Home
/
Extreme Networks
/
Summit WM20
/
User Manual

Extreme Networks Summit WM20, User Manual, Page: 109 / 270

Share

Page: 109 / 270

Extreme Networks Summit WM20 User Manual Download Page 109

Authentication for a WM-AD

Summit WM20 User Guide, Software Release 4.2

109

The first five of these VSAs provide information on the identity of the specific Wireless AP that is
handling the wireless device, enabling the provision of location-based services.

The RADIUS message also includes RADIUS attributes Called-Station-Id and Calling-Station-Id in order
to include the MAC address of the wireless device.

NOTE

Extreme-URL-Redirection is supported by MAC-based authentication.

Defining Authentication for a WM-AD for Captive Portal

For Captive Portal authentication, the wireless device connects to the network, but can only access the
specific network destinations defined in the non-authenticated filter. For more information, see

“Defining Non-authenticated Filters” on page 124

. One of these destinations should be a server, either

internal or external, which presents a Web page login screen—the Captive Portal. The wireless device
user must input an ID and a password. This request for authentication is sent by the Summit WM
Controller to a RADIUS server or other authentication server. Based on the permissions returned from
the authentication server, the Summit WM Controller implements policy and allows the appropriate
network access.

Captive Portal authentication relies on a RADIUS server on the enterprise network. There are three
mechanisms by which Captive Portal authentication can be carried out:

●

Internal Captive Portal

– The Summit WM Controller presents the Captive Portal Web page, carries

out the authentication, and implements policy.

●

External Captive Portal

– After an external server presents the Captive Portal Web page and carries

out the authentication, the Summit WM Controller implements policy.

●

External Captive Portal with internal authentication

– After an external server presents the Captive

Portal Web page, the Summit WM Controller carries out the authentication and implements policy.

To define authentication by Captive Portal:

1

From the main menu, click

WM-AD Configuration

. The

WM-AD Configuration

screen is

displayed.

2

In the left pane

WM Access Domains

list, click the WM-AD you want to set up authentication by

Captive Portal for. The

Topology

tab is displayed.

3

Click the

Auth & Acct

tab. On the

Auth & Acct

tab, there are three options:

Extreme-BSS-MAC

6

string

Sent to RADIUS
server

The name of the BSS-ID the client is
associating to. It is used in assigning
policy and billing options, based on service
selection and location.

Table 4: Vendor-Specific Attributes (Continued)

Attribute Name

ID

Type

Messages

Description

«
...
107
108
109
110
111
...
»

Summary of Contents for Summit WM20

Page 1: ...etworks Inc 3585 Monroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com Summit WM20 User Guide Software Version 4 2 Published January 2008 Part number 120398 00 Rev 01 ...

Page 2: ...ng others are trademarks or registered trademarks of Extreme Networks Inc or its subsidiaries in the United States and or other countries Adobe Flash and Macromedia are registered trademarks of Adobe Systems Incorporated in the U S and or other countries Avaya is a trademark of Avaya Inc Merit is a registered trademark of Merit Network Inc Internet Explorer is a registered trademark of Microsoft C...

Page 3: ... of the Summit WM Controller Access Points and Software Solution 21 Conventional Wireless LANS 21 Elements of the Summit WM Controller Access Points and Software Solution 22 Summit WM Controller Access Points and Software and Your Network 24 Network Traffic Flow 25 Network Security 26 WM Access Domain Services 28 Static Routing and Routing Protocols 28 Packet Filtering Policy 29 Mobility and Roami...

Page 4: ...Modifying a Wireless AP s Properties 68 Modifying the Wireless AP s Radio Properties 70 Setting up the Wireless AP Using Static Configuration 75 Configuring Dynamic Radio Management 77 Modifying a Wireless AP s Properties Based on a Default AP Configuration 79 Modifying the Wireless AP s Default Setting Using the Copy to Defaults Feature 79 Configuring APs Simultaneously 80 Performing Wireless AP ...

Page 5: ...hentication 140 Defining Priority Level and Service Class for WM AD Traffic 141 Defining the Service Class for the WM AD 142 Configuring the Priority Override 142 Working with Quality of Service QoS 143 QoS Modes 143 Configuring the QoS Policy on a WM AD 145 Bridging Traffic Locally 148 Chapter 6 Availability and Controller Functionality 151 Availability Overview 151 Availability Prerequisites 152...

Page 6: ...ntenance 202 Updating Summit WM Controller Software 202 Updating Operating System Software 204 Backing up Summit WM Controller Software 206 Restoring Summit WM Controller Software 208 Upgrading a Summit WM Controller Using SFTP 210 Configuring Summit WM Controller Access Points and Software Logs and Traces 211 Viewing Log Alarm and Trace Messages 211 Glossary 217 Networking Terms and Abbreviations...

Page 7: ...246 European Community 247 Certifications of Other Countries 253 Altitude 350 2 Int AP 15958 and Altitude 350 2 Detach 15939 Access Points 253 Optional Approved 3rd Party External Antennas 254 Antenna Diversity 254 Optional 3rd Party External Antennas for the United States 254 Optional 3rd Party External Antennas for Canada 258 Optional 3rd Party External Antennas the European Community 262 Index ...

Page 8: ...Table of Contents Summit WM20 User Guide Software Release 4 2 8 ...

Page 9: ...how it discovers and registers with the Summit WM Controller how to view and modify the radio configuration and how to enable Dynamic Radio Frequency Management Chapter 4 WM Access Domain Services provides an overview of WM Access Domain Services WM AD the mechanism by which the Summit WM Controller Access Points and Software controls and manages network access Chapter 5 WM Access Domain Services ...

Page 10: ...terface such as menu items and section of pages as well as the names of buttons and text boxes For example Click Logout Monospace font is used in code examples and to indicate text that you type For example Type https wm20 address mgmt port The following symbols are used to draw your attention to additional information NOTE Notes identify useful information that is not essential such as reminders ...

Page 11: ...orne materials that can conduct electricity Well ventilated and away from sources of heat including direct sunlight Away from sources of vibration or physical shock Isolated from strong electromagnetic fields produced by electrical devices Secured enclosed and restricted access ensuring that only trained and qualified service personnel have access to the equipment In regions that are susceptible t...

Page 12: ...urge suppressor line conditioner or uninterruptible power supply to protect the system from momentary increases or decreases in electrical power For hot swappable power supplies do not slam PSU into the bay If multiple power supplies are used in a controller connect each power supply to different independent power sources If a single power source fails it will affect only that power supply to whic...

Page 13: ...chassis so that it is always available when you need to handle ESD sensitive components Ensure that all cables are installed in a manner to avoid strain Use tie wraps or other strain relief devices Replace power cord immediately if it shows any signs of damage General Safety Precautions Ensure that you conform to the following guidelines Do not attempt to lift objects that you think are too heavy ...

Page 14: ...y grounded before plugging the AC supply power cord into a PSU Note the following country specific requirements Argentina The supply plug must comply with Argentinean standards Australia 10 A minimum service receptacle AS 3112 for 110 220 VAC power supplies Denmark The supply plug must comply with section 107 2 D1 standard DK2 1a or DK2 5a Japan 10 A service receptacle JIS 8303 for 110 220 VAC pow...

Page 15: ...n this unit are not user replaceable Contact your Extreme Service personal for complete product replacement WARNING If replacement is attempted the following guidelines must be followed to avoid danger of explosion 1 replaced with the same or equivalent type as recommended by the battery manufacturer 2 dispose of the battery in accordance with the battery manufacturer s recommendation ...

Page 16: ...licht Ausreichender Abstand zu Quellen die Erschütterungen oder Schläge Stöße hervorrufen können Isolierung von starken elektromagnetischen Feldern wie sie durch Elektrogeräte erzeugt werden Sicherer abgeschlossener Arbeitsbereich mit beschränktem Zugang sodass nur geschultes und qualifiziertes Servicepersonal Zugriff auf das Gerät hat In für elektrische Stürme anfälligen Gebieten wird empfohlen d...

Page 17: ... Netzteile jeweils an unterschiedliche unabhängige Stromquellen anzuschließen Auf diese Weise ist bei einem Ausfall einer einzelnen Stromquelle nur das daran angeschlossene Netzteil betroffen Wenn alle Netzteile eines einzelnen Controller an dieselbe Stromquelle angeschlossen sind ist der gesamte Controller für einen Ausfall der Stromversorgung anfällig Leistungsspezifikationen für Netzteile von E...

Page 18: ... Bauteile Zum Schutz ESD gefährdeter Bauteile grundsätzlich vor der Aufnahme von Arbeiten an Leiterplatten oder Modulen ein Armband anlegen Leiterplatten nur in antistatischer Verpackung transportieren Vor der Aufnahme von Arbeiten an Leiterplatten diese immer auf einer geerdeten Fläche ablegen Verlegen von Kabeln Kabel so verlegen dass keine Schäden entstehen oder Unfälle z B durch Stolpern verur...

Page 19: ...eit verschieden Extreme Networks empfiehlt daher ausdrücklich einen Elektroinstallateur zu beauftragen um die sachgemäße Geräteerdung und Stromverteilung für Ihre spezifische Installation sicherzustellen Austauschen und Entsorgen von Batterien Im Umgang mit Batterien sind folgende Hinweise zu beachten Austauschen der Lithium Batterie Die in diesem Gerät enthaltenen Batterien können nicht vom Anwen...

Page 20: ...About this Guide Summit WM20 User Guide Software Release 4 2 20 ...

Page 21: ...etworks operating on multiple floors in more than one building and is ideal for public environments such as airports and convention centers that require multiple access points This chapter provides an overview of the fundamental principles of the Summit WM Controller Access Points and Software system Conventional Wireless LANS Wireless communication between multiple computers requires that each co...

Page 22: ...ows a single Summit WM Controller to control many Wireless APs making the administration and management of large networks much easier There can be several Summit WM Controllers in the network each with a set of registered Wireless APs The Summit WM Controllers can also act as backups to each other providing stable network availability In addition to the Summit WM Controllers and Wireless APs the s...

Page 23: ...plies access policies Simplifying the Wireless APs makes them cost effective easy to manage and easy to deploy Putting control on an intelligent centralized Summit WM Controller enables Centralized configuration management reporting and maintenance High security Flexibility to suit enterprise Scalable and resilient deployments with a few Summit WM Controllers controlling hundreds of Wireless APs T...

Page 24: ...ork routing and authentication techniques Prevents rogue devices Unauthorized access points are detected and identified as harmless or dangerous rogue APs Provides accounting services Logs wireless user sessions user group activity and other activity reporting enabling the generation of consolidated billing records Offers troubleshooting capability Logs system and session activity and provides rep...

Page 25: ...d for an external Captive Portal server RADIUS Accounting Server Remote Access Dial In User Service RFC2866 A server that is required if RADIUS Accounting is enabled Simple Network Management Protocol SNMP A Manager Server that is required if forwarding SNMP messages is enabled Check Point Server Check Point Event Logging API A server for security event logging that is required if a firewall appli...

Page 26: ...tatic route if dynamic routing is not preferred Network Security The Summit WM Controller Access Points and Software system provides features and functionality to control network access These are based on standard wireless network security practices Current wireless network security methods provide protection These methods include Shared Key authentication that relies on Wired Equivalent Privacy W...

Page 27: ...ween the wireless device and the network until authentication is complete Authentication by 802 1x standard uses Extensible Authentication Protocol EAP for the message exchange between the Summit WM Controller and the RADIUS server When 802 1x is used for authentication the Summit WM Controller provides the capability to dynamically assign per wireless device WEP keys called per station WEP keys i...

Page 28: ...ces associated with a WM AD directly to a specified core VLAN The following lists how many WM ADs the Summit WM20 Controller can support WM20 Up to 8 WM ADs The Wireless AP radios can be assigned to each of the configured WM ADs in a system Each AP can be the subject of 8 WM AD assignments corresponding to the number of SSIDs it can support Once a radio has all 8 slots assigned it is no longer eli...

Page 29: ...mit WM APs are setup as bridges that bridge wireless traffic to the local subnet In bridging configurations the user obtains an IP address from the same subnet as the AP If the user roams within APs on the same subnet it is able to keep using the same IP address However if the user roams to another AP outside of that subnet its IP address is no longer valid The user s client device must recognize ...

Page 30: ...ion to the CTP header this is referred to as Adaptive QoS Quality of Service QoS management is also provided by Assigning high priority to an SSID configurable Adaptive QoS automatic Support for legacy devices that use SpectraLink Voice Protocol SVP for prioritizing voice traffic configurable System Configuration Overview To set up and configure the Summit WM Controller and Wireless APs follow the...

Page 31: ...WM AD Setup Set up one or more virtual subnetworks on the Summit WM Controller For each WM AD configure the following Topology Configure the WM AD RF Assign the Wireless APs radios to the WM AD Authentication and Accounting Configure the authentication method for the wireless device user and enable the accounting method RAD Policy Define filter ID values and WM AD Groups Filtering Define filtering...

Page 32: ...Overview of the Summit WM Controller Access Points and Software Solution Summit WM20 User Guide Software Release 4 2 32 ...

Page 33: ...tegrate with an existing wired Local Area Network LAN The rack mountable Summit WM Controller provides centralized management network access and routing to wireless devices that use Wireless APs to access the network It can also be configured to handle data traffic from third party access points The Summit WM Controller provides the following functionality Controls and configures Wireless APs prov...

Page 34: ... Control console port One USB Server port future use Built in PSU Hard Drive Fans and Controller card not field replaceable Supporting up to 32 APs WM200 Four Data ports 10 100 1000 BaseT One Management port 10 100 BaseT One Console port DB9 serial Redundant and Field Replaceable Power modules Redundant and Field Replaceable Fan modules Field Replaceable Supervisory module Field Replaceable Networ...

Page 35: ...it is recommended that you configure the time zone during the initial installation and configuration of the Summit WM Controller to avoid network interruptions For more information see Configuring Network Time on page 158 To configure a physical port to attach to a VLAN define the VLAN as part of the IP address assignment Applying the Product License Key Apply a product license key file If a produ...

Page 36: ...cation and accounting configuration is optional It only applies to Captive Portal or AAA WM ADs RAD Policy Define filter ID values and WM AD Groups This configuration is optional Filtering Define filtering rules to control network access Multicast Define groups of IP addresses for multicast traffic This configuration is optional By default the multicast feature is disabled Privacy Select and confi...

Page 37: ... Summit WM Controller by one of two methods Use the method described in Console Port for Summit WM20 Controller on page 238 to access Summit WM20 Controller console Use the Command Line Interface CLI commands For more information see the Summit WM20 CLI Reference Guide Use a laptop computer with a Web browser Connect the supplied cross over Ethernet cable between the laptop and management Ethernet...

Page 38: ...r Summit WM20 User Guide Software Release 4 2 38 4 In the User Name box type your user name The default is admin 5 In the Password box type your password The default is abc123 6 Click Login The Summit WM GUI main menu screen is displayed ...

Page 39: ... id you used to login in For example admin Port Status is the connectivity state of the port M represents the Management interface which is on eth0 and the numbered lights reflect the esa ports on the system Green indicates the interface is up and running Red indicates the interface is down 7 From the main menu click Summit Switch Configuration The Summit WM Controller Configuration screen is disp...

Page 40: ... subnet mask for the IP address to separate the network portion from the host portion of the address typically 255 255 255 0 Management Gateway Specifies the default gateway of the network Primary DNS Specifies the primary DNS server used by the network Secondary DNS Specifies the secondary DNS server used by the network 11 To save your changes click OK NOTE The Web connection between the computer...

Page 41: ...he management port configuration settings the next step is to connect the Summit WM Controller to your enterprise network To connect the Summit WM Controller to your enterprise network 1 Disconnect your computer from the Summit WM Controller management port 2 Connect the Summit WM Controller management port to the enterprise Ethernet LAN The Summit WM Controller resets automatically 3 Log on to th...

Page 42: ...all data ports Port configuration allows for the explicit state of the administration state for each interface By default data interface states will be disabled You can then enable each of the data interfaces individually A disabled interface does not allow data to flow receive transmit VLAN ID Parameter You can define a specific VLAN tag to be applied to a particular interface All packets associa...

Page 43: ...he Summit WM Controller assumes control over the layer 3 functions including DHCP Router Port Use a router port definition for a port that you want to connect to a OSPF area to exchange routes to other OSPF routers Wireless APs can be attached to a router port The Summit WM Controller will create a virtual WM AD port and handle wireless device traffic in the same manner as a host port NOTE Third p...

Page 44: ...Management Port Settings and Interfaces screen is displayed The lower portion of the Summit WM Controller Configuration screen displays the number of Ethernet ports of the Summit WM Controller Summit WM20 Two Ethernet ports Table 2 Port Types and Functions Port Type Host 3rd Party AP Router WM AD OSPF route advertisement No No Selectable Route wireless device traffic only No Wireless AP support Ye...

Page 45: ...he drop down list Host Port Specifies a port for connecting Wireless APs with no OSPF routing function on this port Third Party AP Port Specifies a port to which you will connect third party access points Router Port Specifies a port that you want to connect to an upstream next hop router for OSPF route advertisement in the network NOTE For OSPF routing on a port the port must be configured as a r...

Page 46: ...address type 0 0 0 0 5 In the Gateway box type the IP address of the specific router port or gateway on the same subnet as the Summit WM Controller to which to forward these packets This is the IP address of the next hop between the Summit WM Controller and the packet s ultimate destination 6 Click Add The new route is added to the list of routes 7 Select the Override dynamic routes checkbox to gi...

Page 47: ...u must Define one data port as a router port in the IP Addresses screen Enable OSPF globally on the Summit WM Controller Define the global OSPF parameters Enable or disable OSPF on the port that you defined as a router port Ensure that the OSPF parameters defined here for the Summit WM Controller are consistent with the adjacent routers in the OSPF area This consistency includes the following If t...

Page 48: ...6 In the Area ID box type the area 0 0 0 0 is the main area in OSPF 7 From the Area Type drop down list select one of the following Default The default acts as the backbone area also known as area zero It forms the core of an OSPF network All other areas are connected to it and inter area routing happens via a router connected to the backbone area Stub The stub area does not receive external route...

Page 49: ...ion drop down list select the authentication type for OSPF on your network None or Password The default setting is None 7 If Password was selected as the authentication type in the Password box type the password If None was selected as the Authentication type leave this box blank This password must match on either end of the OSPF connection 8 Type the following Hello Interval Specifies the time in...

Page 50: ...sers connected on a WM AD the WM AD configuration itself must have allow management enabled and users will only be able to target the WM AD interface specifically NOTE You can also enable management traffic in the WM AD definition For example on the Summit WM Controller s data interfaces both physical interfaces and WM AD virtual interfaces the built in exception filter prohibits invoking SSH HTTP...

Page 51: ...les give you the capability of restricting access to a port for specific reasons such as a Denial of Service DoS attack The filtering rules are set up in the same manner as filtering rules defined for a WM AD specify an IP address and then either allow or deny traffic to that address For more information see Configuring Filtering Rules for a WM AD on page 122 The rules defined for port exception f...

Page 52: ...ss 5 From the Protocol drop down list select the protocol you want to specify for the filter This list may include UDP TCP IPsec ESP IPsec AH ICMP The default is N A 6 Click Add The new filter is displayed in the Filter section of the screen 7 To select the new filter click it 8 To allow traffic select the Allow checkbox 9 To adjust the order of the filtering rules click Up or Down to position the...

Page 53: ...s Points and Software Once you have configured the WM AD and registered and assigned APs to the WM AD the Summit WM Controller Access Points and Software system configuration is complete Ongoing operations of the Summit WM Controller Access Points and Software system can include the following Summit WM Controller System Maintenance Wireless AP Maintenance Client Disassociate Logs and Traces Report...

Page 54: ...Configuring the Summit WM Controller Summit WM20 User Guide Software Release 4 2 54 ...

Page 55: ... traffic to an Ethernet LAN The Wireless AP is provided with proprietary software that allows it to communicate only with the Summit WM Controller The Wireless AP physically connects to a LAN infrastructure and establishes an IP connection to the Summit WM Controller The Wireless AP has no user interface instead the Wireless AP is managed through the Summit WM GUI The Wireless AP s configuration i...

Page 56: ...multaneously For more information see Topology for a WM AD on page 98 The Unlicensed National Information Infrastructure U NII bands are three frequency bands of 100 MHz each in the 5 GHz band designated for short range high speed wireless networking communication The Wireless AP supports the full range of 802 11a 5 15 to 5 25 GHz U NII Low Band 5 25 to 5 35 GHz U NII Middle Band 5 725 to 5 825 GH...

Page 57: ...e Location Protocol SLP Directory Agent DA followed by a unicast SLP request to the Directory Agent To use the DHCP and unicast SLP discovery method you must ensure that the DHCP server on your network supports Option 78 DHCP for SLP RFC2610 The Wireless APs use this method to discover the Summit WM Controller This solution takes advantage of two services that are present on most networks DHCP Dyn...

Page 58: ...port IP address and binding key Once the Wireless AP is registered with a Summit WM Controller the Wireless AP must be configured After the Wireless AP is registered and configured it can be assigned to a WM Access Domain Service WM AD to handle wireless traffic Default Wireless AP Configuration Default AP configuration simplifies the registration after discovery process Default Wireless AP config...

Page 59: ...owered off Off Green Off Beginning of Power On Self Test POST 0 5 seconds Off Off Off POST Off Red Off Failure during POST Green Off Green Random delay State displayed only after a vulnerable reset Green Off Off Green Green Off Vulnerable time interval The Wireless AP resets to factory default if powered off for three consecutive times during this state No vulnerable period when AP is resetting to...

Page 60: ...o a power source to initiate the discovery and registration process For more information see Connecting the Wireless AP to a Power Source and Initiating the Discovery and Registration Process on page 63 Adding a Wireless AP Manually Option An alternative to the automatic discovery and registration process of the Wireless AP is to manually add and register a Wireless AP to the Summit WM Controller ...

Page 61: ... minimum configuration which only allows it to maintain an active link with the controller for future state change The AP s radios are not configured or enabled Pending APs are not eligible for configuration operations WM AD Assignment default template Radio parameters until approved If the Summit WM Controller recognizes the serial number the controller uses the existing registration record to au...

Page 62: ...t Allow only approved Altitude APs to connect The Allow all Altitude APs to connect option is selected by default For more information see Security Mode on page 60 4 In the Discovery Timers section type the discovery timer values in the following boxes Number of retries Delay between retries The number of retries is limited to 255 in a five minutes discovery period The default number of retries is...

Page 63: ...matic discovery and registration process of the Wireless AP is to manually add and register a Wireless AP to the Summit WM Controller The Wireless AP is added with default settings For more information see Modifying Wireless AP Settings on page 64 To add and register a Wireless AP manually 1 From the main menu click Altitude APs The Altitude AP screen is displayed 2 Click Add Altitude AP The Add A...

Page 64: ...ation states to modify their settings For example this feature is useful when approving pending Wireless APs when there are a large number of other Wireless APs that are already registered From the Access Approval screen click Pending to select all pending Wireless APs then click Approve to approve all selected Wireless APs Modifying a Wireless AP s Status If during the discovery process the Summi...

Page 65: ...reen was set to register only approved Wireless APs Pending AP is removed from the Active list and is forced into discovery Release Release foreign Wireless APs after recovery from a failover Releasing an AP corresponds to the Availability functionality For more information see Chapter 6 Availability and Controller Functionality Delete Delete this Wireless AP from the WM AD Configuring the Default...

Page 66: ...ion is enabled by default Country Select the country of operation This option is only available with some licenses 5 In the Radio Settings section modify the following Enable Radio Select the radios you want to enable DTIM Beacon Period For each radio type the desired DTIM Delivery Traffic Indication Message period the number of beacon intervals between two DTIM beacons To ensure the best client p...

Page 67: ... in the vicinity of this AP Select Long if compatibility with pre 11b clients is required Protection Mode Select a protection mode None Auto or Always The default and recommended setting is Auto Select None if 11b APs and clients are not expected Select Always if you expect many 11b only clients Protection Rate Select a protection rate 1 2 5 5 or 11 Mbps The default and recommended setting is 11 O...

Page 68: ...ns in Discovery and Registration Overview on page 56 7 In the Dynamic Radio Management section modify the following Enable Select Enable or Disable Coverage Select Shaped or Standard Shaped coverage adjusts the range based on neighboring Wireless APs and standard coverage adjusts the range to the client that is the most distant as indicated by its signal strength Avoid WLAN For each radio select O...

Page 69: ...less AP s properties as an access point 1 From the main menu click Altitude APs The Altitude APs screen is displayed 2 In the Wireless AP list click the Wireless AP whose properties you want to modify The WAP Properties tab displays Wireless AP information 3 Modify the Wireless AP s information ...

Page 70: ...eboot Use broadcast for disassociation Select if you want the Wireless AP to use broadcast disassociation when disconnecting all clients instead of disassociating each client one by one This will affect the behavior of the AP under the following conditions If the Wireless AP is preparing to reboot or to enter one of the special modes DRM initial channel selection If a BSSID is deactivated or remov...

Page 71: ...ar in the Base Settings section The following lists how many WM ADs each Summit WM Controller can support WM20 Up to 8 WM ADs The AP radios can be assigned to each of the configured WM ADs in a system Each radio can be the subject of 8 WM AD assignments corresponding to the number of SSIDs it can support Once a radio has all 8 slots assigned it is no longer eligible for further assignment The BSS ...

Page 72: ...e power ratio in decibel dB of the measured power referenced to one milliwatt If Dynamic Radio Management DRM was enabled on the DRM screen this option is read only Rx Diversity Select Alternate for the best signal from both antennas or Left or Right to choose either of the two diversity antennas The default and recommended selection is Alternate If only one antennae is connected use the correspon...

Page 73: ...s is required Protection Mode Select a protection mode None Auto or Always The default and recommended setting is Auto Select None if 11b APs and clients are not expected Select Always if you expect many 11b only clients Protection Rate Select a protection rate 1 2 5 5 or 11 Mbps The default and recommended setting is 11 Only reduce the rate if there are many 11b clients in the environment or if t...

Page 74: ...s above which the packets will be fragmented by the AP prior to transmission The default value is 2346 which means all packets are sent unfragmented Reduce this value only if necessary 802 11a Select to enable the 802 11a radio Channel Select the wireless channel that the Wireless AP will use to communicate with wireless devices Depending on the regulatory domain based on country some channels may...

Page 75: ...e Max Basic Rate NOTE Radio a channels 100 to 140 occupy the 5470 5725 MHz band in the regulatory domains of the European Union and European Union free trade countries Radio B G Channels 12 and 13 are not available in North America Radio B G channel 14 is only available in Japan No of Retries for Background BK Select the number of retries for the Background transmission queue The default value is ...

Page 76: ... to a specific VLAN and type the value in the box Untagged Select if you want this AP to be untagged This option is selected by default CAUTION Caution should be exercised when using this feature If a VLAN tag is not configured properly the connectivity with the AP will be lost To configure the AP VLAN do the following Connect the AP to the Summit WM Controller or to the network point that does no...

Page 77: ...n if necessary If the AP IP address is not configured properly connecting to the AP may not be possible To recover from this situation you will need to reset the AP to its factory default settings For more information see Resetting the AP to Its Factory Default Settings on page 199 6 In the Add box type the IP address of the Summit WM Controller that will control this Wireless AP 7 Click Add The I...

Page 78: ...Ps select the checkbox corresponding to the Wireless AP you want to configure for DRM The DRM properties are populated with default values when DRM is enabled 6 In the Coverage drop down list select Std Standard Coverage Adjusts the range to the client that is the most distant as indicated by its signal strength Shpd Shaped Coverage Adjusts the range based on neighboring Wireless APs 7 If applicab...

Page 79: ...s use the Reset to Defaults feature on the WAP Properties tab To configure a Wireless AP with the system s default AP settings 1 From the main menu click Altitude APs The Altitude APs screen is displayed 2 In the Altitude AP list click the Wireless AP whose properties you want to modify The WAP Properties tab displays Wireless AP information 3 Click Reset to Defaults to have the Wireless AP inheri...

Page 80: ... Simultaneously In addition to configuring APs individually you can also configure multiple APs simultaneously by using the AP Multi edit functionality To configure APs simultaneously 1 From the main menu click Altitude APs The Altitude APs screen is displayed 2 In the left pane click WAP Multi edit 3 In the Altitude AP list select one or more APs to edit To select multiple APs select the appropri...

Page 81: ...e Periodically the software used by the Wireless APs is altered for reasons of upgrade or security The new version of the AP software is installed from the Summit WM Controller The software for each Wireless AP can be uploaded either immediately or the next time the Wireless AP connects Part of the Wireless AP boot sequence is to seek and install its software from the Summit WM Controller Although...

Page 82: ...ides Controlled Upgrade settings Selected by default Allows for the selection of a default revision level firmware image for all APs in the domain As the AP registers with the controller the firmware version is verified If it does not match the same value as defined for the default image the AP is automatically requested to upgrade to the default image 6 Select the Do not upgrade WAP images if cur...

Page 83: ...ve the image file from User ID The user ID that the controller should use when it attempts to log in to the FTP server Password The corresponding password for the user ID Confirm The corresponding password for the user ID to confirm it was typed correctly Directory The directory on the server in which the image file that is to be retrieved is stored Filename The name of the image file to retrieve ...

Page 84: ...lect the software image you want to use for the upgrade 6 In the list of registered Altitude APs select the checkbox for each Wireless AP to be upgraded with the selected software image 7 Click Apply WAP image version The selected software image is displayed in the Upgrade To column of the list 8 To save the software upgrade strategy to be run later click Save for later 9 To run the software upgra...

Page 85: ...ly by the Summit WM Controller s Dynamic Host Configuration Protocol DHCP server within the assigned range NOTE If the WM AD is in branch mode the Summit WM Controller s DHCP server will not assign IP addresses to the wireless devices For a routed WM AD you can allow the enterprise network s DHCP server to provide the IP addresses for the WM AD by enabling DHCP Relay The assigned addresses must be...

Page 86: ...ces can selectively be enabled including DHCP Relay allowing you to use the controller to become the default DHCP server for the VLAN if applicable Before defining a WM AD the following properties must be determined A user access plan for both individual users and user groups The RADIUS attribute values that support the user access plan The location and identity of the Wireless APs that will be us...

Page 87: ...ring Sales Finance Role such as student teacher library user Status such as guest administration technician For each user group you should set up a filter ID attribute in the RADIUS server and then associate each user in the RADIUS server to at least one filter ID name You can define specific filtering rules by filter ID attribute that will be applied to user groups to control network access Filte...

Page 88: ...ing lists how many WM ADs each Summit WM Controller can support WM20 Up to 8 WM ADs Each AP s radio can be assigned to any of the WM ADs defined in the system with up to 8 assignments per radio Once a WM AD definition is saved the Summit WM Controller updates this information on the Wireless AP The WM AD broadcasts the updates during beacon transmission unless the SSID beacon is suppressed on the ...

Page 89: ...o access it The Summit WM Controller supports two modes of Captive Portal authentication Internal Captive Portal The controller s own Captive Portal authentication page configured as an editable form is used to request user credentials External Captive Portal An entity outside of the Summit WM Controller is responsible for handling the user authentication process presenting the credentials request...

Page 90: ...equests one Both Captive Portal and AAA 802 1x authentication mechanisms in Summit WM Controller Access Points and Software rely on a RADIUS server on the enterprise network You can identify and prioritize up to three RADIUS servers on the Summit WM Controller in the event of a failover of the active RADIUS server the Summit WM Controller will poll the other servers in the list for a response Once...

Page 91: ...he type of authentication used No authentication network assignment by SSID Only the default filter will apply Specific network access can be defined Authentication by captive portal network assignment by SSID The non authenticated filter will apply before authentication Specific network access can be defined The filter should also include a rule to allow all users to get as far as the Captive Por...

Page 92: ...rd AES or by Temporal Key Integrity Protocol TKIP Two modes are available Enterprise Specifies 802 1x authentication and requires an authentication server Pre Shared Key PSK Relies on a shared secret The PSK is a shared secret pass phrase that must be entered in both the Wireless AP or router and the WPA clients WM AD Global Settings Before defining a specific WM AD define the global settings that...

Page 93: ...tion between controller and the RADIUS server 4 In order to proofread your password before saving the configuration click Unmask The password is displayed To mask the password click Mask This precautionary step is highly recommended in order to avoid an error later when the Summit WM Controller attempts to communicate with the RADIUS server 5 To add the server to the list click Add 6 To remove a s...

Page 94: ...r a new voice stream Max Video VI BW for roaming streams The maximum allowed overall bandwidth on the new AP when a client with an active video stream roams to a new AP and requests admission for the video stream Max Video VI BW for new streams The maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new video stream These global QoS settings apply ...

Page 95: ...liar with the WM AD concepts you can now set up a new WM AD Setting up a new WM AD involves the following general steps Step one Create a WM AD name Step two Define the topology parameters Step three Configure the WM AD For information on setting up a new WM AD see Chapter 5 WM Access Domain Services Configuration ...

Page 96: ...WM Access Domain Services Summit WM20 User Guide Software Release 4 2 96 ...

Page 97: ...eless device users where the Summit WM Controller acts as a default gateway to wireless devices For each WM AD you define its topology authentication accounting RADIUS servers filtering multicast parameters privacy and policy mechanism When you set up a new WM AD additional tabs appear only after you save the topology A critical topology option to define for a WM AD is the WM AD type Routed WM AD ...

Page 98: ...ed defining the topology for your WM AD save the topology settings Once your topology is saved you can then access the remaining WM AD tabs and continue configuring your WM AD There are two options for network assignment SSID The SSID determines the WM AD to which a user profile will be assigned user topology IP filters Has Captive Portal authentication or no authentication as well as MAC based au...

Page 99: ...llows a client to associate to the AP and exist on the network without having authentication Every associated user has a user session tracked by the Summit WM Controller from the time of association with the AP Users can be temporarily or longer for SSID assigned WM ADs be in the non authenticated state Pre timeout is the maximum amount of time allowed to elapse from the last time any traffic was ...

Page 100: ...reen is displayed 2 In the left pane WM Access Domains list click the WM AD you want to define the session timeout parameters for The Topology tab is displayed 3 In the Idle pre box type the number of minutes that a client is allowed to be idle on the WM AD before authentication 4 In the Idle post box type the number of minutes that a client is allowed to be idle on the WM AD after authentication ...

Page 101: ...ically Captive Portal enforcement In addition third party APs have a specific set of filters third party applied to them by default which allows the administrator to provide different traffic access restrictions to the third party AP devices for the users that use those resources The third party filters could be used to allow access to third party APs management operations for example HTTP SNMP 4 ...

Page 102: ...LAN at AP port The IP address definition is only required for a routed WM AD or VLAN bridged WM AD To define the IP address for the WM AD 1 From the main menu click WM AD Configuration The WM AD Configuration screen is displayed 2 In the left pane WM Access Domains list click the WM AD you want to define the IP address for The Topology tab is displayed 3 In the Gateway box type the Summit WM Contr...

Page 103: ...le address in the From box and type the last available address in the to box Click Add for each IP range you provide To specify a IP address select the Single Address option and type the IP address in the box Click Add for each IP address you provide To save your changes click Save The Address Exclusion screen closes 5 The Broadcast Address box populates automatically based on the Gateway IP addre...

Page 104: ... the controller s WM AD interface on the VLAN become either the actual DHCP server enable DHCP or become the relay agent for DHCP requests To set the name server configuration 1 From the main menu click WM AD Configuration The WM AD Configuration screen is displayed 2 In the left pane WM Access Domains list click the WM AD you want to set the name server configuration for The Topology tab is displ...

Page 105: ...n the case of relay the Summit WM Controller does not handle DHCP requests from users but instead forwards the requests to the indicated DHCP server NOTE The DHCP Server must be configured to match the WM AD settings In particular for Routed WM AD the DHCP server must identify the Summit WM Controller s interface IP as the default Gateway router for the subnet Users intending to reach devices outs...

Page 106: ...operties click Save Assigning Wireless AP Radios to a WM AD If two Summit WM Controllers have been paired for availability for more information see Availability Overview on page 151 each Summit WM Controller s registered Wireless APs will appear as foreign in the list of available Wireless APs on the other Summit WM Controller Once you have assigned a Wireless AP radio to eight WM ADs it will not ...

Page 107: ... disabled It is recommended to enable this option Apply power back off Select to enable the AP to use reduced power as does the 11h client By default this option is disabled It is recommended to enable this option Process client IE requests Select to enable the AP to accept IE requests sent by clients via Probe Request frames and responds by including the requested IE s in the corresponding Probe ...

Page 108: ... to determine if the wireless client s MAC address is authorized to access the network Vendor Specific Attributes In addition to the standard RADIUS message you can include Vendor Specific Attributes VSAs The Summit WM Controller Access Points and Software authentication mechanism provides six VSAs for RADIUS and other authentication mechanisms Table 4 Vendor Specific Attributes Attribute Name ID ...

Page 109: ...Controller implements policy and allows the appropriate network access Captive Portal authentication relies on a RADIUS server on the enterprise network There are three mechanisms by which Captive Portal authentication can be carried out Internal Captive Portal The Summit WM Controller presents the Captive Portal Web page carries out the authentication and implements policy External Captive Portal...

Page 110: ...on Summit WM20 User Guide Software Release 4 2 110 Auth Use to define authentication servers MAC Use to define servers for MAC based authentication Acct Use to define accounting servers 4 Click Auth The Authentication fields are displayed ...

Page 111: ...used to access the RADIUS server The default is 1812 7 In the of Retries box type the number of times the Summit WM Controller will attempt to access the RADIUS server 8 In the Timeout box type the maximum time that a Summit WM Controller will wait for a response from the RADIUS server before attempting again 9 In the NAS Identifier box type the Network Access Server NAS identifier The NAS identif...

Page 112: ...E If you have already assigned a server to either MAC based authentication or accounting and you want to use it again for authentication highlight its name in the list next to the Up and Down buttons and select the Use server for Authentication checkbox The server s default information is displayed Defining the RADIUS Server Priority for RADIUS Redundancy If more than one server has been defined f...

Page 113: ...oint for AAA WM ADs there is no need for a client password below 7 In the User ID box type the user ID that you know can be authenticated 8 In the Password box type the corresponding password 9 Click Test The Test Result screen is displayed 10 To view a summary of the RADIUS configuration click View Summary The RADIUS summary screen is displayed 11 To save your changes click Save Configuring Capti...

Page 114: ...a label for the user login field 7 In the Password Label box type the text that will appear as a label for the user password field 8 In the Header URL box type the location of the file to be displayed in the Header portion of the Captive Portal screen This page can be customized to suit your organization with logos or other graphics CAUTION If you use logos or graphics ensure that the graphics or ...

Page 115: ... those identifiers 16 To provide users with a logoff button select Logoff The Logoff button launches a pop up logoff screen allowing users to control their logoff 17 To provide users with a status check button select Status check The Status check button launches a pop up window which allows users to monitor session statistics such as system usage and time left in a session 18 To save your changes ...

Page 116: ...ltering for a WM AD on page 90 Defining Authentication for a WM AD for AAA If network assignment is AAA with 802 1x authentication the wireless device must successfully complete the user authentication verification prior to being granted network access This enforcement is performed by both the user s client and the AP The wireless device s client utility must support 802 1x The user s EAP packets ...

Page 117: ...n fields are displayed 5 From the RADIUS drop down list select the server you want to use for Captive Portal authentication and then click Use The server s default information is displayed The RADIUS servers are defined in the Global Settings screen For more information see WM AD Global Settings on page 92 ...

Page 118: ... The Vendor Specific Attributes must be defined on the RADIUS server 11 If applicable select Set as primary server 12 To save your changes click Save NOTE If you have already assigned a server to either MAC based authentication or accounting and you want to use it again for authentication highlight its name in the list next to the Up and Down buttons and select the Use server for Authentication ch...

Page 119: ...k Use The server s default information is displayed and a red asterisk is displayed next to MAC indicating that a server has been assigned The RADIUS servers are defined in the Global Settings screen For more information see WM AD Global Settings on page 92 6 If applicable to use a server that has already been used for another type of authentication or accounting select the server you want to use ...

Page 120: ...nges click Save Defining Accounting Methods for a WM AD The next step in configuring a WM AD is to define the methods of accounting Accounting tracks the activity of a wireless device users There are two types of accounting available Summit WM Controller accounting Enables the Summit WM Controller to generate Call Data Records CDRs in a flat file on the Summit WM Controller RADIUS accounting Enabl...

Page 121: ...o define the filter ID values for a WM AD These filter ID values must match those set up on the RADIUS servers NOTE This configuration step is optional If filter ID values are not defined the system uses the default filter as the applicable filter group for authenticated users within a WM AD However if more user specific filter definitions are required for example filters based on a user s departm...

Page 122: ...e box type the name of a WM AD group you want to create and define within the selected parent WM AD 8 Click the corresponding Add button The Group Name will appear as a child of the parent WM AD in the left pane WM Access Domains list 9 To your changes click Save Configuring Filtering Rules for a WM AD The next step in configuring a WM AD is to configure the filtering rules for a WM AD In an AAA W...

Page 123: ...les may inadvertently create security lapses in the system s protection mechanism or create a scenario that filters out packets that are required by the system NOTE Use exception filters only if absolutely necessary It is recommended to avoid defining general allow all or deny all rule definitions since those definitions can easily be too liberal or too restrictive to all types of traffic The exce...

Page 124: ...d in the Topology tab for this WM AD 7 Click Add The information is displayed in the Filter Rules section of the tab 8 Select the new filter then select the Allow checkbox applicable to the rule you defined 9 Edit the order of a filter by selecting the filter and clicking the Up and Down buttons The filtering rules are executed in the order you define here 10 To save your changes click Save NOTE F...

Page 125: ...TP traffic outside of those defined in the non authenticated filter will be redirected NOTE Although non authenticated filters definitions are used to assist in the redirection of HTTP traffic for restricted or denied destinations the non authenticated filter is not restricted to HTTP operations The filter definition is general Any traffic other than HTTP that the filter does not explicitly allow ...

Page 126: ... 6 For Captive Portal assignment define a rule to allow access to the default gateway for this WM AD Select IP Port Type the default gateway IP address that you defined in the Topology tab for this WM AD 7 Click Add The information is displayed in the Filter Rules section of the tab 8 Select the new filter then do the following If applicable select In to refer to traffic from the wireless device t...

Page 127: ...l URLs mentioned in the page definition Here is another example of a non authenticated filter that adds two more filtering rules The two additional rules do the following Deny access to a specific IP address Allows only HTTP traffic Table 5 Non authenticated filter example A In Out Allow IP Port Description x x x IP address of default gateway WM AD Interface IP Allow all incoming wireless devices ...

Page 128: ...lso send back to the Summit WM Controller a filter ID attribute value associated with the user For an AAA WM AD a Login LAT Group identifier for the user may also be returned WM AD Policy is also applicable for Captive Portal and MAC based authorization If the filter ID attribute value or Login LAT Group attribute value from the RADIUS server matches a filter ID value that you have set up on the S...

Page 129: ... destination IP address You can also specify an IP range a port designation or a port range on that IP address In the Protocol drop down list select the applicable protocol The default is N A 6 Click Add The information is displayed in the Filter Rules section of the tab 7 Select the new filter then do the following If applicable select In to refer to traffic from the wireless device that is tryin...

Page 130: ...or any traffic that did not match a filter A final Allow All rule in a default filter will ensure that a packet is not dropped entirely if no other match can be found WM AD Policy is also applicable for Captive Portal and MAC based authorization To define the filtering rules for a default filter 1 From the main menu click WM AD Configuration The WM AD Configuration screen is displayed 2 In the lef...

Page 131: ...mple A In Out Allow IP Port Description x x Intranet IP range Deny all access to an IP range x x Port 80 HTTP Deny all access to Web browsing x x Intranet IP Deny all access to a specific IP x x x Allow everything else Table 10 Default Filter Example B In Out Allow IP Port Description x Port 80 HTTP on host IP Deny all incoming wireless devices access to Web browsing the host x Intranet IP 10 3 0 ...

Page 132: ...multicast traffic can be enabled as part of a WM AD definition This mechanism is provided to support the demands of VoIP and IPTV network traffic while still providing the network access control Define a list of multicast groups whose traffic is allowed to be forwarded to and from the WM AD The default behavior is to drop the packets For each group defined you can enable Multicast Replication by g...

Page 133: ...by selecting one of the radio buttons IP Group Type the IP address range Defined groups Select from the drop down list 6 Click Add The group is added to the list above 7 To enable the wireless multicast replication for this group select the corresponding Wireless Replication checkbox 8 To modify the priority of the multicast groups select the group row and click the Up or Down buttons A Deny All r...

Page 134: ... up to eight SSIDs Each AP can participate in up to 8 WM ADs For each WM AD only one WEP key can be specified It is treated as the first key in a list of WEP keys Wi Fi Protected Access WPA Pre Shared key PSK Privacy in PSK mode using a Pre Shared Key PSK or shared secret for authentication WPA PSK is a security solution that adds authentication to enhanced WEP encryption and key management WPA PS...

Page 135: ...select Input String type the secret WEP key string used for encrypting and decrypting in the WEP Key String box The WEP Key box is automatically filled by the corresponding Hex code 7 To save your changes click Save To configure privacy by WPA PSK for a Captive Portal WM AD 1 From the main menu click WM AD Configuration The WM AD Configuration screen is displayed 2 In the left pane WM Access Domai...

Page 136: ... 2 8 To enable re keying after a time interval select Broadcast re key interval If this checkbox is not selected the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast Multicast transmissions This will reduce the level of security for wireless communications 9 In the Broadcast re key interval box type the time interval after which the...

Page 137: ...ryption Standard with Counter Mode CBC MAC Protocol AES CCMP NOTE In order to use WPA with 802 1x authentication network assignment must be AAA To set up static WEP privacy for an AAA WM AD 1 From the main menu click WM AD Configuration The WM AD Configuration screen is displayed 2 In the left pane WM Access Domains list click the AAA WM AD you want to configure privacy by WPA PSK for a Captive Po...

Page 138: ...rivacy for an AAA WM AD The WM AD Privacy feature supports Wi Fi Protected Access WPA v1 and WPA v2 a security solution that adds authentication to enhanced WEP encryption and key management The authentication portion of WPA for AAA is in Enterprise Mode Specifies 802 1x with Extensible Authentication Protocol EAP Requires a RADIUS or other authentication server Uses RADIUS protocols for authentic...

Page 139: ...th Wireless AP Step two Wireless AP blocks the client s network access while the authentication process is carried out the Summit WM Controller sends the authentication request to the RADIUS authentication server Step three The wireless client provides credentials that are forwarded by the Summit WM Controller to the authentication server Step four If the wireless device client is not authenticate...

Page 140: ...is checkbox is not selected the Broadcast encryption key is never changed and the Wireless AP will always use the same broadcast key for Broadcast Multicast transmissions This will reduce the level of security for wireless communications 8 In the Broadcast re key interval box type the time interval after which the broadcast encryption key is changed automatically The default is 3600 9 To save your...

Page 141: ... are enabling the integration of internet telephony technology on wireless networks Various issues including Quality of Service QoS call control network capacity and network architecture are factors in VoIP over 802 11 WLANs Wireless voice data requires a constant transmission rate and must be delivered within a time limit This type of data is called isochronous data This requirement for isochrono...

Page 142: ...verride is enabled the configured service class overrides the queue selection in the downlink direction the 802 1P UP for the VLAN tagged Ethernet packets and the UP for the wireless QoS packets WMM or 802 11e according to the mapping in Table 13 If Priority Override is enabled and the WM AD is not locally bridged the configured DSCP value is used to tag the IP header of the encapsulated packets T...

Page 143: ...ify and prioritize the uplink traffic 802 11e If enabled the AP will accept WMM client associations and will classify and prioritize the downlink traffic for all 802 11e clients The 802 11e clients will also classify and prioritize the uplink traffic Turbo Voice If any of the above QoS modes are enabled the Turbo Voice mode is available If enabled all the downlink traffic that is classified to the...

Page 144: ...he QoS tagging within the packets as set by the wireless devices and the host devices on the wired network Both Layer 3 tagging DSCP and Layer 2 802 1d tagging are supported and the mapping is conformant with the WMM specification If both L2 and L3 priority tags are available then both are taken into account and the chosen AC is the highest resulting from L2 and L3 If only one of the priority tags...

Page 145: ...together with QoS modes Legacy WMM or 802 11e DL voice traffic is sent via Turbo Voice queue instead of voice queue A separate turbo voice queue allows for some WM ADs to use the Turbo Voice parameters for voice traffic while other WM ADs use the voice parameters for voice traffic If WMM mode is also enabled WMM clients use Turbo Voice like contention parameters for UL voice traffic If 802 11e mod...

Page 146: ...ower Save Delivery U APSD feature Works in conjunction with WMM and or 802 11e and it is automatically disabled if both WMM and 802 11e are disabled Step 6 Configure Global Admission Control Enable admission control Admission control protects admitted traffic against new bandwidth demands Available for Voice and Video To configure QoS Policy on a WM AD 1 From the main menu click WM AD Configuratio...

Page 147: ...affic for all 802 11e clients The 802 11e clients will also classify and prioritize the uplink traffic If selected the Turbo Voice and the Advanced Wireless QoS options are displayed Turbo Voice Select to enable all downlink traffic that is classified to the Voice VO AC and belongs to that WM AD to be transmitted by the AP via a queue called Turbo Voice TVO instead of the normal Voice VO queue Whe...

Page 148: ...s while being in power save mode This feature works in conjunction with WMM and or 802 11e and it is automatically disabled if both WMM and 802 11e are disabled Use Global Admission Control for Voice VO Select to enable admission control for Voice With admission control clients are forced to request admission in order to use the high priority access categories in both downlink and uplink direction...

Page 149: ...ed as a single WM AD VLAN with different SSIDs on different radios An effective scenario of the configuration described above in which the same subnet is used with different SSIDs on radio a and b g is when this configuration is defined consistently on all APs It would allow dual band a b g clients to associate to one of the radios by specifying the correct SSID This is particularly effective with...

Page 150: ...WM Access Domain Services Configuration Summit WM20 User Guide Software Release 4 2 150 ...

Page 151: ...he second Summit WM Controller provides the wireless network and a pre assigned WM AD for the Wireless AP NOTE During a failover event the maximum number of failover APs a backup controller can accommodate is equal to the maximum number of APs supported by the hardware platform NOTE Wireless APs that attempt to connect to a backup controller during a failover event are assigned to the WM AD that i...

Page 152: ...the primary and secondary Summit WM Controllers are identical platforms For more information on availability support between platforms see the Summit WM20 Technical Reference Guide Verify the network accessibility for the TCP IP connection between the two controllers The availability link is established as a TCP session on port 13907 Set up a DHCP server for AP subnets to support Option 78 for SLP...

Page 153: ... AP assignments are used An alternate method to setting up APs includes 1 Add each Wireless AP manually to each Summit WM Controller 2 From the AP Properties screen click Add Wireless AP 3 Define the Wireless AP and click Add Wireless AP Manually defined APs will inherit the default AP configuration settings CAUTION If two Summit WM Controllers are paired and one has the Allow All option set for W...

Page 154: ...options Allow all Altitude APs to connect If the Summit WM Controller does not recognize the serial number it sends a default configuration to the Wireless AP Or if the Summit WM Controller recognizes the serial number it sends the specific configuration port and binding key set for that Wireless AP Allow only approved Altitude APs to connect If the Summit WM Controller does not recognize the seri...

Page 155: ... During an outage if the remaining Summit WM Controller is the secondary controller It registers as the SLP service ru_manager To view SLP activity 1 From the main menu click Altitude APs The Altitude APs screen is displayed 2 In the left pane click AP Registration The Altitude APs Registration screen is displayed 3 To confirm SLP registration click the View SLP Registration button A pop up screen...

Page 156: ...e AP is assigned to different WM ADs on the two controllers it will reboot Because of the pairing of the two Summit WM Controllers the Wireless AP will then register with the other Summit WM Controller All user sessions using the AP that fails over will terminate unless the Maintain client sessions in event of poll failure option is enabled on the AP Properties tab or AP Default Settings screen NO...

Page 157: ...r the critical messages for the failover mode message in the information log of the remaining Summit WM Controller in the Reports and Displays section of the Summit WM Controller 2 After recovery on the Summit WM Controller that did not fail select the foreign Wireless APs and click on the Release button on the Access Approval screen Defining Management Users In this screen you define the login us...

Page 158: ...displayed 2 In the left pane click the Management Users option The Management Users screen is displayed 3 To select a user to be modified click it 4 In the Password box type the new password for the user 5 In the Confirm Password retype the new password 6 To change the password click Change Password To remove a Summit WM Controller management user 1 From the main menu click Summit Switch The Summi...

Page 159: ...or Ocean drop down list 5 From the Time Zone Region drop down list select the appropriate time zone region for the selected country 6 To apply your changes click Apply Time Zone To set system time parameters 1 From the main menu click Summit Switch The Summit Switch Configuration screen is displayed 2 In the left pane click Network Time The Network Time screen is displayed 3 To use system time sel...

Page 160: ...gram Interface On the ELA server the event messages are tracked and analyzed so suspicious messages can be forwarded to a firewall application that can take corrective action Check Point created the OPSEC Open Platform for Security alliance program for security application and appliance vendors to enable an open industry wide framework for inter operability When ELA is enabled on the Summit WM Con...

Page 161: ... The default is 100 milliseconds ELA Retry Interval Specifies the amount of time in milliseconds you want the system to wait before attempting a re connection between Summit WM Controller and the Check Point gateway The default is 2000 milliseconds ELA Message Queue Size Specifies the number of messages the log queue holds if the Summit WM Controller and the Check Point gateway become disconnected...

Page 162: ... SNMP The Summit WM Controller Access Points and Software system supports Simple Network Management Protocol SNMP Version 1 and 2c SNMP a set of protocols for managing complex networks is used to retrieve Summit WM Controller statistics and configuration information SNMP sends messages called protocol data units PDUs to different parts of a network Devices on the network that are SNMP compliant ca...

Page 163: ...roller is the only point of SNMP access for the entire system In effect the Summit WM Controller proxies sets gets and alarms from the associated Wireless APs Enabling SNMP on the Summit WM Controller You can enable SNMP on the Summit WM Controller to retrieve statistics and configuration information To enable SNMP Parameters 1 From the main menu click Summit Switch The Summit Switch Configuration...

Page 164: ...lt this option is enabled When this option is enabled all Wireless APs and their interfaces are published as interfaces of the Summit WM Controller when you retrieve topology statistics and configuration information using the SNMP protocol Topology statistics and configuration information on Wireless APs are retrievable using both proprietary and standard MIB The Publish AP as interface of control...

Page 165: ... 4 2 165 3 In the Target IP Address box type the IP address of the destination computer 4 To test a connection to the target IP address click Ping A pop up window is displayed with the ping results The following is an example of a screen after clicking the Ping button ...

Page 166: ...net between your computer and the target IP address click Trace Route A pop up window is displayed with the trace route results The following is an example of a screen after clicking the Trace Route button Configuring Web Session Timeouts You can configure the time period to allow Web sessions to remain inactive before timing out ...

Page 167: ...yed 3 In the Web Session Timeout box type the time period to allow the Web session to remain inactive before it times out This can be entered as hour minutes or as minutes The range is 1 minute to 168 hours 4 Select the Show WM AD names on the Wireless AP SSID list checkbox to allow the names of the WM ADs to appear in the SSID list for Wireless APs 5 To save your settings click Save NOTE Screens ...

Page 168: ...Availability and Controller Functionality Summit WM20 User Guide Software Release 4 2 168 ...

Page 169: ...tive Portal and RAD policy for the third party AP WM AD on page 170 Step 4 Define filtering rules for the third party APs on page 171 To set up third party APs Step 1 Define a data port as a third party AP port 1 From the main menu click Summit Switch The Summit Switch Configuration screen is displayed 2 From the left pane click IP Address The Management Port Settings and Interfaces screen is disp...

Page 170: ... SSID 4 To define a WM AD for a third party AP select the Use 3rd Party AP checkbox 5 Continue configuring your WM AD as described in Configuring Topology for a WM AD for Captive Portal on page 99 NOTE Bridge Traffic at AP and MAC based authentication are not available for third party WM ADs Step 3 Define authentication by Captive Portal and RAD policy for the third party AP WM AD 1 Click the Auth...

Page 171: ...y access point s layer 3 IP routing capability and set the access point to work as a layer 2 bridge Here are the differences between third party access points and Wireless APs on the Summit WM Controller Access Points and Software system A third party access point exchanges data with the Summit WM Controller s data port using standard IP over Ethernet protocol The third party access points do not ...

Page 172: ...Working With Third Party APs Summit WM20 User Guide Software Release 4 2 172 ...

Page 173: ...Summit WM series Spy is a mechanism that assists in the detection of rogue APs Summit WM series Spy functionality does the following Wireless AP Runs a radio frequency RF scanning task Alternating between scan functions providing its regular service to the wireless devices on the network Summit WM Controller Runs a data collector application that receives and manages the RF scan messages sent by t...

Page 174: ...sis Engine select the Enable Summit Spy Analysis Engine checkbox 4 To enable the Summit Spy Data Collection Engine on this Summit WM Controller select the Enable Local Summit Spy Data Collection Engine checkbox 5 To save your changes click Apply NOTE Currently the Summit WM Controller WM20 does not support the Remote Collection Engines functionality of the Summit WM Controller Access Points and So...

Page 175: ...is displayed as part of the Scan Group If it becomes active it will be sent a scan request during the next periodic scan To run the Summit WM series Spy scan task mechanism 1 From the main menu click Summit Spy The Summit Spy screen is displayed 2 Click the Scan Groups tab 3 In the Scan Group Name box type a unique name for this scan group 4 In the Altitude APs list select the checkbox correspondi...

Page 176: ...ireless AP within the Scan Group will initiate a scan of the RF space The range is from one minute to 120 minutes 10 To initiate a scan using the periodic scanning parameters defined above click Start Scan 11 To initiate an immediate scan that will run only once click Run Now NOTE If necessary you can stop a scan by clicking Stop Scan A scan must be stopped before modifying any parameters of the S...

Page 177: ...n SSID critical alarm Known Wireless AP with an unknown SSID major alarm In ad hoc mode major alarm NOTE In the current release there is no capability to initiate a DoS attack on the detected rogue access point Containment of a detected rogue requires an inspection of the geographical location of its Scan Group area where its RF activity has been found Working With Summit WM Series Spy Scan Result...

Page 178: ...ry The Rogue Summary report is displayed in a pop up window 6 To clear all detected rogue devices from the list click Clear Detected Rogues NOTE To avoid the Summit WM series Spy s database becoming too large it is recommended that you either delete Rogue APs or add them to the Friendly APs list rather than leaving them in the Rogue list ...

Page 179: ...ion of the Friendly AP s tab To delete an AP from the Summit WM series Spy scan results 1 From the main menu click Summit Spy The Summit Spy screen is displayed 2 Click the Rogue Detection tab 3 To delete a specific AP from the Summit WM series Spy scan results click the corresponding Delete button The AP is removed from the list 4 To clear all rogue access points from the Summit WM series Spy sca...

Page 180: ...in menu click Summit Spy The Summit Spy screen is displayed 2 Click the Friendly APs tab 3 To select an access point from the Friendly AP Definitions list to delete click it 4 Click Delete The selected access point is removed from the Friendly AP Definitions list 5 To save your changes click Save To modify a friendly AP 1 From the main menu click Summit Spy The Summit Spy screen is displayed 2 Cli...

Page 181: ...e Release 4 2 181 Maintaining the Summit WM Series Spy List of APs To maintain the Wireless APs 1 From the main menu click Summit Spy The Summit Spy screen is displayed 2 Click the WAP Maintenance tab Inactive APs and known third party APs are displayed 3 Select the applicable APs ...

Page 182: ... RF Data Collector Engine You can also delete the selected third party APs if they are removed from the corresponding WM AD in the RF Collector Engine or if that WM AD has been deleted from the WM AD list Viewing the Scanner Status Report When the Summit WM series Spy is enabled you can view a report on the connection status of the RF Data Collector Engines with the Analysis Engine To view the Sum...

Page 183: ...to the communication system of the other controller but has not synchronized with the Data Collector Ensure that the Data Collector is running on the remote controller Red The Analysis Engine is aware of the Data Collector and attempting connection If no box is displayed the Analysis Engine is not attempting to connect with that Data Collector Engine NOTE If the box is displayed red and remains re...

Page 184: ...Working With the Summit WM Series Spy Summit WM20 User Guide Software Release 4 2 184 ...

Page 185: ...he Displays The following displays are available in the Summit WM Controller Access Points and Software system Active Wireless APs Active Clients by Wireless AP Active Clients by WM AD Port WM AD Filter Statistics WM AD Interface Statistics Wireless Controller Port Statistics Wireless AP Availability Wired Ethernet Statistics by Wireless AP Wireless Statistics by Wireless AP System Information Man...

Page 186: ... the AP has sent that data to a client and Packets Rec d means the AP has received packets from a client Viewing the Wireless AP Availability Display This display reports the active connection state of a Wireless AP availability to the Summit WM Controller for service Depending on the state of the Wireless AP the following is displayed Green Wireless AP is configured on the Summit WM Controller an...

Page 187: ...ireless APs Two displays are snapshots of activity at that point in time on a selected Wireless AP Wired Ethernet Statistics by Altitude AP Wireless Statistics by Altitude AP The statistics displayed are those defined in the 802 11 MIB in the IEEE 802 11 standard To view wired Ethernet statistics by Altitude AP 1 From the main menu click Reports Displays The Reports Displays screen is displayed 2 ...

Page 188: ...stics by Altitude AP display option The Wireless Statistics by Altitude APs display opens in a new browser window 3 In the Wired Statistics by Altitude APs display click a registered Wireless AP to display its information 4 Click the appropriate tab to display information for each radio on the Wireless AP 5 To view information on selected associated clients click View Client The Associated Clients...

Page 189: ...ime Conn is the length of time that a client has been on the system not just on an AP If the client roams from one AP to another the session stays therefore Time Conn does not reset A client is displayed as soon as the client connects or after refresh of screen The client disappears as soon as it times out Viewing the System Information and Manufacturing Information Displays System Information Dis...

Page 190: ... The Manufacturing Information display opens in a new browser window Viewing Reports The following reports are available in the Summit WM Controller Access Points and Software system Forwarding Table routes defined in the Summit WM Controller Routing Protocols screen OSPF Neighbor if OSPF is enabled in the Routing Protocols screen OSPF Linkstate if OSPF is enabled in the Routing Protocols screen A...

Page 191: ...t you want to view Forwarding Table OSPF Neighbor OSPF Linkstate WAP Inventory NOTE The WAP Inventory report opens in a new browser window All other reports appear in the current browser window The following is an example of a Forwarding Table report NOTE If you open only automatically refreshed reports the Web management session timer will not be updated or reset Your session will eventually time...

Page 192: ...ponding radio PL Power Level Defined in the Wireless AP radio properties pages BR Basic Rate Only applies to Wireless APs running 3 1 or earlier ORS Operational Rate Set Only applies to Wireless APs running 3 1 or earlier MnBR Minimum Basic Rate For more information see the Wireless AP radio configuration tabs MxBR Maximum Basic Rate MxOR Maximum Operational Rate RxDV Receive Diversity TxDV Tx Div...

Page 193: ...cally Configured IP If the Wireless AP s IP address is configured statically the IP address is displayed Netmask If the Wireless AP s IP address is configured statically the netmask that is statically configured for the Wireless AP Gateway If the Wireless AP s IP address is configured statically the IP address of the gateway router that the Wireless AP will use SWM Search List The list of IP addre...

Page 194: ...Working With Reports and Displays Summit WM20 User Guide Software Release 4 2 194 ...

Page 195: ...sues you want to cut the connection with a particular wireless device You can view all the associated wireless devices by MAC address on a selected Wireless AP You can do the following Disassociate a selected wireless device from its Wireless AP Add a selected wireless device s MAC address to a blacklist of wireless clients that will not be allowed to associate with the Wireless AP Backup and rest...

Page 196: ... by selecting the search parameters from the drop down lists and typing a search string in the Search box and clicking Search You can also use the Select All or Clear All buttons to help you select multiple clients 5 Click Disassociate The client s session terminates immediately Blacklisting a client The Blacklist tab displays the current list of MAC addresses that are not allowed to associate A c...

Page 197: ...selecting the search parameters from the drop down lists and typing a search string in the Search box and clicking Search You can also use the Select All or Clear All buttons to help you select multiple clients 5 Click Add to Blacklist The selected wireless client s MAC address is added to the blacklist To blacklist a wireless device client using its MAC address 1 From the main menu click Altitude...

Page 198: ...o save your changes click Save To clear an address from the blacklist 1 From the main menu click Altitude APs The Altitude APs Configuration screen is displayed 2 From the left pane click Client Management The Disassociate tab is displayed 3 Click the Blacklist tab 4 To clear an address from the blacklist select the corresponding checkbox in the MAC Addresses list 5 Click Remove Selected The selec...

Page 199: ...ist file is exported Resetting the AP to Its Factory Default Settings You can reset the Wireless AP to its factory default settings The AP boot up sequence includes a random delay interval followed by a vulnerable time interval During the vulnerable time interval 2 seconds the LEDs flash in a particular sequence to indicate that the Summit WM Controller is in the vulnerable time interval For more ...

Page 200: ...s and a collector a syslog server receives the messages without relaying them NOTE The log statements Low water mark level was reached and Incoming message dropped because of the rate limiting mechanism indicate that there is a burst of log messages coming to the event server and the processing speed is slower than the incoming rate of log messages These messages do not indicate that the system is...

Page 201: ...on the network 5 For each enabled syslog server in the Port box type a valid port number to connect on The default port for syslog is 514 6 To include all system messages select the Include all service messages checkbox If the box is not selected only component messages logs and traces are relayed This setting applies to all three servers The additional service messages are DHCP messages reporting...

Page 202: ... address reverts to 192 168 10 1 and the license key is removed Halt system The system enters the halted state which stops all functional services and the application To restart the system the power to the system must be reset 4 Click Apply Now The system is immediately halted Performing Summit WM Controller Software Maintenance You can update the core Summit WM Controller software files and the O...

Page 203: ... compatible upgrade RPM and OS patch and the Skip backup during RPM un install options remain disabled 4 To launch the upgrade with the selected image click on the Upgrade Now button 5 In the dialog box that is displayed confirm the upgrade At this point all sessions are closed The previous software is uninstalled automatically The new software is installed The Summit WM Controller reboots automat...

Page 204: ... of AP and they require different images 4 Click Download The image is downloaded and added to the list To delete a Summit WM Controller software image 1 From the main menu click Summit Switch The Summit Switch Configuration screen is displayed 2 From the left pane click Software Maintenance The SWM Software tab is displayed 3 To delete a software image from the list in the Available SWM Images li...

Page 205: ...mage 1 From the main menu click Summit Switch The Summit SwitchConfiguration screen is displayed 2 From the left pane click Software Maintenance The SWM Software tab is displayed 3 Click the OS Software tab 4 To download a new image to be added to the list in the Download Image section type the following FTP Server The IP of the FTP server to retrieve the image file from User ID The user ID that t...

Page 206: ...removed from the list Backing up Summit WM Controller Software You can backup the Summit WM Controller database You can also schedule the backups to occur When a scheduled backup is defined you can configure to have the scheduled backup copied to an FTP server when the backup is complete To back up the Summit WM Controller software 1 From the main menu click Summit Switch The Summit Switch Configu...

Page 207: ...sword for the user ID to confirm it was typed correctly Directory The directory on the server where the image file will be stored Filename The name that will be given to the image file when it is stored on the FTP server Platform The AP hardware type to which the image applies The are several types of AP and they require different images 5 Click Upload The backup is uploaded and added to the list ...

Page 208: ...to User ID The user ID that the controller should use when it attempts to log in to the FTP server Password The corresponding password for the user ID Confirm The corresponding password for the user ID to confirm it was typed correctly Directory The directory on the server where the image file will be stored 8 To save your changes click Save Restoring Summit WM Controller Software You can restore ...

Page 209: ...ce The System Maintenance screen is displayed 3 Click the Restore tab 4 To download an image for restore which will be added to the list in the Download for Restore section type the following FTP Server The FTP server to retrieve the image file from User ID The user ID that the controller should use when it attempts to log in to the FTP server Password The corresponding password for the user ID Co...

Page 210: ...ummit WM Controller supports any SFTP client NOTE You must enable management traffic before you try to connect with a SFTP client Specify the exact image path for the corresponding SW package see directory information below Otherwise the Summit WM Controller cannot locate them for SW upgrades updates To upload an image file 1 Launch the SFTP client point it to the Summit WM Controller and login in...

Page 211: ...dministrative changes made to the system the GUI Audit displays changes to the Graphical User Interface on the Summit WM Controller Traces Messages that display activity by component for system debugging troubleshooting and internal monitoring of software CAUTION In order for the Debug Info option on the Wireless AP Traces screen to return Trace messages this option must enabled while Wireless AP ...

Page 212: ... log statements Low water mark level was reached and Incoming message dropped because of the rate limiting mechanism indicate that there is a burst of log messages coming to the event server and the processing speed is slower than the incoming rate of log messages These messages do not indicate that the system is impaired in any way To view logs 1 From the main menu click Logs Traces The Logs Trac...

Page 213: ...ck Logs Traces The Logs Traces screen is displayed 2 Click one of the Traces tabs The following is an example of the Summit WM Controller traces The events are displayed in chronological order sorted by the Timestamp column 3 To sort the display by Type or Component click the appropriate column heading 4 To filter the traces by severity in order to display only Info Minor Major or Critical traces ...

Page 214: ...he Audit screen is displayed The events are displayed in chronological order sorted by the Timestamp column 3 To sort the display by User Section Page or Audit Message click the appropriate column heading 4 To clear the audits from the list click Clear Audits 5 To refresh the information in any display click Refresh 6 To export information from a display as an HTML file click the Export button ...

Page 215: ... To clear logs 1 From the main menu click Logs Traces The Logs Traces screen is displayed 2 Click one of the Log tabs The following is an example of the Summit WM Controller logs The events are displayed in chronological order sorted by the Timestamp column 3 To clear the logs click Clear Log Messages ...

Page 216: ...Performing System Maintenance Summit WM20 User Guide Software Release 4 2 216 ...

Page 217: ...ES encryption includes 4 stages that make up one round Each round is then iterated 10 12 or 14 times depending upon the bit key size For the WPA2 802 11i implementation of AES each round is iterated 10 times AES CCMP AES uses the Counter Mode CBC MAC Protocol CCMP CCM is a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication The two u...

Page 218: ...ber dialed Call data is stored in a PC database CHAP Challenge Handshake Authentication Protocol One of the two main authentication protocols used to verify a user s name and password for PPP Internet connections CHAP is more secure than PAP because it performs a three way handshake during the initial link establishment between the home and remote machines It can also repeat the authentication any...

Page 219: ... Agents The User Agent issues a multicast Service Request SrvRqst on behalf of the client application specifying the services required The User Agent will receive a Service Reply SrvRply specifying the location of all services in the network which satisfy the request For larger networks a third entity called a Directory Agent receives registrations from all available Service Agents A User Agent se...

Page 220: ... through an access point which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS The server asks the access point for proof of identity which the access point gets from the user and then sends back to the server to complete the authentication EAP TLS provides for certificate based and mutual authentication of the client and the network It...

Page 221: ...dles secure roaming quality of service and user authentication The central management controller also handles AP configuration and management A fat or thick AP architecture concentrates all the WLAN intelligence in the access point The AP handles the radio frequency RF communication as well as authenticating users encrypting communications secure roaming WLAN management and in some cases network r...

Page 222: ...ertext Transfer Protocol over Secure Socket Layer or HTTP over SSL is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server HTTPS uses Secure Socket Layer SSL as a sublayer under its regular HTTP application layering HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer TCP IP SSL uses a 40 bit key size ...

Page 223: ...l called Transmission Control Protocol TCP which establishes a virtual connection between a destination and a source IPC Interprocess Communication A capability supported by some operating systems that allows one process to communicate with another process The processes can be running on the same computer or on different computers connected through a network IPsec IPsec ESP IPsec AH Internet Proto...

Page 224: ...n See WPA and TKIP L LAN Local Area Network License installation LSA Link State Advertisements received by the currently running OSPF process The LSAs describe the local state of a router or network including the state of the router s interfaces and adjacencies See also OSPF M MAC Media Access Control layer One of two sublayers that make up the Data Link Layer of the OSI model The MAC layer is res...

Page 225: ...ast communication over a network between a single sender and a single receiver N NAS Network Access Server a server responsible for passing information to designated RADIUS servers and then acting on the response returned A NAS Identifier is a RADIUS attribute identifying the NAS server RFC2138 NAT Network Address Translator A network capability that enables a group of computers to dynamically sha...

Page 226: ...tform for Security is a security alliance program created by Check Point to enable an open industry wide framework for interoperability of security products and applications Products carrying the Secured by Check Point seal have been tested to guarantee integration and interoperability OS Operating system OSI Open System Interconnection An ISO standard for worldwide communications that defines a n...

Page 227: ...tocol TCP layer of TCP IP divides the file into packets Each packet is separately numbered and includes the Internet address of the destination The individual packets for a given file may travel different routes through the Internet When they have all arrived they are reassembled into the original file by the TCP layer at the receiving end PAP Password Authentication Protocol is the most basic for...

Page 228: ... such technologies as Frame Relay Asynchronous Transfer Mode ATM Ethernet and 802 1 networks SONET and IP routed networks QoS features provide better network service by supporting dedicated bandwidth improving loss characteristics avoiding and managing network congestion shaping network traffic setting traffic priorities across the network Quality of Service QoS A set of service requirements to be...

Page 229: ... LAN segment into multiple smaller segments is one of the most common ways of increasing available bandwidth on the LAN SLP Service Location Protocol A method of organizing and locating the resources such as printers disk drives databases e mail directories and schedulers in a network Using SLP networking applications can discover the existence location and configuration of networked devices With ...

Page 230: ...y the occurrence of conditions such as a threshold that exceeds a predetermined value SSH Secure Shell sometimes known as Secure Socket Shell is a Unix based command interface and protocol for securely getting access to a remote computer SSH is a suite of three utilities slogin ssh and scp secure versions of the earlier UNIX utilities rlogin rsh and rcp With SSH commands both ends of the client se...

Page 231: ...net can be used to increase the bandwidth on the network by breaking the network up into segments SVP SpectraLink Voice Protocol a protocol developed by SpectraLink to be implemented on access points in order to facilitate voice prioritization over an 802 11 wireless LAN that will carry voice packets from SpectraLink wireless telephones Switch In networks a device that filters and forwards packets...

Page 232: ...acket key mixing function a message integrity check MIC an extended initialization vector IV with sequencing rules and a re keying mechanism The encryption keys are changed rekeyed automatically and authenticated between devices after the rekey interval either a specified period of time or after a specified number of packets has been transmitted TLS Transport Layer Security See EAP Extensible Auth...

Page 233: ...etwork A network of computers that behave as if they are connected to the same wire when they may be physically located on different segments of a LAN VLANs are configured through software rather than hardware which makes them extremely flexible When a computer is physically moved to another location it can stay on the same VLAN without any hardware reconfiguration The standard is defined in IEEE ...

Page 234: ...t Naming Service A system that determines the IP address associated with a particular network computer called name resolution WINS supports network client and server computers running Windows and can provide name resolution for other computers with special arrangements WINS supports dynamic addressing DHCP by maintaining a distributed database that is automatically updated with the names of comput...

Page 235: ...mode of WPA for users without an enterprise authentication server Instead for authentication a Pre Shared Key is used The PSK is a shared secret passphrase that must be entered in both the Wireless AP or router and the WPA clients This preshared key should be a random sequence of characters at least 20 characters long or hexadecimal digits numbers 0 9 and letters A F at least 24 hexadecimal digits...

Page 236: ...it WM series Spy is a mechanism that assists in the detection of rogue access points The feature has three components 1 a radio frequency RF scanning task that runs on the Wireless AP 2 an application called the Data Collector on the Summit WM Controller that receives and manages the RF scan messages sent by the Wireless AP 3 an Analysis Engine on the Summit WM Controller that processes the scan d...

Page 237: ... Width dimension is without adjustable rack mounting brackets provided Weight Approx 16 lbs 7 3 Kg Hard Drive 80 GB SATA Drive Integrated Not a Field Replaceable Unit FRU PSU Integrated Not a FRU Fans Integrated Not a FRU Controller Card Data Mgmt Control plane processing Integrated Not a FRU Management Ports 1x10 100 1000 Copper Ethernet Management port auto sensing 1 USB 2 0 Device Slave Port Co...

Page 238: ...ropriate driver and install it on your host machine The link to download the virtual serial driver is the following http www silabs com tgwWebApp public web_content products Microcontrollers USB en mcu_vcp htm Table 20 Summit WM20 Controller Panel Legend Legend Item Description 1 Power Switch Power socket on the rear panel 2 Management Port eth0 Used to access WM20 Management via the GUI interface...

Page 239: ...8N1 no flow 9600 bps 8 bits no parity 1 stop bit no flow Summit WM20 Controller LED Indicators Summit WM20 Controller s LEDs The Summit WM20 Controller has four lights on its front panel NOTE The hot swap lever is not enabled in the current release Pulling the hot swap lever will not affect the normal operation if the Summit WM20 Controller is already running However if you attempt to reboot the S...

Page 240: ...ut Summit WM20 Controller LED States and Corresponding System States Table 21 Summit WM20 Controller LED States and Corresponding System States System state Status LED Activity LED Power up BIOS POST Blinking Amber Green System booting failed to boot Off Green Startup Manager Task Started Solid Amber Blinking Amber Startup Manager Task completes the startup All components active Solid Green Blinki...

Page 241: ...tory information regarding operation of the Altitude 350 2 Access Point Only authorized Extreme Networks service personnel are permitted to service the system Procedures that should be performed only by Extreme Networks personnel are clearly identified in this guide Changes or modifications made to the Summit WM series switch or the Altitude APs which are not expressly approved by Extreme and part...

Page 242: ...ity IEC EN 61000 4 2 Electrostatic Discharge 8kV Contact 15kV Air Criteria A IEC EN 61000 4 3 Radiated Immunity 10V m Criteria A IEC EN 61000 4 4 Transient Burst 1kV Criteria A IEC EN 61000 4 5 Surge 2kV L L 2kV L G Level 3 Criteria A IEC EN 61000 4 6 Conducted Immunity 0 15 80MHz 10V m mod RMS Criteria A IEC EN 61000 4 11 Power Dips Interruptions 30 25 periods Criteria C Country Specific VCCI Cla...

Page 243: ... Humidity 10 93 RH Shock 18g 6ms Sinusoidal Vibration 5 62Hz Velocity 5mm s 62 500 Hz 2G Random Vibration 5 20 Hz 1 0 ASD w 3dB oct from 20 200 Hz Packaging Drop 1 meter RoHS RoHS 6 China RoHS WEEE Short term test condition Environmental Operating Conditions for Summit WM100 1000 Summit WM200 2000 and Altitude 350 2 AP Environmental Standards EN ETSI 300 019 2 1 v2 1 2 Class 1 2 Storage EN ETSI 30...

Page 244: ...ecuring local licenses certifications regulatory approvals For details and information on the most recent country specific requirements for the Altitude 350 2 AP go to the following website http www extremenetworks com go rfcertification htm United States FCC Declaration of Conformity Statement This device complies with Part 15 of the FCC Rules Operation is subject to the following two conditions ...

Page 245: ...rt guide for the device to which Altitude 350 2 AP is connected Any other installation or use of the product violates FCC Part 15 regulations NOTE Operation of the Altitude 350 2 AP is restricted for indoor use only in the UNII 5 15 5 25 GHz band in accordance with 47 CFR 15 407 e CAUTION This Part 15 radio device operates on a non interference basis with other devices operating at this frequency ...

Page 246: ...h for an uncontrolled environment End users must follow the specific operating instructions for satisfying RF exposure compliance This device has been tested and has demonstrated compliance when simultaneously operated in the 2 4 GHz and 5 GHz frequency ranges This device must not be co located or operated in conjunction with any other antenna or transmitter NOTE The radiated output power of the A...

Page 247: ...ity in the 5250 5350 MHz and 5650 5850 MHz bands and these radars could cause interference and or damage to LE LAN devices European Community The Altitude 350 2 APs are wireless ports designed for use in the European Union and other countries with similar regulatory restrictions where the end user or installer is allowed to configure the wireless port for operation by entry of a country code relat...

Page 248: ...Altitude 350 2 AP outdoors it is their responsibility to insure operation in accordance with these rules frequencies and power output The Altitude 350 2 AP must not be operated until proper regional software is downloaded Table 24 European Conformance Standards Safety 73 23 EEC Low Voltage Directive LVD CB Scheme IEC 60950 1 2001 with all available country deviations GS Mark EN 60950 1 2001 Plenum...

Page 249: ...ess port The user or installer is responsible to ensure the first Altitude 350 2 wireless port is properly configured The software within the switch will automatically limit the allowable channels and output power determined by the current country code entered Incorrectly entering the country of operation or identifying the proper antenna used may result in illegal operation and may cause harmful ...

Page 250: ...garia Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor Denmark Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor Cyprus Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor Czech Rep Indoor Only Indoor Only Expect to Open Fall 2006 Indoor or Outdoor Estonia Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor Finland Indoor Only Indoor Only Indoor or Outdoor Indo...

Page 251: ...or or Outdoor Indoor or Outdoor U K Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor Turbo Mode Not Allowed in 5GHz Not Allowed in 5GHz Not Allowed in 5GHz Same 2 4 GHz rules as above AdHoc Mode Not Allowed Not Allowed Not Allowed Same 2 4 GHz rules as above a Belgium requires that the spectrum agency be notified if you deploy wireless links greater than 300 meters in outdoor public are...

Page 252: ... la directive 1999 5 CE qui lui sont applicables Swedish Harmed intygar Extreme Networks att denna Radio LAN device star I overensstammelse med de vasentliga egenskapskrav och ovriga relevanta bestammelser som framgar av direktiv 1999 5 EG Danish Undertegnede Extreme Networks erklarer herved at folgende udstyr Radio LAN device overholder de vasentlige krav og ovrige relevante krav i direktiv 1999 ...

Page 253: ...ntry the device will be operated within Altitude 350 2 Int AP 15958 and Altitude 350 2 Detach 15939 Access Points The Altitude 350 2 AP models are Wi Fi certified under Certification ID WFA4279 for operation in accordance with IEEE 802 11a b g The Altitude 350 2 Altitude APs with Internal and External antennas are designed and intended to be used indoors NOTE Operation in the European Community an...

Page 254: ...iversity is configured appropriately on both radios Optional 3rd Party External Antennas for the United States The Altitude 350 2 Detach AP 15939 APs can also be used with optional certified 3rd party antennas However in order to comply with the local laws and regulations an approval may be required by the local regulatory authorities The following optional antennas have been tested and approved f...

Page 255: ...elect an operating channel on the Wireless APs configuration screens and the corresponding allowed max power from the values listed in Table 29 DO NOT select a higher power than the value listed in Table 29 Table 28 List of FCC Approved Antennas Model Application Shape Gain dBi Frequency MHz Coax Cable Length Type Connector Type Cushcraft 1 SR2405135 Dxxxxxx indoor Directional 5 2400 2500 3 feet 1...

Page 256: ...m Power limit dBm Power limit dBm Power limit dBm 11b 2412 1 16 18 17 16 17 17 2417 2 17 17 17 16 17 17 2422 3 18 18 18 18 18 18 2427 4 18 18 18 18 18 18 2432 5 18 18 18 18 18 18 2437 6 18 18 18 18 18 18 2442 7 18 18 18 18 18 18 2447 8 18 18 18 18 18 18 2452 9 18 18 18 18 18 18 2457 10 18 18 18 18 18 18 2462 11 18 18 18 18 18 18 11g 2412 1 10 13 13 10 12 13 2417 2 14 15 15 14 15 14 2422 3 15 16 16...

Page 257: ...lect the power values listed in Table 30 DO NOT select a higher power than the value listed in Table 30 11a 5180 36 N S 17 17 17 17 N S 5200 40 N S 17 17 17 17 N S 5220 44 N S 17 17 17 17 N S 5240 48 N S 17 17 17 17 N S 5260 52 N S 18 18 18 18 N S 5280 56 N S 18 18 18 18 N S 5300 60 N S 18 18 18 18 N S 5320 64 N S 18 18 18 18 N S 5745 149 N S 15 N S 15 15 N S 5765 153 N S 15 N S 15 15 N S 5785 157...

Page 258: ...ed for use with the External Antenna model CAUTION When using an approved 3rd party external antenna other than the default the power must be adjusted according to these tables Professional Installation This device must be professionally installed The following are the requirements of professional installation The device cannot be sold retail to the general public or by mail order It must be sold ...

Page 259: ...ating channel on the Wireless APs configuration screens and the corresponding allowed max power from the values listed in Table 32 DO NOT select a higher power than the value listed in Table 32 Table 31 List of IC Industry Canada Approved Antennas Model Application Shape Gain dBi Frequency MHz Coax Cable Length Type Connector Type Cushcraft 1 SR2405135 Dxxxxxx indoor Directional 5 2400 2500 3 feet...

Page 260: ...m Power limit dBm Power limit dBm Power limit dBm 11b 2412 1 16 18 17 16 17 17 2417 2 17 17 17 16 17 17 2422 3 18 18 18 18 18 18 2427 4 18 18 18 18 18 18 2432 5 18 18 18 18 18 18 2437 6 18 18 18 18 18 18 2442 7 18 18 18 18 18 18 2447 8 18 18 18 18 18 18 2452 9 18 18 18 18 18 18 2457 10 18 18 18 18 18 18 2462 11 18 18 18 18 18 18 11g 2412 1 10 13 13 10 12 13 2417 2 14 15 15 14 15 14 2422 3 15 16 16...

Page 261: ...lect the power values listed in Table 33 DO NOT select a higher power than the value listed in Table 33 11a 5180 36 N S 17 17 17 17 N S 5200 40 N S 17 17 17 17 N S 5220 44 N S 17 17 17 17 N S 5240 48 N S 17 17 17 17 N S 5260 52 N S 18 18 18 18 N S 5280 56 N S 18 18 18 18 N S 5300 60 N S 18 18 18 18 N S 5320 64 N S 18 18 18 18 N S 5745 149 N S 15 N S 15 15 N S 5765 153 N S 15 N S 15 15 N S 5785 157...

Page 262: ...approved for use with the External Antenna model CAUTION When using an approved 3rd party external antenna other than the default the power must be adjusted according to these tables Professional Installation This device must be professionally installed The following are the requirements of professional installation The device cannot be sold retail to the general public or by mail order It must be...

Page 263: ...listed in Table 35 Table 34 Approved Antenna List for Europe Model Location Type Gain dBi Frequency MHz Huber Suhner 1 SOA 2454 360 7 20 DF outdoor capable Omni 6 8 2400 2500 4900 5875 2 SPA 2456 75 9 0 DF outdoor capable Planar 2 or 1 inputs 9 2400 2500 5150 5875 3 SPA 2400 80 9 0 DS outdoor capable Planar 2 inputs 8 5 2300 2500 4 SWA 0859 360 4 10 V outdoor capable Omni 7 2400 5875 5 SOA 2400 36...

Page 264: ...m Power limit dBm 11b 2412 1 15 14 14 15 15 9 15 2417 2 15 14 14 15 15 9 15 2422 3 15 14 14 15 15 9 15 2427 4 15 14 14 15 15 9 15 2432 5 15 14 14 15 15 9 15 2437 6 15 14 14 15 15 9 15 2442 7 15 14 14 15 15 9 15 2447 8 15 14 14 15 15 9 15 2452 9 15 14 14 15 15 9 15 2457 10 15 14 14 15 15 9 15 2462 11 15 14 14 15 15 9 15 2467 12 15 14 14 15 15 9 15 2472 13 15 14 15 15 15 10 15 11g 2412 1 15 13 14 15...

Page 265: ...S N S 16 5320 64 16 16 N S 16 N S N S 16 5500 100 20 19 N S 20 N S N S 20 5520 104 20 19 N S 20 N S N S 20 5540 108 20 19 N S 20 N S N S 20 5560 112 20 19 N S 20 N S N S 20 5580 116 20 19 N S 20 N S N S 20 5600 120 20 19 N S 20 N S N S 20 5620 124 20 19 N S 20 N S N S 20 5640 128 20 19 N S 20 N S N S 20 5660 132 20 19 N S 20 N S N S 20 5680 136 20 19 N S 20 N S N S 20 5700 140 20 19 N S 20 N S N S...

Page 266: ...r this transmitter must be installed to provide a separation distance of at least 20 cm from all persons and must not be co located or operating in conjunction with another antenna or transmitter Table 36 Auto Channel Selection Antenna 11a dBm 11b g dBm 1 16 15 2 16 13 3 N S 13 4 16 15 5 N S 15 6 N S 9 7 16 15 ...

Page 267: ...hanisms 134 set up a WM AD topology 99 view sample page 115 Check Point event logging 160 configuring Captive Portal internal external 114 static routes 45 controller back up software configuration 206 define management user names passwords 157 define network time synchronization 158 enable ELA event logging Check Point 160 events during a failover 156 paired for availability 151 restore software ...

Page 268: ...pes and levels 211 M MAC based authentication 118 Management Information Bases MIBs supported 162 management port management traffic on data port 45 modify management port settings 39 port based filtering 50 management traffic enabling on a WM AD 100 multicast for a WM AD 132 N network assignment by AAA 137 by SSID for Captive Portal 99 options for a WM AD 87 network time synchronization 158 next ...

Page 269: ...d 162 publish AP as interface of controller 164 software maintenance of Controller software 202 maintenance of Wireless AP software 81 SSID network assignment for Captive Portal 99 static configuration of Wireless AP 75 static routes configuring 45 viewing forwarding table report 47 syslog event reporting define parameters 200 T third party APs defining a WM AD for 100 in Summit Spy feature 180 to...

Page 270: ...ic configuration 75 view statistics 187 WM Access Domain WM AD multicast 132 WM Access Domain Services WM AD authentication by AAA 802 1x 116 authentication by Captive Portal 109 define filtering rules 122 defined 85 for third party APs 170 global settings 92 network assignment overview 87 privacy for AAA 137 privacy overview 134 set up for VoIP 141 topology for Captive Portal 99 ...

Reviews:

No comments