Manual | Users Manual | 1.56 MiB
ap3700getstart.fm Page 1 Wednesday, March 27, 2013 10:16 AM

GETTING STARTED GUIDE
Cisco Aironet 3700 Series Access Points

1 About this Guide
2 Introduction to the Access Point
3 Safety Instructions
4 Unpacking
5 Configurations
6 Access Point Ports and Connectors
7 Configuring the Access Point
8 Mounting the Access Point
9 Deploying the Access Point on the Wireless Network
10 Installing Modules
11 Troubleshooting
12 Declarations of Conformity and Regulatory Information
13 Configuring DHCP Option 43 and DHCP Option 60
14 Access Point Specifications

Revised: March 25, 2013

1 About this Guide

This guide provides instructions on how to install and configure your Cisco Aironet 3700 Series Access Point and how to install available radio modules. This guide also provides mounting instructions and limited troubleshooting procedures. The 3700 Series Access Point is referred to as the access point in this document.

2 Introduction to the Access Point

The 3700 series supports high-performing Spectrum Intelligence which sustains three spatial stream rates over a deployable distance with high reliability when serving clients. The 3700 series provides high reliability and overall wireless performance. The 3700 series offers dual-band radios (2.4 GHz and 5 GHz) with integrated and external antenna options. The access points support full inter-operability with leading 802.11ac clients, and support a mixed deployment with other access points and controllers.

The 3700 series access point is a controller-based (Unified) product and supports:
Simultaneous dual-band (2.4-GHz and 5-GHz) radios
External antennas for rugged 3702E access point model (AIR-CAP3702E-x-K9)
Integrated antennas on the 3702I access point model (AIR-CAP3702I-x-K9)

Note The x in the model numbers represents the regulatory domain. Refer to the Regulatory Domains section on page 6 for a list of supported regulatory domains.

The features of the 3700 series are:
Processing sub-systems (including CPUs and memory) and radio hardware which supports:
  Network management
  CleanAir: Automatic detection, classification, location and mitigation of RF interference
  ClientLink+BeamForming to 802.11n clients as well as legacy 802.11a/g OFDM clients
  VideoStream
  Location
  WIDS/WIPS Security
  Radio Resource Management (RRM)
  Rogue detection
  Management Frame Protection (MFP)
Throughput, forwarding, and filtering performance scaled to meet 3 spatial stream, 1.3-Gbps data-rates
32 MB flash size
802.11af/at CDP (Cisco Discovery Protocol)
2.4 GHz and 5 GHz 802.11n radios with the following features:
  4TX x 4RX 3-spatial streams, 1.3-Gbps PHY rate
  Spectrum intelligence
  DPD (Digital Pre-Distortion) technology
  Cisco Vector Beamforming: Implicit Co-phase beamforming for .11ag clients and 1x1 11n clients
  Radio hardware is capable of explicit compressed beamforming (ECBF) per 802.11n standard

3 Safety Instructions

Translated versions of the following safety warnings are provided in the translated safety warnings document that is shipped with your access point. The translated warnings are also in the Translated Safety Warnings for Cisco Aironet Access Points, which is available on Cisco.com.

Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071 SAVE THESE INSTRUCTIONS

Warning Read the installation instructions before you connect the system to its power source. Statement 1004

Warning Installation of the equipment must comply with local and national electrical codes. Statement 1074

Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than: 20A. Statement 1005

Warning Do not operate your wireless network device near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use. Statement 245B

Warning In order to comply with FCC radio frequency (RF) exposure limits, antennas should be located at a minimum of 7.9 inches (20 cm) or more from the body of all persons. Statement 332

Caution The fasteners you use to mount an access point on a ceiling must be capable of maintaining a minimum pullout force of 20 lbs (9 kg) and must use all 4 indented holes on the mounting bracket.

Caution This product and all interconnected equipment must be installed indoors within the same building, including the associated LAN connections as defined by Environment A of the IEEE 802.3af Standard.

Note The access point is suitable for use in environmental air space in accordance with section 300.22.C of the National Electrical Code and sections 2-128, 12-010(3), and 12-100 of the Canadian Electrical Code, Part 1, C22.1. You should not install the power supply or power injector in air handling spaces.

Note Use only with listed ITE equipment.

4 Unpacking

To unpack the access point, follow these steps:
Step 1 Unpack and remove the access point and the accessory kit from the shipping box.
Step 2 Return any packing material to the shipping container and save it for future use.
Step 3 Verify that you have received the items listed below. If any item is missing or damaged, contact your Cisco representative or reseller for instructions.
  The access point
  Mounting bracket (selected when you ordered the access point)
  Adjustable ceiling-rail clip (selected when you ordered the access point)

5 Configurations

The 3700 series access point contains two simultaneous dual-band radios, the 2.4-GHz MIMO radio and the 5-GHz 802.11ac MIMO radio. The 3700 series access point configurations are:
AIR-CAP3702E-x-K9: two 2.4-GHz/5-GHz dual-band radios, up to 4 external dual-band dipole antennas
AIR-CAP3702I-x-K9: two 2.4-GHz/5-GHz dual-band radios, with integrated dual-band inverted-F antennas

For information on the regulatory domains (shown as x in the model numbers) see the Regulatory Domains section on page 6.

External Antennas

The 3702E model is configured with up to four external dual-band dipole antennas, and two 2.4-GHz/5-GHz dual-band radios. The radio and antennas support frequency bands 2400-2500 MHz and 5180-5865 MHz through a common dual-band RF interface. Features of the external dual-band dipole antennas are:
Four RTNC antenna connectors on the top of the access point
Four TX/RX antennas

These antennas are supported on the 3702E:
AIR-ANT2524DB-R
AIR-ANT2524DW-R
AIR-ANT2524DG-R
AIR-ANT2524V4C-R
AIR-ANT2544V4M-R
AIR-ANT2566P4W-R

Internal Antennas

The 3702I model access point is configured with four dual-band inverted-F antennas, and two 2.4-GHz/5-GHz dual-band radios. There are four antennas deployed inside the access point with one deployed on each corner of the 3702I access point top housing. Each antenna covers both the 2.4 GHz and the 5 GHz bands with a single feed line. The basic features are as follows:
Dual-band inverted-F antenna for use in both the 2.4-GHz and 5-GHz bands.
Antenna unit integrated into the 3702I model access point.
Peak gain is approximately 2 dBi in the 2.4-GHz band and approximately 4 dBi in the 5-GHz band.

Regulatory Domains

The 3700 series supports the following regulatory domains (shown as x in the model numbers):
-A, -C, -E, -I, -K, -N, -Q, -R, -S, -T

Countries Supported

Click this URL to browse to a list of countries and regulatory domains supported by the 3700:
www.cisco.com/go/aironet/compliance

6 Access Point Ports and Connectors

The 3702E model access point has external antenna connectors and the LED indicator on the top of the model, as shown in Figure 1. The 3702I model access point has integrated antennas and does not have external connectors on the top of the unit; however, it does have the LED indicator on top of the unit, as shown in Figure 2.

Figure 1 Access Point Ports and Connections (top): 3702E Model
1 Dual-band antenna connector A
2 Dual-band antenna connector B
3 Dual-band antenna connector C
4 Dual-band antenna connector D

Figure 2 Access Point LED Indicator (top): 3702I Model
1 LED indicator

The ports and connections on the bottom of the access point are shown in Figure 3.

Figure 3 Access Point Ports and Connections (bottom): AIR3702E and 3702I Models
1 Kensington lock slot
2 DC Power connection
3 Gbit Ethernet port
4 Console port
5 Security padlock and hasp (padlock not included)
6 Mounting bracket pins (feet for desk or table-top mount)

7 Configuring the Access Point

This section describes how to connect the access point to a wireless LAN controller. Because the configuration process takes place on the controller, see the Cisco Wireless LAN Controller Configuration Guide for additional information. This guide is available on Cisco.com.

The Controller Discovery Process

The access point uses standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate between the controller and other wireless access points on the network. CAPWAP is a standard, interoperable protocol which enables an access controller to manage a collection of wireless termination points. The discovery process using CAPWAP is identical to the Lightweight Access Point Protocol (LWAPP) used with previous Cisco Aironet access points. LWAPP-enabled access points are compatible with CAPWAP, and conversion to a CAPWAP controller is seamless. Deployments can combine CAPWAP and LWAPP software on the controllers.

The functionality provided by the controller does not change except for customers who have Layer 2 deployments, which CAPWAP does not support.

In a CAPWAP environment, a wireless access point discovers a controller by using CAPWAP discovery mechanisms and then sends it a CAPWAP join request. The controller sends the access point a CAPWAP join response allowing the access point to join the controller. When the access point joins the controller, the controller manages its configuration, firmware, control transactions, and data transactions.

Note For additional information about the discovery process and CAPWAP, see the Cisco Wireless LAN Controller Software Configuration Guide. This document is available on Cisco.com.

Note CAPWAP support is provided in controller software release 5.2 or later. However, your controller must be running release 7.5.0.0 or later to support 3700 series access points.

Note You cannot edit or query any access point using the controller CLI if the name of the access point contains a space.

Note Make sure that the controller is set to the current time. If the controller is set to a time that has already occurred, the access point might not join the controller because its certificate may not be valid for that time.

Access points must be discovered by a controller before they can become an active part of the network.
The access point supports these controller discovery processes:
Layer 3 CAPWAP discovery: Can occur on different subnets than the access point and uses IP addresses and UDP packets rather than MAC addresses used by Layer 2 discovery.
Locally stored controller IP address discovery: If the access point was previously joined to a controller, the IP addresses of the primary, secondary, and tertiary controllers are stored in the access point's non-volatile memory. This process of storing controller IP addresses on an access point for later deployment is called priming the access point. For more information about priming, see the Performing a Pre-Installation Configuration section on page 11.
DHCP server discovery: This feature uses DHCP option 43 to provide controller IP addresses to the access points. Cisco switches support a DHCP server option that is typically used for this capability. For more information about DHCP option 43, see the Configuring DHCP Option 43 and DHCP Option 60 section on page 38.
DNS discovery: The access point can discover controllers through your domain name server (DNS). For the access point to do so, you must configure your DNS to return controller IP addresses in response to CISCO-CAPWAP-CONTROLLER.localdomain, where localdomain is the access point domain name. Configuring the CISCO-CAPWAP-CONTROLLER provides backwards compatibility in an existing customer deployment. When an access point receives an IP address and DNS information from a DHCP server, it contacts the DNS to resolve CISCO-CAPWAP-CONTROLLER.localdomain. When the DNS sends a list of controller IP addresses, the access point sends discovery requests to the controllers.

Preparing the Access Point

Before you mount and deploy your access point, we recommend that you perform a site survey (or use the site planning tool) to determine the best location to install your access point. You should have the following information about your wireless network available:
Access point locations.
Access point mounting options: below a suspended ceiling, on a flat horizontal surface, or on a desktop.

Note You can mount the access point above a suspended ceiling but you must purchase additional mounting hardware. See the Mounting the Access Point section on page 14 for additional information.

Access point power options: power supplied by the recommended external power supply (Cisco AIR-PWR-B), a DC power supply, PoE from a network device, or a PoE power injector/hub (usually located in a wiring closet).

Note Access points mounted in a building's environmental airspace must be powered using PoE to comply with safety regulations.

Cisco recommends that you make a site map showing access point locations so that you can record the device MAC addresses from each location and return them to the person who is planning or managing your wireless network.

Installation Summary

Installing the access point involves these operations:
Performing a pre-installation configuration (optional)
Mounting the access point
Grounding the access point
Deploying the access point on the wireless network

Performing a Pre-Installation Configuration

The following procedures ensure that your access point installation and initial operation go as expected. A pre-installation configuration is also known as priming the access point. This procedure is optional.

Note Performing a pre-installation configuration is an optional procedure. If your network controller is properly configured, you can install your access point in its final location and connect it to the network from there. See the Deploying the Access Point on the Wireless Network section on page 14 for details.

Pre-Installation Configuration Setup

The pre-installation configuration setup is shown in Figure 4.

Figure 4 Pre-Installation Configuration Setup (labels: Controller, Layer 3 devices, Cisco Aironet access points)

To perform pre-installation configuration, perform the following steps:
Step 1 Make sure that the Cisco wireless LAN controller DS port is connected to the network. Use the CLI, web-browser interface, or Cisco WCS procedures as described in the appropriate Cisco wireless LAN controller guide.
a. Make sure that access points have Layer 3 connectivity to the Cisco wireless LAN controller Management and AP-Manager Interface.
b. Configure the switch to which your access point is to attach. See the Cisco Wireless LAN Controller Configuration Guide, Release x.x for additional information.
c. Set the Cisco wireless LAN controller as the master so that new access points always join with it.
d. Make sure DHCP is enabled on the network. The access point must receive its IP address through DHCP.
e. CAPWAP UDP ports must not be blocked in the network.
f. The access point must be able to find the IP address of the controller. This can be accomplished using DHCP, DNS, or IP subnet broadcast. This guide describes the DHCP method to convey the controller IP address. For other methods, refer to the product documentation. See also the Using DHCP Option 43 section on page 18 for more information.

Step 2 Apply power to the access point:
a. The access point is 802.3af (15.4 W) compliant and can be powered by any 802.3af-compliant device. The recommended external power supply for the access point is the Cisco AIR-PWR-B power supply. The access point can also be powered by the following optional external power sources:
Access point power injector (AIR-PWRINJ5)
Any 802.3af compliant power injector

Note The 3702 series access point requires a Gigabit Ethernet link to prevent the Ethernet port from becoming a bottleneck for traffic because wireless traffic speeds exceed transmit speeds of a 10/100 Ethernet port.

b. As the access point attempts to connect to the controller, the LEDs cycle through a green, red, and amber sequence, which can take up to 5 minutes.

Note If the access point remains in this mode for more than five minutes, the access point is unable to find the Master Cisco wireless LAN controller. Check the connection between the access point and the Cisco wireless LAN controller and be sure that they are on the same subnet.

c. If the access point shuts down, check the power source.
d. After the access point finds the Cisco wireless LAN controller, it attempts to download the new operating system code if the access point code version differs from the Cisco wireless LAN controller code version. While this is happening, the Status LED blinks dark blue.
e. If the operating system download is successful, the access point reboots.

Step 3 Configure the access point if required. Use the controller CLI, controller GUI, or Cisco Prime Infrastructure to customize the access-point-specific 802.11ac network settings.
Step 4 If the pre-installation configuration is successful, the Status LED is green indicating normal operation. Disconnect the access point and mount it at the location at which you intend to deploy it on the wireless network.
Step 5 If your access point does not indicate normal operation, turn it off and repeat the pre-installation configuration.
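
The discovery methods and Step 1 checks above determine which controller addresses an access point is handed by DHCP option 43 and by DNS. The following added example (not part of the Cisco guide) decodes an option 43 payload and audits it, together with the DNS answers for CISCO-CAPWAP-CONTROLLER, against an allowlist of authorized controllers. It assumes the sub-option layout Cisco documents for option 43 (type 0xf1, a length of 4 bytes per controller, then the IPv4 addresses), which this part of the guide does not spell out; the function names and all addresses are constructed for illustration.

```python
"""Audit controller addresses offered to an AP by DHCP option 43 and DNS.

Added example, not Cisco code. All addresses below are constructed samples.
"""
import ipaddress

# Assumption: sub-option type Cisco documents for the controller list.
CAPWAP_SUBOPTION = 0xF1
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def decode_option43(blob: bytes) -> list:
    """Return the controller IPv4 addresses carried in an option 43 payload.

    Raises ValueError if the payload is truncated, carries no 0xf1
    sub-option, or the 0xf1 length is not a non-zero multiple of 4.
    """
    i, controllers, seen = 0, [], False
    while i < len(blob):
        code = blob[i]
        if code == 0xFF:            # end marker
            break
        if code == 0x00:            # pad byte, has no length field
            i += 1
            continue
        if i + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of payload")
        if code == CAPWAP_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("0xf1 length must be a non-zero multiple of 4")
            seen = True
            controllers += [ipaddress.IPv4Address(value[j:j + 4])
                            for j in range(0, length, 4)]
        i += 2 + length
    if not seen:
        raise ValueError("no 0xf1 controller sub-option present")
    return controllers


def encode_option43(controllers) -> str:
    """Build the hex string for a DHCP scope from a list of controller IPs."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return (bytes([CAPWAP_SUBOPTION, len(packed)]) + packed).hex()


def audit_discovery(sources: dict, authorized: set) -> list:
    """Flag every offered controller address that an AP should not trust.

    sources maps a discovery method name to the addresses it hands out.
    Returns (method, address, reason) tuples; an empty list means clean.
    """
    allowed = {ipaddress.IPv4Address(a) for a in authorized}
    findings = []
    for method, addrs in sources.items():
        for addr in (ipaddress.IPv4Address(a) for a in addrs):
            if (addr == BROADCAST or addr.is_multicast
                    or addr.is_loopback or addr.is_unspecified):
                findings.append((method, str(addr),
                                 "not a usable unicast controller address"))
            elif addr not in allowed:
                findings.append((method, str(addr),
                                 "not an authorized controller"))
    return findings


# Constructed sample: option 43 as captured from a DHCP offer, plus the
# A records returned for CISCO-CAPWAP-CONTROLLER.<localdomain>.
SAMPLE_OPTION43 = bytes.fromhex("f108c000020ac6336407")
SAMPLE_DNS_ANSWERS = ["192.0.2.10", "192.0.2.11"]
AUTHORIZED_CONTROLLERS = {"192.0.2.10", "192.0.2.11"}


def run_sample_audit() -> list:
    sources = {
        "dhcp-option-43": decode_option43(SAMPLE_OPTION43),
        "dns:CISCO-CAPWAP-CONTROLLER": SAMPLE_DNS_ANSWERS,
    }
    return audit_discovery(sources, AUTHORIZED_CONTROLLERS)


if __name__ == "__main__":
    for method, addr, reason in run_sample_audit():
        print(f"{method}: {addr} -> {reason}")
```

In the sample, the DHCP scope offers one address that is not on the allowlist, which is the condition to alert on before access points are primed from that subnet.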
Note When you are installing a Layer 3 access point on a different subnet than the Cisco wireless LAN controller, be sure that a DHCP server is reachable from the subnet on which you will be installing the access point, and that the subnet has a route back to the Cisco wireless LAN controller. Also be sure that the route back to the Cisco wireless LAN controller has destination UDP ports 5246 and 5247 open for CAPWAP communications. Ensure that the route back to the primary, secondary, and tertiary wireless LAN controller allows IP packet fragments. Finally, be sure that if address translation is used, the access point and the Cisco wireless LAN controller have a static 1-to-1 NAT to an outside address. (Port Address Translation is not supported.)

8 Mounting the Access Point

Cisco Aironet 3702 series access points can be mounted in several configurations, including on a suspended ceiling, on a hard ceiling or wall, on an electrical or network box, and above a suspended ceiling. Click this URL to browse to complete access point mounting instructions:
http://www.cisco.com/en/US/docs/wireless/access_point/mounting/guide/apmount.html

9 Deploying the Access Point on the Wireless Network

After you have mounted the access point, follow these steps to deploy it on the wireless network:
Step 1 Connect and power up the access point.
Step 2 Observe the access point LED (for LED descriptions, see the Checking the Access Point LED section on page 18).
a. When you power up the access point, it begins a power-up sequence that you can verify by observing the access point LED. If the power-up sequence is successful, the discovery and join process begins. During this process, the LED blinks sequentially green, red, and off. When the access point has joined a controller, the LED is green if no clients are associated or blue if one or more clients are associated.
b. If the LED is not on, the access point is most likely not receiving power.
c. If the LED blinks sequentially for more than 5 minutes, the access point is unable to find its primary, secondary, and tertiary Cisco wireless LAN controller. Check the connection between the access point and the Cisco wireless LAN controller, and be sure the access point and the Cisco wireless LAN controller are either on the same subnet or that the access point has a route back to its primary, secondary, and tertiary Cisco wireless LAN controller. Also, if the access point is not on the same subnet as the Cisco wireless LAN controller, be sure that there is a properly configured DHCP server on the same subnet as the access point. See the Configuring DHCP Option 43 and DHCP Option 60 section on page 38 for additional information.
Step 3 Reconfigure the Cisco wireless LAN controller so that it is not the Master.

Note A Master Cisco wireless LAN controller should be used only for configuring access points and not in a working network.

10 Installing Modules

Modules are devices that are purchased as separate items. When they are installed in the Cisco Aironet 3700 series access point, they give the access point additional capabilities. Modules connect to the access point's module port. No special tools are required to install a module.

Installing a Module

Follow these steps to install a module:
Step 1 Remove the module from the packaging.
Step 2 Power down the access point.
Step 3 Peel off the label from the back of the 3700 series access point to reveal the module port connector.
  1 Openings for module's antennas.
  2 Label covering port connector.
Step 4 Align the module's connector with the connector on the back of the access point and click the module into place.
Step 5 Screw down the thumb screws on the module.

Note If the screws are not tightened, the module will not be recognized and may not operate correctly. Make sure not to over-tighten, only hand-tighten the screws.

Step 6 Power up the access point. When the access point boots up, it will recognize the module.

11 Troubleshooting

If you experience difficulty getting your access point installed and running, look for a solution to your problem in this guide or in additional access point documentation. These, and other documents, are available on Cisco.com.

Guidelines for Using Cisco Aironet Lightweight Access Points

Keep these guidelines in mind when you use 3702 series lightweight access points:
The access point can only communicate with Cisco wireless LAN controllers.
The access point does not support Wireless Domain Services (WDS) and cannot communicate with WDS devices. However, the controller provides functionality equivalent to WDS when the access point joins it.
CAPWAP does not support Layer 2. The access point must get an IP address and discover the controller using Layer 3, DHCP, DNS, or IP subnet broadcast.
The access point console port is enabled for monitoring and debug purposes. All configuration commands are disabled when the access point is connected to a controller.

Using DHCP Option 43

You can use DHCP Option 43 to provide a list of controller IP addresses to the access points, enabling them to find and join a controller. For additional information, refer to the Configuring DHCP Option 43 and DHCP Option 60 section on page 38.

Checking the Access Point LED

The location of the access point status LED is shown in Figure 5.

Note Regarding LED status colors: it is expected that there will be small variations in color intensity and hue from unit to unit. This is within the normal range of the LED manufacturer's specifications and is not a defect.

Figure 5 Access Point LED Location
1 Status LED

The access point status LED indicates various conditions, which are described in Table 1.

Table 1 LED Status Indications

Message Type | Status LED | Message Meaning
---|---|---
Boot loader status sequence | Blinking green | DRAM memory test in progress; DRAM memory test OK; Board initialization in progress; Initializing FLASH file system; FLASH memory test OK; Initializing Ethernet; Ethernet OK; Starting Cisco IOS; Initialization successful
Association status | Green | Normal operating condition, but no wireless client associated
Association status | Blue | Normal operating condition, at least one wireless client association
Operating status | Blinking blue | Software upgrade in progress
Operating status | Cycling through green, red, and off | Discovery/join process in progress
Operating status | Rapidly cycling through blue, green, and red | Access point location command invoked
Operating status | Blinking red | Ethernet link not operational
Boot loader warnings | Blinking blue | Configuration recovery in progress (MODE button pushed for 2 to 3 seconds)
Boot loader warnings | Red | Ethernet failure or image recovery (MODE button pushed for 20 to 30 seconds)
Boot loader warnings | Blinking green | Image recovery in progress (MODE button released)
Boot loader errors | Red | DRAM memory test failure
Boot loader errors | Blinking red and blue | FLASH file system failure
Boot loader errors | Blinking red and off | Environment variable failure; Bad MAC address; Ethernet failure during image recovery; Boot environment failure; No Cisco image file; Boot failure
Cisco IOS errors | Red | Software failure; try disconnecting and reconnecting unit power
Cisco IOS errors | Cycling through blue, green, red, and off | General warning; insufficient inline power

Troubleshooting the Access Point Join Process

Access points can fail to join a controller for many reasons: a RADIUS authorization is pending; self-signed certificates are not enabled on the controller; the access point's and controller's regulatory domains don't match, and so on.

Controller software enables you to configure the access points to send all CAPWAP-related errors to a syslog server. You do not need to enable any debug commands on the controller because all of the CAPWAP error messages can be viewed from the syslog server itself.

The state of the access point is not maintained on the controller until it receives a CAPWAP join request from the access point. Therefore, it can be difficult to determine why the CAPWAP discovery request from a certain access point was rejected. In order to troubleshoot such joining problems without enabling CAPWAP debug commands on the controller, the controller collects information for all access points that send a discovery message to it and maintains information for any access points that have successfully joined it.

The controller collects all join-related information for each access point that sends a CAPWAP discovery request to the controller. Collection begins with the first discovery message received from the access point and ends with the last configuration payload sent from the controller to the access point.

You can view join-related information for up to three times the maximum number of access points supported by the platform for the 2500 series controllers and the Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers.

Note The maximum number of access points varies for the Cisco WiSM2, depending on which controller software release is being used.

When the controller is maintaining join-related information for the maximum number of access points, it does not collect information for any more access points.

An access point sends all syslog messages to IP address 255.255.255.255 by default when any of the following conditions are met:
An access point running software release 5.2 or later has been newly deployed.
An existing access point running software release 5.2 or later has been reset after clearing the configuration.

If any of these conditions are met and the access point has not yet joined a controller, you can also configure a DHCP server to return a syslog server IP address to the access point using option 7 on the server. The access point then starts sending all syslog messages to this IP address.

When the access point joins a controller for the first time, the controller sends the global syslog server IP address (the default is 255.255.255.255) to the access point. After that, the access point sends all syslog messages to this IP address until it is overridden by one of the following scenarios:
The access point is still connected to the same controller, and the global syslog server IP address configuration on the controller has been changed using the config ap syslog host global syslog_server_IP_address command. In this case, the controller sends the new global syslog server IP address to the access point.
The access point is still connected to the same controller, and a specific syslog server IP address has been configured for the access point on the controller using the config ap syslog host specific Cisco_AP syslog_server_IP_address command. In this case, the controller sends the new specific syslog server IP address to the access point.
The access point is disconnected from the controller and joins another controller. In this case, the new controller sends its global syslog server IP address to the access point.
Whenever a new syslog server IP address overrides the existing syslog server IP address, the old address is erased from persistent storage, and the new address is stored in its place. The access point also starts sending all syslog messages to the new IP address provided the access point can reach the syslog server IP address. You can configure the syslog server for access points and view the access point join information only from the controller CLI. A detailed explanation of the join process is on Cisco.com at the following URL:
http://www.Cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml
12 Declarations of Conformity and Regulatory Information
This section provides declarations of conformity and regulatory information for the Cisco Aironet 3700 Series Access Points and any additional modules that can be installed into the Cisco Aironet 3700 Series Access Point. You can find additional information at this URL:
www.cisco.com/go/aironet/compliance
Manufacturers Federal Communication Commission Declaration of Conformity Statement
Tested To Comply With FCC Standards
FOR HOME OR OFFICE USE
Access Point Models: AIR-CAP3702E-A-K9, AIR-CAP3702I-A-K9, AIR-SAP3702E-A-K9, AIR-SAP3702I-A-K9
Certification Number: LDK102087
Module Models: (Not applicable)
Certification Number: (Not applicable)
Manufacturer: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA
This device complies with Part 15 rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.
This device operates in the 5150-5250 MHz and 5470-5725 MHz bands and is therefore restricted to indoor operation only per FCC guidance.
This equipment has been tested and found to comply with the limits of a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment. This equipment generates, uses, and radiates radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference. However, there is no guarantee that interference will not occur. If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to correct the interference by one of the following measures:
Reorient or relocate the receiving antenna.
Connect the equipment to an outlet on a circuit different from which the receiver is connected.
Consult the dealer or an experienced radio/TV technician.
Increase separation between the equipment and receiver.
Caution: The Part 15 radio device operates on a non-interference basis with other devices operating at this frequency when using the integrated antennas. Any changes or modification to the product not expressly approved by Cisco could void the user's authority to operate this device.
Caution: Within the 5.15 to 5.25 GHz and 5.47-5.725 GHz bands, this device is restricted to indoor operations to reduce any potential for harmful interference to co-channel Mobile Satellite System (MSS) operations.
VCCI Statement for Japan
Warning: This is a Class B product based on the standard of the Voluntary Control Council for Interference from Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.
Guidelines for Operating Cisco Aironet Access Points in Japan
This section provides guidelines for avoiding interference when operating Cisco Aironet access points in Japan. These guidelines are provided in both Japanese and English.
Japanese Translation
03-6434-6500
English Translation
This equipment operates in the same frequency bandwidth as industrial, scientific, and medical devices such as microwave ovens and mobile object identification (RF-ID) systems (licensed premises radio stations and unlicensed specified low-power radio stations) used in factory production lines.
1. Before using this equipment, make sure that no premises radio stations or specified low-power radio stations of RF-ID are used in the vicinity.
2. If this equipment causes RF interference to a premises radio station of RF-ID, promptly change the frequency or stop using the device; contact the number below and ask for recommendations on avoiding radio interference, such as setting partitions.
3. If this equipment causes RF interference to a specified low-power radio station of RF-ID, contact the number below.
Contact Number: 03-6434-6500
Statement 371 Power Cable and AC Adapter
English Translation
When installing the product, please use the provided or designated connection cables/power cables/AC adaptors. Using any other cables/adaptors could cause a malfunction or a fire. Electrical Appliance and Material Safety Law prohibits the use of UL-certified cables (that have the UL shown on the code) for any other electrical devices than products designated by CISCO. The use of cables that are certified by Electrical Appliance and Material Safety Law (that have PSE shown on the code) is not limited to CISCO-designated products.
Industry Canada
Canadian Compliance Statement
Access Point Models: AIR-CAP3702E-A-K9, AIR-CAP3702I-A-K9, AIR-SAP3702E-A-K9, AIR-SAP3702I-A-K9
Certification Number: 2461B-102087
Module Models: (Not applicable)
Certification Number: (Not applicable)
This Class B Digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations.
This device complies with Class B Limits of Industry Canada. Operation is subject to the following two conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.
Cisco Aironet Access Points are certified to the requirements of RSS-210. The use of this device in a system operating either partially or completely outdoors may require the user to obtain a license for the system according to the Canadian regulations. For further information, contact your local Industry Canada office.
This device has been designed to operate with antennas having a maximum gain of 6 dBi. Antennas having a gain greater than 6 dBi are strictly prohibited for use with this device. The required antenna impedance is 50 ohms.
To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (EIRP) is not more than that permitted for successful communication.
French Translation
Cet appareil numérique de la classe B respecte les exigences du Règlement sur le matériel brouilleur du Canada.
Cet appareil respecte les limites prescrites pour les appareils de classe B par Industrie Canada. Son utilisation est soumise aux deux conditions suivantes :
(1) Cet appareil ne doit pas causer d'interférences nuisibles, et
(2) Cet appareil doit accepter toutes les interférences, y compris celles susceptibles de perturber le fonctionnement de l'appareil.
Les points d'accès Aironet de Cisco sont certifiés conformément aux exigences du CNR-210. L'utilisation de cet appareil dans un système fonctionnant partiellement ou entièrement à l'extérieur peut nécessiter l'obtention d'une licence pour le système, conformément à la réglementation canadienne. Pour plus de renseignements, communiquez avec le bureau local d'Industrie Canada.
Cet appareil a été conçu pour fonctionner avec une antenne d'un gain maximum de 6 dBi. Il est strictement interdit d'utiliser des antennes ayant un gain supérieur à 6 dBi avec cet appareil. L'antenne doit avoir une impédance de 50 ohms.
Afin de réduire le risque d'interférence aux autres utilisateurs, le type d'antenne et son gain doivent être choisis de façon à ce que la puissance isotrope rayonnée équivalente (p.i.r.e.) ne soit pas supérieure au niveau requis pour obtenir une communication satisfaisante.
European Community, Switzerland, Norway, Iceland, and Liechtenstein
Access Point Models:
AIR-CAP3702E-E-K9, AIR-CAP3702I-E-K9
Module Models: (Not applicable)
Declaration of Conformity with regard to the R&TTE Directive 1999/5/EC & Medical Directive 93/42/EEC
The following standards were applied:
EMC: EN 301.489-1 v1.8.1; EN 301.489-17 v2.1.1
Health & Safety: EN60950-1: 2005; EN 50385: 2002
Radio: EN 300 328 v 1.7.1; EN 301.893 v 1.5.1
The conformity assessment procedure referred to in Article 10.4 and Annex III of Directive 1999/5/EC has been followed.
This device also conforms to the EMC requirements of the Medical Devices Directive 93/42/EEC.
Note: This equipment is intended to be used in all EU and EFTA countries. Outdoor use may be restricted to certain frequencies and/or may require a license for operation. For more details, contact Cisco Corporate Compliance.
The product carries the CE Mark:
Declaration of Conformity for RF Exposure
This section contains information on compliance with guidelines related to RF exposure.
Generic Discussion on RF Exposure
The Cisco products are designed to comply with the following national and international standards on Human Exposure to Radio Frequencies:
US 47 Code of Federal Regulations Part 2 Subpart J
American National Standards Institute (ANSI) / Institute of Electrical and Electronic Engineers / IEEE C 95.1 (99)
International Commission on Non Ionizing Radiation Protection (ICNIRP) 98
Ministry of Health (Canada) Safety Code 6. Limits on Human Exposure to Radio Frequency Fields in the range from 3kHz to 300 GHz
Australia Radiation Protection Standard
To ensure compliance with various national and international Electromagnetic Field (EMF) standards, the system should only be operated with Cisco approved antennas and accessories.
This Device Meets International Guidelines for Exposure to Radio Waves
The 3700 series device includes a radio transmitter and receiver. It is designed not to exceed the limits for exposure to radio waves (radio frequency electromagnetic fields) recommended by international guidelines. The guidelines were developed by an independent scientific organization (ICNIRP) and include a substantial safety margin designed to ensure the safety of all persons, regardless of age and health.
As such the systems are designed to be operated as to avoid contact with the antennas by the end user. It is recommended to set the system in a location where the antennas can remain at least a minimum distance as specified from the user in accordance to the regulatory guidelines which are designed to reduce the overall exposure of the user or operator.
Separation Distance
MPE: 0.63 mW/cm2; Distance: 20 cm (7.87 inches); Limit: 1.00 mW/cm2
The World Health Organization has stated that present scientific information does not indicate the need for any special precautions for the use of wireless devices. They recommend that if you are interested in further reducing your exposure then you can easily do so by reorienting antennas away from the user or placing the antennas at a greater separation distance than recommended.
This Device Meets FCC Guidelines for Exposure to Radio Waves
The 3700 series device includes a radio transmitter and receiver. It is designed not to exceed the limits for exposure to radio waves (radio frequency electromagnetic fields) as referenced in FCC Part 1.1310. The guidelines are based on IEEE ANSI C 95.1 (92) and include a substantial safety margin designed to ensure the safety of all persons, regardless of age and health.
As such the systems are designed to be operated as to avoid contact with the antennas by the end user. It is recommended to set the system in a location where the antennas can remain at least a minimum distance as specified from the user in accordance to the regulatory guidelines which are designed to reduce the overall exposure of the user or operator.
The device has been tested and found compliant with the applicable regulations as part of the radio certification process.
Separation Distance
MPE: 0.63 mW/cm2; Distance: 20 cm (7.87 inches); Limit: 1.00 mW/cm2
The US Food and Drug Administration has stated that present scientific information does not indicate the need for any special precautions for the use of wireless devices. The FCC recommends that if you are interested in further reducing your exposure then you can easily do so by reorienting antennas away from the user or placing the antennas at a greater separation distance than recommended or lowering the transmitter power output.
This Device Meets the Industry Canada Guidelines for Exposure to Radio Waves
The 3700 series device includes a radio transmitter and receiver. It is designed not to exceed the limits for exposure to radio waves (radio frequency electromagnetic fields) as referenced in Health Canada Safety Code 6. The guidelines include a substantial safety margin designed into the limit to ensure the safety of all persons, regardless of age and health.
As such the systems are designed to be operated as to avoid contact with the antennas by the end user. It is recommended to set the system in a location where the antennas can remain at least a minimum distance as specified from the user in accordance to the regulatory guidelines which are designed to reduce the overall exposure of the user or operator.
Separation Distance
MPE: 0.63 mW/cm2; Distance: 20 cm (7.87 inches); Limit: 1.00 mW/cm2
Health Canada states that present scientific information does not indicate the need for any special precautions for the use of wireless devices. They recommend that if you are interested in further reducing your exposure you can easily do so by reorienting antennas away from the user, placing the antennas at a greater separation distance than recommended, or lowering the transmitter power output.
Additional Information on RF Exposure
You can find additional information on the subject at the following links:
Cisco Systems Spread Spectrum Radios and RF Safety white paper at this URL:
http://www.cisco.com/warp/public/cc/pd/witc/ao340ap/prodlit/rfhr_wi.htm
FCC Bulletin 56: Questions and Answers about Biological Effects and Potential Hazards of Radio Frequency Electromagnetic Fields
FCC Bulletin 65: Evaluating Compliance with the FCC guidelines for Human Exposure to Radio Frequency Electromagnetic Fields
FCC Bulletin 65C (01-01): Evaluating Compliance with the FCC guidelines for Human Exposure to Radio Frequency Electromagnetic Fields: Additional Information for Evaluating Compliance for Mobile and Portable Devices with FCC limits for Human Exposure to Radio Frequency Emission
You can obtain additional information from the following organizations:
World Health Organization International Commission on Non-Ionizing Radiation Protection at this URL: www.who.int/emf
United Kingdom, National Radiological Protection Board at this URL: www.nrpb.org.uk
Cellular Telecommunications Association at this URL: www.wow-com.com
The Mobile Manufacturers Forum at this URL: www.mmfai.org
Administrative Rules for Cisco Aironet Access Points in Taiwan
This section provides administrative rules for operating Cisco Aironet access points in Taiwan. The rules for all access points are provided in both Chinese and English.
Chinese Translation
English Translation
Administrative Rules for Low-power Radio-Frequency Devices
Article 12
For those low-power radio-frequency devices that have already received a type-approval, companies, business units or users should not change its frequencies, increase its power or change its original features and functions.
Article 14
The operation of the low-power radio-frequency devices is subject to the conditions that no harmful interference is caused to aviation safety and authorized radio station; and if interference is caused, the user must stop operating the device immediately and can't re-operate it until the harmful interference is clear.
The authorized radio station means a radio-communication service operating in accordance with the Communication Act.
The operation of the low-power radio-frequency devices is subject to the interference caused by the operation of an authorized radio station, by another intentional or unintentional radiator, by industrial, scientific and medical (ISM) equipment, or by an incidental radiator.
Chinese Translation
English Translation
Low-power Radio-frequency Devices Technical Specifications
4.7 Unlicensed National Information Infrastructure
4.7.5 Within the 5.25-5.35 GHz band, U-NII devices will be restricted to indoor operations to reduce any potential for harmful interference to co-channel MSS operations.
4.7.6 The U-NII devices shall accept any interference from legal communications and shall not interfere the legal communications. If interference is caused, the user must stop operating the device immediately and can't re-operate it until the harmful interference is clear.
4.7.7 Manufacturers of U-NII devices are responsible for ensuring frequency stability such that an emission is maintained within the band of operation under all conditions of normal operation as specified in the user manual.
Operation of Cisco Aironet Access Points in Brazil
This section contains special information for operation of Cisco Aironet access points in Brazil.
Access Point Models: AIR-CAP3702E-T-K9, AIR-CAP3702I-T-K9
Regulatory Information
Figure 6 contains Brazil regulatory information for the access point models identified in the previous section.
Figure 6 Brazil Regulatory Information
Module Models:
(Not applicable)
Portuguese Translation
Este equipamento opera em caráter secundário, isto é, não tem direito a proteção contra interferência prejudicial, mesmo de estações do mesmo tipo, e não pode causar interferência a sistemas operando em caráter primário.
English Translation
This equipment operates on a secondary basis and consequently must accept harmful interference, including interference from stations of the same kind. This equipment may not cause harmful interference to systems operating on a primary basis.
Declaration of Conformity Statements
All the Declaration of Conformity statements related to this product can be found at the following location: http://www.ciscofax.com
13 Configuring DHCP Option 43 and DHCP Option 60
This section contains a DHCP Option 43 configuration example on a Windows 2003 Enterprise DHCP server for use with Cisco Aironet lightweight access points. For other DHCP server implementations, consult product documentation for configuring DHCP Option 43. In Option 43, you should use the IP address of the controller management interface.
Note: DHCP Option 43 is limited to one access point type per DHCP pool. You must configure a separate DHCP pool for each access point type.
The 3700 series access point uses the type-length-value (TLV) format for DHCP Option 43. DHCP servers must be programmed to return the option based on the access point's DHCP Vendor Class Identifier (VCI) string (DHCP Option 60). The VCI string for the 3700 series access point is:
Cisco AP c3700
Note: If your access point was ordered with the Service Provider Option (AIR-OPT60-DHCP) selected in the ordering tool, the VCI string for the access point contains ServiceProvider. For example, a 3700 with this option will return this VCI string:
Cisco AP c3700-ServiceProvider
The format of the TLV block is listed below:
Type: 0xf1 (decimal 241)
Length: Number of controller IP addresses * 4
Value: List of WLC management interfaces
To configure DHCP Option 43 in the embedded Cisco IOS DHCP server, follow these steps:
Step 1 Enter configuration mode at the Cisco IOS CLI.
Step 2 Create the DHCP pool, including the necessary parameters such as default router and name server. A DHCP scope example is as follows:
ip dhcp pool <pool name>
network <IP Network> <Netmask>
default-router <Default router>
dns-server <DNS Server>
Where:
<pool name> is the name of the DHCP pool, such as AP3702
<IP Network> is the network IP address where the controller resides, such as 10.0.15.1
<Netmask> is the subnet mask, such as 255.255.255.0
<Default router> is the IP address of the default router, such as 10.0.0.1
<DNS Server> is the IP address of the DNS server, such as 10.0.10.2
Step 3 Add the option 60 line using the following syntax:
option 60 ascii "VCI string"
For the VCI string, use "Cisco AP c3700". The quotation marks must be included.
Step 4 Add the option 43 line using the following syntax:
option 43 hex <hex string>
The hex string is assembled by concatenating the TLV values shown below:
Type + Length + Value
Type is always f1 (hex). Length is the number of controller management IP addresses times 4 in hex. Value is the IP address of the controller listed sequentially in hex.
For example, suppose that there are two controllers with management interface IP addresses, 10.126.126.2 and 10.127.127.2. The type is f1 (hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate to 0a7e7e02 and 0a7f7f02. Assembling the string then yields f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the DHCP scope is option 43 hex f1080a7e7e020a7f7f02.
14 Access Point Specifications
Table 2 lists the technical specifications for 3700 series access points.
Table 2 Access Point Specifications
Category: Specification
Dimensions (LxWxD): 8.68 x 8.68 x 1.84 in. (22.04 x 22.04 x 4.67 cm)
Weight: 1.9 lbs (0.86 kg)
Operating temperatures: AP3702E: -4 to 131 degrees F (-20 to 55 degrees C); AP3702I: 32 to 104 degrees F (0 to 40 degrees C)
Storage temperature: -22 to 185 degrees F (-30 to 85 degrees C)
Humidity: 10% to 90% (noncondensing)
Antennas: AP3702I: Integrated; AP3702E: External
Compliance: The 3700 series access point complies with UL 2043 for products installed in a building's environmental air handling spaces, such as above suspended ceilings.
Safety: UL 60950-1; CAN/CSA C22.2 No. 60950-1; IEC 60950-1 with all national deviations; EN 60950-1; UL 2043
EMI and Susceptibility: FCC Part 15.107 and 15.109 Class B; ICES-003 Class B (Canada); EN 301.489; EN 55022 Class B; EN 55024; VCCI Class B
Radio: FCC Part 15.247, 15.407; Canada RSS-210; Japan Telec 33, 66, T71; EN 330.328, EN 301.893; FCC Bulletin OET-65C; Industry Canada RSS-102
Maximum power and channel settings: For maximum power and the channels allowed in your regulatory domain, refer to Channels and Maximum Power Settings for Cisco Aironet Lightweight Access Points. This document is available on Cisco.com.
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2013 Cisco Systems, Inc. All rights reserved. Printed in the USA on recycled paper containing 10% postconsumer waste.
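The Option 43 hex string from section 13 (type f1, one length byte, then the controller management addresses) can be built, decoded and checked against an approved controller list in a few lines. The Python below is an added example, not part of the Cisco manual: the function names are hypothetical, the one-byte length limit and acceptance of dot-grouped hex are assumptions, and the audit input is constructed.

```python
"""Build, decode and audit the DHCP Option 43 TLV described in section 13."""
import ipaddress

OPTION43_TYPE = 0xF1          # type byte given in the manual (decimal 241)
VCI_3700 = "Cisco AP c3700"   # Option 60 VCI string given in the manual


def build_option43(controller_ips):
    """Return the Option 43 hex string for a list of WLC management IPv4 addresses."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    # Value: each address as 4 bytes, in the order listed.
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    # Assumption: the length field is a single byte, so at most 63 addresses fit.
    if len(value) > 0xFF:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([OPTION43_TYPE, len(value)]) + value).hex()


def parse_option43(hex_string):
    """Decode an Option 43 hex string into controller addresses; reject malformed TLVs."""
    # Assumption: tolerate dot-grouped or space-separated hex as pasted from a config.
    cleaned = hex_string.replace(".", "").replace(" ", "").lower()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {hex_string!r}") from exc
    if len(raw) < 2:
        raise ValueError("too short to hold a type and a length byte")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != OPTION43_TYPE:
        raise ValueError(f"unexpected type 0x{tlv_type:02x}, expected 0xf1")
    if length != len(value):
        raise ValueError(f"length byte says {length}, value has {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("value must hold one or more 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def audit_option43(hex_string, approved_controllers):
    """Return the addresses in the option that are not approved WLC management IPs."""
    approved = {str(ipaddress.IPv4Address(ip)) for ip in approved_controllers}
    return [ip for ip in parse_option43(hex_string) if ip not in approved]


def ios_option_lines(controller_ips, vci=VCI_3700):
    """Return the two DHCP pool lines from Steps 3 and 4 of the manual."""
    return [
        f'option 60 ascii "{vci}"',   # the quotation marks are required
        f"option 43 hex {build_option43(controller_ips)}",
    ]


if __name__ == "__main__":
    wlcs = ["10.126.126.2", "10.127.127.2"]   # the manual's two-controller example
    for line in ios_option_lines(wlcs):
        print(line)
    # Constructed audit input: the second address is not an approved controller.
    print(audit_option43("f1080a7e7e020a0000fe", wlcs))
```

Running the audit over the Option 43 value in each DHCP scope shows whether access points on that subnet would be directed to any address other than a known controller management interface.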
Regulatory Domain Unification For Cisco Wireless LAN Access Points
Table of Contents
1.1 Requirements
1.2 Scope
2 Functional Overview
2.1 Feature List (Software/Firmware)
2.1.1 Universal AP Boot Sequence Cycle
2.1.2 Domain Identification Engine
2.1.2.1 Manual Identification
2.1.2.2 Automatic Identification
2.1.3 External Interfaces (Software/Firmware)
2.1.3.1 SmartPhone Application
2.1.4 Security Considerations
2.1.4.1 Infrastructure Security
2.1.4.2 Client Security
2.2 Platform Requirements
2.2.1 Access Points
2.2.2 SmartPhone Applications
3 Glossary
4 Questionnaires from Previous Correspondence
Copyright 2013 Cisco Systems. Cisco Highly Confidential Controlled Access. A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
1.1 Requirements
The purpose of the Universal Access Point (AP) is to address worldwide regulatory compliance requirements based on geo-location of Cisco Wireless Access Points. Key elements of the requirements are:
Domain and thus channel/power plan shall be determined based on the geographical location of an AP prior to operation.
The End User shouldn't be allowed to change the Regulatory Domain and Country configuration on APs.
Any mechanism shall minimize user interaction to configure the correct regulatory domain.
The provision process shall work with all Cisco APs.
1.2 Scope
In order to meet the above requirements, the solution relies on information from trusted RF neighbors along with a smartphone based audit scheme in order to convert Universal APs into appropriate regulatory configurations post installation.
2 Functional Overview
2.1 Feature List (Software/Firmware)
2.1.1 Universal AP Boot Sequence Cycle
In order to honor compliance regulations for all countries, one of the key requirements for the Universal AP will be to initially only operate on frequencies that are allowed in all countries across the world. Currently there are no available frequencies in the 5 GHz spectrum that are valid in all countries; therefore, during the Universal AP initial startup cycle, only 2.4 GHz transmissions will be allowed. 5 GHz transmissions will not occur until the regulatory domain conversion is completed.
Image 1.1 Universal AP Boot Up Sequence Flowchart
The above flowchart shows the boot sequence of the Universal AP's bring-up cycle. When a fresh out-of-box AP gets installed at a customer site, after the boot loader initialization the host will read regulatory domain configurations from the cookie that is burned in the EEPROM of the device. For non-configured APs, both Regulatory Domain and Country Code will be set to the Universal Attribute UX. For out-of-box APs, the Domain Identification Engine (DiE) will trigger regulatory domain migration. DiE will convert a UX AP into the correct domain using two phases of identification methods explained in section 2.2.2. After successful migration, the AP will reset and come up with new regulatory domain and country configurations and operate similar to our existing pre-configured APs.
One key difference between a converted Universal AP and existing Cisco APs (Non-Universal) is that the DiE engine's Location Change Identifier (LCi) will run in the background during the Universal AP's boot up cycle. LCi will ensure the Universal AP is installed with the correct regulatory domain in case APs are physically moved after priming. If the LCi reports no location change, the AP will enable TX on 5 GHz radios. Prior to the migration into the correct SKU, only 2.4 GHz radios will be operational.
2.1.2 Domain Identification Engine
Overall SW architectural changes to migrate a Universal AP into correct regulatory configs can be categorized into 2 major functional phases.
1. Manual Identification:
Manual identification encompasses a technique using a smartphone application that migrates a Universal SKU AP into the correct regulatory domain.
2. Automatic Identification:
Automatic Identification leverages the Cisco proprietary Neighbor Discovery Protocol (NDP) to propagate regulatory domain configurations across the AP's localized RF neighborhoods.
2.1.2.1 Manual Identification
This method encompasses a Smartphone application that runs on different flavors of mobile OSs. Upon successful authentication, the smartphone will communicate with the Universal AP on a secure 2.4 GHz channel. The smartphone then will request AP configurations to differentiate a Universal SKU AP from other access points. When the associated Access Point is identified as a Universal AP, the smartphone will push regulatory configurations to the AP.
Image 1.2 Highlights configuration exchanges between Smartphone App and the Universal AP
When a user wants to prime a Universal AP, he/she must authenticate with CCO credentials. Without proper authentication, the Smartphone app will be disabled and not able to configure the AP. After successful authentication, the Smartphone will associate to the Universal AP over a secure 2.4 GHz channel as a client. Prior to the association with the AP, the smartphone app will also gather its location information from the inbuilt GPS and from cell towers that advertise country information, by extracting the Mobile Country Code (MCC) Identifier from the Public Land Mobile Network (PLMN). Once associated, the Universal AP then will send information about its AP type and Regulatory Domain and Country configurations in order to distinguish it from existing Cisco APs and to indicate whether it has been primed already. For an unprimed/out-of-box Universal AP, the smartphone will configure the AP with the correct regulatory domain derived based on the AP information and country code details via GPS and MCC ID. The Smartphone App will maintain a database that maps country configurations to regulatory domain for a specific AP model. This information will be sent to the Universal AP to migrate it into the correct Regulatory Domain and country configurations.
The Smartphone App will support the following 2 modes of operation:
1) Configure Mode: This will be the default mode of operation for the Smartphone App to configure a Universal SKU AP. Fresh out-of-box APs will get configured via the configure knob when the associated AP is configured with Universal Attributes (Reg. Domain: -UX, Country: UX).
2) Audit Mode: This special mode will handle wrongly primed Universal APs. When Universal APs are shipped via tier-2 distributors or were misconfigured due to a change in location, reg. domain configurations will be corrected via the Smartphone App in audit mode. Audit mode can overwrite reg. domain configurations of an already primed Universal AP. During the Universal AP boot up process, when LCi notifies the host about a potential change in location, such APs can only be reconfigured via the Smartphone App in audit mode.
When a Universal AP gets re-primed by the Smartphone App in audit mode, a special flag will be enabled in the NDP frame to propagate corrected regulatory domain settings to the rest of the RF neighborhood. It will speed up overall network convergence time when the majority of the APs installed in the network are misconfigured.
Image 1.3 Decision Flowchart of Smartphone App with modes of operations

The above decision flowchart explains the basic communication flow between the smartphone application and the Universal AP. Upon successful authentication with the required credentials, Smartphone will gather its location information from the GPS and Cell ID. Once the location is determined, it will associate to the Universal AP over a secure 2.4 GHz channel. After successful authentication, the smartphone app will establish communication with the AP to gather AP information and regulatory details. If the associated AP is identified as a Universal AP, the smartphone will configure regulatory settings into the AP's cookie under EEPROM to prime the correct Regulatory Domain ID and Country configurations. For misconfigured Universal APs, Smartphone App will operate in Audit mode, which can correct regulatory domain configurations when a user physically moves Universal APs into a new location or when Universal APs were primed in a different country. In such a case, the NDP Propagation Override flag will be enabled to automatically correct Reg. Domain information for the rest of the RF neighborhood with minimal user intervention.

2.1.2.2 Automatic Identification

The Automatic Identification method relies solely on Cisco's RF intelligence to propagate the new Regulatory Domain and Country configurations to the local RF neighborhood. Cisco proprietary Neighbor Discovery Protocol (NDP) frames will be leveraged to discover secure Cisco Universal APs in the network and propagate reg. domain attributes to the localized RF neighborhood. A sub mode of the Automatic Identification process will run in the background during the Universal AP's boot up cycle (under Location Change Identifier) to determine a change in the AP's location once it is primed.

The Automatic Identification method will be the default method used by Cisco Universal APs. While manual identification helps migrate Universal APs into the correct regulatory domain, the automatic method will propagate regulatory domain configuration to the localized RF neighborhood quickly and efficiently. This method is dependent on the presence of existing Cisco Universal APs in the network, therefore the user needs to prime at least one Universal AP in the network. Automatic Identification also helps to autocorrect an already primed Universal AP; this will be addressed by a special notification via NDP that can override other Universal APs' configurations. The Cisco Proprietary Neighbor Discovery Frame needs information about the AP type, Regulatory Domain and Country Configurations to efficiently propagate to the localized RF neighborhood. The new NDP message for Universal APs will be differentiated based on the versioning of the NDP frames.

Image 1.4 Automatic Identification Method Leveraging NDP For Domain Propagation

The above explains the Universal AP's communication with other Universal, existing Cisco and third party APs. The AP maintains a Geo-locator engine that is responsible for maintaining a database of the adjacent neighbors in the RF neighborhood, computing their approximate distance from the Universal AP, identifying Cisco Universal APs, and filtering out other third party or malicious rogue APs. Once the secure AP list is established, the Universal AP will process 802.11 beacons from such APs to learn regulatory configurations. The 802.11 beacon carries a country element that includes country code details. All beacons from non-secure Cisco and third party APs will be ignored. When Smartphone configures a Universal AP with regulatory configurations, an NDP propagation flag will be enabled to propagate the configuration out to the AP's localized RF neighborhood.

Special provisions are added to create a safety net when a Universal AP is installed in a location where the rest of the collocated APs are configured with the incorrect regulatory domain. This would be a rare scenario; however, in such occurrences, when the Universal AP detects a mismatch with its RF neighbors, it will shut down its transmissions on 5 GHz radios.

Image 1.5 Migrating Universal AP from Incorrect Regulatory Configurations

Additionally, such Universal APs will also provide visual feedback with flashing RED LEDs to notify the user about potential misconfigurations. The user then needs to reconfigure the Universal AP with SmartPhone (Audit mode) to validate its configurations. Any config corrections via audit mode will enable the NDP propagation override flag, which will override the rest of the Universal APs' configurations. Universal APs with propagation override will ignore domain configurations from other APs. Propagation override will automatically get disabled after 48 hours.

2.1.3 External Interfaces (Software/Firmware)

2.1.3.1 SmartPhone Application

The primary means of communication with Universal APs will be established by the Smartphone application to migrate the AP into the correct regulatory domain.

Launch Screen:
CCO Authentication:
User will be required to authenticate into Smartphone app using CCO credentials. Explicit user registration process will be required to create CCO credentials.

WiFi Connection:
If capability is available on the corresponding phone (Android only), a list of available SSIDs will be displayed.
iOS and Windows Phone 8: User will be prompted to go to the settings menu and connect to the Admin SSID for the AP.
Android: SSIDs list can be retrieved and the application can programmatically connect/disconnect to/from an SSID.
Only SSIDs configured on the 2.4 GHz radios will be listed. User should proceed to connect to the selected SSID with the specific interface available on the application or the phone's settings menu.

Home Page
Home page will display mainly configure and audit buttons. User then can move to appropriate settings to configure either an out-of-box or an already primed Universal AP.

Configure Mode:
After successful authentication, in order to configure out-of-box Universal APs, network admin will be able to configure units with a correct regulatory domain. Universal APs that are already primed with a specific domain cannot get configured with the config knob.

Note: Network admin will not have the ability to specify Reg. Domain configurations. Location determination and country/domain configurations will be made solely based on the SmartPhone App's location.

Audit Mode:
Universal APs that are already configured via either SmartPhone App config mode or NDP can be reconfigured via SmartPhone Audit mode. Audit mode is specifically designed to automatically correct misconfigured Universal APs. Audit mode can also be used to validate the prior Reg. Domain configurations. Like config mode, user will not have any ability to influence the decision of Reg. Domain and Country configurations. When associated with Universal APs, they will be able to learn the current Reg. Domain settings and autocorrect them if required.

2.1.4 Security Considerations

As part of the solution has dependencies on third party devices (SmartPhone), it is critical to ensure that all vulnerabilities are addressed. Therefore, the following security measures were added to prevent unauthorized access of the SmartPhone Application to end-user.

2.1.4.1 Infrastructure Security

Prior to SmartPhone App usage, user needs to explicitly authenticate via CCO (Cisco Connections Online) server. Any customer who has a valid purchase order from Cisco needs to have a valid CCO Account. CCO Account will be the primary way any user can communicate with Cisco TAC or provide feedback about Cisco products. While authenticating to CCO server, a user who is a customer, partner or Cisco employee can log in to the application after he/she is successfully authenticated to CCO server. SmartPhone Application will not function unless CCO authentication is successful.

Once authenticated, when the user is trying to provision a Cisco Universal AP, the SmartPhone client needs to be associated to a Wireless LAN that has universal-admin configurations enabled. Only network admins who have complete access to the WLAN Controller and Access Points can enable Universal-Admin configurations. When enabled, WLAN Controller will enforce a minimum of WPA2-AES 802.1X security configurations prior to the WLAN's operation. Therefore all communications over the WiFi channel between the Access Point and the SmartPhone client will be encrypted via a secure AES tunnel.

2.1.4.2 Client Security

In order to prevent any device centric spoofing, SmartPhone Application has various security measures added along with additional safety nets.

SmartPhone will not function unless the minimum criteria for OS compatibility are matched [Please refer to section 2.3.3 for supported OS list].

In case the device legitimacy is compromised by installation of an OS that does not have valid certificates, or when the device itself is jailbroken or rooted, SmartPhone Application will completely shut down its operation.

Additionally, Cisco Air Provision will only accept location inputs from base cell towers (via PLMN ID) and the installed GPS device. It will not accept location coordinates from any other device, simulator or third party app that can potentially send spoofed coordinates.

Once the location is determined, SmartPhone App will solely determine the correct regulatory domain and country configurations and provision the Universal AP. This would be a completely system driven decision, and no user will be able to determine or influence these configurations in any manner.
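The configure/audit rules of section 2.1.2.1 and the neighbor handling of section 2.1.2.2 (secure-neighbor filtering, mismatch fallback, 48-hour propagation override) can be modelled as follows. This is an added example, not Cisco code: the class and function names, the boolean secure-neighbor flag and the JP/US sample values are constructed, and the handling of conflicting neighbor reports is an assumption the document does not cover.

```python
from dataclasses import dataclass
from typing import List, Optional

UNPRIMED = "UX"                 # factory country value named in the document
OVERRIDE_LIFETIME = 48 * 3600   # propagation override auto-disables after 48 hours


@dataclass
class Neighbor:
    name: str
    secure_universal: bool      # result of the AP's secure-neighbor filter (assumed boolean)
    country: str                # country code learned from this neighbor
    override: bool = False      # NDP propagation override flag


@dataclass
class UniversalAP:
    country: str = UNPRIMED
    override_since: Optional[float] = None   # set by an audit-mode re-prime

    def primed(self) -> bool:
        return self.country != UNPRIMED

    def override_active(self, now: float) -> bool:
        return (self.override_since is not None
                and now - self.override_since < OVERRIDE_LIFETIME)


@dataclass
class Decision:
    state: str                  # "operate" or "default"
    country: str
    tx_5ghz: bool
    reason: str


def provision(ap: UniversalAP, mode: str, country: str, now: float) -> bool:
    """Apply a smartphone write; False when the mode may not change this AP."""
    if mode == "configure":
        if ap.primed():         # configure mode only touches out-of-box (UX) APs
            return False
        ap.country = country
        return True
    if mode == "audit":         # audit may overwrite and arms propagation override
        ap.country = country
        ap.override_since = now
        return True
    raise ValueError(f"unknown mode: {mode}")


def _default(ap: UniversalAP, reason: str) -> Decision:
    return Decision("default", ap.country, False, reason)   # 2.4 GHz only


def evaluate_scan(ap: UniversalAP, neighbors: List[Neighbor], now: float) -> Decision:
    """Decide the AP's state after a neighbor scan."""
    # Beacons from non-secure Cisco, third-party and rogue APs are ignored;
    # unprimed neighbors carry no usable country.
    trusted = [n for n in neighbors if n.secure_universal and n.country != UNPRIMED]

    if ap.override_active(now):
        return Decision("operate", ap.country, True,
                        "own override active, neighbor configurations ignored")

    overriding = {n.country for n in trusted if n.override}
    if len(overriding) == 1:
        ap.country = next(iter(overriding))
        return Decision("operate", ap.country, True,
                        "adopted override from audited neighbor")
    if len(overriding) > 1:     # assumption: the document does not cover this case
        return _default(ap, "conflicting overrides")

    seen = {n.country for n in trusted}
    if not ap.primed():
        if len(seen) == 1:
            ap.country = next(iter(seen))
            return Decision("operate", ap.country, True, "primed from neighbors")
        # none heard: smartphone priming; several heard: assumption, stay in default
        return _default(ap, "no single neighbor country, smartphone priming required")

    if seen and seen != {ap.country}:
        return _default(ap, "country mismatch with RF neighborhood")
    return Decision("operate", ap.country, True, "no anomaly detected")


if __name__ == "__main__":
    # Constructed scan: one rogue AP and one secure Universal AP primed for JP.
    ap = UniversalAP()
    scan = [Neighbor("rogue", False, "US"), Neighbor("uap-1", True, "JP")]
    print(evaluate_scan(ap, scan, now=0.0))
```

Note that the rogue AP's country never reaches the comparison: the whole scheme rests on the secure-neighbor filter, which this model reduces to a single flag.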
2.2 Platform Requirements

Universal AP will be initially supported on the following Cisco Wireless Access Point Models

2.2.1 Access Points HW Models

AIR-AP702-UXK9
AIR-AP1602-UXK9
AIR-AP2602-UXK9
AIR-AP2702-UXK9
AIR-AP3602-UXK9
AIR-AP3702-UXK9
AIR-AP1532-UXK9
AIR-AP1572-UXK9

2.2.2 SmartPhone Applications

SmartPhone Application to migrate Universal AP into the correct regulatory domain will be supported on the following versions of SmartPhone Operating Systems

Android Jelly Bean 4.0 or higher
Apple iOS 7.0 or higher
Windows Mobile OS 8.0

SmartPhone Apps will be made available to registered customers via Google Play, Windows Mobile Store and Apple Store.

3 Glossary

The following list describes acronyms and definitions for terms used throughout this document:

AP: Access Point
DiE: Domain Identification Engine
LCi: Location Change Identifier
NDP: Neighbor Discovery Protocol
PLMN: Public Land Mobile Network
MCC: Mobile Country Code

4 Questionnaires from Previous Correspondence

Discovery Mode: after any Power up/Reset, (transition step) and operating on default channels, and propagation mode disabled.

o If CC = UX (EEPROM = UX Default Universal Mode) Find successful neighbor(s) go to operate mode, or go to Audit manual mode.

Cisco Systems Inc >>[Clarification] When Universal AP is not primed (fresh out of box) it will either try to get domain information from nearby Universal APs (that are already provisioned) or if it is an initial seed AP in the network, it needs to be provisioned via SmartPhone Application (Cisco AirProvision) via secure Wi-Fi uplink

o CC=XY (EEPROM = XY (country determined)) Find successful neighbor(s) go to operate mode, or go to Audit manual mode.

Cisco Systems Inc >>[Clarification] When domain is already configured via aforesaid methods, Universal does not need to find neighbors or Smartphone application for domain updates. However, it enables active scan to learn any new updates in the local RF neighborhood prior to any successful transmissions.

Audit manual mode (operating on default channels and propagation mode disabled), enable use of smart phone.

Cisco Systems Inc >>[Clarification] There are mainly two propagation modes leveraging Cisco's Neighbor Discovery Protocol

1) Normal Propagation: After domain configurations are done via SmartPhone, such universal AP will propagate regulatory domain and country configurations to nearby APs in the local neighborhood.

2) Override Propagation: SmartPhone audit mode provides audit functionality to address misconfigured Universal Access Point. Domain is overwritten for an already primed access point, override propagation is enabled to expedite domain correction across RF neighborhood

Operate Mode (after successful discovery mode): operating on country discovered channels, propagation mode enabled and monitor for mismatch. Mismatch go to Audit manual mode

I. Questions

1. The write up indicates that at first power up the unit sets the CC = UX Default. Is this done at the factory or is there a UAP condition - never powered up.

Cisco Systems Inc >> Manufacturing does this before unit goes out for shipping

Confirm that during discover mode all transmissions are only over 2.4 default channels independent of EEPROM set to UX (default mode) or CC (country determined).

Cisco Systems Inc >> That is correct, during this phase all transmissions are only sent on 2.4GHz channel 1 to 11 with lowest power allowed across regulatory domains

2. Discovery Mode means: default transmission mode and propagation mode disabled.

Cisco Systems Inc >> Correct, no propagation will be done until unit is primed and goes through full scan cycle

3. Discovery Mode and Audit manual mode includes: default mode, propagation mode disabled and AP light blinking (or NMS) with ability to connect to a manual configuration via Cisco App in Smart phone.

Cisco Systems Inc >> Not sure if I completely understood this comment, but there can be two cases when Universal AP boots up

1) Out of Box AP: For out of box Universal AP's first boot up cycle, AP's LED will continue to cycle between RED, GREEN and OFF. During this phase, Universal AP will only allow radio operations on 2.4GHz common channels with lowest power allowed across regulatory domains in the world. Such APs can be either primed automatically via NDP or manually with SmartPhone application. We do not provide any knobs or manual configuration access to users that can either influence or change regulatory domain configurations on Universal AP.

2) Already Primed Universal AP: When already primed universal AP boots up, it will perform active scan to identify any changes into local RF neighborhood prior to its operation.
During this phase, AP LED will continue to cycle between RED, BLUE and OFF. After successful scan, it will allow transmissions on both (2.4 / 5GHz) radios. In order to avoid any anomalies Universal AP does also conduct passive scan to efficiently measure any changes in the local RF neighborhood

4. Discovery mode clarification:

a. Discovery Protocol (NDP) finds that all universal APs (or UAP) in the operating mode have the same CC set to XY (country determined), or finds just one operating mode UAP that has a CC set to XY (country determined). Then that Universal UAP sets the CC to the discovered CC (or confirms that the current EPROM CC is valid) and then will switch to the operate mode.

Cisco Systems Inc >> For non-primed Universal AP it will go through full NDP scan cycle to find all nearby APs before it provisions itself with corresponding CC. When AP is already primed during its active scan it will match neighbors' CC with its own and if there is any conflict it will go back to default mode (LEDs chirping RED)

b. No other UAP is discovered in operating mode (none may be discovered or all may be in discovery mode), then that Universal AP goes into audit manual mode (for both EEPROM Set to CC or UX). This means that a standalone AP will always go into audit mode on power up. Will end-users accept that?

Cisco Systems Inc >> Standalone AP out of box AP will go into manual mode where SmartPhone based provisioning is required in order to allow Tx operations of the radios. Once AP is already primed, it doesn't have to go through audit mode unless reg. domain anomalies are detected.

Follow Up Question:
Clarify that an Access point in Japan in a standalone environment, once the country code is set by a smart phone and then brought to the US and powered up in a stand-alone environment (no anomalies are detected), the AP will remain configured for Japan.

Cisco Systems Inc >> When AP is physically moved even within country we mandate user to configurations via factory default settings [WLC CLI or by pressing hardware reset button on the AP]. This will reset Universal AP's settings back to UX domain. Let's say, a user has deliberately chosen to ignore Cisco's mandatory requirement for config reset, such AP when moved to US controller will not be able to associate and therefore its mode of operation will be disabled [both radios down] until it gets config reset.

Further Follow Up Question:

DAVE/Vishal we are unclear what "not able to associate" means.

"Let's say, a user has deliberately chosen to ignore Cisco's mandatory requirement for config reset, such AP when moved to US controller will not be able to associate and therefore its mode of operation will be disabled [both radios down] until it gets configured."

Does this mean that a stand-alone AP after a power cycle must be reconfigured, or only if it is not associated with clients?

Cisco Systems Inc >> Let me try to clarify a few items here. Cisco primarily manufactures two modes of Access Points: Unified (Cisco Wireless LAN Controller managed) and Standalone (Autonomous). Cisco Universal SKU AP is supported on both modes of these APs. Following would be the behavior of both APs when they are physically moved from one country to another without going through Cisco's config reset requirement.

1) Unified (Controller Managed): When Unified AP is moved physically from one country (ex: Japan) to another (ex: United States), in lieu of config reset it will preserve its configurations across reboots. However, when such AP joins US Controller, such AP will be rejected (CAPWAP) by the controller and hence it won't be operational. Only way to recover such AP would be via explicit configuration reset via AP CLI or Hardware button on the device.

2) StandAlone (Autonomous): Standalone APs do not require WLAN Controller in order to operate, as long as they have valid network connection. For Standalone case, location change will be determined by NTP (Network Time Protocol). When StandAlone AP is physically moved to another country without explicit config reset, when it is plugged into US network, NTP will flag mismatch in AP's regulatory configurations. Such AP will be automatically reverted back to factory defaults (Both Radios in UX Domain) and needs to be re-provisioned via SmartPhone Application.

c. The power up AP has the EEPROM set to XY (country determined), which is a mismatch with all other operating discovered visible APs. Then that UAP is set to the country code discovered from all the others.

Cisco Systems Inc >> Good question. Correct answer is, it depends!!
Although in almost all certain cases, UAP will inherit new CC from rest of the local RF neighborhood, our design also has an additional safety net for an extremely rare case when rest of the RF neighborhood is wrong primed (extremely low probability). In such case, when a UAP is primed via SmartPhone (Audit) mode with its Domain and CC overwritten, it will enable Propagation override (via NDP) to automatically correct rest of the RF neighborhood.

d. In operating mode, what happens if a mismatch is discovered, do all UAP(s) go into discovery mode and require Audit manual mode for manual re-configuration. This would be the same situation if a power up UAP in discovery mode found a mismatch set of other APs. All UAP(s) are put into Discovery mode.

Cisco Systems Inc >> Let's say we have two sets of UAPs primed in two different regulatory domains. If we somehow bring them together to form single RF neighborhood, upon bootup yes the UAPs that discover domain mismatch will go back to discover mode. While multiple UAPs are in discover mode, user does have to prime only one UAP via SmartPhone audit mode and leveraging NDP propagation override they will automatically get newer domain configured

e. Five universal APs power up in an area where number 5 only detects AP #6 in operating mode and sets #5 to CC of #6 and #4, now sees #5 in operating mode and sets #4 CC, etc. All 5 access points work in default mode until discovery chain is completed.

Cisco Systems Inc >> They don't need to wait until all APs' discovery process is completed. For sparse deployment and when APs can only hear one other UAP (ex: linear topology), they will get primed in sequence.

f. Can all APs be in operational mode and EEPROM CC set to UX, or is UX only a Discovery mode parameter.

Cisco Systems Inc >> Even for primed Universal AP (where CC is not equal to UX) they will still conduct discovery mode.

6. Is MCC only for LTE (MCC)?

Cisco Systems Inc >> Mobile Country Code (MCC) is encompassed within PLMN-ID, a mandatory code for all cellular operators worldwide irrespective of the cellular technology (GSM / CDMA)

7. To obtain both MCC and GPS must these functions be operational or can this be a recently stored value?

Cisco Systems Inc >> Our location determination doesn't rely on A-GPS or recently stored value. They need to be retrieved at the same time during the UAP provision.

8. We need more detail on the Manual Identification Method (phone).

a. Users are notified by blinking light (Net management system) that AP is in default mode and manual identification is required.

Cisco Systems Inc >> Correct, via AP console message and cycling RED, GREEN and OFF LED sequence.

b. If all universal APs are in default mode because of a mismatch and nobody does anything, what happens after 48 Hours?

Cisco Systems Inc >> They will continue to operate in default mode until any user action is performed

c. The Security Considerations explains the authentication and security between CCO and the phone client. However, Security between the client and the AP is only through Admin privileges. How secure is the link between the client and the AP from being hacked or spoofed.

Cisco Systems Inc >> All communication between SmartPhone client and Access Points will be only available via secure http uplink. Wireless link between SmartPhone client and the UAP will be encrypted with minimum WLAN security policy of WPA2-AES/PSK. Additionally, in order to provision UAP, WLAN under which the client associated needs to have uap-admin (special configuration that network admin can enable). All client associations under WLANs that do not have uap-admin configurations will be rejected even if they pass security checks. After client goes through aforementioned security checks, it needs to authenticate to APs via admin configure username / password which will be unique per network.

Follow Up Question:
Clarify the Security of the Cisco application on the smart phone. As described in your response, the only authentication appears to be the AP's admin configure username / password. Not sure of the aforementioned security checks are:

How easy is it for a third party to provide the app or spoof the protocol?

Need clarification on CCO credentials. How does it prevent third party Spoofing?

Must Phone's APP authenticate with Cisco operations center to activate

Cisco Systems Inc >> In order to prevent SmartPhone Application vulnerability, we enforce security mechanisms from infra (network) and client side. From network side, we enforce CCO Registration, WLAN UAP-Admin Configurations and AP authentication

1) CCO Registration: Prior to SmartPhone App (Cisco AirProvision) it requires explicit authorization and registration with CCO (Cisco Connections Online) centralized server. We validate SmartPhone application user against approved CCO Policies (Employee, Authorized Partner or Customer (with valid PO#)), anyone that doesn't fall into aforementioned privileges will not be able to use AirProvision Application.

2) WLAN UAP-Admin Configurations: We also provide explicit control to network admin so that no unauthorized user can tweak Cisco Universal AP configurations. This is done via UAP-Admin configurations under WLAN settings. When enabled, such WLAN must have minimum of WPA2-AES PSK security configurations, which results in Wi-Fi link encryption between SmartPhone and the Access Point. Any user trying to access Universal AP with a WLAN that doesn't have UAP-Admin configuration will get access denied.

3) AP Authentication: Once user is able to authenticate with correct CCO privileges and authenticates via uap-admin enabled secure WLAN, needs to further authenticate to AP with AP's management username / password. Authentication is completely handled in AP, so no user should be able to sniff packets from the wired port.

Additionally, we also have client centric logic on the SmartPhone App to disallow location spoofing or prevent hacking into the phone. Cisco AirProvision includes built-in device legitimacy check via OS signature validation and disallowing Cisco AirProvision to get downloaded on jailbroken devices which will address any location spoofing or third party Apps trying to reverse engineer our secure application. Cisco AirProvision also doesn't accept any external or internal inputs from other Applications, and only relies on built in GPS and PLMN codes from the service providers for location determination. Combination of aforesaid network (infra) and client centric security mechanisms make it impossible to hack into Cisco AirProvision.

Follow Up Question:

The question is when the AP is taken out of the box what is the AP's management username/password? Is that unique to each AP or can someone spoof an application and communicate with AP on default username and password? There is no information I saw about the default username and password description. If they say that each AP that is shipped has unique default information that is downloaded in their CCO privileges, I think that is fine then there will not be an issue. Also, it means that someone buying a refurbished unit will have to go through a Cisco reset process.

Cisco Systems Inc >> At present fresh out of box Cisco APs have default username / password that is common across all radios in the network. It is not possible to regenerate unique username/password per AP, or tie it up with CCO at the manufacturing site because a customer can buy thousands of APs and same CCO ID can be used by the same customer to buy multiple orders. Therefore, for out of box AP any person who is able to get hold of the SmartPhone App and login with CCO credential will still get denied AP access with management credentials unless that AP has a WLAN which explicitly has UAP-Admin configurations enabled by the network admin. Also any client that is going to provision Universal AP needs to get authenticated with WPA2-AES PSK or 802.1x security configurations. When network admin installs Cisco APs, upon controller configurations AP's default username and password can be changed to unique (per AP or per whole network) credentials, which is a typical practice done by all of our existing customers even today in order to avoid any proprietary config exposure to un-authorized users.
Copyright 2013 Cisco Systems Page 29 of 29 Cisco Highly Confidential Controlled Access A printed copy of this document is considered uncontrolled. Refer to the online version for the controlled revision.
app | effective | frequency | equipment class | purpose |
---|---|---|---|---|
1 | 2016-02-25 | 5745 ~ 5825 | NII - Unlicensed National Information Infrastructure TX | Class III permissive change to software defined radio |
2 | 2014-07-31 | 5660 ~ 5700 | NII - Unlicensed National Information Infrastructure TX | |
3 | 2014-07-30 | 5745 ~ 5825 | DTS - Digital Transmission System | |
4 | 2013-08-15 | 5660 ~ 5700 | NII - Unlicensed National Information Infrastructure TX | Original Equipment |
5 | | 5745 ~ 5825 | DTS - Digital Transmission System | |
app s | Applicant Information | |||||
---|---|---|---|---|---|---|
1 2 3 4 5 | Effective | 2016-02-25 | ||||
1 2 3 4 5 | 2014-07-31 | |||||
1 2 3 4 5 | 2014-07-30 | |||||
1 2 3 4 5 | 2013-08-15 | |||||
1 2 3 4 5 | Applicant's complete, legal business name | Cisco Systems Inc | ||||
1 2 3 4 5 | FCC Registration Number (FRN) | 0004968939 | ||||
1 2 3 4 5 | Physical Address | 125 West Tasman Drive | ||||
1 2 3 4 5 | San Jose, California 95134-1706 | |||||
1 2 3 4 5 | United States | |||||
app s | TCB Information | |||||
1 2 3 4 5 | TCB Application Email Address | b******@baclcorp.com | ||||
1 2 3 4 5 | L******@ul.com | |||||
1 2 3 4 5 | TCB Scope | A4: UNII devices & low power transmitters using spread spectrum techniques | ||||
app s | FCC ID | |||||
1 2 3 4 5 | Grantee Code | LDK | ||||
1 2 3 4 5 | Equipment Product Code | 102087 | ||||
app s | Person at the applicant's address to receive grant or for contact | |||||
1 2 3 4 5 | Name | G****** T******** | ||||
1 2 3 4 5 | Title | Manager, Engineering | ||||
1 2 3 4 5 | Telephone Number | 408-5******** | ||||
1 2 3 4 5 | Fax Number | 408-5******** | ||||
1 2 3 4 5 | g******@cisco.com | |||||
app s | Technical Contact | |||||
1 2 3 4 5 | Firm Name | Cisco Systems, Inc. | ||||
1 2 3 4 5 | Name | J******** N******** | ||||
1 2 3 4 5 | Physical Address | 4125 Highlander Parkway | ||||
1 2 3 4 5 | Richfield, Ohio 44286 | |||||
1 2 3 4 5 | United States | |||||
1 2 3 4 5 | Telephone Number | 216-8******** | ||||
1 2 3 4 5 | j******@cisco.com | |||||
app s | Non Technical Contact | |||||
n/a | ||||||
app s | Confidentiality (long or short term) | |||||
1 2 3 4 5 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes | ||||
1 2 3 4 5 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No | ||||
if no date is supplied, the release date will be set to 45 calendar days past the date of grant. | ||||||
app s | Cognitive Radio & Software Defined Radio, Class, etc | |||||
1 2 3 4 5 | Is this application for software defined/cognitive radio authorization? | Yes | ||||
1 2 3 4 5 | Equipment Class | NII - Unlicensed National Information Infrastructure TX | ||||
1 2 3 4 5 | DTS - Digital Transmission System | |||||
1 2 3 4 5 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | Cisco Aironet 3700 Series Access Points | ||||
1 2 3 4 5 | Cisco Aironet 802.11ac Dual Band Access Points | |||||
1 2 3 4 5 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | Yes | ||||
1 2 3 4 5 | No | |||||
1 2 3 4 5 | Modular Equipment Type | Does not apply | ||||
1 2 3 4 5 | Purpose / Application is for | Class III permissive change to software defined radio | ||||
1 2 3 4 5 | Original Equipment | |||||
1 2 3 4 5 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes | ||||
1 2 3 4 5 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No | ||||
1 2 3 4 5 | Grant Comments | Class III Permissive Change described in this filing. Output power listed is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. Users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance. This device has 20 MHz, 40 MHz and 80 MHz bandwidth modes. | ||||
1 2 3 4 5 | Class III permissive change to allow the device can change preconfigured regulatory domain scheme to an automatic self-configuring scheme. Output power is conducted. This device has 20 MHz, 40 MHz and 80 MHz BW modes. Operation in 5.15-5.25 GHz band is for indoor use only. Outdoor operation is subject to the professional installation instruction requirements as described in the Users Manual. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. Users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance. | |||||
1 2 3 4 5 | Class III permissive change to allow an automatic, self-configuring, regulatory domain scheme. Output power is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. Users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance. | |||||
1 2 3 4 5 | Output power is conducted. This device has 20 MHz, 40 MHz and 80 MHz BW modes. Operation in 5.15-5.25 GHz band is for indoor use only. Outdoor operation is subject to the professional installation instruction requirements as described in the Users Manual. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. Users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance. | |||||
1 2 3 4 5 | Output power is conducted. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter. Users and installers must be provided with antenna installation instructions and transmitter operating conditions for satisfying RF exposure compliance. | |||||
1 2 3 4 5 | Is there an equipment authorization waiver associated with this application? | No | ||||
1 2 3 4 5 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No | ||||
app s | Test Firm Name and Contact Information | |||||
1 2 3 4 5 | Firm Name | Cisco Systems, Inc. | ||||
1 2 3 4 5 | UL Verification Services Inc. (formerly UL CCS) | |||||
1 2 3 4 5 | Name | G****** T******** | ||||
1 2 3 4 5 | M******** M****** | |||||
1 2 3 4 5 | Telephone Number | 408-5******** | ||||
1 2 3 4 5 | 919 5******** | |||||
1 2 3 4 5 | Fax Number | 40852******** | ||||
1 2 3 4 5 | 000-0******** | |||||
1 2 3 4 5 | g******@cisco.com | |||||
1 2 3 4 5 | m******@ul.com | |||||
Equipment Specifications
App | Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number |
---|---|---|---|---|---|---|---|---|---|
1 | 1 | 15E | 38 CC MO | 5180 | 5240 | 0.145 | | | |
1 | 2 | 15E | 38 CC MO ND | 5260 | 5320 | 0.125 | | | |
1 | 3 | 15E | 38 CC MO ND | 5500 | 5720 | 0.151 | | | |
1 | 4 | 15E | 38 CC MO | 5745 | 5825 | 0.166 | | | |
2 | 1 | 15E | CC | 5180 | 5240 | 0.0478 | | | |
2 | 2 | 15E | CC | 5260 | 5320 | 0.125 | | | |
2 | 3 | 15E | CC | 5500 | 5580 | 0.112 | | | |
2 | 4 | 15E | CC | 5660 | 5700 | 0.109 | | | |
3 | 1 | 15C | CC | 2412 | 2462 | 0.13 | | | |
3 | 2 | 15C | CC | 5745 | 5825 | 0.194 | | | |
4 | 1 | 15E | | 5180 | 5240 | 0.0478 | | | |
4 | 2 | 15E | | 5260 | 5320 | 0.125 | | | |
4 | 3 | 15E | | 5500 | 5580 | 0.112 | | | |
4 | 4 | 15E | | 5660 | 5700 | 0.109 | | | |
5 | 1 | 15C | | 2412 | 2462 | 0.13 | | | |
5 | 2 | 15C | | 5745 | 5825 | 0.194 | | | |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details