Extreme Networks, Inc.

3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800

http://www.extremenetworks.com

 

Altitude™ 4000 Series Access Point System Reference Guide

Software Version 5.2

Published: November 2011
Part number: 120735-00 Rev 1

Summary of Contents for Altitude 4000 Series

Page 1: ...nroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com AltitudeTM 4000 Series Access Point System Reference Guide Software Version 5 2 Published November 2011...

Page 2: ...SummitStack Triumph Unified Access Architecture Unified Access RF Manager UniStack the Extreme Networks logo the Alpine logo the BlackDiamond logo the Extreme Turbodrive logo the Summit logos and the...

Page 3: ...figuration Operation Icons 22 Access Type Icons 23 Administrative Role Icons 23 Device Icons 24 Chapter 4 Quick Start 25 Using the Initial Setup Wizard 25 Chapter 5 Dashboard 45 Dashboard 45 Dashboard...

Page 4: ...guration 130 Managing Virtual Controllers 132 Overriding a Device Configuration 134 Basic Configuration 135 Assigning Certificates 137 Certificate Management 139 RSA Key Management 146 Certificate Cre...

Page 5: ...S Policy 264 Configuring a Radio s QoS Policy 265 Radio QoS Configuration and Deployment Considerations 272 AAA Policy 273 Association ACL 282 Association ACL Deployment Considerations 284 Smart RF Po...

Page 6: ...perations 389 Managing Firmware and Config Files 390 Upgrading Device Firmware 391 Managing File Transfers 393 Using the File Browser 395 AP Upgrades 396 Certificates 400 Certificate Management 401 RS...

Page 7: ...Viewing Interface Statistics Graph 476 Network 477 ARP Entries 477 Route Entries 478 Bridge 478 DHCP Options 481 Cisco Discovery Protocol 482 Link Layer Discovery Protocol 483 DHCP Server 484 DHCP Bi...

Page 8: ...Table of Contents AltitudeTM 4000 Series Access Point System Reference Guide 8 Graph 517 Appendix A Customer Support 519 Registration 519 Documentation 519...

Page 9: ...ired to transition to a more advanced configuration of the access point The installation guide is unique to the particular access point model purchased Altitude Access Point System Reference Guide thi...

Page 10: ...hat could result in personal injury or equipment damage Notational Conventions The following additional notational conventions are used in this document Italic text is used to highlight the following...

Page 11: ...update from the Virtual Controller AP s assigned profile configuration the administrator should apply a Device Override to change just that access point s configuration For more information on applyi...

Page 12: ...support is significantly reduced as traffic does not require an unnecessary backhaul Within a network up to 80 of the network traffic can remain on the AP wired mesh without going back to the central...

Page 13: ...in wired and wireless networks Thus users benefit from an extremely reliable network that adapts to meet their needs and delivers mixed media applications Firmware and configuration updates are suppo...

Page 14: ...Chapter 2 Overview AltitudeTM 4000 Series Access Point System Reference Guide 14...

Page 15: ...ent For information on how to access and use the Web UI see Accessing the Web UI on page 15 Glossary of Icons Used on page 17 Accessing the Web UI The access point uses a Graphical User Interface GUI...

Page 16: ...point s IP address using its MAC address a Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows b Wi...

Page 17: ...2 Access Type Icons on page 23 Administrative Role Icons on page 23 Device Icons on page 24 Global Icons Web UI Overview This section lists global icons available throughout the interface Logoff Selec...

Page 18: ...To edit a policy click on the policy and select this button Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to...

Page 19: ...ected that did not stop the process from completing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has complet...

Page 20: ...dicates a bridging policy configuration has been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domai...

Page 21: ...conjunction with captive portal to provide hotspot services to wireless clients DHCP Server Policy Indicates a DHCP server policy is being applied DHCP provides IP addresses to wireless clients A DHCP...

Page 22: ...s a file that records the status of all the processes and memory when a process fails Panic Snapshots Indicates a panic snapshot has been generated A panic snapshot is a file that records the status o...

Page 23: ...console access permission A user with this permission is permitted to access using the access point s serial console Superuser Indicates superuser privileges A superuser has complete access to all co...

Page 24: ...nds view or retrieve logs and reboot an access point Web User Indicates a Web user privilege A Web user is allowed accessing the access point s Web user interface System This icon indicates system wid...

Page 25: ...ons on how to use the initial setup wizard see Using the Initial Setup Wizard on page 25 Using the Initial Setup Wizard Once the access point is installed and powered on complete the following steps t...

Page 26: ...oints management interface has been accessed an introductory screen displays that outlines the parameters that can be configured sequentially using the setup wizard NOTE The Initial Setup Wizard displ...

Page 27: ...igation Panel and Introduction for the configuration activities comprising the access point s initial setup A green checkmark to the left of an item in the Navigation Panel defines the listed task as...

Page 28: ...to the previous screen in the Navigation Panel without saving your updates NOTE While you can navigate to any page in the navigation panel you cannot complete the Initial AP Setup Wizard until each t...

Page 29: ...same model Standalone AP Select this option to deploy this access point as an autonomous fat access point A standalone AP isn t managed by a Virtual Controller AP or adopted by a controller NOTE If de...

Page 30: ...the preferred controllers If using the static method you ll also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically NOTE The best way...

Page 31: ...t supported by just a single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas brid...

Page 32: ...rmation for the LAN interface Use DHCP Select the checkbox to enable an automatic network address configuration using the access point s DHCP server Static IP Address Subnet Enter an IP Address and a...

Page 33: ...ault Gateway Define a default gateway address for use with the default gateway This is a required parameter DNS Forwarding Select this option to allow a DNS server to translate domain names into IP ad...

Page 34: ...e required fields The port connected to the WAN Select the port used as the physical access point connection to the external network This ports available differ depending on the access point model dep...

Page 35: ...he ADSP Sensor Support field displays at the bottom of the screen only if a radio has been dedicated as a sensor 16 Set the following parameters for each radio Configure as a Date Radio Select this op...

Page 36: ...ce Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor...

Page 37: ...the Initial Setup Wizard AltitudeTM 4000 Series Access Point System Reference Guide 37 18 Set the following parameters for each if the WLAN configurations available as part of this Initial AP Setup W...

Page 38: ...is used WPA Key If a WPA key is required PSK Authentication and WPA2 Encryption enter an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting a...

Page 39: ...he Username Password Description and Actions columns to review credentials of existing RADIUS Server user accounts Add new accounts or edit the properties of existing accounts as updates are required...

Page 40: ...Re enter or modify the password as a means of confirming the password This is a required parameter Description Optionally provide a description of the user account as means of further differentiating...

Page 41: ...eless network Contact Specify the contact information for the administrator The credentials provided should accurately reflect the individual responding to service queries Country Select the Country w...

Page 42: ...h the NTP resource 27 If an NTP resource is unavailable set the System Date and Time calendar date time and AM PM designation 28 Optionally enter the IP address of a server used to provide system time...

Page 43: ...uide 43 30 If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summ...

Page 44: ...Chapter 4 Quick Start AltitudeTM 4000 Series Access Point System Reference Guide 44...

Page 45: ...havior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard on page 45 Netw...

Page 46: ...splays the Health tab by default Dashboard Conventions The Dashboard displays device information using the following conventions Health Displays information about the state of the access point managed...

Page 47: ...Health Health The Health tab displays information about the state of the access point managed network Information in this tab is classified as Device Details on page 48 Radio RF Quality Index on page...

Page 48: ...tment Periodically select Refresh at the bottom of the screen to update the data displayed Radio RF Quality Index Health The Radio RF Quality Index field displays a RF quality table for the access poi...

Page 49: ...t to wireless client load and radio band Periodically select Refresh at the bottom of the screen to update the RF quality data Radio Utilization Index Health The Radio Utilization Index field displays...

Page 50: ...ent radios connected to the access point The RF Quality Index measures the overall effectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as...

Page 51: ...ected access point The Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a spec...

Page 52: ...update the radio information WLAN Utilization Inventory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures h...

Page 53: ...client support requirements NOTE Altitude 4532 and Altitude 4700 series model access points can support up to 256 client connections to a single access point Altitude 4511 and Altitude 4521 4522 model...

Page 54: ...played using a number of different color options Access points and clients can be selected and viewed using various color schemes in respect to neighboring access points connected devices and performa...

Page 55: ...play connected clients Navigate the System Browser as required to review device connections within the access point managed network Many of these peer access points are available for connection to acc...

Page 56: ...4 GHz radio band and Blue 5 GHz radio band Selecting Band is a good way to determine whether 2 4 and 5 GHz radios are optimally deployed in respect to the access point client loads on both bands Chann...

Page 57: ...Access Point System Reference Guide 57 Optionally select the Statistics link at the bottom of the display a screen where Access Point device data can be reviewed on a much more granular level For mor...

Page 58: ...Chapter 5 Dashboard AltitudeTM 4000 Series Access Point System Reference Guide 58...

Page 59: ...dministered design For more information see RF Domain Overrides on page 153 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same...

Page 60: ...pports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the...

Page 61: ...by the access point alone The access point works in conjunction with a dedicated WIPS server Location Assign the physical location of the RF Domain This name could be as specific as the floor of a bui...

Page 62: ...by the RF Domain 6 Use the spinner control to specify the Port of each WIPS server The default port is 443 7 Select OK to save the changes to the AirDefense WIPS configuration or select Reset to Rever...

Page 63: ...ompared to the default radio configurations in previous WiNG 5 releases is that default profiles are used as pointers of an access point s configuration not just templates from which the configuration...

Page 64: ...complex programmable logic device CPLD The CPLD determines proper supply sequencing the maximum power available and other status information One of the primary functions of the CPLD is to determine t...

Page 65: ...ccess point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To define an access point s power configur...

Page 66: ...elect OK to save the changes made to the access point power configuration Select Reset to revert to the last saved configuration Profile Adoption Auto Provisioning Configuration Adoption is the proces...

Page 67: ...o save the changes made to the general profile configuration Select Reset to revert to the last saved configuration Profile Interface Configuration A access point profile can support customizable Ethe...

Page 68: ...d significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 91 Ethernet Port Configuration Profile Interface Configuration Displays th...

Page 69: ...n the port are expected as untagged and mapped to the native VLAN If set to Trunk the port allows packets from a list of VLANs added to the trunk A port configured as Trunk supports multiple 802 1Q ta...

Page 70: ...ransmit the data Select either 10 Mbps 100 Mbps 1000 Mbps Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission...

Page 71: ...you add to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default mode Native VLAN Use the spinner contro...

Page 72: ...define the following Trust ARP Responses Select the radio button to enable ARP trust on this access point port ARP packets received on this port are considered trusted and information from these pack...

Page 73: ...tion Profile Interface Configuration A Virtual Interface is required for layer 3 IP access to provide layer 3 service on a VLAN The Virtual Interface defines which IP address is associated with each V...

Page 74: ...ssigned when it was created The name is between 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed access point interface Des...

Page 75: ...he default value is disabled Enable Zero Configuration The access point can use Zero Config for IP assignments on an individual virtual interface basis Select Primary to use Zero Config as the designa...

Page 76: ...c Configuration screen Select Reset to revert to the last saved configuration 11 Select the Security tab 12 Use the Inbound IP Firewall Rules drop down menu to select the firewall rule configuration t...

Page 77: ...d select the Edit button The port channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name can...

Page 78: ...Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port These options are not available if Auto is...

Page 79: ...the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select the checkbox to tag the native...

Page 80: ...save the changes to the security configuration Select Reset to revert to the last saved configuration 15 Select the Spanning Tree tab Trust ARP Responses Select the check box to enable ARP trust on t...

Page 81: ...ceiving a BPDU Thus no BPDUs are processed The default setting is None Enable as Edge Port Select the check box to define this port as an edge port Using an edge private port you can isolate devices t...

Page 82: ...onfiguration Profile Interface Configuration An access point profile can have its radio configuration modified once its radios have successfully associated to the network To define a Access Point radi...

Page 83: ...the radio s configuration was added or modified Admin Status A red X defines the radio s admin status as currently disabled A green checkmark designates the admin status as enabled RF Mode Displays w...

Page 84: ...xisting Association ACL policy to apply to the access point radio An Association ACL is a policy based Access Control List ACL that either prevents or allows wireless clients from connecting to a acce...

Page 85: ...transmissions and receipts over two antennas for dual antenna models The default setting is dynamic based on the access point model deployed and its transmit power settings Enable Antenna Diversity S...

Page 86: ...ng the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold between 1 2 347 bytes for use by the WLAN s adop...

Page 87: ...model can support up to 8 BSS IDs 14 Select the OK button located at the bottom right of the screen to save the changes to the WLAN Mapping Select Reset to revert to the last saved configuration 15 S...

Page 88: ...lect the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 20 Select the Advanced Settings tab Me...

Page 89: ...PDU Modes Use the drop down menu to define the A MPDU mode supported Options include Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the defaul...

Page 90: ...packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twi...

Page 91: ...the following deployment guidelines to ensure these configuration are optimally effective WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card Enable WAN 3G Check this box t...

Page 92: ...onfiguration Setting an access point profile s network configuration is a large task comprised of numerous administration activities An access point profile network configuration process consists of t...

Page 93: ...Servers field provide the IP addresses of up to three DNS server resources available to the access point 8 Select OK to save the changes made to the DNS configuration Select Reset to revert to the las...

Page 94: ...ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address...

Page 95: ...priority voice traffic The profile QoS screen maps the 6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP head...

Page 96: ...s Select Reset to revert to the last saved configuration Static Routes Profile Network Configuration DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet cla...

Page 97: ...s 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Static Routes 5 Select Add Row as needed to include single rows in the static routes table 6...

Page 98: ...ase 5 Define a Bridge Aging Time between 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before being deleted due to lack of acti...

Page 99: ...n though they are on separate physical subnets The systems in conference rooms X and Y are managed by the same single device but ignore the systems that aren t using same VLAN ID Administrators often...

Page 100: ...An edge VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and...

Page 101: ...utomatic Select Automatic mode to let the access point determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel...

Page 102: ...d an administrator can better track the leases when hostnames are used instead of devices To include a hostnames in DHCP request 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Selec...

Page 103: ...ofile configuration is optimally effective Administrators often need to route traffic to interoperate between different VLANs Bridging VLANs are only for non routable traffic like tagged VLAN frames d...

Page 104: ...verage existing firewall wireless client role and WIPS policies and configurations and apply them to the profile s configuration This affords each profile a truly unique combination of data protection...

Page 105: ...improperly issued a certificate or if a private key is compromised The most common reason for revocation is the user no longer being in sole possession of the private key To define a CRL configuration...

Page 106: ...querading technique to hide private IP addresses behind a single public facing IP address NAT is a process of modifying network address information in IP packet headers while in transit across a traff...

Page 107: ...lists those NAT policies created thus far Any of these policies can be selected and applied to the access point profile 5 Select Add to create a new NAT policy that can be applied to a profile Select...

Page 108: ...NAT type either Inside or Outside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perime...

Page 109: ...is the default setting 12 Select the Destination tab to view destination NAT configurations and define packets passing through the NAT on the way back to the LAN are searched against to the records ke...

Page 110: ...oth timeouts and retransmissions TCP establishes a full duplex virtual connection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP o...

Page 111: ...fied is destination Network Select Inside or Outside NAT as the network direction Inside is the default setting Source List ACL Lists the ACL defining packet selection criteria for the NAT configurati...

Page 112: ...ed will not be exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside NAT as the network direction for the dynamic N...

Page 113: ...e profile to block undesirable traffic from being routed For outbound Internet access a stateful firewall can be configured to deny all traffic If port address translation is required a stateful firew...

Page 114: ...ptive portal policy use the default captive portal policy or select the Create link to create a new captive portal configuration that can be applied to this profile For more information see Configurin...

Page 115: ...Management Configuration The access point has mechanisms to allow deny management access to the network for separate interfaces and protocols HTTP HTTPS Telnet SSH or SNMP These management access conf...

Page 116: ...Chapter 6 Device Configuration AltitudeTM 4000 Series Access Point System Reference Guide 116...

Page 117: ...verity coincides with the syslog logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4...

Page 118: ...servers require users to authenticate with a username and password before sending e mail through the server Enable Configuration Upgrade Select this option to enable automatic configuration file upda...

Page 119: ...e maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using i...

Page 120: ...ubnet mask of 255 255 0 0 3 Ping the Altitude 4532 from the computer to ensure IP connectivity 4 Open an SSH session on the computer and connect to the Altitude 4532 s IP address 5 Login with a userna...

Page 121: ...d configuration is comprised of defining connected client load balance settings a MINT protocol configuration and miscellaneous settings NAS ID access point LEDs and RF Domain Manager To set an access...

Page 122: ...n clients Select this option to use probes from shared clients in the neighbor selection process This feature is enabled by default to provide the best common group of available clients amongst access...

Page 123: ...d if wishing to prioritize client traffic on the 2 4 GHz radio band The higher the value set the greater the weight assigned to radio traffic load on the 2 4 GHz radio band The default setting is 1 Th...

Page 124: ...more important than a high client connection count The default setting is 10 Max 5GHz Load Difference Considered Equal Use the spinner control to set a value between 0 100 considered an adequate discr...

Page 125: ...ators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network...

Page 126: ...ile Level 1 Area ID Select the check box to enable a spinner control for setting the Level 1 Area ID between 1 4 294 967 295 The default value is disabled Designated IS Priority Adjustment Use the spi...

Page 127: ...tab to display the link IP network address information shared by the devices managed by the access point s MINT configuration The IP tab displays the IP address routing level link cost hello packet in...

Page 128: ...level of either 1 or 2 Listening Link Specify a listening link of either 0 or 1 UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone a...

Page 129: ...and Adjacency Hold Time managed devices use to securely communicate amongst one another Select Add to create a new VLAN link configuration or Edit to modify an existing configuration NOTE If creating...

Page 130: ...resenting a physical port When the wireless controller authorizes users it queries the user profile database using a username representative of the physical NAS port making the connection VLAN If addi...

Page 131: ...managed device as being capable of being the RF Domain manager for a particular RF Domain The default value is enabled The RF Domain manager can support up to 24 access point of the same model Altitud...

Page 132: ...not the CLI The CLI provides the ability to define more than one profile while the UI only provides one per access point model Consequently the two interfaces cannot be used collectively to manage pr...

Page 133: ...r s radio coverage area Each listed access point is listed by its assigned System Name MAC Address and Virtual Controller designation Only Standalone APs of the same model can have their Virtual Contr...

Page 134: ...tration and management of all the APs in the network in does introduce the risk of allowing device association to a potential rogue device That s why this setting is disabled by default 8 Select OK to...

Page 135: ...sic configuration parameters be set and its deployment location defined Additionally the number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual...

Page 136: ...the RF Domain or Profile the access points supports and is identified by Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exc...

Page 137: ...the owner s public key the certificate expiration date the owner s name and other public key owner information Each certificate is digitally signed by a trustpoint The trustpoint signing the certifica...

Page 138: ...tificate configurations Selecting Reset reverts the screen to its last saved configuration For more information on the certification activities refer to the following HTTPS Trustpoint Either use the d...

Page 139: ...ertificate Management Assigning Certificates If not wanting to use an existing certificate or key with a selected device an existing stored certificate can be leveraged from a different device Device...

Page 140: ...nt screen displays with the Trustpoints section displayed by default 2 Select a device from amongst those displayed to review its certificate information Refer to the Certificate Details to review the...

Page 141: ...e key used by both the device and the server or repository of the target trustpoint Select the Show textbox to expose the actual characters used in the key Leaving the Show checkbox unselected display...

Page 142: ...the default setting Cut and Paste Select the Cut and Paste radio button to copy an existing CA certificate into the cut and past field When pasting a valid CA certificate no additional network address...

Page 143: ...ng the Certificate Revocation List CRL Configuration on page 105 10 Define the following configuration parameters required for the Import of the CRL Trustpoint Name Enter the 32 character maximum name...

Page 144: ...for the Import of the CA certificate Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 and usb2 IP Address If selecting Advanced enter IP address...

Page 145: ...ficate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certif...

Page 146: ...RSA key is the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import export keys to and from remote locations Trustpoint Name Enter t...

Page 147: ...an have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected de...

Page 148: ...the server or repository of the target RSA key Select the Show textbox to expose the actual characters used in the passphrase Leaving the Show checkbox unselected displays the passphrase as a series o...

Page 149: ...signed to the RSA key Key Passphrase Define the key passphrase used by both the access point and the server Select the Show textbox to expose the actual characters used in the passphrase Leaving the S...

Page 150: ...er left hand side of the Certificate Management screen 3 Define the following configuration parameters required to Create New Self Signed Certificate Certificate Name Enter the 32 character maximum na...

Page 151: ...an identity certificate digitally signed with the private key of the CA To create a CSR Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s...

Page 152: ...Use Existing Key Select the radio button and use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Sele...

Page 153: ...point supports a single RF domain An access point RF Domain cannot be used on a different model access point For example an Altitude 4532 RF Domain override can only be applied to another Altitude 45...

Page 154: ...t location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the maintenance...

Page 155: ...iodic refinement from their original administered design Consequently a device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particu...

Page 156: ...er to the following to complete the override of the access point s entire profile configuration Radio Power Overrides Adoption Overrides Profile Interface Override Configuration AutoKey Select the rad...

Page 157: ...PLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces...

Page 158: ...s changed the access point requires a reset to implement the change If 802 3at is selected the access point assumes 23 26 watts are available 8 Set or override the Access Point radio s 802 3af Power M...

Page 159: ...an access point solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an exist...

Page 160: ...es made to the access point adoption configuration Select Reset to revert to the last saved configuration Profile Interface Override Configuration An access point requires its Virtual Interface be con...

Page 161: ...ne an Ethernet port configuration override 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select a target device by double clicking it from amongst those...

Page 162: ...rt Admin Status A green checkmark defines the port as active and currently enabled with the profile A red X defines the port as currently disabled and not available for use The interface status can be...

Page 163: ...When a frame is tagged the 12 bit frame VLAN ID is added to the 802 1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to The device reads the 12 bit VLAN ID and forwards the...

Page 164: ...face updates to a multicast address to advertise its presence to neighbors Cisco Discover Protocol Transmit Select the radio button to allow the Cisco discovery protocol for transmitting data on this...

Page 165: ...the native VLAN The IEEE 802 1Q specification is supported for tagging frames and coordinating VLANs between devices IEEE 802 1Q adds four bytes to each frame identifying the VLAN ID for upstream dev...

Page 166: ...tion networks for routing To review existing Virtual Interface configurations and either create a new Virtual Interface configuration modify override an existing configuration or delete an existing co...

Page 167: ...e the configuration of an existing Virtual Interface or Delete to permanently remove a selected Virtual Interface Name Displays the name of each listed Virtual Interface assigned when it was created T...

Page 168: ...eans of providing an IP address this eliminates the means to assign one manually Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments None is the de...

Page 169: ...o Setting the Profile s NAT Configuration on page 106 for instructions on creating a profile s NAT configuration 14 Select OK button to save the changes and overrides to the Basic Configuration screen...

Page 170: ...vice menu to expand it into sub menu options 4 Select Interface to expand its sub menu options 5 Select Radios NOTE A blue override icon to the left of a parameter defines the parameter as having an o...

Page 171: ...er enabled or disabled for client or sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be lis...

Page 172: ...channel with the fewest access points In case of multiple access points on the same channel it will select the channel with the lowest average power level The default value is Smart Transmit Power Set...

Page 173: ...to specify whether the radio is located Indoors or Outdoors The placement should depend on the selected country of operation and its regulatory domain requirements for radio emissions The default sett...

Page 174: ...m recovery from electromagnetic interference and data collisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS thresho...

Page 175: ...sign each WLAN its own BSSID If using a single radio Altitude 4511 or Altitude 4521 access point there are 8 BSSIDs available If using a dual radio Altitude 4532 or Altitude 4700 series access point t...

Page 176: ...preference 20 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advance...

Page 177: ...value to None for high priority traffic to reduce packet delay A MPDU Modes Use the drop down menu to define the A MPDU mode Options include Transmit Only Receive Only Transmit and Receive and None Th...

Page 178: ...be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation To define a W...

Page 179: ...the WAN 3G Backhaul card Reset WAN Card If the WAN Card becomes unresponsive or is experiencing other errors click the Reset WAN Card button to power cycle and reboot the WAN card Enable WAN 3G Check...

Page 180: ...twork Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP add...

Page 181: ...to forward DNS queries if DNS resources are unavailable The DNS name servers are used to resolve IP addresses Use the Clear link next to each DNS server to clear the DNS name server s IP address from...

Page 182: ...packet length and format and sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine kn...

Page 183: ...the changes and overrides to the ARP configuration Select Reset to revert to the last saved configuration Overriding a Quality of Service QoS Configuration Overriding the Network Configuration Switch...

Page 184: ...per hop behavior that is applied to a packet This QoS assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar access...

Page 185: ...is eliminates the need for a long configuration file and reduces the resource space required to maintain address pools To create or override a static routes 1 Select Devices from the Configuration tab...

Page 186: ...c from a managed device to another network segment The default gateway connects the network to the outside network Internet The gateway is associated with a router which uses headers and forwarding ta...

Page 187: ...er similar device models To define or override a forwarding database configuration 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand s...

Page 188: ...try will remain in a bridge s forwarding table before being deleted due to lack of activity If an entry replenishments a destination generating continuous traffic this timeout value will never be...

Page 189: ...te physical subnets The systems in conference rooms X and Y are managed by the same single entity but ignore the systems that aren t using same VLAN ID Administrators often need to route traffic to in...

Page 190: ...ssigned when it was created or modified The description should be unique to the VLAN s specific configuration and help differentiate it from other VLANs with similar configurations Edge VLAN Mode Defi...

Page 191: ...enabled DHCP packets from a DHCP server are considered trusted and permissible within the network DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks Bridging Mode Specify...

Page 192: ...n tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Network to expa...

Page 193: ...eless client role policy WEP shared key authentication NAT policy and VPN policy applied If an existing firewall client role or NAT policy is unavailable create the required security policy configurat...

Page 194: ...I 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Security to expand its sub menu options 5 Select General NOTE A blue override icon to the left of a parame...

Page 195: ...arget device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Security to expand its sub menu o...

Page 196: ...NAT is a process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping one IP address to another In most deployme...

Page 197: ...sts those NAT policies created thus far Any of these policies can be selected and applied to a profile 6 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or...

Page 198: ...et the NAT type either Inside or Outside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a...

Page 199: ...ult setting 10 Select the Destination tab to view destination NAT configurations and define packets passing through the NAT on the way back to the LAN are searched against the records kept by the N...

Page 200: ...y an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram se...

Page 201: ...CL Lists an ACL name to define the packet selection criteria for the NAT configuration NAT is applied only on packets which match a rule defined in the access list These addresses once translated are...

Page 202: ...n the access list These addresses once translated will not be exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside...

Page 203: ...estrictive access to the network The primary means of securing such guest access is a hotspot A captive portal policy s hotspot configuration provides secure authenticated access using a standard Web...

Page 204: ...ion must be modified from its original device profile configuration Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define or o...

Page 206: ...ogging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debu...

Page 207: ...le and firmware updates Username for SMTP Server Specify the username of the sender on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sen...

Page 208: ...nges and overrides made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrad...

Page 209: ...ever administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device o...

Page 210: ...he IP tab to display the link IP network address information shared by the devices managed by the MINT configuration Level 1 Area ID Select the box to enable a spinner control for setting the Level 1...

Page 211: ...b displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another Select A...

Page 212: ...UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamicall...

Page 213: ...o revert to the last saved configuration 17 Select the Advanced Miscellaneous menu item VLAN Define a VLAN ID between 1 4 094 used by peer controllers for interoperation when supporting the MINT proto...

Page 214: ...RF Domain Managers can support up to 512 client connections An Altitude 4511 or Altitude 4521 RF Domain Manager can support up to 256 client connections 22 Select the Priority radio button within the...

Page 215: ...point profile 4 Click the Add Row button at the bottom of the table to add a new critical resource 5 Set the following parameters to define the Critical Resource configuration Ping Interval Set the du...

Page 216: ...ular devices By default there s no enabled event policy and one needs to be created and implemented When initially displayed the Event Policy screen lists the access point interfaces Existing policies...

Page 217: ...of the screen and select an event module used to track the occurrence of each list event 5 Review each event and select or deselect the SNMP Syslog Forward to Switch or Email Notification option as r...

Page 219: ...such as guest access control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit...

Page 220: ...on to assess the attributes of each available WLAN WLAN Displays the name of each WLAN available to the access point Each WLAN can be selected and its SSID and client management properties modified Ea...

Page 221: ...N by means of load balance distribution The VLAN is picked from a pool assigned to the WLAN Keep in mind however typical deployments only map a single VLAN to a WLAN The use of a pool is strictly opti...

Page 222: ...Description Provide a textual description for the WLAN to help differentiate it from others with similar configurations A description can be up to 64 characters WLAN Status Select the Enabled radio bu...

Page 223: ...re defining a WLAN s basic configuration refer to the following deployment guidelines to ensure the configuration is optimally effective Extreme Networks recommends one VLAN be deployed for secure WLA...

Page 224: ...tication on page 226 PSK None on page 227 Secure guest access to the network is referred to as captive portal A captive portal is a guest access policy for providing guests temporary and restrictive acc...

Page 225: ...urther protect user information forwarded over wireless controller managed WLANs The EAP process begins when an unauthenticated supplicant client device tries to connect with an authenticator in this...

Page 226: ...eset to revert back to the last saved configuration EAP EAP PSK and EAP MAC Deployment Considerations 802 1x EAP EAP PSK and EAP MAC Before defining a 802 1x EAP EAP PSK or EAP MAC supported configura...

Page 227: ...elect the Edit icon to modify the configuration of a selected AAA policy 6 Authentication authorization and accounting AAA is a framework for intelligently controlling access to the wireless client ma...

Page 228: ...efault Select the Captive Portal Policy to use with the WLAN from the drop down menu If no relevant policies exist select the Create icon to define a new policy to use with this WLAN or the Edit icon...

Page 229: ...WLAN WPA WPA2 TKIP configuration for the WLAN 5 Define the Key Settings 6 Define Key Rotation values Unicast messages are addressed to a single device on the network Broadcast messages are addressed t...

Page 230: ...roadcast Rotation Interval When enabled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define an interval for broadcast ke...

Page 231: ...the same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a totally differen...

Page 232: ...ave enough data using a single key to attack the deployed encryption scheme Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string bo...

Page 233: ...Rotation Interval When enabled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define an interval for broadcast key transm...

Page 234: ...bit key concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter WEP algorithm for a hacker to potent...

Page 235: ...P 128 in key structure WEP can be used with open shared MAC and 802 1 X EAP authentications WEP is optimal for WLANs supporting legacy deployments when also used with 802 1X EAP authentication to prov...

Page 236: ...s to display a high level display of the existing WLANs available to the wireless controller managed network 2 Select the Add button to create an additional WLAN or select Edit to modify the propertie...

Page 237: ...cess control and is considered a first line of defense in protecting proprietary information within an access point managed WLAN The means by which this is accomplished varies but in principle a Firew...

Page 238: ...eless LANs Wireless LANs to display a high level display of the existing WLANs 2 Select the Add button to create a new WLAN or Edit to modify the properties of an existing wireless controller WLAN 3 S...

Page 239: ...ines what to do with the packet if it matches the specified criteria The following actions are supported Deny Instructs the Firewall to prohibit a packet from proceeding to its destination Permit Inst...

Page 240: ...ns for ICMP type and code Selecting either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions are supported Log Creates a log e...

Page 241: ...destination Source and Destination MAC Enter both Source and Destination MAC addresses The access point uses the source IP address destination MAC address as basic matching criteria Provide a subnet...

Page 242: ...an Ethertype of either ipv6 arp wisp monitor 8021q An EtherType is a two octet field within an Ethernet frame It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame...

Page 243: ...le to the wireless network 2 Select the Add button to create a new WLAN or select an existing WLAN and Edit to modify the properties of an existing WLAN 3 Select the Client Settings tab 4 Define the...

Page 244: ...the Firewall per wireless client This feature is disabled by default Enforce Client Load Balancing Select the checkbox to distribute clients evenly amongst associated Access Point radios This feature...

Page 245: ...ting WLAN 3 Select Accounting 4 Set the following Syslog Accounting information 5 Select Enable RADIUS Accounting to use an external RADIUS resource for AAA accounting When the radio button is selecte...

Page 246: ...S service should be used Extreme Networks recommends authorization policies be implemented when users need to be restricted to specific WLANs or time and date restrictions need to be applied Authoriza...

Page 247: ...ds 0 and 10 000 Minutes 0 166 or Hours 0 2 the access point uses to discover a client s band capabilities before associating The default is 24 seconds Capability Ageout Time Define a value in either S...

Page 248: ...lable to the wireless controller managed network 2 Select the Add button to create an additional WLAN or Edit to modify the properties of an existing WLAN 3 Select Advanced Allow Single Band Clients S...

Page 249: ...US server consists of user profiles for each connected network access server NAS port Each profile is matched to a username representing a physical port When the access point authorizes users it queri...

Page 250: ...they support basic MCS as well as non 11n basic rates The selected rates apply to associated client traffic within this WLAN only 6 Select OK when completed to update this WLAN s Advanced settings Sel...

Page 251: ...up to 32 WLAN QoS policies with the exception of Altitude 4511 and Altitude 4521 models which can only support 16 WLAN QoS policies NOTE WLAN QoS configurations differ significantly from QoS policies...

Page 252: ...o Video Optimized for video traffic Implies all traffic on this WLAN is prioritized as video traffic on the radio Normal Optimized for best effort traffic Implies all traffic on this WLAN is prioritiz...

Page 253: ...llision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should be granted the opportuni...

Page 254: ...n this radio This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is require...

Page 255: ...cify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include Video Voice Normal and Low Normal is the default setting Tra...

Page 256: ...e current Arbitrary Inter frame Space Number AIFSN between 2 15 The default value is 7 ECW Min The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range...

Page 257: ...nstream traffic Extreme Networks recommends you define the normal number of ARP broadcast multicast and unknown unicast packets that typically transmit and receive from each supported WMM access categ...

Page 258: ...eshold for the maximum number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defined rate is dropped and a log message is generated The default s...

Page 259: ...ed threshold is dropped and a log message is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general upstream rate is known by the network admi...

Page 260: ...sage is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general downstream rate is known by the network administrator using a time trend analys...

Page 261: ...dropped and a log message is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general upstream rate is known by the network administrator using...

Page 262: ...t effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downst...

Page 263: ...condary multicast mask an administrator can indicate which frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast...

Page 264: ...ents supporting low and high priority traffic contend with one another for data resources The IEEE 802 11e amendment has defined Enhanced Distributed Channel Access EDCA mechanisms stating high priori...

Page 265: ...sions to their clients are controlled using per radio WMM settings while parameters used by wireless clients are controlled by a WLAN s WMM settings Access points support static QoS mechanisms per WLA...

Page 266: ...ients that do not send TPSEC frames only Implicit TPSEC A green checkmark defines the policy as requiring wireless clients to send their traffic specifications to an access point before they can trans...

Page 267: ...ng a high level of voice quality For higher priority traffic categories like voice the Transmit Ops value should be set to a low number The default value is 47 AIFSN Set the current AIFSN value betwee...

Page 268: ...Higher priority traffic video categories should have lower AIFSNs than lower priority traffic categories This will cause lower priority traffic to wait longer before attempting access The default valu...

Page 269: ...ireless clients to send their traffic specifications to the access point before they can transmit or receive data This feature is enabled by default 12 Set the following Voice Access admission control...

Page 270: ...ription This value helps ensure the radio s bandwidth is available for lower bandwidth normal traffic if anticipated to proliferate the wireless medium Normal background traffic only needs a short rad...

Page 271: ...fault value is 10 Enable Background Select the check box to enable admission control for lower priority traffic Only low traffic admission control is enabled not any of the other access categories eac...

Page 272: ...ult value is 25 When wireless client count exceeds the above limit When the wireless client count using accelerated multicast exceeds the maximum number set the radio to either Reject new wireless cli...

Page 273: ...a list of authentication methods and then applying the list to various access point interfaces The list defines the authentication schemes performed and their sequence The list must be applied to an...

Page 274: ...e Start Only Sends a start accounting notice to initiate user accounting Start Stop Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process The start ac...

Page 275: ...lf or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Dis...

Page 276: ...generic form The specific form which must contain the user portion and may contain the portion identifies a single user The generic form allows all users in a given or without a to be configured on a...

Page 277: ...3 seconds If this time is exceeded the authentication session is terminated Retry Timeout Factor Specify the amount of time between 50 and 200 seconds between retry timeouts for the access points s re...

Page 278: ...the time between 1 and 60 seconds for the access point s re transmission of request packets The default is 5 seconds If this time is exceeded the authentication session is terminated Request Attempts...

Page 279: ...AI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user The generic form allows all users in a gi...

Page 280: ...points re transmission of request packets The default is 100 DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is betwe...

Page 281: ...Protocol for MAC Captive Portal Authentication The authentication protocol Password Authentication Protocol PAP or Challenge Handshake Authentication Protocol CHAP when the server is use...

Page 282: ...thentication Server Index Uses the same index as the authentication server for RADIUS accounting Select Accounting Server Independently Allows users to specify a RADIUS accounting server separate from...

Page 283: ...L screen displays for defining a new ACL or modifying a selected ACL 3 Select the Add Row button to add an association ACL template that requires configuration 4 If creating a new Association ACL prov...

Page 284: ...costs by scanning the RF environment to determine the best channel and transmit power configuration for each managed radio Smart RF centralizes the decision process and makes intelligent RF configura...

Page 285: ...RF is not a solution it s a temporary measure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist CAUTION Smart RF is not able to detect...

Page 286: ...le radio button to enable Smart RF for immediate inclusion within a RF Domain Smart RF is enabled by default Auto Assign Sensor Select the radio button to auto assign an access point sensor radio for...

Page 287: ...the 5 GHz band 4 dBm is the default setting 5 0 GHz Maximum Power Use the spinner control to select a 1 20 dBm maximum power level Smart RF can assign a radio in the 5 GHz band 17 dBm is the default s...

Page 288: ...er 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to working radios to avo...

Page 289: ...monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen 11 Enable or disabl...

Page 290: ...either Seconds 1 120 or Minutes 0 2 The default setting is 6 seconds for both the 5 and 2 4 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency between 0 50 Thi...

Page 291: ...ing neighbor recovery Set the time in either Seconds 0 86 400 Minutes 0 1 440 or Hours 0 24 or Days 0 1 The default setting is 1 hour 5 0 GHz Neighbor Recovery Power Threshold Use the spinner control...

Page 292: ...of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select the radio button to allow Smart RF to scan for exces...

Page 293: ...dio This parameter is the difference between noise levels on the current channel and a prospective channel If the difference is below the configured threshold the channel will not change The default s...

Page 294: ...performed during scheduled maintenance intervals or non business hours For Smart RF to provide effective recovery RF planning must be performed to ensure overlapping coverage exists at the deployment...

Page 295: ...etwork The means by which this is accomplished varies but in principle a Firewall can be thought of as mechanisms both blocking and permitting data traffic within the wireless network Firewalls implem...

Page 296: ...strict traffic exchanged between hosts hosts residing on separate WLANs or hosts forwarding traffic to wired devices For more information refer to the following Defining a Firewall Configuration on pa...

Page 297: ...oS packets is dropped No further action is taken Log Level Select this option to enable logging to the system log Then select a standard Syslog level from the Log Level drop down menu Ascend Ascend Do...

Page 298: ...nd routers on a network Of course a hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network In some instances however routers may not send update...

Page 299: ...ptionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get...

Page 300: ...he Storm Control tab 7 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to app...

Page 301: ...eway settings flow timeout configuration and TCP protocol checks Traffic Type Use the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Br...

Page 302: ...his feature is enabled by default DHCP Broadcast to Unicast Select the radio button to enable the conversion of broadcast DHCP offers to unicast Converting DHCP broadcast traffic to unicast traffic ca...

Page 303: ...ion for the maximum segment size of packets at a global level. Max Fragments Datagram: Set a value for the maximum number of fragments between 2 and 8,129 allowed in a datagram before it is dropped. The...

Page 304: ...tes (1 - 540) or Hours (1 - 9). The default setting is 10 seconds. Stateless TCP Flow: Define a flow timeout value in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9). The default setting is 90 seconds. Stateles...

Page 305: ...IP ACL NOTE Once defined a set of IP Firewall rules must be applied to an interface to be a functional filtering tool To add or edit an IP based Firewall Rule policy 1 Select Configuration Security I...

Page 306: ...he access policy filter can also include other parameters specific to a protocol type like source and destination port for TCP UDP protocol Provide a subnet mask if needed Protocol Select the protocol...

Page 307: ...ackets based on the IP from which they arrive as opposed to filtering packets on Layer 2 ports Optionally filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses A MAC Firewall rule...

Page 308: ...ions are supported. Deny: Instructs the Firewall not to allow a packet to proceed to its destination. Permit: Instructs the Firewall to allow a packet to proceed to its destination. Source and Destinati...

Page 309: ...not supported natively by an Altitude 4511 or Altitude 4521 model access point and must be deployed using an external WIPS server resource A WIPS server can be deployed as a dedicated solution within...

Page 310: ...ult 2 Select the Activate Firewall IPS Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to apply the config...

Page 311: ...S attacks come under this category Use the Excessive Action Events table to select and configure the action taken when events are triggered 8 Set the configurations of the following Excessive Action E...

Page 312: ...o set the intervals clients can be filtered upon the generation of each event 11 Set the following MU Anomaly Event configurations Filter Expiration Set the duration an event generating client is filt...

Page 313: ...r disable an event Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for...

Page 314: ...aly event This column lists the event tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each AP Anomaly ev...

Page 315: ...atching with the WIPS signature Match on SSID Lists each SSID used for matching purposes Enable Signature Select the radio button to enable the WIPS signature for use with the profile The default sign...

Page 316: ...administrator to focus on alarms on devices actually behaving in a suspicious manner An intruder with a device erroneously authorized could potentially perform activities that harm your organization...

Page 317: ...uration Security Device Categorization The Device Categorization screen lists the device authorizations defined thus far 2 Select Add to create a new Device Categorization policy Edit to modify the at...

Page 318: ...to add a device to a list of devices sanctioned for network operation 6 Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification...

Page 319: ...specifying a range of IP or MAC addresses to include or exclude from connectivity These MAC or IP access control mechanisms are configured as Firewall Rules to further refine client filter and matchin...

Page 320: ...lied Roles with lower numbers are applied before those with higher numbers While there s no default precedence for a role two or more roles can share the same precedence 6 Refer to the Match Expressio...

Page 321: ...uals The role is only applied when the authentication or encryption type does not match the exact method s specified by radio button selections Any The role is applied to any type This is the default...

Page 322: ...nd destination IP addresses and the unique rules and precedence orders assigned Both IP and non IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC Additional...

Page 323: ...e it from others that may have similar configurations Allow Every IP Firewall rule is made up of matching criteria rules The action defines what to do with the packet if it matches the specified crite...

Page 324: ...set of ICMP specific options to set the ICMP Type and Code Selecting either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions...

Page 325: ...Instructs the Firewall to prohibit a packet from proceeding to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination VLAN ID Enter a VLAN ID representative of t...

Page 326: ...guest user traffic from being routed to trusted networks and hosts Before configuring WIPS support refer to the following deployment guidelines to ensure the configuration is optimally effective WIPS...

Page 327: ...rained wireless network administrator can determine the criteria used to authorize or ignore devices You may want to consider your organization s overall security policy and your tolerance for risk ve...

Page 328: ...Chapter 8 Security Configuration AltitudeTM 4000 Series Access Point System Reference Guide 328...

Page 329: ...thenticated access using a standard Web browser Captive portals provide authenticated access by capturing and re directing a wireless user s Web browser session to a captive portal login page where th...

Page 330: ...ame of the external centralized server validating guest user permissions for the listed captive portal policy Captive Portal Server Mode Lists each hosting mode as either Internal Self or External cen...

Page 331: ...the policy s security access and whitelist basic configuration before HTML pages can be defined for guest user access AAA Policy Lists each AAA policy used to authorize client guest access requests T...

Page 332: ...Chapter 9 Services Configuration AltitudeTM 4000 Series Access Point System Reference Guide 332...

Page 333: ...r External centralized If the mode is Internal Self the access point is maintaining the captive portal internally while External centralized means the captive portal is being supported on an external...

Page 334: ...should be in the Whitelist Refer to the drop down menu of existing DNS White List entries to select a policy to be applied to this captive portal policy a If creating a new Whitelist assign it a name...

Page 335: ...ation screen Selecting Reset reverts the settings back to the last saved configuration 12 Select the Web Page tab to create HTML pages requesting wireless clients use to login and navigate within the...

Page 336: ...ptive portal policy The Welcome page asserts a user has logged in successfully and can access the captive portal The Fail page asserts the authentication attempt has failed and the user is not allowed...

Page 337: ...e Login Message Specify a message containing unique instructions or information for the users accessing each specific page In the case of the Terms and Conditions page the message can be the condition...

Page 338: ...rtal pages as needed to managed devices that may be displaying and hosting captive portal connections For more information refer to Managing File Transfers on page 393 Login URL Define the complete UR...

Page 339: ...tination Web server s should be in the Whitelist Each supported access point model can support up to 32 Whitelists with the exception of Altitude 4511 and Altitude 4521 models which can only support u...

Page 340: ...ver not an administrator All Altitude 4000 independent series access points Altitude 4500 series and Altitude 4700 series access points have an internal DHCP server resource The DHCP server groups wir...

Page 341: ...equest The name assigned cannot be modified as part of the edit process If a network pool configuration is obsolete it can be deleted Subnet Displays the network address and mask used by clients reque...

Page 342: ...en the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Dom...

Page 343: ...ng ranges of unavailable addresses is a good practice to ensure IP address resources are in reserve Select the Delete icon as needed to remove an excluded address range e Select OK to save the updates...

Page 344: ...nding configuration Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client...

Page 345: ...using this host pool Domain Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain na...

Page 346: ...b Assign a Value to each option with codes in the range 1 through 254 A vendor specific option definition only applies to the vendor class for which it is defined 14 Within the Network field define on...

Page 347: ...ets are sent from one location to another location there s just one sender and one receiver Select this option to forward unicast messages to just a single device within the network pool NetBIOS Node...

Page 348: ...he list of those available b Assign a Value to each option with codes in the range 1 through 254 A vendor specific option definition only applies to the vendor class for which it s defined 20 Refer to...

Page 349: ...able b Use the Type drop down menu to specify whether the DHCP option is being defined as a numerical IP address or ASCII string or Hex string Highlight an entry from within the Global Options screen...

Page 350: ...IP addresses from the defined range Refer to the DHCP Class Policy screen to review existing DHCP class names and their current multiple user class designations Multiple user class options enable a us...

Page 351: ...the RADIUS Configuration Remote Authentication Dial-In User Service (RADIUS) is a client-server protocol and software enabling remote access servers to authenticate users and authorize their access to...

Page 352: ...elect Configuration Services Select Configuration Services The upper left hand side of the user interface displays the RADIUS option The RADIUS Group screen displays by default For information on crea...

Page 353: ...nates the group as having permanent access to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions Management Group A green checkmark desi...

Page 354: ...on to assign only guest access and temporary permissions to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions This setting is disabled...

Page 355: ...designate the RADIUS group as a management group If set as management group assign a role to the members of the group using the Access drop down menu allowing varying levels of administrative rights...

Page 356: ...e a new user pool Edit to modify the configuration of an existing pool or Delete to remove a selected pool 4 If creating a new pool assign it a name up to 32 characters and select Continue The name sh...

Page 357: ...mporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group D...

Page 358: ...e password s actual character string Leaving the option unselected displays the password as a string of asterisks Guest User Select the checkbox to designate this user as a guest with temporary access...

Page 359: ...he access point s local RADIUS server has access to a database of authentication information used to validate client authentication requests The RADIUS server ensures the information is correct using...

Page 360: ...pplied to the access point profile 4 Define the following Settings required in the creation or modification of the server policy RADIUS User Pools Select the user pools to apply to this server policy...

Page 361: ...and PEAP TLS Uses TLS as the EAP type TLS and MD5 The EAP type is TTLS with default authentication using MD5 TTLS and PAP The EAP type is TTLS with default authentication using PAP TTLS and MSCHAPv2...

Page 362: ...ot possess a shared secret for the client the request is dropped If the client received a verified access accept packet the username and password are considered correct and the user is authenticated I...

Page 363: ...as a RADIUS server to the NAS whereas the proxy appears to act as a RADIUS client to the RADIUS server When the access point s RADIUS server receives a request for a user name containing a realm the s...

Page 364: ...to expose the shared secret s actual character string Leave the option unselected to display the shared secret as a string of asterisks 23 Click the OK button to save the changes Click the Reset butt...

Page 365: ...te to remove a LDAP server from the list of those available Redundancy Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource Designating at leas...

Page 366: ...tion between the access point and remote LDAP resource Port Use the spinner control to set the physical port used by the RADIUS server to secure a connection with the remote LDAP server resource The d...

Page 367: ...g at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server were to become unavailable Bind Password Enter a valid password for the LDAP serve...

Page 368: ...Chapter 9 Services Configuration AltitudeTM 4000 Series Access Point System Reference Guide 368...

Page 369: ...ministrative roles access control permissions authentication settings and SNMP settings are correctly set If the access point is a Virtual Controller AP these are the management settings used by adopt...

Page 370: ...ation Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when...

Page 371: ...SSH Console Select this option to enable access to the access point s console Superuser Select this option to assign complete administrative rights to this user This entails all the roles listed Syste...

Page 372: ...to function as an ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better secu...

Page 373: ...elnet access is disabled by default. Telnet Port: Set the port on which Telnet connections are made (1 - 65,535). The default port is 23. Change this value using the spinner control or by entering the port nu...

Page 374: ...ord required when logging in to the FTP server Reconfirm the password in the field provided to ensure it has been entered correctly The password cannot exceed 63 characters FTP Root Directory Provide...

Page 375: ...policy from the drop-down menu and select the Edit icon to update its configuration. For more information on defining the configuration of a AAA policy, see AAA Policy on page 273. 5. Select OK to update...

Page 376: ...gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to...

Page 377: ...elect the checkbox to enable SNMPv3 support. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for mes...

Page 378: ...Management Access Deployment Considerations Before defining an access control configuration as part of a Management Access policy refer to the following deployment guidelines to ensure the configurati...

Page 379: ...Extreme Networks recommends SNMPv3 be used for device management as it provides both encryption and authentication Enabling SNMP traps can provide alerts for isolated attacks at...

Page 380: ...Chapter 10 Management Access Policy Configuration AltitudeTM 4000 Series Access Point System Reference Guide 380...

Page 381: ...ed when hardware or software issues are detected Diagnostic capabilities include Fault Management on page 381 Crash Files on page 384 Advanced Diagnostics on page 385 Fault Management Fault management...

Page 382: ...e of their severity Critical Only critical events are displayed Error Only errors are displayed Warning Only warnings are displayed Informational Only informational events are displayed Module Select...

Page 383: ...er Use the View Events screen to track and troubleshoot events using source and severity levels defined in the Configure events screen 6 Refer to the following event parameters to assess nature and se...

Page 384: ...vice Crash Files Use the Crash Files screen to review files created when an access point encounters a critical error or malfunction Timestamp Displays the timestamp time zone specific each listed even...

Page 385: ...button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button Advanced Diagnostics...

Page 386: ...Real Time NETCONF Messages area lists an XML representation of any message generated by the system The main display area of the screen is updated in real time Refer to the Request Response and Time T...

Page 387: ...Schema Browser Advanced Diagnostics Use the schema browser to navigate To review device debugging information 1 Select Diagnostics Advanced to display the UI De...

Page 388: ...pdated 3 Expand a configuration parameter to review its settings The Configuration tab provides an ideal place to verify if the last saved configuration differs from default settings or has been erron...

Page 389: ...nd transmit power for each managed access point radio For more information refer to the following Device Operations on page 389 Certificates on page 400 Smart RF on page 416 Refer to Operations Deploy...

Page 390: ...n only be performed on access points of the same model as the Virtual Controller AP These tasks can be performed on individual access points and wireless clients Managing Firmware and Config Files Dev...

Page 391: ...rently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render...

Page 392: ...e Details screen By default the Firmware Upgrade screen displays a URL field to enter the URL destination location of the device s firmware file Enter the complete path to the firmware file 3 If neede...

Page 393: ...To administrate files for managed devices Port Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates This option is not valid for cf usb1 and...

Page 394: ...to indicate the file is on the access point itself File If the source is Access Point enter the name of the file to be transferred Protocol If advanced is selected select the protocol for file manage...

Page 395: ...rring the file This option is not valid for cf usb1 and usb2 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If a...

Page 396: ...nce defined select the Create Folder button to implement 4 Optionally use the Delete Folder or Delete File buttons to remove a folder or file from within a memory resource AP Upgrades Device Operation...

Page 397: ...e to take place at a specified time enter a date and time Select whether you require an immediate reboot once the AP is updated If you would like a reboot later schedule the time accordingly The AP mu...

Page 398: ...ame and the primary MAC Address are listed in the table Cancel Clicking the Cancel button will clear any options in this screen and cancel AP updates in progress Update Firmware Clicking the Update Fi...

Page 399: ...include tftp Select this option to specify a file location using Trivial File Transfer Protocol A port and IP address or hostname are required A path is optional ftp Select this option to specify a f...

Page 400: ...uration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One ke...

Page 401: ...tes If not wanting to use an existing certificate or key with a selected device an existing stored certificate can be leveraged from a different device for use with the target device Device certificat...

Page 402: ...1 Select Operations Certificates The Trustpoints screen displays for the selected MAC address 2 Refer to the Certificate Details to review certificate properties self signed credentials validit...

Page 403: ...ual characters used in the key Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint Protocol if using Advance...

Page 404: ...radio button to provide network address information to the location of the target CA certificate The number of additional fields that populate the screen is also dependent on the selected protocol Thi...

Page 405: ...ation with an enrolled identity certificate From Network Select the From Network radio button to provide network address information to the location of the target CRL The number of additional fields t...

Page 406: ...of the CA certificate Hostname If using Advanced settings provide the hostname of the server used to import the CRL This option is not valid for cf usb1 and usb2 Path If using Advanced settings specif...

Page 407: ...ey If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates 16 Define the following configuration pa...

Page 408: ...ns generate additional keys or import export keys to and from remote locations 1 Select Operations Certificates 2 Select RSA Keys Key Passphrase Define the key used by both the access point and the se...

Page 409: ...erate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 3 Select Generate Key to create a new key with a defined size 4 Select...

Page 410: ...e Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key If needed select Advanced to expand the dialog to display...

Page 411: ...rs used in the passphrase Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key If needed select Advanced to expand t...

Page 412: ...te the key supported Select OK to proceed with the deletion or Cancel to revert back to the last saved configuration Certificate Creation Certificates The Certificate Management screen provides the fa...

Page 413: ...t the radio button and use the drop down menu to select the existing key used by both the access point and the server or repository of the target RSA key Create a New RSA Key To create a new RSA key s...

Page 414: ...ht to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operat...

Page 415: ...between 1,024 - 2,048 bits. Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality. For more information, see RSA Key Management on page 408. Certific...

Page 416: ...alibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received fr...

Page 417: ...ded to the network This index helps distinguish this radio from others within the RF Domain with similar configurations This value is not subject to change as a result of a calibration activity but ea...

Page 418: ...Calibration has calculated Write Writes the new channel and power values to the radios under their respective device configurations Discard Discards the results of the Interactive Calibration without...

Page 419: ...button Operations Deployment Considerations Before defining the access point s configuration using the Operations menu refer to the following deployment guidelines to ensure the configuration is opti...

Page 420: ...Chapter 12 Operations AltitudeTM 4000 Series Access Point System Reference Guide 420...

Page 421: ...ed clients Individual access point or connected clients can be reviewed in isolation as well The access point user interface allows you filter statistics by System Statistics on page 421 RF Domain on...

Page 422: ...access point supported system and its connected clients This includes information on device availability overall RF quality resource utilization and network threat perception To display the health of...

Page 423: ...cally select Refresh to update the statistics counters to their latest system health values Inventory System Statistics Worst 5 Displays five RF Domains with the lowest quality indices in the wireless...

Page 424: ...d navigation pane 3 Select Inventory from the System menu 4 The Device Types table displays an exploded pie chart depicting system wide access point distribution 5 The Radios table displays radios in...

Page 425: ...to update the inventory to its latest device membership information Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the access points in the system b...

Page 426: ...ays the type of device adopted to an access point system member RF Domain Name Displays the adopting access point s RF Domain name Model Number Displays the model number of the access point providing...

Page 427: ...es screen provides the following information for devices pending access point connection Adoption Time Displays the time when the listed adopted device was connected to its associated access point Upt...

Page 428: ...as to why the device is still pending adoption Discovery Option Displays the discovery option code for each AP listed pending adoption Last Seen Displays the date and time stamp of the last time the...

Page 429: ...is access point s RF Domain including data from all its members VLAN Displays the current VLAN number of the device pending adoption RF Domain Name Displays the name of this access point s RF Domain m...

Page 430: ...ocal point for the radio system and acts as a central registry of applications hardware and capabilities It also serves as a mount point for all the different pieces of the hardware system file 5 The...

Page 431: ...splays the radio MAC of the wireless client Vendor Displays the vendor name of the wireless client Total WLANs Displays the total number of WLANs managed by RF Domain member access points Top 5 Displa...

Page 432: ...RT RF within the access point RF Domain RF Domain Threat Level Indicates the threat from the wireless clients trying to find network vulnerabilities within the access point RF Domain The threat level...

Page 433: ...ibution of the different radio types. 5. The Radios by Channel field displays the total number of radios using the 5GHz and 2.4GHz bands within the access point RF Domain. 6. The Wireless Clients table di...

Page 434: ...item from under the System node on the top left-hand side of the screen. 3. Select Access Points from the RF Domain menu. MAC Address: Displays the Media Access Control (MAC) address of the RF Domain member...

Page 435: ...bership with access points of the same model Client Count Displays the number of clients connected with each listed access point Altitude 4532 and Altitude 4700 series access points can support up to...

Page 436: ...nts connected to RF Domain member access points To review a RF Domain s access point connected wireless clients BSSID Displays the Broadcast Service Set ID SSID of the network to which the detected ac...

Page 437: ...ss is hard coded at the factory and cannot be modified. WLAN: Displays the name of the access point defined WLAN the wireless client is currently using for its access point interoperation. Hostname: Disp...

Page 438: ...ffic medium is used. It's defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0 - 20 very low utilization, 20 - 40 low utilization, 40 - 60 moderate...

Page 439: ...ect Status This Radio Status screen provides the following information Radio Displays the name assigned to each listed RF Domain member access point radio Each name displays as a link that can be sele...

Page 440: ...cess point was defined to use Compare the configured channel with the current channel to ensure the radio is supporting client traffic on the correct intended channel Configured Power Displays the pow...

Page 441: ...mber access point radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data r...

Page 442: ...ad packets Rx Packets Displays the total number of packets received by each RF Domain member access point radio This includes all user data as well as any management overhead packets Tx User Data Rate...

Page 443: ...the configured hostname for each client connected to a RF Domain member access point Client Radio MAC Displays the Media Access Control for each client connected to a RF Domain member access point Po...

Page 444: ...Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu This screen provides the following information Individual...

Page 445: ...Select the Energy Graph tab for a RF Domain member access point radio to review the radio s operating channel and noise level and neighbor count This information helps assess whether Smart RF n...

Page 446: ...see WIPS Client Blacklist on page 446 WIPS Events on page 447 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted clients detected by WIPS Blacklisted clients are not allowed to ass...

Page 447: ...n 3 Expand the WIPS menu item and select WIPS Events Event Name Displays the name of the wireless intrusion event detected by a RF Domain member access point Blacklisted Client Displays the MAC addres...

Page 448: ...tatistics menu from the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select Captive Portal from the RF Domain menu Event Name Displays the name...

Page 449: ...aptive portal access Client IP Displays the IP address of each listed client using its connected RF Domain member access point for captive portal access Captive Portal Lists the name of the captive po...

Page 450: ...mprising the RF Domain Radio MAC Displays the radio MAC address of each access point radio comprising the RF Domain Radio Index Displays the numerical identifier assigned to each access point radio wi...

Page 451: ...on page 477 DHCP Server on page 484 Firewall on page 487 Certificates on page 494 WIPS on page 497 Sensor Servers on page 499 Captive Portal on page 500 Network Time on page 501 Load Balancing on page...

Page 452: ...ude 4760 Altitude 4511 or Altitude 4521 Model Number Displays the access point s model to help further differentiate the access point from its peers RF Domain Name Displays the access point s RF Domai...

Page 453: ...e System Clock Displays the system clock information Bottom Radios Displays radios having very low quality indices RF quality index indicates the overall RF performance The RF quality indices are 0 50...

Page 454: ...s a user to store a known legacy version and a new version in device memory The user can test the new software and use an automatic fallback which loads the old version on the access point if the new...

Page 455: ...Displays the fan speed Number Displays the number of temperature elements used by the access point Temperature Displays the current temperature in Celsius to assess a potential access point overheat...

Page 456: ...an access point for statistical observation 3 Select AP Upgrade Primary Build Date Displays the build date when this access point firmware version was created Primary Install Date Displays the date t...

Page 457: ...t performed the upgrade Type Displays the model of the access point The updating access point must be of the same model as the access point receiving the update MAC Displays the MAC address of the acc...

Page 458: ...d the Adoption menu item 4 Select Adopted APs 5 The Adopted APs screen displays the following Access Point Displays the name assigned to the access point as part of its device configuration Type Lists...

Page 459: ...int Adoption time Displays each listed access point s time of adoption by this access point whose MAC address displays in the banner of the screen Uptime Displays each listed access point s in service...

Page 460: ...ollowing MAC Address Displays the MAC address of the device pending adoption Type Displays the AP type AP4600 AP4700 AP4511 AP4532 etc IP Address Displays the current IP Address of the device pending...

Page 461: ...statistical observation 3 Select AP Detection This screen provides the following information Unsanctioned Displays the MAC address of a detected unauthorized access point Reporting AP Displays the har...

Page 462: ...observation 3 Select Wireless Clients This screen displays the following wireless client data Clear All Select the Clear All button to clear the screen of its current status and begin a new data colle...

Page 463: ...d side of the screen expand the default node and select an access point for statistical observation 3 Select Wireless LANs This screen displays the following access point WLAN utilization information...

Page 464: ...expand the default node and select an access point for statistical observation 3 Select Critical Resources Traffic Index Displays the traffic utilization index which measures how efficiently the WLAN...

Page 465: ...access point placement An Altitude 4700 model access point can support from 2 3 radios IP Address Lists the IP address of the critical resource This is the address the device assigned and is used by t...

Page 466: ...ccess point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Use the Details s...

Page 467: ...ng information Radio Displays the name assigned to the radio as its unique identifier Radio MAC Displays the factory encoded hardware MAC address and assigned to the radio Radio Type Defines whether t...

Page 468: ...nique identifier Signal Displays the radio s current power level in dBm SNR Displays the signal to noise ratio of the radio s associated wireless clients Tx Physical Layer Rate Displays the data trans...

Page 469: ...int for statistical observation 3 Expand Radios 4 Select Traffic Statistics This screen provides the following information Quality Index Displays an integer that indicates overall RF performance The R...

Page 470: ...ets Rx Packets Displays the total number of packets received by each listed radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps use...

Page 471: ...the RF Domain mesh network Client Hostname Displays the configured hostname for each access point in the RF Domain mesh network Client Radio MAC Displays the MAC address for each access point in the R...

Page 472: ...ormation on a selected access point interface such as its MAC address type and TX RX statistics To view the general interface statistics 1 Select the Statistics menu from the Web UI 2 Select System fr...

Page 473: ...ce The General field describes the following Name Displays the name of the access point interface selected from the upper left hand side of the screen Altitude 4700 Altitude 4532 Altitude 4760 Altitud...

Page 474: ...hat you can add to the trunk Metric Displays the metric value associated with the route through the selected interface Maximum Speed Displays the maximum speed at which the selected interface transmit...

Page 475: ...eive Error Displays the number of received packets failed because of an internal MAC sublayer that is not a late collision excessive collision count or a carrier sense error Bad CRC Displays the CRC e...

Page 476: ...d at the interface First in First Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival FIFO entails no priority for traffic There is only one queu...

Page 477: ...ress or network layer address is known To view an access point s ARP statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the scree...

Page 478: ...technique used in networks Bridging makes no assumption about where a particular address is located It relies on the flooding and examination of source addresses in received packet headers to locate u...

Page 479: ...is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet Using an appropriate algorithm a multicast router instructs...

Page 480: ...re the multicast transmission is conducted Group Address Displays the Multicast Group ID supporting the statistics displayed This group ID is the multicast address hosts are listening to Port Members...

Page 481: ...rovides the DHCP server name image file on the DHCP server and its configuration To view a network s DHCP Options 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane...

Page 482: ...ork and expand the menu to reveal its sub menu items 4 Select Cisco Discovery Protocol Server Information Displays the IP address of the DHCP server used on behalf of the access point Image File Displ...

Page 483: ...tistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation Capabilities Di...

Page 484: ...ic configuration parameters IP address network mask gateway etc from a DHCP server to a host Capabilities Displays the capabilities code for the device either Router Trans Bridge Source Route Bridge H...

Page 485: ...tems 4 Select General The General screen displays the following DHCP Bindings Network Interfaces Displays the interface used for the newly created DHCP configuration State Displays the current state o...

Page 486: ...valid client request the server assigns the computer an IP address a lease the validity of time and other IP configuration parameters The Networks screen provides network pool information such as the...

Page 487: ...ch individual packet type The Packet Flows screen displays data traffic packet flow utilization The chart represents the different protocol flows supported and displays a proportional view of the flow...

Page 488: ...ommunications requests so it cannot respond to legitimate traffic or responds so slowly as to be rendered effectively unavailable DoS attacks are implemented by either forcing the targeted computer s...

Page 489: ...t is secured through the use of Internet Protocol security Block a connection Rules can be created for either inbound or outbound traffic To view the IP firewall rules Attack Type Displays the Denial...

Page 490: ...to bypass the access point s security filters Firewall rules can be created to support one of the three actions listed below that match the rule s criteria Allow a connection Allow a connection only i...

Page 491: ...wall s NAT translations 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for...

Page 492: ...is an ICMP flow Forward Dest IP Displays the destination IP address for the forward NAT flow Forward Dest Port Displays the destination port for the forward NAT flow contains an ICMP ID if it is an IC...

Page 493: ...n be issued to client requests on this interface IP Address Displays the IP address used for DHCP discovery and requests between the DHCP server and DHCP clients Netmask Displays the subnet mask used...

Page 494: ...he trustpoint signing the certificate can be a certificate authority corporate or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration para...

Page 495: ...The Certificate Details field displays the following Subject Name Lists details about the entity to which the certificate is issued Alternate Subject Name Displays alternative d...

Page 496: ...1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation...

Page 497: ...AN is generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities Basic forms of this behavior can be monitored and reported without a dedicated WIPS When the...

Page 498: ...s WIPS The WIPS Events screen details the wireless intrusion event by an access point To view the WIPS events statistics Event Name Displays the name of the wireless intrusion event detected by this a...

Page 499: ...To view the network address and status information of the sensor server resources available to the access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on...

Page 500: ...directed to a Web page To view the captive portal statistics of an access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the scree...

Page 501: ...em time The access point can also use several forms of NTP messaging to sync system time with authenticated network traffic The Network Time screen provides detailed statistics of an associated NTP Se...

Page 502: ...rvation 3 Select Network Time The NTP Status screen displays by default with the following information Clock Offset Displays the time differential between the access point s time and its NTP resource...

Page 503: ...for statistical observation 3 Select Network Time and expand the menu to reveal its sub menu items 4 Select the NTP Association tab Reference Displays the address of the time source the access point...

Page 504: ...the lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server IP Address Displays the numerical...

Page 505: ...lso be filtered for display Each element can either be displayed individually or collectively in the graph To view the access point s load balance in a filtered graph format 1 Select the Statistics me...

Page 506: ...graph section displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Reque...

Page 507: ...eviewed through the following Health on page 507 Details on page 510 Traffic on page 512 WMM TSPEC on page 514 Association History on page 516 Graph on page 517 Health Wireless Client Statistics The H...

Page 508: ...e selected wireless client WLAN Displays the client s access point WLAN membership BSS Displays the basic service station ID BSS of the network the wireless client belongs to VLAN Displays the VLAN ID...

Page 509: ...icates possible network or hardware problems SNR Displays the signal to noise ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbing...

Page 510: ...n access point to display its connected client MAC addresses 3 Select a client MAC address from those connected to the selected access point 4 Select Details The Wireless Client area displays the foll...

Page 511: ...ys whether this feature is enabled or not To prolong battery life the 802 11 standard defines an optional Power Save Mode which is available on most 802 11 clients End users can simply turn it on or of...

Page 512: ...rces and synchronize with a radio NIC An NIC begins the association process by sending an association request to an access point This association request is sent as a frame This frame carries informat...

Page 513: ...cast Mcast Packets Displays the total number of broadcast management packets processed by the client Management Packets Displays the number of management packets processed by the client Tx Dropped Pac...

Page 514: ...e retry rate and the error rate The RF quality index value can be interpreted as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and above High utilization Retry Rate Dis...

Page 515: ...s this feature is disabled A green check mark indicates this feature is enabled Video Displays the status of prioritization for video traffic A red X indicates this feature is disabled A green check m...

Page 516: ...lay its connected client MAC addresses 3 Select a client MAC address from those connected to the selected access point 4 Select Association History Parameter Displays the parameter for defining the tr...

Page 517: ...vigation pane on the left hand side of the screen expand the default node and expand an access point to display its connected client MAC addresses 3 Select a client MAC address from those connected to...

Page 518: ...se transmit or receive values 6 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 minutes 20 minutes or 1 hour 30 seconds is the...

Page 519: ...the Technical Assistance Center User Guide at www extremenetworks com go TACUserGuide The Extreme Networks eSupport website provides the latest information on Extreme Networks products including the l...

Page 520: ...Appendix A Customer Support AltitudeTM 4000 Series Access Point System Reference Guide 520...
