Tuesday, November 10, 2015

Universal Power Over Ethernet


UPOE Architecture
As defined in IEEE 802.3af and IEEE 802.3at, PoE delivers electrical power over two of the four twisted pairs in Class D (also known as Cat5e) or better cabling, as specified in ISO/IEC 11801:1995. The PSE uses only the signal pairs (pairs 1,2 and 3,6) to transport power to the PD and leaves the spare pairs (pairs 4,5 and 7,8) idle. This architecture can deliver up to 30W per port (refer to Figure 5).
Figure 5. PoE and PoE+ Architecture
UPOE uses the same cabling standard as PoE. Instead of delivering power over two twisted pairs, it can source up to 60W by using all four pairs of standard Ethernet cabling (Cat5e or better).
The architecture for a 4-pair system is a straightforward extension of the 2-pair design. The 2-pair system uses one PSE controller to power the PD through the signal pairs of the cable. In the 4-pair system, two PSE controllers are used to power both the signal pairs and the spare pairs. Figure 6 shows the UPOE architecture.
Figure 6. UPOE Architecture
Table 1 summarizes the primary comparison between PoE, PoE Plus, and UPOE.
Table 1. PoE/PoE Plus/UPOE comparison

|                            | PoE     | PoE Plus | UPOE              |
|----------------------------|---------|----------|-------------------|
| Minimum cable type         | Cat5e   | Cat5e    | Cat5e             |
| IEEE standard definition   | 802.3af | 802.3at  | Cisco proprietary |
| Maximum power per PSE port | 15.4W   | 30W      | 60W               |
| Maximum power to PD        | 12.95W  | 25.5W    | 51W               |
| Twisted pairs used         | 2-pair  | 2-pair   | 4-pair            |

UPOE Operation
This section describes the UPOE operation steps to detect, classify, and negotiate power and subsequently power up the PD.
PD Detection and Classification
The hardware detection and classification mechanism for UPOE follows the IEEE 802.3 standard. The PSE and the PD use a set of physical layer mechanisms to detect the connection of the endpoint and subsequently classify the endpoints into different categories that map to different levels of power requirements. Table 3 lists the PoE classes.
Table 3. PoE Classes

| Class | Usage of class      | Minimum power output at the PSE | Maximum power at the powered device | Class description            |
|-------|---------------------|---------------------------------|-------------------------------------|------------------------------|
| 0     | Default             | 15.4W                           | 0.44 to 12.95W                      | Classification unimplemented |
| 1     | Optional            | 4.0W                            | 0.44 to 3.84W                       | Very Low Power               |
| 2     | Optional            | 7.0W                            | 3.84 to 6.49W                       | Low Power                    |
| 3     | Optional            | 15.4W                           | 6.49 to 12.95W                      | Mid Power                    |
| 4     | Reserved in 802.3af | Treat as Class 0                |                                     |                              |
| 4     | 802.3at             | 30W                             | 12.95W to 25.5W                     | High Power                   |
At power-on, a UPOE device is treated as a PoE device and allocated 15.4W as the default power. After power-on the PSE and PD go through a power negotiation phase to determine exactly how much power will be provisioned from the PSE to the PD.


Friday, October 16, 2015

Proxy ARP

This document explains the concept of proxy Address Resolution Protocol (ARP). Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway. Proxy ARP is defined in RFC 1027.



How Does Proxy ARP Work?

This is an example of how proxy ARP works:

Network Diagram

Host A (172.16.10.100) on Subnet A needs to send packets to Host D (172.16.20.200) on Subnet B. As shown in the diagram, Host A has a /16 subnet mask, which means Host A believes it is directly connected to all of network 172.16.0.0. When Host A needs to communicate with a device it believes is directly connected, it sends an ARP request for that destination. Therefore, when Host A needs to send a packet to Host D, it believes Host D is directly connected and sends an ARP request for Host D.
In order to reach Host D (172.16.20.200), Host A needs the MAC address of Host D.
Therefore, Host A broadcasts an ARP request on Subnet A, as shown:
| Sender's MAC Address | Sender's IP Address | Target MAC Address | Target IP Address |
|----------------------|---------------------|--------------------|-------------------|
| 00-00-0c-94-36-aa    | 172.16.10.100       | 00-00-00-00-00-00  | 172.16.20.200     |
In this ARP request, Host A (172.16.10.100) asks Host D (172.16.20.200) to send its MAC address. The ARP request packet is encapsulated in an Ethernet frame with the MAC address of Host A as the source address and the broadcast address (FFFF.FFFF.FFFF) as the destination address. Since the ARP request is a broadcast, it reaches all the nodes on Subnet A, including the e0 interface of the router, but it does not reach Host D, because routers, by default, do not forward broadcasts.
Since the router knows that the target address (172.16.20.200) is on another subnet and can reach Host D, it replies with its own MAC address to Host A.
| Sender's MAC Address | Sender's IP Address | Target MAC Address | Target IP Address |
|----------------------|---------------------|--------------------|-------------------|
| 00-00-0c-94-36-ab    | 172.16.20.200       | 00-00-0c-94-36-aa  | 172.16.10.100     |
This is the proxy ARP reply that the router sends to Host A. The proxy ARP reply packet is encapsulated in an Ethernet frame with the MAC address of the router as the source address and the MAC address of Host A as the destination address. ARP replies are always unicast to the original requester.
Upon receipt of this ARP reply, Host A updates its ARP table, as shown:
| IP Address    | MAC Address       |
|---------------|-------------------|
| 172.16.20.200 | 00-00-0c-94-36-ab |
From now on, Host A forwards all the packets that it wants to reach 172.16.20.200 (Host D) to the MAC address 00-00-0c-94-36-ab (router). Since the router knows how to reach Host D, the router forwards the packet to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router. The router forwards those packets to the hosts in Subnet B.
The ARP cache of Host A is shown in this table:
| IP Address    | MAC Address       |
|---------------|-------------------|
| 172.16.20.200 | 00-00-0c-94-36-ab |
| 172.16.20.100 | 00-00-0c-94-36-ab |
| 172.16.10.99  | 00-00-0c-94-36-ab |
| 172.16.10.200 | 00-00-0c-94-36-bb |
Note: Multiple IP addresses are mapped to a single MAC address, the MAC address of this router, which indicates that proxy ARP is in use.
The interface of the Cisco router must be configured to accept and respond to proxy ARP; this is enabled by default. The no ip proxy-arp command must be configured on the interface of the router connected to the ISP router. Proxy ARP can be disabled on each interface individually with the interface configuration command no ip proxy-arp, as shown:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp
Router(config-if)# ^Z
Router#
In order to enable proxy ARP on an interface, issue the ip proxy-arp interface configuration command.
Note: When Host B (172.16.10.200/24) on Subnet A tries to send packets to Host D (172.16.20.200) on Subnet B, it looks into its IP routing table and routes the packet accordingly. Host B does not ARP for Host D's IP address 172.16.20.200, because that address belongs to a different subnet than the one configured on Host B's Ethernet interface (172.16.10.200/24).
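The exchange above, as an added example that is not part of the original document: it builds the ARP request from Host A's table byte for byte (Ethernet II framing, RFC 826 layout), models the router's decision to answer only for targets it can reach on another subnet (with a flag standing in for no ip proxy-arp), decodes the proxy reply, and finally scans an ARP cache for the many-IPs-to-one-MAC pattern the note calls out. The router class, its method names and the /24 subnets are assumptions for the model; the addresses are the ones from the text.

```python
import ipaddress
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout).
    Requests (opcode 1) are broadcast; replies (opcode 2) are unicast to the target."""
    dst = BROADCAST_MAC if opcode == 1 else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode the fields shown in the request/reply tables above."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        raise ValueError("unsupported address lengths")
    body = frame[22:42]
    return {
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


class ProxyArpRouter:
    """Model (an assumption, not IOS code) of the router's e0 behaviour: answer requests
    for targets reachable through another interface, stay silent for the local subnet."""

    def __init__(self, iface_mac, iface_net, remote_nets, proxy_arp=True):
        self.mac = iface_mac
        self.local = ipaddress.IPv4Network(iface_net)
        self.remote = [ipaddress.IPv4Network(n) for n in remote_nets]
        self.proxy_arp = proxy_arp  # False stands in for 'no ip proxy-arp'

    def handle(self, frame):
        req = parse_arp(frame)
        if req["opcode"] != 1 or not self.proxy_arp:
            return None
        target = ipaddress.IPv4Address(req["target_ip"])
        if target in self.local or not any(target in n for n in self.remote):
            return None  # the real owner answers itself, or nothing is reachable
        # Reply with the target's IP but the router's own MAC, unicast to the requester.
        return build_arp(2, self.mac, req["target_ip"], req["sender_mac"], req["sender_ip"])


def proxy_arp_signature(arp_cache, threshold=2):
    """MACs that several IPs resolve to: the pattern the note above describes."""
    by_mac = defaultdict(list)
    for ip, mac in arp_cache:
        by_mac[mac.lower()].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= threshold}


def host_a_resolves_host_d():
    """Replay the exchange from the text and return the decoded proxy reply."""
    router = ProxyArpRouter("00-00-0c-94-36-ab", "172.16.10.0/24", ["172.16.20.0/24"])
    request = build_arp(1, "00-00-0c-94-36-aa", "172.16.10.100",
                        "00-00-00-00-00-00", "172.16.20.200")
    reply = router.handle(request)
    return parse_arp(reply) if reply else None


# Constructed ARP cache, copied from Host A's table above.
HOST_A_CACHE = [
    ("172.16.20.200", "00-00-0c-94-36-ab"),
    ("172.16.20.100", "00-00-0c-94-36-ab"),
    ("172.16.10.99", "00-00-0c-94-36-ab"),
    ("172.16.10.200", "00-00-0c-94-36-bb"),
]

if __name__ == "__main__":
    print(host_a_resolves_host_d())
    print(proxy_arp_signature(HOST_A_CACHE))
```

The same many-to-one check is what a monitoring script would run over a host's real ARP table: one MAC answering for many addresses is either a legitimate proxy ARP router or, per the "spoofing" point in the disadvantages section, something to investigate.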

Advantages of Proxy ARP

The main advantage of proxy ARP is that it can be added to a single router on a network and does not disturb the routing tables of the other routers on the network.
Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do not have any routing intelligence.

Disadvantages of Proxy ARP

Hosts have no idea of the physical details of their network and assume it to be a flat network in which they can reach any destination simply by sending an ARP request. But using ARP for everything has disadvantages. These are some of the disadvantages:
  • It increases the amount of ARP traffic on your segment.
  • Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.
  • Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."
  • It does not work for networks that do not use ARP for address resolution.
  • It does not generalize to all network topologies, for example when more than one router connects two physical networks.

When Are ICMP Redirects Sent?

Internet Control Message Protocol (ICMP) is used to report to the original source the errors encountered while routing packets, and to exercise control over the traffic. This document discusses ICMP redirects and when redirects happen in a network.



How ICMP Redirect Messages Work

ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination.
For example, the two routers R1 and R2 are connected to the same Ethernet segment as Host H. The default gateway for Host H is configured to use router R1. Host H sends a packet to router R1 to reach the destination Host 10.1.1.1 at the remote branch office. Router R1, after it consults its routing table, finds that the next hop to reach Host 10.1.1.1 is router R2. Now router R1 must forward the packet out the same Ethernet interface on which it was received. Router R1 forwards the packet to router R2 and also sends an ICMP redirect message to Host H. This informs the host that the best route to reach Host 10.1.1.1 is by way of router R2. Host H then forwards all subsequent packets destined for Host 10.1.1.1 to router R2.
This debug message shows router R1, as in the network diagram, sending an ICMP redirect message to Host H (172.16.1.1).
R1# debug ip icmp
ICMP packet debugging is on
*Mar 18 06:28:54: ICMP:redirect sent to 172.16.1.1 for dest 10.1.1.1, use gw 172.16.1.200
R1#
Router R1 (172.16.1.100) sends a redirect to Host H (172.16.1.1) to use router R2 (172.16.1.200) as the gateway to reach the destination 10.1.1.1.

When Are ICMP Redirects Sent?

Cisco routers send ICMP redirects when all of these conditions are met:
  • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
  • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
  • The datagram is not source-routed.
  • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)
Note: ICMP redirects are disabled by default if Hot Standby Router Protocol (HSRP) is configured on the interface. In Cisco IOS Software Release 12.1(3)T and later, ICMP Redirect is allowed to be enabled on interfaces configured with HSRP. For more information, refer to HSRP Support for ICMP Redirects section of Hot Standby Router Protocol Features and Functionality.
For example, if a router has two IP addresses on one of its interfaces:
  interface ethernet 0
   ip address 171.68.179.1 255.255.255.0
   ip address 171.68.254.1 255.255.255.0 secondary
If the router receives a packet that is sourced from a host in the subnet 171.68.179.0 and destined to a host in the subnet 171.68.254.0, the router does not send an ICMP redirect because only the first condition is met, not the second.
The original packet for which the router sends a redirect still gets routed to the correct destination.
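The four conditions and the secondary-address counterexample, as an added example (not part of the original document): redirect_decision() evaluates each condition and reports which ones are unmet, host_h_case() reproduces the R1/R2 scenario, and secondary_address_case() shows why the interface with a secondary address does not redirect. A small parser for the debug ip icmp line shown earlier is included for anyone feeding such logs into monitoring. The Interface class, the function names and the host addresses 171.68.179.50 and 171.68.254.20 are assumptions; the interface and router addresses are from the text.

```python
import ipaddress
import re


class Interface:
    """A routed interface with its primary and any secondary IPv4 addresses (model, not IOS)."""

    def __init__(self, name, *addrs):
        self.name = name
        self.networks = [ipaddress.IPv4Interface(a).network for a in addrs]

    def subnet_of(self, ip):
        """The configured subnet containing ip, or None if ip is on none of them."""
        ip = ipaddress.IPv4Address(ip)
        return next((n for n in self.networks if ip in n), None)


def redirect_decision(in_if, out_if, src_ip, next_hop,
                      source_routed=False, redirects_enabled=True):
    """Evaluate the four conditions listed above. Returns (send_redirect, unmet_conditions)."""
    unmet = []
    if in_if is not out_if:
        unmet.append("packet is not routed out the interface it arrived on")
    src_net = in_if.subnet_of(src_ip)
    if src_net is None or src_net != out_if.subnet_of(next_hop):
        unmet.append("source and next-hop are not on the same subnet")
    if source_routed:
        unmet.append("datagram is source-routed")
    if not redirects_enabled:
        unmet.append("no ip redirects is configured on the interface")
    return (not unmet, unmet)


def host_h_case():
    """R1's Ethernet (172.16.1.100/24): Host H 172.16.1.1, next hop R2 172.16.1.200."""
    e0 = Interface("Ethernet0", "172.16.1.100/24")
    return redirect_decision(e0, e0, "172.16.1.1", "172.16.1.200")


def secondary_address_case():
    """The interface with a secondary address from the text. The source sits in
    171.68.179.0/24 and the next hop in 171.68.254.0/24 (constructed host addresses),
    so only the same-interface condition holds and no redirect is sent."""
    e0 = Interface("ethernet 0", "171.68.179.1/24", "171.68.254.1/24")
    return redirect_decision(e0, e0, "171.68.179.50", "171.68.254.20")


DEBUG_RE = re.compile(r"ICMP:\s*redirect sent to (\S+) for dest (\S+), use gw (\S+)")


def parse_redirect_debug(line):
    """Pull host, destination and suggested gateway out of a 'debug ip icmp' line."""
    m = DEBUG_RE.search(line)
    return None if m is None else {"host": m[1], "dest": m[2], "gateway": m[3]}


if __name__ == "__main__":
    print(host_h_case())
    print(secondary_address_case())
    print(parse_redirect_debug(
        "*Mar 18 06:28:54: ICMP:redirect sent to 172.16.1.1 for dest 10.1.1.1, use gw 172.16.1.200"))
```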

Wednesday, September 9, 2015

Steps to configure an IPSEC site to site VPN on a Cisco IOS device


VPN Topology
The following five steps need to be configured in order to create an IPSEC VPN on a Cisco IOS device.
Description
  • Step 1. ISAKMP policy – configure the parameters used for the IKE phase 1 tunnel.
  • Step 2. Transform set – configure the parameters used for the IKE phase 2 tunnel (aka the IPSEC tunnel).
  • Step 3. ACL – create an ACL to define which "interesting" traffic will be sent over the VPN.
  • Step 4. Crypto map – configured using the previous parameters.
  • Step 5. Apply – apply the crypto map to an interface.

Step 1. – ISAKMP

Lefty#conf t
Lefty(config)#crypto isakmp enable
Lefty(config)#crypto isakmp policy 10
Lefty(config-isakmp)#authentication pre-share
Lefty(config-isakmp)#hash sha
Lefty(config-isakmp)#encryption aes 256
Lefty(config-isakmp)#group 5
Lefty(config-isakmp)#lifetime 3600
Lefty(config-isakmp)#exit
Lefty(config)#crypto isakmp key 0 SuperS3cure address 192.168.1.2
Lefty(config)#crypto isakmp keepalive 10 2 periodic
Lefty(config)#^Z
First off we enter config mode and then enable ISAKMP (it is enabled by default, so this step probably won't be needed). The policy number is quite important: when the router tries to negotiate an acceptable phase 1 policy it always starts with the policy closest to 1 and works up in order until a negotiation succeeds (using 10 leaves some room for growth if needed).
Now we configure the authentication method. Acceptable options are pre-shared key, RSA-Sig and RSA-Encr. For simplicity we'll use PSK for now. I'll do another post soon to explain the other options.
Next is the hash method to be used. Options are MD5 and SHA-1 (SHA-1 is the default).
Now we configure the encryption algorithm we want to use. In order of strength: AES 256, AES 192, AES 128, 3DES, DES (DES is the default if nothing is explicitly configured).
Group <number> configures the modulus size of the Diffie-Hellman key exchange. (Group 5 isn't supported on all versions of IOS!)

| Group | Description                        |
|-------|------------------------------------|
| 1     | The 768-bit Diffie-Hellman group.  |
| 2     | The 1024-bit Diffie-Hellman group. |
| 5     | The 1536-bit Diffie-Hellman group. |

(Group 1 is the default)
Lifetime is the lifetime of the Security Association (SA) in seconds. 3600 = 1 hour (86400, i.e. 1 day, is the default).
Since we configured pre-shared key we need to configure the key on a per host basis in main config mode.
To demonstrate dead peer detection (DPD), we set it to send keepalives every 10s, then every 2s if a keepalive fails. The default is to send them on demand rather than periodically as we have configured.
Verify configuration with “show crypto isakmp policy”

Step 2. – Transform Set

Lefty#conf t
Lefty(config)#crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
Lefty(cfg-crypto-trans)#mode tunnel
Lefty(cfg-crypto-trans)#^Z
We configure IPSEC tunnel mode using 256-bit AES encryption and SHA-1 HMAC.
Various other options are:
Lefty(config)#crypto ipsec transform-set MYTSETNAME ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
Verify with “show crypto ipsec transform-set”

Step 3. – ACL

Lefty#conf t
Lefty(config)#access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Straightforward extended ACL config to define the "interesting" traffic that will be secured via the VPN.

Step 4. – Crypto Map

Lefty#conf t
Lefty(config)#crypto map LEFTY_TO_RIGHTY 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
Lefty(config-crypto-map)#set peer 192.168.1.2
Lefty(config-crypto-map)#match address 101
Lefty(config-crypto-map)#set transform-set MYTSETNAME
Lefty(config-crypto-map)#^Z
We configure the IP or hostname of the opposite end of the tunnel, define the "interesting" traffic with the match command, then finally configure the transform set to be used.
Verify with “show crypto map”

Step 5. – Apply

Lefty#conf t
Lefty(config)#int fastEthernet 1/0
Lefty(config-if)#crypto map LEFTY_TO_RIGHTY
Lefty(config)#ip route 10.2.2.0 255.255.255.0 192.168.1.2
Lefty(config)#^Z
Apply the configured crypto map to the outgoing interface. We need the static route to point to the router at the other end of the VPN tunnel.

Testing/Verify

The easiest way to test is with an extended ping. Here we use the 10.1.1.1 (fa 1/1) interface on Lefty as the source to ping the 10.2.2.2 address on the Righty router.
Lefty#p
Protocol [ip]:
Target IP address: 10.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/8 ms
Now the ping has set up the VPN because it is "interesting" traffic (the first ping is lost while the VPN is created). We can verify with "show crypto engine connections active"
Lefty#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Fa0/0 IPsec AES256+SHA 0 4 192.168.1.1
2 Fa0/0 IPsec AES256+SHA 4 0 192.168.1.1
1001 Fa0/0 IKE SHA+AES256 0 0 192.168.1.1
You can see we have one IKE connection and an IPSEC tunnel for each direction.
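The five steps above have dependencies that IOS does not check for you (the crypto map must name an existing transform set and ACL, the peer must have an ISAKMP key, and the map must actually be applied to an interface), and the post points out which defaults you get when you omit a line (DES, group 1). The following is an added example, not from the post: a small audit script that parses the relevant configuration lines and reports both broken references and weak settings. The two configurations are constructed (GOOD_CONFIG is the post's five steps as they would appear in a running config; WEAK_CONFIG is a counter-example), and the weakness thresholds (DES/3DES, MD5, DH groups 1 and 2) are the script author's assumptions, not IOS or post content.

```python
# Constructed sample: the five steps from the post as they would appear in
# "show running-config" (not captured from a real device).
GOOD_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 0 SuperS3cure address 192.168.1.2
crypto isakmp keepalive 10 2 periodic
crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map LEFTY_TO_RIGHTY 10 ipsec-isakmp
 set peer 192.168.1.2
 match address 101
 set transform-set MYTSETNAME
interface FastEthernet1/0
 crypto map LEFTY_TO_RIGHTY
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip route 10.2.2.0 255.255.255.0 192.168.1.2
"""

# Constructed counter-example: a policy left at the IOS defaults the post names
# (DES, group 1), a 3DES/MD5 transform set, a missing ACL and an unapplied map.
WEAK_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 0 weak address 192.168.1.2
crypto ipsec transform-set OLDSET esp-3des esp-md5-hmac
crypto map UNAPPLIED 10 ipsec-isakmp
 set peer 192.168.1.2
 match address 101
 set transform-set OLDSET
"""

WEAK_CIPHERS = {"des", "3des"}                      # audit thresholds: an assumption
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def parse_ios(text):
    """Collect the IPsec-relevant pieces of an IOS config into plain dicts and sets."""
    cfg = {"policies": {}, "keys": set(), "tsets": {}, "maps": {}, "applied": set(), "acls": set()}
    block = None  # (kind, key) of the top-level command whose indented lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if line.startswith(" "):
            if block is None:
                continue
            kind, key = block
            if kind == "policy":
                # running-config prints "encr"; "encryption" is what you type
                name = "encryption" if words[0] in ("encr", "encryption") else words[0]
                cfg["policies"][key][name] = " ".join(words[1:])
            elif kind == "map":
                if words[:2] == ["set", "peer"]:
                    cfg["maps"][key]["peer"] = words[2]
                elif words[:2] == ["set", "transform-set"]:
                    cfg["maps"][key]["tset"] = words[2]
                elif words[:2] == ["match", "address"]:
                    cfg["maps"][key]["acl"] = words[2]
            elif kind == "interface" and words[:2] == ["crypto", "map"]:
                cfg["applied"].add(words[2])
            continue
        block = None
        if words[:3] == ["crypto", "isakmp", "policy"]:
            cfg["policies"].setdefault(words[3], {})
            block = ("policy", words[3])
        elif words[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"].add(words[words.index("address") + 1])
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][words[3]] = words[4:]
        elif words[:2] == ["crypto", "map"] and len(words) >= 4:
            cfg["maps"].setdefault((words[2], words[3]), {})
            block = ("map", (words[2], words[3]))
        elif words[0] == "interface":
            block = ("interface", words[1])
        elif words[0] == "access-list":
            cfg["acls"].add(words[1])
    return cfg


def audit(text):
    """Return a list of findings; an empty list means the five steps fit together."""
    cfg = parse_ios(text)
    findings = []
    for prio, p in sorted(cfg["policies"].items()):
        # Defaults as the post states them: DES, SHA-1, group 1
        enc = p.get("encryption", "des").split()[0]
        group = p.get("group", "1")
        if enc in WEAK_CIPHERS:
            findings.append(f"isakmp policy {prio}: weak encryption '{enc}'")
        if p.get("hash", "sha") == "md5":
            findings.append(f"isakmp policy {prio}: weak hash md5")
        if group in ("1", "2"):
            findings.append(f"isakmp policy {prio}: weak DH group {group}")
        if p.get("authentication") == "pre-share" and not cfg["keys"]:
            findings.append(f"isakmp policy {prio}: pre-share configured but no isakmp key")
    for name, transforms in cfg["tsets"].items():
        findings += [f"transform-set {name}: weak transform {t}" for t in transforms if t in WEAK_TRANSFORMS]
        if not any(t.endswith("-hmac") for t in transforms):
            findings.append(f"transform-set {name}: no integrity (HMAC) transform")
    for (name, seq), m in cfg["maps"].items():
        if m.get("tset") not in cfg["tsets"]:
            findings.append(f"crypto map {name} {seq}: transform-set {m.get('tset')} not defined")
        if m.get("acl") not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: access-list {m.get('acl')} not defined")
        if m.get("peer") not in cfg["keys"]:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {m.get('peer')}")
        if name not in cfg["applied"]:
            findings.append(f"crypto map {name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG))
    print("weak:", *audit(WEAK_CONFIG), sep="\n  ")
```

Run it against the output of show running-config saved to a file; the reference checks are the ones that produce the "crypto map will remain disabled" situation IOS warns about in Step 4, and the algorithm checks catch a policy that silently fell back to the defaults.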

Tuesday, September 8, 2015

Choosing a VPN -- SSL VPN vs. IPSec VPN

If your organization is among the many that have struggled with the administrative headaches and costs of IPSec VPNs, going "clientless" sounds compelling. Given the demand for secure, easy, anytime/anywhere remote access for travelers and home office workers, the surge of interest in SSL/TLS-based VPNs isn't surprising. The key is deciding when to use IPSec and when to use SSL.

"It's not that one is right and one is wrong," says Doug Torre, who is rolling out Neoteris SSL VPNs to give 500 doctors and clinicians remote access to medical applications and patient information for Catholic Health System of Western New York in Buffalo. "IPSec and SSL VPNs both solve the problem, but SSL was a more tailored fit for us." Torre still uses IPSec VPNs for site-to-site connections, such as connecting remote sites to the core network.
"We're getting access to the exact thing we need, which is the application," says Torre, director of networking and technical services for Catholic Health System, which includes four hospitals and a number of long-term health care facilities.
In choosing an SSL VPN over IPSec, Torre wanted to avoid the overhead of installing client software and to leverage one of SSL's strengths--access to specific applications, rather than entire subnets.

Does all this mean that SSL VPNs are the way to go? Everything being equal, who wouldn't want to reduce the cost of VPN ownership by eliminating client installation and configuration and centralizing policy administration, enforcement and access control?
It's not that simple, of course. Vendors promise to deliver secure access, but are SSL VPNs as secure and reliable as IPSec? Where do SSL VPNs fit into your network security policies, and which remote user communities can they best serve? What does it really take to install and administer an SSL VPN?
Securing Remote Access
Both IPSec and SSL VPNs can provide enterprise-level secure remote access, but they do so in fundamentally different ways. These differences directly impact both application and security services, and shape the factors that will influence your decision on which technology to deploy, and where.
IPSec VPNs protect IP packets exchanged between remote networks or hosts and an IPSec gateway located at the edge of your private network. SSL VPN products protect application streams from remote users to an SSL gateway. In other words, IPSec connects hosts to entire private networks, while SSL VPNs connect users to services and applications inside those networks.
IPSec VPNs can support all IP-based applications--to an IPSec VPN product, all IP packets are the same. SSL VPN application services vary, because each product has its own way of presenting client interfaces through browsers, relaying application streams through the gateway, and integrating with destination servers inside the private network. Most SSL VPNs provide secure access to Microsoft Outlook Webmail, network file shares and other common business applications. However, they often require custom development to support nonbrowser-based apps.
Before you choose to deploy either--or both--you'll want to know how SSL and IPSec VPNs stack up as security solutions, and what price you have to pay for that security in administrative overhead.
First, we'll compare how IPSec and SSL VPNs address three essential security requirements:
  • Authentication and access control. Each VPN type presents different options for user authentication, with clear implications for security. The fundamental difference in how SSL and IPSec VPNs implement access control is an important consideration in where and how each technology is best applied.
  • Defense against attack. Strong data confidentiality and integrity, and resistance to message replay and other attacks, are essential to make a VPN secure.
  • Client security. The tunnel can't be secure if the host client is compromised. VPN client computers need strong AV and firewall protection, and admins need a way to check on the "health" of those systems.
Next, we'll look at what it takes to configure and administer both IPSec and SSL VPNs, and the payoff for what you put into it:
  • Client vs. clientless. It's not necessarily a clear-cut choice: IPSec client administration and policy distribution headaches vs. SSL app customization.
  • Integrating VPN gateways into your network. VPN gateways have to fit in to your network and play nicely with your app servers. What does it take?

Access Control and Authentication 
Both SSL and IPSec VPNs support a range of user authentication methods, including certificates. However, if you choose a noncertificate option (such as password or tokens), you should be aware that the IPSec choices, as we'll see, are generally more vulnerable than the SSL alternatives.
Accepted security best practices include allowing only that which is expressly permitted, denying all others. In a nutshell, SSL VPNs tend to be deployed with more granular access controls than IPSec, but that also means admins may spend more time configuring and modifying individual and group access rules.
Authentication. IPSec employs Internet Key Exchange (IKE), using digital certificates or preshared secrets for two-way authentication; SSL Web servers always authenticate with digital certificates, no matter what method is used to authenticate the SSL client. Both support certificate-based user authentication, though each offers less expensive options through individual vendor extensions. They differ significantly on how these extensions are implemented, and SSL is the more secure solution for companies that decide to implement noncertificate user authentication.
IPSec vendors, for example, offer alternatives such as Extended Authentication (XAUTH) and L2TP over IPSec. However, XAUTH, which is frequently deployed using preshared group secrets and DHCP, is vulnerable to several known attacks. And while L2TP over IPSec is embedded in Windows 2000/XP, it isn't broadly supported by VPN gateways or used by non-Microsoft shops.
Most SSL vendors support passwords and tokens as extensions. Further, SSL's encrypted tunnel protects the user's identity and credentials, making asymmetric authentication more secure than IPSec with XAUTH.

SSL is better suited for scenarios where trust is limited or where installed certificates are infeasible--business partner desktops, public kiosk PCs and personal home computers.
Access control. If you really need per-user, per-application access control, go SSL. If you need to give trusted user groups homogenous access to entire private servers and subnets, go IPSec.
IPSec standards support "selectors"--packet filters that permit, encrypt or block traffic to individual destinations or applications. As a practical matter, most organizations grant hosts access to entire subnets, rather than keep up with the headaches of creating/modifying selectors for each IP address change or new app.
SSL VPN products tend to provide more granular tools--how granular varies from product to product--but how you use them (and how much administrative cost you're prepared to shoulder) is up to you. Because they operate at the session layer, SSL VPNs can filter on and make decisions about user or group access to individual applications (ports), selected URLs, embedded objects, application commands and even content.
Defense Against Attack
Both SSL and IPSec support block encryption algorithms like TripleDES Cipher Block Chaining, which are commonly used in VPNs. SSL VPNs also support stream encryption algorithms like RC4 that are often used for Web browsing. Given comparable key lengths, block encryption is less vulnerable to traffic analysis than stream encryption.
If you're implementing an SSL VPN, try to choose products that support TLS, which is slightly stronger than the older SSLv3. TLS eliminates older key exchange and message integrity options, ensuring strong defense against key cracking and forgery.
In addition to strong encryption support, both types of VPNs are built to resist common Internet attacks. However, there are some important differences that can impact security, performance and operability. They include:
Man in the middle. IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP addresses for private ones. Many IPSec products implement NAT traversal extensions, but support for this feature isn't universal, and interoperability is still an issue.
SSL is almost as tough against man-in-the-middle attacks, without IPSec's NAT conflict. SSL rides on TCP, so it's insulated from IP and port modifications, and thus passes easily through NAT. SSL carries sequence numbers inside encrypted packets to prevent packet injection, and TLS uses message authentication to detect payload changes.
Message replay. Both IPSec and SSL use sequencing to detect and resist message replay attacks. IPSec is more efficient, because it discards out-of-order packets lower in the stack in system code. In SSL VPNs, out-of-order packets are detected by the TCP session engine or the SSL proxy engine, wasting more resources before they are discarded. This is one reason why IPSec is broadly used for site-to-site VPNs, where raw horsepower is critical to accommodate high-volume, low-latency needs.
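The "sequencing" the paragraph refers to is, on the IPsec side, a sliding window over ESP sequence numbers (RFC 4303 section 3.4.3): a packet is accepted only if its sequence number is new and not older than the window. The class below is an added example that is not from the article; it implements that window on plain integers, with a bitmap of recently seen numbers, and a helper that runs a constructed sequence through it. The window size of 64 is the RFC's minimum; the class and helper names are the example's own.

```python
class AntiReplayWindow:
    """Sliding-window replay check in the style of IPsec ESP (RFC 4303 3.4.3).
    `highest` is the largest sequence number accepted; bit i of `bitmap` is set
    when sequence number (highest - i) has already been accepted."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False                        # ESP never uses sequence number 0
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                        # already accepted once: replay
        self.bitmap |= 1 << offset              # out-of-order but new: accept
        return True


def simulate(sequence, size=64):
    """Feed a constructed sequence of ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence]


if __name__ == "__main__":
    # Constructed trace: in-order, a replay, reordering, a jump, then two stragglers,
    # one just outside the window and one just inside it.
    trace = [1, 1, 3, 2, 2, 100, 36, 37]
    for seq, ok in zip(trace, simulate(trace)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```

The check runs in constant time on the first few bytes of the packet, which is the point the paragraph makes about IPsec discarding out-of-order and replayed packets low in the stack before the rest of the system spends resources on them.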
Denial of service. IPSec has a slight advantage against DoS attacks, such as packet floods, because it uses only datagrams, while SSL uses TCP sessions. This is because IP and UDP (IKE) datagram floods are conceptually easier to deflect than TCP SYN floods, which fill session tables and cripple many off-the-shelf protocol stacks.
Every product must be hardened against DoS attacks. Look carefully at individual products and published third-party test results to assess DoS vulnerability in each implementation.
Business-grade IPSec VPN appliances have been hardened against DoS attack; some IPSec vendors have even published DoS test results. While IPSec VPNs have been subject to testing for years, a certification program for SSL VPNs has just been initiated. ICSA Labs is launching a SSL/TLS certification program, and expects to complete first-round testing of crypto implementation and baseline features by year's end.
Client Security
Your VPN--IPSec or SSL--is only as secure as the laptops, PCs or PDAs connected to it. Without precautions, any client device can be used to attack your network.
Therefore, companies implementing any kind of VPN should mandate complementary client security measures, such as personal firewalls, malware scanning, intrusion prevention, OS authentication and file encryption. Some IPSec VPN clients include integrated desktop security products to restrict access to systems that conform to organizational security policies. For example, Check Point Software Technologies' VPN-1 is integrated with PestPatrol, and WatchGuard Technologies' Mobile User VPN with Zone Labs' ZoneAlarm.
SSL client devices present their own set of problems. Because SSL VPNs are often accessed by computers outside a company's control--public computers are a particular challenge--vendors address their security requirements in several ways. For example:
  • Many SSL VPNs, including Whale Communications' e-Gap and Aventail's EX-1500, provide secure browser/client logoff by wiping all traces of activity--cached credentials, cached Web pages, temporary files and cookies--from the public computers.
  • Nokia's Secure Access System checks client-side security by instructing the browser to run an applet that looks for open ports and verifies antivirus presence before the gateway accepts remote access requests.
  • Some SSL VPNs combine client security with access rules. For example, Permeo Technologies' Application Security offers methods that filter individual application commands (e.g., FTP GET but not PUT; no retrieving HTTP objects ending in .exe). This could narrow permissions given to users that only merit "partial trust" because they use client computers that lie outside your organization's control. Nokia's Secure Access System can limit application features and functions, depending on the system from which a VPN session is initiated. For example, public kiosks may be restricted from uploading files that company laptops are permitted to access.
Session state is a dimension of usability more than security, but it's worth noting that both IPSec and SSL VPN products often run configurable "keepalives" that detect when the tunnel has gone away. Both kinds of tunnels are disconnected if the client loses network connectivity or the tunnel times out due to inactivity. Different methodologies are used due to different locations in the protocol stack, but they have the same net effect on users.
Client vs. Clientless?
The primary allure of SSL VPNs is their use of standard browsers rather than having to install client software, but there are a number of factors to consider.
SSL VPNs do a great job making browser-based apps available to remote devices. However, generally speaking, the more diverse the application mix, the more attractive IPSec appears. It boils down to a trade-off between IPSec client installation and SSL VPN customization. Let's examine this in more detail.
"Clientless" isn't entirely accurate. The extent to which applications can or should be "Webified" is a wild card for SSL VPNs. If you can find an SSL VPN product that meets all or most of your application needs, great. If not, you may spend more time and effort developing custom Java/ActiveX plug-ins than you would have supporting an IPSec VPN.
Although SSL VPN tunnels are launched from the user's browser, often a desktop agent--a Java applet or ActiveX control--must be downloaded for access to thin client, client/server or other applications that don't lend themselves to Web page presentation (e.g., Citrix, IBM green screen, Windows Terminal Service). Moreover, applications that require Java applets or ActiveX controls and plug-ins may conflict with a browser security policy that prohibits active content. Most organizations block "unsigned" Java/ActiveX, which can be used to install Trojans, retrieve or delete files, etc. Some organizations block all active content to be on the safe side. As a result, you may have to reconfigure some browser clients to use an SSL VPN.
And don't dismiss the "user factor." People grow accustomed to existing user interfaces. The advantage of having browser interfaces for native apps may be offset by the time spent reeducating unhappy users.
SSL VPN vendors have a range of approaches on Webification. Some products such as Permeo's Application Security, Aventail's EX-1500 and Nokia's Secure Access System use client-side code to support a more native representation of application interfaces. Conversely, solutions such as Neoteris' Instant Virtual Extranet, Netilla Networks' Security Platform and Whale's e-Gap are more inclined to Webify applications, even if that means some apps will require backend development to bolt them onto the VPN server.
Most IPSec deployments still require third-party client software. Installing third-party clients is time consuming and requires access to the users' desktops. The problem is exacerbated when you factor in the increased need to service home computers and partner sites. In addition, while client software quality and compatibility have improved considerably, there are still conflicts--particularly with hardware drivers.
IPSec VPN clients are now embedded in newer OSes such as Win2K/XP and Mac OS X. But these clients aren't as feature-rich as third-party offerings. Moreover, IPSec clients aren't widely available for older Windows, *nix, Mac and handheld OSes.
Some vendors offer hardware IPSec VPN clients for organizations that must deal with diverse OS platforms. Small appliances, like Cisco Systems' VPN 3002, sit between a worker's home PC and cable/DSL modem, acting like an IPSec VPN client. The idea is to invest in hardware up-front to avoid ongoing costs of administering remotely deployed VPN software.
Organizations sometimes use IPSec-enabled SOHO firewall appliances to incorporate teleworkers' LANs into their site-to-site VPN topology, but this solution often pushes the problems of scale and remote administration from remote access to the VPN backbone.
Policy distribution and maintenance are often hamstrung by user mobility and intermittent connectivity. This is a significant issue for IPSec VPNs. Whenever users get involved in security configuration or debugging, there's also an increased risk of error or unauthorized change.
IPSec administrators must create security policies for each authorized network connection, identifying such esoteric information as IKE Identity, Diffie-Hellman Group, crypto algorithms and security association lifetimes. IPSec vendors like Cisco, Check Point, NetScreen Technologies and Avaya have created proprietary, centralized policy management systems that automate policy distribution. These systems help, but keeping policy synchronized across large IPSec VPNs can still be tough.
"We found supporting remote clients over an IPSec VPN to be problematic due to the need for configuring VPN and application software, making securing it a bit tricky," says Catholic Health System's Torre.
For the most part, security policy for SSL VPNs is implemented and enforced at the gateway (SSL proxy). Thus, there's no user involvement and no client policy to remotely manage.
Integrating VPN Gateways
Server-side issues tend to get lost amid the buzz about clientless savings, but understanding what's involved is essential in VPN product selection, secure solution design and cost-effective deployment.
Whether you choose IPSec or SSL, your VPN gateway will be where the rubber meets the road. Significant server-side VPN administration is inevitable for both. Network integration is an issue for IPSec gateways, while SSL VPN gateways tend to have a greater impact on how you administer your app servers.
IPSec remote hosts become part of your private network, making integration more challenging than with SSL VPNs. The IPSec design tasks that burn the most IT cycles include:
  • Address assignment. IPSec tunnels have two addresses. Outer addresses come from the network where the tunnel starts (e.g., the ISP). Inner addresses are used to correctly route traffic once it gets past the VPN gateway, inside the protected network. Admins have to invest time assigning these addresses to VPN clients and making routing changes on firewalls and inside the network.
  • Traffic classification. Deciding what and what not to protect, then configuring selectors to match that objective, takes time. For example, "HR clients should be able to reach the HR server," must be mapped into the right set of users and destination subnets/servers/ports.
  • Routing. Adding a VPN gateway changes network routes. You'll spend time deciding how client traffic should be routed to and from the VPN gateway, and determining if NAT will interfere with your deployment.
SSL VPNs don't require client address assignment or changes to routing inside your network, because they control access to applications and content (e.g., URLs) rather than network-layer entities, such as subnets and hosts. Typically, SSL VPN gateways are deployed behind a perimeter firewall, which requires punching a hole through that firewall to deliver SSL to the VPN gateway. This means delegating trust from the firewall to the VPN gateway, which enforces security policy on SSL-encrypted streams.
SSL VPN gateways have greater potential impact on the application servers inside your private network. On most intranet servers, when IT staff need to restrict access at a finer-than-firewall granularity (e.g., control user access to a directory on a Web server), they must apply OS-level access controls (e.g., Windows NTFS) and per-user or per-application authentication on the servers themselves.
IPSec VPNs can't offload these security services from individual servers.
By applying very granular access controls at SSL VPN gateways, organizations can eliminate duplicate processing from intranet servers. This also allows an organization to enforce uniform policy at the gateway. Some products, such as Whale's e-Gap and Aventail's EX-1500, can provide single sign-on capability for all intranet servers protected by a VPN gateway (see "E-mail from Anywhere").
But SSL's fine-grained access controls come at a price: Extreme granularity means more planning, configuration and verification, which translates into overhead and, sometimes, error. First-time SSL VPN adopters are advised to keep things simple by applying easily managed individual user authentication and group access controls.
The Test of Time
Are SSL and IPSec VPNs complementary or competing remote access solutions? There may be room for both.
"We think that classic IPSec VPNs are great for connecting to the network, such as hooking up remote sites to each other, or for the power user who needs every tool in the toolbox, like an IT user," says Catholic Health System's Torre. "For the average user, however, it's overkill."
"Power users like the idea of a full PC-to-gateway IPSec VPN, and often believe they need access to the full IP spectrum of the enterprise network from their home office," says Fred Avolio, president and founder of Avolio Consulting. "But many, if not most, occasional teleworkers often use home PCs and only need to access services that are easily available through a Web browser, such as e-mail and file access. An SSL VPN gives them secure access without the hassle of a hard-to-configure client."
It's quite likely that IPSec will remain attractive to organizations with broader needs than Web apps. As user constituencies become larger and more diverse, assets must be separated at finer granularity, making SSL more attractive. Today, SSL VPN adoption is driven by tight IT budgets and vendor promises to reduce total cost of ownership. As SSL VPN products mature, they must deliver on this promise in large successful deployments, grow their turnkey support for common business applications, and demonstrate their ability to withstand Internet threats and enterprise performance demands. If they can do all this, SSL will give IPSec a real run for the money in the remote access VPN market.

Monday, August 17, 2015

CONVERT A CISCO AIR-LAP1142N-A-K9 TO AUTONOMOUS AP

Here is an easy and quick way to convert the AIR-LAP1142N-A-K9 to an autonomous AP.

This method does not require configuring the IP address of the AP, as shown below.

Setting the default IP address and copying the image to the flash of the AP didn't work for me. I was not able to communicate with the AP on the 10.0.0.1 address. For example:
ap: set IP_ADDR 10.0.0.1
ap: set NETMASK 255.0.0.0
ap: set DEFAULT_ROUTER 10.0.0.2
ap: tftp_init
ap: ether_init
ap: flash_init
ap: tar -xtract tftp://10.0.0.2/c1140-k9w7-tar.124-25d.JA.tar flash:
ap: set BOOT flash:/c1140-k9w7-mx.124-25d.JA/c1140-k9w7-mx.124-25d.JA

ap: boot

Here are the steps to follow:
1. Install Klever TFTP on your computer.
2. Download the standalone autonomous version of the image software.
3. Configure the TFTP server on the computer. Copy the image software from Step 2 to the TFTP directory and rename it "c1140-k9w7-tar.default" (or whatever image name the AP tries to load by default). When the AP boots, it will load and extract this image and delete the existing image (see the screen capture below).
4. Configure your laptop's Ethernet connection to use static IP 10.0.0.2 with netmask 255.0.0.0 and NO default gateway/router. The idea is to place both the AP and the computer on the same LAN without blocking any network traffic.
5. Connect your computer's Ethernet cable to the switch and connect the other cable from your AP's Ethernet port to the switch. Power on the switch.
6. Connect your AP's Ethernet port to the switch.
— With the above few steps, your TFTP server is ready to serve the image software.
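The recovery loader accepts whatever file a TFTP server on the LAN returns under the default name, so it is worth checking that the staged tar really is the autonomous (k9w7) image for this platform before serving it. The script below is an added example, not the blog author's code; it assumes the tar's info member is key: value text (the bootloader prints those fields as "Image info:") and constructs its own sample tars.

```python
"""Stage and sanity-check an autonomous (k9w7) AP image for TFTP recovery.

Added example, not the blog author's code.  Assumption: the tar's ``info``
member holds ``key: value`` lines such as ``image_name: c1140-k9w7-mx.153-3.JBB1``
(the bootloader prints these as "Image info:").  Sample tars are constructed.
"""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

DEFAULT_NAME = "c1140-k9w7-tar.default"   # file name the recovery loader asks for
SIGNING_FILES = ("file_hashes", "final_hash", "final_hash.sig")  # seen in the capture


def parse_info(text):
    """Turn the 'key: value' lines of an image info file into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def inspect_image(tar_path):
    """Return (info dict, set of files under the image directory) for an AP tar."""
    with tarfile.open(tar_path, "r") as tar:
        # <imagedir>/info describes the image; info.ver at the top level is a copy
        infos = [m for m in tar.getmembers()
                 if m.isfile() and m.name.count("/") == 1 and m.name.endswith("/info")]
        if len(infos) != 1:
            raise ValueError("expected exactly one <imagedir>/info member")
        info = parse_info(tar.extractfile(infos[0]).read().decode("ascii", "replace"))
        image_dir = infos[0].name.split("/")[0] + "/"
        present = {n[len(image_dir):] for n in tar.getnames() if n.startswith(image_dir)}
    return info, present


def check_image(info, present, family="C1140"):
    """Return the list of problems found; an empty list means the image looks right."""
    problems = []
    if info.get("image_family") != family:
        problems.append(f"image_family {info.get('image_family')!r} != {family!r}")
    name = info.get("image_name", "")
    if "k9w7" not in name:   # k9w8 is the lightweight (controller-based) build
        problems.append(f"{name!r} is not an autonomous (k9w7) image")
    problems += [f"missing signing artefact {f}" for f in SIGNING_FILES if f not in present]
    return problems


def stage_image(tar_path, tftp_dir):
    """Copy a checked image into the TFTP root under DEFAULT_NAME; return its SHA-256."""
    problems = check_image(*inspect_image(tar_path))
    if problems:
        raise ValueError("; ".join(problems))
    os.makedirs(tftp_dir, exist_ok=True)
    dest = os.path.join(tftp_dir, DEFAULT_NAME)
    shutil.copyfile(tar_path, dest)
    with open(dest, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()   # record this before serving it


def build_sample_tar(path, image_name, signed=True):
    """Write a tiny constructed tar with the layout of a real AP image (no IOS binary)."""
    info = (f"image_name: {image_name}\nversion_directory: {image_name}\n"
            "image_feature: WIRELESS LAN\nimage_family: C1140\ninfo_end:\n").encode()
    members = {f"{image_name}/info": info, "info.ver": info}
    if signed:
        for f in SIGNING_FILES:
            members[f"{image_name}/{f}"] = b"constructed placeholder\n"
    with tarfile.open(path, "w") as tar:
        for name, data in members.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return path


def demo(workdir=None):
    """Check a constructed autonomous image and a constructed lightweight one."""
    workdir = workdir or tempfile.mkdtemp()
    good = build_sample_tar(os.path.join(workdir, "good.tar"), "c1140-k9w7-mx.153-3.JBB1")
    bad = build_sample_tar(os.path.join(workdir, "bad.tar"),
                           "c1140-k9w8-mx.124-23c.JA2", signed=False)
    good_problems = check_image(*inspect_image(good))
    bad_problems = check_image(*inspect_image(bad))
    digest = stage_image(good, os.path.join(workdir, "tftp"))
    return good_problems, bad_problems, digest


if __name__ == "__main__":
    print(demo())
```

On a real download, point stage_image at the tar from Step 2 and your TFTP root; the returned digest is what you compare against the hash published with the image.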
Next:
7. Connect your Cisco serial console cable to your system. Connect the Cisco serial console cable to the Console port of the AP.
8. Open your terminal program, such as Tera Term, and configure the serial communication port.
9. Hold down the "Mode" button of the AP while plugging in the power of the AP.
10. You can now see the terminal displaying the AP startup messages. Keep holding the Mode button until you see the AP showing the red light, then release the Mode button. You will see the message "button is pressed, wait for button to be released...button pressed for 27 seconds".
11. On the terminal window, you will see it trying to load the software recovery image from the TFTP server at 255.255.255.255.
Screen capture output:
using  eeprom values

WRDTR,CLKTR: 0x86000800 0x40000000
RQDC ,RFDC : 0x8000003b 0x00000212

ddr init done

IOS Bootloader - Starting system.
Xmodem file system is available.

DDR values used from system serial eeprom.
WRDTR,CLKTR: 0x86000800, 0x40000000
RQDC, RFDC : 0x8000003b, 0x00000212

PCIE0: link is up.
PCIE0: VC0 is active
PCIE1: link is up.
PCIE1: VC0 is active
PCIEx: initialization done
flashfs[0]: 28 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 7382016
flashfs[0]: Bytes available: 25003008
flashfs[0]: flashfs fsck took 20 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: f8:66:f2:44:5a:e4
Ethernet speed is 1000 Mb - FULL duplex
button is pressed, wait for button to be released...
button pressed for 27 seconds
process_config_recovery: set IP address and config to default 10.0.0.1
process_config_recovery: image recovery
image_recovery: Download default IOS tar image tftp://255.255.255.255/c1140-k9w7-tar.default

examining image...
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.153-3.JBB1
    Image Name: c1140-k9w7-mx.153-3.JBB1
    Version Directory: c1140-k9w7-mx.153-3.JBB1
    Ios Image Size: 8120832
    Total Image Size: 9298432
    Image Feature: WIRELESS LAN
    Image Family: C1140
    Wireless Switch Management Version: 8.1.111.0
Extracting files...
c1140-k9w7-mx.153-3.JBB1/ (directory) 0 (bytes)
extracting c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-mx.153-3.JBB1 (119277 bytes).........................
extracting c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1 (7954956 bytes)..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
extracting c1140-k9w7-mx.153-3.JBB1/8001.img (152668 bytes).................................
extracting c1140-k9w7-mx.153-3.JBB1/T2.bin (8080 bytes).
extracting c1140-k9w7-mx.153-3.JBB1/T5.bin (23836 bytes).....
extracting c1140-k9w7-mx.153-3.JBB1/info (283 bytes)
extracting c1140-k9w7-mx.153-3.JBB1/file_hashes (32088 bytes).......
extracting c1140-k9w7-mx.153-3.JBB1/final_hash (141 bytes)
extracting c1140-k9w7-mx.153-3.JBB1/final_hash.sig (513 bytes)
extracting c1140-k9w7-mx.153-3.JBB1/img_sign_rel.cert (1375 bytes)
extracting c1140-k9w7-mx.153-3.JBB1/img_sign_rel_sha2.cert (1371 bytes)
extracting info.ver (283 bytes)
Deleting current version: flash:/c1140-k9w8-mx.124-23c.JA2...done.
New software image installed in flash:/c1140-k9w7-mx.153-3.JBB1
Configuring system to use new image...done.
Requested system reload in progress...download took about 358 seconds
Loading "flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-mx.153-3.JBB1"...############

File "flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-mx.153-3.JBB1" uncompressed and installed, entry point: 0x4000
executing...
enet halted

Secondary Bootloader - Starting system.
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................
Xmodem file system is available.
flashfs[0]: 204 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32385024
flashfs[0]: Bytes used: 11546624
flashfs[0]: Bytes available: 20838400
flashfs[0]: flashfs fsck took 12 seconds.
Reading cookie from system serial eeprom...Done
Base Ethernet MAC address: f8:66:f2:44:5a:e4

Secondary bootloader Ethernet not enabled, skip ether_init
Boot CMD: 'boot  flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1;flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1'
Loading "flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1"...##################################
File "flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1" uncompressed and installed, entry point: 0x4000
executing...

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 15.3(3)JBB1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 23-Jul-15 10:50 by prod_rel_team

Initializing flashfs...
FLASH CHIP:  Numonyx P33
Checking for Over Erased blocks
......................................................................................................................................................................................................................................................

flashfs[2]: erasing block[38]...
flashfs[2]: erasing block[40]...
flashfs[2]: 204 files, 8 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 32126976
flashfs[2]: Bytes used: 11546624
flashfs[2]: Bytes available: 20580352
flashfs[2]: flashfs fsck took 12 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.

Radio0  present 8363 8000 90020000 0 90030000 B
Rate table has 300 entries (16 legacy/64 11n/220 11ac)

POWER TABLE FILENAME = flash:/c1140-k9w7-mx.153-3.JBB1/T2.bin

Radio1  present 8363 8000 98020000 0 98030000 0
POWER TABLE FILENAME = flash:/c1140-k9w7-mx.153-3.JBB1/T5.bin

Ethernet speed is 1000 Mb - FULL duplex

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1142N-A-K9 (PowerPC405ex) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FTX1431K7K7
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from watchdog timer expired
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F8:66:F2:44:5A:E4
Part Number                          : 73-11451-08
PCA Assembly Number                  : 800-30554-06
PCA Revision Number                  : A0
PCB Serial Number                    : FOC14302BGX
Top Assembly Part Number             : 800-31273-04
Top Assembly Serial Number           : FTX1431K7K7
Top Revision Number                  : A0
Product/Model Number                 : AIR-LAP1142N-A-K9



Press RETURN to get started!


*Mar  1 00:00:16.061: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar  1 00:00:16.062: *** CRASH_LOG = YES

*Mar  1 00:00:18.480: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar  1 00:00:18.656: Loading Power Tables from flash:/c1140-k9w7-mx.153-3.JBB1/T2.bin. Class = A
*Mar  1 00:00:18.657:  record size of 2ss: 404 read_ptr: 215F3F0

*Mar  1 00:00:19.511: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar  1 00:00:19.596: Loading Power Tables from flash:/c1140-k9w7-mx.153-3.JBB1/T5.bin. Class = A
*Mar  1 00:00:19.596:  record size of 2ss: 404 read_ptr: 215F3F0
Base Ethernet MAC address: F8:66:F2:44:5A:E4

*Mar  1 00:00:22.274: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:23.963: Starting Ethernet promiscuous mode
*Mar  1 00:15:43.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:15:43.003: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar  1 00:15:43.003: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Mar  1 00:15:43.022: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 15.3(3)JBB1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 23-Jul-15 10
ap>
ap>
ap>
ap>
ap>
ap>
ap>:50 by prod_rel_team
*Mar  1 00:15:43.022: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
*Mar  1 00:15:43.051: No configuration in NVRAM..Auto Install initiated..
*Mar  1 00:15:43.983: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:15:44.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar  1 00:15:44.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar  1 00:15:
ap>47.595: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
ap>en
Password:
ap#sh ver
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 15.3(3)JBB1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 23-Jul-15 10:50 by prod_rel_team

ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1)

ap uptime is 0 minutes
System returned to ROM by watchdog timer expired
System image file is "flash:/c1140-k9w7-mx.153-3.JBB1/c1140-k9w7-xx.153-3.JBB1"
Last reload reason:



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-AP1142N-A-K9 (PowerPC405ex) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FTX1431K7K7
PowerPC405ex CPU at 586Mhz, revision number 0x147E
Last reset from watchdog timer expired
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F8:66:F2:44:5A:E4
Part Number                          : 73-11451-08
PCA Assembly Number                  : 800-30554-06
PCA Revision Number                  : A0
PCB Serial Number                    : FOC14302BGX



Before converting a LWAP to autonomous mode, you need to understand the type of IOS image running on these platforms. I found the following blog post very useful for summarizing the IOS types and understanding the image naming convention.
The following are the three types of IOS available; you need to download the correct type before starting the conversion process.
  • k9w7 – autonomous IOS
  • k9w8 – full lightweight IOS (this is what is bundled in the WLC .aes image, and is factory installed on “mesh” APs)
  • rcvk9w8 – lightweight recovery image – this is factory installed on lightweight APs, unless a “mesh” image is specified; it lacks radio firmware
In our case we require k9w7 for the autonomous conversion, more specifically c1140-k9w7-tar.124-25d.JA.tar, as my AP is an 1142.
To convert a lightweight AP to an autonomous AP, you need a PC directly connected to the AP’s Ethernet port. If you are powering the AP from the switch (i.e. using PoE), then the PC and the AP need to be on two switch ports in the same VLAN. In my example the PC is 10.10.10.1/24 and the AP is 10.10.10.102/24.
Console into the access point and enter the following configuration.
AP5475.d0f5.2ee7#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Dot11Radio0                unassigned      NO  unset  up                    up      
Dot11Radio1                unassigned      NO  unset  up                    up      
GigabitEthernet0           unassigned      YES DHCP   up                  up  
AP5475.d0f5.2ee7#debug capwap console cli   <- without this line the LWAP does not accept conf t
AP5475.d0f5.2ee7#conf t
AP5475.d0f5.2ee7(config)#ip default-gateway 10.10.10.1
AP5475.d0f5.2ee7(config)#int g0
AP5475.d0f5.2ee7(config-if)#ip address 10.10.10.102 255.255.255.0
AP5475.d0f5.2ee7(config-if)#no sh
AP5475.d0f5.2ee7#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds: !!!!!
AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-k9w7-tar.124-25d.JA.tar
examining image...
Loading c1140-k9w7-tar.124-25d.JA.tar from 10.10.10.1 (via GigabitEthernet0): !
extracting info (283 bytes)
Image info:
    Version Suffix: k9w7-.124-25d.JA ....................
Once the conversion process is over, you can verify that the right image is on your access point.
ap>en
Password:  <-- default password is Cisco
ap#
ap#sh version
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 09-Dec-10 15:24 by prod_rel_team

ROM: Bootstrap program is C1140 boot loader
BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(18a)JA3, RELEASE SOFTWARE (fc1)

ap uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w7-mx.124-25d.JA/c1140-k9w7-mx.124-25d.JA"
For the conversion back to LWAP, use the recovery image (e.g. c1140-rcvk9w8-tar.124-25d.JAL.tar). We can use the same command in the autonomous AP’s privileged mode.
AP5475.d0f5.2ee7#archive download-sw /force-reload /overwrite tftp://10.10.10.1/c1140-rcvk9w8-tar.124-25d.JA.tar
The following Cisco Support Community forum video demonstrates the above process.
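The image naming convention listed above (k9w7 / k9w8 / rcvk9w8) and the post-conversion check of the "System image file is" line can be turned into a small script. The following is an added example, not code from the original post or from Cisco: it parses AP image file names and flash paths, rebuilds the version string that show version prints, and confirms that the booted image is of the expected type and that the banner version agrees with the version encoded in the image path. The helper names (parse_image_name, running_image, check_conversion) and the show version sample, modelled on the output above, are this example's own assumptions.

```python
"""Classify Cisco AP image names and verify the running image after an
archive download-sw conversion.

Added example, not code from the original post. The feature-set codes
are the ones the post lists (k9w7 autonomous, k9w8 full lightweight,
rcvk9w8 lightweight recovery); helper names and the sample 'show version'
text are this example's own constructions.
"""
import re
from typing import Dict, Optional

IMAGE_TYPES = {
    "k9w7": "autonomous",
    "k9w8": "lightweight (full, bundled in the WLC .aes image)",
    "rcvk9w8": "lightweight recovery (no radio firmware)",
}

# Matches names such as c1140-k9w7-tar.124-25d.JA.tar, c1140-k9w7-mx.153-3.JBB1
# and c1140-rcvk9w8-tar.124-25d.JA.tar (also inside a flash:/ path).
_IMAGE_RE = re.compile(
    r"(?P<platform>c\d{4})-(?P<featureset>rcvk9w8|k9w8|k9w7)-"
    r"(?P<kind>tar|mx|xx)\.(?P<version>\d+-[0-9a-z]+\.[A-Z0-9]+)"
)
_SYSIMG_RE = re.compile(r'System image file is "([^"]+)"')
_BANNER_RE = re.compile(r"Cisco IOS Software, .*?Version ([^,\s]+),")


def ios_version(raw: str) -> str:
    """'124-25d.JA' -> '12.4(25d)JA', the form that 'show version' prints."""
    train, rest = raw.split("-", 1)
    rebuild, suffix = rest.split(".", 1)
    return f"{train[:-1]}.{train[-1]}({rebuild}){suffix}"


def parse_image_name(name: str) -> Optional[Dict[str, str]]:
    """Return platform, feature set, image type and version for an AP
    image file name or flash path, or None if the name is not in that form."""
    m = _IMAGE_RE.search(name)
    if not m:
        return None
    fs = m.group("featureset")
    return {
        "platform": m.group("platform"),
        "featureset": fs,
        "type": IMAGE_TYPES[fs],
        "version": ios_version(m.group("version")),
    }


def running_image(show_version: str) -> Optional[str]:
    """Path from the 'System image file is' line of 'show version' output."""
    m = _SYSIMG_RE.search(show_version)
    return m.group(1) if m else None


def check_conversion(show_version: str, expected_featureset: str) -> Dict[str, object]:
    """Confirm the AP booted an image of the expected feature set and that
    the banner version matches the version encoded in the image path."""
    path = running_image(show_version)
    info = parse_image_name(path) if path else None
    banner = _BANNER_RE.search(show_version)
    banner_version = banner.group(1) if banner else None
    ok = (info is not None
          and info["featureset"] == expected_featureset
          and banner_version == info["version"])
    return {"path": path, "image": info, "banner_version": banner_version, "ok": ok}


# Constructed sample modelled on the 'sh version' output shown in the post.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(25d)JA, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
ROM: Bootstrap program is C1140 boot loader
ap uptime is 0 minutes
System returned to ROM by reload
System image file is "flash:/c1140-k9w7-mx.124-25d.JA/c1140-k9w7-mx.124-25d.JA"
"""

if __name__ == "__main__":
    for name in ("c1140-k9w7-tar.124-25d.JA.tar",
                 "c1140-k9w8-mx.124-23c.JA2",
                 "c1140-rcvk9w8-tar.124-25d.JA.tar"):
        print(name, "->", parse_image_name(name))
    print(check_conversion(SAMPLE_SHOW_VERSION, "k9w7"))
```

Run check_conversion on the pasted output of sh version with the feature set you intended to install ("k9w7" after the autonomous conversion, "rcvk9w8" after converting back); a result with ok set to False means either the wrong image type booted or the banner version and the image path disagree, which is worth looking at before trusting the unit.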