Enabling HTTPS for Secure Browsing
You can protect the communication with the access point web-browser interface by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Socket Layer (SSL) protocol.
Note: When you enable HTTPS, your browser might lose its connection to the access point. If you lose the connection, change the URL in your browser address line from http://ip_address to https://ip_address and log into the access point again.
Note: When you enable HTTPS, most browsers prompt you for approval each time you browse to a device that does not have a fully qualified domain name (FQDN). To avoid the approval prompts, create an FQDN for the access point as detailed in the following procedure.
Follow these steps to create an FQDN and enable HTTPS:
Step 1 If your browser uses popup-blocking software, disable the popup-blocking feature.
Step 2 Choose Easy Setup > Network Configuration.
The Network Configuration page appears.
Step 3 Enter a name for the access point in the Host Name field, and then click Apply.
Step 4 Choose Services > DNS.
The Services: DNS - Domain Name Service page appears.
Step 5 In the Domain Name System (DNS) field, click the Enable radio button.
Step 6 In the Domain Name field, enter your company’s domain name.
Step 7 Enter at least one IP address for your DNS server in the Name Server IPv4/IPv6 Addresses fields.
Step 8 Click Apply.
The access point FQDN is a combination of the system name and the domain name. For example, if your system name is ap3600 and your domain name is company.com, the FQDN is ap3600.company.com.
Step 9 Enter the FQDN on your DNS server.
Tip: If you do not have a DNS server, you can register the access point FQDN with a dynamic DNS service. Search the Internet for dynamic DNS to find a fee-based DNS service.
Step 10 Choose Services > HTTP.
The Services: HTTP - Web Server page is displayed.
Step 11 In the Web-based Configuration Management field, select the Enable Secure (HTTPS) Browsing check box.
Step 12 In the Domain Name field, enter a domain name, and then click Apply.
Note: Enabling HTTPS automatically disables HTTP. To maintain HTTP access with HTTPS enabled, check the Enable Secure (HTTPS) Browsing check box, and then check the Enable Standard (HTTP) Browsing check box. Although you can enable both standard HTTP and HTTPS, we recommend that you enable only one.
A warning appears stating that you will now use secure HTTP to browse to the access point. The warning also displays the new URL containing https, which you will need to use to browse to the access point.
Step 13 In the warning box, click OK.
The address in your browser address line changes from http://<ip-address> to https://<ip-address>.
Step 14 Another warning appears stating that the access point security certificate was not issued by a trusted certificate authority. However, you can ignore this warning. Click Continue to this Website (not recommended).
Note: The following steps assume that you are using Microsoft Internet Explorer. If you are not, refer to your browser documentation for more information on how to access web sites that use self-signed certificates.
Step 15 The access point login window appears and you must log in to the access point again. The default username is Cisco (case-sensitive) and the default password is Cisco (case-sensitive).
Step 16 To display the access point’s security certificate, click the Certificate error icon in the address bar.
Step 17 Click View Certificates.
Step 18 In the Certificate window, click Install Certificate.
The Microsoft Windows Certificate Import Wizard appears.
Step 19 Click Next.
The next screen asks where you want to store the certificate. We recommend that you use the default storage area on your system.
Step 20 Click Next to accept the default storage area.
You have now successfully imported the certificate.
Step 21 Click Finish.
A security warning is displayed.
Step 22 Click Yes.
A message box stating that the installation is successful is displayed.
Step 23 Click OK.
CLI Configuration Example
This example shows the CLI commands that are equivalent to the steps listed in the “Enabling HTTPS for Secure Browsing” section:
AP(config)# hostname ap3600
AP(config)# ip domain name company.com
AP(config)# ip name-server 10.91.107.18
AP(config)# ip http secure-server
In this example, the access point system name is ap3600, the domain name is company.com, and the IP address of the DNS server is 10.91.107.18.
For complete descriptions of the commands used in this example, consult the Cisco IOS Commands Master List, Release 12.4. Click this link to browse to the master list of commands:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124htnml.htm
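The settings from the CLI example can be checked in a saved configuration before relying on the HTTPS interface. The following Python check is an added example, not Cisco code: it derives the FQDN from the hostname and domain name and flags the case the guide advises against, where HTTP and HTTPS are both enabled. The function name audit_ap_config and both sample configurations are constructed for illustration, and it assumes the excerpt lists the ip http server and ip http secure-server lines explicitly, so an absent line is treated as disabled.

```python
import re

# Constructed sample running-config excerpts (not captured from a real device).
SAMPLE_GOOD = """\
hostname ap3600
ip domain name company.com
ip name-server 10.91.107.18
no ip http server
ip http secure-server
"""
SAMPLE_BOTH = """\
hostname ap3600
ip name-server 10.91.107.18
ip http server
ip http secure-server
"""

def audit_ap_config(config_text):
    """Return (fqdn_or_None, findings) for an IOS-style config excerpt."""
    state = {"hostname": None, "domain": None, "dns": [],
             "http": False, "https": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        negated = line.startswith("no ")      # "no <command>" turns a setting off
        if negated:
            line = line[3:]
        if m := re.fullmatch(r"hostname (\S+)", line):
            state["hostname"] = None if negated else m.group(1)
        elif m := re.fullmatch(r"ip domain[ -]name (\S+)", line):
            state["domain"] = None if negated else m.group(1)
        elif m := re.fullmatch(r"ip name-server (.+)", line):
            if not negated:
                state["dns"] += m.group(1).split()
        elif line == "ip http server":
            state["http"] = not negated
        elif line == "ip http secure-server":
            state["https"] = not negated
    findings = []
    if not state["https"]:
        findings.append("HTTPS management interface is not enabled")
    if state["http"] and state["https"]:
        findings.append("HTTP and HTTPS are both enabled; the guide recommends only one")
    if not (state["hostname"] and state["domain"]):
        findings.append("hostname or domain name missing; no FQDN for the certificate")
    if not state["dns"]:
        findings.append("no DNS name server configured")
    fqdn = f"{state['hostname']}.{state['domain']}" if state["hostname"] and state["domain"] else None
    return fqdn, findings
```
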
Deleting an HTTPS Certificate
The access point generates a certificate automatically when you enable HTTPS. However, if you need to change the fully qualified domain name (FQDN) for an access point, or you need to add an FQDN after enabling HTTPS, you might need to delete the certificate. Follow these steps:
Step 1 Browse to the Services: HTTP Web Server page.
Step 2 Uncheck the Enable Secure (HTTPS) Browsing check box to disable HTTPS.
Step 3 Click Delete Partial SSL certificate to delete the certificate.
Step 4 Click Apply. The access point generates a new certificate using the new FQDN.
CLI Commands for Deleting an HTTPS Certificate
In global configuration mode, use the following commands to delete an HTTPS certificate.

| Step | Command | Purpose |
|---|---|---|
| Step 1 | no ip http secure-server | Disables HTTPS. |
| Step 2 | crypto key zeroize rsa name-of-rsa-key | Deletes the RSA key for the HTTP server. All router certificates (HTTPS certificates) issued using this key are also removed. |