B WAP150 361 Admin Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2019 Cisco Systems, Inc. All rights reserved.
The Java logo is a trademark or registered trademark of Sun Microsystems, Inc. in the U.S. or other countries.
CONTENTS
CHAPTER 2 Administration 11
Firmware 11
Swapping the Firmware Image 11
HTTP/HTTPS Upgrade 12
TFTP Upgrade 12
Reboot 13
Schedule Reboot 13
Configuration Management 13
Backup Configuration Files 14
Download Configuration Files 14
Copying Configuration Files 15
Clearing Configuration Files 15
Cisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE / Cisco WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE
Administration Guide
LAN 17
IPv4 Configuration 17
DHCP Auto Configuration Settings 18
IPv6 Configuration 19
Port Settings 20
Spanning Tree Protocol 20
VLANs Setting 21
Neighbor Discover 21
LLDP 22
IPv6 Tunnel 22
Time 23
Automatically Acquiring the Time Settings through NTP 24
Manually Configuring the Time Settings 24
Notification 25
LED Display 25
Log Settings 25
Remote Log Server Table 26
View System Log 27
Email Alert/ Mail Server/ Message Configuration 27
Email Alert Examples 29
User Accounts 29
Adding a User 29
Changing a User Password 30
Management 31
Management 31
Connect Session Settings/HTTP/HTTPS Service 31
SSL Certificate File Status 32
SNMP / SNMPv2c Settings 33
SNMPv3 Views 34
SNMPv3 Groups 35
SNMPv3 Users 37
SNMPv3 Targets 38
Plug and Play (PnP) 38
Security 39
Radius Server 39
Configuring Global RADIUS Servers 39
802.1x 40
CHAPTER 4 Wireless 47
Radio 47
Networks 52
Configuring VAPs 52
Configuring Security Settings 54
Client Filter 58
Configuring a Client Filter List Locally on the WAP device 58
Configuring MAC Authentication on the Radius Server 59
Scheduler 59
Scheduler Profile Configuration 59
Profile Rule Configuration 60
QoS 60
Wireless Bridge 63
Configuring WDS Bridge 64
WPA/PSK on WDS Links 64
WorkGroup Bridge 65
ACL 81
IPv4 and IPv6 ACLs 81
Workflow to Configure ACLs 82
Configure IPv4 ACLs 82
Configure IPv6 ACLs 84
Configure MAC ACLs 87
Client QoS 88
Configuring IPv4 Traffic Classes 89
Configuring IPv6 Traffic Classes 91
Configuring MAC Traffic Classes 93
QoS Policy 94
QoS Association 95
Global Settings 96
Guest Access 96
Guest Access Instance Table 97
Guest Group Table 100
Guest User Account 101
Web Portal Customization 101
Dashboard 107
LAN Status 108
Wireless Status 109
Traffic Statistics 110
Single Point Setup Status 110
Clients 111
Guests 113
CHAPTER 1
Getting Started
This chapter contains the following sections:
• Getting Started with the Configuration, on page 1
• Using the Access Point Setup Wizard, on page 2
• Changing Password, on page 6
• TCP/UDP Service, on page 6
• System Status, on page 7
• Quick Start Configuration, on page 8
• Window Navigation, on page 9
Supported Browsers
Before you begin to use the configuration utility, make sure that you have a computer with one of the following
browsers:
• Internet Explorer 11, Microsoft Edge or later
• Firefox 64 or later
• Chrome 72 or later
• Safari 5.1 or later
Browser Restrictions
• If using Internet Explorer 11, configure the following security settings:
• Select Tools, Internet Options and then select the Security tab.
• Next, select Local Intranet and then select Sites.
• Select Advanced and then select Add. Add the intranet address of the WAP device
http://<ip-address> to the local intranet zone. The IP address can also be specified as the
subnet IP address so that all subnet addresses are added to the local intranet zone.
• If you have multiple IPv6 interfaces on your management station, use the IPv6 global address instead of
the IPv6 local address to access the WAP device from your browser.
Follow the Setup Wizard instructions to finish the installation. We strongly recommend that you use the Setup
Wizard for the first installation. See Using the Access Point Setup Wizard, on page 2 for more information.
Logging Out
By default, the configuration utility logs out after 10 minutes of inactivity. See Management, on page 31 for
instructions on changing the default timeout period.
To log out, click Logout in the top right corner of the configuration utility.
Using the Access Point Setup Wizard
Note If you click Cancel to bypass the wizard, the Change Password page appears. You can then change the
default password and username for logging in. See Changing Password for more information.
Step 9 Click Next. The Configure Device - Set System Date and Time window appears.
Step 10 Choose your time zone, and then set the system time automatically from an NTP server or manually. For a description
of these options, see Time, on page 23.
Step 11 Click Next. The Configure Device - Set Password window appears.
Step 12 Enter a New Password and enter it again in the Confirm Password field.
Note Uncheck Password Complexity to disable the password security rules. However, we strongly recommend
keeping the password security rules enabled. For more information about passwords, see Security, on page
39.
Step 13 Click Next. The Configure Radio 1 - Name Your Wireless Network window appears.
Step 14 Enter a Network Name. This name serves as the SSID for the default wireless network.
Step 15 Click Next. The Configure Radio 1 - Secure Your Wireless Network window appears.
Step 16 Choose a security encryption type and enter a security key. For a description of these options, see Configuring Security
Settings, on page 54.
Step 17 Click Next. The Configure Radio 1 - Assign the VLAN ID for your Wireless Network window appears.
Step 18 Choose the VLAN ID for traffic received on the wireless network.
We recommend that you assign a different VLAN ID from the default (1) to the wireless traffic, in order to segregate
it from the management traffic on VLAN 1.
Step 19 Click Next. Repeat Step 13 to Step 18 to configure the settings for the Radio 2 interface.
Step 20 Click Next. The Enable Captive Portal - Create Your Guest Network window appears.
Step 21 Select whether or not to set up an authentication method for guests on your network, and click Next.
If you click No, skip to Step 29.
If you click Yes, the Enable Captive Portal - Name Your Guest Network window appears.
Using the Access Point Setup Wizard with mobile
Note The default SSID under factory default mode is CiscoSB-Setup. Associate your portable device to the Access
Point with this SSID and the pre-shared key, cisco123. Launch a browser and enter an arbitrary IP address or
a domain name. A web page with login fields is displayed. Enter the default user name and password: cisco.
Click Log In. The Access Point Setup Wizard is displayed.
Step 6 In the Configure Device - Set Password window, enter a new password and re-enter the password in the Confirm
Password field.
Step 7 Click Next. The Configure Your Wireless Network window appears.
a) Enter a Network Name which serves as the SSID for the default wireless network.
b) Enter a Security key (the default security type is WPA2 Personal - AES).
c) Enter the VLAN ID for traffic received on the wireless network.
Note Check the check box to apply same configuration to Radio 2 or switch to another radio tab and repeat Step
7 to configure again.
Changing Password
For security reasons, you are required to change the administrative password at a set interval. You will need
to access this page when the Password Aging Time is up.
Password complexity is enabled by default. The minimum password complexity requirements are shown on
the Change Password page. The new password must comply with the default complexity rules, unless you
temporarily disable Password Complexity. See Security, on page 39 for more information.
To change the default password, configure the following:
• Username—Enter a new username. The default name is cisco.
• Old Password—Enter the current password. The default password is cisco.
• New Password—Enter a new password.
• Confirm Password—Enter the new password again for confirmation.
• Password Strength Meter—Displays the strength of the new password.
• Password Complexity—The password complexity is enabled by default and requires that the new
password conforms to the following complexity settings:
• Is different from the username.
• Is different from the current password.
• Has a minimum length of eight characters.
• Contains characters from at least three character classes (uppercase letters, lowercase letters, numbers,
and special characters available on a standard keyboard).
Note Check Disable to disable the password complexity rules. However, we strongly recommend that you keep
the password complexity rules enabled.
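The default complexity rules listed above, expressed as an added Python check (not part of the Cisco guide or the device firmware) that can be run over planned credentials before they are entered on the Change Password page. The function names, the extra factory-default check and the sample accounts are assumptions made for illustration.

```python
import string

MIN_LENGTH = 8      # "minimum length of eight characters"
MIN_CLASSES = 3     # "at least three character classes"
# Factory-default values named in the guide (login and setup pre-shared key).
# Rejecting them is an extra check added here, not one of the guide's rules.
FACTORY_DEFAULTS = {"cisco", "cisco123"}


def character_classes(password):
    """Return the names of the character classes found in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("number")
        elif ch in string.punctuation:
            found.add("special")
        # Assumption: spaces and non-ASCII characters are not treated as
        # "standard keyboard" characters and count toward no class.
    return found


def check_password(username, current_password, new_password):
    """Return the violated rules in a fixed order; [] means compliant."""
    violations = []
    if new_password == username:
        violations.append("same-as-username")
    if new_password == current_password:
        violations.append("same-as-current")
    if len(new_password) < MIN_LENGTH:
        violations.append("too-short")
    if len(character_classes(new_password)) < MIN_CLASSES:
        violations.append("too-few-classes")
    if new_password.lower() in FACTORY_DEFAULTS:
        violations.append("factory-default")
    return violations


def audit(planned):
    """Map each failing username to its violations.

    `planned` is an iterable of (username, current_password, new_password).
    """
    report = {}
    for username, current, new in planned:
        violations = check_password(username, current, new)
        if violations:
            report[username] = violations
    return report


# Constructed sample input: credentials planned for three access points.
PLANNED = [
    ("cisco", "cisco", "cisco"),
    ("lobby-ap", "cisco", "cisco123"),
    ("floor2-ap", "cisco", "Tr4il-Marker"),
]

if __name__ == "__main__":
    for user, problems in audit(PLANNED).items():
        print(user, "->", ", ".join(problems))
```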
TCP/UDP Service
The TCP/UDP Service table displays the protocols and services operating on the WAP.
• Service — The service name.
• Protocol — The underlying transport protocol that the service uses (TCP or UDP).
• Local IP Address — The local IP address of the connected device. All indicates that any IP address on
the device can use this service.
• Local Port — The local port number.
• Remote IP Address — The IP address of a remote host using this service. All indicates that the service
is available to all remote hosts that access the system.
• Remote Port — The port number of any remote device communicating with this service.
• Connection State — The state of the service. For UDP, only connections in the Active or Established
states appear in the table. The TCP states are:
• Listening — The service is listening for connection requests.
• Active — A connection session is established and the packets are being transmitted and received.
• Established — A connection session is established between the WAP device and a server or client.
• Time Wait — The closing sequence has been initiated and the WAP device is waiting for a
system-defined timeout period (typically 60 seconds) before closing the connection.
Note You can modify or rearrange the order on the TCP/UDP Service Table. Click Refresh to refresh the screen
and show the most current information.
You can also enter parameters related to Service, Protocol and other details to filter the TCP/UDP Services
displayed.
Click Back to return to the Getting Started page.
System Status
The System Status page displays the hardware model description, software version, and the various
configuration parameters such as:
• PID VID—The hardware model and version of the WAP device.
• Serial Number—The serial number of the WAP device.
• Host Name—The host name assigned to the WAP device.
• MAC Address—The MAC address of the WAP device.
• IPv4 Address —The IP address of the WAP device.
• IPv6 Address—The IPv6 address of the WAP device.
• If your model is WAP150, your Ethernet interface will be:
• LAN Port—Displays the status of Ethernet interface.
• Radio 1 (2.4GHz)—The 2.4GHz mode is enabled or disabled for the Radio 1 interface.
• Radio 2 (5GHz) —The 5GHz mode is enabled or disabled for the Radio 2 interface.
• Power Source—The system may be powered by a power adapter, or may be receiving power over
Ethernet (PoE) from a Power Sourcing Equipment (PSE).
• PSE Status (For WAP361 Only)
• Overload—Indicates that an attached Powered Device (PD) requires more power from the WAP device
than the configured allocation at any time while it is connected.
• Down—Indicates that no PD device is connected or there is a malfunction.
• Up—Indicates that the PSE is working normally in 802.3af mode.
• PSE Power Consumption (For WAP361 Only) —The power allocation for the connected PD device.
• System Uptime—The time elapsed since the last reboot.
• System Time—The current system time.
• Firmware Version (Active Image)—The firmware version of the active image.
• Firmware MD5 Checksum (Active Image)—The checksum for the active image.
• Firmware Version (Non-active)—The firmware version of the backup image.
• Firmware MD5 Checksum (Non-active)—The checksum for the backup image.
Quick Setup Wizard Using the Access Point Setup Wizard, on page 2
Access
Change Account Password Adding a User, on page 29
Configure Single Point Setup Configuring the WAP Device for Single Point Setup, on page
77
For additional information on the device, you can access the product support page or the Cisco Support
Community as follows:
• Click Support to access the product support page.
• Click Forums to access the Cisco Support Community page.
• Click More info on FindIT to see information on FindIT utility.
• Click Download FindIT to download the FindIT utility.
Window Navigation
Use the navigation buttons to move around the graphical user interface of the WAP.
Configuration Utility Header
The configuration utility header contains standard information and appears at the top of every page. The header
provides these buttons:
Button Name — Description
• (User) — The account name (Administrator or Guest) of the user logged into the WAP device. The
factory default username is cisco.
• (Language) — Hover the mouse pointer over the button, and select a language. The factory default language
is English.
• Click to show the context-sensitive online help. The online help is designed to be viewed with
browsers using UTF-8 encoding. If the online help shows errant characters, verify that the
encoding settings on your browser are set to UTF-8.
Navigation Pane
A navigation pane, or main menu, is located on the left of each page. The navigation pane lists the top-level
features of the WAP device. If an arrow appears after a main menu item, you can select it to expand and display
the submenu of that group. You can then select the desired submenu item to open the associated page.
Management Buttons
The following table describes the commonly used buttons that appear on various pages in the system:
Button Description
Name
CHAPTER 2
Administration
This chapter describes how to configure the Administration settings and perform the diagnostics. It contains
the following topics:
• Firmware, on page 11
• Reboot, on page 13
• Configuration Management, on page 13
Firmware
The WAP device maintains two firmware images. One image is active and the other is inactive. If the active
image fails to load during boot up, the inactive image is loaded and becomes the active image. You can also
swap the active and inactive images.
When new versions of the firmware become available, you can upgrade the firmware on your WAP device
to take advantage of new features and enhancements. The WAP device uses a TFTP or HTTP/HTTPS client
for firmware upgrades.
After you upload the new firmware and the system reboots, the newly added firmware becomes the primary
image. If the upgrade fails, the original firmware remains as the primary image.
Note When you upgrade the firmware, the WAP device retains the existing configuration settings.
Step 1 Select Administration > Firmware. The product ID (PID VID) and the active and inactive firmware versions are displayed.
Step 2 Click Swap Images. A dialog box appears confirming the firmware image switch and subsequent reboot.
Step 3 Click Yes to proceed.
The process may take several minutes, during which time the WAP device is unavailable. Do not power down the WAP
device while the image switch is in process. When the image switch is complete, the WAP device restarts. The WAP
device resumes normal operation with the same configuration settings it had before the upgrade.
HTTP/HTTPS Upgrade
To upgrade using HTTP/HTTPS:
Step 4 To verify that the firmware was upgraded successfully, log into the web-based Configuration Utility, open the Upgrade
Firmware page, and view the active firmware version.
TFTP Upgrade
To upgrade the firmware on the WAP device using TFTP:
Step 3 Enter the TFTP Server IPv4 Address and click Upgrade.
Uploading the new firmware may take several minutes. Do not refresh the page or navigate to another page while uploading
the new firmware, or the firmware upload is aborted. When the process is complete, the WAP device restarts and resumes
normal operation.
Step 4 To verify that the firmware upgrade completed successfully, log into the configuration utility, open the Upgrade Firmware
page, and view the active firmware version.
Reboot
Use the Reboot page to reboot the WAP device or reset the WAP device to its factory defaults. To reboot or
reset the WAP device do the following:
Schedule Reboot
To schedule a reboot on the WAP device, follow these steps:
Step 1 Check the Schedule Reboot check box to enable the schedule reboot function.
Step 2 There are two options to schedule a reboot.
• Date — Set the exact date and time at which to reboot the device.
• In — Set how long after the function is enabled the reboot occurs.
Note For the In option, the setting is not retained after the scheduled reboot. If the WAP is power-cycled before the
scheduled reboot, the scheduler still works as configured.
Configuration Management
The WAP device configuration files are in XML format and contain all the information about the WAP device
settings. You can back up (upload) the configuration files to a network host or TFTP server to manually edit
the content or create backups. After you edit a backed-up configuration file, you can upload it to the WAP
device to modify the configuration. The WAP device maintains these configuration files:
• Startup Configuration — The configuration file saved to the flash memory.
• Backup Configuration — An additional configuration file saved on the WAP device to use as a backup.
• Mirror Configuration — If the Startup Configuration is not modified for at least 24 hours, it is
automatically saved to a Mirror Configuration file. The Mirror Configuration file is a snapshot of the
past Startup Configuration. The Mirror Configuration is preserved across factory resets, so it can be used
to recover a system configuration after a factory reset by copying the Mirror Configuration to the Startup
Configuration.
Note In addition to downloading and uploading these files to another system, you can copy them to the different
file types on the WAP device.
Step 6 Click Apply to begin the backup. For HTTP/HTTPS backups, a window appears to enable you to browse to the desired
location for saving the file.
The filename cannot contain the following characters: spaces, <, >, |, \, :, (, ), &, ;, #, ?, *, and two or more successive
periods.
Step 5 Select Startup Configuration or Backup Configuration to replace the file with the downloaded file.
If the downloaded file overwrites the Startup Configuration file, and the file passes a validity check, then the downloaded
configuration takes effect the next time the WAP device reboots.
Step 6 Click Apply to begin the upgrade or backup. For HTTP/HTTPS downloads, a window appears to enable you to browse
to select the file to download.
Caution Ensure that the power to the WAP device remains uninterrupted while the configuration file is downloading.
If a power failure occurs while downloading the configuration file, the file is lost and the process must be
restarted.
Step 3 In the To field, select the file type to be replaced with the file that you are copying.
Step 4 Click Apply to begin the copy process.
CHAPTER 3
System Configuration
This chapter describes how to configure the global system settings and perform diagnostics. It contains the
following topics:
• LAN, on page 17
• Time, on page 23
• Notification, on page 25
• User Accounts, on page 29
• Management, on page 31
• Security, on page 39
LAN
This section describes the process to configure the port, VLAN, LLDP, IPv4, and IPv6 settings on the WAP
device.
IPv4 Configuration
Use the IPv4 Configuration section to configure the IPv4 address.
• Static IP Address, Subnet Mask, and Default Gateway—Enter the static IP address, subnet mask and default
gateway.
DHCP Auto Configuration Settings
The DHCP client automatically broadcasts requests for DHCP options 66 and 67. If DHCP and the DHCP Auto
Configuration Options are enabled, the access point is automatically configured during the next reboot using the
information received from the DHCP server in response to those requests.
Note A configuration upload operation by User/Cisco overrides the Auto Configuration, so that the chosen configuration
file is given preference. In all other cases of rebooting the AP, such as firmware upgrade or reboot operations,
the existing Auto Configuration settings are effective.
• TFTP Server IPv4 Address/Host Name—If you configure a TFTP server address, it is used if the file cannot be
retrieved from the other TFTP servers specified by the DHCP server during Auto Configuration.
Enter an IPv4 address or a hostname. If a hostname is entered, a DNS server must
be available to translate the hostname into an IP address.
The value is used during the Auto Configuration procedure at the next boot-up.
• Configuration File Name—If you specify the configuration file name, it is retrieved from the TFTP server
during Auto Configuration of the AP if the boot file name is not received from the DHCP server. If this
value is absent, config.xml is used. If specified, the file must have an xml extension.
The value is used during the Auto Configuration procedure at the next boot-up.
• Wait Interval—If configured, the access point comes up with the local configuration and makes enabled
services available to the user after the wait interval. The access point aborts Auto Configuration if the TFTP
transaction is not initiated within the specified interval. The default value is 3 minutes.
The value is used during the Auto Configuration procedure at the next boot-up.
• Status Log—This field displays the reason for Auto Configuration completion or abort.
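The lookup order described in this section, modelled as an added example (not Cisco firmware code or part of the original guide): given the option 66/67 values seen in a DHCP reply and the locally configured fallback, it lists which TFTP server and file the AP would try and flags servers that are not on an approved list. The function names, the approved-server list and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_FILE = "config.xml"  # per the guide, used when no file name is set


@dataclass
class Attempt:
    server: str     # TFTP server the AP would contact
    filename: str   # configuration file it would request
    source: str     # "dhcp" (option 66) or "local" (configured fallback)
    approved: bool  # whether the server is on the operator's approved list


def resolve_filename(opt67_bootfile, configured_name):
    """Pick the file name: DHCP boot file, else configured name, else default."""
    if opt67_bootfile:
        return opt67_bootfile
    if configured_name:
        # The guide requires an xml extension on a configured name.
        # Assumption: the extension check is case-insensitive.
        if not configured_name.lower().endswith(".xml"):
            raise ValueError("configured file name must have an xml extension")
        return configured_name
    return DEFAULT_FILE


def plan_fetches(opt66_servers, opt67_bootfile, configured_server,
                 configured_name, approved_servers):
    """List the TFTP attempts in the order the guide describes.

    Servers supplied by DHCP are tried first; the locally configured
    server is only the fallback when those fail.
    """
    filename = resolve_filename(opt67_bootfile, configured_name)
    attempts = [
        Attempt(server, filename, "dhcp", server in approved_servers)
        for server in opt66_servers
    ]
    if configured_server and configured_server not in opt66_servers:
        attempts.append(Attempt(configured_server, filename, "local",
                                configured_server in approved_servers))
    return attempts


def unapproved(attempts):
    """Return the servers in the plan that are not on the approved list."""
    return [a.server for a in attempts if not a.approved]


# Constructed sample input (documentation-range addresses, RFC 5737).
APPROVED = {"192.0.2.20"}
OBSERVED_OPT66 = ["192.0.2.66"]   # TFTP server named in a DHCP reply
OBSERVED_OPT67 = "branch.xml"     # boot file named in the same reply

if __name__ == "__main__":
    plan = plan_fetches(OBSERVED_OPT66, OBSERVED_OPT67,
                        "192.0.2.20", "site.xml", APPROVED)
    for step in plan:
        flag = "ok" if step.approved else "NOT APPROVED"
        print(f"{step.source:5} tftp://{step.server}/{step.filename} [{flag}]")
```

Because the DHCP-supplied values take precedence over the local fallback, the check is most useful when run against replies captured on the AP's management VLAN.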
IPv6 Configuration
Use the IPv6 Configuration section to configure the IPv6 address by performing the following steps:
• IPv6 Autoconfigured Global Addresses — Lists the IPv6 addresses which have been automatically assigned to
the device.
• IPv6 Link Local Address — The IPv6 address used by the local physical link. The link local address is not
configurable and is assigned by using the IPv6 Neighbor Discovery process.
• Default IPv6 Gateway —The statically configured default IPv6 gateway.
• IPv6 Domain Name Servers — Select one of the following options:
• Dynamic — The DNS servers are recognized dynamically through the DHCPv6.
Port Settings
Use the Port Settings Table to view and configure the settings for the port that connects the WAP device to
a LAN.
Step 2 Jumbo Frames (For WAP361 Only) — When enabled, the port supports packet length of up to 9720 bytes. Otherwise,
the port supports packet length up to 2000 bytes. The Jumbo Frame is supported only when link speed is in 1000 Mbps
mode. Since the wireless interface does not support Jumbo Frames, it only works to forward packets between Ethernet
(LAN0 to LAN4) ports. For this reason, it is recommended to disable it.
Step 3 CoS (port VLAN priority, 802.1p Class of Service, For WAP361 Only)—Assigns the 802.1p class of service (CoS)
when the port receives an untagged packet.
Step 4 Click Apply.
VLANs Setting
Use the VLAN Configuration page to view and configure the VLANs settings.
Step 3 Click Apply. The changes are saved to the Startup Configuration.
Neighbor Discover
Bonjour enables the WAP device and its services to be discovered by using multicast DNS (mDNS). Bonjour
advertises services to the network and answers queries for the service types that it supports, simplifying
network configuration in your environments.
The WAP device advertises these service types:
• Cisco-specific device description (csco-sb) — This service enables clients to discover the Cisco WAP
devices and other products deployed in your networks.
• Management user interfaces — This service identifies the management interfaces available on the
WAP device (HTTP and SNMP).
When a Bonjour-enabled WAP device is attached to a network, any Bonjour client can discover and get access
to the configuration utility without prior configuration.
A system administrator can use an installed Internet browser plug-in to discover the WAP device. The
web-based Configuration Utility shows up as a tab in the browser.
Note The system administrator can view the Bonjour-enabled WAPs using the latest Internet Explorer plug-in
(Cisco Business Dashboard tool). All WAP devices present in a cluster are shown under the cluster name
after the Bonjour discovery process. The administrator should ensure that the name of the cluster is unique
within a network.
LLDP
The Link Layer Discovery Protocol (LLDP) is defined by the IEEE 802.1AB standard and allows the UAP
to advertise its system name, system capabilities, and power requirements. This information can help to identify
system topology and detect bad configurations on the LAN. The AP also supports the Link Layer Discovery
Protocol for the Media Endpoint Devices (LLDP-MED), which standardizes additional information elements
that devices can pass to each other to improve network management.
Step 1 To configure the LLDP settings, select LAN > More > LLDP.
Step 2 Configure the following parameters:
• LLDP Mode — Check Enable to enable the LLDP. Once enabled, the AP transmits LLDP Protocol Data Units to
the neighbor devices. By default, this mode is enabled.
• TX Interval — The number of seconds between LLDP message transmissions. The valid range is 5 to 32768
seconds. The default value is 30 seconds.
• POE Priority — Select the priority level from the drop-down list (Critical, High, Low or Unknown). The PoE
priority helps the Power Sourcing Equipment (PSE) determine which powered devices should be given priority in
power allocation when the PSE doesn't have enough capacity to supply power to all connected devices.
IPv6 Tunnel
The WAP device supports the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). ISATAP
enables the WAP device to transmit IPv6 packets encapsulated within IPv4 packets over the LAN. The
protocol enables the WAP device to communicate with remote IPv6-capable hosts even when the LAN that
connects them does not support IPv6.
The WAP device acts as an ISATAP client. An ISATAP-enabled host or router must reside on the LAN. The
IP address or host name of the router is configured on the WAP device (by default, it is ISATAP). If configured
as a host name, the WAP device communicates with a DNS server to resolve the name into one or more
ISATAP router addresses. The WAP device then sends solicit messages to the routers. When an
ISATAP-enabled router replies with an advertisement message, the WAP device and the router establish the
tunnel. The tunnel interface is assigned a link-local and a global IPv6 address, which serve as virtual IPv6
interfaces on the IPv4 network.
When IPv6 hosts initiate the communication with the WAP device connected through the ISATAP router,
the IPv6 packets are encapsulated into IPv4 packets by the ISATAP router.
1. ISATAP Status — Check Enable to enable ISATAP on the device. By default, this option is enabled.
2. ISATAP Capable Host — Enter the IP address or DNS name of the ISATAP router. The default value
is isatap.
3. ISATAP Query Interval — Enter how often the WAP device should send queries to the DNS server to
attempt to resolve the ISATAP host name into an IP address. The valid range is 120 to 3600 seconds. The
default value is 120 seconds.
4. ISATAP Solicitation Interval — Enter how often the WAP device should send the router solicitation
messages to the ISATAP routers. The WAP device sends the router solicitation messages only when there
is no active ISATAP router. The valid range is 120 to 3600 seconds. The default value is 120 seconds.
5. ISATAP IPv6 Link Local Address— The IPv6 address used by the local physical link. The link local
address is not configurable and is assigned by using the IPv6 Neighbor Discovery process.
6. ISATAP IPv6 Global Address— If the WAP device has been assigned one or more IPv6 addresses
automatically, the addresses are listed.
Note When the tunnel is established, the ISATAP IPv6 Link Local Address and ISATAP IPv6 Global Address
fields appear on the page. These are the virtual IPv6 interface addresses.
7. Click Apply.
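The tunnel addresses described in this section can be recognized by their interface identifier. The following Python sketch is an added example, not part of the Cisco guide: it uses the ISATAP interface identifier format from RFC 5214 (which the guide does not spell out) to build the link-local address for a given IPv4 address and to pick ISATAP addresses out of a list of observed IPv6 addresses. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214): 0000:5EFE, or
# 0200:5EFE when the embedded IPv4 address is known to be globally unique.
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)
LINK_LOCAL_PREFIX = int(ipaddress.IPv6Address("fe80::"))


def isatap_link_local(ipv4_text, globally_unique=False):
    """Build the ISATAP link-local IPv6 address that embeds ipv4_text."""
    v4 = int(ipaddress.IPv4Address(ipv4_text))
    marker = ISATAP_MARKERS[1] if globally_unique else ISATAP_MARKERS[0]
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | (marker << 32) | v4)


def embedded_ipv4(ipv6_text):
    """Return the IPv4 address inside an ISATAP address, or None if it is not one."""
    value = int(ipaddress.IPv6Address(ipv6_text))
    if (value >> 32) & 0xFFFFFFFF in ISATAP_MARKERS:
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return None


def find_isatap_addresses(addresses):
    """Map every ISATAP address in the input to the IPv4 endpoint it tunnels to."""
    found = {}
    for text in addresses:
        v4 = embedded_ipv4(text)
        if v4 is not None:
            found[text] = str(v4)
    return found


# Constructed sample: IPv6 addresses as they might appear in a neighbor table.
OBSERVED = [
    "fe80::5efe:c000:20a",           # ISATAP link-local, embeds 192.0.2.10
    "2001:db8::200:5efe:c633:6407",  # ISATAP global, embeds 198.51.100.7
    "fe80::1",                       # ordinary link-local address
    "2001:db8::1",                   # ordinary global address
]

if __name__ == "__main__":
    print(isatap_link_local("192.0.2.10"))
    for v6, v4 in find_isatap_addresses(OBSERVED).items():
        print(f"{v6} tunnels over IPv4 endpoint {v4}")
```

Because ISATAP is enabled by default and the router name is resolved through DNS, a listing like this helps confirm that tunnels on the LAN terminate only at the ISATAP router you intended.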
Time
A system clock provides a network-synchronized time-stamping service for the message logs. The system
clock can be configured manually or as a Network Time Protocol (NTP) client that obtains the clock data
from a server.
Use the Time Settings page to configure the system time manually or from a preconfigured NTP server. By
default, the WAP device is configured to obtain its time from a predefined list of NTP servers.
The current system time appears at the top of the page, along with the System Clock Source option.
Automatically Acquiring the Time Settings through NTP
Step 4 Click Apply. The changes are saved to the Startup Configuration.
• Daylight Saving Offset — Specify the number of minutes to move the clock forward when daylight savings
time begins and backward when it ends.
Step 5 Click Apply. The changes are saved to the Startup Configuration.
Note Click Sync Time with PC to set the system time of the device to the same time as the PC.
Notification
This section details the process to enable and configure notifications for the access point.
LED Display
The WAP device has two types of LEDs: System LED and Ethernet LED. Use the LED Display page to
configure all LEDs.
To configure the LED Display, do the following:
Log Settings
Use the Log Settings page to enable log messages to be saved in permanent memory. You can also send logs
to a remote host.
If the system unexpectedly reboots, the log messages can be useful to diagnose the cause. However, log
messages are erased when the system reboots unless you enable persistent logging.
Caution Enabling persistent logging can wear out the flash (nonvolatile) memory and degrade network performance.
Only enable persistent logging to debug a problem. Make sure that you disable persistent logging after you
finish debugging the problem.
Remote Log Server Table
Using the default port is recommended. If you reconfigure the log port, make sure that the port number that you
assign to syslog is available for use.
Step 3 Click Apply. The changes are saved to the Startup Configuration.
Note If you enable a remote log server, clicking Apply activates the remote logging. The WAP device sends its
kernel messages in real-time for display to the remote log server monitor, a specified kernel log file, or other
storage, depending on your configuration.
If you disabled a remote log server, click Apply to disable remote logging.
Email Alert/ Mail Server/ Message Configuration
Tip Do not use your personal email address. This would unnecessarily expose your personal email login credentials.
Use a separate email account instead. Also, be aware that many email accounts keep a copy of all sent messages
by default. Anyone with access to this email account has access to the sent messages. Review the email settings
to ensure that they conform to your privacy policy.
To configure the WAP device to send email alerts, perform the following steps:
Step 4 In the Message Configuration area, configure the email addresses and subject line:
• To Email Address 1/2/3 — Enter up to three addresses to receive the email alerts. Each email address must be a
valid address.
• Email Subject — Enter the text to appear in the email subject line. This can be up to a 255-character alphanumeric
string.
Email Alert Examples
Yahoo! Mail
Yahoo requires using a paid account for this type of service. Yahoo
recommends the following settings:
Data Encryption: TLSv1
SMTP Server: plus.smtp.mail.yahoo.com
SMTP Port: 465 or 587
Username: Your email address, without the domain name such as myName (without
@yahoo.com)
Password: Your Yahoo account password
User Accounts
One management user is configured on the WAP device by default:
• User Name: cisco
• Password: cisco
Use the User Accounts page to configure up to four additional users and change the user password.
Adding a User
Configure the following settings to add a new user:
Changing a User Password
Step 4 Click Apply. The changes are saved to the Startup Configuration.
Note If you change your password, you must log in again to the system.
Management
This section describes how to configure the management settings on the WAP device.
Management
Use the Management section to configure the information that identifies the WAP device within the network.
To configure the system settings:
Step 1 Select Management > Management and configure the following parameters:
• Host Name — Enter the host name for the WAP device. By default, the name is the fully qualified domain name
(FQDN) of the node. The default host name is wap concatenated with the last 6 hexadecimal digits of the MAC
address of the WAP device. The host name label can contain only letters, digits, and hyphens. It cannot begin or
end with a hyphen. No other symbols, punctuation characters, or blank spaces are permitted. The host name can be
1 to 63 characters long.
• System Contact — Enter the contact person for the WAP device. The system contact can be 0 to 255 characters
long and can include spaces and special characters.
• System Location — Enter the physical location of the WAP device. The system location can be 0 to 255 characters
long and can include spaces and special characters.
Step 2 Click Apply. The changes are saved to the Startup Configuration.
• HTTPS Service — Enable or disable access through secure HTTP (HTTPS). By default, HTTPS access is enabled.
If you disable it, any current connections using that protocol are disconnected.
• HTTPS Port — Enter the logical port number to use for the HTTPS connections, from 1025 to 65535. The
default port number for the HTTPS connections is the IANA port number 443.
• TLSv1.0, TLSv1.1, SSLv3 — Check or uncheck each checkbox to enable or disable that protocol for the HTTPS
Service.
• Management ACL Mode — If the Mode is enabled, access through the web and SNMP is restricted to the specified
IP hosts. You can configure up to 5 IPv4 and 5 IPv6 addresses under the Management Access Control. If this
feature is disabled, anyone can access the configuration utility from any network client by supplying the correct user
name and password of the WAP device.
Note Verify any IP address that you enter. If you enter an IP address that does not match your administrative
computer, you will lose access to the configuration interface. We recommend that you give the administrative
computer a static IP address, so the address does not change over time.
SSL Certificate File Status
If an SSL certificate (with a .pem extension) exists on the WAP device, you can download it to your computer
as a backup. In the Transfer SSL Certificate from (Device to PC) area, select HTTP/HTTPS or TFTP as
the download option and click Transfer.
• If you select HTTP/HTTPS, confirm the download and then browse to the location to save the file on
your network.
• If you select TFTP, enter a file name to assign to the download file, and enter the TFTP server IPv4
address where the file will be downloaded.
You can also upload a certificate file (with a .pem extension) from your computer to the WAP device. In the
Transfer SSL Certificate from (PC to Device) area, select HTTP/HTTPS or TFTP as the upload option
and click Transfer.
• For HTTP/HTTPS, browse to the network location, select the file, and click Transfer.
• For TFTP, enter the file name and the TFTP Server IPv4 Address, then click Transfer. The filename
cannot contain the following characters: spaces, <, >, |, \, :, (, ), &, ;, #, ?, *, and two or more
successive periods.
SNMP / SNMPv2c Settings
• User Defined — The set of user defined SNMP requests that are permitted.
• NMS IPv4 Address/Name — Enter the IPv4 IP address, DNS host name, or subnet of the network management
system (NMS).
A DNS host name can consist of one or more labels, which are sets of up to 63 alphanumeric characters. If a host
name includes multiple labels, each is separated by a period (.). The entire series of labels and periods can be up to
253 characters long.
As with community names, this setting provides a level of security on the SNMP settings. The SNMP agent only
accepts the requests from the IP address, host name, or subnet specified here.
To specify a subnet, enter one or more subnetwork address ranges in the form address/mask length where the address
is an IP address and mask length is the number of mask bits. Both formats address/mask and address/mask length
are supported. For example, if you enter a range of 192.168.1.0/24, this specifies a subnetwork with address
192.168.1.0 and a subnet mask of 255.255.255.0.
• NMS IPv6 Address/Name — The IPv6 address, DNS host name, or subnet of the devices that can execute, get,
and set requests to the managed devices. The IPv6 address should be in a form similar to
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (2001:DB8::CAD5:7D91).
Note A host name can consist of one or more labels, which are sets of up to 63 alphanumeric characters. If a host
name includes multiple labels, each is separated by a period (.). The entire series of labels and periods can be
up to 253 characters long.
Step 5 In the SNMPv2c Trap Settings area, configure the SNMPv2c trap settings:
• Trap Community — Enter a global community string associated with SNMP traps. Traps sent from the device
provide this string as a community name. The valid range is from 1 to 60 alphanumeric and special characters.
• Trap Destination Table — Enter a list of up to three IP addresses or host names to receive the SNMP traps. Check
the box and choose a Host IP Address Type (IPv4 or IPv6) before adding the Host Name/IP Address.
An example of a DNS host name is snmptraps.foo.com. Because the SNMP traps are sent randomly from the SNMP
agent, it makes sense to specify where exactly the traps should be sent. You can have a maximum of three DNS host
names. Ensure that you check Enabled and select the appropriate Host IP Address Type.
SNMPv3 Views
An SNMP MIB view is a family of view subtrees in the MIB hierarchy. A view subtree is identified by the
pairing of an Object Identifier (OID) subtree value with a bit string mask value. Each MIB view is defined
by two sets of view subtrees, included in or excluded from the MIB view. You can create MIB views to control
the OID range that SNMPv3 users can access.
The WAP device supports a maximum of 16 views.
This section summarizes the critical guidelines for the SNMPv3 view configuration. Please read all the notes
before proceeding.
Note A MIB view called all is created by default in the system. This view contains all management objects supported
by the system.
Note By default, view-all and view-none SNMPv3 views are created on the WAP device. These views cannot be
deleted or modified.
A family mask is used to define a family of view subtrees. The family mask indicates which sub-identifiers of the associated
family OID string are significant to the family's definition. A family of view subtrees enables efficient access control to
one row in a table.
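How a family mask restricts a view to one table row is easiest to see in code. The following Python sketch is an added example, not Cisco's implementation: it applies the view-matching rules of RFC 3415 (VACM), in which a 0 bit in the mask makes the corresponding sub-identifier a wildcard and the matching entry with the longest subtree decides inclusion. The sample view, the hex mask syntax accepted here and the function names are assumptions for illustration; the OIDs are standard MIB-II objects.

```python
def parse_oid(text):
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(hex_mask):
    """Expand a hex family mask ('ff:a0' or 'ff.a0') into bits, most significant first."""
    raw = bytes.fromhex(hex_mask.replace(":", "").replace(".", ""))
    return [(octet >> shift) & 1 for octet in raw for shift in range(7, -1, -1)]


def in_family(oid, subtree, mask_bits):
    """True if oid belongs to the family defined by subtree and mask.

    A mask bit of 1 means the sub-identifier must match exactly, 0 means any
    value is accepted. A mask shorter than the subtree is extended with 1s, so
    an empty mask selects the plain subtree.
    """
    if len(oid) < len(subtree):
        return False
    for i, sub_id in enumerate(subtree):
        significant = mask_bits[i] if i < len(mask_bits) else 1
        if significant and oid[i] != sub_id:
            return False
    return True


def view_allows(oid_text, view):
    """Decide whether a view (list of (type, subtree, mask) entries) exposes an OID."""
    oid = parse_oid(oid_text)
    best = None
    for kind, subtree_text, hex_mask in view:
        subtree = parse_oid(subtree_text)
        if in_family(oid, subtree, parse_mask(hex_mask)):
            # Longest subtree wins; ties go to the lexicographically greater one.
            rank = (len(subtree), subtree)
            if best is None or rank > best[0]:
                best = (rank, kind)
    return best is not None and best[1] == "included"


# Constructed sample view: the system group without sysLocation, plus every
# column of the ifTable row with ifIndex 2 and nothing from other rows.
SAMPLE_VIEW = [
    ("included", "1.3.6.1.2.1.1", ""),         # system group
    ("excluded", "1.3.6.1.2.1.1.6", ""),       # sysLocation
    # ifEntry.<any column>.2 : bit 10 (the column) is 0, bits 1-9 and 11 are 1
    ("included", "1.3.6.1.2.1.2.2.1.0.2", "ff:a0"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.6.0",
                "1.3.6.1.2.1.2.2.1.10.2", "1.3.6.1.2.1.2.2.1.10.3"):
        print(oid, "allowed" if view_allows(oid, SAMPLE_VIEW) else "denied")
```

Running a planned view through a check like this before assigning it to a group shows exactly which objects an SNMPv3 user will be able to read or write.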
SNMPv3 Groups
The SNMPv3 groups allow you to combine users into groups of different authorization and access privileges.
Each group is associated with one of three security levels:
• noAuthNoPriv
• authNoPriv
• authPriv
Access to MIBs for each group is controlled by associating a MIB view to a group for read or write access,
separately.
By default, the WAP device has two groups:
• RO — A read-only group using authentication and data encryption. Users in this group use an SHA key or
password for authentication and a DES key for encryption. The SHA and DES keys or passwords must be
defined. By default, users of this group have read access to the default all MIB view.
• RW — A read/write group using authentication and data encryption. Users in this group use an SHA key
or password for authentication and a DES key for encryption. The SHA and DES keys or passwords
must be defined. By default, users of this group have read and write access to the default all MIB view.
Note The default groups RO and RW cannot be deleted. The WAP device supports a maximum of eight groups.
To add and configure the SNMP group, perform the following steps:
• Write Views — Choose the write access for the group's MIBs from one of the following options:
• view-all — The group can create, alter, and delete MIBs.
• view-none — The group cannot create, alter, or delete MIBs.
• Read Views — Choose the read access to MIBs for the group, from one of the following options:
• view-all — The group is allowed to view and read all MIBs.
• view-none — The group cannot view or read MIBs.
Step 4 Click Apply to add the group to the SNMPv3 Groups list.
Note To delete a group, check the group in the list and click Delete. To edit a group, check the group in the list and
click Edit.
SNMPv3 Users
Use the SNMP Users table to define users, associate a security level to each user, and configure the security
keys per user.
Each user is mapped to an SNMPv3 group, either from the predefined or user-defined groups, and, optionally,
is configured for authentication and encryption. For authentication, only SHA is supported. For encryption,
only the DES type is supported. There are no default SNMPv3 users on the WAP device, and you can add up
to eight users.
To add SNMP users, follow these steps:
• Authentication Pass Phrase — If you specify SHA as the authentication type, enter the pass phrase to enable the
SNMP agent to authenticate the requests sent by the user. The pass phrase must be between 8 and 32 characters in
length.
• Encryption Type — Choose the encryption/privacy type applied to the user's SNMP requests from the following
options:
• DES — Uses DES encryption on the SNMPv3 requests from the user.
• None—SNMPv3 requests from this user require no privacy.
• Encryption Pass Phrase — If you specify DES as the encryption type, enter the pass phrase used to encrypt the
SNMP requests. The pass phrase must be between 8 and 32 characters in length.
Step 4 Click Apply. The user is added to the SNMPv3 Users list and your changes are saved to the Startup Configuration.
Note To remove a user, select the user in the list and click Delete. To edit a user, select the user in the list and click
Edit.
SNMPv3 Targets
The SNMPv3 targets send SNMP notifications using Inform messages to the SNMP manager. For SNMPv3
targets, only the Informs are sent, not traps. For SNMP versions 1 and 2, the traps are sent. Each target is
defined with a target IP address, UDP port, and SNMPv3 user name.
Note The SNMPv3 user configuration should be completed before configuring the SNMPv3 targets. For more
details, refer to SNMPv3 Users, on page 37.
The WAP device supports a maximum of eight targets.
Step 4 Click Apply. The user is added to the SNMPv3 Targets list and your changes are saved to the Startup Configuration.
Note To remove an SNMP target, select the user in the list and click Delete. To edit an SNMP target, select the user
in the list and click Edit.
Option Description
• Static: Select and specify values in the IP/FQDN and Port fields. Select the required
certificate from the CA Certificate drop-down list. The default port number is 443.
Security
This section describes how to configure the security settings on the WAP device.
Radius Server
Several features require communication with a RADIUS authentication server. For example, when you
configure Virtual Access Points (VAPs) on the AP, you can configure security methods that control wireless
client access. For more details, see Radio, on page 47. The WPA Enterprise security methods use an external
RADIUS server to authenticate clients. The MAC address filtering feature, where client access is restricted
to a list, may also be configured to use a RADIUS server to control access. The Captive Portal feature also
uses RADIUS to authenticate clients.
You can use the Radius Server page to configure the RADIUS servers that are used by these features. You
can configure up to two globally available IPv4 or IPv6 RADIUS servers; however, you must select whether
the RADIUS client operates in IPv4 or IPv6 mode with respect to the global servers. One of the servers always
acts as a primary while the others act as backup servers.
Note In addition to using the global RADIUS servers, you can also configure each VAP to use a specific set of
RADIUS servers. For more details, see Networks, on page 52.
• Server IP Address-2 or Server IPv6 Address-2 —Enter the addresses for the backup IPv4 or IPv6 RADIUS
servers. If authentication fails with the primary server, the configured backup server is tried.
• Key-1—Enter the shared secret key that the WAP device uses to authenticate to the primary RADIUS server. You
can use from 1 to 64 standard alphanumeric and special characters. The key is case sensitive and must match the
key configured on the RADIUS server. The text that you enter appears as asterisks.
• Key-2 —Enter the RADIUS key associated with the configured backup RADIUS servers. The server at Server IP
(IPv6) Address 2 uses Key 2.
• Enable RADIUS Accounting—Enables tracking and measuring of the resources that a particular user has consumed,
such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is
enabled for the primary RADIUS server and all backup servers.
802.1x
The IEEE 802.1X authentication enables the WAP device to gain access to a secured wired network. You can
enable the WAP device as an 802.1X supplicant (client) on the wired network. A user name and password
with the MD5 algorithm encryption can be configured to allow the WAP device to authenticate using 802.1X.
On the networks that use IEEE 802.1X port-based network access control, a supplicant cannot gain access to
the network until the 802.1X authenticator grants access. If your network uses 802.1X, you must configure
802.1X authentication information on the WAP device, so that it can supply it to the authenticator.
Step 4 In the Certificate File Upload area, you can upload a certificate file to the WAP device:
a) Choose either HTTP or TFTP as the transfer method.
b) If you selected HTTP, click Browse to select the file. See Connect Session Settings/HTTP/HTTPS Service for more
information on configuring the HTTP server settings.
c) If you selected TFTP, enter the Filename and the TFTP Server IPv4 Address.
d) Click Upload. A confirmation window appears, followed by a progress bar to indicate the status of the upload.
Step 5 Click Apply.
Configuring 802.1x for WAP361
Step 5 In the Certificate File Upload area, you can upload a certificate file to the WAP device:
a) Choose either HTTP or TFTP as the transfer method.
b) If you selected HTTP, click Browse to select the file. See Connect Session Settings/HTTP/HTTPS Service for more
information on configuring the HTTP server settings.
c) If you selected TFTP, enter the Filename and the TFTP Server IPv4 Address.
d) Click Upload. A confirmation window appears, followed by a progress bar to indicate the status of the upload.
e) Click OK to save and close the dialogue.
Step 6 To configure using the 802.1x Authenticator functionality, do the following:
a) Click More and use the following parameters as required:
• Use Global RADIUS Server Settings—By default, each Ethernet port uses the global RADIUS settings that
you define for the WAP device (see RADIUS Server). However, you can configure each port to use a different
set of RADIUS servers.
• Server IP Address Type—The IP version that the RADIUS server uses. You can toggle between the address
types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS
server or servers for the address type you select in this field.
• Server IP Address-1—The address for the primary RADIUS server for this Ethernet port.
When the first PC plugs in and tries to authenticate with the WAP device, the WAP device sends an authentication
request to the primary server. If the primary server responds to the authentication request, the WAP device
continues to use this RADIUS server as the primary server, and authentication requests are sent to the address
you specify.
The IPv4 address should be in a form similar to xxx.xxx.xxx.xxx (192.0.2.10). The IPv6 address should be in
a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (2001:DB8::CAD5:7D91).
• Server IP Address-2—The address for the backup RADIUS server for this Ethernet port. If authentication fails
with the primary server, each configured backup server is tried in sequence.
• Key-1—The shared secret key that the WAP device uses to authenticate to the primary RADIUS server. You
can use up to 63 standard alphanumeric and special characters. The key is case sensitive and must match the
key configured on the RADIUS server.
• Key-2—The shared secret key that the WAP device uses to authenticate to the backup RADIUS server.
• Enable RADIUS Accounting—Enables tracking and measuring of the resources a particular user has consumed,
such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it
is enabled for the primary RADIUS server and all backup servers.
• Active Server —Enables administratively selecting the active RADIUS server, rather than having the WAP
device attempt to contact each configured server in sequence and choose the first server that is up.
• Periodic Re-authentication—Enables EAP re-authentication.
• Re-authentication Period — Enter the EAP re-authentication period in seconds. The default is 3600. The valid
range is from 300 to 4294967295 seconds.
• Click OK to save and close the dialogue.
Rogue AP Detection
A Rogue AP is an access point that has been installed on a secure network without explicit authorization from
a system administrator. The rogue AP poses a security threat because anyone with access to the premises can
unknowingly or maliciously install an inexpensive wireless WAP device that can potentially allow unauthorized
parties to access the network.
The WAP device performs an RF scan on all channels to detect all APs in the vicinity of the network. If rogue
APs are detected, they are shown on the Rogue AP Detection page. If an AP listed as a rogue is legitimate, it
can be added to the Known AP List.
Note The Detected Rogue AP List and Trusted AP List are informational only. The AP does not have any control
over the APs on the list and cannot apply any security policies to APs detected through the RF scan.
When the Rogue AP detection is enabled, the radio periodically switches from its operating channel to scan
other channels within the same band.
Viewing the Rogue AP List
• SSID — The Service Set Identifier (SSID) for the WAP device.
• Privacy — Indicates whether there is any security on the rogue device. The options are:
• Off — Security mode is off (no security).
• On — Security mode is on.
• WPA — Shows whether the WPA security is on or off for the rogue AP.
• Band — The IEEE 802.11 mode being used on the rogue AP, such as IEEE 802.11a, IEEE 802.11b, IEEE 802.11g,
IEEE 802.11n, and IEEE 802.11ac.
The number shown indicates the mode:
• 2.4 indicates IEEE 802.11b, 802.11g, or 802.11n mode (or a combination of the modes).
• 5 indicates IEEE 802.11a, 802.11n, or 802.11ac mode (or a combination of the modes).
Step 4 Check the AP in the list, then click Move to Trusted AP List to move the AP to the Trusted AP List. If the AP
is in the Trusted AP List, click Move to Rogue AP List to move the AP to the Detected Rogue AP List.
Step 5 Click Refresh to refresh the screen and display the most current information.
Saving the Trusted AP List
Step 1 Select Security and click View Rogue AP List... in the Rogue AP Detection section. The Rogue AP Detection page
is displayed.
Step 2 In the Detected Rogue AP List, click Move to Trusted AP List for the APs that are known to you. The trusted APs
move to the Trusted AP List.
Step 3 In the Download/Backup Trusted AP List area, click Backup (AP to PC).
Step 4 Click Apply.
The list contains the MAC addresses of all APs that have been added to the Trusted AP List. By default, the filename
is Rogue1.cfg. You can use a text editor or web browser to open the file and view its contents.
Step 3 In the Source File Name field, click Browse to choose the file to import.
The imported file must be a plain-text file with a .txt or .cfg extension. Entries in the file are MAC addresses in hexadecimal
format with each octet separated by colons, for example, 00:11:22:33:44:55. You must separate entries with a single
space. For the AP to accept the file, it must contain only MAC addresses.
Step 4 In the File Management Destination field, choose whether to replace the existing Trusted AP List or add the entries
in the imported file to the Trusted AP List. The options are:
• Replace — Imports the list and replaces the contents of the Trusted AP List.
• Merge — Imports the list and adds the APs in the imported file to the APs currently shown in the Trusted AP List.
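The import rules above can be checked on a workstation before a file is uploaded. The following is an added example, not Cisco code: it validates a file against the documented format and previews what Replace or Merge would change in the Trusted AP List. The function names, the sample MAC addresses, and the tolerance for one trailing newline are assumptions.

```python
import re

# One entry: six hexadecimal octets separated by colons, e.g. 00:11:22:33:44:55.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")
ALLOWED_EXTENSIONS = (".txt", ".cfg")


def validate_trusted_ap_file(filename, text):
    """Check an import file against the documented format.

    Returns (macs, errors): the lowercase, de-duplicated MAC addresses in
    file order, and a list of problems (empty when the file is acceptable).
    """
    errors = []
    if not filename.lower().endswith(ALLOWED_EXTENSIONS):
        errors.append("file extension must be .txt or .cfg")
    # Assumption: a single trailing newline added by an editor is harmless.
    body = text[:-1] if text.endswith("\n") else text
    if not body:
        return [], errors + ["file contains no entries"]
    macs = []
    for position, entry in enumerate(body.split(" "), start=1):
        if entry == "":
            errors.append(f"entry {position}: empty (entries must be separated by a single space)")
        elif not MAC_RE.fullmatch(entry):
            errors.append(f"entry {position}: {entry!r} is not a colon-separated MAC address")
        elif entry.lower() not in macs:
            macs.append(entry.lower())
    return macs, errors


def plan_import(current, imported, mode):
    """Preview what Replace or Merge would do to the Trusted AP List.

    Returns (result, added, removed). 'added' are APs that would newly be
    treated as trusted; 'removed' are APs that would lose trusted status.
    """
    current = [mac.lower() for mac in current]
    added = [mac for mac in imported if mac not in current]
    if mode == "Replace":
        removed = [mac for mac in current if mac not in imported]
        return list(imported), added, removed
    if mode == "Merge":
        return current + added, added, []
    raise ValueError("mode must be 'Replace' or 'Merge'")


# Constructed sample data, not taken from a real device.
CURRENT_TRUSTED = ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:02"]
GOOD_FILE = "00:11:22:33:44:55 AA:BB:CC:DD:EE:01\n"
BAD_FILE = "00:11:22:33:44:55  00-11-22-33-44-66"   # double space, dash separators

if __name__ == "__main__":
    macs, errors = validate_trusted_ap_file("Rogue1.cfg", GOOD_FILE)
    print("valid entries:", macs, "errors:", errors)
    for mode in ("Merge", "Replace"):
        result, added, removed = plan_import(CURRENT_TRUSTED, macs, mode)
        print(mode, "-> newly trusted:", added, "no longer trusted:", removed)
    print(validate_trusted_ap_file("list.csv", BAD_FILE)[1])
```

Reviewing the "newly trusted" list before clicking Apply matters because every MAC address in the Trusted AP List is an AP the administrator has declared known.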
Step 4 Click Apply. The changes are saved to the Startup Configuration.
Note When the Password Aging Time is up, you will be required to access the Changing Password page.
CHAPTER 4
Wireless
This chapter describes how to configure the wireless radio properties. It includes the following topics:
• Radio
• Networks
• Client Filter
• Scheduler
• QoS
Radio
The radio is the physical part of the WAP that creates a wireless network. The radio settings on the WAP
control the behavior of the radio and determine what kind of wireless signals the WAP emits.
To configure the wireless radio settings:
Step 3 In the radio setting per interface area, select the radio interface to which the configuration parameters will be applied.
Step 4 In the Basic Settings area, configure these parameters for the selected radio interface:
Note Local regulations may prohibit the use of certain radio modes. Not all modes are available in all countries.
• 2.4 GHz 802.11n — 802.11n clients operating in the 2.4-GHz frequency can connect to the WAP device.
• Wireless Band Selection (802.11n and 802.11ac modes only) — The 802.11n specification allows a coexisting
20/40 MHz band in addition to the legacy 20 MHz band available with other modes. The 20/40 MHz band enables
higher data rates but leaves fewer bands available for use by other 2.4 GHz and 5 GHz devices.
The 802.11ac specification allows an 80 MHz-wide band in addition to the 20 MHz and 40 MHz band.
Set the field to 20 MHz to restrict the use of the wireless band selection to a 20 MHz band. For the 802.11ac mode,
set the field to 40 MHz to prevent the radio from using the 80 MHz wireless band selection.
• Primary Channel (802.11n modes with 20/40 MHz bandwidth only) — A 40 MHz channel can be considered
to consist of two 20-MHz channels that are contiguous in the frequency domain. These two 20-MHz channels are
often referred to as the primary and secondary channels. The primary channel is used for 802.11n clients that support
only a 20-MHz channel bandwidth and for legacy clients.
Choose one of these options:
• Upper — Sets the primary channel as the upper 20-MHz channel in the 40-MHz band.
• Lower — Sets the primary channel as the lower 20-MHz channel in the 40-MHz band. Lower is the default
selection.
• Channel — The portion of the radio spectrum that the radio uses for transmitting and receiving.
The range of available channels is determined by the mode of the radio interface and the country code setting. If
you select Auto for the channel setting, the WAP device scans available channels and selects a channel where the
least amount of traffic is detected.
Each mode offers a number of channels, depending on how the spectrum is licensed by national and transnational
authorities such as the Federal Communications Commission (FCC), the International Telecommunication Union
(ITU-R) or the European Telecommunications Standards Institute (ETSI).
• Scheduler — For the radio interface, select the profile from the list. The default value is None.
Note To create a profile, navigate to Wireless > Scheduler.
• Yes — The WAP device transmits data using a 400-nanosecond guard interval when communicating with
clients that also support the short guard interval. This is the default selection.
• No — The WAP device transmits data using an 800-nanosecond guard interval.
• Protection — The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference
with legacy stations or applications. By default, protection is enabled (Auto). With protection enabled, protection
is invoked if the legacy devices are within the range of the WAP device.
You can disable the protection (Off); however, the legacy clients or the WAP devices within the range can be affected
by 802.11n transmissions. Protection is also available when the mode is 802.11b/g. When protection is enabled in
this mode, it protects 802.11b clients and the WAP devices from 802.11g transmissions.
Note This setting does not affect the ability of the client to associate with the WAP device.
• Beacon Interval — The interval between the transmission of beacon frames. The WAP device transmits these
frames at regular intervals to announce the existence of the wireless network. The default behavior is to send a
beacon frame once every 100 milliseconds (or 10 per second). Enter an integer from 20 to 2000 milliseconds. The
default is 100 milliseconds.
• DTIM Period — The Delivery Traffic Information Map (DTIM) period. Enter an integer from 1 to 255 beacons.
The default is 2 beacons.
The DTIM message is an element included in some beacon frames. It indicates which client stations, currently
sleeping in low-power mode, have data buffered on the WAP device awaiting pickup.
The DTIM period indicates how often the clients served by this WAP device should check for buffered data awaiting
pickup.
The measurement is in beacons. For example, if you set it to 1, the clients check for buffered data on the WAP device
at every beacon. If you set it to 10, the clients check on every 10th beacon.
• Fragmentation Threshold — The frame size threshold in bytes. The valid integer must be even and in the range
of 256 to 2346. The default is 2346.
The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a
packet exceeds the fragmentation threshold set, the fragmentation is activated and the packet is sent as multiple
802.11 frames.
If the packet being transmitted is equal to or less than the threshold, the fragmentation is not used. Setting the
threshold to the largest value (2,346 bytes, which is the default) effectively disables the fragmentation.
By default, fragmentation is off. We recommend not using fragmentation unless you suspect radio interference.
The additional headers applied to each fragment increase the overhead on the network and can greatly reduce the
throughput.
• RTS Threshold — The Request to Send (RTS) Threshold value. The valid integer range must be from 0 to 65535.
The default is 65535 octets.
The RTS threshold indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
Changing the RTS threshold can help control the traffic flow through the WAP device. If you specify a low threshold
value, the RTS packets are sent more frequently, which consumes more bandwidth and reduces the throughput of
the packet. However, sending more RTS packets can help the network recover from interference or collisions that
might occur on a busy network, or on a network experiencing electromagnetic interference.
• Max Associated Clients — The maximum number of stations allowed to access the WAP device at any one time.
You can enter an integer between 0 and 200. The default is 200 stations.
• Transmit Power — A percentage value for the transmit power level for the WAP device.
The default value of Full - 100 % can be more cost-efficient than a lower percentage because it gives the WAP
device a maximum broadcast range and reduces the number of access points needed.
To increase the capacity of the network, place the WAP devices closer together and reduce the value of the transmit
power. This setting helps reduce overlap and interference among the access points. A lower transmit power setting
can also keep your network more secure because the weaker wireless signals are less likely to propagate outside of
the physical location of your network.
Some channel ranges and country code combinations have relatively low maximum transmit power. When attempting
to set the transmit power to the lower ranges (for example, Medium - 25 percent or Low - 12 percent), the expected
drop in power may not occur, because certain power amplifiers have minimum transmit power requirements.
• Frame-burst Support — Enabling Frame-burst support generally improves the radio performance in the downstream
direction.
• Airtime Fairness Mode — The airtime fairness (ATF) feature was implemented to address the issue of slower data
transfers throttling the higher-speed ones.
• Maximum Utilization Threshold—Enter the percentage of network bandwidth utilization allowed on the radio
before the WAP device stops accepting new client associations. The valid integer range is from 0 to 100 percent.
The default is 0 percent. When set to 0, all new associations are allowed regardless of the utilization rate.
• Fixed Multicast Rate — The transmission rate in Mbps for broadcast and multicast packets. This setting can be
useful in an environment where the wireless multicast video streaming occurs, provided the wireless clients are
capable of handling the configured rate.
When Auto is selected, the WAP device chooses the best rate for the associated clients. The range of valid values
is determined by the configured radio mode.
• Legacy Rate Sets — Rates are expressed in megabits per second.
The Supported Rate Sets indicate the rates that the WAP device supports. You can check multiple rates. The WAP
device automatically chooses the most efficient rate based on factors such as error rates and the distance of client
stations from the WAP device.
The Basic Rate Sets indicate the rates that the WAP device advertises to the network for the purposes of setting up
communication with other access points and client stations on the network. It is generally more efficient to have a
WAP device broadcast a subset of its supported rate sets.
• Broadcast/Multicast Rate Limiting — Multicast and broadcast rate limiting can improve overall network
performance by limiting the number of packets transmitted across the network.
By default, this feature is disabled. Until you enable this feature, these fields are disabled:
• Rate Limit — The rate limit for multicast and broadcast traffic. The limit should be greater than 1, but less
than 50 packets per second. Any traffic that falls below this rate limit will always conform and be transmitted
to the appropriate destination. The default and maximum rate limit setting is 50 packets per second.
• Rate Limit Burst — An amount of traffic, measured in bytes, which is allowed to pass as a temporary burst
even if it is above the defined maximum rate. The default and maximum rate limit burst setting is 75 packets
per second.
• Spectrum Analysis Mode— The Spectrum Analysis Mode status can be one of the following:
• Dedicated Spectrum Analyzer—In dedicated mode, the radio is used for spectrum analysis for more than
10% of the time and the client connections may work but are not guaranteed.
• Hybrid Spectrum Analyzer — In hybrid mode, client connections are guaranteed but degradation is expected
throughout.
• 3+1 Spectrum Analysis — In 3+1 mode, clients connect to 3x3 chains, while spectrum analysis is done on 1x1
chain.
• Disabled — The default is Disabled.
• TSPEC Voice ACM Mode — Regulates mandatory admission control (ACM) for the voice access category. By
default, TSPEC Voice ACM mode is off. The options are:
• On — A station is required to send a TSPEC request for bandwidth to the WAP device before sending or
receiving a voice traffic stream. The WAP device responds with the result of the request, which includes the
allotted medium time if the TSPEC was admitted.
• Off — A station can send and receive the voice priority traffic without requiring an admitted TSPEC. The WAP
device ignores voice TSPEC requests from client stations.
• TSPEC Voice ACM Limit — The upper limit on the amount of traffic that the WAP device attempts to transmit
on the wireless medium using a voice AC to gain access. The default limit is 20 percent of total traffic.
• TSPEC Video ACM Mode — Regulates mandatory admission control for the video access category. By default,
TSPEC Video ACM mode is off. The options are:
• On — A station is required to send a TSPEC request for bandwidth to the WAP device before sending or
receiving a video traffic stream. The WAP device responds with the result of the request, which includes the
allotted medium time if the TSPEC was admitted.
• Off — A station can send and receive video priority traffic without requiring an admitted TSPEC; the WAP
device ignores video TSPEC requests from client stations.
• TSPEC Video ACM Limit — The upper limit on the amount of traffic that the WAP device attempts to transmit
on the wireless medium using a video AC to gain access. The default limit is 15 percent of total traffic.
• TSPEC AP Inactivity Timeout — The amount of time for a WAP device to detect a downlink traffic specification
as idle before deleting it. The valid integer range is from 0 to 120 seconds and the default is 30 seconds.
• TSPEC Station Inactivity Timeout — The amount of time for a WAP device to detect an uplink traffic specification
as idle before deleting it. The valid integer range is from 0 to 120 seconds and the default is 30 seconds.
• TSPEC Legacy WMM Queue Map Mode — Check Enable to enable the intermixing of legacy traffic on queues
operating as ACM. By default, this mode is off.
Networks
Virtual Access Points (VAPs) segment the wireless LAN into multiple broadcast domains that are the wireless
equivalent of Ethernet VLANs. VAPs simulate multiple access points on one physical WAP device. Up
to four VAPs are supported on this Cisco WAP device.
Each VAP can be independently enabled or disabled, with the exception of VAP0. The VAP0 is the physical
radio interface and remains enabled as long as the radio is enabled. To disable the VAP0, the radio itself must
be disabled.
Each VAP is identified by a user-configured Service Set Identifier (SSID). Multiple VAPs cannot have the
same SSID name. SSID broadcasts can be enabled or disabled independently on each VAP. SSID broadcast
is enabled by default.
SSID Naming Conventions
The default SSID for VAP0 is ciscosb. Every additional VAP created has a blank SSID name. The SSIDs for
all VAPs can be configured to other values. The SSID can be any alphanumeric, case-sensitive entry from 2
to 32 characters.
The following characters are allowed:
• ASCII 0x20 through 0x7E.
• Trailing and leading spaces (ASCII 0x20) are not permitted.
Note This means that spaces are allowed within the SSID, but not as the first or last character including the period
“.” (ASCII 0x2E).
VLAN IDs
Each VAP is associated with a VLAN, and is identified by a VLAN ID (VID). A VID can be any value from
1 to 4094, inclusive. The WAP150/361 device supports 33 active VLANs (32 for WLAN plus one management
VLAN).
By default, the VID assigned to the configuration utility for the WAP device is 1, which is also the default
untagged VID. If the management VID is the same as the VID assigned to a VAP, then the WLAN clients
associated with this specific VAP can administer the WAP device. If needed, an access control list (ACL)
can be created to disable administration from WLAN clients.
Configuring VAPs
To configure VAPs:
Step 3 If VAP0 is the only VAP configured on the system, and you want to add a VAP, click ✚. Then, check the VAP.
Step 4 Configure the following:
• VLAN ID — Specify the VLAN ID of the VLAN to associate with the VAP.
Be sure to enter a VLAN ID that is properly configured on the network. Network problems can result if the VAP
associates the wireless clients with an improperly configured VLAN.
When a wireless client connects to the WAP device by using this VAP, the WAP device tags all traffic from the
wireless client with the configured VLAN ID, unless you enter the port VLAN ID or use a RADIUS server to assign
a wireless client to a VLAN. The range for the VLAN ID is from 1 to 4094.
If you change the VLAN ID to a different ID than the current management VLAN ID, the WLAN clients associated
with this specific VAP cannot administer the device. You can verify the configuration of the untagged and management
VLAN IDs on the LAN page. See IPv4 Configuration, on page 17 for more information.
• SSID Name — Enter the name for the wireless network. The SSID is an alphanumeric string of up to 32 characters.
Choose a unique SSID for each VAP.
If you are connected as a wireless client to the same WAP device that you are administering, resetting the SSID will
cause you to lose connectivity to the WAP device. You will need to reconnect to the new SSID after you save this
new setting.
• SSID Broadcast — Enables and disables the broadcast of the SSID.
Specify whether to allow the WAP device to broadcast the SSID in its beacon frames. The Broadcast SSID parameter
is enabled by default. When the VAP does not broadcast its SSID, the network name is not shown in the list of
available networks on a client station. Instead, you must manually enter the exact network name into the wireless
connection utility on the client so that it can connect.
Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it
does not prevent even the simplest of attempts by a hacker to connect or monitor unencrypted traffic. Suppressing
the SSID broadcast offers a very minimal level of protection on an otherwise exposed network (such as a guest
network) where the priority is to make it easy for clients to get a connection and where no sensitive information is
available.
• WMF — Wireless Multicast Forwarding provides an efficient way to transfer multicast traffic on the wireless
device and overcomes multicast transmission issues on the WLAN by using repeated unicast or by multicasting the frames.
• Security — Choose the type of authentication required for access to the VAP. The options are:
• None
• WPA Personal
• WPA Enterprise
If you choose a security mode other than None, additional fields appear. For more information on configuring the wireless
security settings, see Configuring Security Settings, on page 54.
We recommend using WPA Personal or WPA Enterprise as the authentication type as it provides stronger security
protection.
Note Static WEP can be used for wireless computers or devices that do not support WPA Personal and WPA Enterprise.
To set security with Static WEP, configure the radio as 802.11a or 802.11b/g mode. The 802.11n mode restricts
the use of Static WEP as the security mode.
• Client Filter — Specifies whether the stations that can access the VAP are restricted to a configured global list of
MAC addresses. You can choose one of these types of Client filter:
• Disabled — Does not use the Client filter.
• Local — Uses the MAC authentication list that is configured on the Client Filter page.
• RADIUS — Uses the MAC authentication list on an external RADIUS server.
• Scheduler — Select a scheduler profile from the list. VAP0 cannot be associated with a scheduler profile.
• Guest Access Instance — Associate a CP instance with a VAP. The associated CP instance settings apply to users
who attempt to authenticate on the VAP. Select the instance name for each VAP you want to associate an instance
with.
Note A VAP can be associated with one Guest Access Instance on the Access Control > Guest Access page. You must configure
a Guest Access Instance first.
Note To delete a VAP, check the VAP and click Delete. To edit a VAP, check the VAP and click Edit. To save your
changes, click Apply when complete.
Configuring Security Settings
None
If you select None as your security mode, no additional security settings are required on the device. This mode
means that any data transferred to and from the WAP device is not encrypted. This security mode can be used
during initial network configuration or for troubleshooting, but it is not recommended for regular
use on the internal network because this mode is not secure.
WPA Personal
The WPA Personal is a Wi-Fi Alliance IEEE 802.11i standard, which includes AES-CCMP and TKIP
encryption. The WPA Personal uses a pre-shared key (PSK) instead of using IEEE 802.1X and EAP as is
used in the Enterprise WPA security mode. The PSK is used for an initial check of credentials only. WPA
Personal is also referred to as WPA-PSK.
This security mode is backwards-compatible for the wireless clients that support the original WPA.
To configure WPA Personal, configure the following:
• WPA Versions — Choose the types of client stations from the following:
• WPA-TKIP — This network has client stations that only support the original WPA and TKIP
security protocol. Note that selecting only WPA-TKIP is not allowed as per the latest Wi-Fi
Alliance requirements.
• WPA2-AES — All client stations on the network support WPA2 and AES-CCMP cipher/security
protocol. This provides the best security per IEEE 802.11i standard. As per the latest Wi-Fi Alliance
requirement, the AP has to support this mode all the time.
If the network has a mix of clients, some of which support WPA2 and others which support only
the original WPA, select both. This lets both WPA and WPA2 client stations associate and
authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration
allows more interoperability in place of some security.
WPA clients must have one of these keys to be able to associate with the WAP device:
• A valid TKIP key
• A valid AES-CCMP key
• PMF (Protection Management Frame) — Provides security for the unencrypted 802.11 management
frames. When Security Mode is disabled, the PMF is set to No PMF and is not editable (Hidden or Grey).
When the security Mode is set to WPA2-xxx, the PMF is Capable by default and is editable. The following
three check box values can be configured for it.
• Not Required
• Capable
• Required
Note The WiFi Alliance requires the PMF to be enabled and set to Capable (Default).
You may disable it when the non-compliant wireless clients experience instability
or connectivity issues.
• Key — The shared secret key for WPA Personal security. Enter a string of at least 8 characters to a
maximum of 63 characters. Acceptable characters include uppercase and lowercase alphabetic letters,
the numeric digits, and special symbols such as @ and #.
• Show Key as Clear Text — When enabled, the text you type is visible. When disabled, the text is
masked as you enter it.
• Key Strength Meter — The WAP device checks the key against complexity criteria such as how many
different types of characters (uppercase and lowercase alphabetic letters, numbers, and special characters)
are used and how long the string is. If the WPA-PSK complexity check feature is enabled, the key is not
accepted unless it meets the minimum criteria. See Configure WAP-PSK Complexity, on page 46 for
information on configuring the complexity check.
• Broadcast Key Refresh Rate — The interval at which the broadcast (group) key is refreshed for clients
associated with this VAP. The default is 86400 seconds and the valid range is from 0 to 86400 seconds.
A value of 0 indicates that the broadcast key is not refreshed.
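The VAP rules described so far (SSID naming, VLAN IDs, security mode, WPA versions, PMF, and key length) can be checked together against a planned configuration. The following is an added example, not Cisco code and not the device's configuration format: the dictionary keys, severity labels, sample values, and the `min_classes` threshold that stands in for the WPA-PSK complexity setting are all assumptions.

```python
import string

MAX_VAPS = 4                      # "Up to four VAPs are supported"
DEFAULT_SSID = "ciscosb"          # factory SSID of VAP0
PMF_OPTIONS = ("Not Required", "Capable", "Required")


def ssid_problems(ssid):
    """Naming rules: 2 to 32 characters, ASCII 0x20-0x7E, no leading or trailing space."""
    problems = []
    if not 2 <= len(ssid) <= 32:
        problems.append("SSID length must be 2 to 32 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in ssid):
        problems.append("SSID has characters outside ASCII 0x20-0x7E")
    if ssid != ssid.strip(" "):
        problems.append("SSID has a leading or trailing space")
    return problems


def psk_classes(key):
    """Count the character types present: lowercase, uppercase, digits, special."""
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(ch in group for ch in key) for group in groups)


def audit_vap(vap, mgmt_vid, min_classes=3):
    """Return (severity, message) findings for one VAP (min_classes is hypothetical)."""
    findings = [("error", problem) for problem in ssid_problems(vap["ssid"])]
    if vap["ssid"] == DEFAULT_SSID:
        findings.append(("warn", "SSID is still the factory default"))
    if not 1 <= vap["vlan_id"] <= 4094:
        findings.append(("error", "VLAN ID must be 1 to 4094"))
    elif vap["vlan_id"] == mgmt_vid:
        findings.append(("warn", "VAP uses the management VLAN: its WLAN clients can "
                                 "administer the WAP device unless an ACL blocks them"))
    if vap["security"] == "None":
        findings.append(("high", "traffic to and from the WAP device is not encrypted"))
        if not vap.get("ssid_broadcast", True):
            findings.append(("info", "suppressing the SSID broadcast gives minimal protection"))
        return findings
    versions = set(vap.get("wpa_versions", ()))
    if versions == {"WPA-TKIP"}:
        findings.append(("error", "selecting only WPA-TKIP is not allowed"))
    elif "WPA-TKIP" in versions:
        findings.append(("warn", "mixed WPA/WPA2 trades some security for interoperability"))
    pmf = vap.get("pmf", "Capable")
    if pmf not in PMF_OPTIONS:
        findings.append(("error", f"unknown PMF value {pmf!r}"))
    elif pmf == "Not Required":
        findings.append(("warn", "PMF is Not Required; the default is Capable"))
    if vap["security"] == "WPA Personal":
        key = vap.get("key", "")
        if not 8 <= len(key) <= 63:
            findings.append(("error", "key must be 8 to 63 characters"))
        elif psk_classes(key) < min_classes:
            findings.append(("warn", f"key uses fewer than {min_classes} character types"))
    if vap.get("broadcast_key_refresh", 86400) == 0:
        findings.append(("warn", "broadcast key is never refreshed"))
    return findings


def audit_vaps(vaps, mgmt_vid=1):
    """Audit every VAP and the cross-VAP rules (count limit, unique SSIDs)."""
    report, seen = {}, {}
    if len(vaps) > MAX_VAPS:
        report["device"] = [("error", f"more than {MAX_VAPS} VAPs configured")]
    for index, vap in enumerate(vaps):
        name = f"VAP{index}"
        findings = audit_vap(vap, mgmt_vid)
        if vap["ssid"] in seen:
            findings.append(("error", f"SSID duplicates {seen[vap['ssid']]}"))
        seen.setdefault(vap["ssid"], name)
        report[name] = findings
    return report


# Constructed configurations: a weak one and a corrected one.
WEAK_VAPS = [
    {"ssid": "ciscosb", "vlan_id": 1, "security": "None", "ssid_broadcast": False},
    {"ssid": "Staff ", "vlan_id": 20, "security": "WPA Personal", "pmf": "Not Required",
     "wpa_versions": ["WPA-TKIP", "WPA2-AES"], "key": "password", "broadcast_key_refresh": 0},
]
HARDENED_VAPS = [
    {"ssid": "Lobby-Guest", "vlan_id": 30, "security": "WPA Personal", "pmf": "Capable",
     "wpa_versions": ["WPA2-AES"], "key": "Constructed-Guest-Key-17"},
    {"ssid": "Staff", "vlan_id": 20, "security": "WPA Personal", "pmf": "Required",
     "wpa_versions": ["WPA2-AES"], "key": "Constructed-Example-Key-42"},
]

if __name__ == "__main__":
    for label, vaps in (("weak", WEAK_VAPS), ("hardened", HARDENED_VAPS)):
        for name, findings in audit_vaps(vaps).items():
            print(label, name, findings or "no findings")
```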
WPA Enterprise
The WPA Enterprise with RADIUS is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which
includes CCMP (AES), and TKIP encryption. The Enterprise mode requires the use of a RADIUS server to
authenticate the users.
This security mode is backwards-compatible with the wireless clients that support the original WPA.
The dynamic VLAN mode is enabled by default, which allows the RADIUS authentication server to decide which
VLAN is used for the stations.
These parameters configure WPA Enterprise:
• WPA Versions — Choose the types of client stations to be supported. The options are:
• WPA-TKIP — The network has some client stations that only support original WPA and TKIP
security protocol. Note that selecting only WPA-TKIP for the access point is not allowed as per the
latest Wi-Fi Alliance requirement.
• WPA2-AES — All client stations on the network support WPA2 version and AES-CCMP cipher/
security protocol. This provides the best security per the IEEE 802.11i standard. As per the latest
Wi-Fi Alliance requirement, the AP has to support this mode all the time.
• Enable Pre-authentication — If you choose only WPA2 or both WPA and WPA2 as the WPA version,
you can enable pre-authentication for the WPA2 clients.
Check this option if you want the WPA2 wireless clients to send the pre-authentication packets. The
pre-authentication information is relayed from the WAP device that the client is currently using to the
target WAP device. Enabling this feature can help speed up the authentication for roaming clients who
connect to multiple APs.
This option does not apply if you selected WPA for WPA versions because the original WPA does not
support this feature.
Client stations configured to use WPA with RADIUS must have one of these addresses and keys:
• A valid TKIP RADIUS IP address and RADIUS key
• A valid CCMP (AES) IP address and RADIUS key
• PMF (Protection Management Frame) — Provides security for the unencrypted 802.11 management
frames. When Security Mode is disabled or WEP, the PMF is set to No PMF and is not editable (Hidden
or Grey). When the security Mode is set to WPA2-xxx, the PMF is Capable by default and is editable.
The following three check box values can be configured for it.
• Not Required
• Capable
• Required
Note WiFi Alliance requires PMF to be enabled with default setting of Capable. You
may disable it when non-compliant wireless clients experience instability or
connectivity issues.
• Use Global RADIUS Server Settings — By default, each VAP uses the global RADIUS settings that
you define for the WAP device. However, you can configure each VAP to use a different set of RADIUS
servers.
Check this option to use the global RADIUS server settings, or uncheck this option to use a separate
RADIUS server for the VAP and enter the RADIUS server IP address and key in the appropriate fields.
• Server IP Address Type — The IP version that the RADIUS server uses. You can toggle between the
address types to configure the IPv4 and IPv6 global RADIUS address settings, but the WAP device
contacts only the RADIUS server or servers for the address type that you select in this field.
• Server IP Address-1 or Server IPv6 Address-1 — The address for the primary RADIUS server for
this VAP.
• Server IP Address-2 or Server IPv6 Address-2 — Up to three IPv4 and/or IPv6 addresses to use as
the backup RADIUS servers for this VAP. If authentication fails with the primary server, each configured
backup server is tried in sequence.
• Key-1 — The shared secret key for the global RADIUS server. You can use up to 63 standard
alphanumeric and special characters. The key is case sensitive, and you must configure the same key on
the WAP device and on your RADIUS server. The text that you enter is shown as asterisks to prevent
others from seeing the RADIUS key as you type.
• Key-2 — The RADIUS key associated with the configured backup RADIUS servers. The server at Server
IP (IPv6) Address 2 uses Key 2.
• Enable RADIUS Accounting — Tracks and measures the resources a particular user has consumed
such as system time, amount of data transmitted and received, and so on. If you enable RADIUS
accounting, it is enabled for the primary RADIUS server and all backup servers.
• Active Server — Enables the administrative selection of the active RADIUS server, rather than having
the WAP device attempt to contact each configured server in sequence and choose the first server that
is up.
• Broadcast Key Refresh Rate — The interval at which the broadcast (group) key is refreshed for clients
associated with this VAP. The default is 86400 seconds. The valid range is from 0 to 86400 seconds. A
value of 0 indicates that the broadcast key is not refreshed.
• Session Key Refresh Rate — The interval at which the WAP device refreshes session (unicast) keys
for each client associated with the VAP. The valid range is from 30 to 86400 seconds. A value of 0
indicates that the session key is not refreshed. The default value is 0.
Client Filter
Client filter can be used to permit or deny listed client stations to authenticate with the WAP device. MAC
authentication is configured on the Networks page. Based on the VAP configuration, the WAP
device may refer to a Client filter list stored on an external RADIUS server, or may refer to a Client filter list
stored locally on the WAP device.
Step 3 Continue entering MAC addresses until the list is complete. Click the arrow next to Associated Clients to display the
list. Choose one of the MAC addresses and then click Add. One rule will be added to the MAC Address Table. The
Associated Clients list includes the following:
• MAC Address—The MAC address of the associated wireless client.
• Host Name—The hostname of the associated wireless client.
• IP Address—The IP address of the associated wireless client.
• Network (SSID)— The Service Set Identifier (SSID) for the WAP device. The SSID is an alphanumeric string of
up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name.
Configuring MAC Authentication on the Radius Server
User-Name (1): MAC address of the client station. Valid Ethernet MAC address.
Scheduler
The Radio and VAP scheduler allows you to configure a rule with a specific time interval for the VAPs or
radios to be operational.
You can use this feature to schedule the radio to operate, or to allow access to the VAPs, only during office
working hours in order to achieve security and reduce power consumption.
The WAP device supports up to 16 profiles. Only valid rules are added to the profile. Up to 16 rules are
grouped together to form a scheduling profile. Periodic time entries belonging to the same profile cannot
overlap.
Profile Rule Configuration
Step 3 To add a profile, enter a profile name in the Create a Profile Name text box and click Add. The profile name can be up
to 32 alphanumeric characters.
Step 1 Choose the profile from the Select a Profile Name list.
Step 2 Click ✚.
The new rule is displayed in the Profile Rule Table.
Step 3 Check the check box before the Profile Name and click Edit.
Step 4 From the Day of the Week menu, choose the recurring schedule for the rule. You can configure the rule to occur daily,
each weekday, each weekend day (Saturday and Sunday), or any single day of the week.
Step 5 Set the start and end times:
• Start Time (24hh:mm)— Set the time when the radio or VAP is enabled. The time is in hh:mm 24-hour format.
The range is <00-23>:<00-59>. The default is 00:00.
• End Time (24hh:mm) — Set the time when the radio or VAP is disabled. The time is in hh:mm 24-hour format.
The range is <00-23>:<00-59>. The default is 00:00.
QoS
The Quality of Service (QoS) settings allow for configuration of the transmission queues for optimized
throughput and enhanced performance when handling differentiated wireless traffic. This traffic can be VoIP,
other types of audio, video, streaming media, and traditional IP data.
To configure QoS on the WAP device, set the parameters on the transmission queues for different types of
wireless traffic and specify the minimum and maximum wait times for transmission.
The WAP Enhanced Distributed Channel Access (EDCA) parameters affect the traffic flowing from the WAP
device to the client station. The station EDCA parameters affect the traffic flowing from the client station to
the WAP device.
In normal use, the default values for the WAP device and the station EDCA should not be changed. Changing
these values affects the QoS provided.
To configure the WAP device and EDCA parameters:
These four queues are defined for different types of data transmitted from WAP-to-station. If you choose a Custom
template, the parameters that define the queues are configurable; otherwise, they are set to predefined values appropriate
to your selection. The four queues are:
• Data 0 (Voice) — High priority queue, with minimum delay. Time-sensitive data such as VoIP and streaming media
are automatically sent to this queue.
• Data 1 (Video) — High priority queue, with minimum delay. Time-sensitive video data is automatically sent to this
queue.
• Data 2 (Best Effort) — Medium priority queue, with medium throughput and delay. Most traditional IP data is sent
to this queue.
• Data 3 (Background) — Lowest priority queue, with high throughput. Bulk data that requires maximum throughput
and is not time-sensitive is sent to this queue (FTP data, for example).
Step 5 Configure the following WAP EDCA and Station EDCA parameters:
• Arbitration Inter-Frame Space — Wait time for the data frames. The wait time is measured in slots. Valid values
for AIFS are 1 through 255.
• Minimum Contention Window — An input to the algorithm that determines the initial random backoff wait time
(window) for a retry of a transmission failure.
This value is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined.
The first random number generated is a number between 0 and the number specified here. If the first random backoff
wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window)
is doubled. Doubling continues until the size of the random backoff value reaches the number defined in the Maximum
Contention Window.
Valid values are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1023. This value must be lower than the value for the Maximum
Contention Window.
• Maximum Contention Window — The upper limit in milliseconds for the doubling of the random backoff value.
This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached.
After the Maximum Contention Window size is reached, retries continue until a maximum number of retries allowed
is reached.
Valid values are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1023. This value must be higher than the value for the Minimum
Contention Window.
• Maximum Burst — A WAP EDCA parameter that applies only to traffic flowing from the WAP to the client station.
This value specifies (in milliseconds) the maximum burst length allowed for packet bursts on the wireless network.
A packet burst is a collection of multiple frames transmitted without header information. The decreased overhead
results in higher throughput and better performance. Valid values are 0.0 through 999.
• TXOP Limit (Station only) — The TXOP Limit is a station EDCA parameter that only applies to traffic flowing
from the client station to the WAP device. The Transmission Opportunity (TXOP) is an interval of time, in
milliseconds, when a WME client station has the right to initiate transmissions onto the wireless medium (WM)
towards the WAP device. The TXOP Limit maximum value is 65535.
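The contention-window rules above, worked through as an added Python example (not Cisco code): it checks each queue's EDCA settings against the stated ranges and lists the backoff window used for each attempt. The values in SAMPLE_TEMPLATE are constructed, not device defaults, all function names are hypothetical, and "doubled" is assumed to mean 2 x window + 1 so that every step lands on the next valid value.

```python
import random

# Ranges as stated in the parameter descriptions above.
VALID_CW = (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023)

# Constructed sample values for a Custom template; not the device defaults.
SAMPLE_TEMPLATE = {
    "Data 0 (Voice)": {"aifs": 1, "cw_min": 3, "cw_max": 7},
    "Data 1 (Video)": {"aifs": 1, "cw_min": 7, "cw_max": 15},
    "Data 2 (Best Effort)": {"aifs": 3, "cw_min": 15, "cw_max": 63},
    "Data 3 (Background)": {"aifs": 7, "cw_min": 15, "cw_max": 1023},
}


def validate_edca(aifs, cw_min, cw_max, max_burst=None, txop_limit=None):
    """Return a list of problems with one queue's settings (empty list = valid)."""
    problems = []
    if not 1 <= aifs <= 255:
        problems.append("AIFS must be 1 through 255")
    if cw_min not in VALID_CW:
        problems.append("Minimum Contention Window is not a valid value")
    if cw_max not in VALID_CW:
        problems.append("Maximum Contention Window is not a valid value")
    if cw_min >= cw_max:
        problems.append("Minimum Contention Window must be lower than Maximum")
    if max_burst is not None and not 0.0 <= max_burst <= 999:
        problems.append("Maximum Burst must be 0.0 through 999")
    # Assumption: the lower bound of TXOP Limit is 0; the page states only the maximum.
    if txop_limit is not None and not 0 <= txop_limit <= 65535:
        problems.append("TXOP Limit must not exceed 65535")
    return problems


def check_template(template):
    """Map queue name -> problems, keeping only the queues that have problems."""
    results = {name: validate_edca(**params) for name, params in template.items()}
    return {name: found for name, found in results.items() if found}


def window_sequence(cw_min, cw_max, retries):
    """Upper limit of the backoff range for the first attempt and each retry.

    Assumption: doubling goes to 2 * window + 1 (3 -> 7 -> 15 ...), capped at
    the Maximum Contention Window, after which retries reuse the maximum.
    """
    windows, window = [], cw_min
    for _ in range(retries + 1):
        windows.append(window)
        window = min(2 * window + 1, cw_max)
    return windows


def draw_backoffs(cw_min, cw_max, retries, seed=0):
    """Draw one random backoff per attempt, each between 0 and that attempt's window."""
    rng = random.Random(seed)
    return [rng.randint(0, w) for w in window_sequence(cw_min, cw_max, retries)]


if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE))
    for name, params in SAMPLE_TEMPLATE.items():
        print(name, window_sequence(params["cw_min"], params["cw_max"], retries=5))
```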
CHAPTER 5
Wireless Bridge
This chapter describes how to configure the Wireless Bridge settings. It contains the following topics:
• Wireless Bridge, on page 63
• Configuring WDS Bridge, on page 64
• WPA/PSK on WDS Links, on page 64
• WorkGroup Bridge, on page 65
Wireless Bridge
The Wireless Distribution System (WDS) allows you to connect multiple WAP devices. With WDS, the WAP
devices communicate with one another wirelessly. This provides a seamless experience for roaming clients
and for managing multiple wireless networks. You can configure the WAP device in point-to-point or
point-to-multipoint bridge mode based on the number of links to connect.
In the point-to-point mode, the WAP device accepts client associations and communicates with the wireless
clients. The WAP device forwards all traffic meant for the other network over the tunnel that is established
between the access points. The bridge does not add to the hop count. It functions as a simple OSI Layer 2
network device.
In the point-to-multipoint bridge mode, one WAP device acts as the common link between multiple access
points. In this mode, the central WAP device accepts the client associations and communicates with the clients.
All other access points associate only with the central WAP device that forwards the packets to the appropriate
wireless bridge for routing purposes.
The WAP device can also act as a repeater. In this mode, the WAP device serves as a connection between
two WAP devices that may be too far apart to be within cell range. When acting as a repeater, the WAP device
does not have a wired connection to the LAN and repeats signals by using the wireless connection. No special
configuration is required for the WAP device to function as a repeater, and there are no repeater mode settings.
The wireless clients can still connect to a WAP device that is operating as a repeater.
Before you configure WDS on the WAP device, note these guidelines:
• All Cisco WAP devices participating in a WDS link must have the following identical settings:
• Radio
• IEEE 802.11 Mode
• Channel Bandwidth
When operating bridging in the 802.11n 2.4 GHz band, set the Channel Bandwidth to 20 MHz, rather
than the default 20/40 MHz. In the 2.4 GHz, 20/40 MHz band, the operating bandwidth can change from
40 MHz to 20 MHz if any 20 MHz WAP devices are detected in the area. The mismatched channel
bandwidth can cause the link to disconnect.
• When using WDS, be sure to configure WDS on both WAP devices participating in the WDS link.
• You can have only one WDS link between any pair of WAP devices. That is, a remote MAC address
may appear only once on the WDS page for a particular WAP device.
• WDS ID — Enter an appropriate name for the new WDS link that you have created. It is important that
the same WDS ID is also entered at the other end of the WDS link. If this WDS ID is not the same for
both WAP devices on the WDS link, they will not be able to communicate and exchange data.
The WDS ID can be any alphanumeric combination within a range of 2-32 characters.
• Key — Enter a unique shared key for the WDS bridge. This unique shared key must also be entered for
the WAP device at the other end of the WDS link. If this key is not the same for both WAPs, they will
not be able to communicate and exchange data.
The WPA-PSK key is a string of at least 8 characters to a maximum of 63 characters. Acceptable characters
include uppercase and lowercase alphabetic letters, the numeric digits, and special symbols such as @
and #.
WorkGroup Bridge
The Work Group Bridge feature enables the WAP device to extend the accessibility of a remote network. In
the Work Group Bridge mode, the WAP device acts as a wireless station (STA) on the wireless LAN. It can
bridge traffic between a remote wired network or associated wireless clients and the wireless LAN that is
connected using the Work Group Bridge mode.
The Work Group Bridge feature enables support for STA-mode and AP-mode operation simultaneously. The
WAP device can operate in one Basic Service Set (BSS) as an STA device while operating on another BSS
as a WAP device. When the Work Group Bridge mode is enabled, the WAP device supports only one BSS
for wireless clients that associate with it, and another BSS with which the WAP device associates as a wireless
client.
We recommend that you use the Work Group Bridge mode only when the WDS bridge feature cannot be
operational with a peer WAP device. WDS is a better solution and is preferred over the Work Group Bridge
solution. Use WDS if you are bridging the Cisco WAP150 and Cisco WAP361 devices. If you are not, then
consider the Work Group Bridge. When the Work Group Bridge feature is enabled, the VAP configurations
are not applied; only the Work Group Bridge configuration is applied.
Note The WDS feature does not work when the Work Group Bridge mode is enabled on the WAP device.
In Work Group Bridge mode, the BSS managed by the WAP device while operating in WAP device mode is
referred to as the access point interface, and associated STAs as the downstream STAs. The BSS managed
by the other WAP device (that is, the one to which the WAP device associates as an STA) is referred to as
the infrastructure client interface, and the other WAP device is referred to as the upstream AP.
The devices connected to the wired interface of the WAP device, as well as the downstream stations associated
with the access point interface of the device, can access the network connected by the infrastructure client
interface. To allow the bridging of packets, the VLAN configuration for the access point interface and the
wired interface must match that of the infrastructure client interface.
The Work Group Bridge mode can be used as a range extender to enable BSS to provide access to remote or
hard-to-reach networks. A single radio can be configured to forward packets from associated STAs to another
WAP device in the same ESS, without using WDS.
Before you configure Work Group Bridge on the WAP device, note these guidelines:
• All WAP devices participating in Work Group Bridge must have the following identical settings:
• Radio
• IEEE 802.11 Mode
• Channel Bandwidth
• Channel (Auto is not recommended)
See Radio, on page 47 (Basic Settings) for information on configuring these settings.
• Work Group Bridge mode currently supports only IPv4 traffic.
• Work Group Bridge mode is not supported across a Single Point Setup.
• Enabled
  Infrastructure Client Interface: Check the check box to enable the Infrastructure Client Interface.
  Access Point Interface: Check the check box to enable the Infrastructure Client Interface.
• Radio
  Infrastructure Client Interface: Specifies the Radio Id (Radio 1 (2.4 GHz) or Radio 2 (5GHz)).
  Access Point Interface: Specifies the Radio Id (Radio 1 (2.4 GHz) or Radio 2 (5GHz)).
• SSID
  Infrastructure Client Interface: Specifies the current SSID of the BSS.
  Note There is an arrow next to SSID for SSID Scanning. This feature is disabled by default, and is enabled
  only if AP Detection is enabled in Rogue AP Detection (which is also disabled by default).
  Access Point Interface: The SSID for the Access Point Interface cannot be the same as the Infrastructure Client SSID.
• Encryption
  Infrastructure Client Interface: The type of security to use for authenticating as a client station on the
  upstream WAP device. It can be one of the following:
    • None
    • WPA Personal
    • WPA Enterprise
  Access Point Interface: The type of security to use for authenticating. The options are:
    • None
    • WPA Personal
• Connection Status
  Infrastructure Client Interface: Indicates whether the WAP is connected to the upstream WAP device.
  Access Point Interface: Not Applicable (N/A)
• VLAN ID
  Infrastructure Client Interface: Specifies the VLAN associated with the BSS.
  Access Point Interface: Configure the Access Point Interface with the same VLAN ID as advertised on the
  Infrastructure Client Interface.
Note The Infrastructure Client Interface will be associated with the upstream WAP device with the configured
credentials. The WAP device may obtain its IP address from a DHCP server on the upstream link. Alternatively,
you can assign a static IP address.
• SSID Broadcast
  Infrastructure Client Interface: Specifies if the broadcast of the SSID is available, enabled or disabled.
  Access Point Interface: Check if you want the downstream SSID to be broadcast. SSID Broadcast is enabled by
  default.
• Client Filter
  Infrastructure Client Interface: Not Applicable (N/A)
  Access Point Interface: Choose one of the following options:
    • Disabled—The set of clients in the AP's BSS that can access the upstream network is not restricted to the
      clients specified in a MAC address list.
    • Local—The set of clients in the AP's BSS that can access the upstream network is restricted to the clients
      specified in a locally defined MAC address list.
    • RADIUS—The set of clients in the AP's BSS that can access the upstream network is restricted to the clients
      specified in a MAC address list on a RADIUS server.
Note If you choose Local or RADIUS, see Client Filter, on page 58 for instructions on creating the Client filter
list.
Step 5 Click Apply. The associated downstream clients now have connectivity to the upstream network.
CHAPTER 6
Fast Roaming
This chapter describes how to configure the Fast Roaming settings. It contains the following topics:
• Fast Roaming, on page 69
• Configuring Fast Roaming, on page 69
• Configuring Remote Key Holder List Profiles, on page 70
Fast Roaming
Fast roaming, also known as IEEE 802.11r or Fast BSS Transition (FT), allows a client device to roam quickly
in environments implementing the WPA2 Enterprise security, by ensuring that the client device does not need
to re-authenticate to the RADIUS server every time it roams from one access point to another.
Fast transition roaming is an amendment to the IEEE 802.11 standard that permits continuous connectivity
aboard wireless devices in motion, with fast and secure handoffs from an AP to another managed AP in a
seamless manner. In order to ensure voice quality and network security, a portable station must be able to
maintain a secure, low-latency voice call while roaming between APs that are handling other traffic.
This device supports the FBT (Fast BSS Transition) as defined in 802.11r for fast handoff with WPA2
Enterprise security. For Voice over Wi-Fi Enterprise, only a subset of the features defined in 802.11r are
supported. The fast BSS transition decreases latency during roaming.
FBT is enabled per VAP per radio.
Note Before you configure FBT on a VAP, be sure to verify that the VAP is configured with WPA2 security,
pre-authentication disabled and MFP disabled.
• R0 Key Holder — Specifies the NAS identifier to be sent in the RADIUS Access Request message. The NAS Identifier
is used as the R0 Key Holder ID.
• R1 Key Holder — Specifies the R1 key Holder ID that names the holder of PMK-R1 in the authenticator.
• Remote Key Holder List — Select a Remote Key Holder List from the drop down menu that you have created.
Configuring Remote Key Holder List Profiles
Step 5 Repeat steps 1 through 4 and then configure the R1 key holder in the Remote R1 Key Holder Data List. A maximum of
10 entries of R1 key holders are allowed to be configured per VAP. The key holder data is configured per VAP.
• MAC Address — The destination VAP's MAC address, which is the R1 Key Holder. The PMK-R1 is sent in an RRB PUSH
message to this AP MAC address. This MAC address must be unique across all the VAPs.
• R1 Key Holder — The R1 key Holder ID that names the holder of PMK-R1 in the authenticator.
• RRB Key — Key used to encrypt RRM protocol messages.
Note After you configure the Remote Key Holder Data List settings, you can click Restore to restore the old settings,
or click Apply to save the settings. Click Cancel to go back to the Fast Roaming page.
Click Apply after copying or deleting a profile.
Caution Clicking Export for selected profile/s will export only those profiles. Clicking Export with no profiles selected
will export all the profiles.
CHAPTER 7
Single Point Setup
This chapter describes how to configure Single Point Setup over multiple WAP devices. It includes the
following topics:
• Single Point Setup Overview, on page 73
• Access Points, on page 77
• Firmware Management, on page 78
• Channel Management, on page 79
Note Ensure that the PID is exactly the same in order for the device to cluster. For example:
• The WAP150-A-K9 will not cluster with the WAP150-C-K9 or any other WAP.
• The WAP361-E-K9 will not cluster with the WAP361-F-K9 or any other WAP.
Single Point Setup allows the management of more than one cluster in the same subnet or network; however,
they are managed as single independent entities. The following table shows the wireless service limits of a
Single Point Setup:
Group/Cluster Type: Cisco WAP150
• WAP Devices per Single Point Setup: 4
• Number of Active Clients per Single Point Setup: 40
• Maximum Number of Clients (Active and Idle): 64
A cluster can propagate configuration information, such as VAP settings, the QoS queue parameters, and the
radio parameters. When you configure Single Point Setup on a device, settings from that device (whether they
are manually set or set by default) are propagated to other devices as they join the cluster.
To form a cluster, make sure the following prerequisites or conditions are met:
Step 1 Plan your Single Point Setup cluster. Be sure that two or more WAP devices that you want to cluster are the same model.
For example, Cisco WAP150/361 devices can only cluster with other Cisco WAP150/361 devices.
Note It is strongly recommended to run the same firmware version on all clustered WAP devices. Firmware can be
upgraded from the Dominant AP (Cluster Controller). See Access Points for more information.
Step 2 Set up the WAP devices that will be clustered on the same IP subnet and verify that they are interconnected and accessible
across the switched LAN network.
Step 3 Enable Single Point Setup on all WAP devices. See Access Points for more information.
Step 4 Verify that all WAP devices reference the same Single Point Setup name. See Access Points for more information.
Operation of a Device Dropped From a Single Point Setup
• If a WAP device in a cluster loses connectivity, is dropped, later rejoins the cluster, and configuration
changes were made during the lost connectivity period, the changes are propagated to the device
when it rejoins. If there are configuration changes in both the disconnected device and the cluster, then
the device with the greatest number of changes and, secondarily, the most recent change, will be selected
to propagate its configuration to the cluster. (That is, if WAP1 has more changes, but WAP2 has the
most recent change, WAP1 is selected. If they have an equal number of changes, but WAP2 has the most
recent change, then WAP2 is selected.)
Common Configuration Settings and Parameters that are Propagated in Single Point Setup
HTTP/HTTPs Service (Except SSL Certificate Configuration)
Radio Settings Including TSPEC Settings (Some exceptions)
Radio Configuration Settings and Parameters that are Propagated in Single Point Setup
Fragmentation Threshold
RTS Threshold
Rate Sets
Channel
Protection
Radio Configuration Settings and Parameters that are Not Propagated in Single Point Setup
Channel
Beacon Interval
DTIM Period
Maximum Stations
Transmit Power
Other Configuration Settings and Parameters that are Not Propagated in Single Point Setup
Access Points
The Access Points page allows you to enable or disable Single Point Setup on a WAP device, view the cluster
members, and configure the location and cluster name for a member. You can also click the IP address of a
member to configure and view data on that device.
Step 2 Configure these parameters for each individual member of a Single Point Setup cluster:
• AP Location—Enter a description of where the WAP device is physically located, for example, Reception. The
location field is optional. The valid range is 1 to 64 alphanumeric and special characters.
• AP Priority—Enter the priority of the cluster for Dominant AP (Cluster Controller) election. The higher number
indicates the higher preference for this AP to become the Dominant AP. In case of a tie, the AP with the lowest MAC
address becomes dominant. The range is from 0 to 255. The default value is 0.
• Cluster Name to Join—Enter the name of the cluster for the WAP device to join, for example Reception_Cluster.
The cluster name is not sent to other WAP devices. You must configure the same name on each device that is a
member. The cluster name must be unique for each Single Point Setup that you configure on the network. The default
is ciscosb-cluster. The valid range is 1 to 64 alphanumeric and special characters.
• Cluster IP Protocol—Choose the IP version that the WAP devices in the cluster use to communicate with other
members of the cluster. The default is IPv4.
• If you choose IPv6, Single Point Setup can use the link local address, auto-configured IPv6 global address, and
statically configured IPv6 global address. When using IPv6, ensure that all WAP devices in the cluster either use
link-local addresses only or use global addresses only.
Single Point Setup works only with the WAP devices using the same type of IP addressing. It does not work with
a group of the WAP devices where some have IPv4 addresses and some have IPv6 addresses.
The WAP device begins searching for other WAP devices in the subnet that are configured with the same cluster name
and IP Protocol. A potential cluster member sends the advertisements every 10 seconds to announce its presence.
Firmware Management
Cluster provides a centralized cluster firmware upgrade feature that allows all the APs in the cluster to be
upgraded from the Dominant AP (Cluster Controller). The Cluster firmware upgrade can be performed only
from the Dominant AP.
On the cluster firmware upgrade page the WAP devices detected are listed in a table and the following
information is shown:
• Location—Description of where the access point is physically located.
• IP Address—The IP address for the access point.
• MAC Address—Media Access Control (MAC) address of the access point. The address is the MAC
address for the bridge (br0), and is the address by which the WAP device is known externally to other
networks.
• Current Firmware Version—The current running firmware version for the access point.
• Firmware-transfer-status—Shows whether the firmware download and validation in cluster member
is None/Started/Downloaded/Success/Fail/Abort_admin/Abort_local/Dap_resigned.
• Firmware-transfer-progress-bar—Shows the progress bar for firmware download.
Note Overall Upgrade Status shows the combined upgrade status (Not Initialized/In Progress/
Completed/Fail/Abort_admin/ None) of all the cluster members.
To stop the cluster member upgrade from Dominant AP:
Click Stop-Upgrade.
Channel Management
Use the Channel Management page to manage the channel for the WAP devices in a Single Point Setup
cluster.
When the channel management is enabled, the WAP device automatically assigns the radio channels used by
the WAP devices in a Single Point Setup cluster. The automatic channel assignment reduces mutual interference
(or interference with other WAP devices outside of its cluster) and maximizes the Wi-Fi bandwidth to help
maintain efficient communication over the wireless network.
The Automatic Channel Assignment feature is enabled by default. The state of channel management (enabled
or disabled) is propagated to the other devices in the Single Point Setup cluster.
However, if you reset the minimal channel interference benefit to 25 percent and click Apply, the proposed
channel plan will be implemented and the channels will be reassigned as needed.
• Reassess Channel Assignment Every—The schedule for automated updates. A range of intervals is
provided, from 30 minutes to six months. The default is one hour, meaning that the channel usage is
reassessed and the resulting channel plan is applied every hour.
If you change these settings, click Apply. The changes are saved to the active configuration and the
Startup Configuration.
When the Automatic Channel Assignment is enabled, the page shows the Channel Assignations table.
Click Apply to update the locked setting. The locked devices show the same channel for the Current Channel
Assignment table and the Proposed Channel Assignment table. The locked devices keep their current channels.
The proposed channels that are to be assigned to each WAP device when the next update occurs. The locked
channels are not reassigned—the optimization of channel distribution among the devices takes into account
that the locked devices must remain on their current channels. The WAP devices that are not locked may be
assigned to different channels than what they were previously using, depending on the results of the plan.
Refresh the page to see the new channel assignment table.
CHAPTER 8
Access Control
This chapter describes how to configure the ACL and the quality of service (QoS) feature on the WAP device.
It contains the following topics:
• ACL, on page 81
• Client QoS, on page 88
• Guest Access, on page 96
ACL
Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security
by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can block
any unwarranted attempts to reach network resources.
The WAP device supports up to 50 IPv4, IPv6, and MAC ACLs and up to 10 rules in each ACL. Each ACL
supports multiple interfaces.
Note There is an implicit deny at the end of every rule created. To avoid denying all, we strongly recommend that
you add a permit rule to the ACL to allow traffic.
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect fields of a frame such as the source or
destination MAC address, the VLAN ID, or the class of service. When a frame enters the WAP device port,
the WAP device inspects the frame and checks the ACL rules against the content of the frame. If any of the
rules match the content, a permit or deny action is taken on the frame.
• Rule Priority — When an ACL has multiple rules, the rules are applied to the packet or frame in order of priority.
A smaller number means a higher priority. The priority of the new rule will be the lowest of all explicit rules. Note
that there is always an implicit rule denying all traffic with lowest priority.
• Action — Choose whether to Deny or Permit the action. The default action is Deny.
When you choose Permit, the rule allows all traffic that meets the rule criteria to enter the WAP device. Traffic that
does not meet the criteria is dropped.
When you choose Deny, the rule blocks all traffic that meets the rule criteria from entering the WAP device. Traffic
that does not meet the criteria is forwarded unless this rule is the final rule. Because there is an implicit deny all rule
at the end of every ACL, traffic that is not explicitly permitted is dropped.
• Service (Protocol) — Uses a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol
field. You can choose one of these options:
• All Traffic — Allows all traffic that meets the rule criteria
• Select From List — Choose one of these protocols: IP, ICMP, IGMP, TCP, or UDP.
• Custom — Enter a standard IANA-assigned protocol ID from 0 to 255. Choose this method to identify a
protocol not listed in the Select From List.
• Source IPv4 Address — Requires the packet's source IP address to match the address defined in the appropriate
fields.
• Any— Allows for any IP address.
• Single Address — Enter the IP address to apply this criteria.
• Address/Mask — Enter the source IP address wild card mask. The wild card mask determines which bits are
used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A
wild card of 0.0.0.0 indicates that all bits are important.
A wild card mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host
address, use a wild card mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24),
use a wild card mask of 0.0.0.255.
• Source Port — Includes a source port in the match condition for the rule. The source port is identified in the datagram
header.
• All Traffic — Allows all traffic that meets the rule criteria.
• Select From List — Choose the keyword associated with the source port to match: ftp, ftpdata, http, smtp,
snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
• Custom — Enter the IANA port number to match to the source port identified in the datagram header. The
port range is 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private port
• Destination IPv4 Address — Requires a packet's destination IP address to match the address defined in the
appropriate fields.
• Any — Enter any IP address.
• Single Address — Enter an IP address to apply this criteria.
• Address/ Mask — Enter the destination IP address wild card mask. The wild card mask determines which bits
are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important.
A wild card of 0.0.0.0 indicates that all bits are important.
A wild card mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host
address, use a wild card mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24),
use a wild card mask of 0.0.0.255.
• Destination Port — Includes a destination port in the match condition for the rule. The destination port is identified
in the datagram header.
• Any — Any port that meets the rule criteria.
• Select From List — Choose the keyword associated with the destination port to match: ftp, ftpdata, http,
smtp, snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
• Custom — Enter the IANA port number to match to the destination port identified in the datagram header.
The port range is from 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private port
Step 7 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify an ACL, select the ACL and then click Delete or Edit.
To delete or modify a rule, select the rule in the Details Of Rule(s) area and click Delete or Edit.
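The rule priority, wildcard mask and implicit deny described above, worked through as an added Python example (not Cisco's code and not the device's implementation). It assumes first-match evaluation in priority order; the `Rule` fields, the `evaluate` function and the sample ACLs are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard 255.255.255.255: no bit is compared
TCP = 6                                # IANA protocol number for TCP


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard mask is 0."""
    compare = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    pkt = int(ipaddress.IPv4Address(packet_ip))
    base = int(ipaddress.IPv4Address(rule_ip))
    return (pkt & compare) == (base & compare)


@dataclass(frozen=True)
class Rule:
    priority: int                      # smaller number = higher priority
    action: str                        # "permit" or "deny"
    src: tuple = ANY                   # (address, wildcard mask)
    dst: tuple = ANY
    protocol: Optional[int] = None     # None = All Traffic
    dst_port: Optional[int] = None     # None = Any

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return (wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst))


def evaluate(rules, pkt):
    """Return (action, priority of the deciding rule).

    The priority is None when no explicit rule matched and the
    implicit deny at the end of the ACL decided the outcome.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action, rule.priority
    return "deny", None


# Constructed sample data: a /24 expressed as address + wildcard mask.
SUBNET = ("192.168.10.0", "0.0.0.255")

# Deny Telnet from the subnet first, then permit everything else from it.
SAMPLE_ACL = [
    Rule(priority=2, action="permit", src=SUBNET),
    Rule(priority=1, action="deny", src=SUBNET, protocol=TCP, dst_port=23),
]

# The same deny rule with no permit rule: every packet falls through
# to the implicit deny, so the ACL blocks all traffic.
DENY_ONLY_ACL = [
    Rule(priority=1, action="deny", src=SUBNET, protocol=TCP, dst_port=23),
]


def packet(src, dst_port, protocol=TCP, dst="203.0.113.5"):
    """Build a constructed test packet."""
    return {"src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port}


if __name__ == "__main__":
    samples = (packet("192.168.10.7", 23), packet("192.168.10.7", 443),
               packet("192.168.11.7", 443))
    for name, acl in (("SAMPLE_ACL", SAMPLE_ACL), ("DENY_ONLY_ACL", DENY_ONLY_ACL)):
        for pkt in samples:
            print(name, pkt["src"], pkt["dst_port"], evaluate(acl, pkt))
```
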
Configure IPv6 ACLs
• Rule Priority — When an ACL has multiple rules, the rules are applied to the packet or frame in order of priority.
A smaller number means a higher priority. The priority of the new rule will be the lowest of all explicit rules. You
can click the up or down button to change its priority. Note that there is always an implicit rule denying all traffic
with lowest priority.
• Action — Choose whether to Deny or Permit the action. The default action is Deny.
When you choose Permit, the rule allows all traffic that meets the rule criteria to enter the WAP device. Traffic that
does not meet the criteria is dropped.
When you choose Deny, the rule blocks all traffic that meets the rule criteria from entering the WAP device. Traffic
that does not meet the criteria is forwarded unless this rule is the final rule. Because there is an implicit deny all rule
at the end of every ACL, traffic that is not explicitly permitted is dropped.
• Service (Protocol) — Uses a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol
field. You can choose one of these options:
• All Traffic — Allows all traffic that meets the rule criteria.
• Select From List — Choose one of these protocols: IPv6, ICMPv6, IGMP, TCP, or UDP.
• Custom — Enter a standard IANA-assigned protocol ID from 0 to 255. Choose this method to identify a
protocol not listed in the Select From List.
• Source IPv6 Address — Requires the packet's source IP address to match the address defined in the appropriate
fields.
• Any— Allows for any IP address.
• Single Address — Enter the IP address to apply this criteria.
• Address/Mask — Enter the source IP address wild card mask. The wild card mask determines which bits are
used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A
wild card of 0.0.0.0 indicates that all bits are important.
A wild card mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host
address, use a wild card mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24),
use a wild card mask of 0.0.0.255.
• Source Port — Includes a source port in the match condition for the rule. The source port is identified in the datagram
header.
• Any— Allows for any source port.
• Select From List — Choose the keyword associated with the source port to match: ftp, ftpdata, http, smtp,
snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
• Custom — Enter the IANA port number to match to the source port identified in the datagram header. The
port range is 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private port
• Destination IPv6 Address — Requires a packet's destination IP address to match the address defined in the
appropriate fields.
• Any — Enter any IP address.
• Single Address — Enter an IP address to apply this criteria.
• Address/ Mask — Enter the destination IP address wild card mask. The wild card mask determines which bits
are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important.
A wild card of 0.0.0.0 indicates that all bits are important.
A wild card mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host
address, use a wild card mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24),
use a wild card mask of 0.0.0.255.
• Destination Port — Includes a destination port in the match condition for the rule. The destination port is identified
in the datagram header.
• Any — Any port that meets the rule criteria.
• Select From List — Choose the keyword associated with the destination port to match: ftp, ftpdata, http,
smtp, snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
• Custom — Enter the IANA port number to match to the destination port identified in the datagram header.
The port range is from 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private port
Step 7 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify an ACL, select the ACL and then click Delete or Edit.
To delete or modify a rule, select the rule in the Details Of Rule(s) area and click Delete or Edit.
Configure MAC ACLs
• Source MAC Address — Requires the packet's source MAC address to match the address defined in the appropriate
fields.
• Any — Allows for any source MAC address.
• Single Address — Enter the source MAC address to compare against an Ethernet frame.
• Address/ Mask — Enter the source MAC address mask specifying which bits in the source MAC to compare
against an Ethernet frame.
For each bit position in the MAC mask, a 0 indicates that the corresponding address bit is significant and a 1
indicates that the address bit is ignored. For example, to check only the first four octets of a MAC address, a
MAC mask of 00:00:00:00:ff:ff is used. A MAC mask of 00:00:00:00:00:00 checks all address bits and is used
to match a single MAC address.
• Destination MAC Address — Requires the packet's destination MAC address to match the address defined in the
appropriate fields.
• Any — Allows for any destination MAC address.
• Single Address — Enter the destination MAC address to compare against an Ethernet frame.
• Address/Mask — Enter the destination MAC address mask to specify which bits in the destination MAC to
compare against an Ethernet frame.
• Class Of Service — Specifies the class of service 802.1p user priority value.
• Any — Allows for any class of service.
• Custom — Enter an 802.1p user priority to compare against an Ethernet frame. The valid range is from 0 to
7.
Step 7 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify an ACL, select the ACL and then click Delete or Edit. To delete or modify a rule, select
the rule in the Details Of Rule(s) area and click Delete or Edit.
Client QoS
Client Quality Of Service (QoS) is used to control the wireless clients connected to the network, and manages
the bandwidth that is used. Client QoS can control the traffic such as the HTTP traffic or traffic from a specific
subnet by the use of Access Control Lists (ACLs). An ACL is a collection of permit and deny conditions,
called rules, that provide security and block unauthorized users and allow authorized users to access specific
resources. ACLs can block any unwarranted attempts to reach network resources.
Traffic Classes
The QoS feature contains Differentiated Services (DiffServ) support that allows traffic to be classified into
streams. It is also given a certain QoS treatment in accordance with defined per-hop behaviors.
The standard IP-based networks are designed to provide best-effort data delivery service. Best effort service
implies that the network delivers the data in a timely fashion, although there is no guarantee that it will. During
times of congestion, packets may be delayed, sent sporadically, or dropped. For typical Internet applications,
such as email and file transfer, a slight degradation in service is acceptable and in many cases unnoticeable.
However, on applications with strict timing requirements, such as voice or multimedia, any degradation of
service has undesirable effects.
A DiffServ configuration begins with defining class maps, which classify traffic according to their IP protocol
and other criteria. Each class map can then be associated with a policy map, which defines how to handle the
traffic class. Classes that include time-sensitive traffic can be assigned to the policy maps.
Configuring IPv4 Traffic Classes
Step 3 In the Traffic Class Name text box, enter the name for the new class map. The name can contain from 1 to 31 alphanumeric
and special characters. Spaces are not allowed.
Step 4 In the Class Type, choose IPv4 from the list. The IPv4 traffic class applies only to IPv4 traffic on the WAP device.
Step 5 Configure the following:
• Source Address — Requires a packet's source IPv4 address to match the IPv4 address defined in the appropriate
fields.
• Any — Any IPv4 address to be used as the source address.
• Single Address — Enter a single IPv4 address to apply this criteria.
• Address/Mask — Enter the source IPv4 address mask. The mask for DiffServ is a network-style bit mask in
IP dotted decimal format indicating which part(s) of the source IP address to use for matching against
packet content.
A DiffServ mask of 255.255.255.255 indicates that all bits are important, and mask of 0.0.0.0 indicates that no
bits are important. The opposite is true with an ACL wild card mask. For example, to match the criteria to a
single host address, use a mask of 255.255.255.255. To match the criteria to a 24-bit subnet (for example,
192.168.10.0/24), use a mask of 255.255.255.0.
• Destination Address — Requires a packet's destination IPv4 address to match the IPv4 address defined in the
appropriate fields.
• Any — Any IPv4 address to be used as the destination address.
• Single Address — Enter the IPv4 address to apply this criteria.
• Address/Mask — Enter the destination IP address mask.
• Select From List — Matches the selected protocol: IP, ICMP, IGMP, TCP or UDP.
• Custom — Matches a protocol that is not listed by name. Enter the protocol ID. The protocol ID is a standard
value assigned by IANA. The range is a number from 0 to 255.
Note If Protocol is All Traffic, Source Address and Destination Address are not optional.
• Source Port — Includes a source port in the match condition for the rule. The source port is identified in the datagram
header.
• Any — Any port is allowed as the source port.
• Select From List — Matches a keyword associated with the source port: ftp, ftpdata, http, smtp, snmp,
telnet, tftp or www. Each of these keywords translates into its equivalent port number.
• Custom — Matches the source port number in the datagram header to an IANA port number that you specify.
The port range is from 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well-Known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private ports
• Destination Port — Includes a destination port in the match condition for the rule. The destination port is identified
in the datagram header.
• Any — Any port is allowed as the destination port.
• Select From List — Matches a keyword associated with the destination port: ftp, ftpdata, http, smtp, snmp,
telnet, tftp or www. Each of these keywords translates into its equivalent port number.
• Custom — Matches the destination port number in the datagram header to an IANA port number that you specify.
The port range is from 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well-known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private ports
• Service Type — Specifies the type of service to use in matching the packets to the class criteria.
• Any — Allows for any type of service as a match criterion.
• IP DSCP Select from List — Choose a DSCP value to use as a match criterion.
• IP DSCP Match to Value — Enter a custom DSCP value from 0 to 63.
• IP Precedence — Matches the packet's IP precedence value to the IP precedence value defined in this field.
The IP precedence range is from 0 to 7.
• IP ToS Bits — Uses the packet's type of service (ToS) bits in the IP header as the match criteria. The IP ToS
bit value ranges from 00 to FF. The high-order three bits represent the IP precedence value. The high-order
six bits represent the IP DSCP value.
• IP ToS Mask — Enter an IP ToS Mask value to identify the bit positions in the IP ToS Bits value that are used
for comparison against the IP ToS field in a packet.
The IP ToS Mask value is a two-digit hexadecimal number from 00 to FF. The nonzero-valued bits in the IP
ToS Mask denote the bit positions in the IP ToS Bits value that are used for comparison against the IP ToS
field of a packet.
Step 7 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify a class map, select the Traffic Class Name from the list and click Delete or Edit. The
class map cannot be deleted if it is already attached to a policy.
Configuring IPv6 Traffic Classes
Step 3 In the Traffic Class Name field, enter the name for the new class map. The name can contain from 1 to 31 alphanumeric
and special characters. Spaces are not allowed.
Step 4 Choose IPv6 as the type of traffic class from the list. The IPv6 traffic class applies only to IPv6 traffic on the WAP
device.
Step 5 Configure the following:
• Source Address — Requires a packet's source IPv6 address to match the IPv6 address defined in the appropriate
fields.
• Any — Any IPv6 address to be used as the source address.
• Single Address — Enter the IPv6 address to apply this criteria.
• Address/Mask — Enter the prefix length of the source IPv6 address.
• Destination Address — Requires a packet's destination IPv6 address to match the IPv6 address defined in the
appropriate fields.
• Any — Any IPv6 address to be used as the destination address.
• Single Address — Enter the IPv6 address to apply this criteria.
• Address/Mask — Enter the destination IPv6 address and the prefix length of the destination IPv6 address.
• Select From List — Matches the selected protocol: IPv6, ICMPv6, TCP or UDP.
• Custom — Matches a protocol that is not listed by name. Enter the protocol ID. The protocol ID is a standard
value assigned by IANA. The range is a number from 0 to 255.
• Source Port — Includes a source port in the match condition for the rule. The source port is identified in the datagram
header.
Note If Protocol is All Traffic, Source Address and Destination Address are not optional.
• Destination Port — Includes a destination port in the match condition for the rule. The destination port is identified
in the datagram header.
• Any — Any port is allowed as the destination port.
• Select From List — Matches a keyword associated with the destination port: ftp, ftpdata, http, smtp, snmp,
telnet, tftp or www. Each of these keywords translates into its equivalent port number.
• Custom — Matches the destination port number in the datagram header to an IANA port number that you specify.
The port range is from 0 to 65535 and includes three different types of ports:
• 0 to 1023 — Well-known ports
• 1024 to 49151 — Registered ports
• 49152 to 65535 — Dynamic and/or private ports
• IPv6 Flow Label — The Flow Label is used by a node to label packets in a flow.
• Any — Any 20-bit number that is unique to an IPv6 packet.
• User Defined — Enter a 20-bit number that is unique to an IPv6 packet. It is used by end stations to signify
QoS handling in routers (range 0 to FFFFF).
• Service Type — Specifies the type of service to use in matching the packets to the class criteria.
• Any — Allows for any type of service as a match criterion.
• IP DSCP Select from List — Choose a DSCP value to use as a match criterion.
• IP DSCP Match to Value — Enter a custom DSCP value from 0 to 63.
Step 7 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify a class map, select the Traffic Class Name from the list and click Delete or Edit. The
class map cannot be deleted if it is already attached to a policy.
Configuring MAC Traffic Classes
Step 3 In the Traffic Class Name field, enter the name for the new class map. The name can contain from 1 to 31 alphanumeric
and special characters. Spaces are not allowed.
Step 4 Choose MAC as the type of class map from the Class Type list. The MAC class map applies to Layer 2 criteria.
Step 5 Source Address — Includes a source MAC address in the match condition for the rule.
• Any — Any MAC address to be used as the source address.
• Single Address — Enter the source MAC address to compare against an Ethernet frame.
• Address/Mask — Enter the source MAC address mask specifying which bits in the source MAC address to
compare against an Ethernet frame.
For each bit position in the MAC mask, a 1 indicates that the corresponding address bit is significant and a 0 indicates
that the address bit is ignored. For example, to check only the first four octets of a MAC address, a MAC mask of
ff:ff:ff:ff:00:00 is used. A MAC mask of ff:ff:ff:ff:ff:ff checks all address bits and is used to match a single MAC
address.
Step 6 Destination Address — Includes a destination MAC address in the match condition for the rule.
• Any — Any MAC address to be used as the destination address.
• Single Address — Enter the destination MAC address to compare against an Ethernet frame.
• Address/Mask — Enter the destination MAC address mask specifying which bits in the destination MAC address
to compare against an Ethernet frame.
Note If Protocol is All Traffic, Source Address and Destination Address are not optional.
• Class Of Service — Specifies the class of service 802.1p user priority value.
• Any — Allows for any class of service.
• User Defined — Enter an 802.1p user priority to compare against an Ethernet frame. The valid range is from
0 to 7.
Step 8 Click OK. The changes are saved to the Startup Configuration.
Note To delete or modify a class map, choose the class map from the list and click Delete or Edit. The class map
cannot be deleted if it is already attached to a policy.
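The ACL wildcard masks (0 = compare) and the traffic-class masks (1 = compare) described in this chapter are bitwise inverses, for both IPv4 and MAC values. The following added Python example (not from the guide or the device firmware) converts between the two conventions and flags a mask entered in the wrong one; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def parse(value: str):
    """Return (integer, bit width) for a dotted IPv4 or colon-separated MAC value."""
    if ":" in value:
        return int(value.replace(":", ""), 16), 48
    return int(ipaddress.IPv4Address(value)), 32


def render(number: int, width: int) -> str:
    """Format an integer back into MAC (48-bit) or IPv4 (32-bit) notation."""
    if width == 48:
        raw = f"{number:012x}"
        return ":".join(raw[i:i + 2] for i in range(0, 12, 2))
    return str(ipaddress.IPv4Address(number))


def compared_bits(mask: str, convention: str):
    """Return (bits that take part in the comparison, width).

    convention "acl":      0 = compare, 1 = ignore (wildcard mask)
    convention "diffserv": 1 = compare, 0 = ignore (network-style mask)
    """
    raw, width = parse(mask)
    full = (1 << width) - 1
    return ((~raw & full) if convention == "acl" else raw), width


def convert(mask: str) -> str:
    """Translate a mask from one convention to the other (bitwise inverse)."""
    raw, width = parse(mask)
    return render(~raw & ((1 << width) - 1), width)


def matches(candidate: str, base: str, mask: str, convention: str) -> bool:
    """Apply the mask under the given convention and compare the two values."""
    care, _ = compared_bits(mask, convention)
    return (parse(candidate)[0] & care) == (parse(base)[0] & care)


def is_prefix(care: int, width: int) -> bool:
    """True when the compared bits are contiguous from the high-order end."""
    ignored = ~care & ((1 << width) - 1)
    return (ignored & (ignored + 1)) == 0


def lint(mask: str, convention: str) -> str:
    """Classify a mask as "ok", "inverted" (wrong convention) or "non-contiguous"."""
    care, width = compared_bits(mask, convention)
    if is_prefix(care, width):
        return "ok"
    if is_prefix(~care & ((1 << width) - 1), width):
        return "inverted"
    return "non-contiguous"


if __name__ == "__main__":
    # Constructed inputs: the same /24 written in each convention.
    print(convert("0.0.0.255"))                 # ACL wildcard -> DiffServ mask
    print(convert("00:00:00:00:ff:ff"))         # ACL MAC mask -> DiffServ MAC mask
    # A subnet mask typed into an ACL wildcard field compares only the last
    # octet, so the rule misses the intended subnet and hits unrelated hosts.
    print(lint("255.255.255.0", "acl"))
    print(matches("192.168.10.7", "192.168.10.0", "255.255.255.0", "acl"))
    print(matches("10.1.2.0", "192.168.10.0", "255.255.255.0", "acl"))
```
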
QoS Policy
Packets are classified and processed based on the defined criteria. The classification criteria are defined by a
class on the Traffic Classes page. The processing is defined by policy attributes on the QoS Policy page.
Policy attributes may be defined on a per-class instance basis and determine how traffic that matches the class
criteria is handled.
The WAP device can hold up to 50 policies and up to 10 classes in each policy.
To add and configure a policy map:
• Drop — Specifies that all packets for the associated traffic stream are to be dropped if the traffic class criteria
is met.
• Remark Traffic — Marks all packets for the associated traffic stream with the specified class of service value in
the priority field of the 802.1p header. If the packet does not already contain this header, one is inserted. The CoS
value is an integer from 0 to 7.
• Remark COS — Network traffic can be partitioned into multiple priority levels or Classes of Service. CoS
values range from 0 to 7 with 0 as the lowest priority and 7 as the highest priority.
• Remark DSCP — Specifies a particular per-hop behavior (PHB) that is applied to a packet, based on the QoS
provided. Select a value from the drop-down list.
• Remark IP Precedence — Marks all packets for the associated traffic stream with the specified IP precedence
value. The IP precedence value is an integer from 0 to 7.
Step 5 Click ✚ . You can add another class map. The class map count for this specific policy has the maximum limit of 10.
Step 6 Click Apply.
Note To delete or modify a QoS policy, select the QoS policy from the list and click Delete or Edit.
QoS Association
The QoS Association page provides additional control over certain QoS aspects of the wireless and Ethernet
interface.
In addition to controlling the general traffic categories, the QoS allows you to configure the per-client
conditioning of the various microflows through the QoS Policy Name. The QoS Policy Name is a useful tool
for establishing general microflow definition and treatment characteristics that can be applied to each wireless
client, both inbound and outbound, when it is authenticated on the network.
To configure the QoS Association parameters:
Global Settings
This feature is relevant to the WAP361 device.
Use the Global Settings page to enable or disable the QoS functionality on the WAP device, and configure
the trust mode and other QoS settings if you are using a Cisco WAP361 device.
Follow the instructions below, if you are using a Cisco WAP361 device and the QoS mode is enabled. This
helps configure the trust mode and other settings for the Ethernet switch:
Guest Access
You can create up to two CP instances on the WAP device. The CP instance is a defined set of instance
parameters. The instance can be associated with one or more VAPs.
When a wireless client connects to a VAP and accesses any URL, the client is redirected to the Web
Portal Locale page, which you have configured in the Access Control/Guest Access page.
The Web Portal Locale Table defines the display style of the authentication web page, while the Guest Group
Table defines the users' usernames and passwords.
To configure Guest Access Instance:
Step 1 Edit Web Portal Locale Table to design the display of the authentication web page. Click the Preview tab to view the
display.
Step 2 Edit the Guest Group Table, click the value link on Total Guest Users number to add a user and click Apply.
Step 3 Configure the Guest Access Instance Table, select Guest Group and Web Portal Locale which you configured by
using the above steps.
Step 4 Go to Wireless > Networks to associate the VAP Guest Access and configure the Guest Access Instance.
• Authentication Method — Choose the authentication method for CP to use to verify the clients. The options are:
• Local Database — The WAP device uses a local database to authenticate the users. Configure the following
if using the Local Database setting.
• Guest Group—Enter a name for the guest group.
• Idle Timeout (min.)—Enter the time in minutes for idle timeout.
• Maximum Bandwidth Up (Mbps)— Enter the maximum upload speed, in megabits per second, that a
client can transmit traffic when using the Captive Portal. This setting limits the bandwidth used to send
data into the network. The range is from 0 to 1733Mbps. The default value is 0.
• Maximum Bandwidth Down (Mbps)— Enter the maximum download speed, in megabits per second,
that a client can receive traffic when using the Captive Portal. This setting limits the bandwidth used to
receive data from the network. The range is from 0 to 1733Mbps. The default value is 0.
• Total Guest Users— Total number of guest users.
• Radius Authentication — The WAP device uses a database on a remote RADIUS server to authenticate the
users. Configure the following if using the Radius Authentication setting.
• RADIUS IP Network — Select the Radius IP network from the drop down list (IPv4 or IPv6).
• Global RADIUS— Check Enable to enable global RADIUS. If you want the CP feature to use a different
set of RADIUS servers, uncheck the box and configure the servers in the fields on this page.
• RADIUS Accounting — Check Enable to track and measure the resources that a particular user has
consumed, such as the system time and the amount of data transmitted and received.
If you enable RADIUS accounting, it is enabled for the primary RADIUS server, all backup servers, and
all configured servers.
• Server IP Address-1 or Server IPv6 Address-1— Enter the IPv4 or IPv6 address for the primary RADIUS
server for this VAP. The IPv4 address should be in a form similar to xxx.xxx.xxx.xxx (192.0.2.10). The
IPv6 address should be in a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
(2001:DB8:CAD5:7D91).
When the first wireless client tries to authenticate with a VAP, the WAP device sends an authentication
request to the primary server. If the primary server responds to the authentication request, the WAP device
continues to use this RADIUS server as the primary server, and the authentication requests are sent to the
specified address.
• Server IP Address-2 or Server IPv6 Address-2 — Enter up to three IPv4 or IPv6 backup RADIUS server
addresses. If the authentication fails with the primary server, each configured backup server is tried in
sequence.
• Key-1— Enter the shared secret key that the WAP device uses to authenticate to the primary RADIUS
server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive and
must match the key configured on the RADIUS server. The text that you enter is shown as asterisks.
• Key-2 — Enter the RADIUS key associated with the configured backup RADIUS servers. The server at
Server IP Address-1 uses Key-1, Server IP Address-2 uses Key-2, and so on.
Note Cisco integrates data protection, privacy, and security requirements into product design and
development methodologies from ideation through launch. For more information, see
https://www.cisco.com/c/en/us/about/trust-center/gdpr.html.
• Active Directory Service — The WAP device uses a database on a remote ADS server to authenticate the
users. Configure the following if using the Active Directory Service authentication setting.
• Active Directory Servers — Add a new ADS server by clicking the ✚ icon. You can add up to 3 servers.
Use the arrows to move and prioritize the servers. Choose the trash can to delete the configuration. Use Test
to check whether the ADS server is valid.
• External Capture Portal — The WAP device uses an external site to customize the captive portal page and
authenticate users on it. For this purpose, it uses Purple WiFi (https://purple.ai/) as the external site.
In the Purple WiFi page, create a Purple account and register. Specify the venue and location when requested.
Add the hardware details based on the MAC address of the WAP. This generates a User Guide with all the
required information for configuring the External Capture Portal (EXCAP) interface on the WAP.
Note Make sure that your Purple WiFi account is configured correctly before onboarding the Cisco AP. This
ensures that the Purple WiFi redirection service functions properly.
• Splash Page URL — Enter the URL (including https://) for the portal page which is obtained after
successful registration into the Purple WiFi. The range is 0 to 256 characters. The EXCAP hosts the initial
login page called the splash page on the cloud or on an external web server which may be outside the AP
network. For example: https://region3.purpleportal.net/access/ if your region is ASIA-PACIFIC in Purple
Wi-Fi.
• Walled Garden — Specify a list of domains that users can access before passing through the Web portal
page. Items in the list should be separated by a comma, and domains can include wildcards in the form of
an asterisk (*). The length of each domain cannot be greater than 100. The total length of the
Walled Garden must be less than 4096. The following options should be set if you want to use them on
Purple Wi-Fi’s EXCAP solution:
Instagram instagram.com
(Optional)
• RADIUS Server IP Address-1 — Enter the IPv4 address for the primary RADIUS server for this VAP.
The IPv4 address should be in a form similar to xxx.xxx.xxx.xxx.
When the first wireless client tries to authenticate with a VAP, the WAP device sends an authentication
request to the primary server. If the primary server responds to the authentication request, the WAP device
continues to use this RADIUS server as the primary server, and the authentication requests are sent to the
specified address.
• RADIUS Server IP Address-2 — Enter the IPv4 backup RADIUS server addresses. If the authentication
fails with the primary server, the configured backup server is tried.
• Key-1 — Enter the shared secret key that the WAP device uses to authenticate to the primary RADIUS
server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive and
must match the key configured on the RADIUS server. For example, the secret can be 6n8!5ETGb^nd if
you use Purple Wi-Fi. The text that you enter is shown as asterisks.
• Key-2 — Enter the RADIUS key associated with the configured backup RADIUS servers. The server at
Server IP Address-1 uses Key-1, Server IP Address-2 uses Key-2.
For Purple WiFi, Server IP Address-1 and Address-2 vary by region. The table below
specifies them:
• RADIUS Accounting — Check Enable to track and measure the resources that a particular user has
consumed, such as the system time and the amount of data transmitted and received.
If you enable RADIUS accounting, it is enabled for the primary RADIUS server and the backup server.
• Guest Group — If the Authentication Method is set to Local Database or Radius Authenticated, select a Guest
Group that was created previously. All users who belong to the group are permitted to access the network through
this portal.
• Redirect URL — To enable the URL Redirect, enter the URL (including http://). The range is from 0 to 256
characters.
• Session Timeout (min.) — Enter the time remaining, in minutes, for the CP session to be valid. After the time
reaches zero, the client is de-authenticated. The range is from 0 to 1440 minutes. The default value is 0. The session
timeout obtained from the RADIUS server overrides the user-configured timeout in the event of a session timeout.
• Web Portal Locale — Select a web portal locale that was created previously from the drop-down list.
Step 4 Click Apply. Your changes are saved to the Startup Configuration.
Note Redirect URL and Web Portal Locale are not used in EXCAP mode.
Refer to the hardware manual in Purple Wi-Fi for more detailed EXCAP settings.
The default value is 60. The timeout value configured here has precedence over the value configured for the CP
instance, unless the user value is set to 0. When it is set to 0, the timeout value configured for the CP instance is
used.
• Maximum Bandwidth Up — Enter the maximum upload speed, in megabits per second, that a client can transmit
traffic when using the Captive Portal. This setting limits the bandwidth used to send data into the network. The range
is from 0 to 1733 Mbps. The default is 0.
• Maximum Bandwidth Down — Enter the maximum download speed, in megabits per second, that a client can
receive traffic when using the Captive Portal. This setting limits the bandwidth used to receive data from the network.
The range is from 0 to 1733 Mbps. The default is 0.
• Total Guest Users — Displays the number of total guest users. Click the value link on the Total Guest Users to
display the Guest User Account page.
You can create up to three different authentication pages with different locales on your network.
Step 3 In the Web Portal Customization page, configure the following parameters:
• Web Portal Locale Name — Enter a web locale name to assign to the page. The name can be from 1 to 32
alphanumeric characters.
Step 4 The Guest Access Instance Name cannot be edited. The editable fields are populated with default values. Configure the
following parameters:
• Guest Access Instance Name — Displays the name of the guest access instance.
• Background Image — Click Browse to choose the image. You can click Upload to upload the images for CP
instances. The filesize must be 64K or less.
• Logo Image — Click Browse to choose the logo image. You can click Upload to upload the logo images. The
filesize must be 64K or less.
• Foreground Color — Enter the HTML code for the foreground color in 6-digit hexadecimal format. The range is
from 1 to 32 characters. The default is #FFFFFF.
• Background Color — Enter the HTML code for the background color in 6-digit hexadecimal format. The range is
from 1 to 32 characters. The default is #FFFFFF.
• Separator Color — Enter the HTML code for the color of the thick horizontal line that separates the page header
from the page body, in 6-digit hexadecimal format. The range is from 1 to 32 characters. The default is #FFFFFF.
• Account Image — Click Browse to choose the image. You can click Upload to upload the account images. The
filesize must be 64K or less per alert message.
• Fonts—Select a font from the drop down list. This font will be used when displaying all text.
• Account Prompting — Enter a user name. The range is from 1 to 32 characters.
• Username Prompting — The label for the user name text box. The range is from 1 to 32 characters.
• Password Prompting — The label for the user password text box. The range is from 1 to 64 characters.
• Button Prompting — The label on the button that users click to submit their user name and password for
authentication. The range is from 2 to 32 characters. The default is Connect.
• Browser Head Prompting — The text that appears in the browser title bar. The range is from 1 to 128 characters.
The default is Captive Portal.
• Portal Title Prompting — The text that appears in the page header, to the right of the logo. The range is from 1 to
128 characters. The default is Welcome to the Wireless Network.
• Account Tips Prompting — The text that appears in the page body below the user name and password text boxes.
The range is from 1 to 256 characters. The default is To start using this service, enter your credentials and click the
connect button.
• Acceptance Policy — The text that appears in the Acceptance Use Policy box. The range is from 1 to 4096 characters.
The default is Acceptance Use Policy.
• Acceptance Prompting — The text that instructs users to select the check box to acknowledge reading and accepting
the Acceptance Use Policy. The range is from 1 to 128 characters.
• No Acceptance Warning — The text that appears in a pop-up window when a user submits login credentials without
selecting the Acceptance Use Policy check box. The range is from 1 to 128 characters.
• Work In Progress Prompting—The text that appears during the authentication process. The range is from 1 to 128
characters.
• Invalid Credentials Prompting — The text that appears when a user fails the authentication. The range is from 1
to 128 characters.
• Connect Success Prompting — The text that appears when the client has authenticated to the VAP. The range is
from 1 to 128 characters.
• Welcome Prompting — The text that appears when the client has connected to the network. The range is from 1
to 256 characters.
• Restore — Deletes the current locale.
Step 5 Click Apply. Your changes are saved to the Startup Configuration.
Step 6 Click Preview to view the updated page.
Clicking Preview will show the text and the images that have already been saved to the Startup Configuration. If you
make a change, click Apply before clicking Preview to see your changes.
CHAPTER 9
Cisco Umbrella
This chapter describes how to configure the Cisco Umbrella service. It contains the following topics:
• Cisco Umbrella, on page 105
Cisco Umbrella
Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet.
It acts as a gateway between the internet and your systems and data to block malware, botnets and phishing
over any port, protocol or app.
Using an Umbrella account, the integration will transparently intercept DNS queries and redirect them to
Umbrella. This device will appear in the Umbrella dashboard as a network device for applying policy and
viewing reports.
Step 1 Check the check box to enable the Cisco Umbrella functionality.
Step 2 Enter the Secret and API Key which you obtain from the Cisco Umbrella website in the required fields.
Note Log in to your Cisco Umbrella account at https://login.umbrella.com/ and go to the dashboard. Navigate
to Admin > Platform API Keys to add a name and create the Secret and Key information.
Step 3 Enter the domain names that you trust in the Local Domains to Bypass (optional) field. Packets for these domains
reach the destination without going through Umbrella. Items in the list should be separated by a comma, and the domains
can include wildcards in the form of an asterisk (*). For example: *.cisco.com.*.
Note This is required for all intranet domains and split DNS domains.
Step 4 Enter a tag name in the Device Tag (optional) field to tag the device. The Device Tag describes the device or a particular
origin assigned to the device. Ensure it is unique to your organization.
Note Any change in the Secret, API Key and the Device Tag will trigger re-registration to create a network device.
Step 6 Click Apply to apply these configurations. The status of the registration is indicated in the Registration Status field.
The status can be Successful, Registering or Failed.
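The Walled Garden field in the Access Control chapter and the Local Domains to Bypass field above take the same kind of list: comma-separated domains with asterisk wildcards, and every entry is traffic that skips the portal or Umbrella. The following is an added example, not Cisco code, that reviews such a list before it is pasted into the GUI. The matching semantics (`*` matches any run of characters), the "too broad" policy and the sample list are assumptions; the 100 and 4096 limits are the ones this guide states for the Walled Garden.

```python
import re

# Limits stated in this guide for the Walled Garden field.
WALLED_GARDEN_LIMITS = {"max_entry": 100, "max_total": 4096}

ALLOWED_CHARS = re.compile(r"[a-z0-9.*-]+")
# A '*' that touches a character other than '.' (assumed review policy).
OFF_BOUNDARY = re.compile(r"\*[^.]|[^.]\*")

# Constructed sample list, not taken from the guide.
SAMPLE_LIST = "*.example.net, instagram.com, *.com, *example.org,, login.example.net"


def parse_domain_list(raw):
    """Split the comma-separated field into trimmed, lower-cased entries."""
    return [item.strip().lower() for item in raw.split(",")]


def concrete_labels(entry):
    """Labels without a wildcard: '*.example.net' -> ['example', 'net']."""
    return [lab for lab in entry.split(".") if lab and "*" not in lab]


def audit_domain_list(raw, max_entry=None, max_total=None):
    """Return (entry, problem) pairs; an empty result means nothing to review.

    Pass WALLED_GARDEN_LIMITS for the Walled Garden. The guide states no
    length limits for the Umbrella bypass list, so call it without limits.
    """
    findings = []
    if max_total is not None and len(raw) >= max_total:
        findings.append(("<list>", f"total length {len(raw)} is not less than {max_total}"))
    for entry in parse_domain_list(raw):
        if not entry:
            findings.append((entry, "empty item (stray comma)"))
            continue
        if max_entry is not None and len(entry) > max_entry:
            findings.append((entry, f"longer than {max_entry} characters"))
        if not ALLOWED_CHARS.fullmatch(entry):
            findings.append((entry, "unexpected character"))
        elif OFF_BOUNDARY.search(entry):
            # '*example.org' would also cover 'notexample.org'.
            findings.append((entry, "wildcard is not a whole label"))
        elif "*" in entry and len(concrete_labels(entry)) < 2:
            # '*', '*.*' or '*.com' exempts far more than one organization.
            findings.append((entry, "wildcard covers a whole TLD or everything"))
    return findings


def matches(host, entry):
    """Assumed semantics: '*' matches any run of characters, dots included."""
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return re.fullmatch(pattern, host.lower()) is not None


def bypassed_by(host, raw):
    """Entries of the list that would let this host skip the portal/Umbrella."""
    return [e for e in parse_domain_list(raw) if e and matches(host, e)]


if __name__ == "__main__":
    for entry, problem in audit_domain_list(SAMPLE_LIST, **WALLED_GARDEN_LIMITS):
        print(f"{entry or '(empty)'}: {problem}")
    print(bypassed_by("notexample.org", SAMPLE_LIST))
```

Under the assumed semantics, `*.example.net` does not cover the bare `example.net`, so list the apex separately when it is needed rather than loosening the wildcard.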
CHAPTER 10
Monitor
This chapter describes how to display status and statistics of the WAP device. It contains the following topics:
• Dashboard, on page 107
• Single Point Setup Status, on page 110
• Clients, on page 111
• Guests, on page 113
Dashboard
The Dashboard displays the throughput status, and provides you with easy steps to configure or monitor your
network device. This page is updated every 30 seconds.
Connected Clients
The total number of clients currently associated with the WAP device. Click the box to be redirected to the
Clients page.
Internet/LAN/Wireless
Round icons on the top right of the page show Internet, LAN and wireless connection status.
Internet
• Red round — No Internet connection.
• Green round — Internet connection is good.
LAN
• Red round — No wired connection.
• Green round — Wired connection.
5G Radio Throughput
This line chart displays 5G Radio Throughput and updates every 30 seconds.
• Upload—Throughput of the last 30 seconds transmitted.
• Download—Throughput of the last 30 seconds received.
Network Usage
This line chart displays the eth throughput.
• Upload—Throughput of the last 30 seconds transmitted.
• Download—Throughput of the last 30 seconds received.
LAN Status
Click on the LAN circle to display the following configuration and status settings on the LAN interface.
• MAC Address — The MAC address of the WAP device.
• IP Address — The IP address of the WAP device.
• Subnet Mask — The subnet mask of the WAP device.
Note These settings apply to the LAN interface. Click Edit to change any of these settings. You will be redirected
to the LAN page.
Click Refresh to refresh the screen and show the most current information.
Click Back to return to the Dashboard page.
Wireless Status
Click the Wireless circle to display the wireless radio interfaces, such as:
• Wireless Radio — The wireless radio mode is enabled or disabled for the radio interface.
• MAC Address — The MAC address associated with the radio interface.
• Mode — The 802.11 mode (a/b/g/n/ac) used by the radio interface.
• Channel — The channel used by the radio interface.
• Operational bandwidth — The operational bandwidth used by the radio interface.
Click Edit to change any of these settings. You will be redirected to the Radio page.
Click Refresh to refresh the screen and show the most current information.
Click Back to return to the Dashboard page.
Interface Status
The Interface Status table displays the following status information for each Virtual Access Point (VAP) and
on each Wireless Distribution System (WDS) interface:
• Network Interface — The wireless interface of the WAP device.
• Name (SSID) — The wireless interface name.
• Status — The administrative status (up or down) of the VAP.
• MAC Address — The MAC address of the radio interface.
Traffic Statistics
The Traffic Statistics page shows the real-time transmit and receive statistics for the Ethernet interface, the
Virtual Access Points (VAPs), and all WDS interfaces. All transmit and receive statistics reflect the totals
since the WAP device was last started. If you reboot the WAP device, these figures indicate the transmit and
receive totals since the reboot.
To view traffic statistics, select Monitor > Dashboard > Quick Access > Traffic Statistics.
The following information is displayed:
• Interface—Name of the Ethernet interface, each VAP interface, and each WDS interface. The name for
each VAP interface is followed by its SSID in parentheses.
• Total Packets—The total number of packets sent and received by the WAP device is displayed in the
Transmit Traffic Statistics table and the Receive Traffic Statistics table respectively.
• Total Bytes—The total number of bytes sent and received by the WAP device is displayed in the Transmit
Traffic Statistics table and the Receive Traffic Statistics table respectively.
• Total Dropped Packets—The total number of dropped packets sent and received by the WAP device
is displayed in the Transmit Traffic Statistics table and the Receive Traffic Statistics table respectively.
• Total Dropped Bytes—The total number of dropped bytes sent and received by the WAP device is
displayed in the Transmit Traffic Statistics table and the Receive Traffic Statistics table respectively.
• Errors—The total number of errors related to sending and receiving data on the WAP device.
Clients
The Clients page displays the client stations associated with the device.
Total Number of Associated Clients—The total number of clients on the WAP device.
Client Summary
Displays the client summary by 802.11 client type currently on the device.
Average Bandwidth
Displays the average client bandwidth in Mbps.
• Upload — Throughput of the last 30 seconds transmitted.
• Download — Throughput of the last 30 seconds received.
Local Clients
• Clients Details — The hostname and MAC address of the associated wireless client.
• IP Address— The IP address of the associated wireless client.
• Network (SSID) — The Service Set Identifier (SSID) for the WAP device. The SSID is an alphanumeric
string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to
as the Network Name.
• Mode — The IEEE 802.11 mode being used on the client, such as IEEE 802.11a, IEEE 802.11b, IEEE
802.11g, IEEE 802.11n or IEEE 802.11ac.
• Data Rate — The current transmitting data rate.
• Channel — The channel on which the client is currently connected. The channel defines the
portion of the radio spectrum that the radio uses for transmitting and receiving. You can use the Radio
page to set the channel.
• Traffic (Up /Down) — The total number of bytes sent (Up) or received (Down) by the client device.
• SNR (dB) — Displays the SNR (Signal to Noise ratio) strength in decibels (dB).
• Throughput Meter — The last 30 seconds' throughput / Data Rate.
Note You can order the clients through Clients Details, Network (SSID), and so on.
You can filter the clients through Clients Details, Network (SSID), and so on.
• SNR (dB)—A number representing the strength of the SNR (Signal to Noise ratio) in decibels (dB)
appears.
• Throughput Meter—The last 30 seconds' throughput/Data Rate.
Note You can order and filter the clients through Clients Details, Network (SSID), and so on.
Guests
The Guests page provides two tables. One is the Authenticated Clients table, which displays the clients that
have authenticated on any Captive Portal instance. The other one is the Failed Clients table, which displays
information on the clients that attempted to authenticate on a Captive Portal and failed.
To view the list of authenticated clients or the list of clients who failed the authentication, select Monitor >
Guests.
The following information is displayed:
• MAC — The MAC address of the client.
• IP Address — The IP address of the client.
• User Name — The Captive Portal user name of the client.
• Protocol — The protocol that the user used to establish the connection (HTTP or HTTPS).
• Verification — The method used to authenticate the user on the Captive Portal, which can be one of
these values:
• GUEST — The user does not need to be authenticated by a database.
• LOCAL— The WAP device uses a local database to authenticate the users.
• RADIUS — The WAP device uses a database on a remote RADIUS server to authenticate the users.
• FACEBOOK —The WAP device uses Facebook accounts to authenticate users.
• GOOGLE — The WAP device uses Google accounts to authenticate users.
• ACTIVE DIRECTORY SERVER — The WAP device uses the database on Active Directory
server to authenticate the users.
• EXCAP — The WAP device uses External Capture Portal to authenticate users.
• VAP/Radio ID — The VAP and radio that the user is associated with.
• Captive Portal ID— The ID of the Captive Portal instance to which the user is associated.
• Timeout — The time remaining, in seconds, for the CP session to be valid. After the time reaches zero,
the client is de-authenticated.
• Away Time — The time remaining, in seconds, for the client entry to be valid. The timer starts when
the client dissociates from the CP. After the time reaches zero, the client is de-authenticated.
• UP/Down (MB) — The number of bytes transmitted and received by the WAP device from the user
station.
• Failure Time — The time at which the authentication failure occurred. A timestamp is included that
shows the time of the failure.
You can click Export to download the current Authenticated/Failed clients message.
CHAPTER 11
Troubleshoot
This chapter describes how to configure Packet Capture over multiple WAP devices for troubleshooting. It
includes the following topics:
• Spectrum Intelligence, on page 115
• Packet Capture, on page 115
• Support Information, on page 121
Spectrum Intelligence
The Spectrum Intelligence page provides the status of the spectrum analyzer capability and the link to
view the spectrum data. The following page describes details about the Spectrum Analyzer.
Enable Spectrum Analysis Mode—The Spectrum Analysis Mode is either Dedicated Spectrum Analyzer
or Hybrid Spectrum Analyzer or 3+1 Spectrum Analysis.
Packet Capture
The wireless packet capture feature enables capturing and storing the packets received and transmitted by the
WAP device. The captured packets can then be analyzed by a network protocol analyzer for troubleshooting
or performance optimization.
There are two methods of packet capture:
• Local Capture Method — Captured packets are stored in a file on the WAP device. The WAP device
can transfer the file to a TFTP server. The file is formatted in pcap format and can be examined using
Wireshark. You can choose Save File on this Device to select the local capture method.
• Remote Capture Method — Captured packets are redirected in real time to an external computer running
Wireshark. You can choose Stream to a Remote Host to select the remote capture method.
Captured packets can also be redirected in real time to CloudShark, a web-based packet decoder and analyzer
site that is similar to the Wireshark UI for packet analysis. You can choose Stream to CloudShark to select
this remote capture method.
Use the Packet Capture page to configure the parameters of the packet capture, start a local or remote packet
capture, view the current packet capture status, and download a packet capture file.
• Duration — Enter the time duration in seconds for the capture. The range is from 10 to 3600. The default is 60.
• Max File Size — Enter the maximum allowed size for the capture file in kilobytes (KB). The range is from 64 to
4096. The default is 1024.
Step 5 Click Enable Filters. There are three checkboxes available (Ignore Beacons, Filter on Client, Filter on SSID).
• Ignore Beacons — Enables or disables the capturing of 802.11 beacons detected or transmitted by the radio.
• Filter on Client — Specifies the MAC address for WLAN client filter. Note that the Client filter is active only when
a capture is performed on an 802.11 interface.
• Filter on SSID — Select an SSID name for packet capture.
Step 6 Click Apply. The changes are saved to the Startup Configuration.
Step 7 Click Start Capture and then click Refresh to obtain the Packet Capture Status, which contains the following data:
a) Current Capture Status
b) Packet Capture Time
c) Packet Capture File Size
In Packet File Capture mode, the WAP device stores the captured packets in the RAM file system. Upon activation, the
packet capture proceeds until one of these events occurs:
• The capture time reaches the configured duration.
• The capture file reaches its maximum size.
• The administrator stops the capture.
Note Although remote packet capture is not supported on Linux, the Wireshark tool works under Linux, and
capture files that were already created can be viewed.
When the remote capture mode is in use, the WAP device does not store any captured data locally in its file
system.
If a firewall is installed between the Wireshark computer and the WAP device, Wireshark must be allowed
to pass through the firewall policy of the computer. The firewall must also be configured to allow the Wireshark
computer to initiate a TCP connection to the WAP device.
Step 3 In the Remote Capture Port field, use the default port (2002), or if you are using a port other than the default, enter the
desired port number used to connect Wireshark to the WAP device. The port range is from 1025 to 65530.
Step 4 There are two modes for packet capture.
• All Wireless Traffic — Captures all wireless packets in the air.
• Traffic to/from this AP — Captures the packets sent or received by the AP.
Step 5 Next, check Enable Filters. Then choose from the following options:
• Ignore Beacons — Enables or disables the capturing of 802.11 beacons detected or transmitted by the radio.
• Filter on Client — Specifies the MAC address for WLAN Client filter. Note that the Client filter is active only
when a capture is performed on an 802.11 interface.
• Filter on SSID — Select an SSID name for packet capture.
Step 6 If you want to save the settings for use at another time, click Apply. However, the selection of Remote as the Packet
Capture Method is not saved.
Step 7 Click Start Capture to start the capture. To stop the capture, click Stop Capture.
Stream to CloudShark
To initiate a remote capture on a WAP device using the Stream to CloudShark option, do the following:
Wireshark
First, download Wireshark and install it on your computer. You can download Wireshark from
https://www.wireshark.org/.
To initiate the Wireshark network analyzer tool for Microsoft Windows, follow these steps:
-- rpcap://[192.168.1.220]:2002/brtrunk
Wired LAN interface
-- rpcap://[192.168.1.220]:2002/eth0
VAP0 traffic on radio 1
-- rpcap://[192.168.1.220]:2002/wlan0
802.11 traffic
-- rpcap://[192.168.1.220]:2002/radio1
At WAP361, VAP1 ~ VAP7 traffic
-- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap7
At WAP150, VAP1 ~ VAP3 traffic
-- rpcap://[192.168.1.220]:2002/wlan0vap1 ~ wlan0vap3
You can trace up to four interfaces on the WAP device simultaneously. However, you must start a separate Wireshark
session for each interface. To initiate additional remote capture sessions, repeat the Wireshark configuration steps. No
configuration is required on the WAP device.
Note The system uses four consecutive port numbers, starting with the configured port for the remote packet capture
sessions. Verify that you have four consecutive port numbers available. If you do not use the default port, we
recommend that you use a port number greater than 1024.
When you are capturing traffic on the radio interface, you can disable beacon capture, but other 802.11 control
frames are still sent to Wireshark. You can set up a display filter to show only:
In remote capture mode, traffic is sent to the computer running Wireshark through one of the network interfaces. Depending
on the location of the Wireshark tool, the traffic can be sent on an Ethernet interface or one of the radios. To avoid a
traffic flood caused by tracing the packets, the WAP device automatically installs a capture filter to filter out all packets
destined to the Wireshark application. For example, if the Wireshark IP port is configured to be 58000, then this capture
filter is automatically installed on the WAP device:
not port range 58000-58004
Due to performance and security issues, the packet capture mode is not saved in NVRAM on the WAP device. If the
WAP device resets, the capture mode is disabled and then you must enable it again to resume capturing traffic. Packet
capture parameters (other than the mode) are saved in NVRAM.
Enabling the packet capture feature can create a security issue: Unauthorized clients may be able to connect to the WAP
device and trace user data. The performance of the WAP device also is negatively impacted during packet capture, and
this impact continues to a lesser extent even when there is no active Wireshark session. To minimize the performance
impact on the WAP device during traffic capture, install capture filters to limit which traffic is sent to the Wireshark tool.
When capturing 802.11 traffic, a large portion of the captured frames tend to be beacons (typically sent every 100 ms by
all access points). Although Wireshark supports a display filter for beacon frames, it does not support a capture filter to
prevent the WAP device from forwarding the captured beacon packets to the Wireshark tool. To reduce the performance
impact of capturing the 802.11 beacons, disable the capture beacons mode.
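Because an open remote-capture port lets any host that can reach it trace user data, it helps to work out, before clicking Start Capture, which TCP ports the session needs and to open them for the one analysis host only. The following is an added example, not Cisco code, that applies the port range, four-port block, four-session limit and per-model interface names from this section. The function names, the analyst address 192.168.1.50 and the layout of the returned rule are assumptions.

```python
import ipaddress

# Values taken from this guide.
PORT_MIN, PORT_MAX = 1025, 65530        # allowed Remote Capture Port range
DEFAULT_PORT = 2002
PORT_BLOCK = 4                          # four consecutive ports are used
MAX_SESSIONS = 4                        # up to four interfaces at once
VAP_COUNT = {"WAP361": 7, "WAP150": 3}  # wlan0vap1..N in the interface list


def valid_interfaces(model):
    """Interface names this section lists for rpcap URLs on the given model."""
    if model not in VAP_COUNT:
        raise ValueError(f"unknown model {model!r}")
    fixed = ["brtrunk", "eth0", "wlan0", "radio1"]
    return fixed + [f"wlan0vap{n}" for n in range(1, VAP_COUNT[model] + 1)]


def port_block(port=DEFAULT_PORT):
    """The four consecutive ports the WAP uses, starting at the configured one."""
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
    return list(range(port, port + PORT_BLOCK))


def device_capture_filter(port):
    """Filter the guide says the WAP installs itself (58000 -> 58000-58004)."""
    return f"not port range {port}-{port + 4}"


def plan_capture(ap_ip, analyst_ip, model, interfaces, port=DEFAULT_PORT):
    """Validate a remote-capture request and return what to open and where.

    The 'allow' entry is firewall-neutral (assumed layout): translate it into
    a rule that lets only the analyst host initiate TCP to the WAP device.
    """
    ap = ipaddress.ip_address(ap_ip)
    analyst = ipaddress.ip_address(analyst_ip)
    wanted = list(dict.fromkeys(interfaces))  # drop duplicates, keep order
    if not wanted:
        raise ValueError("no interface requested")
    if len(wanted) > MAX_SESSIONS:
        raise ValueError(f"at most {MAX_SESSIONS} interfaces can be traced at once")
    known = valid_interfaces(model)
    unknown = [name for name in wanted if name not in known]
    if unknown:
        raise ValueError(f"not available on {model}: {', '.join(unknown)}")
    ports = port_block(port)
    return {
        # One Wireshark session per URL; all use the configured port.
        "urls": [f"rpcap://[{ap}]:{port}/{name}" for name in wanted],
        "allow": {"src": str(analyst), "dst": str(ap),
                  "proto": "tcp", "dports": (ports[0], ports[-1])},
        "device_filter": device_capture_filter(port),
    }


if __name__ == "__main__":
    # 192.168.1.220 is the address used in this section; .50 is constructed.
    plan = plan_capture("192.168.1.220", "192.168.1.50", "WAP150",
                        ["eth0", "wlan0vap3"])
    for url in plan["urls"]:
        print(url)
    print(plan["allow"])
    print(plan["device_filter"])
```

Remove the firewall opening again when the capture is stopped; the capture mode itself is not kept across a reset of the WAP device.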
Packet Capture File Download
Using HTTP
To download a packet capture file using HTTP:
Step 1 Click Download to this Device. A confirmation pop-up message will appear.
Step 2 Click Yes. A pop-up enables you to select a network location to save the file.
Support Information
This Support Information page displays the status of the CPU and RAM.
To record and display the CPU/RAM activity, follow these steps:
Download CPU/RAM Data
APPENDIX A
DeAuthentication Message Reason Codes
This appendix contains the following sections:
• Deauthentication Message Reason Codes
• Deauthentication Reason Code Table
Reason Code   Description
0             Reserved
1             Unspecified reason
3             Deauthenticated because sending station (STA) is leaving or has left Independent Basic Service Set (IBSS) or ESS
5             Disassociated because WAP device is unable to handle all currently associated STAs
8             Disassociated because sending STA is leaving or has left Basic Service Set (BSS)
12            Reserved
13            Invalid element, that is, an element defined in this standard for which the content does not meet the specifications in Clause 8
20            Invalid AKMP
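The following added example (not part of the Cisco guide) shows how the reason codes in this table appear in captured frames and why beacons dominate a radio capture: it classifies raw 802.11 management frames and decodes the reason code from deauthentication and disassociation frames. It assumes frames with no radiotap header; the sample frames and their addresses are constructed, and the function names are illustrative.

```python
import struct
from collections import Counter

# Reason codes from the table above (descriptions abbreviated); omitted codes are not guessed.
REASONS = {
    0: "Reserved",
    1: "Unspecified reason",
    3: "Deauthenticated because sending STA is leaving or has left IBSS or ESS",
    5: "Disassociated because WAP device is unable to handle all currently associated STAs",
    8: "Disassociated because sending STA is leaving or has left BSS",
    12: "Reserved",
    13: "Invalid element",
    20: "Invalid AKMP",
}
MGMT_HDR_LEN = 24  # frame control, duration, three addresses, sequence control
SUBTYPES = {8: "beacon", 10: "disassociation", 12: "deauthentication"}

def classify(frame: bytes):
    """Return (kind, reason_code, description) for one raw 802.11 frame."""
    if len(frame) < 2:
        return ("truncated", None, None)
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0:  # type 0 is management; control and data frames carry no reason code
        return ("non-management", None, None)
    kind = SUBTYPES.get(subtype, "other-management")
    if subtype not in (10, 12):
        return (kind, None, None)
    if len(frame) < MGMT_HDR_LEN + 2:
        return (kind, None, "truncated before reason code")
    (code,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN)  # little-endian 16-bit field
    return (kind, code, REASONS.get(code, "not listed in this table"))

def summarize(frames):
    """Count frame kinds, showing how much of a capture is beacon traffic."""
    return Counter(classify(f)[0] for f in frames)

def _mgmt(subtype, body=b""):
    # Constructed sample frame: placeholder addresses, zero duration and sequence.
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\x02" * 6 + b"\x04" * 12 + b"\x00\x00"
    return hdr + body

# Constructed capture: three beacons, then deauth/disassoc frames, one unlisted code, one truncated.
SAMPLE = [_mgmt(8)] * 3 + [_mgmt(12, struct.pack("<H", 3)), _mgmt(10, struct.pack("<H", 5)),
                           _mgmt(12, struct.pack("<H", 99)), _mgmt(12, b"\x01")]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for f in SAMPLE[3:]:
        print(classify(f))
```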
APPENDIX B
Where to Go from Here
This appendix contains the following section:
• Where to Go from Here
Cisco Open Source Requests
If you wish to receive a copy of the source code to which you are entitled under the applicable free/open source license(s) (such as the GNU Lesser/General Public License), please send your request to: external-opensource-requests@cisco.com.
In your requests please include the Cisco product name, version, and the 18 digit reference number (for example: 7XEEX17D99-3X49X08 1) found in the product open source documentation.