manualshive.com logo in svg

Black Box LWN602HA, User Manual

Share
Download
Black Box LWN602HA User Manual Download Page 130

724-746-5500   |   blackbox.com 

Page 130

724-746-5500   |   blackbox.com 

Chapter 9: Common Configuration Examples

To save the firewall policy and close the dialog box, click “Save.”

NOTE:  You do not have to create a policy to control incoming traffic because you will set the default action to deny all incoming 

and outgoing traffic not specified in any of the policy rules.

User Profile

A user profile contains the rate control and queuing QoS settings, VLAN, firewall policies, tunnel policy, and schedules that you 
want the SmartPath AP to apply to traffic from certain users. Because the SSID in this example uses a preshared key for user 
authentication, you can assign a single user profile to it.* The SmartPath AP then applies the various settings in the user profile to 
all traffic on this SSID.

*An SSID using a preshared key supports a single user profile. An SSID using 802.1X authentication can support multiple user  
profiles.

To define a user profile so that SmartPath APs can apply the appropriate QoS settings, VLAN, and firewall policies to all traffic on 
that SSID, click Configuration > User Profiles > New, enter the following, leave the other settings as they are, and then click Save:

    Name: Self-reg-guests(3)

 

 The number 3 is included as part of the user profile name so that you can easily know its attribute number when looking 
at the user profile name.

    Attribute Number: 3

 

 You must enter an attribute number that is unique for the WLAN policy to which the user profile is attached. Although 
you can define different user profiles with the same attribute number in SmartPath EMS VMA, the attribute number 
must be unique for each user profile that appears in the same WLAN policy. You can set an attribute number between 1 

and 4095. (The default user profile "default-profile", which cannot be deleted, uses attribute 0.)

 

 In this example, you only associate the user profile to an SSID that authenticates users with a preshared key, so the attri-
bute number is not used here. It becomes important if you use a remote RADIUS authentication server for IEEE 802.1X 
authentication. When replying to a successful user authentication request, the server returns a set of attributes, and 
SmartPath APs use a combination of three of them to determine which user profile to assign to traffic from an authenti-
cated user:

 

 

Tunnel-Type = GRE (10)

 

 

Tunnel-Medium-Type = IP (1)

 

 

Tunnel-Private-Group-ID = <number>

If a SmartPath AP receives all three attributes and the Tunnel-Private-Group-ID matches the attribute of a user profile, it then 
applies that user profile to traffic from the authenticated user. Regardless of its ultimate use in an SSID using a preshared key or 
802.1X, the attribute number for a user profile is a required setting.

    Default VLAN: 1

    Description: Visiting guests

    Manage users for this profile via User Manager: (clear)†

†Although not a component in this example, User Manager is an excellent option for guest management. Information about  
setting up and managing users through User Manager is available in the SmartPath EMS VMA on-line Help. You can perform a 
search for “User Manager,” or navigate through the TOC to Home > Administration > User Manager.

Expand Firewalls, and enter the following in the IP Firewall Policy section:

   From-Access: guest-IP-policy-from-access

 

This is the policy that you created in "Firewall Policy."

Summary of Contents for LWN602HA

Page 1: ...ise Wireless System User Guide LWN602A LWN600VMA LWN602AE LWN600CM 1 LWN602HA LWN600CM 3 LWN602HAE LWN602WA Order toll free in the U S Call 877 877 BBOX outside U S call 724 746 5500 FREE technical support 24 hours a day 7 days a week Call 724 746 5500 or fax 724 746 0746 Mailing address Black Box Corporation 1000 Park Drive Lawrence PA 15055 1018 Web site www blackbox com E mail info blackbox com...

Page 2: ... are registered trademarks of Cisco Technologies Inc Ekahau is a registered trademark of Ekahau Oy AKA Ekahau Inc ERICO and CADDY are registered trademarks of Erico International Corporation Android is a trademark of Google Inc HP and OpenView are registered trademarks of Hewlett Packard Company Tera Term Pro Hilgraeve and Hyperterminal are registered trademarks of Hilgraeve Inc Juniper Networks i...

Page 3: ...rning Notices LWN602A devices are restricted to indoor use due to their operation in 5 GHz frequencies which are shared by mobile satellite systems and government radar systems The FCC requires that these products only be used indoors to reduce the potential for harmful interference with co channel radar that might be operating in the 5 25 5 35 or 5 47 5 725 GHz frequency ranges in the same area T...

Page 4: ...ificadores que producen calor 11 El aparato eléctrico deberá ser connectado a una fuente de poder sólo del tipo descrito en el instructivo de operación o como se indique en el aparato 12 Precaución debe ser tomada de tal manera que la tierra fisica y la polarización del equipo no sea eliminada 13 Los cables de la fuente de poder deben ser guiados de tal manera que no sean pisados ni pellizcados po...

Page 5: ...ements for 5 GHz radio equipment EN 300 328 Technical requirements for 2 4 GHz radio equipment EN 301 489 1 EN 301 489 17 EMC requirements for radio equipment WEEE and RoHS Compliance SmartPath products have been reviewed analyzed and found to be in compliance with the European Union EU directive for Waste Electrical and Electronic Equipment WEEE and with the EU directive for the Restriction of Ha...

Page 6: ...or channels from 36 to 48 is 17 dBm in the ETSI region Because this maximum is enforced by SmartPath OS the SmartPath AP automatically limits the power to 17 dBm even if the setting is greater than that The availability of some specific channels and or operational frequency bands are country dependent and are firmware programmed at installation to match the intended destination The firmware settin...

Page 7: ...onnel only SmartPath APs must be connected to a grounded earthed outlet to comply with international safety standards Do not connect SmartPath APs to an AC outlet power supply without a ground earth connection The appliance coupler the connector to the unit and not the wall plug must have a configuration for mating with an EN 60320 IEC320 appliance inlet The socket outlet must be near the SmartPat...

Page 8: ...uration Denmark only The supply plug must comply with Section 107 2 D1 Standard DK2 1a or DK2 5a Switzerland The supply plug must comply with SEV ASE 1011 U K only The supply plug must comply with BS1363 3 pin 13 A and be fitted with a 5 A fuse that complies with BS1362 The power mains cord must be HAR or BASEC marked and be of type HO3VVF3GO 75 minimum IEC 320 receptacle ...

Page 9: ... 28 2 3 6 Deploying with Confidence 30 2 4 Basic Wi Fi Concepts 30 2 5 New and Enhanced SmartPath OS Features for Release 4 0r1 34 2 6 New and Enhanced SmartPath EMS VMA Features for Release 4 0r1 34 2 7 New and Enhanced SmartPath OS and SmartPath EMS VMA Features for Release 4 1r1 35 3 The Smart Path AP LWN602HA Overview 36 3 1 Hardware Description 36 3 2 Ethernet and Console Ports 38 3 2 1 Smart...

Page 10: ...ath EMS VMA 91 8 6 Example 6 Assigning the Configuration to SmartPath APs 97 8 7 Example 7 Selective Multicast Forwarding through GRE Tunnels 101 8 8 Example 8 IP Multicast Enhancements 103 9 Common Configuration Examples 105 9 1 Example 1 Mapping Locations and Installing SmartPath APs 105 9 1 1 Setting Up Topology Maps 106 9 1 2 Preparing the SmartPath APs 109 9 1 3 NetConfig UI 111 9 2 Example 2...

Page 11: ...e 1 Deploying a Single SmartPath AP 162 11 2 Example 2 Deploying a Cluster 165 11 3 Example 3 Using IEEE 802 1x Authentication 170 11 4 Active Directory Configuration Improvement 173 11 5 RADIUS Authentication for VHM Administrators 176 11 6 Example 4 Applying QoS 177 11 7 Example 5 Loading a Bootstrap Configuration 184 11 8 Command Line Interface CLI Commands for Examples 186 11 8 1 Commands for ...

Page 12: ... RJ 45 power input pins Wires 4 5 7 8 or 1 2 3 6 NOTE When using 802 af power should be applied to both Ethernet ports to maintain all features see Section 3 2 1 Smart PoE Size 1 25 H x 8 5 W x 8 D 3 2 x 21 5 x 20 3 cm Weight 3 lb 1 4 kg 1 2 Smart Path AP LWN602A Antennas 2 omnidirectional 802 11b g n antennas and 2 omnidirectional 802 11a n antennas Interface RJ 45 power input pins Wires 4 5 7 8 ...

Page 13: ...l pole mount pole must be 1 to 3 5 2 5 cm to 8 9 cm in diameter wall or flat surface mount PoE Nominal Input Voltage 48 V 30 watts Wind Speed Tolerance 165 mph 266 kph Connectors 1 RJ 45 Ethernet connector autosensing 10 100 1000 Mbps compliant with the IEEE 802 3at standard for PoE Temperature Tolerance Operating 40 to 131 F 40 to 55 C Storage 40 to 176 F 40 to 80 C Relative Humidity Up to 100 Si...

Page 14: ...nal quality and reliability issues might arise when transmitting video such as for training video or surveillance operations because of the sheer size of the data stream Other applications such as network backup and file transfers can also have an impact on the network Therefore take into account any bandwidth intensive applications if you expect your mobile workforce to be accessing the WLAN whil...

Page 15: ...k walls cubicle walls glass and elevator shafts impact signal quality differently You can often load these blueprints into a planning or site survey tool to make the process easier What devices need to access the WLAN Determine and document the full complement of devices that people will use to access the WLAN The performance requirements of the WLAN will depend on both the applications and the ca...

Page 16: ... a SmartPath network is no exception Unfortunately a traditional challenge of budgeting for Wi Fi is that it is difficult to know how many access points to plan for until you have deployed and measured them There are methods of doing site surveys before a deployment to answer these questions While doing so is often worthwhile you might just need a general idea of what you should budget Fortunately...

Page 17: ...uantity of access points These costs include the following Installation and Wiring CAT5 CAT5 wiring is required for all SmartPath APs acting as portals One advantage of SmartPath networks is that you can deploy SmartPath APs in a mesh to avoid some of the wiring costs Power Power lines are required for all SmartPath APs acting as mesh points Portals receive power through power lines or through Eth...

Page 18: ...ients Access Point Density 20 MHz 40 MHz Coverage low capacity 12 to 24 Mbps 39 Mbps 81 Mbps 1 access point per 8000 square feet Standard office deployment 36 Mbps 104 Mbps 216 Mbps 1 access point per 5000 square feet Standard office deployment with voice 54 Mbps 130 to 144 Mbps 270 to 300 Mbps 1 access point per 2000 to 3000 square feet NOTE Data rate is not the same as TCP throughput Because of ...

Page 19: ... most office environments because you have large flat floors However it can be a problem in environments with high ceilings Toroidal Pattern Cardioid Pattern Figure 2 1 Omnidirectional antenna radiation patterns The SmartPath AP can accommodate external antennas via coaxial jacks on its chassis The jack is a standard male RP SMA con nector Various patch directional and omnidirectional antennas can...

Page 20: ...ure coverage 2 2 7 Preparing the Wired Network for Wireless One of the advantages of moving to a Black Box WLAN is that you do not have to make changes to the underlying network such as putting controllers into wiring closets This can save you considerable time and effort during installation However some network changes might make sense for some deployments For example you might want to add additi...

Page 21: ...how their effect on signal attenuation After adding walls including perimeter walls you can diminish their opacity so that they blend into the background map instead of standing out prominently in the foreground To adjust their opacity click Operation Global Settings or right click the top level map name and click Global Settings Then choose the percent of opacity that you want for the walls from ...

Page 22: ...can define different settings which SmartPath EMS VMA retains for each one when they return to the topology section Note that making the tree width too narrow can cause some of the information in the notifications section at the bottom of the tree panel to be cut off Figure 2 6 Navigation tree width Auto Placement Improvements The calculation for the automatic placement of SmartPath AP icons on a ...

Page 23: ...roughs to ensure that the design goals of the wireless network continue to be met The SmartPath EMS VMA provides quick views into how the network is behaving which SmartPath APs are the most heavily loaded and which have the most clients 2 3 2 Spectrum Analysis Black Box SmartPath APs have the ability to perform spectrum analysis in both the 2 4 GHz and 5 GHz band Spectrum analysis provides a live...

Page 24: ...igation buttons are also displayed Figure 2 8 Status bar Settings Click to open a dialog box in which you can change the parameters of the spectrum analysis Modify the following settings and then click Update Interface Choose which interface you want to use to collect data by the band with which it is associated If you choose 2 4 GHz 11n b g then the SmartPath AP uses its wifi0 interface to monito...

Page 25: ...to the spectrum analysis page simply click this icon or perform the same steps to start an analysis Attempting to start an analysis while one is already running does not start a new instance rather it returns to the view of the current analysis in progress Stop When you click Stop the current analysis ends SmartPath EMS VMA appliance allows for 10 concurrent scans and SmartPath EMS Online displays...

Page 26: ...meters Band You can choose which band you want to monitor in this display 2 400 2 500 GHz 5 150 5 350 GHz 5 470 5 725 GHz or 5 725 5 850 GHz Channels Choose one of the channel combinations in the drop down list to display channel boundaries within the graph Center Use this control to scroll the graph right or left You can use the Center control in combination with the Span control to zoom in on a ...

Page 27: ... map reports the frequency on the horizontal axis the history in sweeps on the vertical axis and the power encoded as a set of colors Blue indicates low power levels whereas red indicates high power levels the gradient of colors from light blue through green yellow and orange indicates intermediate power levels On maximizing this display you gain access to the following additional display paramete...

Page 28: ...els 2 3 3 Troubleshooting Some of the most common issues that arise after deploying a new wireless network are RF interference RADIUS issues and desk top client issues The first step in troubleshooting is to look at logs and use debug commands Black Box offers an extensive set of event monitoring and debug tools that you can use through SmartPath EMS VMA the SmartPath AP network management sys tem...

Page 29: ...ps an attack when there are no more clients associated with the mitigated rogue AP for this length of time The default setting is 3600 seconds 1 hour If the SmartPath AP detects any associated clients before this length of time elapses it sends a deauth flood attack and resets the counter to begin the countdown again If there are no more clients associated with the AP after this length of time ela...

Page 30: ...2 3 6 Deploying with Confidence Moving a large enterprise or even a small one to a WLAN for the very first time need not be daunting If you have moderate experience with LAN deployments of other types and you have taken time to get answers to the important questions that will affect the network data load you have every prerequisite for success The bottom line is to remember to take stock of your p...

Page 31: ...ise floor Signal to Noise Ratio Distance Noise Received Signal Figure 2 10 Path loss in an open space When clients send a packet the ratio of the signal to noise SNR level defines the quality of the link which is directly related to the performance of the network Based on the SNR the client and AP negotiate a data rate in which to send the packet so the higher the SNR the better For good performan...

Page 32: ...GHz spectra Signal to Noise Ratio Distance Noise Received Signal Figure 2 12 Path loss with noise from a microwave Now that you have a sense of how Wi Fi performance changes over distance and with noise look at some ways to perform channel assignment If two access points are on the same channel right next to each other they are forced to share the same spectrum This means that they share the 54 Mb...

Page 33: ... most use a 7 to 1 pattern as is shown on the right in Figure 2 6 This channel layout is much more flexible than the 3 channel system and allows for much better capacity over all channels The last topic to cover is the concept of multipath When a client receives a transmission from an access point or vice versa the RF signal reaches the client first through a direct path but then shortly thereafte...

Page 34: ...l an admin manually unbinds it User Profile Reassignment SmartPath APs can reassign users to different user profiles based on their MAC addresses or OUIs operating systems and device domain names This allows a user to go on the network with the same credentials but be assigned one user profile when using one type of device and a different profile when using another NetConfig UI By default SmartPat...

Page 35: ...or to allow all except to a few destinations Multiple Default Routing It is now possible to configure multiple Layer 2 routes based on the VLAN ID of a user so that the SmartPath AP can route Layer 2 traffic through different Ethernet interfaces as appropriate This allows for example a guest user on a corporate network segment to access a more appropriate segment for routing to the Internet while ...

Page 36: ... 3af and 802 3at standards 3 1 Hardware Description The SmartPath AP is a multichannel wireless access point It is compatible with IEEE 802 11b g n 2 4 GHz and IEEE 802 11a n 5 GHz standards and supports a variety of wireless fidelity Wi Fi security protocols including Wi Fi Protected Access WPA and WPA2 You can see the hardware components on the SmartPath AP in Figures 3 1 and 3 2 Each component ...

Page 37: ... network or to a wired device such as a security camera through these ports using bridging They are compatible with 10 100 1000BASE T TX and auto matically negotiate half and full duplex connections with the connecting device They are autosensing and adjust to straight through and cross over Ethernet cables automatically For details see Section 3 2 Ethernet and Console Ports Power connector The 48...

Page 38: ...s over ETH0 8 1 Figure 3 3 View of the ETH0 PoE port on the SmartPath AP LWN602HA Table 3 2 PoE wire usage and pin assignments Pin Data Signal 802 3af Alternative A Data and Power on the Same Wires 802 3af Alternative B Data and Power on Separate Wires 802 3at Wiring Options MDI MDI X MDI or MDI X 1 2 3 4 1 Transmit DC DC DC1 DC1 DC1 DC1 2 Transmit DC DC DC1 DC1 DC1 DC1 3 Receive DC DC DC1 DC1 DC1...

Page 39: ...n them is that the white green solid green pair of wires and the white orange solid orange pair are reversed For straight through Ethernet cables using either the T568A or T568B standard the eight wires terminate at the same pins on each end For cross over Ethernet cables the wires terminate at one end according to the T568A standard and at the other according to T568B 3 2 1 Smart PoE The SmartPat...

Page 40: ...then the SmartPath AP transmits broadcast traffic through all the access interfaces ETH0 ETH1 and all wireless subinterfaces in access mode In addition to using ETH0 and ETH1 as individual interfaces you can combine them into an aggregate interface agg0 to increase throughput or combine them into a redundant interface red0 to increase reliability The logical red0 and agg0 interfaces support all th...

Page 41: ...the SmartPath AP uses when both interfaces have network connectivity Because the SmartPath AP uses eth0 as the primary interface by default it is unnecessary to specify primary in the first command above However it is included to make the role of eth0 as the primary interface obvious NOTE No extra configuration is necessary on the connecting switch or switches to support a redundant interface Inte...

Page 42: ...you can use the console cable that is available as an extra accessory Insert the RJ 45 connector into the SmartPath AP console port and attach the DB9 connector to the serial or COM port on your management system The management system must have a VT100 terminal emulation program such as Tera Term Pro a free terminal emulator or Hilgraeve Hyperterminal provided with Windows operating systems If you...

Page 43: ...g Power Dark No power Steady green Powered on and the firmware is running normally Pulsing green Firmware is booting up Steady amber Firmware is being updated Pulsing amber Alarm indicating a firmware issue has occurred Steady red Alarm indicating a hardware issue has occurred ETH0 and ETH1 Dark Ethernet link is down or disabled Steady green 1000 Mbps Ethernet link is up but inactive Pulsing green...

Page 44: ...or vertically the antennas hinge and swivel see Figure 3 8 Although cluster members automatically adjust their signal strength according to their environments you can resize the area of coverage by increasing or decreasing the signal strength manually by entering the interface wifi0 wifi1 radio power number command where number can be from 1 to 20 and represents a value in dBm 5 GHz Antenna for IE...

Page 45: ...e transmitter separates a single data stream into multiple spatial streams one for each RF chain an antenna various digital signal processing modules linked to the antenna The transmit antennas at the end of each RF chain then transmit their spatial streams The recipi ent s receive antennas obtain streams from all the transmit antennas In fact because of multipath they receive multiple streams fro...

Page 46: ...l others absorb it The receiver can end up receiving multiple copies of the original signal all kind of muddled together However the digital signal processors in the multiple receive chains are able to combine their processing efforts to sort through all the received data and reconstruct the original message Furthermore because the transmitter makes use of multiple RF chains there is an even riche...

Page 47: ...dards while continuing to support 802 11a and 802 11g clients To do that enter the following command no radio profile string allow 11b clients By blocking access to 802 11b clients their slower data rates cannot clog the WLAN when the amount of wireless traffic increases 3 5 Mounting the SmartPath AP LWN602HA Using the mounting plate and track clips you can mount the SmartPath AP to the tracks of ...

Page 48: ...ck 3 Through the oblong opening in the plate drill a hole in the ceiling tile not shown Then pass one or both Ethernet cables through the hole and if you plan to supply power from an AC power source rather than through PoE pass the power cable through as well Drill a hole in the ceiling tile and feed cables through here Ceiling Track Track Clip worms s eye view with ceiling tiles removed for clari...

Page 49: ...ion Locking the SmartPath AP LWN602HA To lock the SmartPath AP to the mounting plate use either a Kensington lock or the lock adapter that is included with the mounting kit and a small padlock not included To use a Kensington lock loop the cable attached to the lock around a secure object insert the T bar component of the lock into the device lock slot on the SmartPath AP and then turn the key to ...

Page 50: ... mounting plate Squeeze the hanger clip to pull the tabs on its feet inward until they snap upward into the two holes on either side of the larger hole Hanger clip Mounting plate Figure 3 15 Fitting the hanger clip to the mounting plate 3 Attach the SmartPath AP to the mounting plate and then attach the antennas to the connectors see Figure 3 16 With the SmartPath AP upside down align its port sid...

Page 51: ...til the claws on each leg grips the track below the top ridge see Figure 3 17 Remove the ceiling tile and enter the plenum Press the hanger frame onto the ceiling track Figure 3 17 Clipping the hanger frame onto the track 6 Insert the hanger clip upward through the center slot in the hanger frame and then twist it counterclockwise until the clip snaps into a locked position against the sides of th...

Page 52: ...mm 0 059 inch wire rope with hook and a locking device ERICO supplies these items in its CADDY SPEED LINK product line The part number for the quad toggle is SLD15QT250 and that for the set that includes the wire rope hook and locking device is SLD15L2T These items are available through various suppliers 1 With the recessed side of the mounting plate facing downward insert the four ends of the qua...

Page 53: ...n of the slots and holds the device firmly in place below the mounting plate 1 2 Mounting Plate The recommended holes for the four strands are shaded in Mounting plate Figure 3 19 Connecting the quad toggle and SmartPath AP to the mounting plate 3 Draw the wire rope over a support beam fasten the hook around the wire and pull the wire until the hook is snug against the underside of the beam 4 Push...

Page 54: ...ng PoE connect the power cord to a power source Height Correction If you accidentally pull too much wire rope through the locking device raising the SmartPath AP too high and you then need to lower it do the following Take a tool such as a screwdriver with a 1 8 flat tip and press it against the lip of the inner tube in the opposite direction from the arrow on the outside of the locking device see...

Page 55: ...rtPath AP Wall 1 With the two wings at the sides of the plate extending away from the surface attach the mounting plate to a secure object such as a wall or beam Use 8 screws for the oblong holes and 10 for the larger round ones 2 Cut or drill a hole through one of the openings in the mounting plate to pass the cables through to the SmartPath AP 3 Insert the tabs on the mounting plate into the slo...

Page 56: ...2 x 20 3 cm Weight 3 lb 1 36 kg Antennas Three omnidirectional 802 11b g n antennas and three omnidirectional 802 11a n antennas Serial port RJ 45 bits per second 9600 data bits 8 parity none stop bits 1 flow control none Ethernet ports autosensing 10 100 1000 Mbps both ports are compliant with the IEEE 802 3af standard and the forthcoming 802 at standard for PoE Power over Ethernet Power Specific...

Page 57: ... features Of particular interest is their support of 2x2 MIMO For more information see Section 3 4 1 MIMO and Section 3 4 2 Using MIMO with Legacy Clients 4 1 Hardware Description The SmartPath AP LWN602A is a multichannel wireless access point It contains a dual band radio that can operate at either 2 4 GHz or 5 GHz but not in both bands simultaneously The SmartPath AP contains a 2 4 GHz radio an...

Page 58: ...neously the device draws power through the power connector and automatically disables PoE The ETH0 port is compatible with 10 100 1000BASE T TX and automatically negotiates half and full duplex connections with the connecting device It is autosensing and adjusts to straight through and cross over Ethernet cables automatically For details see Section 4 2 Ethernet Port 48 VDC Power Connector The 48 ...

Page 59: ...the CLI enter no system led brightness soft dim off The four settings are represented graphically in Figure 4 2 Bright Soft Dim Off Bright Soft Dim Off Figure 4 2 Adjustable status indicator brightness levels 4 4 Antennas Antennas are an integral part of the SmartPath AP LWN602A The SmartPath AP LWN602A has four internal single band antennas Two of the antennas operate in the 2 4 GHz band IEEE 802...

Page 60: ...tion 1 Position the clip so one tab is over the edge of the ceiling track The ceiling track is shown as transparent to expose the tab above the track The two prongs press upward against the middle of the ceiling track 2 Press the other tab upward flexing the prongs against the track until the tab clears the edge of the track Position the clip so one tab is over the edge of the ceiling track The ce...

Page 61: ...way Then attach the SmartPath AP to the screws as explained in Section 4 5 2 Surface Mount Locking the SmartPath AP To lock the SmartPath AP to a secure object use a Kensington lock and cable Loop the cable around a securely anchored object insert the Kensington lock in the device lock slot in the SmartPath AP and engage the locking mechanism Figure 4 7 Device Lock Slot Kensington Security Lock Lo...

Page 62: ... stationary object For information see Locking the SmartPath AP in Section 4 5 1 4 6 Device Power and Environmental Specifications Understanding the specifications for the SmartPath AP LWN602A is necessary for optimal deployment and device operation The following specifications describe the physical features and hardware components the power adapter and PoE Power over Ethernet electrical requireme...

Page 63: ...the deployment of large numbers of SmartPath APs Scheduled firmware upgrades on SmartPath APs by location Exportation of detailed information on SmartPath APs for reporting Server Requirements Minimum Hardware Processor Dual core 2 GHz or better Memory 2 GB dedicated to SmartPath EMS Virtual Appliance at least 1 GB for the computer hosting it Disk 60 GB dedicated to SmartPath EMS Virtual Appliance...

Page 64: ...administrators managing their own set of SmartPath APs Without the expense of buying a physical appliance or SmartPath EMS VMA Virtual Appliance SmartPath EMS Online can be the most cost efficient choice for managing a small number of SmartPath APs After purchasing SmartPath EMS Online you receive your login URL and credentials in an e mail message After logging in you enter the SmartPath landing ...

Page 65: ...ackbox com remains connected to it If the SmartPath AP MAC address or serialnumber is not in Smartpath blackbox com then Smartpath blackbox com does not respond to the CAPWAP connection attempts from that SmartPath AP For details about the initial CAPWAP connection process see How SmartPath APs Connect to SmartPath EMS VMA in Section 8 4 6 1 Captive Web Portal Enhancements The default captive Web ...

Page 66: ...ch in this case occurs when a user clicks an image of the Black Box logo img src Black Box gif on a form with the action set as reg php the method set as post and an attribute set with the value of checkbox it then considers the user as having passed the registration process You can add as many links to the page as you like as long as each one has a different form name such as form1 form2 form3 an...

Page 67: ...timal paths that various mechanisms in the control plane determine The control plane is the logical division of traffic that Cluster members use to collaborate on how best to forward user data coordinate radio frequencies and provide Layer2 and Layer3 roaming capabilities with each other To the wired network Management System Figure 7 1 Three communication planes in the cooperative control archite...

Page 68: ...nnect the power cable to a 100 240 volt power source and turn on SmartPath EMS VMA The power switch is on the back panel of the device 2 Connect one end of an RS 232 serial cable to the serial port or COM port on your management system 3 Connect the other end of the cable to the male DB9 console port on SmartPath EMS VMA 4 On your management system run a VT100 emulation program using the following...

Page 69: ...e it for SmartPath EMS VMA management traffic Both SmartPath EMS VMA and SmartPath AP management traffic would need to flow on the operational network because SmartPath EMS VMA would need to communicate with the SmartPath APs from its MGT interface see Figure 7 3 However if the separation of both types of traffic is not an issue then using just the MGT interface is a simple approach to consider MG...

Page 70: ...twork Settings and Tools and then 1 again for View Set IP Netmask Gateway DNS Settings The serial connection settings are explained in Changing Network Settings in Section 7 1 Installing and Connecting to the SmartPath EMS VMA GUI A login prompt appears 4 Type the default name admin and password blackbox in the login fields and then click Log in Figure 7 4 Login screen 5 After logging in to SmartP...

Page 71: ...f the GUI shown below or click Home Administration License Management Copy the key from the e mail and paste it in the appropriate field Figure 7 7 GUI You are now logged in to the SmartPath EMS VMA GUI Later after completing the Global Settings page in the next steps you can check details about the installed entitlement key and licenses on the Home Administration License Management page You can a...

Page 72: ...Modify SmartPath EMS VMA displays the Guided Configuration page to assist you with the main configuration steps Device level settings for SmartPath APs The three major WLAN policy level configuration objects which reference all other configuration objects user profiles SSIDs and WLAN policies The transfer of the device and policy level settings from SmartPath EMS VMA to SmartPath APs 7 2 Introduct...

Page 73: ...dows in which you set and view various parameters Notifications SmartPath EMS VMA displays a summary of new SmartPath APs rogue clients rogue APs and alarms detected on managed SmartPath APs here Clicking a displayed number opens the relevant page with more details Some convenient aspects that the SmartPath EMS VMA GUI offers are the ability to clone configurations apply configurations to multiple...

Page 74: ...ath EMS VMA only shows the red line for transmitted frames because the mouse is over the red box next to Rx Frames in the legend 7 2 2 CAPWAP Latency Reports CAPWAP Latency Reports SmartPath EMS VMA tracks the average latency in its CAPWAP connections to each managed SmartPath AP and displays an icon indicating the average amount of current latency in the Connection column on the Monitor Access Po...

Page 75: ...e search icon and select the areas of the GUI that you want to include and clear those that you want to exclude see Figure 7 12 Figure 7 12 Search tool The following items are ignored when using the search tool The names of fields in dialog boxes The settings on the following Home Administration pages SmartPath EMS VMA Settings SmartPath EMS VMA Services and SPM Notification Mail List Certificates...

Page 76: ...hrase that you want to find with spaces See the SmartPath EMS VMA on line Help for more information on the Search tool 7 2 4 Multiselecting You can select multiple objects to make the same modifications or perform the same operation to all of them at once Select the check boxes to select multiple noncontiguous objects or shift click to select check boxes for multiple contiguous objects ...

Page 77: ...the top SmartPath AP and hold down the SHIFT key while selecting the checkbox for the eighth SmartPath AP from the top 7 2 5 Cloning Configurations When you need to configure multiple similar objects you can save time by configuring just the first object cloning it and then making slight modifications to the subsequent objects With this approach you can avoid re entering repeated data To clone an ...

Page 78: ...eorder itself alphanumerically or chronologically in either ascending or descending order Clicking the header a second time reverses the order in which the data is displayed By default displayed objects are sorted alphanumerically from the top by name If you click the name again the order is reversed that is the objects are ordered alphanumerically from the bottom Figure 7 16 Sorting event log ent...

Page 79: ...alog box to continue with its configuration When SmartPath APs are in the same subnet as SmartPath EMS VMA they can use CAPWAP Control and Provisioning of Wireless Access Points to discover SmartPath EMS VMA on the network CAPWAP works within a Layer 2 broadcast domain and is enabled by default on all SmartPath APs If the SmartPath APs and SmartPath EMS VMA are in different subnets then you can us...

Page 80: ... the connecting switch than the switch can provide you can set a maximum power level that SmartPath APs can request in their LLDP advertisements on the Configuration Advanced Configuration Network Objects LLDP CDP Profiles New page By default the maximum is 15 4 watts 7 4 Updating Software on SmartPath EMS VMA You can update the software running on SmartPath EMS VMA from either a local directory o...

Page 81: ...ng them NOTE When upgrading both SmartPath EMS VMA software and SmartPathOS firmware do so in this order Upgrade SmartPath EMS VMA SmartPath EMS VMA can manage SmartPath APs running the current version of SmartPathOS and also previous versions going back two major releases Upload the new SmartPathOS firmware to the managed SmartPath APs and reboot them to activate it Reload the SmartPathOS configu...

Page 82: ...are To use this option accurately make sure that both SmartPath EMS VMA and managed SmartPath AP clocks are synchronized Activate after Select to load the firmware on the selected SmartPath APs and activate it after a specified interval The range is 0 3600 seconds that is immediately to one hour The default is 5 seconds Activate at next reboot Select to load the firmware and not activate it The lo...

Page 83: ...ll SmartPath APs clear so that the data transfer along that path is not disrupted Therefore when updating a firmware image or configuration on SmartPath APs in a mesh environ ment make sure that the portal or a mesh point closer to the portal does not reboot before the upload to a mesh point farther away completes Switch SmartPath AP Portal SmartPath AP Mesh Point 1 SmartPath AP Mesh Point 2 Smart...

Page 84: ...ined in the first two examples Section 8 4 Example 4 Access and Backhaul on the Same Radio Section 8 5 Example 5 Connecting SmartPath APs to SmartPath EMS VMA Cable two SmartPath APs to the network to act as portals and set up a third one as a mesh point Put the SmartPath APs on the same subnet as SmartPath EMS VMA and allow them to make a CAPWAP connection to SmartPath EMS VMA Section 8 6 Example...

Page 85: ...nial of service DoS policies MAC filters and schedules and specify the SSID name that the SmartPath AP advertises in beacons and probe responses The profile name not the SSID name although they can both be the same is the one that appears in the Available SSIDs list in the WLAN Policy dialog box You will later choose this SSID when defining a WLAN policy in Section 8 3 When you type in a profile n...

Page 86: ...are in access mode In the series of examples in this chapter you set the 5 GHz radio in backhaul mode and the 2 4 GHz radio in access mode Therefore you assign the SSID to the 2 4 GHz band To see how the different SSID settings determine the way that the SmartPath AP advertises the SSID and how clients form associations with it see Figure 8 2 Beacons Client SSID test1 psk Key method WPA PSK or WPA...

Page 87: ...P devices in Section 8 5 NOTE A WLAN policy is different from a cluster Unlike the members of a WLAN policy who share a set of policy based configurations the members of a cluster communicate with each other and coordinate their activities as access points WLAN policy members share configurations Cluster members work together collaboratively Click Configuration Advanced Configuration Clusters New ...

Page 88: ...ed to configure items on the first page see Figure 8 3 Figure 8 3 WLAN policy general settings Click Configuration WLAN Policies New enter the following on the first page of the new WLAN policy dialog box leave all the other settings as they are and then click Save Name wlan policy test1 You cannot use spaces in the WLAN policy name Description Test WLAN policy for learning how to use the GUI remo...

Page 89: ...and back haul see below then the SmartPath AP selects the wifi1 interface to form the mesh link NOTE There are two places in the GUI that affect mesh failover the backhaul failover settings in the specified radio profile and the radio mode settings for the SmartPath AP To enable backhaul failover it must be enabled in the radio profile and the radio must be in either backhaul or dual mode Backhaul...

Page 90: ...s and determines that SmartPath AP 3 has the best signal quality SmartPath AP 2 changes its channel to match that of SmartPath AP 3 and establishes a mesh link on Channel 161 Figure 8 4 Overview of failover To configure a SmartPath AP to use access and backhaul simultaneously Click Monitor Access Points SmartPath APs select the check box next to the SmartPath AP you want to configure click Modify ...

Page 91: ... the switch uses PoE to provide power to SmartPath APs 1 and 2 Wired Link Wireless Link SmartPath EMS VMA Single Subnet Layer 2 Broadcasting Domain Router Firewall DHCP Server Switch PSE The switch delivers power to SmartPath AP1 and Smart Path AP2 through PoE SmartPath AP1 Portal SmartPath AP3 Mesh Point SmartPath AP3 receives power from a 100 240 VAC outlet SmartPath AP2 Portal SmartPath AP3 rec...

Page 92: ...fter the SmartPath AP has an IP address for its mgt0 interface and has discovered or has been configured with the SmartPath EMS VMA IP address it begins in the Discovery state For information about various ways that SmartPath APs can form a secure CAPWAP connection with a physical SmartPath EMS VMA appliance or a SmartPath EMS VMA Virtual Appliance in the same or different subnets and with SmartPa...

Page 93: ...covery Request message and responds with a Discovery Response Discovery State Sulking State The client sends a Join Request Join State Run State Idle State When the client determines its neighbor is dead it transitions from the Run state to the Idle state The CAPWAP client and server perform a DTLS Datagram Transport Layer Security handshake to establish a secure DTLS connection The server sends a...

Page 94: ...ach its default gateway By default the SSID name is host name _ac Form a wireless association with the SmartPath AP through this SSID check the IP address of the default gateway that the SmartPath AP assigns to your wireless client and then make an SSH or Telnet connection to the SmartPath AP at that IP address When you first connect the Initial CLI Configuration Wizard appears Because you do need...

Page 95: ...its LAN interface and that the IP address settings for the MGT interface are accurate see SP Admin SmartPath EMS VMA Settings Interface Settings in the SmartPath EMS VMA GUI What is the status of the CAPWAP client running on the SmartPath AP To check the CAPWAP status of a SmartPath AP enter the show capwap client command Compare the RUN state with the CAPWAP states explained in Figure 8 5 Check t...

Page 96: ...omain name or IP address or configure them so that they can learn it through DHCP or DNS settings When SmartPath APs have the IP address of the CAPWAP server they then send unicast CAPWAP Discovery Request messages to that address Log in to the CLI on the SmartPath AP and enter the IP address or domain name of the CAPWAP server capwap client server name string Configure the DHCP server to supply t...

Page 97: ...oadcasts CAPWAP Discovery messages on its local subnet for a CAPWAP server SmartPath EMS VMA If SmartPath EMS VMA is on the local network and responds they form a secure CAPWAP connection The SmartPath AP tries to connect to SmartPath EMS VMA using the following default domain name smartpathemsvma local_domain where local_domain is the domain name that a DHCP server supplied to the SmartPath AP If...

Page 98: ... same time select the checkbox in the header to the left of Host Name which selects the checkboxes of all the SmartPath APs and then click Modify The SmartPath APs Modify Multiple dialog box appears 4 From the WLAN Policy drop down list choose wlan policy test1 This is the WLAN policy that you created in Section 8 3 Do not modify any of the other basic settings 5 In the Optional Settings section e...

Page 99: ...hey are deployed from the New Country Code drop down list NOTE Be sure to choose the correct country An incorrect choice might result in illegal radio operation and cause harmful interference to other systems In the Activate after field set an interval in seconds after which the SmartPath AP reboots to activate the updated country code settings Make sure that the checkbox for SmartPath AP3 is sele...

Page 100: ...ee options found in the Settings section for uploading configurations are as follows Complete Upload This option uploads the complete configuration to the selected SmartPath APs and reboots them to activate their new configuration Delta Upload Compare with last SmartPath EMS VMA config This option uploads only the parts of the configuration that were not previously pushed to the SmartPath APs from...

Page 101: ...will reestablish their connections 8 7 Example 7 Selective Multicast Forwarding through GRE Tunnels SmartPath APs can selectively block or allow broadcast and multicast traffic through GRE tunnels to reduce traffic congestion You can filter traffic either by using a blacklist to block all broadcast and multicast traffic or to block all except to a few select destina tions or by using a whitelist t...

Page 102: ... Name text box This name can be up to 32 characters long 3 In the GRE Tunneling Selective Multicast Forwarding section select whether you want to begin with an open filter by selecting Allow All or a closed filter by selecting Block All NOTE For most applications you want to begin with a closed filter and then specify the multicast addresses you want to forward through the GRE tunnels The steps th...

Page 103: ...less network data transmitted by multiple stations on the same RF channel in an overlapping area must share the same physical transportation resource the available airtime When an access point transmits unicast traffic it uses a rate adaptation algorithm to determine the fastest data rate at which it can communicate with each station When transmitting multicast traffic the access point must choose...

Page 104: ...ditionally select Always If you do not want the SmartPath AP to use the multicast to unicast conversion feature but instead follow the standard 802 11 behavior for sending multicast frames select Disable In addition to the conversion technique SmartPath APs also perform Internet Group Management Protocol IGMP snooping to check if any multicast group members are associated and when they are not the...

Page 105: ...on server Section 9 3 Example 3 Providing Guest Access through a Captive Web Portal Provide controlled and limited wireless network access for guests This example includes the configuration of a captive web portal QoS policy IP firewall policy user profile and SSID Section 9 4 Example 4 Private PSKs Import a file of user names e mail addresses and other data to create private PSK users Assign the ...

Page 106: ...ure You need to make png of jpg files of drawings or blueprints showing the layout of each floor Also as an easy means of organizing the maps in the SmartPath EMS VMA GUI you create a file showing the three buildings HQ B1 HQ B2 and Branch 1 By using this drawing at the top topographical level you can display icons for each floor of each building You can then click an icon to link to its correspon...

Page 107: ...Update Root Map Name CorpOffices Note that spaces are not allowed in map level names This will be the map at the top of a hierarchical structure of maps After defining this map you can then add other maps beneath it Operational Environment Because the CorpOffices map does not contain any SmartPath AP icons it is an illustration of three buildings that you use to organize the submaps of the floors ...

Page 108: ... Map Name HQ B1 F1 Map Icon Floor Environment Because the environment is that of a typical office building choose Office The environment assists in the prediction of signal strength and attenuation shown in the heat maps Background Image Choose HQ B1 F1 png from the drop down list Map Width optional 120 feet SmartPath EMS VMA automatically calculates map height using the aspect ratio of the image ...

Page 109: ...to all Level 2 maps NOTE You can add up to seven levels to the map hierarchy You can also remove maps as long as they do not have any submaps or SmartPath AP icons on them To remove a map from the hierarchy right click it in the Map Hierarchy list select Remove from the short cut menu that pops up and then click Yes 9 1 2 Preparing the SmartPath APs There are several approaches that you can take w...

Page 110: ...o associate a SmartPath AP with a map and provide a description of where on the map each SmartPath AP belongs 1 Make copies of the maps you uploaded to SmartPath EMS VMA label them and take them with you for reference when installing the SmartPath APs 2 For each SmartPath AP that you install do the following 2 1 Make a serial connection to the console port and log in see Log in through the console...

Page 111: ...P after attempting to reach a DHCP server for about two minutes fails over to its default IP address 192 168 1 1 To access the NetConfig UI you have several options Manually set the network settings on your management system to 192 168 1 2 24 and connect an Ethernet cable between eth0 on the SmartPath AP and the Ethernet port on your system You can then open a browser and connect to the NetConfig ...

Page 112: ... discover a physical SmartPath EMS VMA appliance SmartPath EMS VMA Virtual Appliance or SmartPath EMS Online you can also specify a particular SmartPath EMS VMA instance To configure how the SmartPath AP communicates with SmartPath EMS VMA click SmartPath EMS VMA Configuration enter the following and then click Apply SmartPath EMS VMA IP Address or Host Name Type the IP address of the SmartPath EM...

Page 113: ...the firmware automatically select Activate at next reboot If you select this option the SmartPath AP loads the new firmware the next time it boots up 9 2 Example 2 IEEE 802 1x with an External RADIUS Server You can configure SmartPath APs to act as RADIUS authenticators also known as RADIUS clients or network access server NAS devices They forward IEEE 802 1X EAP user authentication requests and r...

Page 114: ...configuration to them In other words the SmartPath APs are already under SmartPath EMS VMA management by the time you begin the configuration in this example If that is not yet the case see Chapter 8 before continuing VLANs and User Profiles To begin you create two VLAN objects and then two user profiles each of which references one of the VLANs When you configure the SSID later you reference both...

Page 115: ... Default VLAN VLAN 10 Description For employees to use VLAN 10 6 To create a user profile for IT staff select the check box of the user profile that you just created Emp 1 and then click Clone The User Profiles dialog box appears with the settings for Emp 1 7 For Name enter IT 2 for Attribute Number enter 2 for Default VLAN choose VLAN 20 modify the text in the Description field to For IT staff to...

Page 116: ...stablishing a RADIUS session it is important that the shared secret be fairly strong Therefore you use the longest string possible 32 alphanumeric characters randomly arranged To see the text strings that you enter clear the Obscure Password checkbox Server Role Primary To provide server redundancy you can configure up to four RADIUS servers designating one as the primary server and the others as ...

Page 117: ...ects the SmartPath AP RADIUS authenticators to forward authentication requests from RADIUS supplicants to the RADIUS authentication server that you just defined Click Configuration SSIDs New enter the following leave all other values at their default settings and then click Save Profile Name corp wifi SSID corp wifi Description Employee and IT WLAN access 802 1X SSID Access Security WPA WPA2 802 1...

Page 118: ...icy that has already been applied to the SmartPath APs Add Remove SSID Profile select corp wifi in the Available SSID Profiles list click the right arrow to move it to the Selected SSID Profiles list click Apply to add the SSID to the WLAN policy and then click Save to save the modified policy and close its dialog box 2 Click Monitor Access Points SmartPath APs checkboxes for the two SmartPath AP ...

Page 119: ...t Several of these are examined first Registration Types Providing Network Settings and Modifying Captive Web Portal Pages and then a complete configuration example is presented 9 3 1 Registration Types There are five types of registration four are shown in Figure 9 7 that a captive Web portal can require of users Self Registration With this option users must complete a registration form and accep...

Page 120: ...rtPath AP itself Captive Web Portal with External DHCP and DNS Servers With this approach when the client of a previously unregistered visitor first associates with the guest SSID the SmartPath AP allows DHCP and DNS traffic to pass through so that the client can receive its address and TCP IP assignments and resolve domain names to IP addresses It also allows ICMP traffic for diagnostic purposes ...

Page 121: ...enforces a firewall policy that blocks ICMP services from registered users it will also block them from unregistered users In contrast to ICMP DHCP and DNS are essential services that must always be permitted by the SmartPath AP firewall The SmartPath AP allows DHCP traffic to pass between the client of an unregistered user and a DHCP server so that the client can receive its IP address and TCP IP...

Page 122: ... and forwards all types of traffic to the rest of the network as permitted by firewall policies assigned to that user profile Registration Quarantine MAC 0016 cf8c 57bc Registered MAC 0016 cf8c 57bc DHCP DNS HTTP Figures 9 9 and 9 10 Captive Web portal exchanges using HTTP To enable the captive web portal to forward DHCP and DNS traffic from unregistered users to external servers on the network cl...

Page 123: ...2 16 1 1 Lease 10 Seconds By default a SmartPath AP assigns IP addresses to subinterfaces for captive web portal use as follows wifi0 1 wifi0 7 172 16 1 1 172 16 7 1 wifi1 1 wifi1 7 172 16 11 1 172 16 17 1 3 4 DNS Querient DNS Server HTTP Client HTTP Server DNS Address Resolution HTTP Connection to the Captive Web Portal DNS Query DNS Reply HTTP GET Reply When the HTTP client sends a GET command t...

Page 124: ...3 3 Modifying Captive Web Portal Pages Black Box provides html files and images for use on the captive Web portal server and a tool in the GUI to modify the supplied text colors and images to better suit the needs of your organization The various file names and their purposes are as follows An example of the default web page components is shown in Figure 9 14 registration html the main login page ...

Page 125: ...on Requires users to enter data and accept a network use policy before being allowed to pass through the captive Web portal Both Auth Self reg Requires users to submit either one of the two types of registration Use Policy Acceptance Requires users to accept a network usage policy before accessing the network There is also a fifth option External Authentication which redirects unregistered users H...

Page 126: ...nal script reg php The background image foreground color header image and footer image function similarly to those on the Login page You can specify the same images or different ones on the result pages and you can use preloaded images or import others to use instead NOTICE The main difference between the success page and the login page is the notice that is displayed to users By default the notic...

Page 127: ...d Web files and the default network settings The DHCP DNS and ICMP traffic from the clients of unregistered users is allowed to pass through the SmartPath AP to external servers QoS Rate Limiting To allot guests with enough bandwidth to satisfy basic network access but not enough to interfere with employee traffic click Configuration Advanced Configuration QoS Policies Rate Control Queuing New ent...

Page 128: ...ick Apply Network select Object Name 10 0 0 0 8 In the IP Entry field enter 10 0 0 0 for the IP address 255 0 0 0 for the netmask choose Global for the type enter a useful description such as Deny RFC 1918 private addresses and then click Apply To save the address and close the dialog box click Save Repeat the above to create two more address objects one for 172 16 0 0 12 IP address 172 16 0 0 net...

Page 129: ...HIFT key while selecting multiple contiguous services and the CTRL key while selecting multiple contiguous or non contiguous services When you click Apply SmartPath EMS VMA generates a separate rule for each service SmartPath EMS VMA adds new rules to the bottom of the rule list so that if you enter the rules in the order presented above they will already be in the correct positions as shown in Fi...

Page 130: ...artPath EMS VMA the attribute number must be unique for each user profile that appears in the same WLAN policy You can set an attribute number between 1 and 4095 The default user profile default profile which cannot be deleted uses attribute 0 In this example you only associate the user profile to an SSID that authenticates users with a preshared key so the attri bute number is not used here It be...

Page 131: ...h he or she belongs These rates can be the same as or greater than the individual user rates Setting a rate limit of 2000 kbps provides guests with a basic amount of available bandwidth without interfering with the bandwidth usage of other users such as employees Scheduling Weight 5 The weight defines a preference for forwarding traffic It does not specify a percentage or an amount Its value is re...

Page 132: ...nd then click Save Profile Name guest SSID guest Description SSID for registering company guests SSID Access Security WPA WPA2 PSK Personal Use Default WPA WPA2 PSK Settings select Key Value and Confirm Value guest123 Enable Captive Web Portal select CWP guest1 Self Registration Access User Profile Self reg guests 3 SSID Broadcast Band 2 4 GHz 11n b g WLAN Policy To add the SSID to an existing WLA...

Page 133: ... then click Submit To test the captive Web portal 1 Take a wireless client near one of the SmartPath APs and form an association with the guest SSID entering guest123 when prompted for the preshared key 2 After the client has formed an association open a Web browser The SmartPath AP intercepts the HTTP or HTTPS traffic from your browser to the URL of its home page and redirects it to the login pag...

Page 134: ... Figure 9 17 SmartPath EMS Database SmartPath EMS Admin Private PSK User SmartPath AP Database E mail private PSK user accounts directly to users from SmartPath EMS While forming an association with the specified SSID users enter their PSK when prompted for a network key Users are authenticated Update private PSK user accounts in the SmartPath AP database and update the configurationwith a private...

Page 135: ...e on different SmartPath APs to differentiate their roles clearly However a single SmartPath AP can act as both a private PSK authenticator and server Step 1 Make a Private PSK User Group Create a user group for automatically generated private PSK users All users added to this group automatically inherit the attributes that you set for the group Click Configuration Advanced Configuration Authentic...

Page 136: ...ID a captive Web portal through which users can self register the private PSK user groups whose users you want to assign to people registering successfully and the user profiles that you want to apply to their traffic You also create a registration SSID which is a companion to the private PSK SSID being configured Users initially connect to the registration SSID to get their private PSKs Then they...

Page 137: ...when you configured it in Step 1 and remember it Click the New icon to open a section where you can create a user profile Type a name that includes the same number as the attribute of the private PSK user group that you created enter that number again in the Attribute Number field and enter the VLAN ID that you want the SmartPath AP to assign to traffic from these users If you want to configure ot...

Page 138: ...on Login Page The user completes the self registration form and submits it in an HTTP POST message The private PSK authenticator forwards the HTTP POST message to the captive Web portal on the private PSK server at 10 1 1 1 The private PSK authenticator forwards the HTTP redirection to the client The private PSK authenticator displays the success page which includes the private PSK and SSID 2 The ...

Page 139: ...00 seconds 10 minutes to 24 hours User Name Prefix Type a text string to be added to the beginning of to all automatically generated private PSK users You can also include the private PSK user validity period here by entering a text string such as 2 day 1 week 3 week and so on If you include numbers and special characters be sure to include them in the Character types used in generated PSKs and ma...

Page 140: ... of the year Automatically Binding a Private PSK to a Client MAC Address When configuring a private PSK SSID you have the option to bind a private PSK to the MAC address of the first client that uses it This provides tighter control over which devices can use the private PSK to access the network For example there might be a policy permitting network connections for corporate owned devices only an...

Page 141: ...Attribute Number 30 The SmartPath AP uses this attribute number to link the user profile to a user group with the same attribute You can use any number between 1 and 4095 Default VLAN 1 Description Corporate employees To define a user profile for contractors with a firewall policy that allows basic network protocols to the public network while blocking access to the internal network click Configur...

Page 142: ...ct the one you want to use to distinguish a type of client device If you want to create a user profile reassignment policy rule for a single device select MAC address or If you want to make a policy rule that applies to devices with a range of MAC addresses such as a shipment of company purchased laptops enter the MAC Address Range or If you want to set a policy rule for all clients with the same ...

Page 143: ... network SmartPath APs learn the domain for users devices from the domain name that users enter when logging in with their user name domain name and password SmartPath APs can discern the domain name when any of the following formats are used domain user _ name user _ name domain host user _ name domain Based on the ability of SmartPath APs to detect a specific domain name or the presence of any d...

Page 144: ...click New add the three client classification objects and the user profile reassignment and then click Apply The order of the rules within a policy is important SmartPath APs look for a match to the individual rules starting from the top and as soon as they find a match that is the rule that is applied To reorder the rules within a policy select the checkbox to the left of the ID of the rule that ...

Page 145: ...rement has significance in Section 9 4 4 9 4 5 Importing Private PSK Users Create a list of private PSK users in a csv file assign them to the two private PSK user groups Employees 30 and Contractors 35 and import the file to SmartPath EMS VMA 1 Define a set of private PSK users in a CSV formatted file and save it to your management system The left to right order of columns in file must be as foll...

Page 146: ...e Private PSK User Groups list and then click the right arrow to move them to the Selected Private PSK groups list User Profiles for Traffic Management Select Employees 30 and Contractors 35 in the Available User Profiles list and then click the right arrow to move them to the Selected User Profiles list SSID Broadcast Band 2 4 GHz 11n b g This is the broadcast band for the radio operating in acce...

Page 147: ...le 5 Using SmartPath AP Classifiers In SmartPath EMS VMA some network objects can support multiple definitions as long as each definition is uniquely classified by a map name SmartPath AP name or classifier tag and one of the definitions is classified as global The definition classified as global is what SmartPath EMS VMA applies when none of the other more specific classification types are applic...

Page 148: ...fice 4 Update all the SmartPath APs and note how the user profile at each site has the correct VLAN definition 9 5 1 Set SmartPath AP Classifiers Click Monitor Access Points SmartPath APs view mode Config and then click the column heading Topology Map to group the managed SmartPath APs by the map to which they are assigned Multiselect the SmartPath APs belonging to all the maps at Branch Office 2 ...

Page 149: ...ranch offices Click Configuration User Profiles user_profile_name choose branchVLAN 10 20 30 from the Default VLAN drop down list and then click Save The relationships among the objects from the SmartPath APs down to each VLAN definition are as follows SmartPath AP WLAN policy SSID user profile VLAN object VLAN definition VLAN 10 Type global branch2 VLAN 20 Type classifier branch2 branch3 VLAN 30 ...

Page 150: ...th AP can route Layer 2 traffic through different Ethernet interfaces as appropriate This allows for example a guest user on a corporate network segment to access a more appropriate segment for routing to the Internet while the SmartPath AP forwards traffic from an employee on a different VLAN through a different Ethernet interface Multiple Default Routes SmartPath APs with two Ethernet ports can ...

Page 151: ...e SmartPath AP forwards it out eth0 which is the egress interface in its default Layer 2 route Figure 9 21 Multiple default routes There are two places that require configuration to forward traffic in this way Steps 1 3 configure the Ethernet interfaces to accept tagged frames Steps 4 6 configure the SmartPath AP to forward the internal traffic between interfaces Furthermore the following process ...

Page 152: ...example 11 30 a non contiguous list of VLAN IDs separated by commas for example 15 20 25 or a combination of these formats for example 11 15 20 25 30 Be careful to avoid permitting access to the VLAN of your corporate network on an interface permitting access to the VLAN of your public network as this might expose your corporate data to guests and other non corporate users 4 Expand the Routing sec...

Page 153: ...e cluster member to another Best path routing for optimized data forwarding Automatic radio frequency and power selection Wired or Wireless Cluster Communications Backhaul Wireless Network Access Connections Wired Ethernet Network Connections Not shown Switches for wired backhaul connections and the portal link to the wired network Wireless Clients Cluster Members Wireless Clients Wireless Clients...

Page 154: ...fic between SmartPath APs and SmartPath EMS VMA and control traffic among cluster members interface mgt0 vlan number wifi0 and wifi1 interfaces wifi0 mode access wifi1 mode backhaul To change the mode of the wifi0 or wifi1 interface interface wifi0 wifi1 mode access backhaul wifi0 radio profile radio_g0 wifi1 radio profile radio_a0 To change the radio profile of the wifi0 or wifi1 interface to a d...

Page 155: ...rations refer to the management of a SmartPath AP and its connectivity to wireless clients the wired network and other cluster members The following list contains some key areas of device level configurations and relevant commands Management Administrators admin authentication method login parameters and admin privileges admin auth manager ip min password length read only read write root admin Log...

Page 156: ...u use a RADIUS server configure it to return attributes for the realm to which the wireless users belong After authenticating a user the server returns these attributes with the Access Accept message The attributes indicate which user profile to apply to the user and the profile in turn indicates the QoS policy to apply qos policy string interface interface ssid string Second configure a user prof...

Page 157: ... which is a file stored in nonvolatile flash memory See Figure 10 3 Note The commands in bold have not yet been saved which is why they do not appear in the current config Current Config in flash memory Running Config in DRAM The running config comprises the current config plus any commands that have not yet been saved The running config runs in DRAM The current config comprises saved commands plu...

Page 158: ...ig for diagnostics See Figure 10 5 Current Config existing config Backup Config newly uploaded config file After uploading a new config file the following two config files are stored in flash memory on the SmartPath AP When you reboot the SmartPath AP it tries to load the backup config Either of the following two results can occur If the newly loaded config file loads successfully it becomes the n...

Page 159: ...DHCP nor be able to communicate with SmartPath EMS VMA assuming that you are managing it through SmartPath EMS VMA In this case you would have to make a serial connection to the console port on the SmartPath AP and reconfigure its cluster settings through the CLI To avoid the above situation you can use a bootstrap config A bootstrap config is typically a small config file that comes last in the b...

Page 160: ...e bootstrap NOTE Similar to the way that a current config consists of the commands you added on top of the default config a bootstrap config consists of default definitions and settings plus whatever other settings you configure After it is loaded you can enter the following command to view the bootstrap file show config bootstrap If you want to run the bootstrap config enter the following command...

Page 161: ...the last example can apply equally well to the configurations in the others In Loading a Bootstrap Configuration in Section 11 5 you load a bootstrap config file on the SmartPath APs When a bootstrap config is present it loads instead of the default config whenever SmartPathOS is reset or if the current and backup configs do not load This example shows how using a bootstrap config can help minimiz...

Page 162: ... both interfaces provide access wifi0 at 2 4 GHz and wifi1 at 5 GHz enter this command interface wifi1 mode access Then in addition to binding SSID employee to wifi0 as explained in Step 2 also bind it to wifi1 Wireless Network 1 SmartPath AP Wireless clients associate with SmartPath AP 1 using SSID employee with the security suite WPA auto psk PSK N38bu7Adr0n3 wifi0 interface SSID employee Access...

Page 163: ...tocol suite and preshared key N38bu7Adr0n3 in standard ASCII American Standard Code for Information Interchange text interface wifi0 ssid employee You assign the SSID to the wifi0 interface which is in access mode by default When you make this assignment the SmartPath AP automatically creates subinterface wifi0 1 and uses that for the SSID The SmartPath AP LWN602HA supports up to eight per interfa...

Page 164: ...less client application and con nect to the employee SSID Then contact a network resource such as a web server 2 Log in to the SmartPath AP CLI and check that you can see the MAC address of the associated client and an indication that the correct SSID is in use by entering the following command show ssid employee station Check that the MAC address in the table matches that of the wireless client C...

Page 165: ...ork they act as portals In contrast SmartPath AP 3 is a mesh point Wireless Network 1 Wireless Network 2 SmartPath AP 1 Portal SmartPath AP 2 Portal SmartPath AP 3 Mesh Point Wireless Network 3 Cluster 1 DHCP Server Firewall Switch Internet Wired Cluster Backhaul Communications Wireless Cluster Backhaul Communications Wired Network Access Connections Wired Ethernet Network Communications SmartPath...

Page 166: ...e SmartPath AP model the default profile might be radio_a0 This is a profile for radio2 which operates in the 5 GHz frequency range as specified in the IEEE 802 11a and n standards show interface State Operational state Chan Channel Radio Radio profile U up D down Name MAC addr Mode State Chan VLAN Radio Cluster SSID Mgt0 0019 7700 0020 U 1 cluster1 Eth0 0019 7700 0020 backhaul U 1 cluster1 Wifi0 ...

Page 167: ... source After SmartPath AP 2 finishes booting up indicated when the Power LED changes from steady amber to steady green it auto matically discovers another member of cluster1 SmartPath AP 1 The two members use a preshared key based on their shared secret s1r70ckH07m3s to authenticate each other and AES to encrypt wired backhaul communications and AES CCMP to encrypt wireless backhaul communication...

Page 168: ... The following are the various cluster states that can appear Disv Discover Another SmartPath AP has been discovered but there is a mismatch with its cluster ID Neibor Neighbor Another SmartPath AP has been discovered whose cluster ID matches but it has not yet been authenticated CandPr Candidate Peer The cluster ID on a discovered SmartPath AP matches and it can accept more neighbors AssocPd Asso...

Page 169: ...Caching update times 60 No Supplicant Authenticator UID PMK PMKID Life Age TLC Hop AL 0 0016 cf8c 57bc 0019 7700 0024 0 1349 1615 1 46 195 1 YN show ssid employee station Chan channel number Pow Power in dBm A Mode Authentication mode Cipher Encryption mode A Time Associated time Auth Authenticated UPID User profile Identifier Phymode Physical mode Mac Addr IP Addr Chan Tx Rate Rx Rate Pow A Mode ...

Page 170: ...cess Connections WIred Ethernet Network Connections Wireless Network 1 Wireless Network 2 DHCP server SmartPath AP 1 SmartPath AP 3 SmartPath AP 2 Wireless Network 3 Active Directory Server Switch Firewall Internet RADIUS Server 10 1 1 10 The SmartPath APs receive Protected PEAP authentication requests from clients and forward them inside RADIUS authentication packets to the RADIUS server at 10 1 ...

Page 171: ...config NOTE Although all SmartPath APs in this example use the same shared secret they can also use different secrets 3 Enter the show interface mgt0 command to learn its IP address You need this address for Step 4 exit 4 Log in to SmartPath AP 3 and enter the same commands Step 4 Configure the RADIUS Server to accept authentication requests from the SmartPath APs Log in to the RADIUS server and d...

Page 172: ...enter other credentials to validate your identity click the prompt enter the user name and password that are stored on the RADIUS authentication server and then click OK If the supplicant is on a Macintosh computer and is not on a domain 1 View the available SSIDs in the area and select employee 2 Click Join Network 3 Accept the certificate that the RADIUS server provides assuming it is from a tru...

Page 173: ...s to work with Active Directory servers when SmartPath EMS VMA is running in Express mode The following section explains the simplified integration process Step 1 Configure Active Directory Settings for SmartPath AP RADIUS Servers Define a SmartPath AP as a RADIUS server and configure it to work with an Active Directory server The following steps explain the process when running SmartPath EMS VMA ...

Page 174: ...artPath EMS VMA attempts to retrieve the Active Directory server BaseDN If the SmartPath AP succeeds in retrieving this information it displays it along with the following message The Active Directory server IP address and the BaseDN were successfully retrieved It also displays the following options and shows the Domain Admin Credentials to Join Domain section Domain Admin Credentials to Join Doma...

Page 175: ... name that the SmartPath AP RADIUS server provides to authenticate itself to the Active Directory server when initiating a connection to request a user account lookup The form of the name must match the form that appears as an entry on the Active Directory server For example the entry name might be clusterap1 and be located in the LDAP directory structure at cn clusterap1 cn admins cn users dc bla...

Page 176: ...user profile attribute defined on SmartPath AP RADIUS authenticators By default the SmartPath AP RADIUS server maps the msRADIUSCallbackNumber attribute in Active Directory to the user profile attribute defined on SmartPath AP RADIUS authentica tors The attribute type set on the Active Directory server must be string and can be up to 32 characters long VLAN ID Enter the attribute name defined on t...

Page 177: ...when you are logged in to All VHMs If you are a VHM admin logged in to your VHM you can only see the attributes for those groups in your VHM Select read and write privileges for the features and maps that you want to enable for members of this group 3 To configure SmartPath EMS VMA to communicate with the RADIUS server click Home Administration SmartPath EMS VMA Services select HM Admin Authentica...

Page 178: ...ow the cluster members prioritize and process the traffic mapped to Classes 6 5 and 3 The QoS policy named voice is shown in Figure 11 9 and has these settings Class 6 voice Forwarding strict Cluster members forward traffic mapped to this class immediately without queuing it Maximum rate for all Class 6 traffic 512 kbps which supports an 8 to 64 kbps VoIP call depending on the compression that the...

Page 179: ... mail traffic has a better chance of being forwarded than other types of traffic when bandwidth is scarce Class 2 is for all types of traffic not mapped to an Black Box class such as HTTP for example Data QoS Policy voice You do not need to enter this command because it just sets the default values for class 2 It is shown to provide contrast with the previous command Figure 11 9 QoS policy voice f...

Page 180: ...1 Define two classifier profiles for the traffic types mac and service qos classifier profile employee voice mac qos classifier profile employee voice service qos classifier profile eth0 voice mac qos classifier profile eth0 voice service Classifier profiles define which components of incoming traffic SmartPath AP 1 checks Because you specify mac and service it checks the MAC address in the Ethern...

Page 181: ...he default settings for Class 2 traffic When you enter any one of the above commands the SmartPath AP automatically sets the maximum bandwidth for all members of the user group to which you later apply this policy and the bandwidth for any individual group member You leave the maximum traffic rate at the default 54 000 or 1 000 000 kbps depending on the SmartPath AP model that you are configuring ...

Page 182: ...a is WRR weighted round robin The SmartPath AP forwards traffic belonging to these classes by putting them into forwarding queues The weights determine how many bits per second go into each queue For every 30 bits that the SmartPath AP queues for class 2 it queues approximately 60 bits for class 3 and 90 bits for class 5 These amounts are approximations because the SmartPath AP also has an interna...

Page 183: ... net qos policy voice attribute 2 save config exit 3 Log in to SmartPath AP 3 and enter the same commands Step 5 Configure RADIUS server attributes 1 Log in to the RADIUS server and define the three SmartPath APs as RADIUS clients 2 Configure the following attributes for the realm to which the wireless user accounts in network 1 2 and 3 belong Tunnel Type GRE value 10 Tunnel Medium Type IP value 1...

Page 184: ... network and thereby become accessible over the network for further configuring For the second case a bootstrap config with a number of obstacles such as a hard to guess login name and password and a disabled access subinterface can make the firmware inaccessible and the device unusable SmartPath AP 1 and 2 are in locations that are not completely secure SmartPath AP 3 is a mesh point in a fairly ...

Page 185: ...hrough either of the portals SmartPath AP 1 or SmartPath AP 2 7 Save the configuration as a bootstrap config save config running bootstrap If anyone resets the current configuration the SmartPath AP will load this bootstrap config and thwart any thief from accessing the configuration and any wireless client from accessing the network NOTE Be careful to remember the login name and password defined ...

Page 186: ...this guide as a PDF as an easy way to copy and paste the commands Simply copy the blocks of text for configuring the SmartPath APs in each example and paste them at the command prompt NOTE The following sections omit optional commands such as changing the login name and password and commands used to check a configuration 11 8 1 Commands for Example 1 Enter the following commands to configure the S...

Page 187: ...id employee security protocol suite wpa auto 8021x save config SmartPath AP 2 aaa radius server first 10 1 1 10 shared secret s3cr3741n4bl0X ssid employee security protocol suite wpa auto 8021x save config SmartPath AP 3 aaa radius server 10 1 1 10 shared secret s3cr3741n4bl0X ssid employee security protocol suite wpa auto 8021x save config 11 8 4 Commands for Example 4 Enter the following command...

Page 188: ...0000 60 user profile employee net qos policy voice attribute 2 save config SmartPath AP 2 qos classifier map oui 00 12 3b qos 6 service mms tcp 1755 service smtp tcp 25 service pop3 tcp 110 qos classifier map service mms qos 5 qos classifier map service smtp qos 3 qos classifier map service pop3 qos 3 qos classifier profile employee voice mac qos classifier profile employee voice service qos class...

Page 189: ...loyee voice interface eth0 qos classifier eth0 voice For SmartPath APs supporting IEEE 802 11a b g qos policy voice qos 5 wrr 20000 90 qos policy voice qos 3 wrr 54000 60 For SmartPath APs supporting IEEE 802 11a b g n qos policy voice qos 6 strict 512 0 qos policy voice qos 5 wrr 20000 90 qos policy voice qos 3 wrr 1000000 60 user profile employee net qos policy voice attribute 2 save config 11 8...

Page 190: ... 11 Deployment Examples CLI show config bootstrap SmartPath AP 2 save config tftp 10 1 1 31 bootstrap security txt bootstrap show config bootstrap SmartPath AP 3 save config tftp 10 1 1 31 bootstrap meshpoint txt bootstrap show config bootstrap ...

Page 191: ...lity HTTPS Unregistered wireless client SmartPath AP Wi Fi subinterface in access mode 6 TCP 1024 65535 443 Required for captive Web portal functionality using a server key IKE SmartPath AP VPN client mgt0 interface SmartPath AP VPN server mgt0 interface 17 UDP 500 and 4500 for NAT Traversal 500 and 4500 for NAT Traversal Required for SmartPath AP VPN clients to connect to SmartPath AP VPN servers...

Page 192: ...rtPath APs and push delta configs HTTPS Management system SmartPath EMS VMA MGT port 6 TCP 1024 65535 443 Required for accessing the SmartPath EMS VMA and SmartPath EMS Online GUI SmartPath AP mgt0 interface SmartPath EMS VMA MGT port 6 TCP 1024 65535 443 Used to upload files SmartPathOS images full configs captive Web portals pages certificates from SmartPath EMS VMA and SmartPath EMS Online to S...

Page 193: ...C sublayer of Layer 2 AeroScout Reports AeroScout engine SmartPath AP mgt0 interface 17 UDP 1024 65535 1144 Required to report tracked devices to an AeroScout engine DHCP SmartPath AP mgt0 interface DHCP server 17 UDP 68 67 By default a SmartPath AP gets its IP address through DHCP Ekahau Ekahau Positioning Engine EPE SmartPath AP mgt0 interface 17 UDP 1024 65535 8552 8553 8554 Required for SmartP...

Page 194: ...th AP enter the following command show interface wifi0 wifi1 channel For example the output for the show interface wifi0 channel command on a SmartPath AP whose region code is FCC and country code is 840 United States shows that Channels 1 through 11 are available If a channel does not appear in this list you cannot configure the radio to use it The following list of country codes is provided for ...

Page 195: ...nstein 438 Lithuania 440 Luxembourg 442 Macau 446 Macedonia the former Yugoslav Republic of Macedonia 807 Malaysia 458 Malta 470 Mauritius 480 Mexico 484 Monaco Principality of Monaco 492 Morocco 504 Netherlands 528 New Zealand 554 Nicaragua 558 Norway 578 Oman 512 Pakistan Islamic Republic of Pakistan 586 Panama 591 Paraguay 600 Peru 604 Phillippines Republic of the Phillippines 608 Poland 616 Po...

Page 196: ... and racks and power and surge protection products to media converters and Ethernet switches all supported by free live 24 7 Tech support available in 30 seconds or less Copyright 2012 All rights reserved Black Box Corporation Black Box Tech Support FREE Live 24 7 Tech support the way it should be Great tech support is just 30 seconds away at 724 746 5500 or blackbox com LWN602A rev 4 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands