Networks
Virtual Access Points (VAPs) segment the wireless LAN into multiple broadcast domains that are the wireless equivalent of Ethernet VLANs. VAPs simulate multiple access points in one physical WAP device. The AP supports up to 8 VAPs. Each VAP can be independently enabled or disabled, with the exception of VAP0. VAP0 is the physical radio interface and remains enabled as long as the radio is enabled. To disable operation of VAP0, the radio itself must be disabled.
Each VAP is identified by a user-configured Service Set Identifier (SSID). Multiple VAPs cannot have the same SSID name. SSID broadcasts can be enabled or disabled independently on each VAP. SSID broadcast is enabled by default.
SSID Naming Conventions
The default SSID for VAP0 is ciscosb. Every additional VAP created has a blank SSID name. The SSIDs for all VAPs can be configured to other values.
The SSID can be any alphanumeric, case-sensitive entry from 2 to 32 characters. The printable characters plus the space (ASCII 0x20) are allowed.
The allowable characters are:
ASCII 0x20 through 0x7E.
Trailing and leading spaces (ASCII 0x20) are not permitted.
NOTE This means that spaces are allowed within the SSID, but not as the first or last character, and the period (.) (ASCII 0x2E) is also allowed.
VLAN IDs
Each VAP is associated with a VLAN, which is identified by a VLAN ID (VID). A VID can be any value from 1 to 4094, inclusive. The WAP371 device supports 17 active VLANs (16 for WLAN plus one management VLAN).
By default, the VID assigned to the configuration utility for the WAP device is 1, which is also the default untagged VID. If the management VID is the same as the VID assigned to a VAP, then the WLAN clients associated with this specific VAP can administer the WAP device. If needed, an access control list (ACL) can be created to disable administration from WLAN clients.
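The SSID naming rules and the VLAN ID rules above can be checked before a configuration is pushed to the device. The following Python is an added example, not code from the Cisco guide or the WAP371 firmware: it validates a set of VAP definitions (SSID length, allowed ASCII range, no leading or trailing space, no duplicate SSID, VID in range, VAP0 not disabled on its own) and flags every enabled VAP whose VID equals the management VID, since wireless clients on that VAP can administer the WAP device unless an ACL blocks them. The `Vap` class, the field names and the sample VAP table are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

SSID_MIN, SSID_MAX = 2, 32          # SSID length limits from the guide
VID_MIN, VID_MAX = 1, 4094          # VLAN ID range from the guide
MAX_VAPS = 8                        # VAPs supported per radio


@dataclass
class Vap:
    index: int          # 0..7; VAP0 is the physical radio interface
    ssid: str
    vlan_id: int
    enabled: bool = True


def ssid_errors(ssid: str) -> list[str]:
    """Return the SSID naming rules that `ssid` violates (empty list = valid)."""
    errs = []
    if not SSID_MIN <= len(ssid) <= SSID_MAX:
        errs.append(f"length {len(ssid)} not in {SSID_MIN}..{SSID_MAX}")
    # Only printable ASCII 0x20..0x7E is allowed; report offenders once each
    bad = sorted({hex(ord(c)) for c in ssid if not 0x20 <= ord(c) <= 0x7E})
    if bad:
        errs.append("characters outside ASCII 0x20..0x7E: " + ", ".join(bad))
    if ssid != ssid.strip(" "):
        errs.append("leading or trailing space")
    return errs


def check_vaps(vaps: list[Vap], management_vid: int = 1) -> list[str]:
    """Return findings for a VAP table; management_vid is the VID of the
    configuration utility (1 by default on this device)."""
    findings = []
    if len(vaps) > MAX_VAPS:
        findings.append(f"{len(vaps)} VAPs configured; the radio supports {MAX_VAPS}")
    seen: dict[str, int] = {}
    for v in vaps:
        tag = f"VAP{v.index}"
        for e in ssid_errors(v.ssid):
            findings.append(f"{tag}: SSID {v.ssid!r}: {e}")
        if v.ssid in seen:
            findings.append(f"{tag}: SSID {v.ssid!r} already used by VAP{seen[v.ssid]}")
        else:
            seen[v.ssid] = v.index
        if not VID_MIN <= v.vlan_id <= VID_MAX:
            findings.append(f"{tag}: VLAN ID {v.vlan_id} not in {VID_MIN}..{VID_MAX}")
        if v.index == 0 and not v.enabled:
            findings.append(f"{tag}: VAP0 cannot be disabled on its own; disable the radio instead")
        if v.enabled and v.vlan_id == management_vid:
            findings.append(f"{tag}: VLAN {v.vlan_id} is the management VLAN, so its "
                            "wireless clients can administer the WAP device unless an ACL blocks them")
    return findings


# Constructed sample: a clean VAP, a duplicate SSID, and one VAP with a
# trailing space in its SSID and an out-of-range VID
SAMPLE_VAPS = [
    Vap(0, "ciscosb", 1),
    Vap(1, "guest", 20),
    Vap(2, "guest", 30),
    Vap(3, "corp ", 5000),
]

if __name__ == "__main__":
    for finding in check_vaps(SAMPLE_VAPS, management_vid=1):
        print(finding)
```

Run against the sample table the checker reports four findings: VAP0 sits on the management VLAN, VAP2 reuses the `guest` SSID, and VAP3 has both a trailing space and a VID above 4094.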
Configuring VAPs
To configure VAPs:
- Select Wireless > Networks in the navigation pane.
- Select the Radio interface on which you want to configure VAPs (Radio 1 or Radio 2).
- Select the Enabled check box for the VAP you want to configure.
—Or—
If VAP0 is the only VAP configured on the system, and you want to add a VAP, click Add. Then, select the VAP and click Edit.
- Configure the parameters:
- VLAN ID—The VID of the VLAN to associate with the VAP.
CAUTION Be sure to enter a VLAN ID that is properly configured on the network. Network problems can result if the VAP associates wireless clients with an improperly configured VLAN.
When a wireless client connects to the WAP device by using this VAP, the WAP device tags all traffic from the wireless client with the VLAN ID you enter in this field, unless you enter the port VLAN ID or use a RADIUS server to assign a wireless client to a VLAN. The range for the VLAN ID is from 1 to 4094.
NOTE If you change the VLAN ID to a different ID than the current management VLAN ID, WLAN clients associated with this specific VAP cannot administer the device. Verify the configuration of the untagged and management VLAN IDs on the LAN page. For more information, see VLAN and IPv4 Address Settings.
NOTE If you are connected as a wireless client to the same WAP device that you are administering, resetting the SSID will cause you to lose connectivity to the WAP device. You need to reconnect to the new SSID after you save this new setting.
- Broadcast SSID—Enables and disables the broadcast of the SSID.
Specify whether to allow the WAP device to broadcast the SSID in its beacon frames. The Broadcast SSID parameter is enabled by default. When the VAP does not broadcast its SSID, the network name is not shown in the list of available networks on a client station. Instead, you must enter the exact network name manually into the wireless connection utility on the client so that it can connect.
Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it does not prevent even the simplest of attempts by a hacker to connect or monitor unencrypted traffic. Suppressing the SSID broadcast offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is to make it easy for clients to get a connection and where no sensitive information is available.
- Security—The type of authentication required for access to the VAP: None (Plain-text), Static WEP, Dynamic WEP, WPA Personal, or WPA Enterprise. Each mode is described under Configuring Security Settings.
If you select a security mode other than None, additional fields appear.
NOTE We recommend using WPA Personal or WPA Enterprise as the authentication type as it provides stronger security protection. Use Static WEP or Dynamic WEP only for legacy wireless computers or devices that do not support WPA Personal/Enterprise. If you need to set security as Static WEP or Dynamic WEP, configure Radio as 802.11a or 802.11b/g mode (see Radio). The 802.11n mode restricts the use of Static or Dynamic WEP as the security mode.
- MAC Filtering—Specifies whether the stations that can access this VAP are restricted to a configured global list of MAC addresses. You can select one of these types of MAC filtering:
- Disabled—Do not use MAC filtering.
- Local—Use the MAC Authentication list that you configure on the MAC Filtering page.
- RADIUS—Use the MAC Authentication list on an external RADIUS server.
- Channel Isolation—Enables and disables station isolation.
- When disabled, wireless clients can communicate with one another normally by sending traffic through the WAP device.
- When enabled, the WAP device blocks communication between wireless clients on the same VAP. The WAP device still allows data traffic between its wireless clients and wired devices on the network, across a WDS link, and with other wireless clients associated with a different VAP, but not among wireless clients.
NOTE Channel isolation applies to the clients connected to the same VAP of a single AP, but not to clients connected to the same VAP on different APs. Clients connected to the same VAP of a single AP therefore cannot ping each other, while clients connected to the same VAP on different APs can ping each other successfully.
- Band Steer—Enables band steer when both the radios are up. It effectively utilizes the 5-GHz band by steering dual-band supported clients from the 2.4-GHz band to the 5-GHz band.
- It is configured on a per-VAP basis and needs to be enabled on both the radios.
- It is not encouraged on VAPs with time-sensitive voice or video traffic.
- It does not consider the 802.11n channel bandwidth of the radio. Even if the 5-GHz radio is using a 20 MHz channel, band steer still tries to steer clients to that radio.
- Click Save. The changes are saved to the Startup Configuration.
CAUTION After new settings are saved, the corresponding processes may be stopped and restarted. When this happens, the WAP device may lose connectivity. We recommend that you change WAP device settings when a loss of connectivity will least affect your wireless clients.
NOTE To delete a VAP, select the VAP and click Delete. To save your deletion permanently, click Save when complete.
Configuring Security Settings
These sections describe the security settings that you configure, depending on your selection in the Security list on the Networks page.
None (Plain-text)
If you select None as your security mode, no additional security settings are configurable on the AP. This mode means that any data transferred to and from the AP is not encrypted. This security mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the internal network because it is not secure.
Static WEP
Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.
Static WEP is not the most secure mode available, but it offers more protection than setting the security mode to None (Plain-text), as it does prevent an outsider from easily sniffing out unencrypted wireless traffic.
WEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a stream cipher called RC4.)
These parameters configure Static WEP:
- Transfer Key Index—A key index list. Key indexes 1 through 4 are available. The default is 1.
The Transfer Key Index indicates which WEP key the WAP device uses to encrypt the data it transmits.
- Key Length—The length of the key. Select one: 64 bits or 128 bits.
- Key Type—The key type. Select one:
- WEP Keys—You can specify up to four WEP keys. In each text box, enter a string of characters for each key. The keys you enter depend on the key type selected:
Use the same number of characters for each key as specified in the Characters Required field. These are the RC4 WEP keys shared with the stations using the WAP device.
Each client station must be configured to use one of these same WEP keys in the same slot as specified on the WAP device.
- Characters Required—The number of characters you enter into the WEP Key fields is determined by the key length and key type you select. For example, if you use 128-bit ASCII keys, you must enter 26 characters in the WEP key. The number of characters required updates automatically based on how you set the key length and key type.
- 802.1X Authentication—The authentication algorithm defines the method used to determine whether a client station is allowed to associate with the WAP device when static WEP is the security mode.
Specify the authentication algorithm you want to use by choosing one of these options:
- Open System authentication allows any client station to associate with the WAP device whether that client station has the correct WEP key or not. This algorithm is also used in plaintext, IEEE 802.1X, and WPA modes. When the authentication algorithm is set to Open System, any client can associate with the WAP device.
NOTE Just because a client station is allowed to associate does not ensure it can exchange traffic with a WAP device. A station must have the correct WEP key to be able to successfully access and decrypt data from the WAP device, and to transmit readable data to the WAP device.
- Shared Key authentication requires the client station to have the correct WEP key in order to associate with the WAP device. When the authentication algorithm is set to Shared Key, a station with an incorrect WEP key cannot associate with the WAP device.
- Both Open System and Shared Key. When you select both authentication algorithms, client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the WAP device. Also, client stations configured to use WEP as an open system (shared key mode not enabled) can associate with the WAP device even if they do not have the correct WEP key.
Static WEP Rules
If you use Static WEP, these rules apply:
- All client stations must have the Wireless LAN (WLAN) security set to WEP, and all clients must have one of the WEP keys specified on the WAP device in order to decode AP-to-station data transmissions.
- The WAP device must have all keys used by clients for station-to-AP transmit so that it can decode the station transmissions.
- The same key must occupy the same slot on all nodes (AP and clients). For example, if the WAP device defines abc123 key as WEP key 3, then the client stations must define that same string as WEP key 3.
- Client stations can use different keys to transmit data to the access point. (Or they can all use the same key, but using the same key is less secure because it means one station can decrypt the data being sent by another.)
- On some wireless client software, you can configure multiple WEP keys and define a client station transfer key index, and then set the stations to encrypt the data they transmit using different keys. This ensures that neighboring access points cannot decode other access point transmissions.
- You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.
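The Characters Required value and the Static WEP rules above are easy to get wrong when keys are copied between devices by hand. The following Python is an added example, not code from the Cisco guide: it derives the number of characters a key field must hold from the key length and key type, and checks a WAP-side key table against a set of client key tables for the slot, length and transfer-key rules listed above. The key type names ASCII and Hex are assumed (the standard WEP choices), and the client table layout and sample keys are constructed for the example. Note that a 128-bit key carries 104 secret bits, which is 13 ASCII characters or 26 hex digits; the 64-bit key carries 40 secret bits, which is 5 ASCII characters or 10 hex digits.

```python
import string

# Secret-key bits for each WEP key length: the total minus the 24-bit IV
SECRET_BITS = {64: 40, 128: 104}
KEY_TYPES = ("ASCII", "Hex")   # assumed names for the Key Type choices


def characters_required(key_length: int, key_type: str) -> int:
    """Number of characters a key field must contain for this length and type."""
    bits = SECRET_BITS[key_length]
    if key_type == "ASCII":
        return bits // 8      # one byte per printable character: 5 or 13
    if key_type == "Hex":
        return bits // 4      # one nibble per hex digit: 10 or 26
    raise ValueError(f"unknown key type {key_type!r}")


def key_errors(key: str, key_length: int, key_type: str) -> list:
    """Return the problems with one key string (empty list = acceptable)."""
    errs = []
    need = characters_required(key_length, key_type)
    if len(key) != need:
        errs.append(f"expected {need} characters, got {len(key)}")
    if key_type == "Hex" and any(c not in string.hexdigits for c in key):
        errs.append("contains a non-hex character")
    if key_type == "ASCII" and any(not 0x20 <= ord(c) <= 0x7E for c in key):
        errs.append("contains a non-printable character")
    return errs


def check_wep_deployment(ap_keys: dict, clients: dict, key_length: int, key_type: str) -> list:
    """ap_keys maps slot (1..4) -> key string. clients maps a station name to
    {"keys": {slot: key}, "tx": slot}. One key length applies to the whole
    network, so a client with a key of the other length fails the length check."""
    findings = []
    for slot, key in ap_keys.items():
        if slot not in (1, 2, 3, 4):
            findings.append(f"AP: key slot {slot} is not 1..4")
        for e in key_errors(key, key_length, key_type):
            findings.append(f"AP key {slot}: {e}")
    tx_users = {}   # transmit slot -> stations that encrypt with it
    for name, cfg in clients.items():
        for slot, key in cfg["keys"].items():
            if slot not in ap_keys:
                findings.append(f"{name}: key {slot} is not defined on the AP, "
                                "so the AP cannot decode its transmissions")
            elif ap_keys[slot] != key:
                findings.append(f"{name}: key {slot} differs from the AP's key {slot} "
                                "(the same key must occupy the same slot)")
            for e in key_errors(key, key_length, key_type):
                findings.append(f"{name} key {slot}: {e}")
        tx = cfg["tx"]
        if tx not in cfg["keys"]:
            findings.append(f"{name}: transfer key index {tx} has no key configured")
        tx_users.setdefault(tx, []).append(name)
    # Stations sharing one transmit key can decrypt each other's traffic
    for slot, names in tx_users.items():
        if len(names) > 1:
            findings.append(f"stations {', '.join(names)} all transmit with key {slot}; "
                            "each can decrypt the others' traffic")
    return findings


# Constructed sample: 64-bit hex keys; the phone uses a slot the AP never defined
AP_KEYS = {1: "0123456789", 3: "ABCDEF0123"}
CLIENTS = {
    "laptop":  {"keys": {1: "0123456789"}, "tx": 1},
    "printer": {"keys": {3: "ABCDEF0123"}, "tx": 3},
    "phone":   {"keys": {2: "0123456789"}, "tx": 2},
}

if __name__ == "__main__":
    for finding in check_wep_deployment(AP_KEYS, CLIENTS, 64, "Hex"):
        print(finding)
```

On the sample the only finding is the phone's key in slot 2, which the AP does not hold; a 26-digit key checked against the 64-bit length fails the length rule, which is how the no-mixing rule surfaces.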
Dynamic WEP
Dynamic WEP refers to the combination of 802.1X technology and the Extensible Authentication Protocol (EAP). With Dynamic WEP security, WEP keys are changed dynamically.
EAP messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1X provides dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.
This mode requires the use of an external RADIUS server to authenticate users. The WAP device requires a RADIUS server that supports EAP, such as the Microsoft Internet Authentication Server. To work with Microsoft Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2.
You can use any of a variety of authentication methods that the IEEE 802.1X mode supports, including certificates, Kerberos, and public key authentication. You must configure the client stations to use the same authentication method the WAP device uses.
These parameters configure Dynamic WEP:
- Use Global RADIUS Server Settings—By default, each VAP uses the global RADIUS settings that you define for the WAP device (see RADIUS Server). However, you can configure each VAP to use a different set of RADIUS servers.
To use the global RADIUS server settings, ensure that the check box is selected.
To use a separate RADIUS server for the VAP, uncheck the check box and enter the RADIUS server IP address and key in these fields:
- Server IP Address Type—The IP version that the RADIUS server uses.
You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers for the address type you select in this field.
- Server IP Address 1 or Server IPv6 Address 1—The address for the primary RADIUS server for this VAP.
When the first wireless client tries to authenticate with the WAP device, the WAP device sends an authentication request to the primary server. If the primary server responds to the authentication request, the WAP device continues to use this RADIUS server as the primary server, and authentication requests are sent to the address you specify.
The IPv4 address should be in a form similar to xxx.xxx.xxx.xxx (192.0.2.10). The IPv6 address should be in a form similar to xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (2001:DB8::CAD5:7D91).
- Server IP Address 2 to 4 or Server IPv6 Address 2 to 4—Up to three IPv4 or IPv6 backup RADIUS server addresses.
If authentication fails with the primary server, each configured backup server is tried in sequence.
- Key—The shared secret key that the WAP device uses to authenticate to the primary RADIUS server.
You can use up to 63 standard alphanumeric and special characters. The key is case sensitive and must match the key configured on the RADIUS server. The text you enter is shown as asterisks.
- Key 2 to Key 4—The RADIUS key associated with the configured backup RADIUS servers. The server at Server IP (IPv6) Address 2 uses Key 2, the server at Server IP (IPv6) Address 3 uses Key 3, and so on.
- Enable RADIUS Accounting—Enables tracking and measuring of the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.
If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
- Active Server—Enables administratively selecting the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.
- Broadcast Key Refresh Rate—The interval at which the broadcast (group) key is refreshed for clients associated with this VAP.
The default is 300. The valid range is from 0 to 86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
- Session Key Refresh Rate—The interval at which the WAP device refreshes session (unicast) keys for each client associated with the VAP.
The valid range is from 0 to 86400 seconds. A value of 0 indicates that the session key is not refreshed.
WPA Personal
WPA Personal is a Wi-Fi Alliance IEEE 802.11i standard, which includes AES-CCMP and TKIP encryption. The Personal version of WPA uses a pre-shared key (PSK) instead of using IEEE 802.1X and EAP as is used in the Enterprise WPA security mode. The PSK is used for an initial check of credentials only. WPA Personal is also referred to as WPA-PSK.
This security mode is backwards-compatible for wireless clients that support the original WPA.
These parameters configure WPA Personal:
- WPA Versions—The types of client stations to be supported:
- WPA-TKIP—The network has some client stations that only support original WPA and TKIP security protocol. Note that selecting only WPA-TKIP for the access point is not allowed as per the latest WiFi Alliance requirement.
- WPA2-AES—All client stations on the network support WPA2 version and AES-CCMP cipher/security protocol. This WPA version provides the best security per the IEEE 802.11i standard. As per the latest WiFi Alliance requirement, the AP has to support this mode all the time.
If the network has a mix of clients, some of which support WPA2 and others which support only the original WPA, select both of the check boxes. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration trades some security for greater interoperability.
WPA clients must have one of these keys to be able to associate with the WAP device:
- Key—The shared secret key for WPA Personal security. Enter a string of at least 8 characters to a maximum of 63 characters. Acceptable characters include uppercase and lowercase alphabetic letters, the numeric digits, and special symbols such as @ and #.
- Key Strength Meter—The WAP device checks the key against complexity criteria such as how many different types of characters (uppercase and lowercase alphabetic letters, numbers, and special characters) are used and how long the string is. If the WPA-PSK complexity check feature is enabled, the key is not accepted unless it meets the minimum criteria. See WPA-PSK Complexity for information on configuring the complexity check.
- Broadcast Key Refresh Rate—The interval at which the broadcast (group) key is refreshed for clients associated with this VAP. The default is 300 seconds and the valid range is from 0 to 86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
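The guide states the criteria the Key Strength Meter uses (number of character classes and length) but not how they are scored. The following Python is an added example, not code from the Cisco guide or the device: it applies an assumed scoring to a WPA Personal key, enforces the 8 to 63 character limit, checks the WPA Versions selection against the rules above (WPA2-AES must be offered, WPA-TKIP alone is not permitted) and validates the Broadcast Key Refresh Rate range. The thresholds, the `minimum` strength and the configuration dictionary keys are assumptions.

```python
import string

PSK_MIN, PSK_MAX = 8, 63                  # key length limits from the guide
REFRESH_MIN, REFRESH_MAX = 0, 86400       # broadcast key refresh rate range, seconds
RANK = {"weak": 0, "medium": 1, "strong": 2}


def char_classes(key: str) -> int:
    """Count the character classes used: lowercase, uppercase, digits, specials."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in key) for check in checks)


def key_strength(key: str) -> str:
    """Assumed scoring: one point per character class, plus one point each for
    12 or more and 20 or more characters. Returns 'invalid' when the length is
    outside 8..63, otherwise 'weak', 'medium' or 'strong'."""
    if not PSK_MIN <= len(key) <= PSK_MAX:
        return "invalid"
    score = char_classes(key) + (len(key) >= 12) + (len(key) >= 20)
    if score >= 5:
        return "strong"
    if score >= 3:
        return "medium"
    return "weak"


def check_wpa_personal(cfg: dict, complexity_check: bool = True, minimum: str = "medium") -> list:
    """Return findings for a WPA Personal VAP configuration. complexity_check
    mirrors the WPA-PSK Complexity feature; minimum is the assumed threshold."""
    findings = []
    if not cfg.get("wpa2_aes"):
        findings.append("WPA2-AES must be enabled; WPA-TKIP alone is not permitted")
    elif cfg.get("wpa_tkip"):
        findings.append("WPA-TKIP also enabled: mixed mode trades some security for interoperability")
    key = cfg["key"]
    strength = key_strength(key)
    if strength == "invalid":
        findings.append(f"key length {len(key)} not in {PSK_MIN}..{PSK_MAX}")
    elif complexity_check and RANK[strength] < RANK[minimum]:
        findings.append(f"key strength {strength} is below the required {minimum}")
    rate = cfg.get("broadcast_key_refresh_rate", 300)   # 300 s is the device default
    if not REFRESH_MIN <= rate <= REFRESH_MAX:
        findings.append(f"broadcast key refresh rate {rate} not in {REFRESH_MIN}..{REFRESH_MAX}")
    elif rate == 0:
        findings.append("broadcast key refresh rate 0: the group key is never refreshed")
    return findings


# Constructed sample configurations (keys are examples, not real credentials)
WEAK_CONFIG = {"wpa_tkip": True, "wpa2_aes": False, "key": "password",
               "broadcast_key_refresh_rate": 0}
GOOD_CONFIG = {"wpa_tkip": False, "wpa2_aes": True, "key": "K7#pz2Qw!mL9xR4b",
               "broadcast_key_refresh_rate": 300}

if __name__ == "__main__":
    for finding in check_wpa_personal(WEAK_CONFIG):
        print(finding)
```

The weak sample produces three findings (no WPA2-AES, a weak key, and a group key that is never refreshed); the good sample produces none.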
WPA Enterprise
WPA Enterprise with RADIUS is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes CCMP (AES), and TKIP encryption. The Enterprise mode requires the use of a RADIUS server to authenticate users.
This security mode is backwards-compatible with wireless clients that support the original WPA.
These parameters configure WPA Enterprise:
- WPA Versions—The types of client stations to be supported:
- WPA-TKIP—The network has some client stations that only support original WPA and TKIP security protocol. Note that selecting only WPA-TKIP for the access point is not allowed as per the latest WiFi Alliance requirement.
- WPA2-AES—All client stations on the network support WPA2 version and AES-CCMP cipher/security protocol. This WPA version provides the best security per the IEEE 802.11i standard. As per the latest WiFi Alliance requirement, the AP has to support this mode all the time.
- Enable pre-authentication—If for WPA Versions you select only WPA2 or both WPA and WPA2, you can enable pre-authentication for WPA2 clients.
Click Enable pre-authentication if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information is relayed from the WAP device that the client is currently using to the target WAP device. Enabling this feature can help speed up authentication for roaming clients who connect to multiple APs.
This option does not apply if you selected WPA for WPA Versions because the original WPA does not support this feature.
Client stations configured to use WPA with RADIUS must have one of these addresses and keys:
- Use Global RADIUS Server Settings—By default, each VAP uses the global RADIUS settings that you define for the WAP device (see RADIUS Server). However, you can configure each VAP to use a different set of RADIUS servers.
To use the global RADIUS server settings, make sure the check box is selected.
To use a separate RADIUS server for the VAP, uncheck the box and enter the RADIUS server IP address and key in these fields:
- Server IP Address Type—The IP version that the RADIUS server uses.
You can toggle between the address types to configure IPv4 and IPv6 global RADIUS address settings, but the WAP device contacts only the RADIUS server or servers for the address type that you select in this field.
- Server IP Address 1 or Server IPv6 Address 1—The address for the primary RADIUS server for this VAP.
If IPv4 is selected as the Server IP Address Type, enter the IP address of the RADIUS server that all VAPs use by default, for example, 192.168.10.23. If IPv6 is selected, enter the IPv6 address of the primary global RADIUS server, for example, 2001:DB8:1234::abcd.
- Server IP Address 2 to 4 or Server IPv6 Address 2 to 4—Up to three IPv4 and/or IPv6 addresses to use as the backup RADIUS servers for this VAP.
If authentication fails with the primary server, each configured backup server is tried in sequence.
- Key 1—The shared secret key for the global RADIUS server. You can use up to 63 standard alphanumeric and special characters. The key is case sensitive, and you must configure the same key on the WAP device and on your RADIUS server. The text you enter is shown as asterisks to prevent others from seeing the RADIUS key as you type.
- Key 2 to Key 4—The RADIUS key associated with the configured backup RADIUS servers. The server at Server IP (IPv6) Address 2 uses Key 2, the server at Server IP (IPv6) Address 3 uses Key 3, and so on.
- Enable RADIUS Accounting—Tracks and measures the resources a particular user has consumed such as system time, amount of data transmitted and received, and so on.
If you enable RADIUS accounting, it is enabled for the primary RADIUS server and all backup servers.
- Active Server—Enables the administrative selection of the active RADIUS server, rather than having the WAP device attempt to contact each configured server in sequence and choose the first server that is up.
- Broadcast Key Refresh Rate—The interval at which the broadcast (group) key is refreshed for clients associated with this VAP.
The default is 300 seconds. The valid range is from 0 to 86400 seconds. A value of 0 indicates that the broadcast key is not refreshed.
- Session Key Refresh Rate—The interval at which the WAP device refreshes session (unicast) keys for each client associated with the VAP.
The valid range is from 0 to 86400 seconds. A value of 0 indicates that the session key is not refreshed.
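The per-VAP RADIUS parameters are the same for Dynamic WEP and WPA Enterprise, and the most common mistakes are an address that does not match the selected Server IP Address Type (the WAP device then never contacts that server), a shared secret that is empty or longer than 63 characters, and a refresh rate of 0 that silently disables key rotation. The following Python is an added example, not code from the Cisco guide or the device: it validates those fields for one VAP and lists the order in which the servers would be contacted (the primary first, then each backup in sequence, or only the Active Server when one is selected). The configuration dictionary keys, the one-based `active_server` index and the sample addresses and secrets are constructed for the example.

```python
import ipaddress

RADIUS_KEY_MAX = 63                   # shared secret length limit from the guide
REFRESH_MIN, REFRESH_MAX = 0, 86400   # key refresh rate range in seconds
MAX_SERVERS = 4                       # one primary plus up to three backups


def address_matches_type(addr: str, ip_type: str) -> bool:
    """True if addr parses as the IP version chosen in Server IP Address Type."""
    try:
        return ipaddress.ip_address(addr).version == {"IPv4": 4, "IPv6": 6}[ip_type]
    except (ValueError, KeyError):
        return False


def check_radius_settings(cfg: dict) -> list:
    """Return findings for one VAP's RADIUS settings. cfg["servers"] is a list
    of (address, key) pairs with the primary first, matching Server IP
    Address 1..4 and Key 1..4 in the guide."""
    findings = []
    if cfg.get("use_global_radius"):
        return findings          # the per-VAP fields are not used in that case
    ip_type = cfg.get("server_ip_address_type", "IPv4")
    servers = cfg.get("servers", [])
    if not servers:
        findings.append("no primary RADIUS server configured")
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers configured; at most {MAX_SERVERS} are supported")
    for i, (addr, key) in enumerate(servers, start=1):
        if not address_matches_type(addr, ip_type):
            findings.append(f"Server Address {i}: {addr!r} is not a valid {ip_type} address "
                            "and will not be contacted")
        if not key:
            findings.append(f"Key {i}: shared secret is empty")
        elif len(key) > RADIUS_KEY_MAX:
            findings.append(f"Key {i}: shared secret has {len(key)} characters; limit is {RADIUS_KEY_MAX}")
    active = cfg.get("active_server")
    if active is not None and not 1 <= active <= len(servers):
        findings.append(f"Active Server {active} does not refer to a configured server")
    for name in ("broadcast_key_refresh_rate", "session_key_refresh_rate"):
        rate = cfg.get(name, 0)
        if not REFRESH_MIN <= rate <= REFRESH_MAX:
            findings.append(f"{name} {rate} not in {REFRESH_MIN}..{REFRESH_MAX}")
        elif rate == 0:
            findings.append(f"{name} is 0: that key is never refreshed")
    return findings


def server_try_order(cfg: dict) -> list:
    """Addresses in the order the WAP device would contact them: only the
    Active Server when one is selected, otherwise the primary then each backup."""
    addrs = [addr for addr, _ in cfg.get("servers", [])]
    active = cfg.get("active_server")
    if active is not None and 1 <= active <= len(addrs):
        return [addrs[active - 1]]
    return addrs


# Constructed samples: documentation addresses and made-up secrets
BAD_CONFIG = {
    "server_ip_address_type": "IPv4",
    "servers": [("192.0.2.10", "Pr1mary-secret"),
                ("2001:db8::1", "backup-secret"),     # IPv6 under an IPv4 type
                ("192.0.2.11", "x" * 64)],            # secret one character too long
    "broadcast_key_refresh_rate": 300,
    "session_key_refresh_rate": 0,                    # unicast keys never refreshed
}
GOOD_CONFIG = {
    "server_ip_address_type": "IPv4",
    "servers": [("192.0.2.10", "Pr1mary-secret"), ("192.0.2.11", "backup-secret")],
    "broadcast_key_refresh_rate": 300,
    "session_key_refresh_rate": 600,
}

if __name__ == "__main__":
    for finding in check_radius_settings(BAD_CONFIG):
        print(finding)
    print("try order:", server_try_order(GOOD_CONFIG))
```

The bad sample yields three findings (the IPv6 backup under an IPv4 address type, the over-long Key 3, and the session key refresh rate of 0); the good sample yields none and is tried as primary then backup unless Active Server selects one of them.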