NIST SPECIAL PUBLICATION 1800-1C


Securing Wireless Infusion Pumps

In Healthcare Delivery Organizations


Volume C:

How-To Guides


DRAFT


Gavin O’Brien

National Cybersecurity Center of Excellence

Information Technology Laboratory


Sallie Edwards

Kevin Littlefield

Neil McNab

Sue Wang

Kangmin Zheng

The MITRE Corporation

McLean, VA



May 2017



image70


DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-8C Natl. Inst. Stand. Technol. Spec. Publ. 1800-8C, 256 pages, (May 2017), CODEN: NSPUE2

FEEDBACK

You can improve this guide by contributing feedback. As you review and adopt this solution for your own organization, we ask you and your colleagues to share your experience and advice with us.

Comments on this publication may be submitted to: hit_nccoe@nist.gov.

Public comment period: May 8, 2017 through July 7, 2017

All comments are subject to release under the Freedom of Information Act (FOIA).

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mailstop 2002
Gaithersburg, MD 20899

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries or broad, cross-sector technology challenges. Working with technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://nccoe.nist.gov. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. But today’s medical devices connect to a variety of health care systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes, however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump’s function.

The NCCoE at NIST analyzed risk factors in and around the infusion pump ecosystem using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits.

This practice guide will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps.

KEYWORDS

authentication; authorization; digital certificates; encryption; infusion pumps; Internet of Things; IoT; medical devices; network zoning; pump servers; questionnaire-based risk assessment; segmentation; VPN; Wi-Fi; wireless medical devices

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name Organization
Arnab Ray Baxter Healthcare Corporation
Pavel Slavin Baxter Healthcare Corporation
Phillip Fisk Baxter Healthcare Corporation
Raymond Kan Baxter Healthcare Corporation
Tom Kowalczyk B. Braun Medical Inc.
David Suarez Becton, Dickinson and Company (BD)
Robert Canfield Becton, Dickinson and Company (BD)
Rob Suarez Becton, Dickinson and Company (BD)
Robert Skelton Becton, Dickinson and Company (BD)
Rich Curtiss Clearwater Compliance
Peter Romness Cisco
Kevin McFadden Cisco
Darin Andrew DigiCert
Kris Singh DigiCert
Mike Nelson DigiCert
Chaitanya Srinivasamurthy Hospira Inc., a Pfizer Company (ICU Medical)
Joseph Sener Hospira Inc., a Pfizer Company (ICU Medical)
Chris Edwards Intercede
Won Jun Intercede
Dale Nordenberg MDISS
Jay Stevens MDISS
Carlos Aguayo Gonzalez PFP Cybersecurity
Thurston Brooks PFP Cybersecurity
Colin Bowers Ramparts
Bill Hagestad Smiths Medical
Axel Wirth Symantec Corporation
Bryan Jacobs Symantec Corporation
Bill Johnson TDi Technologies, Inc.
Barbara De Pompa Reimers The MITRE Corporation
Sarah Kinling The MITRE Corporation
Marilyn Kupetz The MITRE Corporation
David Weitzel The MITRE Corporation
Mary Yang The MITRE Corporation

The technology vendors who participated in this build submitted their capabilities in response to a notice in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator Build Involvement
Baxter Healthcare Corporation
  • Sigma Spectrum LVP, version 8
  • Sigma Spectrum Wireless Battery Module, version 8
  • Sigma Spectrum Master Drug Library, version 8
  • CareEverywhere Gateway Server, version 14
B. Braun Medical Inc.
  • Infusomat® Space Infusion System/ Large Volume Pumps
  • DoseTrac® Infusion Management Software/ Infusion Pump Software
Becton, Dickinson and Company (BD)
  • Alaris® 8015 PC Unit Unit v9.19.2
  • Alaris® Syringe Module 8110
  • Alaris® LVP Module 8100
  • Alaris® Systems Manager v4.2
  • Alaris® System Maintenance (ASM) v 10.19
Cisco
  • Access Point (AIR-CAP1602I-A-K9)
  • Wireless LAN Controller 8.2.111.0
  • Cisco ISE
  • Cisco: ASA

Catalyst 3650 Switch

Clearwater Compliance Clearwater: IRM | Pro
DigiCert CertCentral management account / Certificate Authority
Hospira Inc., a Pfizer Company (ICU Medical)
  • Plum 360™ Infusion System, version 15.10
  • LifeCare PCA™ Infusion System, version 7.02
  • Hospira MedNet™, version 6.2
Intercede MyID
MDISS MDRAP
PFP Cybersecurity Device Monitor
Ramparts Risk Assessment
Smiths Medical
  • Medfusion® 3500 V5 syringe infusion system
  • PharmGuard® Toolbox v1.5
  • Medfusion 4000® Wireless Syringe Infusion Pump
  • CD, PHARMGUARD® TOOLBOX 2, V3.0 use with Medfusion® 4000 and 3500 V6 (US)
  • PharmGuard® Server Licenses, PharmGuard® Server Enterprise Edition, V1.1
  • CADD®-Solis Ambulatory Infusion Pump
  • CADD™-Solis Medication Safety Software
Symantec Corporation
  • Endpoint Protection (SEP)
  • Advanced Threat Protection: Network (ATP:N)
  • Server Advanced - DataCenter Security (DCS:SA):
TDi Technologies, Inc. ConsoleWorks

List of Figures

Figure 1‑1: Logical Architecture Summary

Figure 2‑1: Importing Server Certificate

Figure 2‑2: Data Center Security: Server Advanced Environment 3

Figure 2‑3: IRM|Analysis™ Login Page

Figure 2‑4: Asset List

Figure 2‑5: New Asset

Figure 2‑6: Media/Asset Groups

Figure 2‑7: Edit Media/Asset Group

Figure 2‑8: Controls - Global/Media

Figure 2‑9: Risk Questionnaire List

Figure 2‑10: Risk Questionnaire Form (part 1)

Figure 2‑11: Risk Questionnaire Form (part 2)

Figure 2‑12: Risk Response List - Risk Registry

Figure 2‑13: Risk Treat and Evaluate Form

Figure 2‑14: Dashboard Example

Figure 2‑15: Report Example

Figure 2‑16: MDRAP Login Page

Figure 2‑17: MDRAP Welcome page

Figure 2‑18: Device Inventory List

Figure 2‑19: Add Device

Figure 2‑20: Edit Device

Figure 2‑21: Inventory Bulk Import

Figure 2‑22: Device inventory Template Sample

Figure 2‑23: Create Assessment (part 1)

Figure 2‑24: Create Assessment (part 2)

Figure 2‑25: Assessment Step (example 1)

Figure 2‑26: Assessment Step (example 2)

Figure 2‑27: Assessment Result (dashboard example) 3

Figure 2‑28: Assessment Result (report example)

List of Tables

Table 2‑1: Infusion Pump List

Table 2‑2: Summary of Infusion Pump Configuration Methods

Table 2‑3: Pump Servers used in this Example Implementation

1. Introduction

The following guidelines show IT professionals and security engineers how the NCCoE implemented this example solution. We discuss every product that we employed in this reference design. We do not, however, recreate the product manufacturers’ documentation, which is widely available. Rather, these guidelines show how we integrated the products in our environment on your behalf.

Note: These guidelines are not comprehensive tutorials. Many possible service and security configurations for these products exist but are out of scope for this reference design.

1.1. Practice Guide Structure

This NIST Cybersecurity Practice Guide demonstrates a standards-based reference design and gives users the information they need to replicate all or parts of the example implementation that we built in our lab. This reference design is modular and can be deployed in whole or in part.

This guide contains three volumes:

  • NIST SP 1800-8A: Executive Summary
  • NIST SP 1800-8B: Approach, Architecture, and Security Characteristics – what we built and why
  • NIST SP 1800-8C: How-To Guides – instructions for building the example solution (you are here)

Depending on your role in your organization, you might use this guide in different ways:

Business decision makers, including chief security and technology officers will be interested in the Executive Summary (NIST SP 1800-8A), which describes the:

  • challenges enterprises face in securing the wireless infusion pump ecosystem
  • example solution built at the NCCoE
  • benefits of adopting the example solution

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-8B, which describes what we did and why. The following sections will be of particular interest:

  • Section 4, Risk Assessment and Mitigation, describes the risk analysis we performed
  • Section 4.3, Security Characteristics and Control Mapping, maps the security characteristics of this example solution to cybersecurity standards and best practices

You might share the Executive Summary, NIST SP 1800-8A, with your leadership team members to help them understand the importance of adopting standards-based, commercially available technologies that can help secure the wireless infusion pump ecosystem.

IT professionals who want to implement an approach like this will find the entire practice guide useful. You can use the How-To portion of the guide, NIST SP 1800-8C, to replicate all or parts of the build created in our lab. The How-To guide provides specific product installation, configuration, and integration instructions for implementing the example solution. We do not recreate the product manufacturers’ documentation, which is generally widely available. Rather, we show how we incorporated the products in our environment to create an example solution.

This guide assumes that IT professionals have experience implementing security products within their enterprise. Although we have used a suite of commercial products to address this challenge, this guide does not endorse these products. Your organization can adopt this solution or one that adheres to these guidelines in part or in whole. Your organization’s security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. We hope you will seek products that are congruent with applicable standards and best practices. Section 4.4, Technologies, lists the products we used and maps them to the cybersecurity controls provided by this reference solution.

A NIST Cybersecurity Practice Guide does not describe the solution, but rather a possible solution. This is a draft guide. We seek feedback on its contents and welcome your input. Comments, suggestions, and success stories will improve subsequent versions of this guide. Please contribute your thoughts to hit_nccoe@nist.gov.

1.2. Typographical Conventions

The following table presents typographic conventions used in this volume.

Typeface/Symbol Meaning Example
Italics

filenames and pathnames

references to documents that are not hyperlinks, new terms, and placeholders

For detailed definitions of terms, see the NCCoE Glossary.
Bold names of menus, options, command buttons and fields Choose File > Edit.
Monospace
command-line input, on-screen computer output, sample code examples, status codes
mkdir
Monospace Bold
command-line user input contrasted with computer output
service sshd start
blue text link to other parts of the document, a web URL, or an email address All publications from NIST’s National Cybersecurity Center of Excellence are available at https://nccoe.nist.gov.

1.3. How-to Overview

Refer to NIST SP 1800-8B: Approach, Architecture, and Security Characteristics for an explanation of why we used each technology.

1.4. Logical Architecture Summary

Below depicts a reference network architecture that performs groupings that would translate to network segments or zones. The rationale behind segmentation and zoning is to limit trust between areas of the network. In considering a hospital infrastructure, NCCoE identified devices and usage, and grouped them by usage. The grouping facilitated the identification of network zones. Once zones are defined, infrastructure components may be configured such that those zones do not inherently have network access to other zones within the hospital network infrastructure. Segmenting the network in this fashion limits the overall attack surface posed to the infusion pump environment, and considers the network infrastructure configuration as part of an overall defense in depth strategy. (Figure 1-1) is included from the architecture for your reference.

Figure 1-1: Logical Architecture Summary

../_images/fig1-1.png

2. Product Installation Guides

This section of the practice guide contains detailed instructions for installing and configuring the products that NCCoE used to build an instance of the example solution.

2.1. The Core Network

The NCCoE’s example architecture implements a core network zone which is used to establish the backbone network infrastructure. The external firewall/router also has an interface connected to the core enterprise network, just like other firewall/router devices in the other zones. This zone serves as the backbone of the enterprise network and consists only of routers connected by switches. The routers automatically share internal route information with each other via authenticated Open Shortest Path First (OSPF) [1] to mitigate configuration errors as zones are added or removed.

Several functional segments may be part of this core network:

  • guest network
  • business office (example only)
  • database server (example only)
  • enterprise services
  • clinical services (example only)
  • biomedical engineering
  • medical devices with wireless LAN
  • remote access for external vendor support.

The NCCoE build uses Cisco Adaptive Security Appliances (ASA) as virtual router and firewall devices within the network. Each defined zone in the hospital network we built has its own ASA, with two interfaces to protect the zone. As we considered how many ASAs to use, we opted for a tradeoff between the complexity of the configuration and the number of interfaces on a single ASA.

2.1.1. Cisco ASA Baseline Configuration

In our environment, all ASAs are virtualized and are based on Cisco’s Adaptive Security Virtual Appliance (ASAv) product. In your environment, the responsible person would complete installation by following Cisco’s Adaptive Security Virtual Appliance (ASAv) Quick Start Guide, 9.6 [2].

We imported the virtual appliance called asav-vi.ovf, assigning the first interface to the management network, the second to the wide area network (WAN), and the third to the local area network (LAN). For an unknown reason, the ‘show version’ command did not work in the console; as a workaround, we configured secure shell (SSH) [3] access and ran the command via SSH instead.

Then we configured the ASA with a baseline configuration template that allows all outbound traffic, but only related traffic inbound as allowed by the stateful firewall. Internet Control Message Protocol (ICMP) [4] enables troubleshooting with ping and traceroute tools. Authenticated OSPF automates routing tables as we added or removed ASAs in the network. In your production environment, you may wish to make different decisions in your baseline configuration. All ASAs have an additional management interface on 192.168.29.0/24. We opted to configure Simple Network Management Protocol (SNMP) [5] and SSH for management use on this interface, but not on the other interfaces. See Section A.1 for the ASA configuration for this zone.

2.1.2. External Firewall and Guest Network

We configured the build network to use network address translation (NAT) at the external firewall. This is the only point in the network where NAT is used. The upstream provider uses 10.0.0.0/8 addresses on the WAN interface. We also defined a LAN interface on 192.168.100.0/24 as the core network where other ASAs connect. Another interface is defined as GUEST on 192.168.170.0/24. We assigned the GUEST and LAN interfaces equal security levels higher than those for the WAN interface. When ASAs interfaces are configured with equal security levels, by default they cannot communicate with each other, but they will both have WAN access. Dynamic Host Configuration Protocol (DHCP) [6] is enabled on the GUEST interface for addressing.

See Section A.2 for the ASA configuration for this zone.

2.1.3. Enterprise Services

We defined a LAN interface on 192.168.120.0/24 as the LAN for all enterprise services. Ports are open for domain name system (DNS) from the Biomedical Engineering network to the DNS servers. Port 8114 is open for all hosts to the Symantec Endpoint Protection server. Several ports are open for any host to the Symantec Data Center Security server.

See Section A.3 for the ASA configuration for this zone.

2.1.4. Biomedical Engineering Network

This zone contains a dedicated wireless network to support the wireless infusion pumps. We defined a LAN interface on 192.168.140.0/24 for all biomedical equipment, including infusion pump servers. Each manufacturer has a custom set of ports opened to their server. These ports are only accessible from the medical device network.

Generally, the firewall is configured in this way:

All pump servers -> internet/intranet (all destinations)

All intranet -> all pump servers Ping and Traceroute (primarily for debugging)

All pumps -> Smiths Medical Pump Server on port 1588

All pumps -> Carefusion Pump Server on port 3613

All pumps -> Baxter Pump Server on port 51244

All pumps -> Hospira Pump server on ports 443, 8443, 8100,9292,11443, 11444

All pumps -> B. Braun Pump server on ports 443, 80, 8080, 1500, 4080

See Section A.4 for the ASA configuration for this zone.

2.1.5. Medical Devices

We defined a LAN interface on 192.168.150.0/24 as the LAN for all medical devices. The infusion pump systems are designed such that all external connections to the pumps, such as an EHR system or vendor maintenance, is completed with the associated pump server on the Biomedical Engineering network. This enables us to disallow all outbound traffic not destined for the Biomedical Engineering network. In addition, because some pump servers initiate connections to open ports on the pumps, we added vendor-specific rules to allow this. A DNS server is not useful in this case, but, if you needed one, we recommend that the ASA act as a forwarder. The DHCP server on the ASA is enabled for LAN addressing. In our lab, we discovered that at least one brand of infusion pump would not recognize network setup as complete unless at least one DNS server address was set. In this case, the DNS server address only needed to be included in the configuration; a DNS server did not actually need to be present at that address.

Generally, the firewall is configured in this way:

All pumps -> all pumps servers

All intranet -> all pumps Ping and Traceroute (primarily for debugging)

Hospira Pump Server -> All pumps ports 8100, 9292, 443, 8443

Baxter Pump Server-> All pumps port 51243

B. Braun Pump Server -> All pumps ports 80, 443, 8080, 1500

See Section A.5 for the ASA configuration for this zone.

2.1.6. Cisco Catalyst Switch Configuration

The Catalyst 3650 switch is configured with four virtual LANs (VLANs) [7]. One port is assigned to a management VLAN, with subnet 192.168.20.0/24. Wireless access points are connected to a Wi-Fi management VLAN, which also is trunked back to the virtual WLAN controller software. Additionally, the Biomedical and Device networks have some physical ports configured for testing, both of which are also trunked back to the virtualization hardware and ASAs. DHCP is enabled for the wireless access points. SNMP and SSH are enabled for management. The switch also supports Power over Ethernet (PoE), allowing for a single Ethernet cable, with both data and power for the APs.

To set up your organization’s configuration, follow the instructions in Cisco’s Catalyst 3650 Switch Getting Started Guide: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/hardware/quick/guide/cat3650_gsg.html.

See Section A.6 for the switch configuration.

2.1.7. Cisco Enterprise Wi-Fi Infrastructure

The Wi-Fi management network is different in that it does not have a firewall/router that connects directly to the core network. A completely closed network, this is used for management and communication between the Cisco Aironet wireless access points (AP) and the Cisco Wireless LAN Controller (WLC). The WLC is the central point where wireless service set identifiers (SSID), virtual LANs (VLAN), and Wi-Fi-protected access version 2 (WPA2) [8] security settings are managed for the entire enterprise. We defined two SSIDS: IP_Dev and IP_Dev_Cert. IP_Dev uses WPA2-PSK and IP_Dev_Cert uses WPA2-Enterprise protocols.

2.1.7.1. Installation

In our environment, the Cisco WLC is virtualized. In your environment, the responsible person would complete installation by following Cisco’s Virtual Wireless LAN Controller Deployment Guide 8.2: http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-2/b_Virtual_Wireless_LAN_Controller_Deployment_Guide_8-2.html

We imported the virtual appliance called AIR_CTVM_K9_8_2_111_0.ova, assigning the first interface to the management network, referred to as service-port in the web interface. The second interface is used as a trunk port, with VLAN tags for all user and Wi-Fi management traffic. In the web interface, the built-in management interface refers to the wireless system control traffic network that the APs are connected to.

The primary management mechanism for the WLC is the web interface. To configure an IP address for the web interface, we first needed to use the console and complete the setup wizard that sets the service-port address. What follows is our process, which your organization can adapt to your needs.

2.1.7.2. Controller Configuration

Configure Network Interfaces:

  1. Configure the interface for AP management traffic at Controller -> Interfaces -> Management.

image1

  1. Configure interfaces for user Wi-Fi traffic, by first mapping the interface to an Ethernet port and setting the VLAN and IP address, and then mapping to wireless SSIDs.

Create the new interface at Controller -> Interfaces -> New.

image2

Configure the new interface by using the form below. Refer to the completed interface for the values that we used in the lab.

image3

Our completed Interfaces list looks like the following:

image4

Configure NTP [9] at Controller -> NTP -> Server -> New:

image5

To configure the DHCP server, disable the DHCP Proxy at Controller -> Advanced -> DHCP.

image6

2.1.7.3. Wireless AP Connection and Setup

Connect the APs to the Ethernet ports configured for untagged VLAN 1520. They will obtain their addresses and the WLC address automatically via DHCP from the switch (see Cisco Catalyst Switch Configuration in Section 2.1.6). No other VLANs should to be configured for the APs because we are using a centralized switching model where Wi-Fi traffic VLANs are connected to the Enterprise network through the WLC.

As each AP is connected, it should show up in the Wireless tab on the WLC. For each AP, the AP Mode needs to be set to FlexConnect (see below).

image7

2.1.7.4. Authentication Configuration

To use certificate-based authentication, the WLC must consult a RADIUS server. Configure Cisco ISE RADIUS server IP Address and Shared Secret at Security -> RADIUS -> Authentication -> New.

image8

2.1.7.5. WLANs Configuration

At this point, we configured two SSIDs for medical devices: IP_Dev is configured for WPA2 (AES [10]) PSK, and IP_Dev_Cert is configured for WPA2 (AES) Enterprise. They both use the same interface and therefore connect to the same network VLAN; the only difference is the Wi-Fi security.

To create a new SSID, follow these steps:

  1. Use the WLAN tab.

image9

  1. Enter your new SSID information.

image10

  1. In WLANs > WLANs -> WLANs, select the WLAN ID number of the newly created SSID. Set Status to Enabled and Interface/Interface Group(G) to ip_dev.

image11

  1. On the Security tab under Authentication Key Management, uncheck 802.1X, check PSK, and set the PSK field.

image12

image13

  1. For the SSID IP_Dev_Cert, repeat the steps above, but do not change the Security Settings for Authentication Key Management; leave 802.1X checked, and leave PSK unchecked.
  2. On the Security, AAA Servers tab, select the RADIUS server to authenticate with.

image14

2.1.7.6. Monitoring

By using Monitor -> Clients, you will find the list of currently connected clients, which SSID they are connected to, and the User Name used to authenticate (Common Name from Certificate).

image15image16

2.1.7.7. Final Configuration

See Section A.7 for the WLC configuration, accessing details about additional configuration options at Cisco Wireless Controller Configuration Guide, Release 8.0, http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80.html.

2.1.8. TDi ConsoleWorks External Remote Access

The NCCoE lab implemented a VendorNet using TDi ConsoleWorks, which is a browser interface that enables healthcare organizations to manage, monitor, and record activities from external vendors in the IT infrastructure.

System Environment:

The NCCoE lab set up a fully updated (as of 4/20/2016) CentOS 7 Operating System, with the following hardware specifications:

  • 8GB RAM
  • 40 GB HDD
  • 1 Network Interface

Other requirements:

  • ConsoleWorks install media (we built from a CD)
  • ConsoleWorksSSL-<version>.rpm
  • ConsoleWorks_gui_gateway-<version>.rpm
  • ConsoleWorks license keys (TDI_Licenses.tar.gz)
  • Software installation command
  • yum install uuid libbpng12 libvncserver

Installation:

As Root:

  1. Place ConsoleWorks Media into the system
  2. mount /dev/sr0 /mnt/cdrom
  3. mkdir /tmp/consoleworks
  4. cp /mnt/cdrom/consolew.rpm /tmp/consoleworks/consolew.rpm
  5. rpm -ivh /tmp/consoleworks/ConsoleWorksSSL-<version>.rpm
  6. mkdir /tmp/consoleworkskeys/
  7. Copy ConsoleWorks keys to /tmp/consoleworkskeys/
  8. cd /tmp/consoleworkskeys/
  9. tar xzf TDI_Licenses.tar.gz
  10. cp /tmp/consoleworkskeys* /etc/TDI_licenses/
  11. /opt/ConsoleWorks/bin/cw\_add\_invo
  12. Accept the License Terms.
  13. Press Enter to continue.
  14. Name the instance of ConsoleWorks.
  15. Press Enter to accept default port (5176).
  16. Press N to deny SYSLOG listening.
  17. Press Enter to accept parameters entered.
  18. Press Enter to return to /opt/ConsoleWorks/bin/cw_add_invo.
  19. rpm -ivh /tmp/consoleworks/ConsoleWorks_gui_gateway-version>.rpm
  20. /opt/gui\_gateway/install\_local.sh
  21. /opt/ConsoleWorks/bin/cw\_start <invocation name created early>
  22. service gui\_gatewayd start

Usage:

  1. Open a browser and navigate to https://<ConsoleWorksIP>:5176.
  2. Log in with Username: console_manager, Password: Setup.
  3. Change the default password.
  4. Choose Register Now.

NCCoE chose ConsoleWorks to segregate and limit vendor access to our labs. Our data model groups consoles and graphical connections together into a tag. The tag is a collection of equipment that you need to connect to, although a vendor typically owns the equipment. This tag allows us to operate on a group of consoles and graphical connections. We group users from the same vendor into a profile that allows us to operate on the users. An Access Control Rule associates a profile with a tag and defines permissions for a particular component type (typically consoles or graphical connections).

Initial Configuration of Graphical Gateway

Use the menu in the sidebar to access all instructions below.

Configure Graphical Gateway (only required for graphical connections such as virtual network computing, VNC; and remote desktop protocol, RDP):

  1. Click on Graphical->Gateways->Add.
  2. Set a name: LOCAL, then set Host as Localhost and port as 5172.
  3. Check the Enabled box and click Save.
  4. Verify that it works by clicking Test in the top-left corner.

image17

Create one tag for each vendor company:

  1. Click on Security->Tags->Add.
  2. Set Name, usually the company name.
  3. Click Save.

image18

Create one profile for each vendor company.

  1. Click on Users->Profiles->Add.
  2. Set Name, usually the company name.
  3. Click Save.

image19

Establish graphical access controls. (Repeat this section for each vendor company.)

  1. Click on Security->Access Control->Add.

  2. Set Name to Vendor_Company_Graphical.

  3. Check Enabled.

  4. Set Order.

  5. Set Allow.

  6. Set Component Type to Graphical Connection.

  7. Look under Profile Selection; you should see:

    • Property Profile Equals *Vendor Company Profile Name* <join>.
    • Vendor company profile should appear in the box on right.

image20

  1. Look under Resource Selection; you should see:

    • Associated with a Tag that
    • Property Tag Equals *Vendor Company Tag name* <join>.

image21

  1. Matching Graphical Consoles should then appear in the box on right. Under Privileges, check:

    • Aware
    • View
    • Connect

image22

Console Access Controls (repeat this section for each vendor company):

  1. Security->Access Control->Add

  2. Set Name to Vendor_Company_Console.

  3. Check Enabled.

  4. Set Order.

  5. Set Allow.

  6. Set Component Type to Console.

  7. Look at Profile Selection. You should see:

    • Property Profile Equals *Vendor Company Profile Name* <join>.
    • Vendor company Profile should appear in the box on right.

image23

  1. Look under Resource Selection; you should see:

    • Associated with a Tag that
    • Property Tag Equals *Vendor Company Tag name* <join>

image24

  1. Matching consoles should appear in the box on right. Under Privileges, check:

    • Aware
    • View
    • Connect

image25

Users:

Users->Add:

  1. Set Name.
  2. Set Password and retype password to confirm.
  3. Fill in contact information.
  4. Set Profile to the one defined for this user’s company.
  5. Click Save.

image26

RDP Graphical Connections

Follow these steps to add a RDP graphical connection:

  1. Graphical->Add

  2. Set Name for the device you are connecting to.

  3. Set Type to RDP.

  4. Set Hostname/IP for the device you are connecting to.

  5. Set Authentication:

    • Username
    • Password
    • Domain (optional).
  6. Add Graphical Gateway named Local.

  7. Add Tags for all vendor companies that should have access.

  8. Click Save.

image27

SSH Console Connections

Follow these steps to add a SSH console connection:

  1. Consoles->Add

  2. Set Name for the device you are connecting to.

  3. Set the Connector to SSH Session with Password Connection Details.

  4. Set the Host IP for the device you are connecting to by doing the following:

    1. Set Port to 22.
    2. Set Username.
    3. Set Password.
    4. Retype the password.
  5. Add tags for all vendor companies that should have access.

  6. Click Save.

image28

2.2. Infusion Pump and Pump Server

2.2.1. Infusion Pumps

Vendors collaborating with the NCCoE in this use case donated the following pump products.

Table 2‑1: Infusion Pump List

Vendor Name Product Name Product Type Description
B Braun SpaceStation Station for hosting individual pump Provides centralized power and network connection for pumps stacked on the station
  Infusomat® Space large volume infusion pump Wireless infusion pump Designed for acute-care facilities for adults and children
  Perfusor® Space Syringe Pump Syringe infusion pump Can be stacked in SpaceStation and uses SpaceStation for network communication
Baxter Baxter Sigma Spectrum Wireless infusion pump Provides large-volume infusion capability for patients.
BD Alaris PC 8015 Infusion pump core system Provides a common user interface for programming infusion, network connection, and monitoring modules. The Alaris® 8015 PC Unit is the core of the Alaris® System and provides a common user interface for programming infusion and monitoring modules.
  Alaris Syringe 8110 Syringe infusion pump Provides syringe infusion capability for patients and it works with Alaris PC unit.
  Alaris Pump 8100 Large-volume infusion pump Provides large-volume infusion capability for patients and it works with Alaris PC unit.
Hospira Plum 360 Infusion system Builds on the air management and secondary delivery features of Plum A+, while expanding its drug library and wireless capability to enable streamlined electronic medical record integration
  Hospira PCA PCA syringe infusion system Complements Infusion pump to manage pain
Smiths Medical MediFusion 4000 Syringe infusion pump Delivers medication to patients in critical care units
  CADD Solis 2000 Ambulatory infusion pump Delivers medication to patients in hospital, home care, and alternative care facilities
2.2.1.1. Infusion Pump Setup

In our example solution, we generalized the infusion pump vendors’ products and systems as infusion pump devices, infusion pump servers, and infusion pump ecosystems. Our first goal was to connect each vendor’s infusion pump(s) to their corresponding pump server for performing the basic operational events, such as registering the devices to the server; pushing/installing the new drug library to the pumps; pushing/updating the new version of software to the pumps, and keeping the log of the pump usage.

Each pump vendor has a basic setup that includes configuring the pump to connect to the network and the pump server wirelessly. We used WPA2 security with Advanced Encryption Standard (AES) for encryption. In the case of WPA2-PSK mode, we assigned all infusion pumps the same access password for wireless network authentication. In the case of WPA2-Enterprise/EAP-TLS [11], we configured the pumps to use an individual certificate issued by DigiCert for wireless network authentication, using Cisco ISE, the enterprise authentication server.

Because each pump vendor has its own way of connecting, configuring, and setting up its pumps, we describe high-level steps in a generic way. The following table summarizes these key configuration steps. See Appendix B for the sample configuration files.

Table 2‑2: Summary of Infusion Pump Configuration Methods

Vendors Infusion Pump Model Configuration Tool Connection Methods
Baxter Sigma Spectrum

Uses a PC with an IrDA interface to program multiple pumps with the same configuration

Edits the network configuration file (a simple text file) on a PC and send it via the IrDA to a pump

Uses the IrDA Serial Infrared

Link to a PC under the IrDA Serial Infrared Link Management Protocol v1.1

B Braun Space Station Connects PC with HiBaSeD Service program to the Space Station using a B Braun interface cable for pump configuration setting Uses special B Braun interface cable
  Infusomat® Space large volume infusion pump Connects PC with HiBaSeD Service program to the Space Station using a BBraun interface cable for pump configuration setting Uses special B Braun interface cable
  Perfusor® Space Syringe Pump Connects PC with HiBaSeD Service program to the Space Station using a B Braun interface cable for pump configuration setting Uses special B Braun interface cable
BD The Alaris® 8015 PC Uses management system to do the configuration. The Alaris® 8015 PC Unit is the core of the Alaris® System and provides a common user interface for programming infusion and monitoring modules. Uses series cable to connect pump to a local computer.
Hospira Hospira PCA Accesses Web Config utility on Pump through a web browser using the Local IP address of the pump

Uses pump’s Ethernet Jack to connect to a LAN or to interface

with host computer

  Plum 360 Accesses Web Config utility on Pump through a web browser using the Local IP address of the pump

Uses pump’s Ethernet Jack to connect to a LAN or to interface

with host computer

Smiths Medical MediFusion 4000 Pushes configuration text file to pump using the Telnet from a PC connected to the pump with the known IP address Connects a PC to pump using micro USB-USB cable
  CADD Solis 2000 Uses Smiths Medical Network Configuration Utility to update the pump’s configuration parameters Connects a PC to pump using micro USB-USB cable
2.2.1.2. Infusion Pump Configuration

Pre-Conditions:

  • You have set up wireless AP with pre-share password SSID
  • You have installed and configured infusion pump servers
  • You have made available the infusion pump configuration and setup manual available

Post-Conditions:

  • You have connected the infusion pumps to AP
  • You have estimated the pump server to discover the pumps to the corresponding pump server

NCCoE followed the pump vendors’ instructions to access to the pump in maintenance/biomedical model. We configured the pump as follows:

  • For wireless properties

    • Enable wireless
    • Use DHCP
    • Set SSID (IP_Dev or IP_Dev_Cert)
  • For wireless security properties

    • Set Security Mode (WPA2-PSK or WPA2-Ent)
    • Set Encryption Protocol to AES/CCMP
    • Enter PSK password or install a PKI certificate
  • For pump server properties

    • Set Server IP/port
    • Set Device Name or ID
    • Set Device Type
  • To verify connectivity for each infusion pump and the corresponding pump server:

  • Connect pumps to AP (IP_Dev with PSK or IP_Dev_Cert with EAP-TLS)

  • Confirm that pump receives an IP address from the DHCP server from the AP

  • Confirm that the pump server can discover the pumps and display the pump status such connected, in use, or offline.

2.2.1.3. Infusion Pump Hardening

Hardening may include the following:

  • disabling unused or unnecessary communication ports and services
  • changing manufacture default administrative passwords
  • securing the remote access points if there are any
  • confirming the firmware version is up-to-date.

2.2.2. Infusion Pumps Server Systems

Table 2‑3: Pump Servers used in this Example Implementation

Vendor Name Product Name Operating Platform Description
B Braun DoseTrac® Infusion Management Microsoft Windows Drug library and infusion management system that provides real-time, infusion data reporting and analysis to add safety, efficiency and value
Baxter Care Everywhere Infusion Pump Management System Microsoft Windows Provides interface capability to help hospital biomedical engineering department manage their infusion pump fleet effectively. Drug Library publishing module helps hospital pharmacy distribute and enforce medication safety rules effectively.
BD Alaris Systems Manager Compatible with VMWare ESX and VMWare vSphere environment Virtual server platform that provides two-way wireless communication with Alaris PC units
Hospira Hospira MetNet Server Microsoft Windows Manages drug libraries, firmware updates, and configurations of intravenous pumps
Smiths Medical PharmGuard Server Microsoft Windows Manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps for Smiths Medical Pumps

NCCoE installed the pump servers in the network in the VLAN 1400. To do so, we prepared a virtual machine in the VMWare with the operating system and network as specified in the vendor installation manual. Because one or more database is associated with the infusion pump server for storing the data, installation and configuration of the database is part of the pump server installation procedure. After the installation, we implemented basic configuration: the user account setup, reporting template configuration, security hardening, license installation, pump metadata installation.

We have not included the pump server setup because the vendor performs this activity.

2.3. Identity Services

2.3.1. Cisco Identity Service Engine (ISE)

The Cisco Identity Services Engine (ISE) enables your organization to:

  • Centralize and unify identity and access policy management
  • Have visibility and more assured device identification during certificate challenges
  • Use business rules to segment access to sections of the network
  • Make the user experience seamless during the challenge process, even with more assured and stronger authentication

System requirements

  • Virtual Hypervisor (VH) capable of housing virtual machines (VMs)
  • VM with CPU: Single Quad-core; 2.0 GHz or faster
  • VM with minimum 4 GB memory
  • VM with minimum 200 GB disk space

NCCoE installed the Cisco ISE 2.1 on a virtual machine using the OVA image provided by Cisco.

For your organization, follow the guidance from your VM vendor to import the OVA and start the install process. Once the system boots up, follow the console display to select one of the installation options. The configuration parameter selected for this use case is shown below:

! hostname

ise

!ip domain-name

nccoe.lab

! ipv6

enable

!interface

GigabitEthernet 0 ip address 192.168.29.159 255.255.255.0 ipv6 address
autoconfig ipv6 enable

! interface

GigabitEthernet 1 ip address 192.168.120.159 255.255.255.0 ipv6 address
autoconfig ipv6 enable

!interface

GigabitEthernet 2 shutdown ipv6 address autoconfig ipv6 enable

! interface

GigabitEthernet 3 shutdown ipv6 address autoconfig ipv6 enable

! ip name-server

8.8.8.8 8.8.4.4

! ip default-gateway

192.168.120.1

!

! clock timezone

EST

! ntp server

time.nist.gov

! username admin password hash

$5$jNPleEb4$YxDZH6oDF2Y4.02OqE/jBWxXFumRvtpe8JdNNZm1yj0 role admin

! max-ssh-sessions

5

! service sshd

enable

! password-policy

lower-case-required

upper-case-required

digit-required

no-username

no-previous-password

password-expiration-enabled

password-expiration-days 45

password-expiration-warning 30

min-password-length 4

password-lock-enabled

password-lock-timeout 15

password-lock-retry-count 3

! logging loglevel

6

! conn-limit 10

port 9060

! cdp timer

60 cdp holdtime 180 cdp run GigabitEthernet 0

! icmp echo

on

!
2.3.1.1. Configure ISE to Support EAP-TLS Authentication

Execute your management of the Cisco ISE with a web browser unless you intend to administer via command line. Using a web browser and the Cisco ISE host address, log on to the Cisco ISE Administration Portal. You will use the credentials (username and password) you created during the installation procedure.

2.3.1.2. Set ISE to Support RADIUS Authentication

Use the following steps to set up a communication connection from Cisco ISE to the network device (Access Point) you use as the authentication server during RADIUS [12] authentication:

  1. Add a Network Recourse

From the ISE Admin Portal, navigate to the path: Administration > Network Resources > Network Devices. Then select Add. Fill out the required parameters as indicated in the form:

  • The name of the network device
  • The IP Address of the device with its subnet mask.
  1. Select the RADIUS protocol as the selected protocol, and enter the shared secret that is configured on the network device.
  2. Populate the system certificate with CA-signed certificates. We replaced the Cisco ISE default self-signed certificate with the CA-signed certificate issued through DigiCert Certificate Authority. The steps for acquiring the signing certificate from DigiCert are described in the next Section 2.3.2, DigiCert Certificate Authority.
  3. Once the CA-signed certificate for ISE and the Root CA are issued, use the following steps to install the certificates to the System.
  4. From the ISE Administration Portal, use the navigation path Administration > System > Certificates > System Certificate to show the installed certificates. Then select Import to open a screen for importing Server certificate. Fill in the required information as shown in the following screen shot.

Figure 2-1: Importing Server Certificate

../_images/fig2-1.png
  1. Check the EAP Authentication to enable the imported certificate to be used for EAP Authentication. Then click the Submit button to complete the certificate importing.

  2. Import the DigiCert Root CA and signing CA to ISE Trusted Certificates. From the ISE Administration Portal, use the navigation path Administration > System > Certificates > Trusted Certificate to show the installed certificates. Then select Import to open a screen for importing DigiCert Root CA and the signing CA individually.

    1. After importing, make sure the certificate status is Enabled.
    2. Establish the OCSP [13] client profile from the OCSP Client Profile page under the Administration > System > Certificates > OCSP Client Profile.
    3. If OCSP (Online Certificate Status Protocol) is used for Certificate Status Validation, check Validate against OCSP Service and enter the OCSP service name.
  3. Set Identity Source for Client Certificate Authentication. When using the trusted certificate for EAP-TLS certificate-based authentication validation, set up the Certificate Authentication Profile in the ISE as the external identity source. Instead of authenticating via the traditional username and password, Cisco ISE compares the client certificate received from the Access Point to verify the authenticity of a device, in this case, the infusion pump.

    To create a Certificate Authentication Profile:

    • Use the Administration Portal to navigate to the path Administration > Identity Management > External Identity Sources > Certificate Authentication Profile and click Add.
    • Name the profile as, for example, “Cert_Auth_Profile”, then fill out the form with proper parameters. Be sure to select Subject Name as the Principal Username X509 attribute because it is the field that will be used to validate the authenticity of the client.
    • Select the Identity Resource Sequences tab, in the Certificate Based Authentication, check Select Certificate Authentication Profile and choose the Cert_Auth_Profile from the dropdown list.
  4. Set Authentication Protocols. Cisco ISE uses authentication protocols to communicate with external identity sources. Cisco ISE supports many authentication protocols such as the Password Authentication Protocol (PAP), Protected Extensible Authentication Protocol (PEAP), and the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For this build, we used the EAP-TLS protocol for user and machine authentication. To specify the allowed protocols services in Cisco ISE:

    • From the Administration Portal navigate to the path Policy >Policy Elements > Results >Authentication > Allowed Protocols > Add
    • Select the preferred protocol or list of protocols. In this build, the EAP_TLS is selected as the allowed authentication protocol.
  5. Set up Authentication Policy. Define the authentication policy by

selecting the protocols that ISE should use to communicate with the network devices, and the identity sources that it should use for authentication. To specify the authentication policy:

  • From the Administration Portal navigate to the path Policy >Authentication Policy > Type > Rule Based.
  • Set “if Protocol is Wireless 802.1x, use the Network Device as defined in Step 1 and the Identity Sequences as defined in Step 8.

2.3.2. DigiCert Certificate Authority

DigiCert is a cloud-based platform designed to provide a full line of SSL Certificates, tools, and platforms for optimal certificate life cycle management. After you set up an account with DigiCert, you can use a DigiCert dashboard and its built-in certificate management tools to issue PKI certificates for network authentication and encryption for data-at-rest or in-transition if needed.

The follow instruction describes the process we used to request a PKI certificate on behalf a wireless infusion pump using the DigiCert PKI services:

2.3.2.1. Create a Certificate Signing Request (CSR)

A CSR can be represented as a Base64 encoded PKCS#10 binary format. Many tools and utilities are available to help to generate a CSR, and the key pair containing the private key and public key is generated in the same time. The CSR identifies the applicant’s distinguished name, which must be digitally signed using the applicant’s private key and the information for the public key chosen for the applicant. In this build, Certificate Utility for Windows (DigiCertUtil.exe) provided by DigiCert is used to generate CSRs for infusion pumps.

Download and save the DigiCertUtil.exe from <https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm>

  1. Double-click DigiCertUtil.exe to start the utility:

image30

  1. Click the Create CSR link to open a CSR request window.

image31

  1. On the Create CSR window, fill in the key information (some is optional):

    • Certificate Type: Select SSL

    • Common Name: Enter the entity name

    • Organization: Enter your company’s legally registered name

    • City: Enter the city where your company is legally located

    • State: Select the state where your company is legally located

    • Country: Select the country where your company is legally located

    • Key Size: In the drop-down list, select 2048

    • Provider: Select Microsoft RSA SChannel Cryptographic Provider (unless you have a
      specific cryptographic provider)
  2. Click Generate to generate a CSR:

image32

This will also generate a corresponding private key in the Windows computer from which the CSR is requested. The Certificate Enrollment Request is stored under: (Console Root\Certificates(Local Computer)\Certificate Enrollment Requests\Certificates).

2.3.2.2. Issue Signed Certificates
  1. With a created applicant CSR, request a signed certificate using DigiCert CertCentral portal.

    • Login to a DigiCert Dashboard <https://www.digicert.com/account/login.php> with your account user name and password.
    • Once in the portal, go to Request a Certificate, then select Private SSL to open a certificate request form. Fill in the certificate settings in the fields shown in the form which includes pasting the CSR information to the area called Paste your CSR.
  2. After filling in all the required information and scroll down to the bottom of the page and click on the “I agree to the Certificate Services Agreement above” check box, click the Submit Certificate Request button at the bottom of the form to submit the certificate for signing approval. The administrator of the CA authority will use the same portal with different privilege to prove the request after reviewing and verifying the submitted request information if needed.

  3. To download the signed certificate, go to CERTIFICATES->Orders to list the ordered signed certificates:

image33

  1. Click a specific order number to display the certificate details with a list of actions for you to perform. Click the Download Certificate As to download certificates with signed CA and Root CA certificates. A variety of certificate formats can be downloaded, such as .crt, .p7b, or .PEM, etc.
  2. Save the downloaded certificate in a location where it can be used for further processing if needed.
2.3.2.3. Import and Export the Signed Certificate

Using the DigiCert Utility and OpenSSL tool, you can further manipulate the certificates to combine with the private key and export the signed certificate, or you can convert certificates or keys to the formats specified for your organization’s devices.

  1. To import a signed certificate, use DigiCert Utility to click the
Import button to load a downloaded file to the utility. The download file was saved in Step 9 above. Click the Next button to import.
  1. From the DigiCert Certificate utility for Windows, click SSL to
list all the imported files.

image34

  1. To export the certificate, select the certificate that you want to
export as a combined certificate file and key file in a .pfx file or separated as a certificate file and key file, and then click Export Certificate.

image35

  1. Click the Next button and follow the wizard instruction to save the
certificate file and private key file to a location you desire.

image36

2.3.2.4. Certificate and Key File Format Conversion

PKI certificates and key files can be in different formats. When PKI certificates are used in medical devices, device manufacturer user guides specify which formats are acceptable in their devices. Fortunately, many tools can perform format conversion. One utility tool that NCCoE used is the OpenSSL for Windows. It is open source and can be downloaded from https://www.openssl.org/community/binaries.html. Here are some of the useful convert commands:

  • To convert .crt to .pem:

    • openssl x509 -in mycert.crt -outform PEM -out mycert.pem.
  • To convert a private key into PEM format:

    • openssl rsa -in yourdomain.key -outform PEM -out yourdomain_pem.key.
  • Separate a pfx file into two different .key/.crt files:

    • For a key file: openssl pkcs12 -in yourfile.pfx -nocerts -out keyfile-encrypted.key.
    • For cert file: openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt].
  • To convert a Cert PEM file to DER:

    • openssl x509 -outform der -inform DEM -in certificate.pem -out certificate.der.
  • To convert a key PEM file to DER:

    • openssl rsa -inform DEM -in infile.key -out outfile.der -outform DER.

2.4. Symantec Endpoint Protection and Intrusion Detection

NCCoE protected the pump server application in the notional Biomedical Engineering network by using three Symantec cybersecurity products on an enterprise network, with a specific focus on wireless infusion pumps:

  • Symantec Data Center Security- Server Advanced
  • Symantec Endpoint Protection Manager Server
  • Symantec Advanced Threat Protection Server.

Each product protects components in the enterprise systems at different levels.

2.4.1. Symantec Data Center Security: Server Advanced

For data center security, Server Advanced provides a policy-based approach to endpoint security and compliance. It includes the management server, the agents, the unified management console, the database, and DCS Security Virtual Appliance (SVA). The agent components working with the server management provide intrusion prevention and detection on endpoint devices; the database is used for storing the policies, agent information, and real time actionable events; and the SVA provides agentless anti-malware protection for VMWare guest VMs running Windows.

The management server and the console can be installed on one system, and the agents are generally deployed to every supported host or endpoint devices. (Figure 2-2) displays the Data Center Security: Server Advanced Environment.

Figure 2-2: Data Center Security: Server Advanced Environment

../_images/fig2-2.png
2.4.1.1. Installing Data Center Security: Server Advanced Manager

Minimum Hardware Requirement: Server Advanced includes hardware support x86, EM64T, and AMD64 with 60 GB free disk space (all platforms) 8 GB RAM 4 CPUs.

Minimum Software Requirement: Windows Installer 2.0 or higher, Microsoft SQL Server 2008, .NET Framework 4.0 or 4.5.1, PowerShell 2.0, and Windows 2008 or later.

Operating the Symantec Data Center Security: Server Advanced installation requires to link to an instance of SQL Server locally or remotely. All installations allocate approximately 60 GB of space for the database on SQL Server Enterprise edition. We first installed a new instance of SQL Server that conforms to the Symantec installation requirements. The SQL Server was installed on the same machine as that for the Data Center Security: Server Advanced Manager.

Follow these steps to install the SQL Server software.

  1. Use SCSP as the default instance name
  2. Set authentication configuration to Mixed Mode (Windows authentication and SQL Server authentication)
  3. Set the “sa” with a password when you set Mixed Mode authentication. You will need this password when you install Data Center.
  4. After installing the instance of SQL Server, select to authenticate using SQL Server credentials.
  5. Register the instance. Registering the instance also starts the instance.

Follow these steps to install Data Center Security: Server Advanced:

  1. Double click server.exe, then in the Welcome panel, click Next and accept the license agreement
  2. In the Installation Type panel, click Evaluation Installation, then click Use an Existing MSSQL Instance, and then click Next.
  3. Follow the instructions and select the parameters suitable for your organization to complete the installation.

See Symantec™ Data Center Security: Server, Monitoring Edition, and Server Advanced 6.7 MP1 Planning and Deployment Guide for further details: https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9394/en_US/DCSSA_Planning_Deployment_Guide.pdf?__gda__=1494398285_572b0ff349979359e0cc9342b337f3bb

2.4.1.2. Configuration of Data Center Security: Server Advanced Manager

After you install the Management Server, the Server Configuration Wizard lets you configure various parameters of the installation.

One purpose of these configuration settings is to use the policy-based least privilege access control provided by DCS to lock down the configuration settings, files, and file systems in the pump for restricting application and operating system behavior and protecting the files and systems from tampering.

To enable a policy in DCS Management Server, follow these steps:

  1. Login to the DCS console.
  2. Create a policy folder.
  3. In the Java console, click Policies.
  4. Under the Policies tab, click Prevention or Detection.
  5. On the Policies page, in the Workspace Folders, select the Workspace folder and then right-click Add Folder. Look for a new policy folder with the name New Folder. Rename this folder as Pump Server.
  6. Copy an existing policy to the Pump Server folder.
  7. From the default Symantec folder, find a proper policy example and copy it to the Pump Server.
  8. Using the Move To command. In the Workspace pane, select a policy (e.g., “windows-baseline-detection” policy in Symantec folder for Detection), and then right-click Move To. In the MoveFolder dialog box, select Pump Server to receive the policy, and then click MoveTo.
  9. To edit a policy, right-click a policy, and then click Edit Policy. Configure the setting based on your security protection needs.

DCS Advanced Server provides a variety of configurable protection from application data protection, application protection to network protection. For example, the Windows prevention policies have a Protected Whitelisting strategy that lets you specify an application to which you always want to allow access or give permission to run. When you whitelist a process or an application, all the other processes and applications that are not included in the list are denied access.

To allow a program to run by using the Protected Whitelisting strategy, follow these steps:

  1. In the management console, click the Policies tab and then click Prevention.
  2. In the Policies workspace, click Add.
  3. In the Select a Prevention Policy Builder wizard, in the New Policy Builder section, click Launch.
  4. In the Policy Name panel, from the Policy Pack drop-down list, select the policy pack that you want to use as the baseline for the new custom policy.
  5. In the Name text box, enter a name for the policy that you create. In this build, we use “Windows Prevention Policy 6.0 Reference 31 Protected Whitelisting strategy.”
  6. Check Create a custom prevention policy, and then click Next.
  7. In the Protection Strategy panel, use the slider to select Protected Whitelisting.
  8. In the Trusted Updaters panel, click Add, and then in the Select Type dialog box, select the type of updater that you want to add. The Trusted Updaters list is populated through the agent data retriever. You can edit or delete an updater that you have already added to the list.
  9. Click Next.
  10. In the Application Rules panel, click Add, and then in the Select Type dialog box, select the type of rules that you want to add. You can edit or delete a rule that you have already added to the list.
  11. In the Global Policy Options panel, click Configure to configure the global policy settings, and then click Next.
  12. In the Summary panel, click Save.
2.4.1.3. Installing Data Center Security: Server Advanced Agent

Use agent.exe to install the agent software on computers that run supported Windows operating systems. To install the Windows agent software, follow these steps:

  1. On the installation package, double-click agent.exe.
  2. In the Welcome panel, click Next.
  3. In the License Agreement panel, select I accept the terms in the license agreement, and then click Next.
  4. In the Destination Folder panel, change the folders if necessary, and then click Next.
  5. In the Agent Configuration panel, accept or change the default settings, and then click Next. Ensure that Enable Intrusion Prevention is checked.
  6. In the Management Server Configuration panel, in the Primary Management Server box, type the fully qualified host name or IP address of the primary server that is used to manage this agent. If you changed the Agent Port setting during management server installation, in the Agent Port box, type a port number that matches.
  7. (Optional) In the Management Server Configuration panel, in the Alternate Management Servers box, type the fully qualified host name or IP address of the alternate servers that are used for failover for this agent. Type the servers in a comma-separated list.
  8. In the Management Server Configuration panel, accept the directory for the SSL certificate Agent-cert.ssl, or click Browse to browse to and locate Agent-cert.ssl. Access to a copy of the SSL certificate Agent-cert.ssl is required to connect to the management server. All primary and alternate management servers must use the same certificate.
  9. In the Management Server Configuration panel, click Next.
  10. (Optional) In the Agent Group Configuration panel, in the group boxes, type the group names that you created with the Java console. You may add multiple detection policy group names separated with commas. You may include the name of an existing detection policy domain in the group path/name.
  11. In the Agent Group Configuration panel, click Next.
  12. In the Service User Configuration panel, accept the default Local System account, and then click Next.
  13. In the Ready to Install the Program panel, confirm the installation parameters, and then click Install.
  14. When the installation completes, click Finish.

Agent installation configures the appropriate networking for the environment. The agent installation configuration includes which Data Center Security: Server Advanced Management Servers to communicate with, which ports to use, and how often to poll for changes. The initial Data Center Security: Server Advanced installation also determines whether key product features are enabled or not. Particular key agent features can be installed, and each provides different protection:

  • Enabling the intrusion prevention feature
  • Enabling the real-time file integrity monitoring feature in intrusion detection
  • Enabling the real-time file integrity monitoring feature in intrusion detection
  • Creating agent registration groups.

See the Symantec Data Center Security: Server, Monitoring Edition, and Server Advanced 6.7 MP1 Planning and Deployment Guide for details; http://help.symantec.com/cs/DCS6.7/DCS6_7/v118490468_ v110163010/Installing-Data-Center-Security:-Server-Advanced-6.7-or-6.7-MP1/?locale=EN_US.

2.4.2. Symantec Endpoint Protection Manager

Minimum Hardware Requirement: 2 GB RAM as minimum; 8 GB or more available recommended. Hard drive should be 40 GB as minimum (200 GB recommended) for the management server and database with a remote SQL Server database.

Minimum Software Requirement: Windows Installer 2.0 or higher, Microsoft SQL Server 2008, .NET Framework 4.0 or 4.5.1, PowerShell 2.0, and Windows 2008 Server or later. Intel Pentium Dual-Core or equivalent minimum, 8-core or greater is recommended.

The Symantec Endpoint Protection Manager includes an embedded database. You may instead choose to use a database from one of the following versions of Microsoft SQL Server: SQL Server 2008, SP4 up to SQL Server 2016.

2.4.2.1. Installing Symantec Endpoint Manager
  1. Download the product, extract the entire installation file to a physical disk, such as a hard disk. Run Setup.exe. The installation should start automatically.
  2. Follow the screen instruction and accept the license agreement.
  3. Continue the installation until it is finished. After the initial installation completes, configure the server and database.
  4. Click Next. The Management Server Configuration Wizard starts.
  5. Select Default Configuration, and then click Next.
  6. Enter company name, a password for the default administrator admin, and an email address.
  7. If you run LiveUpdate as part of a new installation, content is more readily available for the clients you deploy.
  8. If you want Symantec to receive anonymous data, click Next to begin the database creation.
  9. When the database creation completes, click Finish to complete the Symantec Endpoint Protection Manager configuration.
2.4.2.2. Installing the Client

After installing Symantec Endpoint Protection Manager, install the Symantec Endpoint Protection client to the endpoint host with the Client Deployment Wizard. Of the several installation methods, we recommend using the Save package. This installation option creates an executable installation package that you save on the management server and then distribute to the client computers. Follow these steps:

  1. Make your configuration selections as you install the Symantec Endpoint Protection Manager and then create the client installation packages.
  2. Save the installation package to a folder on the computer that runs Symantec Endpoint Protection Manager.
  3. Copy this package to a client machine where you have an administrator privilege.
  4. The installation package comprises one setup.exe file. Click the executable file to start the installation. Follow the wizards to complete the installation.

2.4.3. Symantec Advanced Threat Protection: Advanced Threat Protection: Network

With Advanced Threat Protection: Network (ATP:N) installed on the network, it can provide Network-based protection of medical device subnets via monitor internal inbound and outbound internet traffic. We integrate Symantec Advanced Threat Protection (ATP) with Symantec Endpoint Protection, it will allow ATP to monitor and manage all network traffic from the endpoints and provide threat assessment for dangerous activity to secure the medical devices on an enterprise network.

Minimum Hardware Requirement: 32 GB RAM; 4 CPUs. Hard drive should be at least 500 GB.

Minimum Software Requirement: ESXi 5.5 and 6.0, ATP virtual appliance includes an Integrated Dell Remote Access Controller (iDRAC). The iDRAC console requires the latest version of the Java Runtime Environment (JRE) installed on the administrative client.

2.4.3.1. ATP-N Installation

The installation of the ATP-N involves the deployment of the OVA template on the VMware ESXi Server. A sample installation steps are shown below:

  1. Deploy the OVA. During the Deploying procedure, the Deploy OVA Template wizard prompts you to map the Source Network adapters, which are built into the APT OVA with Destination Networks that you already configured on your network.
  2. In VMware vSphere Client, start the newly-created virtual appliance.
  3. Open a console to the appliance and logon with the user name admin and the proper password to start the bootstrap.
  4. From a computer that is on the same subnet as the appliance management port, use a browser to connect to the APT Manager using the ATP IP address. The user name is setup and the password is Symantec.
2.4.3.2. Integrating APT with Symantec Endpoint Protection

To integrate the Symantec Advanced Threat Protection (ATP) with Symantec Endpoint Protection allows us to Correlation of event data from Symantec Endpoint Protection Manager to ATP. To do the integration, follow these steps:

  1. On Symantec Endpoint Protection Manager, prepare the database for log collection to allow ATP to access the database using DB administrator (sa) credentials.
  2. Enable Symantec Endpoint Protection Correlation option by checking in the Settings > Global > Synapse area of ATP Manager.
  3. In ATP Manager, configure the connection to Symantec Endpoint Protection Manager instances.
  4. In Symantec Endpoint Protection Manager, configure host integrity and quarantine firewall policies, if not already enabled.
  5. In Symantec Endpoint Protection Manager, configure endpoints to send information to the ATP management node.
  6. In ATP Manager, add SSL certificates for secure communication between endpoints and ATP, if needed.

More detail about integrating ATP and Symantec Endpoint Protection can be found from the following reference: http://help.symantec.com/cs/ATP_2.2/ATP/v102658999_v117970559/About-integrating-ATP-with-Symantec-Endpoint-Protection?locale=EN_US.

2.5. Risk Assessment Tools

2.5.1. Clearwater IRM|Analysis™ Software

We used Clearwater IRM|Analysis™ Software-as-a-Service (SaaS) application, a control-based risk tool for conducting a risk assessment with a focus on the Healthcare Delivery Organization (HDO) enterprise. In our environment, we built the enterprise network to simulate a typical HDO environment. Clearwater Compliance created an account for NCCoE under their cloud based tool, IRM|Analysis™. The software is based on the construct of an “Information Asset” which creates, maintains, receives or transmits electronically Protected Health Information (ePHI.) This can be a software application, information system, medical device system, etc.

This section does not show you how to conduct a risk assessment. Instead, we present some basic steps for using the IRM|Analysis™ tool to conduct the risk assessment:

  1. Login to IRM|Analysis™.
  2. Import Inventory of Information Assets or enter the data through the Asset Inventory Form.
  3. Establish conformance with the NIST-based Security Controls.
  4. Determine the Risk Rating predicated on a 5x5 matrix of likelihood x impact.
  5. Identify those risks that are exceed the established “risk threshold.”
  6. Document “Risk Response” and associated tasks necessary to mitigate, transfer, avoid or accept the risk in the IRM|Analysis™ software.
  7. Leverage Dashboard and Reporting functionality to provide documentation and evidence of a credible and bona fide risk analysis.
2.5.1.1. Login to IRM|Analysis™
  1. From a browser, type https://software.clearwatercompliance.com/login.
  2. On the Login page (see Figure 2‑3), enter the appropriate email and password.
  3. Click on Sign In.

Figure 2-3: IRM|Analysis™ Login Page

../_images/fig2-3.png
2.5.1.2. Enter Asset Inventory

We used the New Asset page to add the assets to the system and the Edit Asset page to update the record. After all assets are entered, an analysis is conducted to determine if media (i.e., devices) associated with different assets can be grouped together based on a similar risk profile. For instance: all servers are virtual machines using the same Storage Area Network and identical Operating Systems. If you have 10 assets that have server selected and they are all the same, they can be grouped and evaluated as one. The Media/Asset Group is the logic group for organizing media into classes to reduce the number of identical security control assessments.

To add a new asset:

  1. On the IRM|Analysis™ tool, expand Assets on the left menu bar.
  2. Under Assets, click on Asset Inventory List.
  3. On the Asset Inventory List page (see Figure 2‑4), click on the New button.
  4. On the New Asset form (see Figure 2‑5), enter the required information and click on the Save button.

Figure 2-4: Asset Inventory List

../_images/fig2-4.png

Figure 2-5: New Asset

../_images/fig2-5.png

To update an asset:

  1. On the IRM|Analysis™ tool, expand Assets on the left menu bar.
  2. Under Assets, click on Asset Inventory List.
  3. On the Asset Inventory List page (see Figure 2‑4), select the asset you want to edit, then click on the Edit button.
  4. On the Edit Media/Asset Groups page (see Figure 2‑7), enter the necessary information and click on the Save button.

To view and manage media/asset groups:

  1. On the IRM|Analysis™ tool, expend Assets on the left menu bar.
  2. Under Assets, click on Media/Asset Groups.
  3. On the Media/Asset Groups (see Figure 2‑6), scroll up and down to view the groups and select a group by clicking on the Edit button.
  4. On the Edit Media/Asset Groups page (see Figure 2‑7), enter the necessary information and click on the Save button.

Figure 2-6: Media/Asset Groups

../_images/fig2-6.png

Figure 2-7: Edit Media/Asset Group

../_images/fig2-7.png
2.5.1.3. Risk Determination

The IRM|Analysis™ tool uses different methods to determine risk. In this section, we show two ways to use the tool: Controls – Global/Media screen to document the status of a control; and the Risk Questionnaire List to select a given Media/Asset group.

To use the Risk Determination at Global/Media level:

  1. On the IRM|Analysis™ tool, expand Risk Determination on the left menu bar.
  2. Under Risk Determination, click on Controls – Global/Media.
  3. On the Controls – Global/Media page (see Figure 2‑8), scroll up and down to view the controls. For each control, select one of the responses (i.e., Yes, In Progress, No, and N/A) to indicate the response status.

Figure 2-8: Controls - Global/Media

../_images/fig2-8.png

To use the Risk Determination at the Asset/Media group level:

  1. On the IRM|Analysis™ tool, expand Risk Determination on the left menu bar.
  2. Under Risk Determination, click on Risk Questionnaire List.
  3. On the Risk Questionnaire List page (see Figure 2‑9), scroll up and down to view the media/asset groups.
  4. For each relevant media/asset group, select the Risk Analyst, fill in the Due Date and click on the Continue button to get in the Risk Questionnaire Form (see Figure 2‑10 – part 1 and Figure2‑11 – part 2).
  5. For each control, select one of the responses (i.e., Yes, In Progress, No, and N/A) to indicate the response status (example shown in part 1), if it was already noted on the Controls Global/Media page.
  6. Controls can be set globally or for individual Media/Asset Groups. The plus sign will expand the control to reveal the Media/Asset Groups so the control can be set individually. To illustrate, a global control can be set for Training for the Security Workforce but an individual control would be set for each of the Media/Asset groups associated with the User Activity Review since only a subset of assets may undergo a User Activity Review.
  7. Then determine and select the Risk Likelihood and Risk Impact for the selected risk scenario (example shown in part 2) to populate the Risk Rating.
  8. You may select the question mark for more information on the control and the NIST symbol for a quick reference to NIST SP800-53.

Figure 2-9: Risk Questionnaire List

../_images/fig2-9.png

Figure 2-10: Risk Questionnaire Form (part 1)

../_images/fig2-10.png

Figure 2-11: Risk Questionnaire Form (part 2)

../_images/fig2-11.png
2.5.1.4. Risk Response

The IRM|Analysis™ tool enables users to try different methods of reviewing risk scenarios, acquiring a risk rating, and seeing progress in a risk response workflow. The basics of using the tool follow.

Consider following these risk response steps:

  1. In the IRM|Analysis™ tool, expand Risk Response in the left menu bar.
  2. Under Risk Response, click on Risk Response List.
  3. Only those risks which exceed the risk threshold established under Framing/Governance in the left menu bar will move to the Risk Response portion of the software.
  4. On the Risk Response List page (see Figure 2‑12), scroll up and down to view the Medial/Asset Groups along with the associated threat source, vulnerability, and risk rating.
  5. For each relevant risk response, click on the button under the Treatment column to enter the Risk Treat and Evaluate Form page of that risk (see Figure 2‑13).
  6. On the Risk Treat and Evaluate Form page, perform the risk response analysis by selecting the risk treatment type; evaluate the control or recommendation; select risk owner; put risk notes, and so on.

Figure 2-12: Risk Response List - Risk Registry

../_images/fig2-12.png

Figure 2-13: Risk Treat and Evaluate Form

../_images/fig2-13.png
2.5.1.5. Dashboard and Report

The IRM|Analysis™ tool enables users to review their risk analyses with a dashboard or report format. To access the dashboard views, follow these steps:

  1. On the IRM|Analysis™ tool, expand Dashboard on the left menu bar
  2. Under Dashboard, click on Rating Distribution by Asset
  3. Example Dashboard: Rating Distribution by Asset page (see Figure 2‑14 below)

You can also view other types of dashboards, such as Risk Rating Trends and Risk Rating Averages.

Figure 2-14: Dashboard Example

../_images/fig2-14.png

For report views, follow these steps:

  1. On the IRM|Analysis™ tool, expand Reports on the left menu bar
  2. Under Reports, click on Risk Rating Report
  3. Example Report: Risk Rating Report page is showing (see Figure 2‑15 below)

You can also view other types of dashboards, such as Risk Rating Trends and Risk Rating Averages.

Figure 2-15: Report Example

../_images/fig2-15.png

2.5.2. MDISS MDRAP

We used MDISS’s cloud-based Medical Device Risk Assessment Platform (MDRAP), a questionnaire-based risk assessment tool to conduct the assessment on the medical devices. In our environment, we set up and configured wireless infusion pump systems from five manufactures and built the enterprise network to simulate a typical HDO environment.

Please note, this section does not show you how to conduct a risk assessment. Instead, we show these basic steps for using the MDRAP tool:

  • Login to MDRAP
  • Conduct Device Inventory
  • Risk Assessment
  • Dashboard and Reports.
2.5.2.1. Login to MDRAP
  1. Within a browser, type https://mdrap.mdiss.org/ and click on Log In
  2. On the Login page (see Figure 2‑16), enter the appropriate email and password
  3. Click on Submit.

Figure 2-16: MDRAP Login Page

../_images/fig2-16.png
2.5.2.2. Conduct Device Inventory

We use the Device Inventory module of MDRAP to keep track all the infusion pumps and servers in our sample implementation. Add Device, per its name, enables us to add individual devices, while Bulk Import enables us to add a group of devices. Steps for using both methods follow.

  1. On the Welcome to MDRAP page (see Figure 2‑17), click on Device Inventory on the menu bar or on the View Device Inventory link on the page.
  2. On the Device Inventory page (Figure 2‑18), add an individual device, or edit a device, or bulk import a group of devices.

Figure 2-17: MDRAP Welcome page

../_images/fig2-17.png

Figure 2-18: Device Inventory List

../_images/fig2-18.png

Add device:

  1. On the Device Inventory page (see Figure 2‑18 above), click on ADD DEVICE.
  2. On Add Device page (see Figure 2‑19 below), locate the device from the Category List, then click on ADD.

Figure 2-19: Add Device

../_images/fig2-19.png

Edit a device:

  1. On the Device Inventory page (see Figure 2‑18 above), locate the device from the list, click on the product name link or the Edit icon.
  2. On the Edit Inventory page (see Figure 2‑20 below), update the data and click on Save.

Figure 2-20: Edit Device

../_images/fig2-20.png

Bulk Import a group of devices:

  1. On the Device Inventory page (see Figure 2‑18: Device Inventory List above), click on BULK IMPORT button.
  2. On Inventory Bulk Import page (see Figure 2‑21 below), download the template, fill-in the data into the template.
  3. Follow the instruction to upload and import the devices by using the template (see Figure 2‑22).

Figure 2-21: Inventory Bulk Import

../_images/fig2-21.png

Figure 2-22: Device inventory Template Sample

../_images/fig2-22.png
2.5.2.3. Risk Assessment

We created a risk assessment for each device by responding to the MDRAP’s built-in questionnaire. The basic steps of creating a risk assessment for a given device follow:

  1. Create assessment

    1. On the Welcome to MDRAP page (see Figure 2‑17 above), click on Assessments on the menu bar or Go to Assessments link on the page.
    2. On Create Assessment page 1(see Figure 2‑23), select a device.
    3. On Create Assessment page 2 (see Figure 2‑24), select Questionnaire type (i.e., MDISS Questionnaire).
    4. Answer the questions and then click Next button (see example questionnaire pages in Figure 2‑25 and Figure 2‑26).

Figure 2-23: Create Assessment (part 1)

../_images/fig2-23.png

Figure 2-24: Create Assessment (part 2)

../_images/fig2-24.png

Figure 2-25: Assessment Step (example 1)

../_images/fig2-25.png

Figure 2-26: Assessment Step (example 2)

../_images/fig2-26.png
2.5.2.4. Dashboard and Reports

MDRAP computes assessment results based on the responses to the questionnaires. For a given assessment (complete or partially complete), the assessment result is available for view as a dashboard (see Figure 2‑27) or report (see Figure 2‑28).

Figure 2-27: Assessment Result (dashboard example)

../_images/fig2-27.png

Figure 2-28: Assessment Result (report example)

../_images/fig2-28.png

Appendix

Appendix A Baseline Configuration File

A.1 Baseline Configuration File

Baseline Configuration File


ASA Version 9.6(1)

!

interface Management0/0

ip address 192.168.29.149 255.255.255.0

!

! optional, SSH, version is important as v1 is insecure and on by
default, also set your own password!

username cisco password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

aaa authentication ssh console LOCAL

! set to network and interface you want to manage from, can be WAN

ssh 192.168.29.0 255.255.255.0 management

ssh version 2

!

hostname internal-kmcfadde

!

! Configure network interfaces

interface GigabitEthernet0/0

nameif WAN

security-level 50

ip address 192.168.100.149 255.255.255.0

no shutdown

! optional, authenticated OSPF for excellence

ospf authentication-key [L}N]@Uv

ospf authentication message-digest

!

interface GigabitEthernet0/1

nameif LAN

security-level 100

ip address 192.168.150.1 255.255.255.0

no shutdown

!

! optional, DHCP Server

dhcpd address 192.168.150.220-192.168.150.250 LAN

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd option 3 ip 192.168.150.1

dhcpd enable LAN

!

! optional, OSPFv2

router ospf 1

network 192.168.100.0 255.255.255.0 area 0

redistribute connected subnets

redistribute static subnets

!

! Configure DNS resolution here, required for license activation

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

!

license smart

feature tier standard

throughput level 1G

names

!

! optional, Configure time zone and NTP here

clock timezone EST -5

clock summer-time EDT recurring

ntp server 10.97.74.8

!

! Allow ping through LAN to WAN

policy-map global\_policy

class inspection\_default

inspect icmp

inspect icmp error

!

! Show up in traceroute

policy-map global\_policy

class class-default

set connection decrement-ttl

!

! Make ICMP/UDP traceroute work from LAN to WAN

object-group icmp-type PING-REPLIES

icmp-object echo-reply

object-group icmp-type TRACEROUTE-REPLIES

icmp-object time-exceeded

icmp-object unreachable

group-object PING-REPLIES

access-list 101 extended permit icmp any any object-group
TRACEROUTE-REPLIES

access-list 101 extended permit icmp any any object-group PING-REPLIES

!

! Allow ICMP ping/traceroute from WAN to LAN

object-group icmp-type PING

icmp-object echo

access-list 101 extended permit icmp any any object-group PING

!

! Allow UDP traceroute from WAN to LAN

object-group service TRACEROUTEUDP

service-object udp destination gt 33434

access-list 101 extended permit object-group TRACEROUTEUDP any any

!

! example, allow a specific port on a host

! access-list 101 extended permit tcp any host 192.168.140.XXX eq www

!

! Add firewall rules we created to WAN interface

access-group 101 in interface WAN

!

! Example, set a static route

! route WAN 192.168.140.0 255.255.255.0 192.168.100.111

!

! SNMP

object network SNMPHOSTS

subnet 192.168.29.0 255.255.255.0

snmp-server enable

snmp-server community public

snmp-server host-group management SNMPHOSTS

A.2 External Firewall and Guest Network ASA Configuration File

: Saved

:

: Serial Number: 9AK64JT2D2M

: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2200 MHz

:

ASA Version 9.6(1)

!

hostname border-kmcfadde

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

license smart

feature tier standard

throughput level 1G

names

!

interface GigabitEthernet0/0

nameif WAN

security-level 0

ip address 10.32.3.10 255.255.255.0

!

interface GigabitEthernet0/1

nameif LAN

security-level 100

ip address 192.168.100.101 255.255.255.0

ospf authentication-key \*\*\*\*\*

ospf authentication message-digest

!

interface GigabitEthernet0/2

nameif GUEST

security-level 100

ip address 192.168.170.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 0

ip address 192.168.29.147 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

object network LAN-SUBNETS

subnet 192.168.0.0 255.255.0.0

object network SNMPHOSTS

subnet 192.168.29.0 255.255.255.0

object-group icmp-type PING-REPLIES

icmp-object echo-reply

object-group icmp-type TRACEROUTE-REPLIES

icmp-object time-exceeded

icmp-object unreachable

group-object PING-REPLIES

object-group icmp-type PING

icmp-object echo

object-group service TRACEROUTEUDP

service-object udp destination gt 33434

access-list 101 extended permit icmp any any object-group
TRACEROUTE-REPLIES

pager lines 23

mtu WAN 1500

mtu LAN 1500

mtu management 1500

mtu GUEST 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network LAN-SUBNETS

nat (LAN,WAN) dynamic interface

access-group 101 in interface WAN

!

route-map DEFAULT permit 10

match interface WAN

!

router ospf 1

network 192.168.100.0 255.255.255.0 area 0

log-adj-changes

redistribute connected subnets

redistribute static subnets

default-information originate

!

route WAN 0.0.0.0 0.0.0.0 10.32.3.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp
0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00

timeout sip 0:30:00 sip\_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

snmp-server host-group management SNMPHOSTS poll community \*\*\*\*\*

no snmp-server location

no snmp-server contact

snmp-server community \*\*\*\*\*

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint \_SmartCallHome\_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain \_SmartCallHome\_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201

db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101

ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8

45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969

6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609

2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.29.0 255.255.255.0 management

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd option 3 ip 192.168.170.1

!

dhcpd address 192.168.170.220-192.168.170.250 GUEST

dhcpd enable GUEST

!

dynamic-access-policy-record DfltAccessPolicy

username cisco password YBYvHe595lIMVg7Y encrypted

!

class-map inspection\_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated\_dns\_map\_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global\_policy

class inspection\_default

inspect dns migrated\_dns\_map\_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

!

service-policy global\_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Cryptochecksum:9ffa4947d875e0c501e036c54e80ee93

: end

A.3 Enterprise Services ASA Configuration File

: Saved

:

: Serial Number: 9AEHKLC171M

: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2200 MHz

:

ASA Version 9.6(1)

!

hostname enterprise-services-kmcfadde

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

license smart

feature tier standard

throughput level 1G

names

!

interface GigabitEthernet0/0

nameif WAN

security-level 50

ip address 192.168.100.154 255.255.255.0

ospf authentication-key \*\*\*\*\*

ospf authentication message-digest

!

interface GigabitEthernet0/1

nameif LAN

security-level 100

ip address 192.168.120.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 0

ip address 192.168.29.154 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

object network SNMPHOSTS

subnet 192.168.29.0 255.255.255.0

object-group service DNS

service-object tcp-udp destination eq domain

object-group service SYMANTEC-DCS

service-object tcp destination eq 4443

service-object tcp destination eq https

service-object tcp destination eq 8443

service-object tcp destination eq 2222

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any echo

access-list 101 extended permit udp any any gt 33434

access-list 101 extended permit object-group DNS 192.168.140.0
255.255.255.0 host 192.168.120.162

access-list 101 extended permit object-group DNS 192.168.140.0
255.255.255.0 host 192.168.120.163

access-list 101 extended permit tcp any host 192.168.120.166 eq 8114

access-list 101 extended permit object-group SYMANTEC-DCS any host
192.168.120.167

pager lines 23

mtu management 1500

mtu WAN 1500

mtu LAN 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group 101 in interface WAN

router ospf 1

network 192.168.100.0 255.255.255.0 area 0

log-adj-changes

redistribute connected subnets

redistribute static subnets

!

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp
0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00

timeout sip 0:30:00 sip\_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

snmp-server host-group management SNMPHOSTS poll community \*\*\*\*\*

no snmp-server location

no snmp-server contact

snmp-server community \*\*\*\*\*

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint \_SmartCallHome\_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain \_SmartCallHome\_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201

db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101

ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8

45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969

6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609

2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.29.0 255.255.255.0 management

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dynamic-access-policy-record DfltAccessPolicy

username cisco password YBYvHe595lIMVg7Y encrypted

!

class-map inspection\_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated\_dns\_map\_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global\_policy

class inspection\_default

inspect dns migrated\_dns\_map\_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

!

service-policy global\_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile License

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

profile CiscoTAC-1

no active

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e57e00145eb4fd26d97b4b0109308140

: end

A.4 Biomedical Engineering

: Saved

:

: Serial Number: 9A3RHJVFPQS

: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2200 MHz

:

ASA Version 9.6(1)

!

hostname biomedical-kmcfadde

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

license smart

feature tier standard

throughput level 1G

names

!

interface GigabitEthernet0/0

nameif WAN

security-level 50

ip address 192.168.100.152 255.255.255.0

ospf authentication-key \*\*\*\*\*

ospf authentication message-digest

!

interface GigabitEthernet0/1

nameif LAN

security-level 100

ip address 192.168.140.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 0

ip address 192.168.29.152 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

object network SNMPHOSTS

subnet 192.168.29.0 255.255.255.0

object network PUMPS

subnet 192.168.150.0 255.255.255.0

object-group icmp-type PING-REPLIES

icmp-object echo-reply

object-group icmp-type TRACEROUTE-REPLIES

icmp-object time-exceeded

icmp-object unreachable

group-object PING-REPLIES

object-group icmp-type PING

icmp-object echo

object-group service TRACEROUTEUDP

service-object udp destination gt 33434

object-group service BAXTERPORTS

service-object tcp-udp destination eq 51244

object-group service SMITHSPORTS

service-object tcp destination eq 1588

object-group service CAREFUSIONPORTS

service-object tcp destination eq 3613

object-group service PCAPORTS

service-object tcp destination eq https

service-object tcp destination eq 11443

service-object tcp destination eq 11444

object-group service PLUM360PORTS

service-object tcp destination eq 8100

service-object tcp destination eq 9292

object-group service HOSPIRAPUMPSIMPORTS

service-object tcp destination eq https

service-object tcp destination eq 8443

object-group service BBRAUNPORTS

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq 8080

service-object tcp destination eq 1500

service-object tcp destination eq 4080

access-list 101 extended permit icmp any any object-group
TRACEROUTE-REPLIES

access-list 101 extended permit object-group TRACEROUTEUDP any any

access-list 101 extended permit icmp any any object-group PING

access-list 101 extended permit icmp any any object-group PING-REPLIES

access-list 101 extended permit object-group SMITHSPORTS object PUMPS
host 192.168.140.150

access-list 101 extended permit object-group CAREFUSIONPORTS object
PUMPS host 192.168.140.158

access-list 101 extended permit object-group PCAPORTS object PUMPS host
192.168.140.160

access-list 101 extended permit object-group PLUM360PORTS object PUMPS
host 192.168.140.160

access-list 101 extended permit object-group HOSPIRAPUMPSIMPORTS object
PUMPS host 192.168.140.160

access-list 101 extended permit object-group BAXTERPORTS object PUMPS
host 192.168.140.165

access-list 101 extended permit object-group BBRAUNPORTS object PUMPS
host 192.168.140.169

pager lines 23

mtu WAN 1500

mtu LAN 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group 101 in interface WAN

router ospf 1

network 192.168.100.0 255.255.255.0 area 0

log-adj-changes

redistribute connected subnets

redistribute static subnets

!

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp
0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00

timeout sip 0:30:00 sip\_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

snmp-server host-group management SNMPHOSTS poll community \*\*\*\*\*

no snmp-server location

no snmp-server contact

snmp-server community \*\*\*\*\*

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint \_SmartCallHome\_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain \_SmartCallHome\_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201

db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101

ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8

45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969

6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609

2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.29.0 255.255.255.0 management

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns 192.168.120.163 192.168.120.162

dhcpd option 3 ip 192.168.140.1

!

dhcpd address 192.168.140.220-192.168.140.250 LAN

dhcpd enable LAN

!

dynamic-access-policy-record DfltAccessPolicy

username cisco password YBYvHe595lIMVg7Y encrypted

!

class-map inspection\_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated\_dns\_map\_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global\_policy

class inspection\_default

inspect dns migrated\_dns\_map\_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

!

service-policy global\_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Cryptochecksum:627e549de0a7dd97cd1379bbf37bc168

: end

A.5 Medical Devices Zone ASA Configuration File

: Saved

:

: Serial Number: 9AEWS2E5JRA

: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2200 MHz

:

ASA Version 9.6(1)

!

hostname medical-devices-kmcfadde

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

!

license smart

feature tier standard

throughput level 1G

names

!

interface GigabitEthernet0/0

nameif WAN

security-level 50

ip address 192.168.100.149 255.255.255.0

ospf authentication-key \*\*\*\*\*

ospf authentication message-digest

!

interface GigabitEthernet0/1

nameif LAN

security-level 100

ip address 192.168.150.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 0

ip address 192.168.29.149 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup WAN

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

object network SNMPHOSTS

subnet 192.168.29.0 255.255.255.0

object network PUMPSERVERS

subnet 192.168.140.0 255.255.255.0

object network PUMPS

subnet 192.168.150.0 255.255.255.0

object-group icmp-type PING-REPLIES

icmp-object echo-reply

object-group service PCAPORTS

service-object tcp destination eq https

service-object tcp destination eq 11444

service-object tcp destination eq 11443

service-object tcp destination eq 8443

object-group icmp-type TRACEROUTE-REPLIES

icmp-object time-exceeded

icmp-object unreachable

group-object PING-REPLIES

object-group icmp-type PING

icmp-object echo

object-group service TRACEROUTEUDP

service-object udp destination gt 33434

object-group service PLUM360PORTS

service-object tcp destination eq 8100

service-object tcp destination eq 9292

object-group service HOSPIRAPUMPSIMPORTS

service-object tcp destination eq https

service-object tcp destination eq 8443

object-group service BAXTERPUMPPORTS

service-object tcp-udp destination eq 51243

object-group service BBRAUNPORTS

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq 8080

service-object tcp destination eq 1500

access-list LAN2WAN extended permit ip object PUMPS object PUMPSERVERS

access-list WAN2LAN extended permit object-group PCAPORTS host
192.168.140.160 o bject PUMPS

access-list WAN2LAN extended permit icmp any any object-group PING

access-list WAN2LAN extended permit object-group TRACEROUTEUDP any any

access-list WAN2LAN extended permit icmp any any object-group
TRACEROUTE-REPLIES

access-list WAN2LAN extended permit icmp any any object-group
PING-REPLIES

access-list WAN2LAN extended permit object-group PLUM360PORTS host
192.168.140.1 60 object PUMPS

access-list WAN2LAN extended permit object-group HOSPIRAPUMPSIMPORTS
host 192.16 8.140.160 object PUMPS

access-list WAN2LAN extended permit object-group BAXTERPUMPPORTS host
192.168.14 0.165 object PUMPS

access-list WAN2LAN extended permit object-group BBRAUNPORTS host
192.168.140.16 9 object PUMPS

pager lines 23

mtu WAN 1500

mtu LAN 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

access-group WAN2LAN in interface WAN

access-group LAN2WAN in interface LAN

router ospf 1

network 192.168.100.0 255.255.255.0 area 0

log-adj-changes

redistribute connected subnets

redistribute static subnets

!

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp
0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00

timeout sip 0:30:00 sip\_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

snmp-server host-group management SNMPHOSTS poll community \*\*\*\*\*

no snmp-server location

no snmp-server contact

snmp-server community \*\*\*\*\*

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint \_SmartCallHome\_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain \_SmartCallHome\_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130

0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b

30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20

496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65

74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420

68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329

3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365

63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7

0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597

a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10

9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc

7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b

15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845

63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8

18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced

4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f

81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201

db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868

7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101

ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8

45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777

2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a

1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406

03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973

69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403

02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969

6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b

c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973

69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30

1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603

551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355

1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609

2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80

4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e

b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a

6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc

481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16

b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0

5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8

6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28

6c2527b9 deb78458 c61f381e a4c4cb66

quit

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.29.0 255.255.255.0 management

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns 192.168.150.1

dhcpd option 3 ip 192.168.150.1

!

dhcpd address 192.168.150.220-192.168.150.250 LAN

dhcpd enable LAN

!

dynamic-access-policy-record DfltAccessPolicy

username cisco password YBYvHe595lIMVg7Y encrypted

!

class-map inspection\_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated\_dns\_map\_1

parameters

message-length maximum client auto

message-length maximum 512

policy-map global\_policy

class inspection\_default

inspect dns migrated\_dns\_map\_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

!

service-policy global\_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http
https://tools.cisco.com/its/service/oddce/services/DD CEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http
https://tools.cisco.com/its/service/oddce/services/DD CEService

destination transport-method http

Cryptochecksum:b2e10eb9d982ddbe5330e964af80d2d3

: end

A.6 Switch Configuration File

!

! Last configuration change at 22:21:08 UTC Wed Feb 22 2017 by cisco

! NVRAM config last updated at 23:22:47 UTC Wed Feb 22 2017 by cisco

!

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service compress-config

!

hostname Cisco3650-01

!

boot-start-marker

boot-end-marker

!

!

vrf definition Mgmt-vrf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

logging console emergencies

enable secret 5 $1$FraY$.34n8ay7c.I7qwJttjHas0

enable password 7 023624481811003348

!

username admin privilege 15 password 7 04734A125E75606E0B4A

user-name cisco

creation-time 1469560730

privilege 15

password 7 0523471B701862291B56

type mgmt-user

no aaa new-model

switch 1 provision ws-c3650-48ps

!

ip domain-name nist.gov

ip device tracking

ip dhcp excluded-address 192.168.250.1 192.168.250.9

!

ip dhcp pool WLAN

network 192.168.250.0 255.255.255.0

default-router 192.168.250.1

option 43 hex c0a8.fa02

!

!

vtp mode transparent

!

crypto pki trustpoint TP-self-signed-2035642131

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2035642131

revocation-check none

rsakeypair TP-self-signed-2035642131

!

!

crypto pki certificate chain TP-self-signed-2035642131

certificate self-signed 01

3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32303335 36343231 3331301E 170D3136 30373236 32303436

32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30333536

34323133 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100F1C4 010AE138 9BD9BBCC 2E563180 698979B5 51F7B46B D122595E E7033DCA

D80C9432 0728E47F 8CAC2629 40CEC617 5CDFFBD9 19744025 CB62CA75 8F6F0A9A

34F790DD 07DA9D60 737196C1 FDD9E764 6D22EDA3 8D9E7DF5 6CD934E3 D89FA9D5

C165F3EE E9E0EA9F 37742B00 2C4CFA0B C262E61B 95565B42 302B23E7 A1C85D9F

5FDB0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603

551D1104 19301782 15436973 636F3336 35302D30 312E6E69 73742E67 6F76301F

0603551D 23041830 1680148F 3A1CDEB7 502DACB7 DF4E96E4 EA1470F1 CFD1F730

1D060355 1D0E0416 04148F3A 1CDEB750 2DACB7DF 4E96E4EA 1470F1CF D1F7300D

06092A86 4886F70D 01010405 00038181 004FE025 9B72B4D2 5391B847 F443B481

4493F8BD 69D2FF3A 3C2E6D96 D7D83B92 91DBB84D DD47E242 9B2F45AC CA7C7CBC

D7CB9660 2B07AE9B 0376D5A1 15CBA04B B326AADE AB213EB1 D625FBFF B2F54CCD

40B1EB91 C6DD5E33 DEA8EEB3 20ECDE96 F42527D6 AD1F6A5D A261D394 FE358B8F

317FAFD0 E853785D 777E1E1D 6F561A2A 07

quit

!

!

!

!

!

diagnostic bootup level minimal

spanning-tree mode pvst

spanning-tree extend system-id

!

redundancy

mode sso

!

!

vlan 20

!

vlan 1400

name IP\_DEV\_BIOMEDICAL

!

vlan 1500

name IP\_DEV

!

vlan 1520

name WIFI\_MGMT

!

ip ssh version 2

!

class-map match-any non-client-nrt-class

match non-client-nrt

!

policy-map port\_child\_policy

class non-client-nrt-class

bandwidth remaining ratio 10

!

!

!

!

!

!

interface GigabitEthernet0/0

vrf forwarding Mgmt-vrf

ip address 192.168.20.13 255.255.255.0

negotiation auto

!

interface GigabitEthernet1/0/1

switchport access vlan 1520

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/2

switchport access vlan 1520

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/3

switchport access vlan 1520

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/4

switchport access vlan 1520

switchport mode access

spanning-tree portfast

!

interface GigabitEthernet1/0/5

spanning-tree portfast

!

interface GigabitEthernet1/0/6

spanning-tree portfast

!

interface GigabitEthernet1/0/7

spanning-tree portfast

!

interface GigabitEthernet1/0/8

spanning-tree portfast

!

interface GigabitEthernet1/0/9

spanning-tree portfast

!

interface GigabitEthernet1/0/10

spanning-tree portfast

!

interface GigabitEthernet1/0/11

spanning-tree portfast

!

interface GigabitEthernet1/0/12

spanning-tree portfast

!

interface GigabitEthernet1/0/13

spanning-tree portfast

!

interface GigabitEthernet1/0/14

spanning-tree portfast

!

interface GigabitEthernet1/0/15

spanning-tree portfast

!

interface GigabitEthernet1/0/16

spanning-tree portfast

!

interface GigabitEthernet1/0/17

spanning-tree portfast

!

interface GigabitEthernet1/0/18

spanning-tree portfast

!

interface GigabitEthernet1/0/19

spanning-tree portfast

!

interface GigabitEthernet1/0/20

spanning-tree portfast

!

interface GigabitEthernet1/0/21

spanning-tree portfast

!

interface GigabitEthernet1/0/22

spanning-tree portfast

!

interface GigabitEthernet1/0/23

spanning-tree portfast

!

interface GigabitEthernet1/0/24

spanning-tree portfast

!

interface GigabitEthernet1/0/25

spanning-tree portfast

!

interface GigabitEthernet1/0/26

spanning-tree portfast

!

interface GigabitEthernet1/0/27

spanning-tree portfast

!

interface GigabitEthernet1/0/28

spanning-tree portfast

!

interface GigabitEthernet1/0/29

spanning-tree portfast

!

interface GigabitEthernet1/0/30

spanning-tree portfast

!

interface GigabitEthernet1/0/31

spanning-tree portfast

!

interface GigabitEthernet1/0/32

spanning-tree portfast

!

interface GigabitEthernet1/0/33

spanning-tree portfast

!

interface GigabitEthernet1/0/34

spanning-tree portfast

!

interface GigabitEthernet1/0/35

spanning-tree portfast

!

interface GigabitEthernet1/0/36

spanning-tree portfast

!

interface GigabitEthernet1/0/37

spanning-tree portfast

!

interface GigabitEthernet1/0/38

spanning-tree portfast

!

interface GigabitEthernet1/0/39

spanning-tree portfast

!

interface GigabitEthernet1/0/40

spanning-tree portfast

!

interface GigabitEthernet1/0/41

switchport access vlan 1400

spanning-tree portfast

!

interface GigabitEthernet1/0/42

switchport access vlan 1400

spanning-tree portfast

!

interface GigabitEthernet1/0/43

switchport access vlan 1400

spanning-tree portfast

!

interface GigabitEthernet1/0/44

switchport access vlan 1400

spanning-tree portfast

!

interface GigabitEthernet1/0/45

description Set to 10/Half for Hospira

switchport access vlan 1500

speed 10

duplex half

spanning-tree portfast

!

interface GigabitEthernet1/0/46

switchport access vlan 1500

spanning-tree portfast

!

interface GigabitEthernet1/0/47

description VLAN trunk

switchport trunk allowed vlan 1400,1500,1520

switchport mode trunk

spanning-tree portfast

!

interface GigabitEthernet1/0/48

description management connection on VL20

switchport access vlan 20

spanning-tree portfast

!

interface GigabitEthernet1/1/1

!

interface GigabitEthernet1/1/2

!

interface GigabitEthernet1/1/3

!

interface GigabitEthernet1/1/4

!

interface Vlan1

no ip address

shutdown

!

interface Vlan20

ip address 192.168.20.13 255.255.255.0

!

interface Vlan1520

description Wireless-MGMT

ip address 192.168.250.1 255.255.255.0

!

no ip http server

no ip http secure-server

ip route 0.0.0.0 0.0.0.0 192.168.20.254

!

ip access-list extended SSH-Access

permit tcp 192.168.20.0 0.0.0.255 any eq 22

deny ip any any log

!

access-list 10 permit 192.168.20.0 0.0.0.255

!

snmp-server community public RO 10

snmp-server location NCCoE

snmp-server contact nccoe\_healthcare\_dev@nist.gov

!

!

line con 0

exec-timeout 0 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class SSH-Access in

exec-timeout 300 0

password 7 022E454F5A5223014E1D

login local

transport input ssh

line vty 5 15

access-class SSH-Access in

exec-timeout 300 0

password 7 022E454F5A5223014E1D

login local

transport input ssh

!

ntp server 10.97.74.8

wsma agent exec

profile httplistener

profile httpslistener

wsma agent config

profile httplistener

profile httpslistener

wsma agent filesys

profile httplistener

profile httpslistener

wsma agent notify

profile httplistener

profile httpslistener

!

wsma profile listener httplistener

transport http

!

wsma profile listener httpslistener

transport https

ap group default-group

end

A.7 Wireless Configuration

System Inventory

NAME: "Chassis" , DESCR: "Cisco Wireless Controller"

PID: AIR-CTVM-K9, VID: V01, SN: 96NTPERK0A6

Burned-in MAC Address............................ 00:50:56:AC:6D:08

Maximum number of APs supported.................. 200

System Information

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 8.2.111.0

RTOS Version..................................... 8.2.111.0

Bootloader Version............................... 8.2.111.0

Emergency Image Version.......................... 8.2.111.0

Build Type....................................... DATA + WPS

System Name...................................... wlc

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.1631

IP Address....................................... 192.168.250.2

IPv6 Address..................................... ::

System Up Time................................... 6 days 3 hrs 48 mins
20 secs

System Timezone Location.........................

System Stats Realtime Interval................... 5

System Stats Normal Interval..................... 180

Configured Country............................... US - United States

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 2

Number of Active Clients......................... 2

Burned-in MAC Address............................ 00:50:56:AC:6D:08

Maximum number of APs supported.................. 200

System Nas-Id....................................

WLC MIC Certificate Types........................ SHA1

Licensing Type................................... RTU

vWLC config...................................... Small

Backup Controller Configuration

AP primary Backup Controller ....................

AP secondary Backup Controller ..................

System Time Information:

Time............................................. Thu Aug 18 20:05:16
2016

Timezone delta................................... 0:0

Timezone location................................

NTP Servers

NTP Polling Interval......................... 3600

Index NTP Key Index NTP Server Status NTP Msg Auth Status

-------
----------------------------------------------------------------------------------------------

1 0 192.168.250.1 Not Synched AUTH DISABLED

Redundancy Information

Redundancy Mode ................................. SSO DISABLED

Local State...................................... ACTIVE

Peer State....................................... N/A

Unit............................................. Primary

Unit ID.......................................... 00:50:56:AC:6D:08

Redunadancy State................................ N/A

Mobility MAC..................................... 00:50:56:AC:6D:08

Redundancy Management IP Address................. 0.0.0.0

Peer Redundancy Management IP Address............ 0.0.0.0

Redundancy Port IP Address....................... 0.0.0.0

Peer Redundancy Port IP Address.................. 169.254.0.0

AP Bundle Information

Primary AP Image Size

---------------- ----

ap1g1 12660

ap1g2 11748

ap1g3 13672

ap1g4 19256

ap3g1 9736

ap3g2 13480

ap3g3 18696

ap801 8064

ap802 9536

c1140 8636

c1520 7344

c1550 10628

c1570 11536

c602i 3864

version.info 4

Secondary AP Image Size

------------------ ----

ap1g1 12660

ap1g2 11748

ap1g3 13672

ap1g4 19256

ap3g1 9736

ap3g2 13480

ap3g3 18696

ap801 8064

ap802 9536

c1140 8636

c1520 7344

c1550 10628

c1570 11536

c602i 3864

version.info 4

Switch Configuration

802.3x Flow Control Mode......................... Disable

FIPS prerequisite features....................... Disabled

WLANCC prerequisite features..................... Disabled

UCAPL prerequisite features...................... Disabled

secret obfuscation............................... Enabled

Strong Password Check Features

case-check.................................... Enabled

consecutive-check............................. Enabled

default-check................................. Enabled

username-check................................ Enabled

position-check................................ Disabled

case-digit-check.............................. Disabled

Min. Password length.......................... 3

Min. Upper case chars......................... 0

Min. Lower case chars......................... 0

Min. Digits chars............................. 0

Min. Special chars............................ 0

Mgmt User

Password Lifetime [days]...................... 0

Password Lockout.............................. Disabled

Lockout Attempts.............................. 3

Lockout Timeout [mins]........................ 5

SNMPv3 User

Password Lifetime [days]...................... 0

Password Lockout.............................. Disabled

Lockout Attempts.............................. 3

Lockout Timeout [mins]........................ 5

Network Information

RF-Network Name............................. WLAN

DNS Server IP...............................

Web Mode.................................... Disable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Disable

Secure Web Mode RC4 Cipher Preference....... Disable

Secure Web Mode SSL Protocol................ Disable

OCSP........................................ Disabled

OCSP responder URL..........................

Secure Shell (ssh).......................... Enable

Secure Shell (ssh) Cipher-Option High....... Disable

Telnet...................................... Disable

Ethernet Multicast Forwarding............... Disable

Ethernet Broadcast Forwarding............... Disable

IPv4 AP Multicast/Broadcast Mode............ Unicast

IPv6 AP Multicast/Broadcast Mode............ Unicast

IGMP snooping............................... Disabled

IGMP timeout................................ 60 seconds

IGMP Query Interval......................... 20 seconds

MLD snooping................................ Disabled

MLD timeout................................. 60 seconds

MLD query interval.......................... 20 seconds

User Idle Timeout........................... 300 seconds

ARP Idle Timeout............................ 300 seconds

Cisco AP Default Master..................... Disable

AP Join Priority............................ Disable

Mgmt Via Wireless Interface................. Disable

Mgmt Via Dynamic Interface.................. Disable

Bridge MAC filter Config.................... Enable

Bridge Security Mode........................ EAP

Mesh Full Sector DFS........................ Enable

Mesh Backhaul RRM........................... Disable

AP Fallback ................................ Enable

Web Auth CMCC Support ...................... Disabled

Web Auth Redirect Ports .................... 80

Web Auth Proxy Redirect ................... Disable

Web Auth Captive-Bypass .................. Disable

Web Auth Secure Web ....................... Enable

Web Auth Secure Redirection ............... Disable

Fast SSID Change ........................... Disabled

AP Discovery - NAT IP Only ................. Enabled

IP/MAC Addr Binding Check .................. Enabled

Link Local Bridging Status ................. Disabled

CCX-lite status ............................ Disable

oeap-600 dual-rlan-ports ................... Disable

oeap-600 local-network ..................... Enable

oeap-600 Split Tunneling (Printers)......... Disable

WebPortal Online Client .................... 0

WebPortal NTF\_LOGOUT Client ................ 0

mDNS snooping............................... Disabled

mDNS Query Interval......................... 15 minutes

Web Color Theme............................. Default

Capwap Prefer Mode.......................... IPv4

Network Profile............................. Disabled

Client ip conflict detection (DHCP) ........ Disabled

Mesh BH RRM ................................ Disable

Mesh Aggressive DCA......................... Disable

Mesh Auto RF................................ Disable

HTTP Profiling Port......................... 80

Port Summary

STP Admin Physical Physical Link Link

Pr Type Stat Mode Mode Status Status Trap POE

-- ------- ---- ------- ---------- ---------- ------ ------- ---------

1 Normal Forw Enable Auto 1000 Full Up Enable N/A

AP Summary

Number of APs.................................... 2

Global AP User Name.............................. Not Configured

Global AP Dot1x User Name........................ Not Configured

AP Name Slots AP Model Ethernet MAC Location Country IP Address Clients
DSE Location

------------------ ----- -------------------- -----------------
---------------- ---------- --------------- -------- --------------

AP78da.6ee0.08ec 2 AIR-CAP1602I-A-K9 78:da:6e:e0:08:ec default location
US 192.168.250.10 0 [0 ,0 ,0 ]

AP24e9.b34b.f1ed 2 AIR-CAP1602I-A-K9 24:e9:b3:4b:f1:ed default location
US 192.168.250.11 1 [0 ,0 ,0 ]

AP Tcp-Mss-Adjust Info

AP Name TCP State MSS Size

------------------ -------- -------

AP78da.6ee0.08ec disabled -

AP24e9.b34b.f1ed disabled -

AP Location

Total Number of AP Groups........................ 1

Site Name........................................ default-group

Site Description................................. <none>

NAS-identifier................................... none

Client Traffic QinQ Enable....................... FALSE

DHCPv4 QinQ Enable............................... FALSE

AP Operating Class............................... Not-configured

Capwap Prefer Mode............................... Not-configured

RF Profile

----------

2.4 GHz band..................................... <none>

5 GHz band....................................... <none>

WLAN ID Interface Network Admission Control Radio Policy

------- ----------- -------------------------- ------------

1 ip\_dev Disabled None

2 ip\_dev Disabled None

\*AP3600 with 802.11ac Module will only advertise first 8 WLANs on 5GHz
radios.

Lan Port configs

----------------

LAN Status POE RLAN

--- ------- ---- -----

1 Disabled Disabled None

2 Disabled None

3 Disabled None

External 3G/4G module configs

-----------------------------

LAN Status POE RLAN

--- ------- ---- -----

1 Disabled None

AP Name Slots AP Model Ethernet MAC Location Port Country Priority

------------------ ----- ------------------- -----------------
---------------- ---- ------- --------

AP78da.6ee0.08ec 2 AIR-CAP1602I-A-K9 78:da:6e:e0:08:ec default location
1 US 1

AP24e9.b34b.f1ed 2 AIR-CAP1602I-A-K9 24:e9:b3:4b:f1:ed default location
1 US 1

RF Profile

Number of RF Profiles............................ 6

Out Of Box State................................. Disabled

Out Of Box Persistence........................... Disabled

RF Profile Name Band Description 11n-client-only Applied

--------------------------------- -------
----------------------------------- ------------------ ----------

High-Client-Density-802.11a 5 GHz <none> disable No

High-Client-Density-802.11bg 2.4 GHz <none> disable No

Low-Client-Density-802.11a 5 GHz <none> disable No

Low-Client-Density-802.11bg 2.4 GHz <none> disable No

Typical-Client-Density-802.11a 5 GHz <none> disable No

Typical-Client-Density-802.11bg 2.4 GHz <none> disable No

RF Profile name................................
High-Client-Density-802.11a

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 5 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -65 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... 7 dBm

Max Transmit Power............................... 30 dBm

802.11a Operational Rates

802.11a 6M Rate.............................. Disabled

802.11a 9M Rate.............................. Disabled

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. -78 dBm

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -80 dBm

Voice........................................ -80 dBm

Minimum Client Level......................... 3 clients

Exception Level.............................. 25 %

DCA Channel List.................................
36,40,44,48,52,56,60,64,100,

104,108,112,116,120,124,128,

132,136,140,144,149,153,157,

161

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

RF Profile name................................
High-Client-Density-802.11bg

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 2.4 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -70 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... 7 dBm

Max Transmit Power............................... 30 dBm

802.11b/g Operational Rates

802.11b/g 1M Rate............................ Disabled

802.11b/g 2M Rate............................ Disabled

802.11b/g 5.5M Rate.......................... Disabled

802.11b/g 11M Rate........................... Disabled

802.11g 6M Rate.............................. Disabled

802.11g 9M Rate.............................. Supported

802.11g 12M Rate............................. Mandatory

802.11g 18M Rate............................. Supported

802.11g 24M Rate............................. Supported

802.11g 36M Rate............................. Supported

802.11g 48M Rate............................. Supported

802.11g 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. -82 dBm

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -80 dBm

Voice........................................ -80 dBm

Minimum Client Level......................... 3 clients

Exception Level.............................. 25 %

DCA Channel List................................. 1,6,11

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

RF Profile name................................
Low-Client-Density-802.11a

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 5 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -60 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... -10 dBm

Max Transmit Power............................... 30 dBm

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. -80 dBm

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -90 dBm

Voice........................................ -90 dBm

Minimum Client Level......................... 2 clients

Exception Level.............................. 25 %

DCA Channel List.................................
36,40,44,48,52,56,60,64,100,

104,108,112,116,120,124,128,

132,136,140,144,149,153,157,

161

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

RF Profile name................................
Low-Client-Density-802.11bg

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 2.4 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -65 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... -10 dBm

Max Transmit Power............................... 30 dBm

802.11b/g Operational Rates

802.11b/g 1M Rate............................ Mandatory

802.11b/g 2M Rate............................ Mandatory

802.11b/g 5.5M Rate.......................... Mandatory

802.11b/g 11M Rate........................... Mandatory

802.11g 6M Rate.............................. Supported

802.11g 9M Rate.............................. Supported

802.11g 12M Rate............................. Supported

802.11g 18M Rate............................. Supported

802.11g 24M Rate............................. Supported

802.11g 36M Rate............................. Supported

802.11g 48M Rate............................. Supported

802.11g 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. -85 dBm

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -90 dBm

Voice........................................ -90 dBm

Minimum Client Level......................... 2 clients

Exception Level.............................. 25 %

DCA Channel List................................. 1,6,11

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

RF Profile name................................
Typical-Client-Density-802.11a

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 5 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -70 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... -10 dBm

Max Transmit Power............................... 30 dBm

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. AUTO

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -80 dBm

Voice........................................ -80 dBm

Minimum Client Level......................... 3 clients

Exception Level.............................. 25 %

DCA Channel List.................................
36,40,44,48,52,56,60,64,100,

104,108,112,116,120,124,128,

132,136,140,144,149,153,157,

161

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

RF Profile name................................
Typical-Client-Density-802.11bg

Description...................................... <none>

AP Group Name.................................... <none>

Radio policy..................................... 2.4 GHz

11n-client-only.................................. disabled

Transmit Power Threshold v1...................... -70 dBm

Transmit Power Threshold v2...................... -67 dBm

Min Transmit Power............................... -10 dBm

Max Transmit Power............................... 30 dBm

802.11b/g Operational Rates

802.11b/g 1M Rate............................ Disabled

802.11b/g 2M Rate............................ Disabled

802.11b/g 5.5M Rate.......................... Disabled

802.11b/g 11M Rate........................... Disabled

802.11g 6M Rate.............................. Disabled

802.11g 9M Rate.............................. Supported

802.11g 12M Rate............................. Mandatory

802.11g 18M Rate............................. Supported

802.11g 24M Rate............................. Supported

802.11g 36M Rate............................. Supported

802.11g 48M Rate............................. Supported

802.11g 54M Rate............................. Supported

Max Clients...................................... 200

WLAN ID Max Clients

------- -------

1 600

2 600

Trap Threshold

Clients...................................... 12 clients

Interference................................. 10 %

Noise........................................ -70 dBm

Utilization.................................. 80 %

Multicast Data Rate.............................. 0

Rx Sop Threshold................................. AUTO

Cca Threshold.................................... 0 dBm

Slot Admin State:................................ Enabled

Band Select

Probe Response............................... Disabled

Cycle Count.................................. 2 cycles

Cycle Threshold.............................. 200 milliseconds

Expire Suppression........................... 20 seconds

Expire Dual Band............................. 60 seconds

Client Rssi.................................. -80 dBm

Client Mid Rssi.............................. -80 dBm

Load Balancing

Denial....................................... 3 count

Window....................................... 5 clients

Coverage Data

Data......................................... -80 dBm

Voice........................................ -80 dBm

Minimum Client Level......................... 3 clients

Exception Level.............................. 25 %

DCA Channel List................................. 1,6,11

DCA Bandwidth.................................... 20

DCA Foreign AP Contribution...................... enabled

802.11n MCS Rates

MCS-00 Rate.................................. enabled

MCS-01 Rate.................................. enabled

MCS-02 Rate.................................. enabled

MCS-03 Rate.................................. enabled

MCS-04 Rate.................................. enabled

MCS-05 Rate.................................. enabled

MCS-06 Rate.................................. enabled

MCS-07 Rate.................................. enabled

MCS-08 Rate.................................. enabled

MCS-09 Rate.................................. enabled

MCS-10 Rate.................................. enabled

MCS-11 Rate.................................. enabled

MCS-12 Rate.................................. enabled

MCS-13 Rate.................................. enabled

MCS-14 Rate.................................. enabled

MCS-15 Rate.................................. enabled

MCS-16 Rate.................................. enabled

MCS-17 Rate.................................. enabled

MCS-18 Rate.................................. enabled

MCS-19 Rate.................................. enabled

MCS-20 Rate.................................. enabled

MCS-21 Rate.................................. enabled

MCS-22 Rate.................................. enabled

MCS-23 Rate.................................. enabled

MCS-24 Rate.................................. enabled

MCS-25 Rate.................................. enabled

MCS-26 Rate.................................. enabled

MCS-27 Rate.................................. enabled

MCS-28 Rate.................................. enabled

MCS-29 Rate.................................. enabled

MCS-30 Rate.................................. enabled

MCS-31 Rate.................................. enabled

Client Network Preference....................... default

AP Config

Cisco AP Identifier.............................. 3

Cisco AP Name.................................... AP78da.6ee0.08ec

Country code..................................... US - United States

Regulatory Domain allowed by Country............. 802.11bg:-A
802.11a:-AB

AP Country code.................................. US - United States

AP Regulatory Domain............................. -A

Switch Port Number .............................. 1

MAC Address...................................... 78:da:6e:e0:08:ec

IP Address Configuration......................... DHCP

IP Address....................................... 192.168.250.10

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 192.168.250.1

NAT External IP Address.......................... None

CAPWAP Path MTU.................................. 1485

DHCP Release Override............................ Disabled

Telnet State..................................... Globally Disabled

Ssh State........................................ Globally Disabled

Cisco AP Location................................ default location

Cisco AP Floor Label............................. 0

Cisco AP Group Name.............................. default-group

Primary Cisco Switch Name........................

Primary Cisco Switch IP Address.................. Not Configured

Secondary Cisco Switch Name......................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch Name.......................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN\_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... FlexConnect

Public Safety ................................... Disabled

ATF Mode: ....................................... Disable

AP SubMode ...................................... Not Configured

Rogue Detection ................................. Enabled

AP Vlan Trunking ................................ Disabled

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... informational

Logging syslog facility ......................... kern

S/W Version .................................... 8.2.111.0

Boot Version ................................... 15.2.2.0

Mini IOS Version ................................ 7.5.1.73

Stats Reporting Period .......................... 180

Stats Collection Mode ........................... normal

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Disabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. PoE/Full Power

Number Of Slots.................................. 2

AP Model......................................... AIR-CAP1602I-A-K9

AP Image......................................... C1600-K9W8-M

IOS Version...................................... 15.3(3)JC2$

Reset Button..................................... Enabled

AP Serial Number................................. FGL1748W52Y

AP Certificate Type.............................. Manufacture Installed

AP Lag Status ................................... Disable

Native Vlan Inheritance: ........................ AP

FlexConnect Vlan mode :.......................... Disabled

FlexConnect Group................................ Not a member of any
group

Group VLAN ACL Mappings

Group VLAN Name to Id Mappings

Template in Modified State - apply it to see mappings

AP-Specific FlexConnect Policy ACLs :

L2Acl Configuration ............................. Not Available

FlexConnect Local-Split ACLs :

WLAN ID PROFILE NAME ACL TYPE

------- --------------------------------
--------------------------------- -------

Flexconnect Central-Dhcp Values :

WLAN ID PROFILE NAME Central-Dhcp DNS Override Nat-Pat Type

------- --------------------------------- -------------- --------------
--------- ------

1 IP\_Dev No Encryption False False False Wlan

Flex AVC visibility Configurations..............

WlanId PROFILE NAME Inherit-level Visibility Flex Avc-profile

------- -------------------------------- ------------- ----------
--------------------------------

1 IP\_Dev No Encryption wlan-spec disable none

FlexConnect Backup Auth Radius Servers :

Primary Radius Server........................... Disabled

Secondary Radius Server......................... Disabled

AP User Mode..................................... AUTOMATIC

AP User Name..................................... Cisco

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Core Dump Config.............................. Disabled

AP Up Time....................................... 2 days, 22 h 22 m 20 s

AP LWAPP Up Time................................. 2 days, 22 h 18 m 20 s

Join Date and Time............................... Mon Aug 15 21:47:06
2016

Join Taken Time.................................. 0 days, 00 h 03 m 59 s

Attributes for Slot 0

Radio Type................................... RADIO\_TYPE\_80211n-2.4

Administrative State ........................ ADMIN\_ENABLED

Operation State ............................. UP

Mesh Radio Role ............................. ACCESS

Radio Role .................................. Client Serving (Remote)

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 1

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 5c:a4:8a:be:ca:90

Operation Rate Set

1000 Kilo Bits........................... MANDATORY

2000 Kilo Bits........................... MANDATORY

5500 Kilo Bits........................... MANDATORY

11000 Kilo Bits.......................... MANDATORY

6000 Kilo Bits........................... SUPPORTED

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... SUPPORTED

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... SUPPORTED

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

MCS Set

MCS 0.................................... SUPPORTED

MCS 1.................................... SUPPORTED

MCS 2.................................... SUPPORTED

MCS 3.................................... SUPPORTED

MCS 4.................................... SUPPORTED

MCS 5.................................... SUPPORTED

MCS 6.................................... SUPPORTED

MCS 7.................................... SUPPORTED

MCS 8.................................... SUPPORTED

MCS 9.................................... SUPPORTED

MCS 10................................... SUPPORTED

MCS 11................................... SUPPORTED

MCS 12................................... SUPPORTED

MCS 13................................... SUPPORTED

MCS 14................................... SUPPORTED

MCS 15................................... SUPPORTED

MCS 16................................... DISABLED

MCS 17................................... DISABLED

MCS 18................................... DISABLED

MCS 19................................... DISABLED

MCS 20................................... DISABLED

MCS 21................................... DISABLED

MCS 22................................... DISABLED

MCS 23................................... DISABLED

MCS 24................................... DISABLED

MCS 25................................... DISABLED

MCS 26................................... DISABLED

MCS 27................................... DISABLED

MCS 28................................... DISABLED

MCS 29................................... DISABLED

MCS 30................................... DISABLED

MCS 31................................... DISABLED

Beacon Period ............................. 100

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE

Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 1

Number Of Channels ........................ 11

MAC Operation Parameters

Configuration ............................. AUTOMATIC

Fragmentation Threshold ................... 2346

Packet Retry Limit ........................ 64

Tx Power

Num Of Supported Power Levels ............. 6

Tx Power Level 1 .......................... 22 dBm

Tx Power Level 2 .......................... 19 dBm

Tx Power Level 3 .......................... 16 dBm

Tx Power Level 4 .......................... 13 dBm

Tx Power Level 5 .......................... 10 dBm

Tx Power Level 6 .......................... 7 dBm

Tx Power Configuration .................... AUTOMATIC

Current Tx Power Level .................... 1

Tx Power Assigned By ...................... DTPC

Phy OFDM parameters

Configuration ............................. AUTOMATIC

Current Channel ........................... 11

Channel Assigned By ....................... DCA

Extension Channel ......................... NONE

Channel Width.............................. 20 Mhz

Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11

TI Threshold .............................. -50

DCA Channel List........................... Global

Legacy Tx Beamforming Configuration ....... CUSTOMIZED

Legacy Tx Beamforming ..................... ENABLED

Antenna Type............................... INTERNAL\_ANTENNA

Internal Antenna Gain (in .5 dBi units).... 8

Diversity.................................. DIVERSITY\_ENABLED

802.11n Antennas

A....................................... ENABLED

B....................................... ENABLED

C....................................... ENABLED

Performance Profile Parameters

Configuration ............................. AUTOMATIC

Interference threshold..................... 10 %

Noise threshold............................ -70 dBm

RF utilization threshold................... 80 %

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 12 dB

Coverage exception level................... 25 %

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

CleanAir Management Information

CleanAir Capable......................... Yes

CleanAir Management Administration St.... Enabled

CleanAir Management Operation State...... Down

Rapid Update Mode........................ Off

Spectrum Expert connection............... Enabled

CleanAir NSI Key....................... C44B365F4CFF338BE94B85633D98944B

Spectrum Expert Connections counter.... 0

CleanAir Sensor State.................... Configured

Radio Extended Configurations

Beacon period.............................. 100 milliseconds

Beacon range............................... AUTO

Multicast buffer........................... AUTO

Multicast data-rate........................ AUTO

RX SOP threshold........................... AUTO

CCA threshold.............................. AUTO

Attributes for Slot 1

Radio Type................................... RADIO\_TYPE\_80211n-5

Radio Subband................................ RADIO\_SUBBAND\_ALL

Administrative State ........................ ADMIN\_ENABLED

Operation State ............................. UP

Mesh Radio Role ............................. ACCESS

Radio Role .................................. Client Serving (Remote)

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 1

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 5c:a4:8a:be:ca:90

Operation Rate Set

6000 Kilo Bits........................... MANDATORY

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... MANDATORY

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... MANDATORY

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

MCS Set

MCS 0.................................... SUPPORTED

MCS 1.................................... SUPPORTED

MCS 2.................................... SUPPORTED

MCS 3.................................... SUPPORTED

MCS 4.................................... SUPPORTED

MCS 5.................................... SUPPORTED

MCS 6.................................... SUPPORTED

MCS 7.................................... SUPPORTED

MCS 8.................................... SUPPORTED

MCS 9.................................... SUPPORTED

MCS 10................................... SUPPORTED

MCS 11................................... SUPPORTED

MCS 12................................... SUPPORTED

MCS 13................................... SUPPORTED

MCS 14................................... SUPPORTED

MCS 15................................... SUPPORTED

MCS 16................................... DISABLED

MCS 17................................... DISABLED

MCS 18................................... DISABLED

MCS 19................................... DISABLED

MCS 20................................... DISABLED

MCS 21................................... DISABLED

MCS 22................................... DISABLED

MCS 23................................... DISABLED

MCS 24................................... DISABLED

MCS 25................................... DISABLED

MCS 26................................... DISABLED

MCS 27................................... DISABLED

MCS 28................................... DISABLED

MCS 29................................... DISABLED

MCS 30................................... DISABLED

MCS 31................................... DISABLED

Beacon Period ............................. 100

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE

Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 36

Number Of Channels ........................ 21

MAC Operation Parameters

Configuration ............................. AUTOMATIC

Fragmentation Threshold ................... 2346

Packet Retry Limit ........................ 64

Tx Power

Num Of Supported Power Levels ............. 6

Tx Power Level 1 .......................... 22 dBm

Tx Power Level 2 .......................... 19 dBm

Tx Power Level 3 .......................... 16 dBm

Tx Power Level 4 .......................... 13 dBm

Tx Power Level 5 .......................... 10 dBm

Tx Power Level 6 .......................... 7 dBm

Tx Power Configuration .................... AUTOMATIC

Current Tx Power Level .................... 1

Tx Power Assigned By ...................... DTPC

Phy OFDM parameters

Configuration ............................. AUTOMATIC

Current Channel ........................... 149

Channel Assigned By ....................... DCA

Extension Channel ......................... NONE

Channel Width.............................. 20 Mhz

Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,

......................................... 104,108,112,116,132,136,140,

......................................... 149,153,157,161,165

TI Threshold .............................. -50

DCA Channel List........................... Global

Legacy Tx Beamforming Configuration ....... CUSTOMIZED

Legacy Tx Beamforming ..................... ENABLED

Antenna Type............................... INTERNAL\_ANTENNA

Internal Antenna Gain (in .5 dBi units).... 8

Diversity.................................. DIVERSITY\_ENABLED

802.11n Antennas

A....................................... ENABLED

B....................................... ENABLED

C....................................... ENABLED

Performance Profile Parameters

Configuration ............................. AUTOMATIC

Interference threshold..................... 10 %

Noise threshold............................ -70 dBm

RF utilization threshold................... 80 %

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 16 dB

Coverage exception level................... 25 %

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

CleanAir Management Information

CleanAir Capable......................... Yes

CleanAir Management Administration St.... Enabled

CleanAir Management Operation State...... Down

Rapid Update Mode........................ Off

Spectrum Expert connection............... Enabled

CleanAir NSI Key....................... C44B365F4CFF338BE94B85633D98944B

Spectrum Expert Connections counter.... 0

CleanAir Sensor State.................... Configured

Radio Extended Configurations

Beacon period.............................. 100 milliseconds

Beacon range............................... AUTO

Multicast buffer........................... AUTO

Multicast data-rate........................ AUTO

RX SOP threshold........................... AUTO

CCA threshold.............................. AUTO

Cisco AP Identifier.............................. 4

Cisco AP Name.................................... AP24e9.b34b.f1ed

Country code..................................... US - United States

Regulatory Domain allowed by Country............. 802.11bg:-A
802.11a:-AB

AP Country code.................................. US - United States

AP Regulatory Domain............................. -A

Switch Port Number .............................. 1

MAC Address...................................... 24:e9:b3:4b:f1:ed

IP Address Configuration......................... DHCP

IP Address....................................... 192.168.250.11

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 192.168.250.1

NAT External IP Address.......................... None

CAPWAP Path MTU.................................. 1485

DHCP Release Override............................ Disabled

Telnet State..................................... Globally Disabled

Ssh State........................................ Globally Disabled

Cisco AP Location................................ default location

Cisco AP Floor Label............................. 0

Cisco AP Group Name.............................. default-group

Primary Cisco Switch Name........................

Primary Cisco Switch IP Address.................. Not Configured

Secondary Cisco Switch Name......................

Secondary Cisco Switch IP Address................ Not Configured

Tertiary Cisco Switch Name.......................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN\_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... FlexConnect

Public Safety ................................... Disabled

ATF Mode: ....................................... Disable

AP SubMode ...................................... Not Configured

Rogue Detection ................................. Enabled

AP Vlan Trunking ................................ Disabled

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... emergencies

Logging syslog facility ......................... system

S/W Version .................................... 8.2.111.0

Boot Version ................................... 15.2.2.0

Mini IOS Version ................................ 7.5.1.73

Stats Reporting Period .......................... 180

Stats Collection Mode ........................... normal

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Disabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. PoE/Full Power

Number Of Slots.................................. 2

AP Model......................................... AIR-CAP1602I-A-K9

AP Image......................................... C1600-K9W8-M

IOS Version...................................... 15.3(3)JC2$

Reset Button..................................... Enabled

AP Serial Number................................. FGL1748W52S

AP Certificate Type.............................. Manufacture Installed

AP Lag Status ................................... Disable

Native Vlan Inheritance: ........................ Group

FlexConnect Vlan mode :.......................... Disabled

FlexConnect Group................................ Not a member of any
group

Group VLAN ACL Mappings

Group VLAN Name to Id Mappings

Template in Modified State - apply it to see mappings

AP-Specific FlexConnect Policy ACLs :

L2Acl Configuration ............................. Not Available

FlexConnect Local-Split ACLs :

WLAN ID PROFILE NAME ACL TYPE

------- --------------------------------
--------------------------------- -------

Flexconnect Central-Dhcp Values :

WLAN ID PROFILE NAME Central-Dhcp DNS Override Nat-Pat Type

------- --------------------------------- -------------- --------------
--------- ------

1 IP\_Dev No Encryption False False False Wlan

Flex AVC visibility Configurations..............

WlanId PROFILE NAME Inherit-level Visibility Flex Avc-profile

------- -------------------------------- ------------- ----------
--------------------------------

1 IP\_Dev No Encryption wlan-spec disable none

FlexConnect Backup Auth Radius Servers :

Primary Radius Server........................... Disabled

Secondary Radius Server......................... Disabled

AP User Mode..................................... AUTOMATIC

AP User Name..................................... Cisco

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

Cisco AP system logging host..................... 255.255.255.255

AP Core Dump Config.............................. Disabled

AP Up Time....................................... 2 days, 22 h 22 m 16 s

AP LWAPP Up Time................................. 2 days, 22 h 18 m 14 s

Join Date and Time............................... Mon Aug 15 21:47:12
2016

Join Taken Time.................................. 0 days, 00 h 04 m 01 s

Attributes for Slot 0

Radio Type................................... RADIO\_TYPE\_80211n-2.4

Administrative State ........................ ADMIN\_ENABLED

Operation State ............................. UP

Mesh Radio Role ............................. ACCESS

Radio Role .................................. Client Serving (Remote)

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 1

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 1c:1d:86:31:e5:50

Operation Rate Set

1000 Kilo Bits........................... MANDATORY

2000 Kilo Bits........................... MANDATORY

5500 Kilo Bits........................... MANDATORY

11000 Kilo Bits.......................... MANDATORY

6000 Kilo Bits........................... SUPPORTED

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... SUPPORTED

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... SUPPORTED

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

MCS Set

MCS 0.................................... SUPPORTED

MCS 1.................................... SUPPORTED

MCS 2.................................... SUPPORTED

MCS 3.................................... SUPPORTED

MCS 4.................................... SUPPORTED

MCS 5.................................... SUPPORTED

MCS 6.................................... SUPPORTED

MCS 7.................................... SUPPORTED

MCS 8.................................... SUPPORTED

MCS 9.................................... SUPPORTED

MCS 10................................... SUPPORTED

MCS 11................................... SUPPORTED

MCS 12................................... SUPPORTED

MCS 13................................... SUPPORTED

MCS 14................................... SUPPORTED

MCS 15................................... SUPPORTED

MCS 16................................... DISABLED

MCS 17................................... DISABLED

MCS 18................................... DISABLED

MCS 19................................... DISABLED

MCS 20................................... DISABLED

MCS 21................................... DISABLED

MCS 22................................... DISABLED

MCS 23................................... DISABLED

MCS 24................................... DISABLED

MCS 25................................... DISABLED

MCS 26................................... DISABLED

MCS 27................................... DISABLED

MCS 28................................... DISABLED

MCS 29................................... DISABLED

MCS 30................................... DISABLED

MCS 31................................... DISABLED

Beacon Period ............................. 100

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE

Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 1

Number Of Channels ........................ 11

MAC Operation Parameters

Configuration ............................. AUTOMATIC

Fragmentation Threshold ................... 2346

Packet Retry Limit ........................ 64

Tx Power

Num Of Supported Power Levels ............. 6

Tx Power Level 1 .......................... 22 dBm

Tx Power Level 2 .......................... 19 dBm

Tx Power Level 3 .......................... 16 dBm

Tx Power Level 4 .......................... 13 dBm

Tx Power Level 5 .......................... 10 dBm

Tx Power Level 6 .......................... 7 dBm

Tx Power Configuration .................... AUTOMATIC

Current Tx Power Level .................... 1

Tx Power Assigned By ...................... DTPC

Phy OFDM parameters

Configuration ............................. AUTOMATIC

Current Channel ........................... 11

Channel Assigned By ....................... DCA

Extension Channel ......................... NONE

Channel Width.............................. 20 Mhz

Allowed Channel List....................... 1,2,3,4,5,6,7,8,9,10,11

TI Threshold .............................. -50

DCA Channel List........................... Global

Legacy Tx Beamforming Configuration ....... CUSTOMIZED

Legacy Tx Beamforming ..................... ENABLED

Antenna Type............................... INTERNAL\_ANTENNA

Internal Antenna Gain (in .5 dBi units).... 8

Diversity.................................. DIVERSITY\_ENABLED

802.11n Antennas

A....................................... ENABLED

B....................................... ENABLED

C....................................... ENABLED

Performance Profile Parameters

Configuration ............................. AUTOMATIC

Interference threshold..................... 10 %

Noise threshold............................ -70 dBm

RF utilization threshold................... 80 %

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 12 dB

Coverage exception level................... 25 %

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

CleanAir Management Information

CleanAir Capable......................... Yes

CleanAir Management Administration St.... Disabled

CleanAir Management Operation State...... Down

Rapid Update Mode........................ Off

Spectrum Expert connection............... Enabled

CleanAir NSI Key....................... 8994C2313910BF9588C6693603B8F970

Spectrum Expert Connections counter.... 0

CleanAir Sensor State.................... Configured

Radio Extended Configurations

Beacon period.............................. 100 milliseconds

Beacon range............................... AUTO

Multicast buffer........................... AUTO

Multicast data-rate........................ AUTO

RX SOP threshold........................... AUTO

CCA threshold.............................. AUTO

Attributes for Slot 1

Radio Type................................... RADIO\_TYPE\_80211n-5

Radio Subband................................ RADIO\_SUBBAND\_ALL

Administrative State ........................ ADMIN\_ENABLED

Operation State ............................. UP

Mesh Radio Role ............................. ACCESS

Radio Role .................................. Client Serving (Remote)

CellId ...................................... 0

Station Configuration

Configuration ............................. AUTOMATIC

Number Of WLANs ........................... 1

Medium Occupancy Limit .................... 100

CFP Period ................................ 4

CFP MaxDuration ........................... 60

BSSID ..................................... 1c:1d:86:31:e5:50

Operation Rate Set

6000 Kilo Bits........................... MANDATORY

9000 Kilo Bits........................... SUPPORTED

12000 Kilo Bits.......................... MANDATORY

18000 Kilo Bits.......................... SUPPORTED

24000 Kilo Bits.......................... MANDATORY

36000 Kilo Bits.......................... SUPPORTED

48000 Kilo Bits.......................... SUPPORTED

54000 Kilo Bits.......................... SUPPORTED

MCS Set

MCS 0.................................... SUPPORTED

MCS 1.................................... SUPPORTED

MCS 2.................................... SUPPORTED

MCS 3.................................... SUPPORTED

MCS 4.................................... SUPPORTED

MCS 5.................................... SUPPORTED

MCS 6.................................... SUPPORTED

MCS 7.................................... SUPPORTED

MCS 8.................................... SUPPORTED

MCS 9.................................... SUPPORTED

MCS 10................................... SUPPORTED

MCS 11................................... SUPPORTED

MCS 12................................... SUPPORTED

MCS 13................................... SUPPORTED

MCS 14................................... SUPPORTED

MCS 15................................... SUPPORTED

MCS 16................................... DISABLED

MCS 17................................... DISABLED

MCS 18................................... DISABLED

MCS 19................................... DISABLED

MCS 20................................... DISABLED

MCS 21................................... DISABLED

MCS 22................................... DISABLED

MCS 23................................... DISABLED

MCS 24................................... DISABLED

MCS 25................................... DISABLED

MCS 26................................... DISABLED

MCS 27................................... DISABLED

MCS 28................................... DISABLED

MCS 29................................... DISABLED

MCS 30................................... DISABLED

MCS 31................................... DISABLED

Beacon Period ............................. 100

Fragmentation Threshold ................... 2346

Multi Domain Capability Implemented ....... TRUE

Multi Domain Capability Enabled ........... TRUE

Country String ............................ US

Multi Domain Capability

Configuration ............................. AUTOMATIC

First Chan Num ............................ 36

Number Of Channels ........................ 21

MAC Operation Parameters

Configuration ............................. AUTOMATIC

Fragmentation Threshold ................... 2346

Packet Retry Limit ........................ 64

Tx Power

Num Of Supported Power Levels ............. 6

Tx Power Level 1 .......................... 22 dBm

Tx Power Level 2 .......................... 19 dBm

Tx Power Level 3 .......................... 16 dBm

Tx Power Level 4 .......................... 13 dBm

Tx Power Level 5 .......................... 10 dBm

Tx Power Level 6 .......................... 7 dBm

Tx Power Configuration .................... AUTOMATIC

Current Tx Power Level .................... 1

Tx Power Assigned By ...................... DTPC

Phy OFDM parameters

Configuration ............................. AUTOMATIC

Current Channel ........................... 48

Channel Assigned By ....................... DCA

Extension Channel ......................... NONE

Channel Width.............................. 20 Mhz

Allowed Channel List....................... 36,40,44,48,52,56,60,64,100,

......................................... 104,108,112,116,132,136,140,

......................................... 149,153,157,161,165

TI Threshold .............................. -50

DCA Channel List........................... Global

Legacy Tx Beamforming Configuration ....... CUSTOMIZED

Legacy Tx Beamforming ..................... ENABLED

Antenna Type............................... INTERNAL\_ANTENNA

Internal Antenna Gain (in .5 dBi units).... 8

Diversity.................................. DIVERSITY\_ENABLED

802.11n Antennas

A....................................... ENABLED

B....................................... ENABLED

C....................................... ENABLED

Performance Profile Parameters

Configuration ............................. AUTOMATIC

Interference threshold..................... 10 %

Noise threshold............................ -70 dBm

RF utilization threshold................... 80 %

Data-rate threshold........................ 1000000 bps

Client threshold........................... 12 clients

Coverage SNR threshold..................... 16 dB

Coverage exception level................... 25 %

Client minimum exception level............. 3 clients

Rogue Containment Information

Containment Count............................ 0

CleanAir Management Information

CleanAir Capable......................... Yes

CleanAir Management Administration St.... Disabled

CleanAir Management Operation State...... Down

Rapid Update Mode........................ Off

Spectrum Expert connection............... Enabled

CleanAir NSI Key....................... 8994C2313910BF9588C6693603B8F970

Spectrum Expert Connections counter.... 0

CleanAir Sensor State.................... Configured

Radio Extended Configurations

Beacon period.............................. 100 milliseconds

Beacon range............................... AUTO

Multicast buffer........................... AUTO

Multicast data-rate........................ AUTO

RX SOP threshold........................... AUTO

CCA threshold.............................. AUTO

AP Airewave Director Configuration

AP does not have the 802.11-abgn radio.

Number Of Slots.................................. 2

AP Name.......................................... AP78da.6ee0.08ec

MAC Address...................................... 78:da:6e:e0:08:ec

Slot ID........................................ 0

Radio Type..................................... RADIO\_TYPE\_80211b/g

Sub-band Type.................................. All

Noise Information

Noise Profile................................ PASSED

Interference Information

Interference Profile......................... PASSED

Rogue Histogram (20)

.............................................

Load Information

Load Profile................................. PASSED

Receive Utilization.......................... 0 %

Transmit Utilization......................... 0 %

Channel Utilization.......................... 38 %

Attached Clients............................. 0 clients

Coverage Information

Coverage Profile............................. PASSED

Failed Clients............................... 0 clients

Client Signal Strengths

RSSI -100 dbm................................ 0 clients

RSSI -92 dbm................................ 0 clients

RSSI -84 dbm................................ 0 clients

RSSI -76 dbm................................ 0 clients

RSSI -68 dbm................................ 0 clients

RSSI -60 dbm................................ 0 clients

RSSI -52 dbm................................ 0 clients

Client Signal To Noise Ratios

SNR 0 dB.................................. 0 clients

SNR 5 dB.................................. 0 clients

SNR 10 dB.................................. 0 clients

SNR 15 dB.................................. 0 clients

SNR 20 dB.................................. 0 clients

SNR 25 dB.................................. 0 clients

SNR 30 dB.................................. 0 clients

SNR 35 dB.................................. 0 clients

SNR 40 dB.................................. 0 clients

SNR 45 dB.................................. 0 clients

Nearby APs

Radar Information

Channel Assignment Information

Current Channel Average Energy............... -127 dBm

Previous Channel Average Energy.............. -127 dBm

Channel Change Count......................... 415

Last Channel Change Time..................... Thu Aug 18 20:01:53 2016

Recommended Best Channel..................... 11

RF Parameter Recommendations

Power Level.................................. 1

RTS/CTS Threshold............................ 2347

Fragmentation Threshold...................... 2346

Antenna Pattern.............................. 0

Persistent Interference Devices

Class Type Channel DC (%%) RSSI (dBm) Last Update Time

------------------------- ------- ------ ----------
------------------------

All third party trademarks are the property of their respective owners.

Number Of Slots.................................. 2

AP Name.......................................... AP78da.6ee0.08ec

MAC Address...................................... 78:da:6e:e0:08:ec

Slot ID........................................ 1

Radio Type..................................... RADIO\_TYPE\_80211a

Sub-band Type.................................. All

Noise Information

Noise Profile................................ PASSED

Interference Information

Interference Profile......................... PASSED

Rogue Histogram (20/40/80/160)

.............................................

Load Information

Load Profile................................. PASSED

Receive Utilization.......................... 0 %

Transmit Utilization......................... 0 %

Channel Utilization.......................... 1 %

Attached Clients............................. 0 clients

Coverage Information

Coverage Profile............................. PASSED

Failed Clients............................... 0 clients

Client Signal Strengths

RSSI -100 dbm................................ 0 clients

RSSI -92 dbm................................ 0 clients

RSSI -84 dbm................................ 0 clients

RSSI -76 dbm................................ 0 clients

RSSI -68 dbm................................ 0 clients

RSSI -60 dbm................................ 0 clients

RSSI -52 dbm................................ 0 clients

Client Signal To Noise Ratios

SNR 0 dB.................................. 0 clients

SNR 5 dB.................................. 0 clients

SNR 10 dB.................................. 0 clients

SNR 15 dB.................................. 0 clients

SNR 20 dB.................................. 0 clients

SNR 25 dB.................................. 0 clients

SNR 30 dB.................................. 0 clients

SNR 35 dB.................................. 0 clients

SNR 40 dB.................................. 0 clients

SNR 45 dB.................................. 0 clients

Nearby APs

Radar Information

Channel Assignment Information

Current Channel Average Energy............... -127 dBm

Previous Channel Average Energy.............. -127 dBm

Channel Change Count......................... 417

Last Channel Change Time..................... Thu Aug 18 20:05:14 2016

Recommended Best Channel..................... 149

RF Parameter Recommendations

Power Level.................................. 1

RTS/CTS Threshold............................ 2347

Fragmentation Threshold...................... 2346

Antenna Pattern.............................. 0

Persistent Interference Devices

Class Type Channel DC (%%) RSSI (dBm) Last Update Time

------------------------- ------- ------ ----------
------------------------

All third party trademarks are the property of their respective owners.

AP does not have the 802.11-abgn radio.

Number Of Slots.................................. 2

AP Name.......................................... AP24e9.b34b.f1ed

MAC Address...................................... 24:e9:b3:4b:f1:ed

Slot ID........................................ 0

Radio Type..................................... RADIO\_TYPE\_80211b/g

Sub-band Type.................................. All

Noise Information

Noise Profile................................ PASSED

Interference Information

Interference Profile......................... PASSED

Rogue Histogram (20)

.............................................

Load Information

Load Profile................................. PASSED

Receive Utilization.......................... 0 %

Transmit Utilization......................... 0 %

Channel Utilization.......................... 34 %

Attached Clients............................. 1 clients

Coverage Information

Coverage Profile............................. PASSED

Failed Clients............................... 0 clients

Client Signal Strengths

RSSI -100 dbm................................ 0 clients

RSSI -92 dbm................................ 0 clients

RSSI -84 dbm................................ 0 clients

RSSI -76 dbm................................ 0 clients

RSSI -68 dbm................................ 0 clients

RSSI -60 dbm................................ 0 clients

RSSI -52 dbm................................ 1 clients

Client Signal To Noise Ratios

SNR 0 dB.................................. 0 clients

SNR 5 dB.................................. 0 clients

SNR 10 dB.................................. 0 clients

SNR 15 dB.................................. 0 clients

SNR 20 dB.................................. 0 clients

SNR 25 dB.................................. 0 clients

SNR 30 dB.................................. 0 clients

SNR 35 dB.................................. 0 clients

SNR 40 dB.................................. 0 clients

SNR 45 dB.................................. 1 clients

Nearby APs

Radar Information

Channel Assignment Information

Current Channel Average Energy............... -127 dBm

Previous Channel Average Energy.............. -127 dBm

Channel Change Count......................... 415

Last Channel Change Time..................... Thu Aug 18 20:01:53 2016

Recommended Best Channel..................... 11

RF Parameter Recommendations

Power Level.................................. 1

RTS/CTS Threshold............................ 2347

Fragmentation Threshold...................... 2346

Antenna Pattern.............................. 0

Persistent Interference Devices

Class Type Channel DC (%%) RSSI (dBm) Last Update Time

------------------------- ------- ------ ----------
------------------------

All third party trademarks are the property of their respective owners.

Number Of Slots.................................. 2

AP Name.......................................... AP24e9.b34b.f1ed

MAC Address...................................... 24:e9:b3:4b:f1:ed

Slot ID........................................ 1

Radio Type..................................... RADIO\_TYPE\_80211a

Sub-band Type.................................. All

Noise Information

Noise Profile................................ PASSED

Interference Information

Interference Profile......................... PASSED

Rogue Histogram (20/40/80/160)

.............................................

Load Information

Load Profile................................. PASSED

Receive Utilization.......................... 0 %

Transmit Utilization......................... 0 %

Channel Utilization.......................... 0 %

Attached Clients............................. 0 clients

Coverage Information

Coverage Profile............................. PASSED

Failed Clients............................... 0 clients

Client Signal Strengths

RSSI -100 dbm................................ 0 clients

RSSI -92 dbm................................ 0 clients

RSSI -84 dbm................................ 0 clients

RSSI -76 dbm................................ 0 clients

RSSI -68 dbm................................ 0 clients

RSSI -60 dbm................................ 0 clients

RSSI -52 dbm................................ 0 clients

Client Signal To Noise Ratios

SNR 0 dB.................................. 0 clients

SNR 5 dB.................................. 0 clients

SNR 10 dB.................................. 0 clients

SNR 15 dB.................................. 0 clients

SNR 20 dB.................................. 0 clients

SNR 25 dB.................................. 0 clients

SNR 30 dB.................................. 0 clients

SNR 35 dB.................................. 0 clients

SNR 40 dB.................................. 0 clients

SNR 45 dB.................................. 0 clients

Nearby APs

Radar Information

Channel Assignment Information

Current Channel Average Energy............... -127 dBm

Previous Channel Average Energy.............. -127 dBm

Channel Change Count......................... 417

Last Channel Change Time..................... Thu Aug 18 20:05:14 2016

Recommended Best Channel..................... 48

RF Parameter Recommendations

Power Level.................................. 1

RTS/CTS Threshold............................ 2347

Fragmentation Threshold...................... 2346

Antenna Pattern.............................. 0

Persistent Interference Devices

Class Type Channel DC (%%) RSSI (dBm) Last Update Time

------------------------- ------- ------ ----------
------------------------

All third party trademarks are the property of their respective owners.

802.11a Configuration

802.11a Network.................................. Enabled

11acSupport...................................... Enabled

11nSupport....................................... Enabled

802.11a Low Band........................... Enabled

802.11a Mid Band........................... Enabled

802.11a High Band.......................... Enabled

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

802.11n MCS Settings:

MCS 0........................................ Supported

MCS 1........................................ Supported

MCS 2........................................ Supported

MCS 3........................................ Supported

MCS 4........................................ Supported

MCS 5........................................ Supported

MCS 6........................................ Supported

MCS 7........................................ Supported

MCS 8........................................ Supported

MCS 9........................................ Supported

MCS 10....................................... Supported

MCS 11....................................... Supported

MCS 12....................................... Supported

MCS 13....................................... Supported

MCS 14....................................... Supported

MCS 15....................................... Supported

MCS 16....................................... Supported

MCS 17....................................... Supported

MCS 18....................................... Supported

MCS 19....................................... Supported

MCS 20....................................... Supported

MCS 21....................................... Supported

MCS 22....................................... Supported

MCS 23....................................... Supported

MCS 24....................................... Supported

MCS 25....................................... Supported

MCS 26....................................... Supported

MCS 27....................................... Supported

MCS 28....................................... Supported

MCS 29....................................... Supported

MCS 30....................................... Supported

MCS 31....................................... Supported

802.11ac MCS Settings:

Nss=1: MCS 0-9 .............................. Supported

Nss=2: MCS 0-9 .............................. Supported

Nss=3: MCS 0-9 .............................. Supported

Nss=4: MCS 0-7 .............................. Supported

802.11n Status:

A-MPDU Tx:

Priority 0............................... Enabled

Priority 1............................... Enabled

Priority 2............................... Enabled

Priority 3............................... Enabled

Priority 4............................... Enabled

Priority 5............................... Enabled

Priority 6............................... Disabled

Priority 7............................... Disabled

Aggregation scheduler.................... Enabled

Frame Burst.............................. Automatic

Realtime Timeout..................... 10

Non Realtime Timeout................. 200

A-MSDU Tx:

Priority 0............................... Enabled

Priority 1............................... Enabled

Priority 2............................... Enabled

Priority 3............................... Enabled

Priority 4............................... Enabled

Priority 5............................... Enabled

Priority 6............................... Disabled

Priority 7............................... Disabled

A-MSDU Max Subframes ........................ 3

A-MSDU MAX Length ........................... 8k

Rifs Rx ..................................... Enabled

Guard Interval .............................. Any

Beacon Interval.................................. 100

CF Pollable mandatory............................ Disabled

CF Poll Request mandatory........................ Disabled

CFP Period....................................... 4

CFP Maximum Duration............................. 60

Default Channel.................................. 36

Default Tx Power Level........................... 0

DTPC Status..................................... Enabled

Fragmentation Threshold.......................... 2346

RSSI Low Check................................... Disabled

RSSI Threshold................................... -80

TI Threshold..................................... -50

Legacy Tx Beamforming setting.................... Disabled

Traffic Stream Metrics Status.................... Disabled

Expedited BW Request Status...................... Disabled

World Mode....................................... Enabled

dfs-peakdetect................................... Enabled

EDCA profile type................................ default-wmm

Voice MAC optimization status.................... Disabled

Call Admission Control (CAC) configuration

Voice AC:

Voice AC - Admission control (ACM)............ Disabled

Voice Stream-Size............................. 84000

Voice Max-Streams............................. 2

Voice max RF bandwidth........................ 75

Voice reserved roaming bandwidth.............. 6

Voice CAC Method ............................. Load-Based

Voice tspec inactivity timeout................ Disabled

CAC SIP-Voice configuration

SIP based CAC ................................ Disabled

SIP Codec Type ............................... CODEC\_TYPE\_G711

SIP call bandwidth ........................... 64

SIP call bandwith sample-size ................ 20

Video AC:

Video AC - Admission control (ACM)............ Disabled

Video max RF bandwidth........................ Infinite

Video reserved roaming bandwidth.............. 0

Video load-based CAC mode..................... Disabled

Video CAC Method ............................. Static

CAC SIP-Video Configuration

SIP based CAC ................................ Disabled

Best-effort AC - Admission control (ACM)...... Disabled

Background AC - Admission control (ACM)....... Disabled

Maximum Number of Clients per AP Radio........... 200

802.11a Advanced Configuration

Member RRM Information

AP Name MAC Address Slot Admin Oper Channel TxPower

-------------------------------- ----------------- ---- --------
----------- ------------------ -------------

AP78da.6ee0.08ec 5c:a4:8a:be:ca:90 1 ENABLED UP 149\* \*1/6 (22 dBm)

AP24e9.b34b.f1ed 1c:1d:86:31:e5:50 1 ENABLED UP 48\* \*1/6 (22 dBm)

802.11a Airewave Director Configuration

RF Event and Performance Logging

Channel Update Logging......................... Off

Coverage Profile Logging....................... Off

Foreign Profile Logging........................ Off

Load Profile Logging........................... Off

Noise Profile Logging.......................... Off

Performance Profile Logging.................... Off

TxPower Update Logging......................... Off

Default 802.11a AP performance profiles

802.11a Global Interference threshold.......... 10 %

802.11a Global noise threshold................. -70 dBm

802.11a Global RF utilization threshold........ 80 %

802.11a Global throughput threshold............ 1000000 bps

802.11a Global clients threshold............... 12 clients

Default 802.11a AP monitoring

802.11a Monitor Mode........................... enable

802.11a Monitor Mode for Mesh AP Backhaul...... disable

802.11a Monitor Channels....................... Country channels

802.11a RRM Neighbor Discover Type............. Transparent

802.11a RRM Neighbor RSSI Normalization........ Enabled

802.11a AP Coverage Interval................... 90 seconds

802.11a AP Load Interval....................... 60 seconds

802.11a AP Monitor Measurement Interval........ 180 seconds

802.11a AP Neighbor Timeout Factor............. 5

802.11a AP Report Measurement Interval......... 180 seconds

Leader Automatic Transmit Power Assignment

Transmit Power Assignment Mode................. AUTO

Transmit Power Update Interval................. 600 seconds

Transmit Power Threshold....................... -70 dBm

Transmit Power Neighbor Count.................. 3 APs

Min Transmit Power............................. -10 dBm

Max Transmit Power............................. 30 dBm

Update Contribution

Noise........................................ Enable

Interference................................. Enable

Load......................................... Disable

Device Aware................................. Disable

Transmit Power Assignment Leader............... wlc (192.168.250.2) (::)

Last Run....................................... 21 seconds ago

Last Run Time.................................. 0 seconds

TPC Mode....................................... Version 1

TPCv2 Target RSSI.............................. -67 dBm

TPCv2 VoWLAN Guide RSSI........................ -67.0 dBm

TPCv2 SOP...................................... -85.0 dBm

TPCv2 Default Client Ant Gain.................. 0.0 dBi

TPCv2 Path Loss Decay Factor................... 3.6

TPCv2 Search Intensity......................... 10 Iterations

AP Name Channel TxPower Allowed Power Levels

-------------------------------- ---------- -------------
------------------------

AP78da.6ee0.08ec 149\* \*1/6 (22 dBm) [22/19/16/13/10/7/7/7]

AP24e9.b34b.f1ed 48\* \*1/6 (22 dBm) [22/19/16/13/10/7/7/7]

Coverage Hole Detection

802.11a Coverage Hole Detection Mode........... Enabled

802.11a Coverage Voice Packet Count............ 100 packets

802.11a Coverage Voice Packet Percentage....... 50%

802.11a Coverage Voice RSSI Threshold.......... -80 dBm

802.11a Coverage Data Packet Count............. 50 packets

802.11a Coverage Data Packet Percentage........ 50%

802.11a Coverage Data RSSI Threshold........... -80 dBm

802.11a Global coverage exception level........ 25 %

802.11a Global client minimum exception lev.... 3 clients

OptimizedRoaming

802.11a OptimizedRoaming Mode.................. Disabled

802.11a OptimizedRoaming Reporting Interval.... 90 seconds

802.11a OptimizedRoaming Rate Threshold........ disabled

802.11a OptimizedRoaming Hysteresis............ 6 dB

OptimizedRoaming Stats

802.11a OptimizedRoaming Disassociations....... 0

802.11a OptimizedRoaming Rejections............ 0

Leader Automatic Channel Assignment

Channel Assignment Mode........................ AUTO

Channel Update Interval........................ 600 seconds

Anchor time (Hour of the day).................. 0

Update Contribution

Noise........................................ Enable

Interference................................. Enable

Load......................................... Disable

Device Aware................................. Disable

CleanAir Event-driven RRM option............... Disabled

Channel Assignment Leader...................... wlc (192.168.250.2) (::)

Last Run....................................... 21 seconds ago

Last Run Time.................................. 0 seconds

DCA Sensitivity Level.......................... MEDIUM (15 dB)

DCA 802.11n/ac Channel Width................... 20 MHz

DCA Minimum Energy Limit....................... -95 dBm

Channel Energy Levels

Minimum...................................... -127 dBm

Average...................................... -127 dBm

Maximum...................................... -127 dBm

Channel Dwell Times

Minimum...................................... 0 days, 00 h 00 m 19 s

Average...................................... 0 days, 00 h 00 m 19 s

Maximum...................................... 0 days, 00 h 00 m 19 s

802.11a 5 GHz Auto-RF Channel List

Allowed Channel List.........................
36,40,44,48,52,56,60,64,100,

104,108,112,116,120,124,128,

132,136,140,144,149,153,157,

161

Unused Channel List.......................... 165

802.11a 4.9 GHz Auto-RF Channel List

Allowed Channel List.........................

Unused Channel List..........................
1,2,3,4,5,6,7,8,9,10,11,12,

13,14,15,16,17,18,19,20,21,

22,23,24,25,26

DCA Outdoor AP option.......................... Disabled

802.11a Radio RF Grouping

RF Group Name.................................. WLAN

RF Protocol Version(MIN)....................... 101(30)

RF Packet Header Version....................... 2

Group Role(Mode)............................... LEADER(AUTO)

Group State.................................... Idle

Group Update Interval.......................... 600 seconds

Group Leader................................... wlc (192.168.250.2) (::)

Group Member

................................. wlc (192.168.250.2)

Maximum/Current number of Group Member......... 20/1

Maximum/Current number of AP................... 500/2

Last Run....................................... 21 seconds ago

802.11a CleanAir Configuration

Clean Air Solution............................... Disabled

Air Quality Settings:

Air Quality Reporting........................ Enabled

Air Quality Reporting Period (min)........... 15

Air Quality Alarms........................... Enabled

Air Quality Alarm Threshold................ 35

Unclassified Interference.................. Disabled

Unclassified Severity Threshold............ 20

Interference Device Settings:

Interference Device Reporting................ Enabled

Interference Device Types:

TDD Transmitter.......................... Enabled

Jammer................................... Enabled

Continuous Transmitter................... Enabled

DECT-like Phone.......................... Enabled

Video Camera............................. Enabled

WiFi Inverted............................ Enabled

WiFi Invalid Channel..................... Enabled

SuperAG.................................. Enabled

Canopy................................... Enabled

WiMax Mobile............................. Enabled

WiMax Fixed.............................. Enabled

Interference Device Alarms................... Enabled

Interference Device Types Triggering Alarms:

TDD Transmitter.......................... Disabled

Jammer................................... Enabled

Continuous Transmitter................... Disabled

DECT-like Phone.......................... Disabled

Video Camera............................. Disabled

WiFi Inverted............................ Enabled

WiFi Invalid Channel..................... Enabled

SuperAG.................................. Disabled

Canopy................................... Disabled

WiMax Mobile............................. Disabled

WiMax Fixed.............................. Disabled

Additional Clean Air Settings:

CleanAir ED-RRM State........................ Disabled

CleanAir ED-RRM Sensitivity.................. Medium

CleanAir ED-RRM Custom Threshold............. 50

CleanAir Rogue Contribution.................. Disabled

CleanAir Rogue Duty-Cycle Threshold.......... 80

CleanAir Persistent Devices state............ Disabled

CleanAir Persistent Device Propagation....... Disabled

802.11a CleanAir AirQuality Summary

AQ = Air Quality

DFS = Dynamic Frequency Selection

AP Name Channel Avg AQ Min AQ Interferers DFS

------------------ ------- ------ ------ ----------- ---

802.11b Configuration

802.11b Network.................................. Enabled

11gSupport....................................... Enabled

11nSupport....................................... Enabled

802.11b/g Operational Rates

802.11b/g 1M Rate............................ Mandatory

802.11b/g 2M Rate............................ Mandatory

802.11b/g 5.5M Rate.......................... Mandatory

802.11b/g 11M Rate........................... Mandatory

802.11g 6M Rate.............................. Supported

802.11g 9M Rate.............................. Supported

802.11g 12M Rate............................. Supported

802.11g 18M Rate............................. Supported

802.11g 24M Rate............................. Supported

802.11g 36M Rate............................. Supported

802.11g 48M Rate............................. Supported

802.11g 54M Rate............................. Supported

802.11n MCS Settings:

MCS 0........................................ Supported

MCS 1........................................ Supported

MCS 2........................................ Supported

MCS 3........................................ Supported

MCS 4........................................ Supported

MCS 5........................................ Supported

MCS 6........................................ Supported

MCS 7........................................ Supported

MCS 8........................................ Supported

MCS 9........................................ Supported

MCS 10....................................... Supported

MCS 11....................................... Supported

MCS 12....................................... Supported

MCS 13....................................... Supported

MCS 14....................................... Supported

MCS 15....................................... Supported

MCS 16....................................... Supported

MCS 17....................................... Supported

MCS 18....................................... Supported

MCS 19....................................... Supported

MCS 20....................................... Supported

MCS 21....................................... Supported

MCS 22....................................... Supported

MCS 23....................................... Supported

MCS 24....................................... Supported

MCS 25....................................... Supported

MCS 26....................................... Supported

MCS 27....................................... Supported

MCS 28....................................... Supported

MCS 29....................................... Supported

MCS 30....................................... Supported

MCS 31....................................... Supported

802.11n Status:

A-MPDU Tx:

Priority 0............................... Enabled

Priority 1............................... Enabled

Priority 2............................... Enabled

Priority 3............................... Enabled

Priority 4............................... Enabled

Priority 5............................... Enabled

Priority 6............................... Disabled

Priority 7............................... Disabled

Aggregation scheduler.................... Enabled

Realtime Timeout..................... 10

Non Realtime Timeout................. 200

A-MSDU Tx:

Priority 0............................... Enabled

Priority 1............................... Enabled

Priority 2............................... Enabled

Priority 3............................... Enabled

Priority 4............................... Enabled

Priority 5............................... Enabled

Priority 6............................... Disabled

Priority 7............................... Disabled

A-MSDU Max Subframes ........................ 3

A-MSDU MAX Length ........................... 8k

Rifs Rx ..................................... Enabled

Guard Interval .............................. Any

Beacon Interval.................................. 100

CF Pollable mode................................. Disabled

CF Poll Request mandatory........................ Disabled

CFP Period....................................... 4

CFP Maximum Duration............................. 60

Default Channel.................................. 1

Default Tx Power Level........................... 0

DTPC Status..................................... Enabled

RSSI Low Check................................... Disabled

RSSI Threshold................................... -80

Call Admission Limit ........................... 105

G711 CU Quantum ................................. 15

ED Threshold..................................... -50

Fragmentation Threshold.......................... 2346

PBCC mandatory................................... Disabled

RTS Threshold.................................... 2347

Short Preamble mandatory......................... Enabled

Short Retry Limit................................ 7

Legacy Tx Beamforming setting.................... Disabled

Traffic Stream Metrics Status.................... Disabled

Expedited BW Request Status...................... Disabled

World Mode....................................... Enabled

Faster Carrier Tracking Loop..................... Disabled

EDCA profile type................................ default-wmm

Voice MAC optimization status.................... Disabled

Call Admission Control (CAC) configuration

Voice AC - Admission control (ACM)............ Disabled

Voice Stream-Size............................. 84000

Voice Max-Streams............................. 2

Voice max RF bandwidth........................ 75

Voice reserved roaming bandwidth.............. 6

Voice CAC Method.............................. Load-Based

Voice tspec inactivity timeout................ Disabled

CAC SIP-Voice configuration

SIP based CAC ................................ Disabled

SIP Codec Type ............................... CODEC\_TYPE\_G711

SIP call bandwidth: .......................... 64

SIP call bandwidth sample-size ............... 20

Video AC - Admission control (ACM)............ Disabled

Video max RF bandwidth........................ Infinite

Video reserved roaming bandwidth.............. 0

Video load-based CAC mode..................... Disabled

Video CAC Method ............................. Static

CAC SIP-Video configuration

SIP based CAC ................................ Disabled

Best-effort AC - Admission control (ACM)...... Disabled

Background AC - Admission control (ACM)....... Disabled

Maximum Number of Clients per AP................. 200

802.11b Advanced Configuration

Member RRM Information

AP Name MAC Address Admin Oper Channel TxPower

-------------------------------- ----------------- -------- -----------
---------- -------------

AP78da.6ee0.08ec 5c:a4:8a:be:ca:90 ENABLED UP 11\* \*1/6 (22 dBm)

AP24e9.b34b.f1ed 1c:1d:86:31:e5:50 ENABLED UP 11\* \*1/6 (22 dBm)

802.11b Airewave Director Configuration

RF Event and Performance Logging

Channel Update Logging......................... Off

Coverage Profile Logging....................... Off

Foreign Profile Logging........................ Off

Load Profile Logging........................... Off

Noise Profile Logging.......................... Off

Performance Profile Logging.................... Off

Transmit Power Update Logging.................. Off

Default 802.11b AP performance profiles

802.11b Global Interference threshold.......... 10 %

802.11b Global noise threshold................. -70 dBm

802.11b Global RF utilization threshold........ 80 %

802.11b Global throughput threshold............ 1000000 bps

802.11b Global clients threshold............... 12 clients

Default 802.11b AP monitoring

802.11b Monitor Mode........................... enable

802.11b Monitor Channels....................... Country channels

802.11b RRM Neighbor Discovery Type............ Transparent

802.11b RRM Neighbor RSSI Normalization........ Enabled

802.11b AP Coverage Interval................... 90 seconds

802.11b AP Load Interval....................... 60 seconds

802.11b AP Monitor Measurement Interval........ 180 seconds

802.11b AP Neighbor Timeout Factor............. 5

802.11b AP Report Measurement Interval......... 180 seconds

Leader Automatic Transmit Power Assignment

Transmit Power Assignment Mode................. AUTO

Transmit Power Update Interval................. 600 seconds

Transmit Power Threshold....................... -70 dBm

Transmit Power Neighbor Count.................. 3 APs

Min Transmit Power............................. -10 dBm

Max Transmit Power............................. 30 dBm

Update Contribution

Noise........................................ Enable

Interference................................. Enable

Load......................................... Disable

Device Aware................................. Disable

Transmit Power Assignment Leader............... wlc (192.168.250.2) (::)

Last Run....................................... 225 seconds ago

Last Run Time.................................. 0 seconds

TPC Mode....................................... Version 1

TPCv2 Target RSSI.............................. -67 dBm

TPCv2 VoWLAN Guide RSSI........................ -67.0 dBm

TPCv2 SOP...................................... -85.0 dBm

TPCv2 Default Client Ant Gain.................. 0.0 dBi

TPCv2 Path Loss Decay Factor................... 3.6

TPCv2 Search Intensity......................... 10 Iterations

AP Name Channel TxPower Allowed Power Levels

-------------------------------- ---------- -------------
------------------------

AP78da.6ee0.08ec \*11 \*1/6 (22 dBm) [22/19/16/13/10/7/7/7]

AP24e9.b34b.f1ed \*11 \*1/6 (22 dBm) [22/19/16/13/10/7/7/7]

Coverage Hole Detection

802.11b Coverage Hole Detection Mode........... Enabled

802.11b Coverage Voice Packet Count............ 100 packets

802.11b Coverage Voice Packet Percentage....... 50%

802.11b Coverage Voice RSSI Threshold.......... -80 dBm

802.11b Coverage Data Packet Count............. 50 packets

802.11b Coverage Data Packet Percentage........ 50%

802.11b Coverage Data RSSI Threshold........... -80 dBm

802.11b Global coverage exception level........ 25 %

802.11b Global client minimum exception lev.... 3 clients

OptimizedRoaming

802.11b OptimizedRoaming Mode.................. Disabled

802.11b OptimizedRoaming Reporting Interval.... 90 seconds

802.11b OptimizedRoaming Rate Threshold........ disabled

802.11b OptimizedRoaming Hysteresis............ 6 dB

OptimizedRoaming Stats

802.11b OptimizedRoaming Disassociations....... 0

802.11b OptimizedRoaming Rejections............ 0

Leader Automatic Channel Assignment

Channel Assignment Mode........................ AUTO

Channel Update Interval........................ 600 seconds

Anchor time (Hour of the day).................. 0

Update Contribution

Noise........................................ Enable

Interference................................. Enable

Load......................................... Disable

Device Aware................................. Disable

CleanAir Event-driven RRM option............... Disabled

Channel Assignment Leader...................... wlc (192.168.250.2) (::)

Last Run....................................... 225 seconds ago

Last Run Time.................................. 0 seconds

DCA Sensitivity Level: ...................... MEDIUM (10 dB)

DCA Minimum Energy Limit....................... -95 dBm

Channel Energy Levels

Minimum...................................... -127 dBm

Average...................................... -127 dBm

Maximum...................................... -127 dBm

Channel Dwell Times

Minimum...................................... 0 days, 00 h 03 m 43 s

Average...................................... 0 days, 00 h 03 m 43 s

Maximum...................................... 0 days, 00 h 03 m 43 s

802.11b Auto-RF Allowed Channel List........... 1,6,11

Auto-RF Unused Channel List.................... 2,3,4,5,7,8,9,10

802.11b Radio RF Grouping

RF Group Name.................................. WLAN

RF Protocol Version(MIN)....................... 101(30)

RF Packet Header Version....................... 2

Group Role(Mode)............................... LEADER(AUTO)

Group State.................................... Idle

Group Update Interval.......................... 600 seconds

Group Leader................................... wlc (192.168.250.2) (::)

Group Member

................................. wlc (192.168.250.2)

Maximum/Current number of Group Member......... 20/1

Maximum/Current number of AP................... 500/2

Last Run....................................... 225 seconds ago

802.11b CleanAir Configuration

Clean Air Solution............................... Disabled

Air Quality Settings:

Air Quality Reporting........................ Enabled

Air Quality Reporting Period (min)........... 15

Air Quality Alarms........................... Enabled

Air Quality Alarm Threshold................ 35

Unclassified Interference.................. Disabled

Unclassified Severity Threshold............ 20

Interference Device Settings:

Interference Device Reporting................ Enabled

Interference Device Types:

Bluetooth Link........................... Enabled

Microwave Oven........................... Enabled

802.11 FH................................ Enabled

Bluetooth Discovery...................... Enabled

TDD Transmitter.......................... Enabled

Jammer................................... Enabled

Continuous Transmitter................... Enabled

DECT-like Phone.......................... Enabled

Video Camera............................. Enabled

802.15.4................................. Enabled

WiFi Inverted............................ Enabled

WiFi Invalid Channel..................... Enabled

SuperAG.................................. Enabled

Canopy................................... Enabled

Microsoft Device......................... Enabled

WiMax Mobile............................. Enabled

WiMax Fixed.............................. Enabled

BLE Beacon............................... Enabled

Interference Device Alarms................... Enabled

Interference Device Types Triggering Alarms:

Bluetooth Link........................... Disabled

Microwave Oven........................... Disabled

802.11 FH................................ Disabled

Bluetooth Discovery...................... Disabled

TDD Transmitter.......................... Disabled

Jammer................................... Enabled

Continuous Transmitter................... Disabled

DECT-like Phone.......................... Disabled

Video Camera............................. Disabled

802.15.4................................. Disabled

WiFi Inverted............................ Enabled

WiFi Invalid Channel..................... Enabled

SuperAG.................................. Disabled

Canopy................................... Disabled

Microsoft Device......................... Disabled

WiMax Mobile............................. Disabled

WiMax Fixed.............................. Disabled

BLE Beacon............................... Disabled

Additional Clean Air Settings:

CleanAir ED-RRM State........................ Disabled

CleanAir ED-RRM Sensitivity.................. Medium

CleanAir ED-RRM Custom Threshold............. 50

CleanAir Rogue Contribution.................. Disabled

CleanAir Rogue Duty-Cycle Threshold.......... 80

CleanAir Persistent Devices state............ Disabled

CleanAir Persistent Device Propagation....... Disabled

802.11a CleanAir AirQuality Summary

AQ = Air Quality

DFS = Dynamic Frequency Selection

AP Name Channel Avg AQ Min AQ Interferers DFS

------------------ ------- ------ ------ ----------- ---

RF Density Optimization Configurations

FRA State........................................ Disabled

FRA Sensitivity.................................. low (100)

FAR Interval..................................... 1 Hour(s)

Last Run....................................... 2703 seconds ago

Last Run Time.................................. 0 seconds

AP Name MAC Address Slot Current Band COF % Suggested Mode

-------------------------------- ----------------- ---- --------------
-------------------- -------------------------

COF : Coverage Overlap Factor

RF Client Steering Configurations

Client Steering Configuration Information

Macro to micro transition threshold............ -55 dBm

micro to Macro transition threshold............ -65 dBm

micro-Macro transition minimum client count.... 3

micro-Macro transition client balancing win.... 3

Probe suppression mode......................... disabled

Probe suppression validity window.............. 100 s

Probe suppression aggregate window............. 200 ms

Probe suppression transition aggressiveness.... 3

Probe suppression hysteresis................... -6 dBm

Mobility Configuration

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... WLAN

Multicast Mode .................................. Disabled

Mobility Domain ID for 802.11r................... 0xf6a2

Mobility Keepalive Interval...................... 10

Mobility Keepalive Count......................... 3

Mobility Group Members Configured................ 1

Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group

MAC Address IP Address Group Name Multicast IP Status

00:50:56:ac:6d:08 192.168.250.2 WLAN 0.0.0.0 Up

Mobility Hash Configuration

Default Mobility Domain.......................... WLAN

IP Address Hash Key

---------------------------------------------------------

192.168.250.2 7a9b864fa2922672949cf9a66fd012a0ce8cc7b0

Self Signed Certificate details

SSC Hash validation.............................. Enabled.

SSC Device Certificate details:

Subject Name :

C=US, ST=California, L=San Jose, O=Cisco Virtual Wireless LAN
Controller,

CN=DEVICE-vWLC-AIR-CTVM-K9-005056AC6338, emailAddress=support@vwlc.com

Validity :

Start : Jul 26 20:52:54 2016 GMT

End : Jun 4 20:52:54 2026 GMT

Hash key : 7a9b864fa2922672949cf9a66fd012a0ce8cc7b0

Mobility Foreign Map Configuration

WLAN ID Foreign Mac Address Interface

------- ------------------- ---------

Advanced Configuration

Probe request filtering.......................... Enabled

Probes fwd to controller per client per radio.... 2

Probe request rate-limiting interval............. 500 msec

Aggregate Probe request interval................. 500 msec

Increased backoff parameters for probe respon.... Disabled

EAP-Identity-Request Timeout (seconds)........... 30

EAP-Identity-Request Max Retries................. 2

EAP Key-Index for Dynamic WEP.................... 0

EAP Max-Login Ignore Identity Response........... enable

EAP-Request Timeout (seconds).................... 30

EAP-Request Max Retries.......................... 2

EAPOL-Key Timeout (milliseconds)................. 1000

EAPOL-Key Max Retries............................ 2

EAP-Broadcast Key Interval....................... 3600

dot11-padding.................................... Disabled

padding-size..................................... 0

Advanced Hotspot Commands

ANQP 4-way state................................. Disabled

GARP Broadcast state: ........................... Enabled

GAS request rate limit .......................... Disabled

ANQP comeback delay in TUs(TU=1024usec).......... 1 TUs (=1mSec)

Location Configuration

RFID Tag data Collection......................... Enabled

RFID timeout.................................... 1200 seconds

RFID mobility....................................

Interface Configuration

Interface Name................................... ip\_dev

MAC Address...................................... 00:50:56:ac:6d:08

IP Address....................................... 192.168.150.2

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 192.168.150.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. 1500

Quarantine-vlan.................................. 0

NAS-Identifier................................... none

Physical Port.................................... 1

DHCP Proxy Mode.................................. Global

Primary DHCP Server.............................. Unconfigured

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

DHCP Option 82 bridge mode insertion............. Disabled

IPv4 ACL......................................... Unconfigured

mDNS Profile Name................................ Unconfigured

AP Manager....................................... No

Guest Interface.................................. N/A

3G VLAN.......................................... Disabled

L2 Multicast..................................... Enabled

Interface Name................................... management

MAC Address...................................... 00:50:56:ac:6d:08

IP Address....................................... 192.168.250.2

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 192.168.250.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

Link Local IPv6 Address..........................
fe80::250:56ff:feac:6d08/64

STATE ........................................... REACHABLE

Primary IPv6 Address............................. ::/128

STATE ........................................... NONE

Primary IPv6 Gateway............................. ::

Primary IPv6 Gateway Mac Address................. 00:00:00:00:00:00

STATE ........................................... INCOMPLETE

VLAN............................................. 1520

Quarantine-vlan.................................. 0

Physical Port.................................... 1

DHCP Proxy Mode.................................. Global

Primary DHCP Server.............................. 192.168.250.1

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

DHCP Option 82 bridge mode insertion............. Disabled

IPv4 ACL......................................... Unconfigured

IPv6 ACL......................................... Unconfigured

mDNS Profile Name................................ Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. N/A

L2 Multicast..................................... Enabled

Interface Name................................... service-port

MAC Address...................................... 00:50:56:ac:63:38

IP Address....................................... 192.168.29.146

IP Netmask....................................... 255.255.255.0

Link Local IPv6 Address..........................
fe80::250:56ff:feac:6338/64

STATE ........................................... NONE

IPv6 Address..................................... ::/128

STATE ........................................... NONE

SLAAC............................................ Disabled

DHCP Protocol.................................... Disabled

AP Manager....................................... No

Guest Interface.................................. N/A

Speed ........................................... 1Gbps

Duplex .......................................... Full

Auto Negotiation ................................ Enabled

Link Status...................................... Up

Port specific Information:

inet addr:192.168.29.146 Bcast:192.168.29.255 Mask:255.255.255.0

inet6 addr: fe80::250:56ff:feac:6338/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1430 Metric:1

RX packets:258830 errors:0 dropped:298 overruns:0 frame:0

TX packets:95115 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:25069479 (23.9 MiB) TX bytes:55852901 (53.2 MiB)

Interface Name................................... virtual

MAC Address...................................... 00:50:56:ac:6d:08

IP Address....................................... 1.1.1.1

Virtual DNS Host Name............................ Disabled

AP Manager....................................... No

Guest Interface.................................. N/A

Interface Group Configuration

WLAN Configuration

WLAN Identifier.................................. 1

Profile Name..................................... IP\_Dev No Encryption

Network Name (SSID).............................. IP\_Dev

Status........................................... Disabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Client Profiling Status

Radius Profiling ............................ Disabled

DHCP ....................................... Disabled

HTTP ....................................... Disabled

Local Profiling ............................. Disabled

DHCP ....................................... Disabled

HTTP ....................................... Disabled

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

ATF Policy....................................... 0

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ Disabled

Sleep Client..................................... disable

Sleep Client Timeout............................. 720 minutes

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... none

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ ip\_dev

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

WLAN Layer2 ACL.................................. unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Tunnel Profile................................... Unconfigured

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... 802.1P (Tag=0)

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ Global Servers

Accounting.................................... Global Servers

Interim Update............................. Enabled

Interim Update Interval.................... 0

Framed IPv6 Acct AVP ...................... Prefix

Dynamic Interface............................. Disabled

Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

Radius NAI-Realm................................. Disabled

Mu-Mimo.......................................... Enabled

Security

802.11 Authentication:........................ Open System

FT Support.................................... Disabled

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Disabled

Wi-Fi Direct policy configured................ Disabled

EAP-Passthrough............................... Disabled

CKIP ......................................... Disabled

Web Based Authentication...................... Disabled

Web Authentication Timeout.................... 300

Web-Passthrough............................... Disabled

Mac-auth-server............................... 0.0.0.0

Web-portal-server............................. 0.0.0.0

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

FlexConnect Local Switching................... Enabled

FlexConnect Central Association............... Disabled

flexconnect Central Dhcp Flag................. Disabled

flexconnect nat-pat Flag...................... Disabled

flexconnect Dns Override Flag................. Disabled

flexconnect PPPoE pass-through................ Disabled

flexconnect local-switching IP-source-guar.... Disabled

FlexConnect Vlan based Central Switching ..... Disabled

FlexConnect Local Authentication.............. Disabled

FlexConnect Learn IP Address.................. Enabled

Client MFP.................................... Optional but inactive
(WPA2 not configured)

PMF........................................... Disabled

PMF Association Comeback Time................. 1

PMF SA Query RetryTimeout..................... 200

Tkip MIC Countermeasure Hold-down Timer....... 60

Eap-params.................................... Not Applicable

Flex Avc Profile Name............................ None

Flow Monitor Name................................ None

Split Tunnel Configuration

Split Tunnel................................. Disabled

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

802.11v Directed Multicast Service............... Disabled

802.11v BSS Max Idle Service..................... Enabled

802.11v BSS Transition Service................... Disabled

802.11v BSS Transition Disassoc Imminent......... Disabled

802.11v BSS Transition Disassoc Timer............ 200

802.11v BSS Transition OpRoam Disassoc Timer..... 40

DMS DB is empty

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Universal Ap Admin............................... Disabled

Mobility Anchor List

WLAN ID IP Address Status Priority

------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy

----------------

Priority Policy Name

-------- ---------------

WLAN Configuration

WLAN Identifier.................................. 2

Profile Name..................................... IP\_Dev All WPA/WPA2
PSK

Network Name (SSID).............................. IP\_Dev

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

Client Profiling Status

Radius Profiling ............................ Disabled

DHCP ....................................... Disabled

HTTP ....................................... Disabled

Local Profiling ............................. Disabled

DHCP ....................................... Disabled

HTTP ....................................... Disabled

Radius-NAC State............................... Disabled

SNMP-NAC State................................. Disabled

Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

ATF Policy....................................... 0

Number of Active Clients......................... 2

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

User Idle Timeout................................ Disabled

Sleep Client..................................... disable

Sleep Client Timeout............................. 720 minutes

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... none

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ ip\_dev

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

WLAN Layer2 ACL.................................. unconfigured

mDNS Status...................................... Disabled

mDNS Profile Name................................ unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Tunnel Profile................................... Unconfigured

Quality of Service............................... Silver

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... 802.1P (Tag=0)

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ Global Servers

Accounting.................................... Global Servers

Interim Update............................. Enabled

Interim Update Interval.................... 0

Framed IPv6 Acct AVP ...................... Prefix

Dynamic Interface............................. Disabled

Dynamic Interface Priority.................... wlan

Local EAP Authentication......................... Disabled

Radius NAI-Realm................................. Disabled

Mu-Mimo.......................................... Enabled

Security

802.11 Authentication:........................ Open System

FT Support.................................... Disabled

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Enabled

TKIP Cipher............................. Enabled

AES Cipher.............................. Enabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

OSEN IE.................................... Disabled

Auth Key Management

802.1x.................................. Disabled

PSK..................................... Enabled

CCKM.................................... Disabled

FT-1X(802.11r).......................... Disabled

FT-PSK(802.11r)......................... Disabled

PMF-1X(802.11w)......................... Disabled

PMF-PSK(802.11w)........................ Disabled

OSEN-1X................................. Disabled

FT Reassociation Timeout................... 20

FT Over-The-DS mode........................ Disabled

GTK Randomization.......................... Disabled

SKC Cache Support.......................... Disabled

CCKM TSF Tolerance......................... 1000

Wi-Fi Direct policy configured................ Disabled

EAP-Passthrough............................... Disabled

CKIP ......................................... Disabled

Web Based Authentication...................... Disabled

Web Authentication Timeout.................... 300

Web-Passthrough............................... Disabled

Mac-auth-server............................... 0.0.0.0

Web-portal-server............................. 0.0.0.0

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

FlexConnect Local Switching................... Disabled

FlexConnect Central Association............... Disabled

flexconnect Central Dhcp Flag................. Disabled

flexconnect nat-pat Flag...................... Disabled

flexconnect Dns Override Flag................. Disabled

flexconnect PPPoE pass-through................ Disabled

flexconnect local-switching IP-source-guar.... Disabled

FlexConnect Vlan based Central Switching ..... Disabled

FlexConnect Local Authentication.............. Disabled

FlexConnect Learn IP Address.................. Enabled

Client MFP.................................... Optional

PMF........................................... Disabled

PMF Association Comeback Time................. 1

PMF SA Query RetryTimeout..................... 200

Tkip MIC Countermeasure Hold-down Timer....... 60

Eap-params.................................... Disabled

Flex Avc Profile Name............................ None

Flow Monitor Name................................ None

Split Tunnel Configuration

Split Tunnel................................. Disabled

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

802.11v Directed Multicast Service............... Disabled

802.11v BSS Max Idle Service..................... Enabled

802.11v BSS Transition Service................... Disabled

802.11v BSS Transition Disassoc Imminent......... Disabled

802.11v BSS Transition Disassoc Timer............ 200

802.11v BSS Transition OpRoam Disassoc Timer..... 40

DMS DB is empty

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Universal Ap Admin............................... Disabled

Mobility Anchor List

WLAN ID IP Address Status Priority

------- --------------- ------ --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy

----------------

Priority Policy Name

-------- ---------------

Policy Configuration

L2ACL Configuration

ACL Configuration

CPU ACL Configuration

CPU Acl Name................................ NOT CONFIGURED

Wireless Traffic............................ Disabled

Wired Traffic............................... Disabled

RADIUS Configuration

Vendor Id Backward Compatibility................. Disabled

Call Station Id Case............................. lower

Accounting Call Station Id Type.................. Mac Address

Auth Call Station Id Type........................ AP's Radio MAC
Address:SSID

Extended Source Ports Support.................... Enabled

Aggressive Failover.............................. Enabled

Keywrap.......................................... Disabled

Fallback Test:

Test Mode.................................... Passive

Probe User Name.............................. cisco-probe

Interval (in seconds)........................ 300

MAC Delimiter for Authentication Messages........ hyphen

MAC Delimiter for Accounting Messages............ hyphen

RADIUS Authentication Framed-MTU................. 1300 Bytes

Authentication Servers

Idx Type Server Address Port State Tout MgmtTout RFC3576 IPSec -
AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region

--- ---- ---------------- ------ -------- ---- -------- -------
-------------------------------------------------------

Accounting Servers

Idx Type Server Address Port State Tout MgmtTout RFC3576 IPSec -
AuthMode/Phase1/Group/Lifetime/Auth/Encr/Region

--- ---- ---------------- ------ -------- ---- -------- -------
-------------------------------------------------------

TACACS Configuration

Fallback Test:

Interval (in seconds)........................ 0

Authentication Servers

Idx Server Address Port State Tout MgmtTout

--- ---------------------- ------ ------- ----- --------

Authorization Servers

Idx Server Address Port State Tout MgmtTout

--- ---------------------- ------ ------- ----- --------

Accounting Servers

Idx Server Address Port State Tout MgmtTout

--- ---------------------- ------ ------- ----- --------

LDAP Configuration

Local EAP Configuration

User credentials database search order:

Primary ..................................... Local DB

Timer:

Active timeout .............................. 300

Configured EAP profiles:

EAP Method configuration:

EAP-FAST:

Server key ................................ <hidden>

TTL for the PAC ........................... 10

Anonymous provision allowed ............... Yes

Authority ID ..............................
436973636f0000000000000000000000

Authority Information ..................... Cisco A-ID

Dns Configuration

Radius port......................................

Radius secret....................................

Dns url..........................................

Dns timeout......................................

Dns Serverip.....................................

Dns state........................................ Disable

Dns Auth Retransmit Timeout...................... 2

Dns Acct Retransmit Timeout...................... 2

Dns Auth Mgmt-Retransmit Timeout................. 2

Dns Network Auth................................. Enable

Dns Mgmt Auth.................................... Enable

Dns Network Acct................................. Enable

Dns RFC 3576 Auth................................ Disable

Tacacs port......................................

Tacacs secret.................................... 2

Dns url..........................................

Dns timeout......................................

Dns Serverip.....................................

Dns state........................................ Disable

Fallback Radio Shut configuration:

Fallback Radio Shut: Disabled

Arp-caching: Disabled

Subnet Broadcast Drop: Disabled

FlexConnect Group Summary

FlexConnect Group Summary: Count: 0

Group Name # Aps

FlexConnect Group Detail

FlexConnect Vlan name Summary

Vlan-Name Id Status

-------------------------------- -------

FlexConnect Vlan Name Detail

Route Info

Number of Routes................................. 0

Destination Network Netmask Gateway

------------------- ------------------- -------------------

Peer Route Info

Number of Routes................................. 32555

Destination Network Netmask Gateway

------------------- ------------------- -------------------

Qos Queue Length Info

Platinum queue length............................ 100

Gold queue length................................ 75

Silver queue length.............................. 50

Bronze queue length.............................. 25

Qos Profile Info

Description...................................... For Voice Applications

Maximum Priority................................. voice

Unicast Default Priority......................... voice

Multicast Default Priority....................... voice

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

protocol......................................... dot1p

dot1p............................................ 5

Description...................................... For Video Applications

Maximum Priority................................. video

Unicast Default Priority......................... video

Multicast Default Priority....................... video

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

protocol......................................... dot1p

dot1p............................................ 4

Description...................................... For Best Effort

Maximum Priority................................. besteffort

Unicast Default Priority......................... besteffort

Multicast Default Priority....................... besteffort

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

protocol......................................... dot1p

dot1p............................................ 0

Description...................................... For Background

Maximum Priority................................. background

Unicast Default Priority......................... background

Multicast Default Priority....................... background

Per-SSID Rate Limits............................. Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

Per-Client Rate Limits........................... Upstream Downstream

Average Data Rate................................ 0 0

Average Realtime Data Rate....................... 0 0

Burst Data Rate.................................. 0 0

Burst Realtime Data Rate......................... 0 0

protocol......................................... dot1p

dot1p............................................ 1

Mac Filter Info

Authorization List

Authorize MIC APs against Auth-list or AAA ...... disabled

Authorize LSC APs against Auth-List ............. disabled

APs Allowed to Join

AP with Manufacturing Installed Certificate.... yes

AP with Self-Signed Certificate................ no

AP with Locally Significant Certificate........ no

Load Balancing Info

Aggressive Load Balancing........................ per WLAN enabling

Aggressive Load Balancing Window................. 5 clients

Aggressive Load Balancing Denial Count........... 3

Aggressive Load Balancing Uplink Threshold....... 50

Statistics (client-count based)

Total Denied Count............................... 0 clients

Total Denial Sent................................ 0 messages

Exceeded Denial Max Limit Count.................. 0 times

None 5G Candidate Count.......................... 0 times

None 2.4G Candidate Count........................ 0 times

Statistics (uplink-usage based)

Total Denied Count............................... 0 clients

Total Denial Sent................................ 0 messages

Exceeded Denial Max Limit Count.................. 0 times

None 5G Candidate Count.......................... 0 times

None 2.4G Candidate Count........................ 0 times

DHCP Info

DHCP Opt-82 RID Format: <AP radio MAC address>

DHCP Opt-82 Format: binary

DHCP Proxy Behaviour: disabled

Exclusion List ConfigurationUnable to retrieve exclusion-list entry

CDP Configuration

cdp version v2

Country Channels Configuration

Configured Country............................. US - United States

KEY: \* = Channel is legal in this country and may be configured
manually.

A = Channel is the Auto-RF default in this country.

. = Channel is not legal in this country.

C = Channel has been configured for use by Auto-RF.

x = Channel is available to be configured for use by Auto-RF.

(-,-) = (indoor, outdoor) regulatory domain allowed by this country.

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-

802.11bg :

Channels : 1 1 1 1 1

: 1 2 3 4 5 6 7 8 9 0 1 2 3 4

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-

US (-A ,-AB ): A \* \* \* \* A \* \* \* \* A . . .

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

802.11a : 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Channels : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 4 5 5 6 6 6 7

: 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 4 9 3 7 1 5 9 3

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

US (-AB ,-AB ): . A . A . A . A A A A A A A A A A A A A A A A A A A A A
\* . .

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

4.9GHz 802.11a :

Channels : 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2

: 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

US (-AB ,-AB ): \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \* \*
A \* \* \* \* \* A

-----------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

WPS Configuration Summary

Auto-Immune

Auto-Immune.................................... Disabled

Auto-Immune by aWIPS Prevention................ Disabled

Client Exclusion Policy

Excessive 802.11-association failures.......... Enabled

Excessive 802.11-authentication failures....... Enabled

Excessive 802.1x-authentication................ Enabled

IP-theft....................................... Enabled

Excessive Web authentication failure........... Enabled

Maximum 802.1x-AAA failure attempts............ 3

Signature Policy

Signature Processing........................... Enabled

Management Frame Protection

Global Infrastructure MFP state................ DISABLED (\*all
infrastructure settings are overridden)

AP Impersonation detection..................... Disabled

Controller Time Source Valid................... False

WLAN Client

WLAN ID WLAN Name Status Protection

------- ------------------------- --------- ----------

1 IP\_Dev No Encryption Disabled Optional but inactive (WPA2 not
configured)

2 IP\_Dev All WPA/WPA2 PSK Enabled Optional

Custom Web Configuration

Radius Authentication Method..................... PAP

Cisco Logo....................................... Enabled

CustomLogo....................................... None

Custom Title..................................... None

Custom Message................................... None

Custom Redirect URL.............................. None

Web Authentication Type.......................... Internal Default

Logout-popup..................................... Enabled

External Web Authentication URL.................. None

Configuration Per Profile:

Core dump Configuration

Core Dump upload is disabled

Rogue AP Configuration

Rogue Detection Security Level................... custom

Rogue Pending Time............................... 180 secs

Rogue on wire Auto-Contain....................... Disabled

Rogue using our SSID Auto-Contain................ Disabled

Valid client on rogue AP Auto-Contain............ Disabled

Rogue AP timeout................................. 1200

Rogue Detection Report Interval.................. 10

Rogue Detection Min Rssi......................... -90

Rogue Detection Transient Interval............... 0

Rogue Detection Client Num Thershold............. 0

Validate rogue AP against AAA.................... Disabled

Rogue AP AAA validation interval................. 0 secs

Total Rogues(AP+Ad-hoc) supported................ 800

Total Rogues classified.......................... 41

MAC Address Classification # APs # Clients Last Heard

----------------- ------------------ ----- ---------
-----------------------

04:bd:88:b5:2f:40 Friendly 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b5:2f:45 Friendly 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b5:2f:50 Friendly 0 0 Not Heard

04:bd:88:b5:2f:55 Friendly 0 0 Not Heard

04:bd:88:b5:4e:e0 Friendly 0 0 Not Heard

04:bd:88:b5:4e:f0 Friendly 0 0 Not Heard

04:bd:88:b5:5a:20 Unclassified 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b5:5a:21 Unclassified 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b6:0d:60 Friendly 0 0 Not Heard

04:bd:88:b6:0d:70 Friendly 0 0 Not Heard

04:bd:88:b6:0d:75 Friendly 0 0 Not Heard

04:bd:88:b6:0e:e0 Friendly 0 0 Not Heard

04:bd:88:b6:0e:f0 Friendly 0 0 Not Heard

04:bd:88:b6:0e:f5 Friendly 0 0 Not Heard

04:bd:88:b6:10:00 Friendly 0 0 Not Heard

04:bd:88:b6:10:10 Friendly 0 0 Not Heard

04:bd:88:b6:10:15 Friendly 0 0 Not Heard

04:bd:88:b6:10:60 Friendly 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b6:10:65 Unclassified 2 0 Thu Aug 18 20:06:04 2016

04:bd:88:b6:10:70 Friendly 0 0 Not Heard

04:bd:88:b6:10:75 Friendly 0 0 Not Heard

04:bd:88:b6:10:b5 Friendly 0 0 Not Heard

62:6d:c7:27:a6:98 Unclassified 2 0 Thu Aug 18 20:06:04 2016

6c:72:20:3e:af:26 Friendly 0 0 Not Heard

6c:72:20:3e:af:28 Friendly 0 0 Not Heard

6c:72:20:3e:af:2a Friendly 0 0 Not Heard

88:dc:96:30:d9:1b Friendly 0 0 Not Heard

8a:dc:96:30:d9:1b Friendly 0 0 Not Heard

9a:dc:96:30:d9:1b Friendly 0 0 Not Heard

e0:d1:73:02:b7:ab Friendly 0 0 Not Heard

e0:d1:73:02:b7:af Friendly 0 0 Not Heard

e0:d1:73:02:bc:2b Friendly 0 0 Not Heard

e0:d1:73:02:bc:2f Friendly 0 0 Not Heard

e0:d1:73:02:f6:6b Friendly 0 0 Not Heard

e0:d1:73:02:f6:6f Friendly 0 0 Not Heard

e0:d1:73:02:f9:4b Friendly 0 0 Not Heard

e0:d1:73:02:f9:4f Friendly 0 0 Not Heard

e0:d1:73:02:fa:4b Friendly 0 0 Not Heard

e0:d1:73:02:fa:4f Friendly 0 0 Not Heard

e0:d1:73:02:ff:1b Friendly 0 0 Not Heard

e0:d1:73:02:ff:1f Friendly 0 0 Not Heard

Rogue AP RLDP Configuration

Rogue Location Discovery Protocol................ Disabled

RLDP Schedule Config............................. Disabled

RLDP Scheduling Operation........................ Disabled

RLDP Retry....................................... 1

RLDP Start Time RLDP End Time Day

--------------- ------------- ---

Rogue Auto Contain Configuration

Containment Level................................ 1

monitor\_ap\_only.................................. false

Adhoc Rogue Configuration

Detect and report Ad-Hoc Networks................ Enabled

Auto-Contain Ad-Hoc Networks..................... Disabled

Total Rogues(Ad-Hoc+AP) supported ............... 800

Total Ad-Hoc entries ............................ 0

Client MAC Address Adhoc BSSID State # APs Last Heard

------------------ ------------------ ----------------- ------
-----------------------

Rogue Client Configuration

Validate rogue clients against AAA............... Disabled

Validate rogue clients against MSE............... Disabled

Total Rogue Clients supported.................... 3000

Total Rogue Clients present...................... 0

MAC Address State # APs Last Heard

----------------- ------------------ ----- -----------------------

Ignore List Configuration

MAC Address

-----------------

Rogue Rule Configuration

Priority Rule Name Rule state Class Type Notify State Match Hit Count

-------- -------------------------------- ----------- -----------
-------- -------- ------ ---------

Media-Stream Configuration

Multicast-direct State........................... disable

Allowed WLANs....................................

Stream Name Start IP End IP Operation Status

------------- ---------------------------------------
--------------------------------------- ----------------

URL..............................................

E-mail...........................................

Phone............................................

Note.............................................

State............................................ disable

2.4G Band Media-Stream Configuration

Multicast-direct................................. Enabled

Best Effort...................................... Disabled

Video Re-Direct.................................. Enabled

Max Allowed Streams Per Radio.................... Auto

Max Allowed Streams Per Client................... Auto

Max Video Bandwidth.............................. 0

Max Voice Bandwidth.............................. 75

Max Media Bandwidth.............................. 85

Min PHY Rate..................................... 6000

Max Retry Percentage............................. 80

5G Band Media-Stream Configuration

Multicast-direct................................. Enabled

Best Effort...................................... Disabled

Video Re-Direct.................................. Enabled

Max Allowed Streams Per Radio.................... Auto

Max Allowed Streams Per Client................... Auto

Max Video Bandwidth.............................. 0

Max Voice Bandwidth.............................. 75

Max Media Bandwidth.............................. 85

Min PHY Rate..................................... 6000

Max Retry Percentage............................. 80

Number of Clients................................ 0

Client Mac Stream Name Stream Type Radio WLAN QoS Status

----------------- ----------- ----------- ---- ---- ------ -------

WLC Voice Call Statistics

WLC Voice Call Statistics for 802.11b Radio

WMM TSPEC CAC Call Stats

Total num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of exp bw requests received.......... 0

Total Num of exp bw requests Admitted.......... 0

Total Num of Calls Rejected.................... 0

Total Num of Roam Calls Rejected............... 0

Num of Calls Rejected due to insufficent bw.... 0

Num of Calls Rejected due to invalid params.... 0

Num of Calls Rejected due to PHY rate.......... 0

Num of Calls Rejected due to QoS policy........ 0

SIP CAC Call Stats

Total Num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of Preferred Calls Received.......... 0

Total Num of Preferred Calls Admitted.......... 0

Total Num of Ongoing Preferred Calls........... 0

Total Num of Calls Rejected(Insuff BW)......... 0

Total Num of Roam Calls Rejected(Insuff BW).... 0

KTS based CAC Call Stats

Total Num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of Calls Rejected(Insuff BW)......... 0

Total Num of Roam Calls Rejected(Insuff BW).... 0

WLC Voice Call Statistics for 802.11a Radio

WMM TSPEC CAC Call Stats

Total num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of exp bw requests received.......... 0

Total Num of exp bw requests Admitted.......... 0

Total Num of Calls Rejected.................... 0

Total Num of Roam Calls Rejected............... 0

Num of Calls Rejected due to insufficent bw.... 0

Num of Calls Rejected due to invalid params.... 0

Num of Calls Rejected due to PHY rate.......... 0

Num of Calls Rejected due to QoS policy........ 0

SIP CAC Call Stats

Total Num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of Preferred Calls Received.......... 0

Total Num of Preferred Calls Admitted.......... 0

Total Num of Ongoing Preferred Calls........... 0

Total Num of Calls Rejected(Insuff BW)......... 0

Total Num of Roam Calls Rejected(Insuff BW).... 0

KTS based CAC Call Stats

Total Num of Calls in progress................. 0

Num of Roam Calls in progress.................. 0

Total Num of Calls Admitted.................... 0

Total Num of Roam Calls Admitted............... 0

Total Num of Calls Rejected(Insuff BW)......... 0

Total Num of Roam Calls Rejected(Insuff BW).... 0

WLC IPv6 Summary

Global Config............................... Enabled

Reachable-lifetime value.................... 300

Stale-lifetime value........................ 86400

Down-lifetime value......................... 30

RA Throttling............................... Disabled

RA Throttling allow at-least................ 1

RA Throttling allow at-most................. 1

RA Throttling max-through................... 10

RA Throttling throttle-period............... 600

RA Throttling interval-option............... passthrough

NS Mulitcast CacheMiss Forwarding........... Disabled

NA Mulitcast Forwarding..................... Enabled

IPv6 Capwap UDP Lite........................ Enabled

Operating System IPv6 state................. Enabled

mDNS Service Summary

Number of Services.............................. 10

Mobility learning status ........................ Enabled

Service-Name LSS Origin No SP Service-string

-------------------------------- ---- ---------- ----- ---------------

AirTunes No All 0 \_raop.\_tcp.local.

Airplay No All 0 \_airplay.\_tcp.local.

Googlecast No All 0 \_googlecast.\_tcp.local.

HP\_Photosmart\_Printer\_1 No All 0 \_universal.\_sub.\_ipp.\_tcp.local.

HP\_Photosmart\_Printer\_2 No All 0 \_cups.\_sub.\_ipp.\_tcp.local.

HomeSharing No All 0 \_home-sharing.\_tcp.local.

Printer-IPP No All 0 \_ipp.\_tcp.local.

Printer-IPPS No All 0 \_ipps.\_tcp.local.

Printer-LPD No All 0 \_printer.\_tcp.local.

Printer-SOCKET No All 0 \_pdl-datastream.\_tcp.local.

\* -> If access policy is enabled LSS will be ignored.

mDNS service-group Summary

Access Policy Status............................ Disabled

Total number of mDNS Policies.................... 1

Number of Admin configured Policies.............. 1

Sl No Service Group Name Description Origin

----- -------------------------------
------------------------------------- ----------

1 default-mdns-policy Default Access Policy created by WLC WLC

mDNS profile detailed

Profile Name..................................... default-mdns-profile

Profile Id....................................... 1

No of Services................................... 10

Services......................................... AirTunes

Airplay

Googlecast

HP\_Photosmart\_Printer\_1

HP\_Photosmart\_Printer\_2

HomeSharing

Printer-IPP

Printer-IPPS

Printer-LPD

Printer-SOCKET

No. Interfaces Attached.......................... 0

No. Interface Groups Attached.................... 0

No. Wlans........................................ 0

No. Local Policies Attached...................... 0

mDNS AP Summary

Number of mDNS APs............................. 0

PMIPv6 Global Configuration

PMIPv6 Profile Summary

No Profile Created.

PMIPv6 MAG Statistics

PMIPv6 domain has to be configured first

EoGRE Global Configuration

Heartbeat Interval...............60

Max Heartbeat Skip Count.........3

Interface........................management

EoGRE Gateway Configuration

EoGRE Domain Configuration

Domain Name Gateways Active Gateway

-------------- ----------------- --------------------

EoGRE Profile Configuration

WLAN Express Setup Information.

WLAN Express Setup - ............................ False

Flex Avc Profile summary.

Profile-Name Number of Rules status

============ =============== ========

Flex Avc Profile Detailed Configuration.

Certificate Summary.

Web Administration Certificate................... 3rd Party

Web Authentication Certificate................... Locally Generated

Certificate compatibility mode:.................. off

Lifetime Check Ignore for MIC ................... Disable

Lifetime Check Ignore for SSC ................... Disable

Smart-licensing status Summary.

Call-home Summary.

Hotspot Icon Summary.

Unable to find Icon directory in flash.

Coredump Summary

Core Dump upload is disabled

Memory Summary

-------------------------- System Memory Summary
-------------------------

System Name:wlc Primary SW Ver:8.2.111.0

Current Time:Thu Aug 18 20:06:33 2016 System UP Time:6 days 3 hrs 49
mins 39 secs

NAME: "Chassis" , DESCR: "Cisco Wireless Controller"

PID: AIR-CTVM-K9, VID: V01, SN: 96NTPERK0A6

Total System Memory.............................. (2057560 KB) 2009 MB

Total System Free Memory......................... (909360 KB) 888 MB (44
%)

Total Memory in Buffers.......................... (1104 KB)

Total Memory in Cache............................ (266564 KB) 260 MB

Total Active Memory.............................. (511540 KB) 499 MB

Total InActive Memory............................ (238112 KB) 232 MB

Total Memory in Anon Pages....................... (481984 KB) 470 MB

Total Memory in Slab............................. (11004 KB) 10 MB

Total Memory in Page Tables...................... (2748 KB) 2 MB

WLC Peak Memory.................................. (1402280 KB) 1369 MB

WLC Virtual Memory Size.......................... (1383912 KB) 1351 MB

WLC Resident Memory.............................. (506340 KB) 494 MB

WLC Data Segment Memory.......................... (1318240 KB) 1287 MB

Total Heap Including Mapped Pages................ (399115 KB) 389 MB

Total Memory in Pmalloc Pools.................... (350174 KB) 341 MB

Total Used Memory in Pmalloc Pools............... (324913 KB) 317 MB

Total Free Memory in Pmalloc Pools............... (16706 KB) 16 MB

------------------------- Pmalloc Pools Information --------------------

Index Pool-Size Chunks-In-Pool Chunks-In-Use Memory(Size/Used/Free)KB

0 16 50000 5351 5468 /4771 /697

1 64 40000 16626 6250 /4789 /1460

2 128 52800 52677 11550 /11534 /15

3 256 9400 9377 3231 /3225 /5

4 384 6000 287 2812 /670 /2142

5 512 16000 15 9500 /1507 /7992

6 1024 13100 12985 14328 /14213 /115

7 2048 1000 712 2093 /1517 /576

8 4096 1000 74 4093 /389 /3704

9 Raw-Pool 0 524 290800 /290800 /0

------------------------- MBUF Information ----------------------------

Maximum number of Mbufs.......................... 24576

Number of Mbufs Free............................. 24560

Number of Mbufs In Use........................... 16

Mesh Configuration

Mesh Range....................................... 12000

Mesh Statistics update period.................... 3 minutes

Backhaul with client access status............... disabled

Backhaul with extended client access status...... disabled

Background Scanning State........................ disabled

Subset Channel Sync State........................ disabled

Backhaul Amsdu State............................. enabled

Backhaul RRM..................................... disabled

Mesh Auto RF..................................... disabled

Mesh Security

Security Mode................................. EAP

External-Auth................................. disabled

Use MAC Filter in External AAA server......... disabled

Force External Authentication................. disabled

LSC Only MAP Authentication................... disabled

Mesh Alarm Criteria

Max Hop Count................................. 4

Recommended Max Children for MAP.............. 10

Recommended Max Children for RAP.............. 20

Low Link SNR.................................. 12

High Link SNR................................. 60

Max Association Number........................ 10

Association Interval.......................... 60 minutes

Parent Change Numbers......................... 3

Parent Change Interval........................ 60 minutes

Mesh Multicast Mode.............................. In-Out

Mesh CAC Mode.................................... enabled

Mesh Full Sector DFS............................. enabled

Mesh Ethernet Bridging VLAN Transparent Mode..... enabled

Mesh DCA channels for serial backhaul APs........ disabled

Outdoor Ext. UNII B Domain channels(for BH)...... disabled

Mesh Advanced LSC................................ disabled

Advanced LSC AP Provisioning .................... disabled

Open Window.................................... disabled

Provision Controller........................... disabled

Mesh Slot Bias................................... enabled

Mesh Convergence Method.......................... standard

Mesh Channel Change Notification................. disabled

Mesh Ethernet Bridging STP BPDU Allowed.......... disabled

Mesh RAP downlink backhaul....................... 802.11Radio-A (Slot 1)

Appendix B Sample Pump Configuration Parameters

B.1 Example of Pump Configuration File

SN=2011304

# Pump serial number - must match SN of receiving pump

# SIGMA Spectrum Settings

[NETWORK CONFIGURATION]

# DHCP=0 DHCP disabled - IP, GATEWAY, NETMASK, and DNS must be valid

# DHCP=1 DHCP enabled - IP, GATEWAY, NETMASK, and DNS must be blank

DHCP=1

IP=

GATEWAY=

NETMASK=

DNS=

# Leave either SIGMAGW or MULTICAST blank

# SIGMAGW set to DNS name or IP address of SIGMA gateway server

SIGMAGW=192.168.140.165

# MULTICAST group default is 239.237.12.87

MULTICAST=

# DEVICEID set to device alias

# Limited to 20 alpha-numeric characters (0-1,A-Z,a-z), blank is
acceptable

DEVICEID=000345

[WIFI CONFIGURATION]

# BSS=0 Infrastructure mode (Access point)

# BSS=1 Join or Create Ad-Hoc (peer-to-peer)

# BSS=2 Join only Ad-Hoc (peer-to-peer)

# BSS=3 Join any

BSS=0

# SSID= set to wireless network name

SSID=IP\_Dev\_Cert

# 802.11 Mode - 'b', 'g', and/or 'a'

802.11b=1

802.11g=1

802.11a=1

# CHANNEL=0 search channels

CHANNEL=0

# SECURITY=0 Any available security method

# SECURITY=1 Open system (no-encryption)

# SECURITY=2 WEP shared key

# SECURITY=3 WPA pre-shared key

# SECURITY=4 WPA with 802.1x authentication

# SECURITY=5 WEP with 802.1x authentication

# SECURITY=6 LEAP

# SECURITY=7 EAP-FAST

SECURITY=4

# WEPKEYINDEX=0-3

WEPKEYINDEX=0

# WEPKEY may be blank or 10 (64-bit) or 26 (128-bit) hex (0-1 and a-f)

characters long

WEPKEY=

# WPAENCRYPTION=0 Any

# WPAENCRYPTION=1 WEP

# WPAENCRYPTION=2 TKIP

# WPAENCRYPTION=3 CCMP (AES)

# WPAENCRYPTION=4 Open (no encryption)

WPAENCRYPTION=3

# WPAPSK must be blank if WPA PSK is not used

# WPAPSK may 64 hex (0-1 and a-f) characters long to specify a PSK

# WPAPSK may be 8-63 ascii characters long to specify a passphrase

WPAPSK=

# 802.1X/EAP Authentication method

# Set one, or more, authentication methods to 1 to enable them, all
others

should be 0

LEAP=0

PEAP/MSCHAPv2=0

EAP-TLS=1

EAP-FAST=0

# IDENTITY= 802.1X Identity (username)

IDENTITY=BaxterCert

# PASSWORD= 802.1X Password

PASSWORD=

# Certificate information follows, required for authentication modes
that use a

certificate.

# All certificates and private keys must be PEM format (base64 encoded).

# Client certificate, both cert and private key are required.

# Certificate and key information is not output for security reasons.

# Certificate information is radio specific, so the MAC address of the
Wireless

Battery Module

# of the attached, or soon to be attached module must match.

# If the certs or keys required a password, it should be specified in
the 802.1x

PASSWORD field above.

# The MAC address specified below must match the module connected to the
pump.

MAC=00:40:9d:66:db:45

CLIENTCERT=

-----BEGIN RSA PRIVATE KEY-----

MIIEowIBAAKCAQEAuhKvGS9womnF7tmM1IOWuzbvMct7u+TDYtoQSNEitAYe5Bjr

XR+tQOT/2b08nJUjVNl91/+3t2i9qUDDU58DTKKir9dmR5ridHlaIyhts8fB7h2a

rZ74YK+4/A1C2mNpmwqwDQlwWhJzJgSe5XeZF0ALTdS3LEggwpuPb6Eo2Wbnqwr0

/tbsRvaeEjwcIGOwmuy1v8TkrbSKeFt9I4B54Pcl3KsxbnnUjH7JIV9h/0nyrOKi

z2P+3maogCnOwxRQp79j/IgCS3JbUBMG14gKnxorJgLuBovqpsWIYO6k/qohIpyg

Vevc0UUj8XiyEun1ldT1SCXYke/I9jauLBB6OQIDAQABAoIBAHjnmw7qXG2r/Qju

IywTNOYBE/tvFL9KLgsVVm96NOp0762W45hm9NSt9/ErnS7BWWvQxoyLhHyQemx3

wHOdZy9snflUJQlyAqNcFs2xf1bJ/aETa2ZVXV61z6U3mLD+16f+kdZmw7JDOr8B

UZ4Y0EjjPHUeOsdzNpY9Lj6CoWBg+V3+TEo3WCqHsqHN8yoVKP30Xnfb1JMgRLf/

infhI6Qg6QKBM++vWQjlUYuM4hbQtQ6HmwWv2epu8YHFdmm3jTSrv+W8lBbY2N5D

N9tZsdUJ54NHiVZTjVmAXCxSpBp3+yTOMRpnzgW0v8MLMhFanjIC5QypG712HIQx

gk7LZGECgYEA4vB26UpZNxsOlgzcEQP8fQ82Dk5xNjb9e7qDSD85LUppR6F4xwNs

QPyFVYRemb+pQyIwn1X2SNAdRvsDwSsFVTV9ENi1PzlHbOfaBWE9/VNMaz8vCjfr

teC3So6bIWllHNeoOl8d1wrTOtGZFENH/H4DoOBC7U0aoYjvtnYBplMCgYEA0eaJ

mITPESmZRZI8kaCb/TrWLTZmH2SOCPgC/qVmJ2FiQ8iT3KJXJ5d8ophY84Kay4le

axVUUgIdKNyvNrf038Rx0DirN+qznSKPJuMdY+tnCxaXBjTj/tSwkeiNamZOXHeH

boVlReX6ONDvT+u9MkvMxDmhwBb9G4izw26a88MCgYAhqyFJLTGdPlNkqZXApIHC

IA6aAsNDEtd6kspFXrPh50dFTEx54iUeYxh4/oF2d/vprNnf2cYHOXEOhdEhyHsr

EBt082G4dowFOUScRbgHrGMLCj21W2SKAEPROOUFCPjqVYhs2I25yK5b7Jq0aeL1

L9Dj/kGPqT/JNWKzBEDsZwKBgQDFNt5BN0d20Kb5/xR5n3Xwz788a8g35rqtIplt

uOnqRk2Vcne67a0FvgeUnZ+17BiU9FSKOFgpVWMgaXkW6HBjbqehBB2bRCHOmhH2

b53Fq//9IxRy+G7fl+busJluRwGJT6Un6p3kttgLWgQAC3aQMzgJhjy7xt25aQ+9

p8ZfEQKBgB6jQAT31FxvPFHyjU4NdFeogJd2c2nFbkC7aqOEPKNG9Nbzn/VVWh7x

Rx7Axua3D2OYrCH7V1NcR9X1dInpyj/hYXc5/VdtLZ2yhEc2GiG/jfgNWk2W2BZd

2NLf54bgV67lkC2yKMK/5wBru+V73WmqvWfQ4KsMesLLBBzMRvJa

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIFWzCCBEOgAwIBAgIQAr0FxoUrLR0mLxVp3m/RJzANBgkqhkiG9w0BAQsFADBx

MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3

d3cuZGlnaWNlcnQuY29tMTAwLgYDVQQDEydEaWdpQ2VydCBUZXN0IEludGVybWVk

aWF0ZSBSb290IENBIFNIQTIwHhcNMTcwMzE1MDAwMDAwWhcNMTgwMzE1MTIwMDAw

WjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRIwEAYDVQQHEwlSb2Nrdmls

bGUxNzA1BgNVBAoTLk5hdGlvbmFsIEluc3RpdHV0ZSBvZiBTdGFuZGFyZHMgYW5k

IFRlY2hub2xvZ3kxDjAMBgNVBAsTBU5DQ29FMQ8wDQYDVQQDEwZCYXh0ZXIwggEi

MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6Eq8ZL3CiacXu2YzUg5a7Nu8x

y3u75MNi2hBI0SK0Bh7kGOtdH61A5P/ZvTyclSNU2X3X/7e3aL2pQMNTnwNMoqKv

12ZHmuJ0eVojKG2zx8HuHZqtnvhgr7j8DULaY2mbCrANCXBaEnMmBJ7ld5kXQAtN

1LcsSCDCm49voSjZZuerCvT+1uxG9p4SPBwgY7Ca7LW/xOSttIp4W30jgHng9yXc

qzFuedSMfskhX2H/SfKs4qLPY/7eZqiAKc7DFFCnv2P8iAJLcltQEwbXiAqfGism

Au4Gi+qmxYhg7qT+qiEinKBV69zRRSPxeLIS6fWV1PVIJdiR78j2Nq4sEHo5AgMB

AAGjggHVMIIB0TAfBgNVHSMEGDAWgBSJVf2JvOIQPPttTh8w+fmCi1xh4jAdBgNV

HQ4EFgQU3PsIuQqjWZ2eFYrcKNhdYi7Rf1owEQYDVR0RBAowCIIGQmF4dGVyMA4G

A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZUG

A1UdHwSBjTCBijBDoEGgP4Y9aHR0cDovL2NybDN0ZXN0LmRpZ2ljZXJ0LmNvbS9E

aWdpQ2VydFRlc3RJbnRlcm1lZGlhdGVTSEEyLmNybDBDoEGgP4Y9aHR0cDovL2Ny

bDN0ZXN0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRlc3RJbnRlcm1lZGlhdGVTSEEy

LmNybDAhBgNVHSAEGjAYMAwGCmCGSAGG/WxjAQEwCAYGZ4EMAQICMIGDBggrBgEF

BQcBAQR3MHUwKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwdGVzdC5kaWdpY2VydC5j

b20wSQYIKwYBBQUHMAKGPWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp

Q2VydFRlc3RJbnRlcm1lZGlhdGUtU0hBMi5jcnQwDAYDVR0TAQH/BAIwADANBgkq

hkiG9w0BAQsFAAOCAQEAe7Rc6PbIfEjSQpCZ3UpZ7zqWruov44nmSKvR/X4MJITM

z9k3S+TzGOGYnq7bHBF1mjLt0l5K/BDWSG6LY5clSYJuGCbC/dSNFk9G+lzBKs5S

5xJxk8HeAt4OHOWmtEhZ7S4np7zUBcRu1koHbw4vW/lYJBvxRF1Sdd0ypyBP4X81

D2mX+LmFo2rlLSExurr5rd1s6Pna2FRBEjoyM78ID9AmKENqeioDi+hxGLlQROOt

y7aZU8yWcec7nad9iUGO/pMDdhbWexpvp4CBihxYkUMQcf8RaqTkJM8fLAdvPq9P

oQuBuMi+qPtI3WkTgfwr49usBzgbrdNPc/5MRQEz8Q==

-----END CERTIFICATE-----

# Client certificate expiration date, GMT in the format: MM/DD/YYYY
HH:MM:SS.

CLIENTCERTEXPIRE=

# Trusted certificates, maximum of 5.

TRUSTEDCERTS=

-----BEGIN CERTIFICATE-----

MIIGSTCCBTGgAwIBAgIEM6qqqjANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV

UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu

Y29tMSMwIQYDVQQDExpEaWdpQ2VydCBUZXN0IFJvb3QgQ0EgU0hBMjAeFw0wNjEx

MTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMHExCzAJBgNVBAYTAlVTMRUwEwYDVQQK

EwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xMDAuBgNV

BAMTJ0RpZ2lDZXJ0IFRlc3QgSW50ZXJtZWRpYXRlIFJvb3QgQ0EgU0hBMjCCASIw

DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJiahU+gQ8Brmcov1LwvynLKgxMc

buqjeyYeiDEUXtTEJKoPm1Pc5YE39fBY1ydwaBJ6k3LbLZM+zqw2pCXwaf4LBhLv

t4ppHMfXlgI2IVpWibSYVcvJ4waD09AQ47u/SQhDHSVf17HRUIs1tIw+MMpMyGH0

9YzgI/ZI5KTWBY+nlnz9t1/RpPdcJfAWin3T/s7xNu364OFDURX+3Rxb7bVnV1xI

GZUwQx23GGcSnypsflr1rBc2yvXaUnwl4DbQMUo10tdZtd1wZNQE3C1L3MXndvn0

WdFB4cM6kQlSky0RFW+TJqQIMmb29n09P/ez7Ipo0cpV3vlBAC0DWm2z/FMCAwEA

AaOCAvQwggLwMA4GA1UdDwEB/wQEAwIBhjCCAcYGA1UdIASCAb0wggG5MIIBtQYL

YIZIAYb9bAEDAAIwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0

LmNvbS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIB

UgBBAG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkA

YwBhAHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEA

bgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMA

UABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkA

IABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwA

aQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8A

cgBhAHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMA

ZQAuMA8GA1UdEwEB/wQFMAMBAf8wOAYIKwYBBQUHAQEELDAqMCgGCCsGAQUFBzAB

hhxodHRwOi8vb2NzcHRlc3QuZGlnaWNlcnQuY29tMIGIBgNVHR8EgYAwfjA9oDug

OYY3aHR0cDovL2NybDN0ZXN0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRlc3RSb290

Q0FTSEEyLmNybDA9oDugOYY3aHR0cDovL2NybDR0ZXN0LmRpZ2ljZXJ0LmNvbS9E

aWdpQ2VydFRlc3RSb290Q0FTSEEyLmNybDAdBgNVHQ4EFgQUiVX9ibziEDz7bU4f

MPn5gotcYeIwHwYDVR0jBBgwFoAU9kZ+Gxa7N5lj9z/YhSzkyepYDx4wDQYJKoZI

hvcNAQELBQADggEBALFxPxkcHgaXBuoZ10FGWsq3bybGnxC6llfDETcWVrPajudx

asm8EXOTSVnqKNIXZTlm1BY0chhnVGA3YyNN7XF7XrT1HtRH5NDhWO2lzFEGSFLw

hlCiGQBuzKOelbBWDhpN7icm+Y/u+DPaK6oFu0tX/u9kPzoc8OYSBe412sHAD1/l

kUDPAEO4yHSXDnoe0fhk24/yCuO6Wc+mMe7YXzEkq8pOEWjNw/9E1dsP20L7jD3F

97q5uVNe1wEaeE3U5Eq1xKUBdyQqitinpTv/yo/UPTDLpfjBmK2nh2HK6r0RH+YC

OicqQ99N+q6YeAlhejLa7+7FkKYKK1YEAbE1Icc=

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIDpjCCAo6gAwIBAgIBMzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzEV

MBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29t

MSMwIQYDVQQDExpEaWdpQ2VydCBUZXN0IFJvb3QgQ0EgU0hBMjAeFw0wNjExMTAw

MDAwMDBaFw0zMTExMTAwMDAwMDBaMGQxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxE

aWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xIzAhBgNVBAMT

GkRpZ2lDZXJ0IFRlc3QgUm9vdCBDQSBTSEEyMIIBIjANBgkqhkiG9w0BAQEFAAOC

AQ8AMIIBCgKCAQEA0DLGgpMXqI2YZ15ULS61yqyqiBMpmRtM9/w/1pqoA/GEri19

VMFuvtPTWgu9IQf0dQsRMy2d8V4INSj43YyQeXnxPzanTSqza95yoH/h4xUM/pNq

AlXlO8c+cYMyCDzTQ0vrEWcvPZOtXYABac9E9ceT015RdD5pORjMwTcb6NxydZr8

nRd9/J66L4R17IKvTU74IwA6fwNd0UnXbhVhGdeEAe+eIEvJ5WlWxDeS6ZdZuSZv

h24QxhxpucTzSq81HHCHw4a1kOel2oqlDlUY698atS0nxfw3IR30heQ/g793Mce9

SX9u2dPPAZtSaW8/38TwKbNOa9zkRFn7oF+cZQIDAQABo2MwYTAOBgNVHQ8BAf8E

BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU9kZ+Gxa7N5lj9z/YhSzk

yepYDx4wHwYDVR0jBBgwFoAU9kZ+Gxa7N5lj9z/YhSzkyepYDx4wDQYJKoZIhvcN

AQELBQADggEBAAeQacFm1sFPOIEvXDVi3IH2RKF7he0p/M0bK2Soj137LMf+ctpM

3bFKJPY97YIE0g7T1qgR8TN2sK0moumMTPjWCdFWJyN4yakS6tPIWEG2XobJ9H1r

iuVXLKd2M/1yhqUyt1o5KtbOGQXLFd3qdp4A1tcXuK2wyMTiSCYS3Uow61JdEw6M

eyrMIpZl9GtvaXTz6LdnozAbhKC7bVUy7ob0T4E03fQ8hIQCNPupvY7Db1/XmIw8

QWVd6AOH7EE3P8xbWOvcTWZ5XbstWY014GeJFXZ7YreaAg8sYa6CzasuHkr/rxeZ

8yzOmCTTTSPk5Ju5bTfAyEpgkl5fDvntJQg=

-----END CERTIFICATE-----

Appendix C References

[1]J. Moy, OSPF Version 2, Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 2328, April 1998. https://www.ietf.org/rfc/rfc2328.txt [accessed 4/20/2017]
[2]Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide, 9.6 [Web site], http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asav/quick-start/asav-quick/intro-asav.html [accessed 4/20/17]
[3]Bider and M. Baushke SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol Internet Engineering Task Force (IETF) Request for Comments (RFC) 6668, July 2012. https://tools.ietf.org/html/rfc6668 [accessed 4/20/2017]
[4]J. Postel Internet Control Message Protocol DARPA Internet Program Protocol Specification, Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 792, September 1981. https://tools.ietf.org/html/rfc792 [accessed 4/20/2017]
[5]J. Case, M. Fedor, M. Schoffstall, and J. Davin A Simple Network Management Protocol (SNMP) Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 1157, May 1990. https://tools.ietf.org/html/rfc1157 [accessed 4/20/2017]
[6]R. Droms Dynamic Host Configuration Protocol Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 2131, March 1997. https://www.ietf.org/rfc/rfc2131.txt [accessed 4/20/2017]
[7]Institute of Electrical and Electronics Engineers (IEEE), 802.1Q-2014 - Bridges and Bridged Networks, December 2014 http://www.ieee802.org/1/pages/802.1Q-2014.html [accessed 4/20/2017]
[8]Institute of Electrical and Electronics Engineers (IEEE), 802.11i-2004 Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements. http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1318903
[9]D. Mills, J. Martin, Ed, J. Burbank, and W. Kasch Network Time Protocol Version 4: Protocol and Algorithms Specification Internet Engineering Task Force (IETF) Request for Comments (RFC) 5905, June 2010. https://www.ietf.org/rfc/rfc5905.txt [accessed 4/20/2017]
[10]U.S. Department of Commerce. Announcing the Advanced Encryption Standard (AES) Federal Information Processing Standards (FIPS) Publication 197, November 2001. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf [accessed 4/20/2017]
[11]D. Simon, B. Aboba, and R. Hurst The EAP-TLS Authentication Protocol Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 5016, March 2008. https://www.ietf.org/rfc/rfc5216.txt [accessed 4/20/2017]
[12]C. Rigney, S. Willens, A. Rubens, and W. Simpson Remote Authentication Dial In User Service (RADIUS) Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 2865, June 2000. https://tools.ietf.org/html/rfc2865 [accessed 4/20/2017]
[13]S. Santesson, M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP Internet Engineering Task Force (IETF) Request for Comments (RFC) 6960, June 2013. https://tools.ietf.org/html/rfc6960 [accessed 4/20/2017]