameters:

•,3Y,3Y$GGUHVV—Enter the IP address of the remote SNMP manager to

receive the target.

6103Y

SNMP Targets

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 85



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•3RUW—Enter the UDP port to use for sending SNMP targets.

•8VHUV—Enter the name of the SNMP user to associate with the target. To

configure SNMP users, see “Configuring SNMPv3 Users” on page 125.

•6103Y7DUJHWV—This field shows the SNMPv3 Targets on the AP. To

remove a target, select it and click Remove.

67(3  Click $GG, and then click 6DYH. The user is added to the SNMPv3 Targets list and

your changes are saved to the Running Configuration and to the Startup

Configuration.

127( To remove a user, select the user in the list and click 5HPRYH.

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 86

REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

$GPLQLVWUDWLRQ

This chapter describes how to configure global system settings and perform

diagnostics.

It contains the following topics.

•6\VWHP6HWWLQJV

•8VHU$FFRXQWV

•)LUPZDUH8SJUDGH

•3DFNHW&DSWXUH

•/RJ6HWWLQJV

•(PDLO$OHUW

•'LVFRYHU\{%RQMRXU

•+773+77366HUYLFH

•7HOQHW66+6HUYLFH

•0DQDJHPHQW$FFHVV&RQWURO

•'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH

•&RQILJXUDWLRQ)LOHV3URSHUWLHV

•&RS\LQJDQG6DYLQJWKH&RQILJXUDWLRQ

•5HERRWLQJ

6\VWHP6HWWLQJV

The System Settings page enables you to configure information that identifies the

switch within the network.

$GPLQLVWUDWLRQ

User Accounts

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 87



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

To configure system settings:

67(3  Click $GPLQLVWUDWLRQ > 6\VWHP6HWWLQJV in the navigation window.

67(3  Enter the parameters:

•+RVW1DPH—Administratively-assigned name for the AP. By convention, this

is the fully-qualified domain name of the node. The default host name is

"wap" concatenated with the last 6 hex digits of the MAC address of the

switch. Host Name labels contain only letters, digits and hyphens. Host

Name labels cannot begin or end with a hyphen. No other symbols,

punctuation characters, or blank spaces are permitted.

•6\VWHP&RQWDFW—A contact person for the switch.

•6\VWHP/RFDWLRQ—Description of the physical location of the switch.

67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup

Configuration.

8VHU$FFRXQWV

One management user is configured on the switch by default:

•User Name: FLVFR

•Password: FLVFR

You can use the User Accounts page configure up to five additional users and to

change a user password.

$GGLQJD8VHU

To add a new user:

$GPLQLVWUDWLRQ

Firmware Upgrade

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 89



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•Red—The password fails to meet the minimum complexity requirements.

•Orange—The password meets the minimum complexity requirements but

the password strength is weak.

•Green—The password is strong.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

)LUPZDUH8SJUDGH

As new versions of the AP firmware become available, you can upgrade the

firmware on your devices to take advantage of new features and enhancements.

The AP uses a TFTP or HTTP client for firmware upgrades.

After you upload new firmware and the system reboots, the newly added

firmware becomes the primary image. If the upgrade fails, the original firmware

remains as the primary image.

127( When you upgrade the firmware, the access point retains the existing configuration

information.

7)738SJUDGH

To upgrade the firmware on an access point using TFTP:

67(3  Click $GPLQLVWUDWLRQ > 8SJUDGH)LUPZDUH in the navigation window.

The Product ID (PID), Vender ID (VID), and current Firmware Version display.

67(3  Select T

FTP for T

ransfer Method.

67(3  Enter a name (1 to 256 characters) for the image file in the 6RXUFH)LOH1DPH field,

including the path to the directory that contains the image to upload.

For example, to upload the

ap_upgrade.tar

image located in the

/share/builds/ap

directory, enter

/share/builds/ap/ap_upgrade.tar

The firmware upgrade file supplied must be a

tar

file. Do not attempt to use

bin

files or files of other formats for the upgrade; these types of files will not work.

67(3  Enter the 7)736HUYHU,3Y$GGUHVV and click 8SJUDGH.

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 90



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

Uploading the new software may take several minutes. Do not refresh the page or

navigate to another page while uploading the new software, or the software

upload will be aborted. When the process is complete the access point will restart

and resume normal operation.

67(3  To verify that the firmware upgrade completed successfully, log into the user

interface and display the Upgrade Firmware page and view the active firmware

version.

+7738SJUDGH

To upgrade using HTTP:

67(3  Select H

TTP for T

ransfer Method.

67(3  If you know the name and path to the new file, enter it in the 6RXUFH)LOH1DPH

field. Otherwise, click the B

rowse button and locate the firmware image file on

your network.

The firmware upgrade file supplied must be a

tar

file. Do not attempt to use

bin

files or files of other formats for the upgrade; these types of files will not work.

67(3  Click U

pgrade to apply the new firmware image.

Uploading the new software may take several minutes. Do not refresh the page or

navigate to another page while uploading the new software, or the software

upload will be aborted. When the process is complete the access point will restart

and resume normal operation.

67(3  To verify that the firmware upgrade completed successfully, log into the user

interface and display the Upgrade Firmware page and view the active firmware

version.

3DFNHW&DSWXUH

The wireless packet capture feature enables capturing and storing packets

received and transmitted by the AP. The captured packets can then be analyzed

by a network protocol analyzer, for troubleshooting or performance optimization.

Packet capture can operate in either of two modes:

$GPLQLVWUDWLRQ

User Accounts

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 88



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GPLQLVWUDWLRQ > 8VHU$FFRXQWVin the navigation window.

The User Account Table displays the currently configured users. The user FLVFR is

preconfigured in the system to have Read/Write privileges. This user cannot be

deleted. However, you can change the password.

All other user can have Read Only Access, but not Read/Write access.

67(3  Click $GG. A new row of text boxes displays.

67(3  Select the checkbox for the new user and click (GLW.

67(3  Enter a 8VHU1DPH between 1 to 32 alphanumeric characters. Only numbers 0-9

and letters a-z (upper or lower) are allowed for user names.

67(3  Enter a 1HZ3DVVZRUG between 1and 64 characters and then enter the same

password in the &RQILUP1HZ3DVVZRUG text box.

As you enter a password, the number and color of vertical bars changes to

indicate the password strength, as follows:

•Red—The password fails to meet the minimum complexity requirements.

•Orange—The password meets the minimum complexity requirements but

the password strength is weak.

•Green—The password is strong.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

127( To delete a user, select the check box next to the user name and click 'HOHWH.

&KDQJLQJD8VHU3DVVZRUG

To change a user password:

67(3  Click $GPLQLVWUDWLRQ > 8VHU$FFRXQWVin the navigation window.

67(3  Select the user to configure and click (GLW.

67(3  Enter a 1HZ3DVVZRUG between 1and 64 characters and then enter the same

password in the &RQILUP1HZ3DVVZRUG text box.

As you enter a password, the number and color of vertical bars changes to

indicate the password strength, as follows:

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 91



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•Capture file mode— Captured packets are stored in a file on the AP. The AP

can transfer the file to a TFTP server. The file is formatted in pcap format

and can be examined using tools such as Wireshark and OmniPeek.

•Remote capture mode—Captured packets are redirected in real time to an

external PC running the Wireshark tool.

The AP can capture the following types of packets:

•802.11 packets received and transmitted on radio interfaces. Packets

captured on radio interfaces include the 802.11 header.

•802.3 packets received and transmitted on the Ethernet interface.

•802.3 packets received and transmitted on the internal logical interfaces

such as VAPs and WDS interfaces.

Click A

dministration > Packet Capture to display the Packet Capture page. From

this page you can:

•Configure packet capture parameters.

•Start a local or remote packet capture.

•View the current packet capture status.

•Download a packet capture file.

3DFNHW&DSWXUH&RQILJXUDWLRQ

The Packet Capture Configuration area of page enables you to configure

parameters and initiate a packet capture.

To configure packet capture settings:

67(3  Configure the following parameters:

•&DSWXUH%HDFRQV—Enables or disables the capturing of 802.11 beacons

detected or transmitted by the radio.

•3URPLVFXRXV&DSWXUH—Enables or disables promiscuous mode when the

capture is active.

In promiscuous mode, the radio receives all traffic on the channel, including

traffic that is not destined to this AP. While the radio is operating in

promiscuous mode, it continues serving associated clients. Packets not

destined to the AP are not forwarded.

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 92



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

As soon as the capture is completed, the radio reverts to non-promiscuous

mode operation.

•5DGLR&OLHQW)LOWHU—Enables or disables the WLAN client filter to capture

only frames that are transmitted to, or received from, a WLAN client with a

specified MAC address.

•&OLHQW)LOWHU0$&$GGUHVV—The MAC address for WLAN client filtering.

127(: The MAC filter is active only when capture is performed on an 802.11

interface.

•3DFNHW&DSWXUH0HWKRG—Select one of the following:

-/RFDO)LOH—Captured packets are stored in a file on the AP.

-5HPRWH—Captured packets are redirected in real time to an external PC

running the Wireshark tool.

67(3  Depending on the selected method, refer to the steps in either of the following

sections to continue.

127( Changes to packet capture configuration parameters take affect after packet

capture is restarted. Modifying the parameters while the packet capture is running

does not affect the current packet capture session. In order to begin using new

parameter values, an existing packet capture session must be stopped and re-

started.

/RFDO3DFNHW&DSWXUH

To initiate a local packet capture:

67(3  Ensure that /RFDO)LOH is selected for the 3DFNHW&DSWXUH0HWKRG.

67(3  Configure the following parameters:

•&DSWXUH,QWHUIDFH—The AP capture interface names eligible for packet

capture are:

-radio1—802.11 traffic.

-eth0—802.3 traffic on the Ethernet port.

-wlan0—VAP0 traffic on radio 1.

-wlan0vap1 to wlan0vap15—VAP1 through VAP15 traffic (if configured).

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 93



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

-brtrunk—Linux bridge interface in the AP.

•&DSWXUH'XUDWLRQ—The time duration in seconds for the capture (range 10

to 3600).

•0D[&DSWXUH)LOH6L]H—The maximum allowed size for the capture file in KB

(range 64 to 4096).

67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup

Configuration.

67(3  Click 6WDUW&DSWXUH.

In Packet File Capture mode, the AP stores captured packets in the RAM file

system. Upon activation, the packet capture proceeds until one of the following

occurs:

•The capture time reaches configured duration.

•The capture file reaches its maximum size.

•The administrator stops the capture.

The Packet Capture Status area of the page shows the status of a packet capture,

if one is active on the AP. The following fields display:

•&XUUHQW&DSWXUH6WDWXV—Whether packet capture is running or stopped.

•3DFNHW&DSWXUH7LPH—Elapsed capture time.

•3DFNHW&DSWXUH)LOH6L]H—The current capture file size.

Click R

efresh to display the latest data from the AP.

127( To stop a packet file capture, click 6WRS&DSWXUH.

5HPRWH3DFNHW&DSWXUH

The Remote Packet Capture feature enables you to specify a remote port as the

destination for packet captures. This feature works in conjunction with the

Wireshark network analyzer tool for Windows. A packet capture server runs on the

AP and sends the captured packets via a TCP connection to the Wireshark tool.

A Windows PC running the Wireshark tool allows you to display, log, and analyze

captured traffic.

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 94



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

When the remote capture mode is in use, the AP does not store any captured data

locally in its file system.

Your can trace up to five interfaces on the AP at the same time. However, you must

start a separate Wireshark session for each interface. You can configure the IP

port number used for connecting Wireshark to the AP. The default port number is

2002. The system uses five consecutive port numbers, starting with the

configured port for the packet capture sessions.

If a firewall is installed between the Wireshark PC and the AP, these ports must be

allowed to pass through the firewall. The firewall must also be configured to allow

the Wireshark PC to initiate TCP connection to the AP.

To configure Wireshark to use the AP as the source for captured packets, you must

specify the remote interface in the "Capture Options" menu. For example to

capture packets on an AP with IP address 192.168.1.10 on radio 1 using the default

IP port, specify the following interface:

rpcap://192.168.1.10/radio1

To capture packets on the Ethernet interface of the AP and VAP0 on radio 1 using

IP port 58000, start two Wireshark sessions and specify the following interfaces:

rpcap://192.168.1.10:58000/eth0

rpcap://192.168.1.10:58000/wlan0

When you are capturing traffic on the radio interface, you can disable beacon

capture, but other 802.11 control frames are still sent to Wireshark. You can set up

a display filter to show only:

•Data frames in the trace

•Traffic on specific BSSIDs

•Traffic between two clients

Some examples of useful display filters are:

•Exclude beacons and ACK/RTS/CTS frames:

!(wlan.fc.type_subtype == 8 || wlan.fc.type == 1)

•Data frames only:

wlan.fc.type == 2

•Traffic on a specific BSSID:

wlan.bssid == 00:02:bc:00:17:d0

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 95



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•All traffic to and from a specific client:

wlan.addr == 00:00:e8:4e:5f:8e

In remote capture mode, traffic is sent to the PC running Wireshark via one of the

network interfaces. Depending on where the Wireshark tool is located, the traffic

can be sent on an Ethernet interface or one of the radios. To avoid a traffic flood

caused by tracing the trace packets, the AP automatically installs a capture filter to

filter out all packets destined to the Wireshark application. For example if the

Wireshark IP port is configured to be 58000 then the following capture filter is

automatically installed on the AP:

not portrange 58000-58004.

Enabling the packet capture feature impacts performance of the AP and can

create a security issue (unauthorized clients may be able to connect to the AP and

trace user data). The AP performance is negatively impacted even if there is no

active Wireshark session with the AP. The performance is negatively impacted to a

greater extent when packet capture is in progress.

Due to performance and security issues, the packet capture mode is not saved in

NVRAM on the AP; if the AP resets, the capture mode is disabled and the you must

reenable it in order to resume capturing traffic. Packet capture parameters (other

than mode) are saved in NVRAM.

In order to minimize performance impact on the AP while traffic capture is in

progress, you should install capture filters to limit which traffic is sent to the

Wireshark tool. When capturing 802.11 traffic, large portion of the captured frames

tend to be beacons (typically sent every 100 ms by all APs). Although Wireshark

supports a display filter for beacon frames, it does not support a capture filter to

prevent the AP from forwarding captured beacon packets to the Wireshark tool. In

order to reduce the performance impact of capturing the 802.11 beacons, you can

disable the capture beacons mode.

The remote packet capture facility is a standard feature of the Wireshark tool for

Windows.

127( Remote packet capture is not standard on the Linux version of Wireshark; the Linux

version does not work with the AP.

Wireshark is an open source tool and is available for free; it can be downloaded

from http://www.wireshark.org.

To start a remote packet capture:

$GPLQLVWUDWLRQ

Packet Capture

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 96



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Ensure that 5HPRWHis selected for the 3DFNHW&DSWXUH0HWKRG.

67(3  Specify the 5HPRWH&DSWXUH3RUW to use as the destination for packet captures.

(range 1 to 65530).

67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup

Configuration.

67(3  Click 6WDUW&DSWXUH.

A confirmation window displays to remind you to make sure the monitoring

application is ready.

67(3  Click 2..

127( To stop a remote packet capture, click 6WRS&DSWXUH.

3DFNHW&DSWXUH)LOH'RZQORDG

You can download a capture file by TFTP to a configured TFTP server, or by

HTTP(S) to a PC. A capture is automatically stopped when the capture file

download command is triggered.

Because the capture file is located in the RAM file system, it disappears if the AP is

reset.

To download a packet capture file using TFTP:

67(3  Select 8VH7)73WRGRZQORDGWKHFDSWXUHILOH.

67(3  Enter the 7)736HUYHU)LOHQDPH to download, if different from the default. By

default, the captured packets are stored in the folder file /tmp/apcapture.pcap on

the AP.

67(3  Specify a 7)736HUYHU,3Y$GGUHVVin the field provided.

67(3  Click 'RZQORDG.

To download a packet capture file using HTTP:

67(3  Clear 8VH7)73WRGRZQORDGWKHFDSWXUHGILOH.

67(3  Click 'RZQORDG. A confirmation window displays.

$GPLQLVWUDWLRQ

Log Settings

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 97



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click 2.. A dialog box displays to enable you to choose a network location to save

the file.

/RJ6HWWLQJV

You can use the Log Settings page to enable log messages to be saved in

permanent memory and to specify a remote host that provides syslog relay

services.

&RQILJXULQJWKH3HUVLVWHQW/RJ

If the system unexpectedly reboots, log messages can be useful to diagnose the

cause. However, log messages are erased when the system reboots unless you

enable persistent logging.

&$87,21 Enabling persistent logging can wear out the flash (non-volatile) memory and

degrade network performance. You should only enable persistent logging to debug

a problem. Make sure you disable persistent logging after you finish debugging the

problem.

To configure persistent log settings:

67(3  Click $GPLQLVWUDWLRQ > /RJ6HWWLQJVin the navigation window.

parameters and initiate a packet capture.

67(3  Configure the parameters:

•3HUVLVWHQFH—Click E

nable to save system logs to nonvolatile memory so

that the logs are not erased when the AP reboots. Clear this field to save

system logs to volatile memory. Logs in volatile memory are deleted when

the system reboots.

•6HYHULW\—The minimum severity that an event must have for it to be written

to the log in nonvolatile memory. For example, if you specify 2, critical, then

critical, alert and emergency events are logged to nonvolatile memory. Error

messages with a severity level of 3–

–

7 are written to volatile memory. The

severity levels are as follows:

$GPLQLVWUDWLRQ

Log Settings

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 98



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

-0—emergency

-1—alert

-2—critical

-3—error

-4—warning

-5—notice

-6—info

-7—debug

•'HSWK—You can store up to 512 messages in memory. When the number

you configure in this field is reached, the oldest log event is overwritten by

the new log event.

67(3  Click 6DYH. The changes are saved to the Running Configuration and the Startup

Configuration.

5HPRWH/RJ6HUYHU

The Kernel Log is a comprehensive list of system events (shown in the System

Log) and kernel messages such as error conditions, such as dropped frames.

You cannot view kernel log messages directly from the Web interface. You must

first set up a remote server running a syslog process and acting as a syslog log

relay host on your network. Then, you can configure the AP to send syslog

messages to the remote server.

Remote log server collection for AP syslog messages provides the following

features:

•Allows aggregation of syslog messages from multiple APs

•Stores a longer history of messages than kept on a single AP

•Triggers scripted management operations and alerts

To use Kernel Log relaying, you must configure a remote server to receive the

syslog messages. The procedure to configure a remote log host depends on the

type of system you use as the remote host.

To specify a host on your network that serves as a syslog relay host:

$GPLQLVWUDWLRQ

Email Alert

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 99



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GPLQLVWUDWLRQ > /RJ6HWWLQJVin the navigation window.

67(3  Configure the parameters:

•5HOD\/RJ—Enables the AP to send log messages to a remote host. When

disabled, all log messages are kept on the local system.

•6HUYHU,3Y$GGUHVV1DPH—The IP address or DNS name of the remote

log server.

•8'33RUW—The logical port number for the syslog process on the relay host.

The default port is 514.

Using the default port is recommended. However; If you choose to

reconfigure the log port, make sure that the port number you assign to

syslog is not being used by another process.

67(3  Click S

ave. The changes are saved to the Running Configuration and to the Startup

Configuration.

If you enabled the Log Relay Host, clicking S

ave will activate remote logging. The

AP will send its kernel messages real-time for display to the remote log server

monitor, a specified kernel log file, or other storage, depending on how you

configured the Log Relay Host.

If you disabled the Log Relay Host, clicking S

ave will disable remote logging.

127( Changing some settings might cause the AP to stop and restart system processes.

If this happens, wireless clients will temporarily lose connectivity. We recommend

that you change AP settings when WLAN traffic is low.

(PDLO$OHUW

Use the email alert feature to send messages to the configured email addresses

when particular system events occur.

The feature supports mail server configuration, message severity configuration,

and up to three email address configurations to send urgent and non-urgent email

alerts.

To configure the AP to send email alerts:

$GPLQLVWUDWLRQ

Email Alert

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 100



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GPLQLVWUDWLRQ > (PDLO$OHUW in the navigation window.

67(3  In the Global Configuration area, configure the following parameters:

•$GPLQ0RGH—Enables the email alert feature globally.

•)URP$GGUHVV—Email alert From Address configuration. The address is a

255 character string with only printable characters. The default is null.

•/RJ'XUDWLRQ—The email alert log duration in minutes. The range is 30-1440

minutes. The default is 30 minutes.

•6FKHGXOHG0HVVDJH6HYHULW\—Log messages of this severity level or

higher are grouped and sent periodically to the configuration email address.

Select from the following values: None, Emergency, Alert, Critical, Error,

Warning, Notice, Info, Debug. If set to None, then no scheduled severity

messages are sent.

•8UJHQW0HVVDJH6HYHULW\—Log messages of this severity level or higher

are are sent to the configured email address immediately. Possible values

are: None, Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. If set

to None, then no urgent severity messages are sent. The default is Alert.

67(3  In the Mail Server Configuration area, configure the following parameters:

•$GGUHVV—Configures the SMTP server IP address. The server address

must be a valid IPv4 address or hostname.

•'DWD(QFU\SWLRQ—Configures the mode of security. Possible values are

Open or TLSv1.

•3RUW—Configures the SMTP port. The range is a valid Port number from 0 to

65535. The default is 25.

•8VHUQDPH—The username for authentication. The username is a 64-byte

character string with all printable characters.

•3DVVZRUG—The password for authentication. The username is a 64-byte

character string with all printable characters.

67(3  Configure the email addresses and subject line.

•7R( PDLO$ GGUH V V—Three addresses to send email alerts to. The

address must be a valid email.

•(PDLO6XEMHFW—The text to appear in the email subject line. This can be up

to a 255 character alphanumeric string.

$GPLQLVWUDWLRQ

Discovery—Bonjour

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 101



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click T

est Mail to validate the configured email server credentials. The

administrator can send a test email once the email server details are configured.

The following is a sample format of the email alert sent from the AP:

From: AP-192.168.2.10@mailserver.com

Sent: Wednesday, September 09, 2009 11:16 AM

To: administrator@mailserver.com

Subject: log message from AP

TIME PriorityProcess Id Message

Sep 8 03:48:25 info login[1457] root login on ‘ttyp0’

Sep 8 03:48:26 info mini_http-ssl[1175] Max concurrent connections of 20

reached

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

'LVFRYHU\{%RQMRXU

Bonjour enables the AP and its services to be discovered by using multicast DNS

(mDNS). Bonjour advertises services to the network and answers queries for

service types it supports, simplifying network configuration in small business

environments.

The AP advertises the following service types:

•&LVFRVSHFLILFGHYLFHGHVFULSWLRQ (csco-sb)—This service enables clients

to discover Cisco AP and other products deployed in small business

networks.

•0DQDJHPHQWXVHULQWHUIDFHV—This service identifies the management

interfaces available on the AP (HTTP, Telnet, SSH, and SNMP).

When a Bonjour-enabled AP is attached to a network, any Bonjour client can

discover and get access to the management interface without prior configuration.

A system administrator can use an installed Internet Explorer plug-in to discover

the AP. The web-based AP configuration utility shows up as a tab in the browser.

Bonjour works in both IPv4 and IPv6 networks.

To enable the AP to be discovered through Bonjour:

$GPLQLVWUDWLRQ

HTTP/HTTPS Service

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 102



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GPLQLVWUDWLRQ > 'LVFRYHU\%RQMRXU in the navigation window.

67(3  Select (QDEOH.

67(3  Click 6DYH. Your changes are saved to the Running Configuration and the Startup

Configuration.

+773+77366HUYLFH

Use the HTTP/HTTPS Service page to enable and configure web-based

management connections. If HTTPS will be used for secure management

sessions, you also use this page to manage the required SSL certificates.

&RQILJXULQJ+773DQG+77366HUYLFHV

To configure the HTTP and HTTP services:

67(3  Click $GPLQLVWUDWLRQ > +773+77366HUYLFH in the navigation window.

67(3  Configure the following Global Parameters:

•0D[LPXP6HVVLRQV—The number web sessions, including both HTTP and

HTTPs, that can be in use at the same time.

When a user logs on to the AP web interface, a session is created. This

session is maintained until the user logs off or the session inactivity timer

expires. The range is 1–10 sessions. The default is 5. If the maximum number

of sessions is reached, the next user who attempts to log on to the AP web

interface receives an error message about the session limit.

•6HVVLRQ7LPHRXW—The maximum amount of time, in minutes, an inactive

user remains logged on to the AP web interface. When the configured

timeout is reached, the user is automatically logged off the AP. The range is

1–1440 minutes (1440 minutes = 1 day). The default is 5 minutes.

67(3  Configure HTTP and HTTPS services:

•+77366HUYHU—Enables access via secure HTTP. By default, HTTPS

access is enabled. If you disable it, any current connections using that

protocol are disconnected.

$GPLQLVWUDWLRQ

HTTP/HTTPS Service

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 103



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•+77363RUW—The logical port number to use for HTTP connections, from

1025 to 65535. The default port number for HTTP connections is the well-

known IANA port number443.

•+7736HUYHU—Enables access via HTTP. By default, HTTP access is

enabled. If you disable it, any current connections using that protocol are

disconnected.

•+7733RUW—The logical port number to use for HTTP connections, from

1025 to 65535. The default port number for HTTP connections is the well-

known IANA port number 80.

•5HGLUHFW+773WR+7736—Redirects management HTTP access attempts

on the HTTP port to the HTTPS port. This field is available only when HTTP

access is disabled.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

0DQDJLQJ66/&HUWLILFDWHV

To use HTTPS services, the AP must have a valid SSL certificate. The AP can

generate a certificate or you can download it from your network or from a TFTP

server.

To have the AP generate the certificate, click *HQHUDWH66/&HUWLILFDWH This

should be done after the AP has acquired an IP address to ensure that the

common name for the certificate matches the IP address of the AP. Generating a

new SSL certificate restarts the secure Web server. The secure connection will

not work until the new certificate is accepted on the browser.

In the Certificate File Status area, you can view whether a certificate currently

exists on the AP, and, if one does, the following information about it:

•Certificate File Present

•Certificate Expiration Date

•Certificate Issuer Common Name

If an SSL certificate exists on the AP, you can download it to your PC as a backup.

In the Download SSL Certificate (From Device to PC) area, select +773 or 7)73

for the 'RZQORDG0HWKRG and click 'RZQORDG.

$GPLQLVWUDWLRQ

Telnet/SSH Service

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 104



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

•If you select HTTP, you will be prompted to confirm the download and then

to browse to the location to save the file on your network.

•If you select TFTP, additional fields display to enable you to enter the File

Name to assign to the downloaded file, and the TFTP server address where

the file will be downloaded.

You can also upload a certificate file from your PC to the AP. In the Upload SSL

Certificate (From PC to Device), select +773 or 7)73 for the 8SORDG0HWKRG

•For an HTTP, browse to the network location, select the file, and click

8SORDG.

•For TFTP, enter the )LOH1DPH as it exists on the TFTP server and the 7)73

6HUYHU,3Y$GGUHVV, then click 8SORDG.

A confirmation displays to indicate that the upload was successful.

7HOQHW66+6HUYLFH

You can enable management access through Telnet and SSH. The user names and

passwords that you configure for HTTP/HTTPS access also apply to the Telnet

and SSH services. These services are disabled by default.

To enable Telnet or SSH:

67(3  Click $GPLQLVWUDWLRQ > 7HOQHW66+6HUYLFH in the navigation window.

67(3  Select (QDEOH for 7HOQHWor 66+.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

0DQDJHPHQW$FFHVV&RQWURO

You can create an access control list (ACL) that lists up to five IPv4 hosts and five

IPv6 hosts that are authorized to access the AP management interface. If this

feature is disabled, anyone can access the management interface from any

network client by supplying the correct AP username and password.

$GPLQLVWUDWLRQ

Download/Backup Configuration File

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 105



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

If the management ACL is enabled, access via the Web, Telnet, SSH, and SNMP is

restricted to the specified IP hosts.

To create an access list:

67(3  Click $GPLQLVWUDWLRQ > 0DQDJHPHQW$FFHVV&RQWUROin the navigation window.

67(3  Select (QDEOH for the 0DQDJHPHQW$&/0RGH.

67(3  Enter up to five IPv4 and five IPv6 addresses that you want to provide access to.

67(3  Click 6DYH. The changes are saved to the Running Configuration and to the Startup

Configuration.

'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH

The AP configuration files are in XML format and contain all the information about

the AP settings. You can backup (upload) the configuration files to a network host

or TFTP server to manually edit the content or create backups. After you edit a

backed-up configuration file, you can download it back to the access point to

modify the configuration.

The AP maintains the following configuration files:

•5XQQLQJ&RQILJXUDWLRQ—The current configuration, including any changes

applied in the any management sessions since the last reboot.

•6WDUWXS&RQILJXUDWLRQ—The configuration file saved to flash memory.

•%DFNXS&RQILJXUDWLRQ—An additional configuration file saved on the

switch for use as a backup.

•0LUURU&RQILJXUDWLRQ—If the Running Configuration is not modified for at

least 24 hours, it is automatically saved to a Mirror Configuration file type,

and a log message with severity alert is generated to indicate that a new

mirror file is available. This feature allows the administrator to view the

previous version of the configuration before it is saved to the Startup

Configuration file type or to copy the Mirror Configuration file type to

another configuration file type. If the AP is rebooted, the Mirror

Configuration is reset to the factory default parameters.

$GPLQLVWUDWLRQ

Download/Backup Configuration File

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 106



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

127( In addition to downloading and uploading these files to another system, you can

copy them to different file types on the AP. See &RS\LQJDQG6DYLQJWKH

&RQILJXUDWLRQSDJH.

%DFNLQJ8SD&RQILJXUDWLRQ)LOH

To backup (upload) the configuration file to a network host or TFTP server:

67(3  Click $GPLQLVWUDWLRQ > 'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH in the navigation

window.

67(3  Select 9LD7)73 or 9LD+773+7736 as the 7UDQVIHU0HWKRG.

67(3  Select %DFNXS$3WR3&as the 6DYH$FWLRQ.

67(3  For a TFTP backup only, enter the 'HVWLQDWLRQ)LOH1DPH, including path, where

the file is to be placed on the server, then enter the 7)736HUYHU,3Y$GGUHVV.

67(3  For a TFTP backup only, enter the 7)736HUYHU,3Y$GGUHVV.

67(3  Select which configuration file you want to back up:

•5XQQLQJ&RQILJXUDWLRQ—Current configuration, including any changes

applied in the current management session.

•6WDUWXS&RQILJXUDWLRQ—Configuration file type used when the switch last

booted. This does not include any configuration changes applied but not yet

saved to the switch.

•%DFNXS&RQILJXUDWLRQ—Backup configuration file type saved on the switch.

•0LUURU&RQILJXUDWLRQ—If the Running Configuration is not modified for at

least 24 hours, it is automatically saved to the Mirror Configuration file type,

and a log message with severity level $OHUW is generated to indicate that a

new Mirror Configuration file is available. The Mirror Configuration file can be

used when the switch has problems booting with the Startup or Backup

Configuration file types. In such cases, the administrator can copy the Mirror

Configuration to either the Startup or Backup Configuration file type and

reboot.

67(3  Click 6DYH to begin the backup. For HTTP backups, a window displays to enable

you to browse to the desired location for saving the file.

$GPLQLVWUDWLRQ

Configuration Files Properties

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 107



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

'RZQORDGLQJD&RQILJXUDWLRQ)LOH

You can download a file to the AP to update the configuration or to restore the AP

to a previously backed-up configuration.

To download a configuration file to the AP:

67(3  Click $GPLQLVWUDWLRQ > 'RZQORDG%DFNXS&RQILJXUDWLRQ)LOH in the navigation

window.

67(3  Select 9LD7)73 or 9LD+773+7736 as the 7UDQVIHU0HWKRG.

67(3  Select 'RZQORDG3&WR$3 as the 6DYH$FWLRQ.

67(3  For a TFTP download only, enter the 6RXUFH)LOH1DPH, including path, where the

file exists on the server, then enter the 7)736HUYHU,3Y$GGUHVV.

67(3  Select which configuration file on the AP you want to be overwritten with the

downloaded file: the 6WDUWXS&RQILJXUDWLRQ or the %DFNXS&RQILJXUDWLRQ.

If the downloaded file overwrites the Startup Configuration file, and the file passes

a validity check, then the downloaded configuration will take effect the next time

the AP reboots.

67(3  Click 6DYH to begin the upgrade or backup. For HTTP downloads, a window

displays to enable you to browse to select the file to download. When the

download is finished, a window displays indicating “Download Successful!”

&$87,21 Ensure that power to the AP remains uninterrupted while the configuration file is

downloading to the switch. If a power failure occurs while downloading the

configuration file, the file is lost and the process must be restarted.

&RQILJXUDWLRQ)LOHV3URSHUWLHV

The Configuration Files Properties page enables you clear the Startup, Running,

or Backup Configuration file. If you clear the Startup Configuration file, the Backup

Configuration file will become active the next time you reboot the AP. The Running

Configuration cannot be cleared.

To delete the Startup Configuration or Backup Configuration file:

$GPLQLVWUDWLRQ

Copying and Saving the Configuration

Cisco Small Business WAP121 and WAP321 Wireless-N Access Point with PoE 108



REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

67(3  Click $GPLQLVWUDWLRQ > &RQILJXUDWLRQ)LOHV3URSHUWLHVin the navigation window.

67(3  Select the 6WDUWXS&RQILJXUDWLRQ,%DFNXS&RQILJXUDWLRQ, or 5XQQLQJ

&RQILJXUDWLRQ file type.

67(3  Click &OHDU)LOHV.

&RS\LQJDQG6DYLQJWKH&RQILJXUDWLRQ

The Copy/Save Configuration page enables you to copy files within the AP file

system. For example, you can copy the Backup Configuration file to the Startup

Configuration file type, so that it will be used the next time you boot up the switch.

To copy a file to another file type:

67(3  Click $GPLQLVWUDWLRQ > &RS\6DYH&RQILJXUDWLRQin the navigation window.

67(3  Select the 6RXUFH)LOH1DPH: