D-Link AirPremier DWL-2210AP Manual Download Page 64 | Manualshive

Page: 64 / 193

background image

64

64

Conﬁguring Security

The following sections describe how to conﬁgure Security settings on the D-Link
DWL-2210AP:

• Understanding Security Issues on Wireless Networks

• How Do I Know Which Security Mode to Use?

• Comparison of Security Modes for Key Management, Authentication and

Encryption Algorithms

• Does Prohibiting the Broadcast SSID Enhance Security?

• Navigating to Security Settings

• Conﬁguring Security Settings

• Broadcast SSID and Security Mode

• Plaintext

• Static WEP

• IEEE 802.1x

• WPA with RADIUS

• WPA-PSK

• Updating Settings

Understanding Security Issues on Wireless Networks

Wireless mediums are inherently less secure than wired mediums. For example, an
Ethernet NIC transmits its packets over a physical medium such as coaxial cable or
twisted pair. A wireless NIC broadcasts radio signals over the air allowing a wireless
LAN to be easily tapped without physical access or sophisticated equipment. A hacker
equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to
compromise your wireless network. One does not even need to be within normal range
of the access point. By using a sophisticated antenna on the client, a hacker may be
able to connect to the network from many miles away.

The D-Link DWL-2210AP provides a number of authentication and encryption schemes
to ensure that your wireless infrastructure is accessed only by the intended users. The
details of each security mode are described in the sections below.

See also the related topic, “Appendix A: Conﬁguring Security Settings on Wireless
Clients” in this manual.

«
...
62
63
64
65
66
...
»

Summary of Contents for AirPremier DWL-2210AP

Page 1: ...Manual Building Networks for People D Link AirPremier DWL 2210AP 802 11g Wireless Adaptive Access Point ...

Page 2: ...face 56 Enabling the Network Time Protocol Server 61 Conﬁguring Security 64 Conﬁguring Radio Settings 85 Controlling Access by MAC Address Filtering 90 Load Balancing 93 Conﬁguring Queues for Quality of Service 96 Conﬁguring the Wireless Distribution System 105 Setting Up Guest Access 113 Maintenance and Monitoring 117 Appendix A Conﬁguring Security Settings for Wireless Clients 130 Appendix B Tro...

Page 3: ...rer Version 6 0 or Netscape Navigator Version 6 0 and Above Computers with Windows Macintosh or Linux based operating systems with an installed Ethernet adapter Package Contents Note Using a power supply with a different voltage rating than the one included with the DWL 2210AP will cause damage and void the warranty for this product If any of the above items are missing please contact your reselle...

Page 4: ... Ethernet cable in this port in order to connect the DWL 2210AP to the local network LED stands for light emitting diode The DWL 2210AP has 3 LEDs Receptor for the Power Adapter Power Solid green light indicates connection Antenna connection WLAN Blinking green light indicates wireless activity Blinking green light indicates activity on the Ethernet Port solid green light indicates connection LAN ...

Page 5: ...rk WLAN deployment while providing state of the art wireless networking features The D Link DWL 2210AP provides best of breed security ease of administration and industry standards providing a standalone and fully secured wireless network without the need for additional management and security server software The D Link DWL 2210AP is a single band access point with one radio capable of broadcastin...

Page 6: ...Mbps IEEE 802 11g 11Mbps for IEEE 802 11b Wi Fi certiﬁcation Wireless Features Auto channel selection at startup Transmit power adjustment Wireless Distribution System WDS for connecting multiple access points wirelessly Extends your network with less cabling and provides a seamless experience for roaming clients Quality of Service QoS for enhanced throughput and better performance of time sensiti...

Page 7: ...nabled Clustering and Auto Management Automatic setup with Kickstart Provisioning and auto conﬁguration of APs through clustering and cluster rendezvous The administrator can specify how new access points should be conﬁgured before they are added to the network When new access points are added they can automatically rendezvous with the cluster and securely download the correct conﬁguration The pro...

Page 8: ...ardware watchdog Clustering and Auto Management continued Networking Dynamic Host Conﬁguration Protocol DHCP support for dynamically assigning network conﬁguration information to systems on the LAN Virtual Local Area Network VLAN support for Guest Access Maintainability Status monitoring and tracking views of the network including session monitoring client associations transmit receive statistics ...

Page 9: ...How Does the Access Point Obtain an IP Address at Startup Dynamic IP Addressing Static IP Addressing D Link DWL 2210AP The D Link DWL 2210AP is a wireless communications hub for devices on your network It provides continuous high speed access between your wireless and Ethernet devices in 802 11b and 802 11g The D Link DWL 2210AP offers an out of the box Guest Interface feature that allows you to c...

Page 10: ...he Access Point in Conﬁguring Basic Settings Conﬁguring Internal LAN Wireless Settings in Setting the Wireless Interface Conﬁguring Guest Network Wireless Settings in Setting the Wireless Interface Network Time Protocol NTP Enabling the Network Time Protocol Server None IP Address 192 168 0 50 The default IP address is used if you do not use a Dynamic Host Conﬁguration Protocol DHCP server You can...

Page 11: ...ed by your network setup and DHCP server conﬁguration Radio On Conﬁguring Radio Settings IEEE 802 11 Mode 802 11g Conﬁguring Radio Settings 802 11g Channel Auto Conﬁguring Radio Settings Beacon Interval 100 Conﬁguring Radio Settings DTIM Period 2 Conﬁguring Radio Settings 2346 Conﬁguring Radio Settings Fragmentation Threshold RTS Threshold 2347 Conﬁguring Radio Settings MAX Stations 2007 Conﬁgurin...

Page 12: ...or to the Internet you need a gateway device Rate Sets Mbps Basic Advertised Conﬁguring Radio Settings IEEE 802 1g 11 5 5 2 1 IEEE 802 1b 2 1 Broadcast SSID Allow Security Mode Broadcast SSID and Security Mode in Conﬁguring Security None plain text Authentication Type None MAC Filtering Allow any station unless in list Guest Login and Management Disabled Load Balancing Load Balancing Disabled Conﬁ...

Page 13: ...ect the access point to network and power in Quick Steps for Setup and Launch of Your Wireless Network After initial conﬁguration and launch of the ﬁrst access points on your new wireless network you can make subsequent conﬁguration changes through the Administration Web pages using a wireless connection to the Internal network For wireless connection to the access point your administration device...

Page 14: ...ws XP or Microsoft Windows 2000 Netscape Mozilla on Redhat Linux version 2 4 The administration Web browser must have JavaScript enabled to support the interactive features of the administration interface It must also support HTTP uploads to use the ﬁrmware upgrade feature Prelaunch Checklist You can run the KickStart Wizard on the D Link CD ROM on any Windows laptop or computer that is connected ...

Page 15: ...pports one or more of the IEEE 802 11 modes in which you plan to run the access point IEEE 802 11b and 802 11g modes are supported Wi Fi client adapters vary considerably The adapter can be a PC card built in to the client device a portable PCMCIA or PCI card types of NICs or an external device such as a USB or Ethernet adapter that you connect to the client by means of a cable The access point su...

Page 16: ...o set a proﬁle to the authentication mode used by the access point and provide a valid username and password certiﬁcate or similar user identity proof Security modes are Static WEP IEEE 802 1x WPA with RADIUS server and WPA PSK For information on conﬁguring security on the access point see the Conﬁguring Security section in this manual Wireless Client Computers continued Required Software or Compo...

Page 17: ...2210AP installed in a DHCP network in order to use the Kickstart Wizard When you run the KickStart Wizard on the CD ROM it discovers the D Link DWL 2210APs on the network and lists their IP addresses and MAC addresses In DHCP networks KickStart Wizard also provides a link to the administration Web pages of each access point using the IP address in the URL For more information about the KickStart W...

Page 18: ...n will appear Enter admin for Admin and Password The Web conﬁguration screen will appear You can change the static IP address of the DWL 2210AP so that it is within the range of your network If you do this you must also revert your computer s IP address to its previous setting within your network s range Static IP Addressing The D Link DWL 2210AP ships with a default Static IP Address of 192 168 0...

Page 19: ...cs covered here are Step 1 Unpack the access point Step 2 Connect the access point to network and power Step 3 Power on the access point Step 4 Run KickStart Wizard on the CD ROM to ﬁnd access points on the network Step 5 Log on to the Administration Web pages Step 6 Conﬁgure Basic Settings and start the wireless network Step 1 Unpack the access point Unpack the access point AP and familiarize you...

Page 20: ...ernet connection between the access point and the computer Connect one end of an Ethernet cable to the network port on the access point and the other end of the cable to the Ethernet port on the PC Step 1 Unpack the access point continued What s inside the box or Ethernet Cable Quick Steps for Setup D Link AirPremier DWL 2210AP 802 11g Wireless Adaptive Access Point Power over Ethernet base unit P...

Page 21: ...ction via Ethernet cable between the access point and the computer you will need to reconﬁgure the cabling for subsequent startup and deployment of the access point so that the access point is no longer connected directly to the PC but instead is connected to the LAN either via a Hub or directly It is possible to detect access points on the network using KickStart Wizard on the CD ROM with a wirel...

Page 22: ...on with non DHCP enabled networks Do not deploy more than one new AP on a non DHCP network because they will use the same default static IP addresses and conﬂict with each other For more information see Understanding Dynamic and Static IP Addressing on the D Link DWL 2210AP and How Does the Access Point Obtain an IP Address at Startup Run the CD ROM on a laptop or computer that is connected to the...

Page 23: ...ints 3 Review the list of access points found KickStart will detect the IP addresses of D Link DWL 2210APs Access points are listed with their locations Media Access Control MAC addresses and IP addresses If you are installing the ﬁrst access point on a single access point network only one entry will be displayed on this screen Verify the MAC addresses shown here against the hardware labels for ea...

Page 24: ...IP address for any access point in a cluster Once your other access points are conﬁgured you can also link to the Administration Web pages by using the IP address for any of the other D Link DWL 2210APs in a URL http IPAddressOfAccessPoint Quick Steps for Setup Step 4a Log on to the Administration Web pages when using Kickstart in a DHCP network When you follow the link from KickStart to the D Lin...

Page 25: ... 2210AP is installed in a network with no DHCP server after conﬁguring your computer s static IP address to be within the IP address range of the DWL 2210AP you will enter the IP address of the DWL 2210AP into the address ﬁeld of your web browser the browser window shown below will appear Field Default Setting Field Default Setting Username admin Password admin The user name is read only It cannot...

Page 26: ...uration Policy for New Access Points Choose to conﬁgure new access points automatically as new members of the cluster or ignore new access points If you set a conﬁguration policy to conﬁgure new access points automatically new access points added to this network will join the cluster and be conﬁgured automatically based on the settings you deﬁned here Updates to the Network settings on any cluster...

Page 27: ...computer to the LAN either via Ethernet cable or wireless client card Test LAN Connectivity with Wireless Clients Test the D Link DWL 2210AP by trying to detect it and associate with it from some wireless client devices See Wireless Client Computers in the PreLaunch Checklist Default Settings and Supported Administrator Client Platforms for information on requirements for these clients Secure and ...

Page 28: ... Review Describe the Access Point Provide Administrator Password and Wireless Network Name Set Conﬁguration Policy for New Access Points Update Basic Settings Summary of Settings Basic Settings for a Standalone Access Point Your Network at a Glance Understanding Indicator Icons Conﬁguring Basic Settings ...

Page 29: ... If you use KickStart Wizard to link to the Administration Web pages the Basic Settings page is displayed by default Fill in the ﬁelds on the Basic Settings screen as described on the following page Navigating to Basic Settings Conﬁguring Basic Settings ...

Page 30: ...onal purposes as a unique identiﬁer for an interface The address shown here is the MAC address for the bridge br0 This is the address by which the AP is known externally to other networks To see MAC addresses for Guest and Internal interfaces on the AP see the Status Interfaces tab Firmware Version Version information about the ﬁrmware currently installed on the access point As new versions of the...

Page 31: ...his network As you add more access points they will share this SSID The Service Set Identiﬁer SSID is an alphanumeric string of up to 32 characters Note If you are connected as a wireless client to the same AP that you are administering resetting the SSID will cause you to lose connectivity to the AP You will need to reconnect to the new SSID after you save this new setting Field Description The D...

Page 32: ... not join the cluster Existing clustered access points will not be aware of these standalone APs Therefore if you are viewing the Administration Web pages via the IP address of a clustered access point the new standalone APs will not show up in the list of access points on the Cluster Access Points tab The only way to see a standalone AP is to browse to it directly by using its IP address in the U...

Page 33: ...settings is shown along with information about next steps At initial startup no security is in place on the access point An important next step is to conﬁgure security as described in Conﬁguring Security in this manual At this point if you click Basic Settings again the summary of settings page is replaced by the standard Basic Settings conﬁguration options ne Update Basic Settings Conﬁguring Basi...

Page 34: ...APs on your network are available for service the Wireless Network Available icon is shown The clustering icon indicates whether the current access point is Clustered or Not Clustered that is standalone For information about clustering see Understanding Clustering in this manual The number of access points available for service on this network is indicated by the Access Points icon For information...

Page 35: ...Conﬁguration The D Link DWL 2210AP shows current basic conﬁguration settings for clustered access points location IP address MAC address status and availability and provides a way of navigating to the full conﬁguration for speciﬁc APs if they are cluster members Standalone access points or those which are not members of this cluster do not show up in this listing To conﬁgure standalone access poin...

Page 36: ... than a series of separate wireless devices What is a Cluster A cluster is a group of access points which are coordinated as a single group via D Link DWL 2210AP administration You cannot create multiple clusters on a single wireless network SSID Only one cluster per wireless network is supported How Many APs Can a Cluster Support Up to eight access points are supported in a cluster at any one tim...

Page 37: ...me SSID Administrator password Conﬁguration policy User accounts and authentication Wireless interface settings Guest Welcome screen settings Network Time Protocol NTP settings Radio settings Security settings QoS queue parameters MAC address ﬁltering Having a mix of APs on the network does not adversely affect D Link DWL 2210AP clustering in any way However it is helpful to understand the cluster...

Page 38: ... the cluster and does not share the cluster conﬁguration but rather requires manual conﬁguration that is not shared with other access points See Set Conﬁguration Policy for New Access Points and Removing an Access Point from the Cluster in this manual Standalone access points are not listed on the Cluster Access Points tab in the Administration UIs of APs that are cluster members You need to know ...

Page 39: ...e using Secure Sockets Layer typically referred to as SSL with private key encryption Both the cluster conﬁguration ﬁle and the user database are transmitted among access points using SSL Auto Synch of Cluster Conﬁguration If you are making changes to the AP conﬁguration that require a relatively large amount of processing such as adding several new users you may encounter a synchronization progre...

Page 40: ...s picking up cluster conﬁguration changes to conﬁgure advanced settings on a particular access point or to switch a standalone access point to cluster mode Field Description Understanding Access Point Settings The access points tab provides information about all access points in the cluster From this tab you can view location descriptions IP addresses enable activate or disable deactivate clustere...

Page 41: ...To make modiﬁcations to the location description 1 Navigate to the Basic Settings tab 2 Update the Location description in section 1 under Review Description of this Access Point 3 Click Update button to apply the changes Removing an Access Point from the Cluster To remove an access point from the cluster do the following 1 Click the checkbox next to the access point so that the box is checked 2 C...

Page 42: ...tion on using KickStart see Step 3 Run KickStart on the CD ROM to ﬁnd access points on the network in this manual Navigating to Conﬁguration Information for a Speciﬁc AP and Managing Standalone APs In general the D Link DWL 2210AP is designed for central management of clustered access points For access points in a cluster all access points in the cluster reﬂect the same conﬁguration In this case i...

Page 43: ...ou will need to set up and manage user accounts on the Administrative interface for that server On the User Management page you can create edit remove and view client user accounts Each user account consists of a user name and password The set of users speciﬁed here represent approved clients that can log in and use one or more access points to access local and possibly external networks via your ...

Page 44: ...d are shown You make modiﬁcations to an existing user account by ﬁrst selecting the checkbox next to a user name and then choosing an action See Editing a User Account in this manual Adding a User To create a new user do the following 1 Under Add a User provide information in the following ﬁelds Fields Description Username Provide a user name User names are alphanumeric strings of up to 256 charac...

Page 45: ...nts at the top of the User Management Administration Web page To make modiﬁcations to an existing user account ﬁrst click the checkbox next to the user name so that the box is checked A user account must be enabled for the user to log on as a client and use the access point You can enable or disable any user account With this feature you can maintain a set of user accounts and authorize or prevent...

Page 46: ...Enable A user with an account that is enabled can log on to the wireless access points in your network as a client Disabling a User Account To disable a user account click the checkbox next to the user name and click Disable A user with an account that is disabled cannot log on to the wireless access points in your network as a client However the user remains in the database and can be enabled lat...

Page 47: ...eive statistics signal strength and idle time The following Session Monitoring topics are covered here Navigating to Session Monitoring Understanding Session Monitoring Information Viewing Session Information for Access Points Sorting Session Information Refreshing Session Information Navigating to Session Monitoring To view session monitoring information click the Cluster Sessions tab ...

Page 48: ...hift from one clustered AP to another within the context of the same session A client station can roam between APs and maintain the session For information about monitoring associations and link integrity monitoring see Associated Wireless Clients in this manual User Name Indicates the client user name of IEEE 802 1x clients Note This ﬁeld is relevant only for clients that are connected to APs usi...

Page 49: ...nts You can view session information for all access points on the network at the same time or set the display to show session information for a speciﬁed access point chosen from the drop down menu at the top of the screen To view information on all access points select the Show all access points radio button at the top of the page To view session information on a particular access point select the...

Page 50: ...ngs including guest access are not shared across the cluster These settings must be conﬁgured individually on the Administration pages for each access point To get to the Administration pages for an access point that is a member of the current cluster click on its IP Address link on the Cluster Access Points page of the current AP For more information about which settings are shared by the cluster...

Page 51: ...51 Setting the Ethernet Wired Interface Navigating to Ethernet To set the wired address for an access point navigate to the Advanced Ethernet tab and update the ﬁelds as described in the following pages ...

Page 52: ...work devices like storage and printers Ethernet is the most common technology implementing a LAN Wi Fi IEEE is another very popular LAN technology The D Link DWL 2210AP allows you to conﬁgure two different LANs on the same access point one for a secure internal LAN and another for a public guest network with no security and little or no access to internal resources To conﬁgure these networks you n...

Page 53: ...on Guest Access By default the D Link DWL 2210AP ships with Guest Access disabled To enable Guest Access click Enabled To disable Guest Access click Disabled If you enable Guest access and conﬁgure the Guest and Internal interfaces to useVLANs you may lose connectivity to the access point First be sure to verify that the switch and DHCP server you are using can support VLANs per the IEEE 802 1Q st...

Page 54: ...ludes the IP addresses and netmask plus the address of its DNS servers and gateway Static IP indicates that all network settings are provided manually You must provide the IP address for the D Link DWL 2210AP its subnet mask the IP address of the default gateway and the IP address of at least one DNS nameserver If you select DHCP Client the D Link DWL 2210AP will acquire its IP Address subnet mask...

Page 55: ...tive name domain name of a network resource for example www dlink com to its numeric IP address for example 66 93 138 219 A DNS server is called a Nameserver There are usually two Nameservers a Primary Nameserver and a Secondary Nameserver You can choose Dynamic or Manual mode If you choose Manual you should assign static IP addresses manually If you choose Dynamic the IP addresses for the DNS ser...

Page 56: ...he network interface to the access point MAC address for access point and wireless network name also known as SSID The following sections describe how to conﬁgure the Wireless address and related settings on the D Link DWL 2210AP Navigating to Wireless Settings Conﬁguring the Radio Interface Conﬁguring Internal LAN Wireless Settings Conﬁguring Guest Network Wireless Settings Updating Settings ...

Page 57: ...t the wireless address for an access point navigate to the Advanced Wireless tab and update the ﬁelds as described below The following ﬁgure shows the Wireless settings page for a two radio AP The Administration Web page for the single radio AP will look slightly different ...

Page 58: ...authorities such as the Federal Communications Commission FCC or the International Telecommunication Union ITU R The default is Auto which picks the least busy channel at startup time Conﬁguring the Radio Interface The radio interface allows you to set the radio Channel and 802 11 mode as described below Field Description Indicates the Media Access Control MAC addresses for the interface A MAC add...

Page 59: ...e nodes each with a unique MAC Address This is accomplished by using multiple Basic Service Set Identiﬁers BSSIDs for a single access point The MAC address es shown for the Internal access point is the BSSID s for the Internal interface For the two radio AP two MAC addresses are shown one for each Radio on the Internal interface SSID Enter the SSID for the internal WLAN The Service Set Identiﬁer S...

Page 60: ...esented on the network as two or more nodes each with a unique MAC Address This is accomplished by using multiple Basic Service Set Identiﬁers BSSID for a single access point The MAC address es shown for the Guest access point is the BSSID s for the Guest interface SSID Enter the SSID for the guest network The Service Set Identiﬁer SSID is an alphanumeric string of up to 32 characters that uniquel...

Page 61: ...sts to servers using the returned time stamp to adjust its clock The timestamp will be used to indicate the date and time of each event in log messages See http www ntp org for more general information on NTP The following sections describe how to conﬁgure the D Link DWL 2210AP to use a speciﬁed NTP server Navigating to Time Protocol Settings Enabling or Disabling a Network Time Protocol NTP Serve...

Page 62: ...62 62 Enabling the Network Time Protocol Server Navigating to Time Protocol Settings To enable an NTP server navigate to the Advanced Time Protocol tab and update the ﬁelds as described below ...

Page 63: ...he network Using an NTP server gives your AP the ability to provide the correct time of day in log messages and session information See http www ntp org for more general information on NTP Choose to either enable or disable use of a network time protocol NTP server Enabled Disabled NTP Server If NTP is enabled select the NTP server you want to use You can specify the NTP server by host name or IP ...

Page 64: ...its its packets over a physical medium such as coaxial cable or twisted pair A wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped without physical access or sophisticated equipment A hacker equipped with a laptop a wireless NIC and a bit of knowledge can easily attempt to compromise your wireless network One does not even need to be within normal range o...

Page 65: ...rnet and printer access as on a guest network plain text mode no security may be the appropriate choice To prevent clients from accidentally discovering and connecting to your network you can disable the broadcast SSID so that your network name is not advertised If the network is sufﬁciently isolated from access to sensitive information this may offer enough protection in some situations This leve...

Page 66: ...d for regular use on the Internal network because it is not secure Plain text mode is the only mode in which you can run the Guest network which is by deﬁnition an unsecure LAN always virtually or physically separated from any sensitive information on the Internal LAN Therefore use plain text mode on the Guest network and on the Internal network for initial setup testing or problem solving only Se...

Page 67: ...hentication Recommendations Static WEP was designed to provide the security equivalent of sending unencrypted data through an Ethernet connection however it has major ﬂaws and it does not provide even this intended level of security Therefore Static WEP is not recommended as a secure mode The only time to use Static WEP is when interoperability issues make it the only option available to you and y...

Page 68: ...the variety of authentication methods supported and the lack of a standard implementation method Therefore IEEE 802 1x mode is not as secure a solution as Wi Fi Protected Access WPA If you cannot use WPA because some of your client stations do not have WPA then a better solution than using IEEE 802 1x mode is to use WPA with RADIUS mode instead and check the Allow non WPA IEEE 802 1x clients check...

Page 69: ... is WPA with RADIUS using CCMP AES encryption algorithm AES is a symmetric 128 bit block data encryption technique that works on multiple layers of the network It is the most effective encryption system currently available for wireless networks If all clients or other APs on the network are WPA CCMP compatible use this encryption algorithm The second best choice is WPA with RADIUS with the encrypt...

Page 70: ...ion similar to that of shared keys in WEP Key Management Encryption Algorithm User Authentication If there are older client stations on your network that do not supportWPA you can conﬁgure WPA with RADIUS with Both CCMP orTKIP and check the Allow non WPA IEEE 802 1x clients checkbox to allow non WPA clients This way you get the beneﬁt of IEEE 802 1x key management for non WPA clients along with ev...

Page 71: ...SSID Enhance Security You can suppress prohibit this broadcast to discourage stations from automatically discovering your access point When the AP s broadcast SSID is suppressed the network name will not be displayed in the List of Available Networks on a client station Instead the client must have the exact network name conﬁgured in the supplicant before it will be able to connect Disabling the b...

Page 72: ...n key settings consistent with access point security On a two radio AP these security settings apply to both radios Broadcast SSID and Security Mode To conﬁgure security on the access point select a security mode and ﬁll in the related ﬁelds as described in the following table Note you can also allow or prohibit the Broadcast SSID as an extra precaution as mentioned below Security modes other than...

Page 73: ...xt setting can be used For more information see Setting up Guest Access in this manual Security modes other than Plaintext apply only to conﬁguration of the Internal network on the Guest network you can use only Plaintext mode Field Description Plaintext Plain Text means any data transferred to and from the D Link DWL 2210AP is not encrypted There are no further options for Plaintext mode Plain te...

Page 74: ... The access point uses a key to transmit data to the client stations Each client station must use that same key to decrypt data it receives from the access point Client stations can use different keys to transmit data to the access point Or they can all use the same key but this is less secure because it means one station can decrypt the data being sent by another If you selected Static WEP Securi...

Page 75: ...haracters required updates automatically based on how you set Key Length and Key Type WEP Keys You can specify up to four WEP keys In each text box enter a string of characters for each key If you selected ASCII enter any combination of integers and letters 0 9 a z and A Z If you selected HEX enter hexadecimal digits any combination of 0 9 and a f or A F Use the same number of characters for each ...

Page 76: ... to associate does not ensure it can exchange trafﬁc with an access point A station must have the correct WEP key to be able to successfully access and decrypt data from an access point and to transmit readable data to the access point Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point When the authentication algorithm is s...

Page 77: ...can conﬁgure multiple WEP keys and deﬁne a client station transfer key index and then set the stations to encrypt the data they transmit using different keys This ensures that neighboring APs cannot decode each other s transmissions Example of Using Static WEP For a simple example suppose you conﬁgure three WEP keys on the access point In our example the Transfer Key Index for the AP is set to 3 T...

Page 78: ...s you conﬁgure multiple WEP keys and set a transfer index on the client station then you can specify different keys to be used for station to AP transmissions The standard Windows wireless client software does not allow you to do this To build on our example using Funk Odyssey client software you could give each of the clients WEP key 3 so that they can decode the AP transmissions with that key an...

Page 79: ...ers tab The access point requires a RADIUS server capable of EAP such as the Microsoft Internet Authentication Server or the D Link DWL 2210AP internal authentication server To work with Windows clients the authentication server must support Protected EAP PEAP and MSCHAP V2 When conﬁguring IEEE 802 1x mode you have a choice of whether to use the embedded RADIUS server or an external RADIUS server ...

Page 80: ... address and UDP port numbers for the different services it provides On the current release of the D Link DWL 2210AP the RADIUS server User Datagram Protocol UDP ports used by the access point are not conﬁgurable The D Link DWL 2210AP is hard coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting Select one of the following from the drop down menu Enter the Radius...

Page 81: ... AES mechanisms This mode requires the use of a RADIUS server to authenticate users and conﬁguration of user accounts via the Cluster Users tab When conﬁguring WPA with RADIUS mode you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide The D Link DWL 2210AP embedded RADIUS server supports Protected EAP PEAP and MSCHAP V2 If you selected WPA wit...

Page 82: ...ity of the network Counter mode CBC MAC Protocol CCMP is an encryption method for IEEE 802 11i that uses the Advanced Encryption Algorithm AES It uses a CCM combined with Cipher Block Chaining Counter mode CBC CTR and Cipher Block Chaining Message Authentication Code CBC MAC for encryption and message integrity When the authentication algorithm is set to Both both TKIP and AES clients can associat...

Page 83: ... in the text box The Radius IP is the IP address of the RADIUS server The D Link DWL 2210AP internal authentication server is 127 0 0 1 For information on setting up user accounts see Managing User Accounts in this manual Radius Key Enter the Radius Key in the text box The Radius Key is the shared secret key for the RADIUS server The text you enter will be displayed as characters to prevent others...

Page 84: ...uses a different key to encrypt data TKIP uses RC4 to perform the encryption which is the same as WEP But TKIP changes temporal keys every 10 000 packets and distributes them thereby greatly improving the security of the network Temporal Key Integrity Protocol TKIP is the default Counter mode CBC MAC Protocol CCMP is an encryption method for IEEE 802 11i that uses the Advanced Encryption Algorithm...

Page 85: ...s the AP emits You can specify whether the radio is on or off radio frequency RF broadcast channel beacon interval amount of time between AP beacon transmissions transmit power IEEE 802 11 mode in which the radio operates and so on The D Link DWL 2210AP is a single band access point with one radio capable of broadcasting in either IEEE 802 11b or IEEE 802 11g mode The IEEE mode along with other ra...

Page 86: ...86 86 Navigating to Radio Settings To specify radio settings navigate to Advanced Radio tab and update the ﬁelds as described below Conﬁguring Radio Settings ...

Page 87: ...network The default behavior is to send a beacon frame once every 100 milliseconds or 10 per second The Beacon Interval value is set in milliseconds Enter a value from 20 to 2000 DTIM Period The Delivery Trafﬁc Information Map DTIM message is an element included in some Beacon frames It indicates which client stations currently sleeping in low power mode have data buffered on the access point awai...

Page 88: ... threshold may help with some interference problems for example with microwave ovens By default fragmentation is off We recommend not using fragmentation unless you suspect radio interference The additional headers applied to each fragment increase the overhead on the network and can greatly reduce throughput RTS Threshold Specify an RTS Threshold value between 0 and 2347 The RTS threshold speciﬁe...

Page 89: ...er second Supported Rate Sets indicate rates that the access point supports You can check multiple rates click a checkbox to select or deselect a rate The AP will automatically choose the most efﬁcient rate based on factors like error rates and distance of client stations from the AP Basic Rate Sets indicate rates that the access point will advertise to the network for the purposes of setting up c...

Page 90: ...r example FE DC BA 09 87 65 Each wireless network interface card NIC used by a wireless client has a unique MAC address You can control client access to your wireless network by switching on MAC Filtering and specifying a list of approved MAC addresses When MAC Filtering is on only clients with a listed MAC address can access the network The following sections describe how to use MAC address ﬁlter...

Page 91: ...91 Controlling Access by MAC Address Filtering Navigating to MAC Filtering Settings To enable ﬁltering by MAC address navigate to the Advanced MAC Filtering tab and update the ﬁelds as described below ...

Page 92: ...C address then click Remove The stations in the list will either be allowed or prevented from accessing the AP based on how you set the Filter Updating Settings To apply your changes click Update Field Description This page allows you to control access to D Link DWL 2210AP based on Media Access Control MAC addresses Based on how you set the ﬁlter you can allow only client stations with a listed MA...

Page 93: ... a comparison of Session Monitoring data for multiple access points allows you to identify an access point that is consistently handling a disproportionately large percentage of wireless trafﬁc This can happen when location placement or other factors causes one access point to transmit the strongest signal to a majority of clients on a network By default that access point will receive most of clie...

Page 94: ...s a part in contributing to Quality of Service QoS for Voice Over IP VoIP and other such time sensitive applications competing for bandwidth and timely access to the air waves on a wireless network For more information about conﬁguring your network for QoS see Conﬁguring Queues for Quality of Service QoS in this manual Navigating to Load Balancing Settings On the Administration UI navigate to the ...

Page 95: ...ring in this manual Even when clients are disassociated from an AP the network will still provide continuous service to client stations if another access point is within range so that clients can reconnect to the network Clients should automatically retry the AP they were originally connected to and other APs on the subnet Clients who are disassociated from one AP should experience a seamless tran...

Page 96: ...k Update Settings Utilization rate limits relate to wireless bandwidth utilization Provide a bandwidth utilization rate percentage limit for this access point to indicate when to disassociate current clients When the utilization rate exceeds the speciﬁed limit a client currently associated with this access point will be disconnected If you specify 0 in this ﬁeld current clients will never be disco...

Page 97: ... of service is compromised the audio or video will be distorted QoS and Load Balancing By using a combination of load balancing see Load Balancing on page 95 and QoS techniques you can provide a high quality of service for time sensitive applications even on a busy network Load balancing is a way of better distributing the trafﬁc volume across access points QoS is a means of allocating bandwidth a...

Page 98: ...stablish multiple queues The queues provided offer built in prioritization and routing based on the type of data being transmitted The Administration UI provides a way for you to conﬁgure parameters on the queues QoS Queues and Type of Service ToS on Packets QoS on the D Link DWL 2210AP leverages existing information in the IP packet header related to Type of Service ToS Every IP packet sent over ...

Page 99: ...ssociated priorities and parameters for transmission are as follows Data 0 bulk Lowest priority queue high throughput Bulk data that requires maximum throughput and is not time sensitive is sent to this queue FTP data for example Data 1 best effort Medium priority queue medium throughput and delay Most traditional IP data is sent to this queue Data 2 interactive Highest priority queue minimum dela...

Page 100: ... on CSMA CA protocol deﬁnes the interframe space IFS between data frames Data frames wait for an amount of time deﬁned as the DCF interframe space DIF before transmitting This parameter is conﬁgurable Note that sending data frames in DIFs allows higher priority management and control frames to be sent in SIFs ﬁrst The DCF ensures that multiple access points do not try sending data at the same time...

Page 101: ...packet bursts allowed maximum burst length is a conﬁgurable parameter The value speciﬁed for the Minimum Contention Window is the upper limit of a range for the initial random backoff wait time The number used in the random backoff is initially a random number between 0 and the number deﬁned for the Minimum Contention Window If the ﬁrst random backoff time ends before successful transmission of th...

Page 102: ...nly not to that of the client stations To set up queues for QoS navigate to the Advanced QoS tab and conﬁgure settings as described below For the Guest interface QoS queue settings apply to the access point load as a whole both BSSes together On a two radio access point these settings apply to both radios but the trafﬁc for each radio is queued independently The exception to this is guest trafﬁc a...

Page 103: ... the hexadecimal values to describe this queue are in the following ranges 0x00 0X01 0X04 0X07 0X18 0X1F Data 2 interactive Highest priority queue minimum delay Time sensitive data such as VoIP and streaming media are automatically sent to this queue For information purposes the hexadecimal values to describe this queue are in the following ranges 0x10 0X17 Data 3 not used For more information see...

Page 104: ...l Max Contention Window The value speciﬁed here in the Maximum Contention Window is the upper limit in milliseconds for the doubling of the random backoff value This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached Once the Maximum Contention Window size is reached retries will continue until a maximum number of retries allowed is reached For ...

Page 105: ... Using WDS to Bridge Distant Wired LANs Using WDS to Extend the Network Beyond the Wired Coverage Area Backup Links and Unwanted Loops in WDS Bridges Security Considerations Related to WDS Bridges Navigating to WDS Settings Conﬁguring WDS Settings Example of Conﬁguring a WDS Link Updating Settings Understanding the Wireless Distribution System A Wireless Distribution System WDS is an 802 11f techn...

Page 106: ...oo costly to wire the distant area with Ethernet cabling You can solve this problem by placing a second access point closer to second group of stations Poolside in our example and bridge the two APs with a WDS link This extends your network wirelessly by providing an extra hop to get to distant stations Using WDS to Bridge Distant Wired LANs In an ESS a network of multiple access points each acces...

Page 107: ...ions Related to WDS Bridges Static Wired Equivalent Privacy WEP is a data encryption protocol for 802 11 wireless networks Both access points in a given WDS link must be conﬁgured with the same security settings For static WEP either a static 64 bit 40 bit secret key 24 bit initialization vector IV or 128 bit 104 bit secret key 24 bit IV Shared Key is speciﬁed for data encryption You can enable St...

Page 108: ...ccess point to others navigate to the Advanced WDS tab and update the ﬁelds as described below The following ﬁgure shows the WDS settings page for the two radio AP The Administration Web page for the one radio AP will look slightly different Conﬁguring the Wireless Distribution System WDS ...

Page 109: ... only one WDS link between any pair of access points That is a remote MAC address may appear only once on the WDS page for a particular access point Both access points participating in a WDS link must be on the same Radio channel and using the same IEEE 802 11 mode See Conﬁguring Radio Settings in this manual for information on conﬁguring the Radio mode and channel Do not create loops with either ...

Page 110: ...solates guest clients from more sensitive areas of your internal network It is common to have security disabled on the guest network to provide open access Alternatively the internal network provides full access to protected information behind a ﬁrewall and requires secure logins or certiﬁcates for access When using WDS to link up one access point to another you need to identify within which of th...

Page 111: ...characters If you selected ASCII enter any combination of 0 9 If you selected HEX enter hexadecimal digits any combination of 0 9 and a f or A F These are the RC4 encryption keys shared with the stations using the access point Example of Conﬁguring a WDS Link When using WDS be sure to conﬁgure WDS settings on both access points on the WDS link For example to create a WDS link between a pair of acc...

Page 112: ...ab on MyAP1 Administration Web pages The MAC address for MyAP1 the access point you are currently viewing will show as the Local Address at the top of the page Conﬁgure a WDS interface for data exchange with MyAP2 Start by entering the MAC address for MyAP2 as the Remote Address and ﬁll in the rest of the ﬁelds to specify the network guest or internal security and so on Save the settings click Upd...

Page 113: ...solate guest clients from other more sensitive areas of the network No security is provided on the guest network only plaintext security mode is allowed Simultaneously you can conﬁgure a secure internal network using the same access point as your guest interface that provides full access to protected information behind a ﬁrewall and requires secure logins or certiﬁcates for access The Guest and In...

Page 114: ...LANs in this manual If you want to conﬁgure the Guest and Internal networks on Virtual LAN VLANs the switch and DHCP server you are using must support VLANs As a prerequisite step conﬁgure a port on the switch for handling VLAN tagged packets as described in the IEEE 802 1Q standard Guest Welcome Screen settings are shared among access points across the cluster When you update these settings for o...

Page 115: ...date to apply the changes Using the Guest Network as a Client Once the guest network is conﬁgured a client can access the guest network as follows 1 A guest client enters an area of coverage and scans for wireless networks 2 The guest network advertises itself via a Guest SSID or some similar name depending on how the guest SSID is speciﬁed in the Administration Web pages for the Guest interface 3...

Page 116: ...cess Deployment Example In the ﬁgure below the dotted red lines indicate dedicated guest connections All access points and all connections including guests are administered from the same D Link DWL 2210AP Administration Web pages ...

Page 117: ...mportant to ensure that you are accessing the Administration Web pages for the particular access point you want to conﬁgure For information on this see Navigating to Conﬁguration Information for a Speciﬁc AP and Managing Standalone APs in this manual The following maintenance and monitoring topics are covered Interfaces Event Log Statistics Associated Wireless Clients Rebooting the Access Point Re...

Page 118: ...tings The Internal interface includes the Ethernet MAC Address IP Address Subnet Mask and Associated Network Wireless Name SSID The Guest interface includes the MAC Address VLAN ID and Associated Network Wireless Name SSID If you want to change any of these settings click the Conﬁgure link On a two radio access point current wireless settings for both Radio One and Radio Two are shown On a one rad...

Page 119: ...dropping frames The D Link DWL 2210AP acquires its date and time information using the network time protocol NTP This data is reported in UTC format also known as Greenwich Mean Time You need to convert the reported time to your local time For information on setting the network time protocol see Enabling the Network Time Protocol Server in this manual The Radio Interface settings radio Mode and Ch...

Page 120: ... for a particular access point navigate to Status Statistics on the Administration Web pages for the access point you want to monitor The following ﬁgure shows the Transmit Receive page for a two radio AP The Administration Web page for the one radio AP will look slightly different ...

Page 121: ...A two radio access point has a different MAC address for each interface on each of its two radios VLAN ID Virtual LAN VLAN ID A VLAN is a software based logical grouping of devices on a network that allow them to act as if they are connected to a single physical network even though they may not be VLANs can be used to establish internal and guest networks on the same access point SSID Wireless net...

Page 122: ...every few seconds when no other trafﬁc is passing This allows the access point to detect when a client goes out of range even during periods when no normal trafﬁc is exchanged The client connection drops off the list of associated clients within 300 seconds of a client disappearing even if they do not disassociate but went out of range What is the Difference Between an Association and a Session An...

Page 123: ...nd Monitoring Rebooting the Access Point For maintenance purposes or as a troubleshooting measure you can reboot the D Link DWL 2210AP as follows 1 Click the Advanced Reboot tab 2 Click the Reboot button The AP reboots ...

Page 124: ...defaults and clear all settings including settings such as a new password or wireless settings 1 Click the Advanced Reset tab 2 Click the Reset button Factory defaults are restored Keep in mind that if you do reset the conﬁguration from this page you are doing so for this access point only not for other access points in the cluster For information on the factory default settings see Default Settin...

Page 125: ...t access point You must do this per access point you cannot upgrade ﬁrmware automatically across the cluster Keep in mind that a successful ﬁrmware upgrade restores the access point conﬁguration to the factory defaults See Default Settings for the D Link DWL 2210AP in this manual 2 If you know the path to the New Firmware Image ﬁle enter it in the textbox Otherwise click the Browse button and loca...

Page 126: ... the upgrade process Click OK to conﬁrm the upgrade and start the process The ﬁrmware upgrade process begins once you click Update and then OK in the popup conﬁrmation window The upgrade process may take several minutes during which time the access point will be unavailable Do not power down the access point while the upgrade is in process When the upgrade is complete the access point will restart...

Page 127: ...rovides real time statistics for all access points within range of the access point on which you are viewing the Administration Web pages To view information about other access points on the wireless network navigate to Status Neighbors Maintenance and Monitoring ...

Page 128: ...1 Wireless Networking Framework also referred to as peer to peer mode or an Independent Basic Service Set IBSS SSID The Service Set Identiﬁer SSID for the access point The SSID is an alphanumeric string of up to 32 characters that uniquely identiﬁes a wireless local area network It is also referred to as the Network Name The SSID is set in Basic Settings See Conﬁguring Basic Settings in this manua...

Page 129: ...s point is currently transmitting The current rate will always be one of the rates shown in Supported Rates Signal Indicates the strength of the radio signal emitting from this access point as measured in decibels Db of Beacons Shows the total number of beacons transmitted by this access point since it was last booted Last Beacon Shows the date and time of the most recent beacon was transmitted fr...

Page 130: ...he exact network name conﬁgured in the network connection properties before it will be able to connect The following sections describe how to set up each of the supported security modes on wireless clients of a network served by the D Link DWL 2210AP Network Infrastructure and Choosing Between Built in or External Authentication Server Make Sure the Wireless Client Software is Up to Date Accessing...

Page 131: ...ther IEEE 802 1x or WPA with RADIUS security mode The built in authentication server uses EAP PEAP authentication protocol I Want to Use an External RADIUS Server with EAP TLS Certiﬁcates or EAP PEAP We make the assumption that if you have an external RADIUS server and PKI CA setup you will know how to conﬁgure client security options appropriate to your security infrastructure beyond the fundamen...

Page 132: ...the Windows task bar Appendix A Conﬁguring Security Settings on Wireless Clients Or 1 From the Windows Start menu at the left end of the task bar Right click on the Wireless connection icon in your Windows task bar and select View available wireless networks Select the SSID of the network to which you want to connect and click Advanced to bring up the Wireless Network Connection Properties dialog ...

Page 133: ... case you would need to type in the exact network name to be able to connect to it Appendix A Conﬁguring Security Settings on Wireless Clients ThisbringsuptheWirelessNetwork Connection Properties dialog with the Association and Authentication tabs for the selected network Fromthelistof Availablenetworks select the SSID of the network to which you want to connect and click Conﬁgure Use this dialog ...

Page 134: ...ion Open to that network and Data Encryption Disabled as described below If you do have security conﬁgured on a client for properties of an unsecure network the security settings actually can prevent successful access to the network because of the mismatch between client and access point security conﬁgurations To conﬁgure the client to not use any security bring up the client Network Properties di...

Page 135: ... stream cipher called RC4 The access point uses a key to transmit data to the client stations Each client must use that same key to decrypt data it receives from the access point Different clients can use different keys to transmit data to the access point Or they can all use the same key but this is less secure because it means one station can decrypt the data being sent by another If you conﬁgur...

Page 136: ...se WEP in Shared mode must have a valid WEP key in order to associate with the AP Clients conﬁgured to use WEP as an Open system can associate with the AP even without a valid WEP key but a valid key will be required to actually view and exchange data For more information see Administrators Guide and Online Help on the access point Data Encryption WEP Network Key Provide the WEP key you entered on...

Page 137: ... now be able to associate and authenticate with the access point As a client you will not be prompted for a WEP key The WEP key conﬁgured on the client security settings is automatically used when you connect Authentication Tab Make sure that IEEE 802 1x authentication is disabled box should be unchecked Setting the encryption mode to WEP should automatically disable authentication Enable IEEE 802...

Page 138: ...AP referred to here as EAP PEAP If you conﬁgured the D Link DWL 2210AP to use IEEE 802 1x security mode If you are using the Built in Authentication server with IEEE 802 1x security mode on the D Link DWL 2210AP then you will need to set up wireless clients to use PEAP Additionally you may have an external RADIUS server that uses EAP PEAP If so you will need to 1 add the D Link DWL 2210AP to the l...

Page 139: ...y option Choose Protected EAP PEAP Disable click to uncheck Validate server certiﬁcate Choose secured password EAP MSCHAP v2 then click Conﬁgure Choose Open then click Properties Enable click to check IEEE 802 1x authentication Disable click to uncheck option to automatically use Windows logon name and password ...

Page 140: ...ed EAP Properties dialog and conﬁgure the following settings Protected EAP Properties Dialog Validate Server Certiﬁcate Disable this option click to uncheck the box Note This example assumes you are using the Built in Authentication server on the AP If you are setting up EAP PEAP on a client of an AP that is using an external RADIUS server you might certiﬁcate validation and choose a certiﬁcate de...

Page 141: ... CA server Consult the documentation for those products Some good starting points available on the Web for the Microsoft Windows PKI software are How to Install Uninstall a Public Key Certiﬁcate Authority for Windows 2000 at http support microsoft com default aspx scid kb EN US 231881 and How to Conﬁgure a Certiﬁcate Server at http support microsoft com default aspx scid kb en us 318710 3 To use t...

Page 142: ...IEEE 802 1x security mode with an external RADIUS server then conﬁgure IEEE 802 1x security with certiﬁcate authentication on each client as follows Choose WEP Data Encryption mode Choose Open Enable auto key option Choose Smart Card Certiﬁcate then click Properties Enable click to check IEEE 802 1x authentication ...

Page 143: ...ab Association Tab Network Authentication Open Data Encryption WEP Note An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking CRC of each IEEE 802 11 frame This is the same encryption algorithm as is used for Static WEP therefore the data encryption method conﬁgured on the client for this mode is WEP This key is provided for me automatically Enable click to check Se...

Page 144: ...ng a TLS EAP Certiﬁcate for a Client in this manual Connecting to the Wireless Network with an IEEE 802 1x Client Using a Certiﬁcate IEEE 802 1x clients should now be able to connect to the access point using their TLS certiﬁcates The certiﬁcate you installed is used when you connect so you will not be prompted for login information The certiﬁcate is automatically sent to the RADIUS server for aut...

Page 145: ...mode and choose the Built in Authentication server you must conﬁgure client stations to use WPA with RADIUS and EAP PEAP If you conﬁgure the network access point to use this security mode with an external RADIUS server you must conﬁgure the client stations to use WPA with RADIUS and whichever security protocol your RADIUS server is conﬁgured to use WPA with RADIUS Client Using EAP PEAP The Built I...

Page 146: ...DWL 2210AP to use WPA with RADIUS security mode and to use either the Built in Authentication Server or an external RADIUS server that uses EAP PEAP First set up user accounts on the access point Cluster User Management then conﬁgure WPA security with PEAP authentication on each client as follows ...

Page 147: ... AES for the Data Encryption mode Choose Protected EAP PEAP Disable click to uncheck Validate server certiﬁcate Choose secured password EAP MSCHAP v2 then click Conﬁgure Choose WPA then click Properties Disable click to uncheck option to automatically use Windows logon name and password ...

Page 148: ...Conﬁgure the following settings on the Association and Authentication tabs on the Network Properties dialog Association Tab Network Authentication WPA Data Encryption TKIP or AES depending on how this option is conﬁgured on the access point Note When the Cipher Suite on the access point is set to Both then TKIP clients with a valid TKIP key and AES clients with a valid CCMP AES key can associate w...

Page 149: ... this section 4 Obtain a certiﬁcate for this client as described in Obtaining a TLS EAP Certiﬁcate for a Client in this manual If you conﬁgured the D Link DWL 2210AP to use WPA with RADIUS security mode with an external RADIUS server If you want to use IEEE 802 1x mode with EAP TLS certiﬁcates for authentication and authorization of clients you must have an external RADIUS server and a Public Key ...

Page 150: ...or the Data Encryption mode Choose Smart Card or other certiﬁcate and enable Authenticate as computer when info is available Then click Properties Enable click to check Validate server certiﬁcate Select check the name of the certiﬁcate on this client downloaded from RADIUS server in a prerequisite procedure ...

Page 151: ...a Encryption TKIP or AES depending on how this option is conﬁgured on the access point Note When the Cipher Suite on the access point is set to Both then TKIP clients with a valid TKIP key and AES clients with a valid CCMP AES key can associate with the access point For more information see Administrators Guide and Online Help on the access point 2 Conﬁgure these settings on the Authentication tab...

Page 152: ... TKIP Advanced Encryption Algorithm AES and Counter mode CBC MAC Protocol CCMP mechanisms PSK employs a pre shared key for an initial check of client credentials If you conﬁgured the D Link DWL 2210AP to use WPA PSK security mode then conﬁgure WPA PSK security on each client as follows Choose WPA PSK Choose either TKIP or AES for the Data Encryption mode Enter a network key that matches the one sp...

Page 153: ...client specify this same string as the network key The key is provided for me automatically This box should be disabled automatically based on other settings Authentication Tab Enable IEEE 802 1x authentication for this network Make sure that IEEE 802 1x authentication is disabled unchecked Setting the encryption mode to WEP should automatically disable authentication Appendix A Conﬁguring Securit...

Page 154: ...ws 2003 server The purpose of this procedure is to identify your D Link DWL 2210AP as a client to the RADIUS server The RADIUS server can then handle authentication and authorization of wireless clients for the AP This procedure is required per access point If you have more than one access point with which you plan to use an external RADIUS server you need to follow these steps for each of those A...

Page 155: ...10AP is hard coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting 2 In the left panel right click on RADIUS Clients node and choose New Radius Client from the popup menu 3 On the ﬁrst screen of the New RADIUS Client wizard provide information about the D Link DWL 2210AP to which you want your clients to connect A logical friendly name for the access point You mi...

Page 156: ...nﬁguring Security Settings on Wireless Clients 4 For the Shared secret enter the RADIUS Key you provided to the access point on the Advanced Security page Retype the key to conﬁrm IP address for the access point Click Next ...

Page 157: ...157 Appendix A Conﬁguring Security Settings on Wireless Clients 5 Click Finish The access point is now displayed as a client of the Authentication Server ...

Page 158: ...support microsoft com default aspx scid kb EN US 231881 and How to Conﬁgure a Certiﬁcate Server at http support microsoft com default aspx scid kb en us 318710 3 Wireless clients conﬁgured to use either WPA with RADIUS or IEEE 802 1x security modes with an external RADIUS server that supports TLS EAP certiﬁcates must obtain a TLS certiﬁcate from the RADIUS server This is an initial onetime step th...

Page 159: ...user name and password to access the RADIUS server The user name and password you need to provide here is for access to the RADIUS server for which you will already have user accounts conﬁgured at this point This document does not describe how to set up Administrative user accounts on the RADIUS server Please consult the documentation for your RADIUS server for these procedures 5 Click User Certiﬁ...

Page 160: ...0 Appendix A Conﬁguring Security Settings on Wireless Clients 6 Click Yes on the dialog displayed to install the certiﬁcate 7 Click Submit to complete and click Yes to conﬁrm the submittal on the popup dialog ...

Page 161: ...urity Settings on Wireless Clients 8 Click Install this certiﬁcate to install the newly issued certiﬁcate on your client station Also click Yes on the popup windows to conﬁrm the install and to add the certiﬁcate to the Root Store ...

Page 162: ...r button on the device Reset the access point from its Administration UI To do this go to http IPAddressOfAccessPoint navigate to Advanced Reset and click the Reset button IP addresses for APs are on the Cluster Access Points page for any cluster member Physically reset the access point by pressing the Reset button on the device In some extreme cases reboot or reset may not solve the problem In th...

Page 163: ...ped clustering on all of them Make sure that you ﬁrst Stop Clustering on every access point on the subnet and only then perform the next part of the process of resetting each one to the factory defaults 2 Reset each access point To do this go to the Administration Web pages of the access point you want to reset by entering its URL into the address bar of your Web browser http IPAddressOfAccessPoin...

Page 164: ...ngs including updated passwords Repeat this reset step for every access point in the cluster Table 2 Do not proceed to the next step until you have stopped clustering on all of access points in the preexisting cluster 3 Refresh the cluster view as follows On the Administration Web pages for any one of the access points click Cluster Access Points to bring up the Access Points cluster management pa...

Page 165: ...list Before proceeding to the last step verify that the cluster has reformed by making sure all are access points are listed 4 Review all conﬁguration settings and make modiﬁcations as needed Pay special attention to the security settings because after a reset Access Points run without any security in place ...

Page 166: ... EAP Encapsulation Over LANs EAPOL It establishes a framework that supports multiple authentication methods IEEE 802 1x authenticates users not machines 802 2 IEEE 802 2 IEEE Std 802 2 1998 deﬁnes the LLC layer for the 802 family of standards 802 3 IEEE 802 3 IEEE Std 802 3 2002 deﬁnes the MAC layer for networks that use CSMA CA Ethernet is an example of such a network 802 11 IEEE 802 11 IEEE Std ...

Page 167: ...xtension up to 54 Mbps to the 802 11b PHY while operating in the 2 4 GHz band It uses orthogonal frequency division multiplexing OFDM It supports data rates ranging from 1 to 54 Mbps 802 11i IEEE 802 11i is a developing IEEE standard for security in a wireless local area network WLAN It deﬁnes enhancements to the MAC Layer to counter the some of the weaknesses of WEP 802 11i will incorporate 802 1...

Page 168: ...on Beacon frames provide the heartbeat of a WLAN announcing the existence of the network and enabling stations to establish and maintain communications in an orderly fashion It carries the following information some of which is optional Bridge A connection between two local area networks LANs using the same protocol such as Ethernet or IEEE 802 1x The Timestamp is used by stations to update their ...

Page 169: ...a CCM mode of operation combining the Cipher Block Chaining Counter mode CBC CTR and the Cipher Block Chaining Message Authentication Code CBC MAC for encryption and message integrity AES CCMP requires a hardware coprocessor to operate CGI The Common Gateway Interface CGI is a standard for running external programs from an HTTP server It speciﬁes how to pass arguments to the executing program as p...

Page 170: ...ling wait times for channel access Wait times are determined by a random backoff timer which is conﬁgurable by deﬁning minimum and maximum contention windows DHCP The Dynamic Host Conﬁguration Protocol DHCP is a protocol specifying how a central server can dynamically provide network conﬁguration information to clients A DHCP server offers a lease for a pre conﬁgured period of time see LeaseTime t...

Page 171: ...iple access points forming a single subnetwork that can support more clients than a basic service set BSS Each access point supports a number of wireless stations providing broader wireless coverage for a large space for example an ofﬁce Ethernet Ethernet is a local area network LAN architecture supporting data transfer rates of 10Mbps to 1Gbps The Ethernet speciﬁcation is the basis for the IEEE 8...

Page 172: ...iated with both a router which use headers and forwarding tables to determine where packets are sent and a switch or bridge which provides the actual path for the packet in and out of the gateway Before a host on a LAN can access the Internet it needs to know the address of its default gateway HTML The Hypertext Markup Language HTML deﬁnes the structure of a document on the World Wide Web It uses ...

Page 173: ...usion Detection The Intrusion Detection System IDS inspects all inbound network activity and reports suspicious patterns that may indicate a network or system attack from someone attempting to break into the system It reports access attempts using unsupported or known insecure protocols IP The Internet Protocol IP speciﬁes the format of packets also called datagrams and the addressing scheme IP is...

Page 174: ...net Service Provider ISP is a company that provides access to the Internet to individuals and companies It may provide related services such as virtual hosting network consulting Web design etc Jitter Jitter is the difference between the latency or delay in packet transmission from one node to another across a network If packets are not transmitted at a consistent rate including Latency QoS for so...

Page 175: ... a higher level protocol over the PHY layer It provides an arbitration mechanism in an attempt to prevent signals from colliding It uses a hardware address known as the MAC address that uniquely identiﬁes each node of a network IEEE 802 network devices share a common 48 bit MAC address format displayed as a string of twelve 12 hexadecimal digits separated by colons for example FE DC BA 09 87 65 MD...

Page 176: ...ows the use of a single Internet connection Network Address See IP Address NIC A Network Interface Card is an adapter or expansion board inserted into a computer to provide a physical connection to a network Most NICs are designed for a particular type of network protocol and media for example Ethernet or wireless NTP The Network Time Protocol assures accurate synchronization of the system clocks ...

Page 177: ...is divided up and packaged into packets A packet includes a small chunk of the content to be sent along with its destination address and sender address Packets are pushed out onto the network and inspected by each node The node to which it is addressed is the ultimate recipient Packet Loss Packet Loss describes the percentage of packets transmitted over the network that did not reach their intende...

Page 178: ...ent access to speciﬁc servers or services PSK Pre Shared Key PSK see Shared Key Public Key A public key is used in public key cryptography to encrypt a message which can only be decrypted with the recipient s private or secret key Public key encryption is also called asymmetric encryption because it uses two keys or Difﬁe Hellman encryption Also see Shared Key QoS Quality of Service QoS deﬁnes the...

Page 179: ...age value RTP Real TimeTransport Protocol RTP is an Internet protocol for transmitting real time data like audio and video It does not guarantee delivery but provides support mechanisms for the sending and receiving applications to enable streaming data RTP typically runs on top of the UDP protocol but can support other transport protocols as well RTS A request to send RTS message is a signal sent...

Page 180: ...nning tree topology and reestablishes the link by activating the standby path Without spanning tree in place it is possible that both connections may be simultaneously live which could result in an endless loop of trafﬁc on the LAN Subnet Mask A Subnet Mask is a number that deﬁnes which part of an IP address is the network address and which part is a host address on the network It is shown in dott...

Page 181: ...y and CRC of each 802 11 frame before transmission It is an important component of the WPA and 802 11i security mechanisms ToS TCP IP packet headers include a 3 to 5 bit Type of Service ToS ﬁeld set by the application developer that indicates the appropriate type of service for the data in the packet The way the bits are set determines whether the packet is queued for sending with minimum delay ma...

Page 182: ...ses the Internet to connect its nodes It uses encryption and other mechanisms to ensure that only authorized users can access its nodes and that data cannot be intercepted WAN A Wide Area Network WAN is a communications network that spans a relatively large geographical area extending over distances greater than one kilometer A WAN is often connected through public networks such as the telephone s...

Page 183: ... uses high frequency radio waves rather than wires to communicate between its nodes WME Wireless Multimedia Enhancements WME is a subset of the 802 11e draft speciﬁcation It uses four priority queues between an Access Point and its clients WME provides an interim standards based QoS solution WPA Wi Fi Protected Access WPA is a Wi Fi Alliance version of the draft IEEE 802 11i standard It provides m...

Page 184: ...t WEP WPA TKIP AES PSK Mode WPA RADIUS Server Mode EAP MD5 TLS TTLS PEAP Embedded RADIUS Server Weak IV Avoidance Ignore Inhibit SSID Broadcast MAC Address Access Control List Wireless Frequency Range 2 4GHz to 2 4835GHz Technical Speciﬁcations Maximum wireless signal rate derived from IEEE Standard 802 11a and 802 11g speciﬁcations Actual data throughput will vary Network conditions and environme...

Page 185: ...02ft 92m 6Mbps Outdoors 328ft 100m 54Mbps 968ft 295m 11Mbps 1378ft 420m 6Mbps Antenna Type Dipole antenna with 5dBi gain Operating Voltage 48VDC 10 for PoE Technical Speciﬁcations continued Radio and Modulation Type For 802 11b DSSS DBPSK 1Mbps DQPSK 2Mbps CCK 5 5 and 11Mbps For 802 11g OFDM BPSK 6 and 9Mbps QPSK 12 and 18Mbps 16QAM 24 and 36Mbps 64QAM 48 and 54Mbps DSSS DBPSK 1Mbps DQPSK 2Mbps CC...

Page 186: ...m 6mW 7dBm 1mW 0dBm For 802 11g 63mW 18dBm 40mW 16dBm 32mW 15dBm 6mW 7dBm 1mW 0dBm Receiver Sensitivity For 802 11b 1Mbps 94dBm 2Mbps 90dBm 5 5Mbps 88dBm 11Mbps 85dBm For 802 11g 1Mbps 94dBm 2Mbps 91dBm 5 5Mbps 89dBm 6Mbps 91dBm 9Mbps 90dBm 11Mbps 86dBm 12Mbps 89dBm 18Mbps 87dBm 24Mbps 84dBm 36Mbps 80dBm 48Mbps 76dBm 54Mbps 73dBm ...

Page 187: ... to 40ºC Storing 4ºF to 149ºF 20ºC to 65ºC Humidity Operating 10 90 non condensing Storing 5 95 non condensing Certiﬁcations FCC Part 15 UL Dimensions L 5 59 inches 142mm W 4 29 inches 109mm H 1 22 inches 31mm Weight 0 44 lbs 200g Warranty 1 Year Environmental factors may adversely affect wireless range ...

Page 188: ...h our web site or by phone Tech Support for customers within the United States D Link Technical Support over the Telephone 877 453 5465 Monday to Friday 6 00am to 6 00pm PST D Link Technical Support over the Internet http support dlink com email support dlink com Tech Support for customers within Canada D Link Technical Support over the Telephone 800 361 5265 Monday to Friday 6 00am to 6 00pm PST ...

Page 189: ...urrent functional speciﬁcations for the Software as set forth in the applicable documentation from the date of original retail purchase of the Software for a period of ninety 90 days Warranty Period provided that the Software is properly installed on approved hardware and operated as contemplated in its documentation D Link further warrants that during the Warranty Period the magnetic media on whi...

Page 190: ...h defaced or removed Initial installation installation and removal of the product for repair and shipping costs Operational adjustments covered in the operating manual for the product and normal maintenance Damage that occurs in shipment due to act of God failures due to power surge and cosmetic damage Any hardware software ﬁrmware or other products or services provided by anyone other than D Link...

Page 191: ...ital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communication However there is no guarantee that interfere...

Page 192: ...192 192 5 12 05 Registration Register your D Link product online at http support dlink com register ...

Page 193: ...193 ...

Reviews:

No comments

Related manuals for AirPremier DWL-2210AP

Brand: Navini Networks Pages: 8

Brand: H3C Pages: 34

Brand: Fortinet Pages: 11

Brand: Belkin Pages: 104

Barricade SMC7004VWBR V.2

Brand: SMC Networks Pages: 82

Brand: Abocom Pages: 37

Brand: Medialink Pages: 105

EKI-6333AC-A Series

Brand: Advantech Pages: 42

Brand: MikroTik Pages: 6

Brand: ART2WAVE Pages: 12

Brand: Xterasys Pages: 74

Brand: 2xWireless Pages: 12

Cellferno M1200

Brand: PowerTec Pages: 12

Brand: Ebyte Pages: 13

Brand: AirLive Pages: 6

Brand: Ebyte Pages: 33

Brand: Draytek Pages: 4

Brand: Fritz! Pages: 127

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands