Virtual Access Point Settings

VAPs segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of Ethernet VLANs. VAPs simulate multiple APs in one physical AP. The AP541N supports up to 16 VAPs.

Note: Note that only those VAPs which have non-default configuration will be displayed when the page initially loads. To configure additional VAPs, click Add Another to expose new (empty) VAP entries.

For each VAP, you can customize the security mode to control wireless client access. Each VAP can also have a unique SSID. Multiple SSIDs make a single AP look like two or more APs to other systems on the network. By configuring VAPs, you can maintain better control over broadcast and multicast traffic, which affects network performance.

You can configure each VAP to use a different VLAN, or you can configure multiple VAPs to use the same VLAN. VAP0 and VAP2, which are always enabled, are assigned to the default VLAN 1. VAP1 is also enabled by default and assigned to VLAN 100.

The AP adds VLAN ID tags to wireless client traffic based on the VLAN ID you configure on the VAP page or by using the RADIUS server assignment. If you use an external RADIUS server, you can configure multiple VLANs on each VAP. The external RADIUS server assigns wireless clients to the VLAN when the clients associate and authenticate.

You can configure up to four global IPv4 RADIUS servers. One of the servers always acts as a primary while the others act as backup servers. The network type and accounting mode are common across all configured RADIUS servers. You can configure each VAP to use the global RADIUS server settings, which is the default, or you can configure a per-VAP RADIUS server set. You can also configure separate RADIUS server settings for each VAP. The Global RADIUS server settings are collapsed when the page initially loads. To show (expand) the Global RADIUS server settings section of the page, click the right arrow icon to the left of the Global RADIUS server settings section title. To collapse the Global RADIUS server settings section, click the down arrow icon to the left of the Global RADIUS server settings section title.

If wireless clients use a security mode that does not communicate with the RADIUS server, or if the RADIUS server does not provide the VLAN information, you can assign a VLAN ID to each VAP. The AP assigns the VLAN to all wireless clients that connect to the AP through that VAP.

Note: Before you configure VLANs on the AP, be sure to verify that the switch and DHCP server the AP uses can support IEEE 802.1Q VLAN encapsulation.

Field	Description
RADIUS IP Address	Enter the address for the primary global RADIUS server. By default, each VAP uses the global RADIUS settings that you define for the AP at the top of the VAP page. When the first wireless client tries to authenticate with the AP, the AP sends an authentication request to the primary server. If the primary server responds to the authentication request, the AP continues to use this RADIUS server as the primary server, and authentication requests are sent to the address you specify.
RADIUS IP Address 1-3	Enter up to three IPv4 addresses to use as the backup RADIUS servers. If authentication fails with the primary server, each configured backup server is tried in sequence. The address must be valid in order for the AP to attempt to contact the server.
RADIUS Key	Enter the RADIUS key in the text box. The RADIUS Key is the shared secret key for the global RADIUS server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive, and you must configure the same key on the AP and on your RADIUS server. The text you enter will be displayed as large dot characters to prevent others from seeing the RADIUS key as you type.
RADIUS Key 1-3	Enter the RADIUS key associated with the configured backup RADIUS servers. The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on.
Enable RADIUS Accounting	Select this option to track and measure the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
VAP	You can configure up to 16 VAPs for each radio. VAP0 is the physical radio interface, so to disable VAP0, you must disable the radio. Due to the dependency of the WDS links with the VAP0 security mode, VAP0 cannot be configured to None, Static WEP, or Dynamic WEP if the WDS links have WPA Personal as the security mode. If you need to change the security of VAP0 from WPA Personal or WPA Enterprise to None, Static WEP, or Dynamic WEP, then remove the WPA security mode for all the WDS links.
Enabled	You can enable or disable a configured network. To enable the specified network, select the Enabled option beside the appropriate VAP. To disable the specified network, clear the Enabled option beside the appropriate VAP. If you disable the specified network, you will lose the VLAN ID you entered.
VLAN ID	When a wireless client connects to the AP by using this VAP, the AP tags all traffic from the wireless client with the VLAN ID you enter in this field unless you enter the untagged VLAN ID or use a RADIUS server to assign a wireless client to a VLAN. The range for the VLAN ID is 1-4094. If you use RADIUS-based authentication for clients, you can optionally add the following attributes to the appropriate file in the RADIUS or AAA server to configure a VLAN for the client: Tunnel-Type Tunnel-Medium-Type Tunnel-Private-Group-ID The RADIUS-assigned VLAN ID overrides the VLAN ID you configure on the VAP page. You configure the untagged and management VLAN IDs on the Ethernet Settings page.
SSID	Enter a name for the wireless network. The SSID is an alphanumeric string of up to 32 characters. Double quote (") is not a valid character. You can use the same SSID for multiple VAPs, or you can choose a unique SSID for each VAP. Note: If you are connected as a wireless client to the same AP that you are administering, resetting the SSID will cause you to lose connectivity to the AP. You will need to reconnect to the new SSID after you save this new setting.
Broadcast SSID	Specify whether to allow the AP to broadcast the Service Set Identifier (SSID) in its beacon frames. The Broadcast SSID parameter is enabled by default. When the VAP does not broadcast its SSID, the network name is not displayed in the list of available networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it is able to connect. To enable the SSID broadcast, select the Broadcast SSID check box. To prohibit the SSID broadcast, clear the Broadcast SSID check box. Note: Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it will not prevent even the simplest of attempts by a hacker to connect or monitor unencrypted traffic. Suppressing the SSID broadcast offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available.
Security	Select one of the following Security modes for this VAP: None Static WEP Dynamic WEP WPA Personal WPA Enterprise If you select a security mode other than None, additional fields appear. These fields are explained below. Note: The Security mode you set here is specifically for this VAP. When the page initially loads, any VAP that has a security mode other than None will have a Show details link below the Security selection box. Click the Show details link to show the current security settings. When showing the current security settings, the link will change to Hide details. Click Hide details to collapse the current security settings.
MAC Filtering	You can configure a global list of MAC addresses that are allowed or denied access to the network. The drop-down menu for this feature allows you to select the type of MAC Authentication to use: Disabled: Do not use MAC Authentication. Local: Use the MAC Authentication list that you configure on the Wireless Connection Control page. RADIUS: Use the MAC Authentication list on the external RADIUS server.
Station Isolation	Select from the drop-down menu to configure Station Isolation for this VAP: When Station Isolation is disabled, wireless clients can communicate with one another normally by sending traffic through the AP. When Station Isolation is enabled, the AP blocks communication between wireless clients on the same VAP. The AP still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP.
HTTP Redirect	Enable the HTTP redirect feature to redirect wireless clients to a custom Web page. When redirect mode is enabled, the user will be redirected to the URL you specify after the wireless client associates with an AP and the user opens a Web browser on the client to access the Internet. The custom Web page must be located on an external Web server and might contain information such as the company logo and network usage policy. Note: The wireless client is redirected to the external Web server only once while it is associated with the AP.
Redirect URL	Specify the URL where the Web browser is to be redirected after the wireless client associates with the AP and sends HTTP traffic. Length is 1 to 120 alphanumeric and hyphen characters , in the form "^[A-Za-z]+://[A-Za-z0-9-]+\.[A-Za-z0-9]+" ). For example: http://cisco.com.
Delete	Click the red x Delete icon to remove the configuration for a particular VAP. When a VAP is deleted, all of its configuration is restored to its default configuration settings. The entry will also be removed from the list of displayed VAPs. Note: VAP0 corresponds to the physical radio interface and cannot be deleted. The Delete icon will not appear for this VAP.

Note: After you configure the VAP settings, you must click Apply to apply the changes and to save the settings. Changing some settings might cause the AP to stop and restart system processes. If this happens, wireless clients will temporarily lose connectivity. We recommend that you change AP settings when WLAN traffic is low.

None (Plain-text)

If you select None as your security mode, no further options are configurable on the AP. This mode means that any data transferred to and from the Access Point is not encrypted. This security mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the Internal network because it is not secure.

Static WEP

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and APs on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.

Static WEP is not the most secure mode available, but it offers more protection than setting the security mode to None (Plain-text) as it does prevent an outsider from easily sniffing out unencrypted wireless traffic.

WEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a stream cipher called RC4.)

Field	Description
Transfer Key Index	Select a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1. The transfer key index indicates which WEP key the AP will use to encrypt the data it transmits.
Key Length	Specify the length of the key by clicking one of the radio buttons: 64 bits 128 bits
Key Type	Select the key type by clicking one of the radio buttons: ASCII Hex
WEP Keys	You can specify up to four WEP keys. In each text box, enter a string of characters for each key. The keys you enter depend on the key type selected: ASCII. Includes upper and lower case alphabetic letters, the numeric digits, and special symbols such as @ and #. Hex. Includes digits 0 to 9 and the letters A to F. Use the same number of characters for each key as specified in the Characters Required field. These are the RC4 WEP keys shared with the stations using the AP. Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. Characters Required: The number of characters you enter into the WEP Key fields is determined by the Key length and Key type you select. For example, if you use 128-bit ASCII keys, you must enter 13 characters in the WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.
802.1X Authentication	The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an AP when static WEP is the security mode. Specify the authentication algorithm you want to use by choosing one of the following options: Open system authentication allows any client station to associate with the AP whether that client station has the correct WEP key or not. This algorithm is also used in plaintext, Dynamic WEP, and WPA modes. When the authentication algorithm is set to Open System, any client can associate with the AP. Note: Just because a client station is allowed to associate does not ensure it can exchange traffic with an AP. A station must have the correct WEP key to be able to successfully access and decrypt data from an AP, and to transmit readable data to the AP. Shared key authentication requires the client station to have the correct WEP key in order to associate with the AP. When the authentication algorithm is set to Shared Key, a station with an incorrect WEP key will not be able to associate with the AP. Both Open system and Shared key. When you select both authentication algorithms: - Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the AP. - Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the AP even if they do not have the correct WEP key.

Dynamic WEP

IEEE 802.1X is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). Dynamic WEP provides dynamically-generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.

This mode requires the use of an external RADIUS server to authenticate users. The AP requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.

You can use any of a variety of authentication methods that the Dynamic WEP mode supports, including certificates, Kerberos, and public key authentication. You must configure the client stations to use the same authentication method the AP uses.

Field	Description
Use Global RADIUS Server Settings	By default each VAP uses the global RADIUS settings that you define for the AP at the top of the VAP page. However, you can configure each VAP to use a different set of RADIUS servers. To use the global RADIUS server settings, make sure the check box is selected. To use a separate RADIUS server for the VAP, clear the check box and enter the RADIUS server IP address and key in the following fields.
RADIUS IP Address	Enter the address for the primary RADIUS server for this VAP.
RADIUS IP Address 1-3	Enter up to three IPv4 addresses to use as the backup RADIUS servers for this VAP. If authentication fails with the primary server, each configured backup server is tried in sequence.
RADIUS Key	Enter the RADIUS key in the text box. The RADIUS Key is the shared secret key for the global RADIUS server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive, and you must configure the same key on the AP and on your RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
RADIUS Key 1-3	Enter the RADIUS key associated with the configured backup RADIUS servers. The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on.
Enable RADIUS Accounting	Select this option to track and measure the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
Broadcast Key Refresh Rate	Enter a value to set the interval at which the broadcast (group) key is refreshed for clients associated to this VAP. The valid range is 0-86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
Session Key Refresh Rate	Enter a value to set the interval at which the AP will refresh session (unicast) keys for each client associated to the VAP. The valid range is 0-86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.

Note: After you configure the security settings, you must click Apply to apply the changes and to save the settings.

WPA Personal

WPA Personal is a Wi-Fi Alliance IEEE 802.11i standard, which includes AES-CCMP and TKIP mechanisms. The Personal version of WPA employs a pre-shared key (instead of using IEEE 802.1X and EAP as is used in the Enterprise WPA security mode). The PSK is used for an initial check of credentials only.

This security mode is backwards-compatible for wireless clients that support the original WPA.

Field	Description
WPA Versions	Select the types of client stations you want to support: WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA. WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard. WPA and WPA2. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both of the check boxes. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability, at the expense of some security.
Cipher Suites	Select the cipher suite you want to use: TKIP CCMP (AES) TKIP and CCMP (AES) Both TKIP and AES clients can associate with the AP. WPA clients must have one of the following to be able to associate with the AP: A valid TKIP key A valid AES-CCMP key Clients not configured to use a WPA Personal will not be able to associate with the AP.
Key	The Pre-shared Key is the shared secret key for WPA Personal. Enter a string of at least 8 characters to a maximum of 63 characters. Acceptable characters include upper and lower case alphabetic letters, the numeric digits, and special symbols such as @ and #.
Broadcast Key Refresh Rate	Enter a value to set the interval at which the broadcast (group) key is refreshed for clients associated to this VAP. The valid range is 0-86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.

Note: After you configure the security settings, you must click Apply to apply the changes and to save the settings.

WPA Enterprise

WPA Enterprise with RADIUS is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes CCMP (AES), and TKIP mechanisms. The Enterprise mode requires the use of a RADIUS server to authenticate users.

This security mode is backwards-compatible with wireless clients that support the original WPA.

Field	Description
WPA Versions	Select the types of client stations you want to support: WPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA. WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard. WPA and WPA2. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select both WPA and WPA2. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability, at the expense of some security.
Enable pre-authentication	If for WPA Versions you select only WPA2 or both WPA and WPA2, you can enable pre-authentication for WPA2 clients. Click Enable pre-authentication if you want WPA2 wireless clients to send pre-authentication packet. The pre-authentication information will be relayed from the AP the client is currently using to the target AP. Enabling this feature can help speed up authentication for roaming clients who connect to multiple APs. This option does not apply if you selected WPA for WPA Versions because the original WPA does not support this feature.
Cipher Suites	Select the cipher suite you want to use: TKIP CCMP (AES) TKIP and CCMP (AES) By default both TKIP and CCMP are selected. When both TKIP and CCMP are selected, client stations configured to use WPA with RADIUS must have one of the following: A valid TKIP RADIUS IP address and RADIUS Key A valid CCMP (AES) IP address and RADIUS Key
Active Server	Displays which RADIUS server is currently in use. You can manually update the server to a different server by selecting the appropriate server in the dropdown box. Note: The Active Server is not stored across boots. The first configured RADIUS server is selected upon boot.
Use Global RADIUS Server Settings	By default each VAP uses the global RADIUS settings that you define for the AP at the top of the VAP page. However, you can configure each VAP to use a different set of RADIUS servers. To use the global RADIUS server settings, make sure the check box is selected. To use a separate RADIUS server for the VAP, clear the check box and enter the RADIUS server IP address and key in the following fields.
RADIUS IP Address	Enter the address for the primary RADIUS server for this VAP.
RADIUS IP Address 1-3	Enter up to three IPv4 addresses to use as the backup RADIUS servers for this VAP. If authentication fails with the primary server, each configured backup server is tried in sequence.
RADIUS Key	Enter the RADIUS key in the text box. The RADIUS Key is the shared secret key for the global RADIUS server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive, and you must configure the same key on the AP and on your RADIUS server. The text you enter will be displayed as "*" characters to prevent others from seeing the RADIUS key as you type.
RADIUS Key 1-3	Enter the RADIUS key associated with the configured backup RADIUS servers. The server at RADIUS IP Address-1 uses RADIUS Key-1, RADIUS IP Address-2 uses RADIUS Key-2, and so on.
Enable RADIUS Accounting	Select this option to track and measure the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on. If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
Broadcast Key Refresh Rate	Enter a value to set the interval at which the broadcast (group) key is refreshed for clients associated to this VAP. The valid range is 0-86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
Session Key Refresh Rate	Enter a value to set the interval at which the AP will refresh session (unicast) keys for each client associated to the VAP. The valid range is 0-86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.

Note: After you configure the security settings, you must click Apply to apply the changes and to save the settings.