Enabling HTTPS for Secure Browsing
You can protect the communication with the access point web-browser interface by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol.
Note When you enable HTTPS, your browser might lose its connection to the access point. If you lose the connection, change the URL in your browser address line from http://ip_address to https://ip_address and log into the access point again.
Note When you enable HTTPS, most browsers prompt you for approval each time you browse to a device that does not have a fully qualified domain name (FQDN). To avoid the approval prompts, create an FQDN for the access point as detailed in the following procedure.
Follow these steps to create an FQDN and enable HTTPS:
Step 1 If your browser uses popup-blocking software, disable the popup-blocking feature.
Step 2 Choose Easy Setup > Network Configuration.
The Network Configuration page appears.
Step 3 Enter a name for the access point in the Host Name field, and then click Apply.
Step 4 Choose Services > DNS.
The Services: DNS - Domain Name Service page appears.
Step 5 In the Domain Name System (DNS) field, click the Enable radio button.
Step 6 In the Domain Name field, enter your company’s domain name.
Step 7 Enter at least one IP address for your DNS server in the Name Server IPv4/IPv6 Addresses fields.
Step 8 Click Apply.
The access point FQDN is a combination of the system name and the domain name. For example, if your system name is ap3600 and your domain name is company.com, the FQDN is ap3600.company.com.
Step 9 Enter the FQDN on your DNS server.
Tip If you do not have a DNS server, you can register the access point FQDN with a dynamic DNS service. Search the Internet for dynamic DNS to find a fee-based DNS service.
Step 10 Choose Services > HTTP.
The Services: HTTP - Web Server page is displayed.
Step 11 In the Web-based Configuration Management field, select the Enable Secure (HTTPS) Browsing check box.
Step 12 In the Domain Name field, enter a domain name, and then click Apply.
Note Enabling HTTPS automatically disables HTTP. To maintain HTTP access with HTTPS enabled, check the Enable Secure (HTTPS) Browsing check box, and then check the Enable Standard (HTTP) Browsing check box. Although you can enable both standard HTTP and HTTPS, we recommend that you enable only one.
A warning appears stating that you will now use secure HTTP to browse to the access point. The warning also displays the new URL containing https, which you will need to use to browse to the access point.
Step 13 In the warning box, click OK.
The address in your browser address line changes from http://<ip-address> to https://<ip-address>.
Step 14 Another warning appears stating that the access point security certificate was not issued by a trusted certificate authority. However, you can ignore this warning. Click Continue to this Website (not recommended).
Note The following steps assume that you are using Microsoft Internet Explorer. If you are not, please refer to your browser documentation for more information on how to access web sites using self-signed certificates.
Step 15 The access point login window appears and you must log in to the access point again. The default user name is Cisco (case-sensitive) and the default password is Cisco (case-sensitive).
Step 16 To display the access point’s security certificate, click the Certificate error icon in the address bar.
Step 17 Click View Certificates.
Step 18 In the Certificate window, click Install Certificate.
The Microsoft Windows Certificate Import Wizard appears.
Step 19 Click Next.
The next screen asks where you want to store the certificate. We recommend that you use the default storage area on your system.
Step 20 Click Next to accept the default storage area.
You have now successfully imported the certificate.
Step 21 Click Finish.
A security warning is displayed.
Step 22 Click Yes.
A message box stating that the installation is successful is displayed.
Step 23 Click OK.
CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in the “Enabling HTTPS for Secure Browsing” section:
AP(config)# hostname ap3600
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
In this example, the access point system name is ap3600, the domain name is company.com, and the IP address of the DNS server is 10.91.107.18.
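As an added example (not part of Cisco's documentation), the following Python function audits a saved configuration for the settings this procedure produces: hostname, domain name, name server and HTTPS, and it flags plain HTTP left enabled. The sample configuration is constructed, and treating an explicit `ip http server` line as "HTTP enabled" is an assumption about how the configuration dump renders that setting.

```python
import re

# Constructed sample: the page's four CLI commands as they would appear in a
# saved configuration, plus the IOS line "no ip http server" (plain HTTP off).
SAMPLE_CONFIG = """\
hostname ap3600
ip domain name company.com
ip name-server 10.91.107.18
no ip http server
ip http secure-server
"""


def audit_https_config(config_text):
    """Return (fqdn, findings) for an IOS-style configuration text."""
    # Normalise lines; "!" lines are IOS comments/separators.
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]

    def first_arg(pattern):
        for ln in lines:
            m = re.fullmatch(pattern, ln)
            if m:
                return m.group(1)
        return None

    hostname = first_arg(r"hostname (\S+)")
    # Accept both "ip domain name" (used on the page) and the older
    # "ip domain-name" spelling.
    domain = first_arg(r"ip domain[ -]name (\S+)")
    servers = [a for ln in lines if ln.startswith("ip name-server ") for a in ln.split()[2:]]

    findings = []
    if "ip http secure-server" not in lines:
        findings.append("HTTPS is not enabled (ip http secure-server missing)")
    # Assumption: an explicit "ip http server" line means plain HTTP is on.
    if "ip http server" in lines:
        findings.append("plain HTTP is enabled (ip http server present)")
    if hostname is None:
        findings.append("no hostname set")
    if domain is None:
        findings.append("no domain name set; FQDN cannot be formed")
    if not servers:
        findings.append("no DNS name server configured")

    fqdn = f"{hostname}.{domain}" if hostname and domain else None
    return fqdn, findings
```

The returned FQDN is the name to register on the DNS server in Step 9 and to browse to over HTTPS.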
For complete descriptions of the commands used in this example, consult the Cisco IOS Commands Master List, Release 12.4. Click this link to browse to the master list of commands:
Deleting an HTTPS Certificate
The access point generates a certificate automatically when you enable HTTPS. However, if you need to change the fully qualified domain name (FQDN) for an access point, or you need to add an FQDN after enabling HTTPS, you might need to delete the certificate. Follow these steps:
Step 1 Browse to the Services: HTTP Web Server page.
Step 2 Uncheck the Enable Secure (HTTPS) Browsing check box to disable HTTPS.
Step 3 Click Delete Partial SSL certificate to delete the certificate.
Step 4 Click Apply. The access point generates a new certificate using the new FQDN.
CLI Commands for Deleting an HTTPS Certificate
In the global configuration mode, use the following commands for deleting an HTTPS certificate.
no ip http secure-server
crypto key zeroize rsa name-of-rsa-key
Deletes the RSA key for the HTTP server. All router certificates (HTTPS certificates) issued using this key are removed along with it.
Using Online Help
Click the help icon at the top of the Home page in the web-browser interface to display the online help. Figure 2-2 shows the help and print icons.
Figure 2-2 Help and Print Icons
When a help page appears in a new browser window, use the Select a topic drop-down list to display the help index or instructions for common configuration tasks, such as configuring VLANs.
Changing the Location of Help Files
Cisco maintains up-to-date HTML help files for access points on the Cisco website. By default, the access point opens a help file on Cisco.com when you click the help button on the access point web-browser interface. However, you can install the help files on your network so your access points can access them there. Follow these steps to install the help files locally:
Step 1 Download the help files from the Software Center on Cisco.com. Click this link to browse to the Software Center Wireless Software page:
Select the help files that match the software version on your access point.
Step 2 Unzip the help files on your network in a directory accessible to your access point. When you unzip the help files, the HTML help pages are stored in a folder named according to the help version number and access point model number.
Step 3 Browse to the Services: HTTP Web Server page in the access point web-browser interface.
Step 4 In the Default Help Root URL entry field, enter the complete path to the location where you unzipped the help files. When you click the access point help button, the access point automatically appends the help version number and model number to the path that you enter.
Note Do not add the help version number and device model number to the Default Help Root URL entry. The access point automatically adds the help version and model number to the help root URL.
If you unzip the help files on your network file server at //myserver/myhelp, your Default Help Root URL looks like this:
Table 2-2 shows an example help location and Help Root URL for an 1100 series access point.
Table 2-2 Example Help Root URL and Help Location
Files Unzipped at This Location
Actual Location of Help Files
Step 5 Click Apply.