WPS Setup

This section describes the Wi-Fi Protected Setup (WPS) protocol and its configuration on the WAP device.

WPS is a standard that enables simple establishment of wireless networks without compromising network security. It relieves both the wireless client users and the WAP device administrators from having to know network names, keys, and various other cryptographic configuration options.

WPS facilitates network setup by allowing the administrator to use a push button or PIN to establish wireless networks, which avoids the manual entry of network names (SSIDs) and wireless security parameters:

Push button: The WPS button is either on the product or a clickable button on the user interface.

Personal Identification Number (PIN): The PIN can be viewed in the product user interface.

WPS maintains network security by requiring both the users of new client devices and WLAN administrators to have either physical access to their respective devices or secure remote access to these devices.

A user wishes to enroll a client station on a WPS-enabled WLAN. (The enrolling client device may detect the network, and prompt the user to enroll, although this is not necessary.) The user triggers the enrollment by pushing a button on the client device. The WAP device's administrator then pushes a button on the WAP device. During a brief exchange of WPS protocol messages, the WAP device supplies the new client with a new security configuration through Extensible Authentication Protocol (EAP). The two devices disassociate, and then reassociate and authenticate with the new settings.

A user wishes to enroll a client station on a WPS-enabled WLAN by supplying the WAP device administrator with the PIN of the client device. The administrator enters this PIN in the configuration utility of the WAP device and triggers the device enrollment. The new enrollee and the WAP device exchange WPS messages, including a new security configuration, disassociate, reassociate, and authenticate.

A WAP device administrator purchases a new WAP device that has been certified by the Wi-Fi Alliance to be compliant with WPS version 2.0, and wishes to add the WAP device to an existing (wired or wireless) network. The administrator turns on the WAP device, and then accesses a network host that supports the WPS registration protocol. The administrator enters the PIN of the WAP device in the configuration utility of this external registrar, and triggers the WPS registration process. (On a wired LAN, the WPS protocol messages are transported through Universal Plug and Play, or UPnP, protocol.) The host registers the WAP as a new network device and configures the WAP with new security settings.

A WAP device administrator has just added a new WAP device to an existing (wireless or wired) network through WPS, and wishes to grant network access to a new client device. The device is enrolled through either the PIN or Push-Button Control (PBC) methods described above, but this time the device enrolls with the external registrar, with the WAP device acting solely as a proxy.

A wireless device that does not support WPS must join the WPS-enabled WLAN. The administrator, who cannot use WPS in this case, instead manually configures the device with the SSID, public shared key, and cryptography modes of the WPS-enabled WAP device. The device joins the network.

The PIN is either an eight-digit number that uses its last digit as a checksum value, or a four-digit number with no checksum. Each of these numbers may contain leading zeroes.

The WPS standard assigns specific roles to the various components in its architecture:

Enrollee—A device that can join the wireless network.

AP—A device that provides wireless access to the network.

Registrar—An entity that issues security credentials to enrollees and configures APs.

The WAP devices act as AP devices and support a built-in registrar. They do not function as an enrollee.

The administrator can enable or disable WPS on only one VAP. WPS is operational only if this VAP meets these conditions:

The WAP device is configured to broadcast the VAP SSID.

MAC address filtering is disabled on the VAP.

WEP encryption is disabled on the VAP.

The VAP is configured to use either WPA-Personal security or none. If WPA2-PSK encryption mode is enabled, then a valid pre-shared key (PSK) must be configured and CCMP (AES) encryption must be enabled.

The VAP is operationally enabled.

WPS is operationally disabled on the VAP if any of these conditions are not met.

NOTE Disabling WPS on a VAP does not cause disassociation of any clients previously authenticated through WPS on that VAP.

It is not necessary for the WAP devices to handle the registration of clients on the network themselves. The WAP device can either use its built-in registrar, or act as a proxy for an external registrar. The external registrar may be accessed through the wired or wireless LAN. An external registrar may also configure the SSID, encryption mode, and public shared key of a WPS-enabled BSS. This capability is very useful for out-of-box deployments; that is, when an administrator simply attaches a new WAP device to a LAN for the first time.

If the WAP device is using a built-in registrar, it enrolls new clients using the configuration of the VAP associated with the WPS service, whether this configuration was configured directly on the WAP device or acquired by an external registrar through WPS.

The WAP device enrolls 802.11 clients through WPS by one of two methods: the Push-Button Control (PBC) method, or the Personal Identification Number (PIN) method.

The PBC method is when the user of a prospective client pushes a button on the enrolling device, and the administrator of the WAP device with an enabled built-in registrar pushes a similar (hardware or software) button. This sequence begins the enrollment process, and the client device joins the network. Although the Cisco WAP devices do not support an actual hardware button, the administrator can initiate the enrollment for a particular VAP using a software button in the web- based configuration utility.

NOTE There is no defined order in which the buttons on the client device and WAP device must be pressed. Either device can initiate the enrollment. However, if the software button on the WAP device is pressed, and no client attempts to enroll after 120 seconds, the WAP device terminates the pending WPS enrollment transaction.

A client may also enroll with a registrar by using a PIN. For example, the WAP device administrator may start an enrollment transaction for a particular VAP by entering the PIN of a client. When the client detects the WPS-enabled device, the user can then supply its PIN to the WAP device to continue the enrollment process. After the WPS protocol has completed, the client securely joins the network. The client can also initiate this process.

As with the PBC method, if the WAP device begins the enrollment transaction and no client attempts to enroll after 120 seconds, the WAP device terminates the pending transaction.

Although the WAP device supports a built-in registrar for WPS, its use is optional. After an external registrar has configured the WAP device, the WAP device acts as a proxy for that external registrar, regardless if the built-in registrar of the WAP device is enabled (it is enabled by default).

Each WAP device stores a WPS-compatible device PIN in nonvolatile RAM. WPS requires this PIN if an administrator wants to allow an unconfigured WAP device (that is, one with only factory defaults, including WPS being enabled on a VAP) to join a network. In this scenario, the administrator obtains the PIN value from the configuration utility of the WAP device.

The administrator may wish to change the PIN if network integrity has been compromised in some way. The WAP device provides a method for generating a new PIN and storing this value in NVRAM. If the value in NVRAM is corrupted, erased, or missing, a new PIN is generated by the WAP device and stored in NVRAM.

The PIN method of enrollment is potentially vulnerable by way of brute force attacks. A network intruder could try to pose as an external registrar on the wireless LAN and attempt to derive the PIN value of the WAP device by exhaustively applying WPS-compliant PINs. To address this vulnerability, in the event that a registrar fails to supply a correct PIN in three attempts within 60 seconds, the WAP device prohibits any further attempts by an external registrar to register with the WAP device on the WPS-enabled VAP for 60 seconds. The lockdown duration increases upon subsequent failures, up to a maximum of 64 minutes. The WAP devices registration functionality goes into permanent lockdown after the 10th consecutive failed attempt. Reset the device to restart the registration functionality.

However, wireless client stations may enroll with the WAP device's built-in registrar, if enabled, during this lockdown period. The WAP device also continues to provide proxy services for enrollment requests to external registrars.

The WAP device has an additional security features for protecting its device PIN. After the WAP device has completed registration with an external registrar, and the resulting WPS transaction has concluded, the device PIN is automatically regenerated.

The WPS protocol can configure the following parameters for a WPS-enabled VAP on a WAP device:

Network SSID

Key management options (WPA-PSK, or WPA-PSK and WPA2-PSK)

Cryptography options (CCMP/AES, or TKIP and CCMP/AES)

Network (public shared) key

If a VAP is enabled for WPS, these configuration parameters are subject to change, and are persistent between reboots of the WAP device.

The WAP device supports registration with WPS External Registrars (ER) on the wired and wireless LAN. On the WLAN, external registrars advertise their capabilities within WPS-specific Information Elements (IEs) of their beacon frames; on the wired LAN, external registrars announce their presence through UPnP.

WPS v2.0 does not require registration with an ER through the user interface. The administrator can register the WAP device with an ER by:

Entering the ER PIN on the WAP device.

Entering the WAP device PIN on the user interface of the ER.

NOTE The registration process can also configure the WAP device as specified in the VAP Configuration Changes section, if the WAP device has declared within the WPS- specific IEs of its beacon frames or UPnP messages that it requires such configuration.

The WAP device can serve as a proxy for up to three external registrars simultaneously.

Any one VAP on the WAP device can be enabled for WPS. At most, one WPS transaction (for example, enrollment and association of an 802.11 client) can be in progress at a time on the WAP device. The WAP device administrator can terminate the transaction in progress from the web-based AP configuration utility. The configuration of the VAP, however, should not be changed during the transaction; nor should the VAP be changed during the authentication process. This restriction is recommended but not enforced on the WAP device.

Although WAP devices support WPS version 2.0, the WAP device interoperates with enrollees and registrars that are certified by the Wi-Fi Alliance to conform to version 1.0 of the WPS protocol.

You can use the WPS Setup page to enable the WAP device as a WPS-capable device and configure basic settings. When you are ready to use the feature to enroll a new device or add the WAP device to a WPS-enabled network, use the WPS Process page.

Select Wireless > WPS Setup in the navigation pane.

The WPS Setup page shows global parameters and status, and parameters and status of the WPS instance. An instance is an implementation of WPS that is associated with a VAP on the network. The WAP device supports one instance only.

Configure the global parameters:

Supported WPS Version—The WPS protocol version that the WAP device supports.

WPS Device Name—Provides a default device name. You can assign a different name from 1 to 32 characters, including spaces and special characters.

WPS Global Operational Status—Whether the WPS operational status is Up or Down on the WAP device.

WPS Device PIN—A system-generated eight-digit WPS PIN for the WAP device. The administrator may use this generated PIN to register the WAP device with an external registrar.

You can click Generate to generate a new PIN. Generating a new pin is advisable if network integrity has been compromised.

Configure the WPS instance parameters:

WPS Instance ID—An identifier for the instance. As there is only one instance, the only option is wps1.

WPS Mode—Enables or disables the instance.

WPS Radio—The radio to which this WPS instance applies (WAP561 devices only).

WPS VAP—The VAP associated with this WPS instance.

WPS Built-in Registrar—Enables the built-in registrar function. When enabled, enrollees (typically WLAN clients) can register with the WAP device. When disabled, the registrar functionality in the WAP device is turned off and the enrollee needs to register with another registrar on the network. In this case, another device on the network acts as the registrar and the WAP device serves as a proxy for forwarding client registration requests and the responses of the registrar.

WPS Configuration State—Specifies if the VAP will be configured from the external registrar as a part of WPS process. It can be set to one of these values:

Unconfigured—VAP settings are configured using WPS, after which the state will be change to Configured.

Configured—VAP settings are not configured by the external registrar and will retain the existing configuration.

Click Save. The changes are saved to the Startup Configuration.

The operational status of the instance and the reason for that status appears. See Enabling or Disabling WPS on a VAP for information about conditions that may cause the instance to be disabled.

The Instance Status area shows the following information about the selected WPS instance:

WPS Operational Status—Whether or not the WPS instance is operational.

AP Lockdown Status—Whether the AP is in lockdown mode, in which external registrars are blocked from registering with the AP. When in lockdown status, this field reports the start time of the lockdown, whether it is temporary or permanent, and if temporary, the duration of the lockdown period. When not in lockdown mode, the status appears as Disabled.

Failed Attempts with Invalid PIN—The number of times an external registrar has tried and failed to register with the WAP device.

AP Lockdown Duration—The duration in minutes for which the WAP is locked. When the WAP is permanently locked, this value is set to –1.

AP Lockdown Timestamp—The time when the WAP device was locked.

You can click Refresh to update the page with the most recent status information.