Wireless Settings: WPS Setup
REVIEW DRAFT Version 2—CISCO CONFIDENTIAL

PIN Control
A client may also enroll with a registrar by using a PIN. For example, the AP administrator may start an enrollment transaction for a particular VAP by entering the PIN of a client. When the client detects the WPS-enabled device, its user can then supply its PIN to the AP to continue the enrollment process. After the WPS protocol has completed, the client securely joins the network.

VAP Configuration Changes
The WPS protocol on a WPS-enabled VAP may configure the following parameters:
• Network SSID
• Key management options (WPA-PSK, or WPA-PSK and WPA2-PSK)
• Cryptography options (CCMP/AES, or TKIP and CCMP/AES)
• Network (public shared) key
If a VAP is enabled for WPS, these configuration parameters are subject to change, and are persistent between reboots of the AP.

Backward Compatibility with WPS Version 1.0
Although the WAP121 supports WPS version 2.0, the AP interoperates with enrollees and registrars that are certified by the Wi-Fi Alliance to conform to version 1.0 of the WPS protocol.

Configuring WPS Settings
You can use the WPS Setup page to enable the AP as a WPS-capable device and configure basic settings.
• WPS Instance ID—An identifier for the instance. As there is only one instance, the only option is wps1.
• WPS Mode—Enables or disables the instance.
• WPS VAP—The VAP associated with this WPS instance.
• WPS Built-in Registrar—Select to enable the built-in registrar function.

WPS Process
STEP Obtain the PIN from the client device. The PIN may be printed on the hardware itself, or may be obtained from the device's software interface.
STEP Click Wireless > WPS Process in the navigation window.
STEP Enter the client's PIN in the PIN Enrollment text box and click Start.
STEP Within two minutes, enter the AP's PIN on the client station's software interface. The AP's PIN is configured on the WPS Setup page.

Viewing Instance Summary Information
The following information displays for the WPS instance:
• WPS Radio
• WPS VAP
• SSID
• Security
If the WPS Configuration State field on the WPS Setup page is set to Unconfigured, then the SSID and Security values are configured by the external registrar. If the field is set to Configured, then these values are configured by the administrator.
6 SNMPv3
This chapter describes how to configure the Simple Network Management Protocol to perform configuration and statistics gathering tasks. It contains the following topics:
• SNMP Overview
• General SNMP Settings
• SNMP Views
• SNMP Groups
• SNMP Users
• SNMP Targets

SNMP Overview
Simple Network Management Protocol (SNMP) defines a standard for recording, storing, and sharing information about network devices.

General SNMP Settings
You can use the General page to enable SNMP and configure basic protocol settings. To configure general SNMP settings:
STEP Click SNMP > General in the navigation window.
STEP Select Enabled for the SNMP setting. SNMP is enabled by default.
STEP Configure the parameters:
• Read-only Community Name—A read-only community name for SNMPv2 access. The valid range is 1–256 characters.
• NMS Hostname/IPv4 Address/Name—The IPv4 DNS hostname or subnet of the machines that can execute get and set requests to the managed devices. The valid range is 1–256 characters. As with community names, this provides a level of security on SNMP settings. The SNMP agent will only accept requests from the hostname or subnet specified here.
An example of a DNS hostname is snmptraps.foo.com. Since SNMP traps are sent randomly from the SNMP agent, it makes sense to specify where exactly the traps should be sent. You can add up to a maximum of three DNS hostnames. Ensure you select the Enabled check box and select the appropriate Host Type.
STEP Click Save. The changes are saved to the Running Configuration and to the Startup Configuration.

SNMP Views
• OID—An OID string for the subtree to include or exclude from the view. For example, the system subtree is specified by the OID string .1.3.6.1.2.1.1.
• Mask—An OID mask. The mask is 47 characters in length. The format of the OID mask is xx.xx.xx... (.) or xx:xx:xx... (:) and is 16 octets in length. Each octet is two hexadecimal characters separated by either . (period) or : (colon). Only hex characters are accepted in this field.
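The OID and Mask fields together decide which part of the MIB a view exposes, and a mistake here is a least-privilege failure (a view meant to expose only interface counters can silently include far more). The following is an added example, not code from the Cisco guide: it evaluates an OID against a view subtree and hex-octet mask with the vacmViewTreeFamilyMask semantics of RFC 3415 (a 1 bit means the sub-identifier must match exactly, a 0 bit is a wildcard, and bits past the end of the mask count as 1). The SAMPLE_VIEW table at the bottom is constructed for the example.

```python
# Added example (not from the Cisco guide): evaluating an SNMP view subtree
# with an OID mask, following the vacmViewTreeFamilyMask semantics of RFC 3415.
# The guide describes the mask as hex octets separated by '.' or ':'; this
# parser accepts both separators. A missing or short mask means "all remaining
# sub-identifiers are significant", as RFC 3415 specifies.
import re

def parse_oid(text):
    """'.1.3.6.1.2.1.1' -> [1, 3, 6, 1, 2, 1, 1] (leading dot optional)."""
    return [int(x) for x in text.strip(".").split(".") if x != ""]

def parse_mask(text):
    """'ff:a0' or 'ff.a0' -> bytes; only hex digits and the two separators are accepted."""
    if text is None or text == "":
        return b""
    if not re.fullmatch(r"[0-9a-fA-F]{2}([.:][0-9a-fA-F]{2})*", text):
        raise ValueError("mask must be hex octets separated by '.' or ':'")
    return bytes(int(o, 16) for o in re.split(r"[.:]", text))

def mask_bit(mask, index):
    """Bit `index` (0-based, MSB first) of the mask; bits past the end count as 1."""
    octet, bit = divmod(index, 8)
    if octet >= len(mask):
        return 1
    return (mask[octet] >> (7 - bit)) & 1

def oid_in_subtree(oid, subtree, mask=""):
    """True if `oid` lies within `subtree` under the view mask.

    A 1 bit means the sub-identifier at that position must match exactly;
    a 0 bit makes it a wildcard. The OID must be at least as long as the subtree.
    """
    o, s, m = parse_oid(oid), parse_oid(subtree), parse_mask(mask)
    if len(o) < len(s):
        return False
    return all(mask_bit(m, i) == 0 or o[i] == s[i] for i in range(len(s)))

def view_allows(oid, families):
    """Apply a list of (subtree, mask, 'included' | 'excluded') entries.

    As in RFC 3415, the matching entry with the longest subtree decides;
    an OID that matches no entry is not visible.
    """
    best = None
    for subtree, mask, kind in families:
        if oid_in_subtree(oid, subtree, mask):
            if best is None or len(parse_oid(subtree)) > len(parse_oid(best[0])):
                best = (subtree, mask, kind)
    return best is not None and best[2] == "included"

# Constructed sample view: everything under mib-2 except the system group,
# plus (with a wildcard mask) every column of the ifTable row for interface 3.
SAMPLE_VIEW = [
    (".1.3.6.1.2.1", "", "included"),
    (".1.3.6.1.2.1.1", "", "excluded"),
    (".1.3.6.1.2.1.2.2.1.1.3", "ff:a0", "included"),   # bit 10 (the column) is a wildcard
]
```

The third entry shows why the mask matters: with `ff:a0` the column sub-identifier (position 10) is a wildcard while the interface index (position 11) must equal 3, so `ifInOctets.3` is visible and `ifInOctets.4` is not.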
SNMP Groups
for authentication, but not a DES key/password for encryption. By default, users of this group will have read and write access to the default all MIB view, which can be modified by the user.
• RWPriv—A read/write group using authentication and data encryption. Users in this group use an MD5 key/password for authentication and a DES key/password for encryption. Both the MD5 and DES key/passwords must be defined.
• Read Views—The read access to management objects (MIBs) for the group:
- view-all—The group is allowed to view and read all MIBs.
- view-none—The group cannot view or read MIBs.
STEP Click Add, and then click Save. The group is added to the SNMPv3 Groups list and your changes are saved to the Running Configuration and to the Startup Configuration.
NOTE To remove a group, select the group in the list and click Remove.

SNMP Users
• Authentication Key—(If you specify MD5 as the authentication type) A password to enable the SNMP agent to authenticate requests sent by the user. The password must be between 8 and 32 characters in length.
• Encryption Type—The type of privacy to use on SNMP requests from the user, which can be one of the following:
- DES—Use DES encryption on SNMPv3 requests from the user.
- None—SNMPv3 requests from this user require no privacy.
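The MD5 authentication key and the DES privacy key configured for an SNMPv3 user are never used as typed: RFC 3414 first stretches the password into a 16-byte key and then localizes it to the agent's engine ID, which is why the same password yields a different key on every AP and why a manager must learn the engine ID before it can authenticate. The block below is an added example, not code from the Cisco guide; it implements the RFC 3414 password-to-key and key-localization steps with hashlib, enforces the guide's 8 to 32 character limit, and uses the RFC's own test values ("maplesyrup", engine ID 00…02).

```python
# Added example (not from the Cisco guide): how an SNMPv3 user's MD5 password
# becomes the key the agent actually uses, following the password-to-key and
# key-localization algorithm of RFC 3414 (appendix A.2.1, test vector A.3.1).
# The guide requires the password to be 8 to 32 characters; that check is here.
import hashlib

def password_length_ok(password):
    """The guide's rule for the SNMPv3 authentication password: 8 to 32 characters."""
    return 8 <= len(password) <= 32

def password_to_key_md5(password):
    """RFC 3414 A.2.1: hash the password repeated out to exactly 1,048,576 bytes."""
    if not password_length_ok(password):
        raise ValueError("SNMPv3 password must be 8 to 32 characters")
    pw = password.encode("ascii")
    digest = hashlib.md5()
    total = 0
    while total < 1048576:
        chunk = pw[: min(len(pw), 1048576 - total)]   # truncate the last repeat
        digest.update(chunk)
        total += len(chunk)
    return digest.digest()          # Ku: 16 bytes, the same on every agent

def localize_key_md5(ku, engine_id):
    """RFC 3414 A.2.1: Kul = MD5(Ku || snmpEngineID || Ku), unique per agent."""
    return hashlib.md5(ku + engine_id + ku).digest()

def snmpv3_md5_localized_key(password, engine_id_hex):
    """Return the localized authentication key as a hex string."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key_md5(password_to_key_md5(password), engine_id).hex()

def des_key_from_localized(kul):
    """RFC 3414 8.1.1.1: the first 8 bytes of the localized privacy key are the DES key
    (the last 8 bytes are the pre-IV)."""
    return kul[:8]

if __name__ == "__main__":
    # RFC 3414 A.3.1 test values: password "maplesyrup", engine ID 000000000000000000000002.
    print(password_to_key_md5("maplesyrup").hex())
    print(snmpv3_md5_localized_key("maplesyrup", "000000000000000000000002"))
```

Because the localization step binds the key to the engine ID, rotating a password on one AP does not affect keys derived for another, and a key captured from one device's configuration backup is not directly reusable against a second device.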
SNMP Targets
• Port—Enter the UDP port to use for sending SNMP targets.
• Users—Enter the name of the SNMP user to associate with the target. To configure SNMP users, see "Configuring SNMPv3 Users" on page 125.
• SNMPv3 Targets—This field shows the SNMPv3 Targets on the AP. To remove a target, select it and click Remove.
STEP Click Add, and then click Save.

7 Administration
This chapter describes how to configure global system settings and perform diagnostics. It contains the following topics.
• System Settings
• User Accounts
• Firmware Upgrade
• Packet Capture
• Log Settings
• Email Alert
• Discovery—Bonjour
• HTTP/HTTPS Service
• Telnet/SSH Service
• Management Access Control
• Download/Backup Configuration File
• Configuration Files Properties
• Copying and Saving the Configuration
• Rebooting

System Settings
To configure system settings:
STEP Click Administration > System Settings in the navigation window.
STEP Enter the parameters:
• Host Name—Administratively-assigned name for the AP. By convention, this is the fully-qualified domain name of the node. The default host name is "wap" concatenated with the last 6 hex digits of the MAC address of the switch. Host Name labels contain only letters, digits and hyphens.

User Accounts
STEP Click Administration > User Accounts in the navigation window. The User Account Table displays the currently configured users. The user cisco is preconfigured in the system to have Read/Write privileges. This user cannot be deleted. However, you can change the password. All other users can have Read Only access, but not Read/Write access.
STEP Click Add. A new row of text boxes displays.
• Red—The password fails to meet the minimum complexity requirements.
• Orange—The password meets the minimum complexity requirements but the password strength is weak.
• Green—The password is strong.
STEP Click Save. The changes are saved to the Running Configuration and to the Startup Configuration.

Firmware Upgrade
Uploading the new software may take several minutes. Do not refresh the page or navigate to another page while uploading the new software, or the software upload will be aborted. When the process is complete the access point will restart and resume normal operation.

Packet Capture
• Capture file mode—Captured packets are stored in a file on the AP. The AP can transfer the file to a TFTP server. The file is formatted in pcap format and can be examined using tools such as Wireshark and OmniPeek.
• Remote capture mode—Captured packets are redirected in real time to an external PC running the Wireshark tool.
The AP can capture the following types of packets:
• 802.
As soon as the capture is completed, the radio reverts to non-promiscuous mode operation.
• Radio Client Filter—Enables or disables the WLAN client filter to capture only frames that are transmitted to, or received from, a WLAN client with a specified MAC address.
• Client Filter MAC Address—The MAC address for WLAN client filtering.
NOTE: The MAC filter is active only when capture is performed on an 802.11 interface.
- brtrunk—Linux bridge interface in the AP.
• Capture Duration—The time duration in seconds for the capture (range 10 to 3600).
• Max Capture File Size—The maximum allowed size for the capture file in KB (range 64 to 4096).
STEP Click Save. The changes are saved to the Running Configuration and the Startup Configuration.
STEP Click Start Capture.
When the remote capture mode is in use, the AP does not store any captured data locally in its file system. You can trace up to five interfaces on the AP at the same time. However, you must start a separate Wireshark session for each interface. You can configure the IP port number used for connecting Wireshark to the AP. The default port number is 2002.
• All traffic to and from a specific client: wlan.addr == 00:00:e8:4e:5f:8e
In remote capture mode, traffic is sent to the PC running Wireshark via one of the network interfaces. Depending on where the Wireshark tool is located, the traffic can be sent on an Ethernet interface or one of the radios.
STEP Ensure that Remote is selected for the Packet Capture Method.
STEP Specify the Remote Capture Port to use as the destination for packet captures (range 1 to 65530).
STEP Click Save. The changes are saved to the Running Configuration and the Startup Configuration.
STEP Click Start Capture. A confirmation window displays to remind you to make sure the monitoring application is ready.
STEP Click OK.
STEP Click OK. A dialog box displays to enable you to choose a network location to save the file.

Log Settings
You can use the Log Settings page to enable log messages to be saved in permanent memory and to specify a remote host that provides syslog relay services.
Configuring the Persistent Log
If the system unexpectedly reboots, log messages can be useful to diagnose the cause.
- 0—emergency
- 1—alert
- 2—critical
- 3—error
- 4—warning
- 5—notice
- 6—info
- 7—debug
• Depth—You can store up to 512 messages in memory. When the number you configure in this field is reached, the oldest log event is overwritten by the new log event.
STEP Click Save. The changes are saved to the Running Configuration and the Startup Configuration.
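The severity numbers above are the standard syslog severities (0 is most severe), and the Depth field turns the persistent log into a fixed-size ring buffer, so choosing a high depth with a verbose severity can push the one message that explains an unexpected reboot out of memory before you read it. The following is an added example, not code from the Cisco guide: a small model of such a log that parses the syslog PRI prefix (PRI = facility × 8 + severity, per RFC 3164/5424), keeps only messages at or above a configured severity, and overwrites the oldest entry once the configured depth (1 to 512) is reached. The sample lines are constructed for the example.

```python
# Added example (not from the Cisco guide): a minimal model of a persistent
# syslog buffer with a severity threshold and a ring-buffer depth, as the
# Log Settings page describes. Sample lines below are constructed.
from collections import deque
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility, severity, message) from a '<PRI>message' syslog line."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:          # 23 facilities * 8 + 7 = 191
        raise ValueError("missing or invalid PRI field: %r" % line)
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def is_valid_pri_line(line):
    try:
        parse_pri(line)
        return True
    except ValueError:
        return False

class PersistentLog:
    def __init__(self, severity=7, depth=512):
        if not 0 <= severity <= 7:
            raise ValueError("severity must be 0 (emergency) to 7 (debug)")
        if not 1 <= depth <= 512:
            raise ValueError("depth must be 1 to 512 messages")
        self.severity = severity             # keep messages this severe or worse
        self.entries = deque(maxlen=depth)   # deque drops the oldest when full
        self.overwritten = 0                 # how many entries the ring has lost

    def store(self, line):
        """Return True if the line was kept, False if filtered by severity."""
        facility, sev, msg = parse_pri(line)
        if sev > self.severity:              # larger number = less severe
            return False
        if len(self.entries) == self.entries.maxlen:
            self.overwritten += 1
        self.entries.append((SEVERITY_NAMES[sev], msg))
        return True

    def messages(self):
        return list(self.entries)

# Constructed sample lines; facility 16 (local0), so PRI = 128 + severity.
SAMPLE_LINES = [
    "<128>wap01 system: power-on self test passed",      # 128 + 0 = emergency
    "<131>wap01 wpa: authentication failed for 00:11:22:33:44:55",  # 131 = error
    "<134>wap01 dhcp: lease renewed",                    # 134 = info
    "<135>wap01 wps: pin enrollment window opened",      # 135 = debug
]

def run_sample(severity=4, depth=2):
    """Feed the sample lines through a log with the given settings."""
    log = PersistentLog(severity=severity, depth=depth)
    kept = [log.store(line) for line in SAMPLE_LINES]
    return {"kept": kept, "messages": log.messages(), "overwritten": log.overwritten}
```

With severity 4 (warning) and depth 2 the two informational lines are filtered and nothing is overwritten; with severity 7 and the same depth, every line is accepted and the emergency and error entries are pushed out by the later info and debug lines.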
STEP Click Administration > Log Settings in the navigation window.
STEP Configure the parameters:
• Relay Log—Enables the AP to send log messages to a remote host. When disabled, all log messages are kept on the local system.
• Server IPv4 Address/Name—The IP address or DNS name of the remote log server.
• UDP Port—The logical port number for the syslog process on the relay host. The default port is 514.

Email Alert
STEP Click Administration > Email Alert in the navigation window.
STEP In the Global Configuration area, configure the following parameters:
• Admin Mode—Enables the email alert feature globally.
• From Address—Email alert From Address configuration. The address is a 255 character string with only printable characters. The default is null.
• Log Duration—The email alert log duration in minutes. The range is 30-1440 minutes.
STEP Click Test Mail to validate the configured email server credentials. The administrator can send a test email once the email server details are configured. The following is a sample format of the email alert sent from the AP:
From: AP-192.168.2.10@mailserver.com
Sent: Wednesday, September 09, 2009 11:16 AM
To: administrator@mailserver.

Discovery—Bonjour
STEP Click Administration > Discovery—Bonjour in the navigation window.
STEP Select Enable.
STEP Click Save. Your changes are saved to the Running Configuration and the Startup Configuration.

HTTP/HTTPS Service
Use the HTTP/HTTPS Service page to enable and configure web-based management connections. If HTTPS will be used for secure management sessions, you also use this page to manage the required SSL certificates.
• HTTPS Port—The logical port number to use for HTTPS connections, from 1025 to 65535. The default port number for HTTPS connections is the well-known IANA port number 443.
• HTTP Server—Enables access via HTTP. By default, HTTP access is enabled. If you disable it, any current connections using that protocol are disconnected.
• HTTP Port—The logical port number to use for HTTP connections, from 1025 to 65535.
• If you select HTTP, you will be prompted to confirm the download and then to browse to the location to save the file on your network.
• If you select TFTP, additional fields display to enable you to enter the File Name to assign to the downloaded file, and the TFTP server address where the file will be downloaded.
You can also upload a certificate file from your PC to the AP.

Management Access Control
If the management ACL is enabled, access via the Web, Telnet, SSH, and SNMP is restricted to the specified IP hosts. To create an access list:
STEP Click Administration > Management Access Control in the navigation window.
STEP Select Enable for the Management ACL Mode.
STEP Enter up to five IPv4 and five IPv6 addresses that you want to provide access to.
STEP Click Save.

Download/Backup Configuration File
NOTE In addition to downloading and uploading these files to another system, you can copy them to different file types on the AP. See the Copying and Saving the Configuration page.
Backing Up a Configuration File
To back up (upload) the configuration file to a network host or TFTP server:
STEP Click Administration > Download/Backup Configuration File in the navigation window.
Downloading a Configuration File
You can download a file to the AP to update the configuration or to restore the AP to a previously backed-up configuration. To download a configuration file to the AP:
STEP Click Administration > Download/Backup Configuration File in the navigation window.
STEP Select Via TFTP or Via HTTP/HTTPS as the Transfer Method.
STEP Select Download (PC to AP) as the Save Action.

Configuration Files Properties
STEP Click Administration > Configuration Files Properties in the navigation window.
STEP Select the Startup Configuration, Backup Configuration, or Running Configuration file type.
STEP Click Clear Files.

Copying and Saving the Configuration
The Copy/Save Configuration page enables you to copy files within the AP file system. When complete, a window displays the message, "Copy Operation Successful."

Rebooting
You can use the Reboot page to reboot the AP, as follows:
STEP Click Administration > Reboot in the navigation window.
STEP Select one of the following options:
• Reboot—Reboots the switch using the Startup Configuration.
• Reboot to Factory Default—Reboots the switch using the factory default configuration file.

8 System Security
This chapter describes how to configure security settings on the AP. It contains the following topics.
• RADIUS Server
• 802.1X Supplicant
• Password Complexity
• WPA-PSK Complexity

RADIUS Server
Several of the AP features require communication with a RADIUS authentication server.
STEP Click Security > RADIUS Server in the navigation window.
STEP Enter the parameters:
• Server IP Address Type—The IP version that the RADIUS server uses. You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the AP contacts only the RADIUS server or servers of the address type you select in this field.

802.1X Supplicant
IEEE 802.1X authentication enables the access point to gain access to a secured wired network. You can enable the access point as an 802.1X supplicant (client) on the wired network. A user name and password that are encrypted using the MD5 algorithm can be configured to allow the access point to authenticate using 802.1X. On networks that use IEEE 802.
• Password—The MD5 password for the AP to use when responding to requests from an 802.1X authenticator. The password can be 1 to 64 characters in length. ASCII-printable characters are allowed, which includes upper and lower case letters, numbers, and special symbols such as @ and #.
STEP Click Save. The changes are saved to the Running Configuration and to the Startup Configuration.

Password Complexity
To configure password complexity requirements:
STEP Click Security > Password Complexity in the navigation window.
STEP For the Password Complexity setting, select Enable.
STEP Configure the parameters:
• Password Minimum Character Class—The minimum number of character classes that must be represented in the password string.

WPA-PSK Complexity
STEP Click Security > WPA-PSK Complexity in the navigation window.
STEP Click Enable for the WPA-PSK Complexity setting to enable the AP to check WPA-PSK keys against the criteria you configure. If you clear the checkbox, none of the following settings will be used.
STEP Configure the parameters:
• WPA-PSK Minimum Character Class—The minimum number of character classes that must be represented in the key string.
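Both the Password Complexity and the WPA-PSK Complexity pages rest on the same "minimum character class" rule. The block below is an added example, not code from the Cisco guide, showing how such a check is implemented so that the same logic can be reused for an administrator password and a WPA-PSK passphrase. The four classes (uppercase, lowercase, digits, other printable ASCII) and the default length bounds are assumptions: the guide does not define the classes, and the 8 to 63 character default is the WPA passphrase limit from IEEE 802.11, not a value from this page.

```python
# Added example (not from the Cisco guide): a "minimum character class"
# check of the kind the Password Complexity and WPA-PSK Complexity pages
# describe. The class definitions and default length bounds are assumptions.
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},   # other printable ASCII
}

def character_classes(text):
    """Return the set of class names represented in `text`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in text)}

def check_complexity(secret, min_classes=3, min_length=8, max_length=63):
    """Return (ok, reasons). ok is True only when every rule is satisfied.

    min_length/max_length default to the 8-63 WPA passphrase range (assumed,
    not from the guide); pass other bounds for an administrator password.
    """
    reasons = []
    if not all(32 <= ord(c) <= 126 for c in secret):
        reasons.append("only printable ASCII characters are allowed")
    if not min_length <= len(secret) <= max_length:
        reasons.append("length must be %d to %d characters" % (min_length, max_length))
    found = character_classes(secret)
    if len(found) < min_classes:
        reasons.append("needs %d character classes, found %d (%s)"
                       % (min_classes, len(found), ", ".join(sorted(found)) or "none"))
    return (not reasons), reasons

if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor", "Passw0rd!", "Ab1"]:
        ok, reasons = check_complexity(candidate, min_classes=3)
        print("%-12s %s %s" % (candidate, "accepted" if ok else "rejected", "; ".join(reasons)))
```

Returning the list of failed rules rather than a bare boolean is what lets a management UI show the user which requirement was missed, which is also the information behind the red/orange/green indicator described on the User Accounts page.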
9 Captive Portal
This chapter describes the Captive Portal feature, which allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users.
NOTE The Captive Portal feature is available only on the WAP321 AP.
Authenticated users must be validated against a database of authorized Captive Portal users before access is granted.
• Failed Authentication Clients

Configuring Global Captive Portal Settings
You can use the CP Global Configuration page to control the administrative state of the CP feature and configure global settings that affect all captive portal instances configured on the AP. To configure CP Global settings:
STEP Click Captive Portal > Global Configuration in the navigation window.

Configuring Instances
You can create up to two captive portal instances, each of which is a defined set of CP parameters. Instances can be associated with one or more VAPs. Different instances can be configured to respond differently to users as they attempt to access the associated VAP. To create a CP instance and configure its settings:
STEP Click Captive Portal > Instance Configuration in the navigation window.
• Redirect URL—The URL to which the newly authenticated client is redirected if the URL Redirect Mode is enabled.
• Idle Time—The number of seconds a user can remain idle before automatically being logged out. If the value is set to 0, the timeout is not enforced. The default value is 0.
• Session Timeout—The number of seconds to wait before terminating a session.
• Radius Backup IP—Up to three IPv4 or IPv6 backup RADIUS server addresses. If authentication fails with the primary server, each configured backup server is tried in sequence.
• RADIUS Current—Enables administratively selecting the active RADIUS server, rather than having the AP attempt to contact each configured server in sequence and choose the first server that is up.
• RADIUS Key—The shared secret key that the AP use
STEP Click Save. Your changes are saved to the Running Configuration.

Uploading Binary Files
When users initiate access to a VAP that is associated to a captive portal instance, an authentication page displays. You can customize this page with your own logo and other graphics. You can use the Upload Binary Files page to upload these graphics to the AP.
NOTE: To delete an image, select it from the Delete Web Customization Image list and click Delete.

Customizing the Captive Portal Web Pages
When users initiate access to a VAP that is associated to a captive portal instance, an authentication page displays.
• Logo Image Name—The image file to display on the top left corner of the page. This image is used for branding purposes, such as the company logo. If you uploaded a custom logo image to the AP, you can select it from the list.
• Foreground Color—The HTML code for the foreground color in 6-digit hexadecimal format.
• Accept Label—The text that instructs users to select the check box to acknowledge reading and accepting the Acceptance Use Policy.
• No Accept Text—Error: The text that displays in a pop-up window when a user submits login credentials without selecting the Acceptance Use Policy check box.
• Work In Progress Text—The text that displays during authentication.

Web Customization Preview
The page for the locale displays in the Captive Portal Web Locale Parameters Preview area.

Local Groups
Each local user is assigned to a user group. Each group is assigned to a CP instance. The group facilitates managing the assignment of users to CP instances. The user group named default is built-in and cannot be deleted. You can create up to two additional user groups.

Local Users
You can use the Local Users page to configure up to 128 authorized users in the local database. To add and configure a local user:
STEP Click Captive Portal > Local Users in the navigation window.
STEP Select Create in the Captive Portal Users list. The page displays additional fields for creating a new user.
STEP Enter a User Name and User ID, then click Save.

Local User/Group Associations
When you define CP users, you assign them to groups. The groups are assigned to a CP instance, enabling all members access to that CP instance. In addition to making a user a member of a group, you can also associate the user with another group (without assigning them as a member). The association enables a user access to an additional CP instance.
• Verification—The method used to authenticate the user on the Captive Portal, which can be one of the following values:
- Guest—The user does not need to be authenticated by a database.
- Local—The AP uses a local database to authenticate users.
- RADIUS—The AP uses a database on a remote RADIUS server to authenticate users.
• VAP ID—The VAP that the user is associated with.

Failed Authentication Clients
The following fields display:
• MAC Address—The MAC address of the client.
• IP Address—The IP address of the client.
• User Name—The client's Captive Portal user name.
• Verification—The method the client attempted to use to authenticate on the Captive Portal, which can be one of the following values:
- Guest—The user does not need to be authenticated by a database.

10 Client Quality of Service
This chapter provides an overview of Quality of Service (QoS) and explains the QoS features available from the Quality of Service menu.
• ACLs
• Class Map
• Policy Map
• Client QoS Association
• Client QoS Status

ACLs
ACLs are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources.
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect fields of a frame such as the source or destination MAC address, the VLAN ID, or the Class of Service 802.1p priority. When a frame enters or exits the AP port (depending on whether the ACL is applied in the up or down direction), the AP inspects the frame and checks the ACL rules against the content of the frame.
STEP Click Add ACL. The page displays additional fields for configuring the ACL.
STEP Configure the rule parameters:
• ACL Name-ACL Type—The ACL to configure with the new rule. The list contains all ACLs added in the ACL Configuration section.
- Select From List—Select one of the following protocols: IP, ICMP, IGMP, TCP, or UDP.
- Match to Value—Enter a standard IANA-assigned protocol ID from 0–255. Choose this method to identify a protocol not listed by name in the Select From List.
• Source IP Address—Requires a packet's source IP address to match the address listed here. Enter an IP address in the appropriate field to apply this criterion.
The wildcard mask determines which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all of the bits are important. This field is required when Source IP Address is selected. A wildcard mask is in essence the inverse of a subnet mask. For example, to match the criteria to a single host address, use a wildcard mask of 0.0.0.0.
The high-order three bits represent the IP precedence value. The high-order six bits represent the IP Differentiated Services Code Point (DSCP) value.
• IP TOS Mask—Enter an IP TOS mask value to identify the bit positions in the TOS Bits value that are used for comparison against the IP TOS field in a packet. The TOS Mask value is a two-digit hexadecimal number from 00 to ff, representing an inverted (i.e. wildcard) mask.
• IPv6 Flow Label—The flow label is a 20-bit number that is unique to an IPv6 packet. It is used by end stations to signify quality-of-service handling in routers (range 0 to 1048575).
• IP DSCP—Matches packets based on their IP DSCP value. If you select this checkbox, choose one of the following as the match criteria:
- Select From List—DSCP Assured Forwarding (AS), Class of Service (CS) or Expedited Forwarding (EF) values.

Class Map
• Destination MAC Mask—Enter the destination MAC address mask specifying which bits in the destination MAC to compare against an Ethernet frame. A 0 indicates that the address bit is significant, and an f indicates that the address bit is to be ignored. A MAC mask of 00:00:00:00:00:00 matches a single MAC address.
• VLAN ID—Select this field and enter the VLAN IDs to compare against an Ethernet frame.
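The Source IP wildcard mask, the IP TOS mask and the Destination MAC mask above all follow the same inverted-mask convention (a set bit means "ignore this bit"), which is the opposite of a subnet mask and a frequent source of ACL rules that match far more, or far less, than intended. The following is an added example, not code from the Cisco guide: it implements the three masked comparisons exactly as the field descriptions define them, derives DSCP and IP precedence from a TOS byte, and evaluates a small first-match ACL with an implicit deny. The rules and packet headers are constructed for the example and are not from the guide.

```python
# Added example (not from the Cisco guide): the masked comparisons the ACL
# rule fields describe. In every mask here a set bit means "ignore":
# 0.0.0.0 matches one host and 255.255.255.255 matches any address; the
# TOS mask is an inverted (wildcard) hex byte; a MAC mask of 00:00:00:00:00:00
# matches one address and ff in an octet ignores that octet.
import ipaddress

def ipv4_matches(packet_ip, rule_ip, wildcard):
    """Compare only the bits that are 0 in the wildcard mask."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (r & ~w)          # bits set in the wildcard are ignored

def tos_matches(packet_tos, rule_tos_bits, rule_tos_mask_hex):
    """IP TOS compare; the mask is an inverted (wildcard) two-digit hex value."""
    mask = int(rule_tos_mask_hex, 16)
    if not 0 <= mask <= 0xFF:
        raise ValueError("TOS mask must be a two-digit hex number, 00 to ff")
    return (packet_tos & ~mask & 0xFF) == (rule_tos_bits & ~mask & 0xFF)

def mac_matches(packet_mac, rule_mac, mac_mask):
    """MAC compare: a 0 bit in the mask is significant, a 1 bit is ignored."""
    p, r, m = (bytes.fromhex(x.replace(":", "")) for x in (packet_mac, rule_mac, mac_mask))
    return all((pb & ~mb & 0xFF) == (rb & ~mb & 0xFF) for pb, rb, mb in zip(p, r, m))

def dscp_from_tos(tos):
    """(DSCP, IP precedence): the high-order six and three bits of the TOS byte."""
    return tos >> 2, tos >> 5

def evaluate_acl(packet, rules):
    """First matching rule wins; an ACL that matches nothing denies (implicit deny)."""
    for rule in rules:
        if all(check(packet) for check in rule["match"]):
            return rule["action"] == "permit"
    return False

# Constructed sample ACL: drop anything sourced from 10.10.0.0/16, then permit
# EF-marked traffic from 192.168.1.0/24 to one specific destination MAC.
# 0xb8 is DSCP 46 (EF) shifted into the TOS byte; mask "03" ignores the ECN bits.
SAMPLE_RULES = [
    {"action": "deny", "match": [
        lambda pkt: ipv4_matches(pkt["src"], "10.10.0.0", "0.0.255.255")]},
    {"action": "permit", "match": [
        lambda pkt: ipv4_matches(pkt["src"], "192.168.1.0", "0.0.0.255"),
        lambda pkt: tos_matches(pkt["tos"], 0xb8, "03"),
        lambda pkt: mac_matches(pkt["dst_mac"], "00:1a:2b:3c:4d:5e", "00:00:00:00:00:00")]},
]

if __name__ == "__main__":
    # Constructed packet headers for a quick run.
    for pkt in [{"src": "192.168.1.20", "tos": 0xb9, "dst_mac": "00:1a:2b:3c:4d:5e"},
                {"src": "10.10.5.5", "tos": 0xb9, "dst_mac": "00:1a:2b:3c:4d:5e"},
                {"src": "192.168.1.20", "tos": 0x00, "dst_mac": "00:1a:2b:3c:4d:5e"}]:
        print(pkt["src"], "permit" if evaluate_acl(pkt, SAMPLE_RULES) else "deny")
```

Note the asymmetry with subnet masks: a rule written with 255.255.255.0 as the wildcard matches on the last octet only, which is almost never what was meant; converting a prefix length to a wildcard (all-ones minus the subnet mask) avoids that mistake.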
Adding a Class Map
To add a class map:
STEP Click Client QoS > Class Map in the navigation window.
STEP Enter a Class Map Name.
STEP Select a value from the Match Layer 3 Protocol list:
• IPv4—The class map applies only to IPv4 traffic on the AP.
• IPv6—The class map applies only to IPv6 traffic on the AP.
- Select From List—Match the selected protocol: IP, ICMP, IPv6, ICMPv6, IGMP, TCP, UDP.
- Match to Value—Match a protocol that is not listed by name. Enter the protocol ID. The protocol ID is a standard value assigned by the IANA. The range is a number from 0–255.
• Source IP Address or Source IPv6 Address—Requires a packet's source IP address to match the address listed here.
• IP DSCP—See description under Service Types below.
• Source Port—Includes a source port in the match condition for the rule. The source port is identified in the datagram header. If you select the field, choose the port name or enter the port number.
- Select From List—Matches a keyword associated with the source port: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www.