manualshive.com logo in svg

Fortress Technologies ES210, User Manual

Share
Download
Fortress Technologies ES210 User Manual Download Page 156

Bridge GUI Guide: Security Configuration

141

4.3.2.7

Local 802.1X Authentication Settings

The Bridge’s internal RADIUS server can be configured to 
authenticate 802.1X supplicant credentials using two possible 
EAP (Extensible Authentication Protocol) types.

NOTE:

 

EAP-TLS

provides a signifi-

cantly higher level of se-
curity than 

EAP-MD5

.

EAP-MD5 verifies an MD5 (Message-Digest algorithm 5) hash 
of each user’s password, which requires a user’s credentials to 
be present in the Bridge’s local user authentication service 
before the local 802.1X service can authenticate that user. 
Refer to Section 4.3.3.1 for guidance.

In order to use EAP-TLS (EAP with Transport Layer Security) 
public key cryptography authentication, you must import a valid 
EAP-TLS digital certificate for the local service and the root CA 
(Certificate Authority) certificate that signs the local server 
certificate. You must also import any root CA certificate(s) used 
to sign supplicant certificates, so that the local server can verify 
their authenticity. Refer to Section 6.2 for guidance. In addition, 
as noted below, three local server configuration settings apply 
only when 

EAP-TLS

 is selected for 

EAP Protocols

802.1X Authentication

 - turns the service on (

Enabled

) and 

off (

Disabled

, the default).

CRL Check

 - for EAP-TLS only, determines whether 

certificates used to authenticate 802.1X supplicants are 
checked against the lists of certificates that have been 
revoked by their issuing authorities. 

CRL Check

 is 

Disabled

 

by default. When the function is 

Enabled

, supplicant 

certificate chains are traced back to a trusted root 
certificate and each certificate's serial number is checked 
against the contents of the issuing authority’s CRL to verify 
that none of the certificates in the chain have been 
revoked, as described in RFC 3280. 

CRL Check

 does not 

apply to EAP-MD5 authentication.

Strict Check

 - for EAP-TLS only, controls strict checking of 

key usage and extended key usage extensions in the 
authentication server certificate. 

Strict Check

 is 

Enabled

 by 

default; you can turn it off by selecting 

Disabled

Strict Check

 

does not apply to EAP-MD5 authentication.

TLS Cipher

 - for EAP-TLS only, specifies the list of 

supported cipher suites, or sets of encryption and integrity 
algorithms, that the 802.1X service will accept:

All

 - the default, supports both 

Legacy

 and 

Suite B

 cipher 

suites (below)

Legacy

 - supports Diffie-Hellman with RSA keys 

(

DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA

)

Suite B

 - supports Diffie-Hellman with ECC keys 

(

ECDHE-ECDSA-AES128-SHA and ECDHE-ECDSA-

AES256-SHA

)

Summary of Contents for ES210

Page 1: ...Fortress Security System Secure Wireless Bridge and Security Controller Software GUI Guide www fortresstech com 2010 Fortress Technologies ...

Page 2: ...nd a valid ship to address This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Copyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscape s SSL TH...

Page 3: ...License Agreement EULA IMPORTANT PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY DOWNLOADING INSTALLING OR USING FORTRESS TECHNOLOGIES SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT FORTRESS TECHNOLOGIES INC WILL LICENSE ITS SOFTWARE TO YOU THE CUSTOMER END USER ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT THE ACT OF DOWNLOADING INS...

Page 4: ... license ii Make modifications to or adapt the Software or create a derivative work based on the Software or permit third parties to do the same iii Reverse engineer decompile or disassemble the Software to a human readable form except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction and iv Disclose provide or otherwise make available trade secrets ...

Page 5: ...ansfer or export of the software outside the U S may require a license from the Bureau of Industry and Security For questions call BIS at 202 482 4811 U S Government Customers The Software and associated documentation were developed at private expense and are delivered and licensed as commercial computer software as defined in DFARS 252 227 7013 DFARS 252 227 7014 or DFARS 252 227 7015 as a commer...

Page 6: ...tions or deficiencies in power or operating environment Unless specified otherwise Fortress does not warrant or support non Fortress products If any service or support is rendered such support is provided WITHOUT WARRANTIES OF ANY KIND DISCLAIMER OF WARRANTY THE WARRANTIES HEREIN ARE SOLE AND EXCLUSIVE AND NO OTHER WARRANTY WHETHER WRITTEN OR ORAL IS EXPRESSED OR IMPLIED TO THE EXTENT PERMITTED BY...

Page 7: ...DAMAGE TO YOUR RECORDS OR DATA OR 3 SPECIAL INCIDENTAL OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES INCLUDING LOST PROFITS OR SAVINGS EVEN IF FORTRESS OR ITS SOLUTION PROVIDER IS INFORMED OF THEIR POSSIBILITY SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO CUSTOMER Telephone Su...

Page 8: ...s that proper authorization to operate in this frequency has been obtained and user accepts full responsibility for any unauthorized use User agrees to indemnify and hold harmless Fortress Technologies Inc from any fines costs or expenses resulting from or associated with unauthorized use of this frequency range This EULA Addendum does not apply to Fortress products that do not contain 4 4 GHz rad...

Page 9: ...yments 5 Isolated FastPath Mesh Networks 6 Network Attached FastPath Mesh Networks 7 Separating and Rejoining in FastPath Mesh Networks 9 Bridging Loops in FastPath Mesh Networks 10 Traffic Duplication in FastPath Mesh Networks 11 STP Mesh Network Deployments 12 Point to Point Bridging Deployments 14 Wireless Client ES210 Bridge Deployments 14 Compatibility 15 2 Bridge GUI and Administrative Acces...

Page 10: ...istrator Interface Permissions 32 Administrator Passwords and Password Controls 33 Adding Administrative Accounts 34 Editing Administrative Accounts 37 Deleting Administrative Accounts 37 Changing Administrative Passwords 38 Unlocking Administrator Accounts 39 Administrator IP Address Access Control 39 SNMP Administration 41 Configuring SNMP v3 42 Configuring SNMP Traps 43 3 Network and Radio Conf...

Page 11: ...ess Bridge and Minimum RSS 72 User Cost Offset and FastPath Mesh Mode 72 BSS Switching Mode and Default VLAN ID 73 BSS G Band Only Setting 73 BSS WMM Setting 74 BSS DTIM Period 74 BSS RTS and Fragmentation Thresholds 75 BSS Unicast Rate Mode and Maximum Rate 76 BSS Multicast Rate 76 BSS Description 77 BSS Fortress Security Setting 77 BSS Wi Fi Security Settings 77 Configuring a Radio BSS 80 ES210 ...

Page 12: ...st Offset 103 Port Fortress Security 104 Port 802 1X Authentication 104 Port Default VLAN ID and Port Switching Mode 104 Port QoS Setting 105 Port Power over Ethernet 105 Configuring Ethernet Ports 106 QoS Implementation 107 VLANs Implementation 109 VLAN Mode 109 Native VLAN 111 VLAN ID Table 112 VLAN Map Records 113 ES210 Bridge Serial Port Settings 115 Configuring the Serial Port 115 Resetting t...

Page 13: ...cal Authentication Server State 138 Local Authentication Server Port and Shared Key 139 Local Authentication Server Priority 139 Local Authentication Server Max Retries and Retry Interval 139 Local Authentication Server Default Idle and Session Timeouts 139 Local Authentication Server Global Device User and Administrator Settings 140 Local 802 1X Authentication Settings 141 Configuring the Local R...

Page 14: ...t Interface Statistics 179 BSS Interface Statistics 180 Bridge Link Interface Statistics 181 VLAN Statistics 182 IPsec SAs Monitoring 182 FastPath Mesh Monitoring 183 FastPath Mesh Bridging Configuration 183 FastPath Mesh Statistics 184 FastPath Mesh Peers and Neighbors 186 Multicast Broadcast Forwarding 186 FastPath Mesh Multicast Groups 187 FastPath Mesh Routing Table 188 FastPath Mesh Loops 189...

Page 15: ...ificates 202 Importing and Deleting Signed Certificates 202 Assigning Stored Certificates to Bridge Functions 205 Changing and Clearing Certificate Assignments 206 Features Licensing 207 Obtaining License Keys 208 Licensing New Features 209 Network Tools 210 Support Package Diagnostics Files 211 Index I Glossary VIII ...

Page 16: ...ually indicated by their icons Examples appear to the right of this section in descending order of urgency NOTE may assist you in executing the task e g a conve nient software feature or notice of something to keep in mind 1 1 1 Related Documents Fortress software user guidance including this guide covers all current Fortress hardware platforms In addition to this guide Fortress Bridge software gu...

Page 17: ...g RADIUS Remote Authentication Dial in User Service WPA Wi Fi Protected Access and WPA2 IPsec Internet Protocol Security and NSA National Security Agency Suite B1 cryptography Fortress security systems can be configured to operate in full compliance with Federal Information Processing Standards FIPS 140 2 Security Level 2 1 3 1 Fortress Bridges and Controllers Fortress hardware devices include the...

Page 18: ...ipped with a GPS Global Positioning System receiver and associated antenna port 1 3 1 1 ES Series Model Numbers Fortress ES series model numbers provide information about the product platform and the number and type of radio s it contains Figure 1 breaks down the model number for an ES520 35 Secure Wireless Bridge Table 1 1 Radios and Ethernet Ports in Fortress Hardware Devices series Fortress mod...

Page 19: ...anagement tool that provides administration and monitoring functions in a menu and dialog driven format It is accessed over the network via the Bridge s IP address The Bridge GUI supports Microsoft Internet Explorer and Mozilla Firefox Using the Bridge GUI is covered in this user guide Bridge CLI The command line interface for Fortress Bridges provides administration and monitoring functions via a...

Page 20: ...l path selection and independent IPv6 mesh addressing and DNS Domain Name System distribution FastPath Mesh networks provide higher efficiency and greater mobility than networks using STP link management which does not require a license Although FastPath Mesh and STP networks serve the same essential functions the details of deploying them are not identical Each type of network is covered separate...

Page 21: ... Mesh enable a set of Fortress Bridges to form a fully functioning FastPath Mesh network as soon as they are connected Figure 1 1 Isolated FP Mesh Network with Access Network Connections In the case of an isolated wireless FP Mesh network as shown in Figure 1 1 on each Bridge to be used as an MP you must at minimum License FastPath Mesh on the Bridge on Maintain Licensing Select FastPath Mesh for ...

Page 22: ... the default and an IPv6 router is present on the network to provide routing prefixes additional IPv6 addresses will be present Each MP can also have a manually configured IPv4 address Refer to Section 3 4 2 for more on IP addressing on the Bridge To provide virtually configuration free DHCP and DNS services for Non Mesh Points on the FP Mesh network enable one or a few of the DHCP servers interna...

Page 23: ... the MBG s default gateway on Configure Administration Network Configuration be sure the interface that will connect to the hierarchical network is configured as an FP Mesh Access interface FastPath Mesh Mode is specified for wired interfaces on Configure Ethernet Settings EDIT Wireless interfaces are automatically and transparently configured as Access interfaces when Wireless Bridge is Disabled ...

Page 24: ...ork typically flows through only one MBG If two or more MBGs are used you can manually split traffic between the two MBGs by IPv4 address ranges 10 1 16 MBG1 10 2 16 MBG2 for example but it will still be the case that only one MBG will send traffic to any given FP Mesh node 1 4 1 3 Separating and Rejoining in FastPath Mesh Networks Mesh Points in a wireless FastPath Mesh network can separate and r...

Page 25: ...though the two MBGs are connected to the same LAN by their Access interfaces they are MPs in different FP Mesh networks and so are not also connected by Core interfaces Figure 1 4 Two FP Mesh Networks One MBG Attachment Point Each Connected to a Single Access Network When a FastPath Mesh network is attached to a hierarchical network by two or more Mesh Border Gateways the Mesh Points serving these...

Page 26: ... same LAN as shown in Figure 1 5 Figure 1 5 Two FP Mesh Networks Two MBGs Each Connected to a Single Access Network 1 4 1 5 Traffic Duplication in FastPath Mesh Networks Although you can attach more than one FP Mesh network simultaneously to more than one LAN configurations in which separate hierarchical networks are bridged by multiple FP Mesh networks will necessarily generate duplicate traffic ...

Page 27: ...works managed by Spanning Tree Protocol without any additional features licensing When STP is selected for Bridging Mode the default the Bridge can be used as a node in an STP managed mesh network while on a separate BSS also acting as an AP access point to WLAN client devices within range LAN 2 03 0HVK 3RLQW MBG 0HVK RUGHU DWHZD 0HVK RUH RQQHFWLRQ 0HVKļ LHUDUFKLFDO RQQHFWLRQ FFHVV QWHUIDFH Mesh A...

Page 28: ...he role of STP root if the existing root is lost by specifying the Bridge Priority order on individual Bridges in an STP network One or more of the linked Bridges or network nodes can also be configured to connect the mesh network to a LAN and or to serve as a WLAN AP for compatibly configured wireless clients within range Figure 1 7 shows an STP mesh network in which all connected nodes are servi...

Page 29: ...ut any link management with a Bridging Mode setting of Off If more than two Bridges will be networked Fortress strongly recommends using FastPath Mesh if licensed or STP link management 1 4 4 Wireless Client ES210 Bridge Deployments An ES210 Bridge can be dedicated to operate as a standard 802 11 wireless client by configuring a single station STA interface on its single internal radio ES210 Bridg...

Page 30: ...ared key modes and with Fortress Secure Client versions 2 5 6 and later In addition or as an alternative to the Bridge s native authentication service the Bridge can be used with an external RADIUS server Supported services include Microsoft Windows Server 2003 Internet Authentication Service IAS freeRADIUS version 2 1 open source ...

Page 31: ... can also import and select a different certificate for the Bridge s SSL function refer to Section 6 2 You can turn off GUI access to the Bridge altogether by disabling the user interface requiring administrators to access the Bridge exclusively through the CLI refer to Section 4 1 5 The Bridge GUI is enabled by default NOTE The default IP address is 192 168 254 254 Default passwords for precon fi...

Page 32: ...ount password has expired or has been expired for non conformance refer to Section 2 2 1 7 The User must change password Yes option is in effect for the account you are trying to log on Section 2 2 2 You can optionally view current password complexity requirements by clicking Complexity Requirements at the bottom of the Create a new password dialog NOTE You can view but not edit the list against w...

Page 33: ...intenance and diagnostic tools under Maintain 2 1 4 Using Bridge GUI Views The Bridge GUI initially opens in Simple View which displays an abbreviated set of items under the main menu headings on the left side of the page and provides a limited set of configuration settings on Configure screens To access the complete Bridge GUI click ADVANCED VIEW in the upper right corner of any page The Bridge G...

Page 34: ...to end it By default the Bridge is configured to end administrative sessions after 10 minutes of inactivity automatically logging the administrator off You can reconfigure the global administrative Session Idle Timeout refer to Section 2 2 1 4 2 2 Administrative Accounts and Access NOTE The precon figured admin Ad ministrator level account corresponds to the Crypto Officer role as defined by Feder...

Page 35: ... interface NOTE Preconfig ured accounts can not be deleted An administrator logged on to an Administrator level account can specify a number of global administrative account settings In Advanced View you can also add up to ten additional administrative accounts as well as reconfigure individual account settings and delete accounts NOTE Except for Session Idle Time out changes which take effect imm...

Page 36: ...Administrator level account and unlocked it If there is no other Administrator level account available you can unlock the account only through a direct physical connection to the Bridge s Console port with the Bridge CLI s unlock command Administrative access to the Console port is never locked Refer to the CLI Software Guide Administrator accounts are locked when you exceed the maximum permitted ...

Page 37: ... servers as determined by the settings on Configure RADIUS Settings When a Fortress or a third party RADIUS server is used to evaluate administrator logon credentials locally configured logon settings and password rules do not apply Administrative logon behavior and password rules are determined by the account settings in effect on that RADIUS server When the Bridge is configured to use a third pa...

Page 38: ...nabling local administrator authentication all platforms CAUTION For tress strongly rec ommends selecting Enabled for Auth Fail back to insure against administrative lockout in the event of network disruptions or adminis trator error 3 Click APPLY in the upper right of the screen 4 Select Configure Security from the menu on the left 5 In the Security screen s Logon Settings frame In Authentication...

Page 39: ...o use a remote Fortress RADIUS Server to authenticate administrators To use a RADIUS server running on another Bridge on the network to authenticate administrators for the local Bridge you must configure an entry for the server on the local Bridge s Authentication Servers page specifying Fortress Auth as its Server Type and Admin as a supported Auth Type refer to Section 4 3 1 Only administrators ...

Page 40: ...he specified password expiration period disables the function no password expiration warning will be issued When a Pass Expire Warning smaller than Pass Expiration is set the warning Your password will expire soon appears at the top of the first screen displayed initially Connections for Administrator level accounts whenever an administrator logs on beginning the specified number of days before ad...

Page 41: ... letters Pass Minimum Numbers Passwords must contain at least the specified number of numerals You can specify values from 0 zero to 5 a 0 value the default allows passwords containing no numerals Pass Minimum Punctuation Passwords must contain at least the specified number of symbols from the set _ excludes double and single quotation marks You can specify values from 0 zero to 5 a 0 value the de...

Page 42: ...ified number of new passwords have been created You can specify values of 0 zero to 10 A 0 value disables the check if Pass Minimum Delta above is also Disabled the default the same password can be used consecutively without any change provided it still conforms to the rest of the rules in effect Pass History Depth is disabled by default Password requirements settings are present only in Advanced ...

Page 43: ...is intended as a user configured informational field The Comment is displayed nowhere else You can configure a Warning Banner for display on the Bridge s administrator logon screens When a logon banner is present administrators are prompted to click to accept its conditions before they are permitted to proceed with the logon There is no Warning Banner configured by default Table 2 1 Global Adminis...

Page 44: ...ect Configure Administration from the menu on the left 2 Scroll down to the System Messages frame and Optionally enter information into the Comment field and or In the Warning Banner field enter or paste a message of up to 2000 characters or click UPLOAD BANNER FILE to upload text from an existing file 3 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes F...

Page 45: ... additional ten Learned administrative accounts can appear on the Admin Users page NOTE In order for any account in the local administrator da tabase to authenticate an administrator the Bridge must be using the local administrator database for that pur pose whether it has been configured for Lo cal administrator au thentication or has failed back to the local administrator database Section 2 2 1 ...

Page 46: ...een will be returned with an error message If you re enable the account the administrator will be allowed to log on normally At least one enabled Administrator level account must be present on the Bridge at all times You will not therefore be allowed to disable an Administrator level account if it is the only such account on the Bridge You can create new administrative accounts and edit them only ...

Page 47: ...View 2 2 2 4 Administrator Audit Requirement Whether and how an administrative account is subject to audit logging is configured in the Audit field Three options are available at the individual account level NOTE An individ ual account s Audit setting overrides global Logging settings Required the default Activity on the account will be included in the audit log Prohibited Activity on the account ...

Page 48: ... when the Bridge is in stalled You must configure a password for an administrative account at the time the account is created Passwords must conform to the rules in effect on the Bridge as configured in Security settings refer to Section 2 2 1 8 You can also view current password complexity requirements by clicking More Information in the upper right of the Edit Admin Users screen and then Passwor...

Page 49: ...set to Yes the administrator will be allowed to log on without changing the account password and User must change password will reset to No without effect You can force administrative account password changes only in Advanced View 2 2 2 8 Adding Administrative Accounts You can create new administrative accounts from an existing Administrator level account When the Bridge is configured to use the l...

Page 50: ...ATE PASSWORD to automatically generate a password that complies with the complexity requirements currently in effect Section 2 2 1 8 or Enter a New Password that complies with the complexity requirements currently in effect You can check the password against the list of words used by the Bridge s Password Dictionary function by clicking Password Dictionary CHECK PASSWORD The message Not Blackliste...

Page 51: ...n administrative authentication methods Up to ten such Learned accounts can be present They appear among configured accounts on the Admin Users page and in the local administrator database with a Learned status of Yes Learned account credentials can be authenticated only by the third party RADIUS server or Fortress user authentication database on which their accounts were originally configured A L...

Page 52: ...en enter new values for those settings you want to configure Your options are described in detail in sections 2 2 2 2 through 2 2 2 7 NOTE Changes to the account you are currently logged onto will take effect the next time you log on 4 Click APPLY in the upper right of the screen or CANCEL your changes Global administrative account logon behaviors and password requirements can be edited through Co...

Page 53: ...account password from Maintenance and Log Viewer accounts 1 Log on to the Bridge GUI through a Maintenance level or Log Viewer level account and select Configure Administration from the menu on the left 2 In the Change Your Password frame enter a New Password and re enter it in Confirm Password Figure 2 15 changing the password from within a Maintenance or Log Viewer level account all platforms NO...

Page 54: ...frame 4 Click OK in the confirmation dialog or CANCEL the action The account will be unlocked and the associated administrator will be able to log on normally with valid credentials The Lockout Duration can be set from 0 zero to 60 minutes a Lockout Duration of 0 the default disables the lockout function provided that Permanent Lockout is Disabled the default CAUTION If you ignore the relevant war...

Page 55: ...click Enabled Figure 2 18 Advanced View Admin IP Access Control Whitelist frame all platforms CAUTION If your current IP address is not on the administra tor IP ACL when you Enable it or you delete your address when the list is already enabled and you do not Cancel the change when prompted your session will end and your cur rent IP address will be blocked until it is added to the list of permitted...

Page 56: ...k Management Protocol SNMP version 3 The Fortress Management Information Bases MIBs for the Bridge are included on the Bridge CD ROM When SNMP v3 support is enabled the SNMP v3 user FSGSnmpAdmin access to the Bridge is authenticated via the SHA 1 message hash algorithm as defined in RFC 2574 User based Security Model USM for version 3 of the Simple Network Management Protocol SNMPv3 using the spec...

Page 57: ...otifications forwarded to specified trap destinations When SNMP Traps are Enabled you must configure SNMP Trap Destinations before traps can be sent Trap Destination IP IP Address of the NMS server Comment optional description of the trap destination Refer to Section 2 2 4 2 for detailed instructions System Contact establishes the E mail address for the Bridge s administrative SNMP contact System ...

Page 58: ...account and select ADVANCED VIEW in the upper right corner of the page then Configure Administration from the menu on the left 2 Scroll down to the SNMP frame and click Enabled for SNMP Traps to enable traps or Disabled to disable them 3 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes Table 2 2 Fortress SNMP Traps event type event status the Gatewaya ha...

Page 59: ...CLOSE the dialog to cancel your changes Configured traps are displayed in the SNMP Traps frame Figure 2 21 Advanced View Add Trap Destination dialog all platforms To edit a trap destination 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner of the page then Configure Administration from the menu on the left 2 Scroll down to the SNMP...

Page 60: ...NMP frame and If you want to delete one or more selected destinations click to check the box es for those you want delete or If you want to delete all destinations click All to place a check in all destination checkboxes 3 Click DELETE 4 Click OK in the confirmation dialog or Cancel your deletion Figure 2 23 Advanced View deleting an SNMP trap confirmation dialog all platforms Your changes are ref...

Page 61: ...total of eight per Bridge Alternatively an ES210 Bridge can be dedicated to act as a wireless client by configuring a single station STA interface on its single internal radio Compare your Bridge s model number on the Administration Settings screen under System Info to Table 1 1 on page 3 to determine the number of Ethernet ports with which the Bridge you are configuring is equipped and the number...

Page 62: ...the same radio frequency band Section 3 3 2 2 be set to the same channel Section 3 3 2 3 The BSSs that comprise the network must be enabled for bridging Section 3 3 4 3 be configured with the same SSID Section 3 3 4 2 Wireless bridging links must be formed over Fortress secured interfaces When a BSS s Wireless Bridge setting is Enabled the BSS s Fortress Security setting is automatically fixed on ...

Page 63: ...ides MPs connect to other MPs only on Core interfaces NMPs connect to MPs only on Access interfaces A given interface can be of only one type so MPs and NMPs cannot share an interface Per port FastPath Mesh Mode settings for radio BSSs and Ethernet ports are described in sections 3 3 4 4 and 3 7 3 respectively All MPs on a given FP Mesh network are peers Directly connected MPs are neighbors An MP ...

Page 64: ...Section 3 4 2 1 Although FastPath Mesh functionality does not require IPv4 it fully supports standard IPv4 addressing for all network nodes MPs and NMPs The DHCP and DNS servers internal to the Fortress Bridge can be enabled on any Mesh Point These severs provide virtually configuration free DHCP and DNS services for Non Mesh Points FastPath Mesh operates best when the DNS servers internal to all ...

Page 65: ...have been changed from their de faults sections 2 2 2 7 and 4 1 17 respectively Sections 3 2 1 1 through 3 2 1 7 describe the complete settings for configuring FastPath Mesh networking The first four settings in sections 3 2 1 1 3 2 1 4 are located in two places in the Bridge GUI Configure Administration Bridging Configuration Configure FastPath Mesh Global Settings Network Cost settings Section 3...

Page 66: ...que Local IPv6 Unicast Address as defined in RFC 4193 is generated for the Fortress Bridge Mesh Point in the format 7 bits 1 40 bits 16 bits 64 bits Prefix L Global ID Subnet ID Interface ID Prefix FC00 7 identifies the address as a Local IPv6 unicast address L 1 if the prefix is locally assigned 0 value definition t b d Global ID pseudo randomly allocated 40 bit global identifier used to create a...

Page 67: ...ed for the current MP Asymmetric neighbor cost overrides are not recommended NOTE If more than one cost over ride is specified for the same neighbor by dif ferent identifiers only the cost associated with the highest address type on the list shown at left will be applied To configure a neighbor cost override you must identify the FP Mesh interface the neighbor connects to and specify the node by a...

Page 68: ...e and flush the Multicast Broadcast Forwarding table on the same page Figure 3 2 Advanced View FastPath Mesh Settings screen all platforms 3 2 1 8 Configuring FastPath Mesh Settings Only Bridging Mode can be configured in both Bridge GUI views Other FastPath Mesh bridging settings are accessible only in Advanced View Basic FastPath Mesh settings are located in two places in the Bridge GUI more adv...

Page 69: ...In the Add a new Neighbor Cost dialog specify the Core interface through which the neighbor connects or will connect to the current MP From the Interface dropdown select a BSS currently configured on one of the MP s radio s or one of the MP s Ethernet ports or Leave Interface at the default New BSS and enter a valid BSS Name as it will be or is currently configured on one of the MP s radio s Enter...

Page 70: ...e action and or If you want to change the Mode of an existing subscription Click the EDIT button for the subscription s entry In the Edit a Multicast Group dialog select a new value for Mode you cannot change the Interface or Address Click APPLY in the dialog or CANCEL the action To delete Neighbor Costs or Multicast Groups You can delete a single entry or all entries in either list 1 Log on to th...

Page 71: ... STP link management a BSS on which bridging is disabled is acting as a conventional wireless AP On Bridges equipped with multiple radios Radio 1 is generally the better choice for the AP function because it can be configured to use the 2 4 GHz 802 11g frequency band By default BSSs configured on Radio 1 are therefore Disabled for WDS Any wireless device within range of the Bridge s radio can conn...

Page 72: ...variously equipped with one to four independent internal radios supporting various 802 11 capabilities or with no radios Compare your Bridge s model number on the Administration Settings screen under System Info to Table 3 3 above to determine the number of and type of radio s with which the Bridge you are configuring is equipped On Bridge GUI Radio Settings screens configuration settings for 4 4 ...

Page 73: ...ate the Bridge receives and transmits radio frequency signals normally You can also enable disable RF kill through Fortress Bridge chassis controls refer to the Fortress Hardware Guide for the Bridge you are configuring 3 3 1 2 Radio Distance Units The increment used to set Distance for the Bridges radio s refer to Section 3 3 2 7 is configured globally in Radio Units Metric the default the Distan...

Page 74: ...as they apply specifically to the Bridge s internal radios In some of the countries on the default Country Code list radios using the 802 11a frequency band will have no compliant channels available unless Advanced Radio operation has been licensed on the Bridge Refer to Section 3 3 2 for more detail on radio operation with and without an Advanced Radio license and to Section 6 3 for licensing inf...

Page 75: ...Country Code to take effect 2 In the Radio Settings screen s Advanced Global Radio Settings frame use the dropdown menus to specify new values for the setting s you want to change described above 3 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes 3 3 2 Individual Radio Settings The remaining settings that affect radio operation are configured per radio i...

Page 76: ...n 3 3 1 3 and in any of the additional countries in which the Bridge can be operated when Country is licensed Country Code is described in Section 3 3 1 3 Features licensing is covered in Section 6 3 Per radio settings are described in Sections 3 3 2 1 through 3 3 2 10 step by step instructions for changing them follow these sections 3 3 2 1 Radio Administrative State The Admin State setting simpl...

Page 77: ... could be automatically fixed on the 802 11g band and radios fixed on the 802 11a band could be disabled altogether Refer to Section 3 3 2 for more operational detail and consult your local regulatory authority for the applicable specifications and requirements for radio devices and transmissions 802 11n Options NOTE Although fully compatible with the IEEE standard Bridge 802 11n capable radios ca...

Page 78: ...sult your local regula tory authority for appli cable radio device and transmission rules and for DFS channel desig nations The channels available for user selection are determined by the frequency band the radio uses subject to the relevant regulatory domain rules In most regulatory domains certain channels in the 5 GHz frequency band are designated DFS Dynamic Frequency Selection channels DFS co...

Page 79: ...ain NOTE Antenna port labels corre sponds to radio num bering Radio 1 uses ANT1 and so on Measured in dBi decibels over isotropic Antenna Gain is used to determine allowable TxPower settings for the Bridge s current country of operation refer to Section 3 3 1 3 Consult the documentation for the antenna connected to the radio you are configuring to determine the antenna s gain The gain of the anten...

Page 80: ...lt your local regulatory authority for applicable specifications and requirements for radio devices and transmissions In environments with a dense distribution of APs and resulting potential for interference it may be desirable to select a lower Tx Power setting than the default Auto for a radio using the 802 11g band The Auto setting is otherwise appropriate for all radios You can configure TxPow...

Page 81: ... period refer to Section 3 3 4 8 In mesh network deployments all of the Bridges in the network must use the same Beacon Interval You can configure the number of milliseconds between beacons in whole numbers between 25 and 1000 You cannot disable the beacon The default Beacon Interval is 100 milliseconds which is optimal for almost all network deployments and recommended for bridging operation A lo...

Page 82: ...allows the radio to aggressively lower the receive threshold for the signal strength of connected nodes in order to compensate for unusual levels of local interference Noise Immunity is Disabled by default and Fortress recommends retaining the default unless operating conditions require a change 3 3 2 11 Configuring Individual Radio Settings Table 3 5 shows which Radio Settings appear in the two G...

Page 83: ... transmitting on a DFS channel must detect approaching radar on the channel vacate the channel within 10 seconds of doing so and stay off the channel for a minimum of 30 minutes thereafter Radios using the 2 4 GHz 802 11g frequency band or the 4 4 GHz military band are not subject to DFS 3 3 3 1 DFS Operation on the Bridge NOTE Consult your local regula tory authority for appli cable DFS channel d...

Page 84: ...l list of excluded channels by propagating their channel exclusions to all nodes Figure 3 9 Advanced View DFS Channel Exclusions list all radio equipped platforms Channels can be excluded in four ways The channel was manually added to the radio s excluded list see below NOTE While there can be no radar events on 4 4 GHz mili tary band radio it can receive a remote chan nel change from a net work p...

Page 85: ... list by clicking to place a check in the box to the left of its entry on Channel Exclusions and then clicking DELETE at the top of the frame Delete all channels by clicking All to check all their boxes and then DELETE Figure 3 11 deleting a channel exclusion all radio equipped platforms You must be in Advanced View to access the Channel Exclusions list 3 3 4 Radio BSS Settings NOTE An ES210 Bridg...

Page 86: ... to the current radio in order to create a BSS 3 3 4 2 BSS SSID and Advertise SSID You must specify a service set identifier in order to create a BSS You can manually enter an SSID of up to 32 alphanumeric characters or randomly generate a 16 digit ASCII string to use for the SSID The SSID associated with each BSS is a unique string of up to 32 characters normally included in the beacon and probe ...

Page 87: ...n the four radio ES440 Wireless Bridge is also Disabled by default for BSSs on Radio1 when it is left on the default 2 4 GHz 802 11g band and Enabled by default for BSSs on Radio 2 Radio 3 and Radio 4 Once a Wireless Bridge value has been established for a BSS the setting cannot be reconfigured You must delete the BSS and recreate it with the new Wireless Bridge value in order to make such a chang...

Page 88: ...he default is 1 Switching Mode establishes the BSS s behavior with regard to data packet VLAN tagging Access the default configures the interface to accept only 1 packets that do not contain VLAN tags and 2 specialized priority tagged packets which provide support for Ethernet QoS exclusive of VLAN implementations NOTE There is only one VLAN trunk per Bridge used by all Trunk ports It is defined b...

Page 89: ...eated as untagged and marked internally for Medium or Best Effort QoS handling The internal marking is used if the data is transmitted out an interface that requires marking such as another WMM enabled BSS or an 802 1Q VLAN trunk Refer to Section 3 8 for more on the Bridge s WMM and QoS implementation 3 3 4 8 BSS DTIM Period APs buffer broadcast and multicast messages for devices on the network an...

Page 90: ...imum size of the frames the BSS sends whole Frame sizes larger than the specified threshold are broken into smaller frames before they are transmitted An acknowledgement is sent for each frame received and if no acknowledgement is sent the frame is retransmitted The Frag Threshold is measured in bytes A value of zero 0 disables the function the default or whole values between 256 and 2345 are acce...

Page 91: ...uring the BSS The default depends on whether or not the radio is using 802 11n On a radio with an 802 11a or 802 11g Band setting the default Unicast Maximum Rate is 54 Mbps On a radio using any of the 802 11n settings in either frequency band the default Unicast Maximum Rate is 65 Mbps You can configure Unicast Rate Mode and Unicast Maximum Rate only in Advanced View 3 3 4 11 BSS Multicast Rate C...

Page 92: ... 1 Fortress Security is Enabled on BSSs by default When a BSS s Wireless Bridge setting is Enabled refer to Section 3 3 4 3 its Fortress Security setting is automatically fixed on Enabled and the Fortress Security field is view only Disabling Fortress Security on a BSS exempts all traffic on that BSS from Fortress s Mobile Security Protocol MSP Standard Wi Fi security protocols can be applied to t...

Page 93: ...ed exclusively by the BSS or you can configure it to be able to use either by selecting WPA2 Mixed WPA and WPA2 use EAP TLS Extensible Authentication Protocol Transport Layer Security to authenticate network connections via X 509 digital certificates In order for the Bridge to successfully negotiate a WPA WPA2 transaction you must have specified a locally stored key pair and certificate for the Br...

Page 94: ...ion is Disabled by default WPA PSK WPA2 PSK and WPA2 Mixed PSK Security WPA PSK Wi Fi Protected Access and WPA2 PSK are the pre shared key modes of WPA as distinguished from the enterprise modes described above You can specify that WPA PSK or WPA2 PSK be used exclusively by the BSS or you can configure it to be able to use either by selecting WPA2 Mixed PSK Pre shared key mode differs from enterpr...

Page 95: ...ect Configure Radio Settings from the menu on the left 2 If you are configuring one or more Advanced View settings see Table 3 7 click ADVANCED VIEW in the upper right corner of the page If not skip this step 3 In the Radio Settings screen s Radio Settings frame If you are creating a new BSS click the ADD BSS button for the radio to which you want to add the BSS or If you are reconfiguring an exis...

Page 96: ...net bridging can occur when the ES210 Bridge is in Station Mode NOTE On the ES210 the aux port is labeled Ethernet on the chassis the wan port Ethernet WAN For example on an ES210 on which the aux port is clear and the wan port is encrypted the defaults a typical Station Mode setup would use the aux port to connect one or more Ethernet devices If Fortress Security is Disabled on the WAN port it ca...

Page 97: ...must specify the network SSID for the ES210 Bridge to associate to 3 3 5 4 Station BSSID To disable roaming among multiple APs with the same SSID you can specify the MAC address of a single wireless AP to which the ES210 Bridge STA Interface is permitted to associate When you SCAN for wireless networks within range you can automatically fill in the BSSID field when you choose a network to associat...

Page 98: ...ted The Frag Threshold is measured in bytes A value of zero 0 disables the function the default or whole values between 256 and 2345 are accepted You can configure RTS and fragmentation thresholds only in Advanced View 3 3 5 7 Station Unicast Rate Mode and Maximum Rate NOTE You can configure the uni cast minimum rate in the Bridge CLI refer to the CLI Software Guide On a radio us ing any 802 11g b...

Page 99: ... Advanced View 3 3 5 9 Station Fortress Security Status Fortress Security is displayed view only for the STA Interface Fortress s MSP Mobile Security Protocol cannot be applied to the STA Interface so the field will always display Clear 3 3 5 10 Station Wi Fi Security Settings Your selection in the Wi Fi Security field of the Add Station Mode frame determines the additional fields you must configu...

Page 100: ...d DHE RSA AES256 SHA Suite B supports Diffie Hellman with ECC keys ECDHE ECDSA AES128 SHA and ECDHE ECDSA AES256 SHA In EAP TLS the authentication server selects the cipher suite to use from the list of supported suites sent by the client device or rejects the authentication request if none of the proposed suites are acceptable Subject Match optionally provides a character string to check against ...

Page 101: ...the Add Station Mode screen these additional settings apply to WPA PSK WPA2 PSK and WPA2 Mixed PSK selections Rekey Period specifies the interval at which new keys are negotiated Specify a new interval in whole seconds between 1 and 2147483647 inclusive or 0 zero to permit the same key to be used for the duration of the session Key Type determines whether the specified key is an ascii passphrase o...

Page 102: ...ty in Section 3 3 5 10 for more on the pre shared key 1 Log on to the Bridge GUI through an Administrator level account and select Configure Radio Settings from the menu on the left 2 If you are configuring one or more Advanced View settings see tables 3 5 and 3 9 click ADVANCED VIEW in the upper right corner of the page If not skip this step 3 Preconfigure the radio on which you will create the S...

Page 103: ...d on Add Station Mode in order to restrict the Bridge to connecting to only that AP The Bridge GUI returns the Add Station Mode frame with settings as described here for the network you selected Figure 3 19 preconfiguring the STA Interface to connect to a network ES210 8 In the Add Station Mode frame configure the STA Interface for operation If the connection requires a pre shared key for authenti...

Page 104: ...o display the ADD STATION and DELETE STATION buttons 5 Click the ADD STATION button NOTE For WPA PSK authentica tion you must enter the correct key in the WPA Key WPA Key Confirm fields as described in Section 3 3 5 10 These fields do not apply and are greyed out for En terprise WPA modes 6 In the Radio screen s Add Station Mode frame Enter at least a STA Name Section 3 3 5 2 and the SSID Section ...

Page 105: ...Enabling and Disabling ES210 Bridge Station Mode Station Mode is disabled by default in which state the preconfigured scanning interface used for network detection is disabled You must enable the function before you can manually configure a STA Interface or scan for a network To enable or disable Station Mode If one or more BSSs have been configured on the ES210 Bridge radio you must delete all BS...

Page 106: ...ent Settings The Bridge s configuration settings must include a Hostname which by default is based on the hardware series to which the Bridge belongs ES and its MAC address You can optionally identify redundant external Domain Name System servers Preferred DNS and Alternate DNS for the Bridge In Advanced View you can change the Bridge s default Domain name ftimesh local Bridge software itself incl...

Page 107: ...or both effectively disables the Bridge s ability to query external DNS servers Domain specifies the Bridge s local domain name To configure hostname and DNS Client settings 1 Log on to the Bridge GUI through an Administrator level account and select Configure Administration from the menu on the left 2 If you are changing the Bridge s local domain name select ADVANCED VIEW in the upper right corne...

Page 108: ...settings you must enter the Bridge s new IP address into a new instance of your browser 3 4 2 2 IPv6 Configuration NOTE Fortress s FastPath Mesh functionality includes independent IPv6 ad dressing which can supply additional IPv6 ULAs Unique Local Addresses refer to Sec tion 3 2 1 Internet Protocol version 6 is always enabled on the Bridge You can choose to allow all IPv6 settings to be automatica...

Page 109: ...ult gateways The rest of the settings in the IPv6 portion of the Network Configuration frame provide complete information about the current IPv6 configuration and are view only whether or not Auto Addressing is in effect Configured Global Address normally shows the manually configured IPv6 network address There can however be several seconds delay before a change in Configurable Global Address tak...

Page 110: ...System Date and Time Configuration Configure the Bridge s local System Date System Time and Time Zone in the Time Configuration frame System date and time settings are accessible regardless of the current Bridge GUI view Figure 3 21 Simple View Time Configuration frame all platforms The Bridge s internal clock is set in UTC Universal Time Coordinated by default The Bridge CLI includes an option to...

Page 111: ... do not specify a key for a configured NTP server the Bridge will synchronize its clock with that of the NTP server without shared key authentication The Bridge supports up to three NTP servers NTP Timeout applies globally to the configured server s Three settings establish each NTP server individually Figure 3 22 Advanced View Time Configuration frame all platforms NTP Timeout globally determines...

Page 112: ...enna connected the ES210 uses the signals of GPS satellites in range to triangulate its exact position on the globe It dynamically displays this information in Location fields and in Topology View details on Monitor Topology View refer to Section 5 4 Figure 3 23 GPS Location settings frame ES210 NOTE The ES210 GPS antenna port is shown in the Fortress ES210 Secure Wireless Bridge Hardware Guide At...

Page 113: ...Domain Name System services 3 6 1 IPv4 and IPv6 DHCP Services When the Bridge s internal DHCP servers are enabled the Bridge provides standard DHCP services to network DHCP clients You can observe current DHCP leases on Monitor Connections DHCP Leases tab Internal DHCP services use the internal DNS server see below and the locally configured DNS client settings and domain name on Configure Adminis...

Page 114: ...st and highest IPv4 addresses in the Bridge s IPv4 DHCP address pool If you enable the Bridge s internal IPv6 DHCP server and leave Auto Addressing at its default of Enabled you do not need to manually define the service s address pool Alternatively you can optionally disable Auto Addressing and specify the pool s start and end IPv6 addresses Figure 3 25 Advanced View DHCP configuration frames all...

Page 115: ...ve 3 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes When Bridge DHCP servers are enabled the fields that configure their address pools are grayed out to indicate that you cannot reconfigure the address pool while the server is running You must disable the server to re enable these fields for editing 3 6 2 DNS Service When enabled the default the Bridge...

Page 116: ...s and network resiliency in the absence of an external referral server Fortress therefore recommends that the DNS service be left at its a default of Enabled for FastPath Mesh network deployment Refer to Section 3 2 1 1 for more on FastPath Mesh bridging To configure the internal DNS server 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper righ...

Page 117: ... of all manually configured entries then click the DELETE button above the list 3 7 Ethernet Interface Settings Fortress Bridges are equipped for wired network connections with varying numbers of Ethernet ports with various optional characteristics Compare your Bridge s model number on the Administration Settings screen under System Info to Table 3 12 above to determine the number of Ethernet port...

Page 118: ...o the duplex communication in use by connected devices Auto the default NOTE Core can only be selected for FastPath Mesh Mode when the Fortress Securi ty selection for the port Section 3 7 4 matches that of the FP Mesh net work overall Section 3 2 1 2 Normally For tress Security should be Enabled for both 3 7 3 Port FastPath Mesh Mode and User Cost Offset Two settings configure the port s FastPath...

Page 119: ...iven Bridge model s Ethernet ports 3 7 5 Port 802 1X Authentication Enabling 802 1X Auth requires that devices connecting to the port are 802 1X supplicants successfully authenticated by the 802 1X service configured on or for the Bridge Enabled or allows non 802 1X authenticated devices to connect Disabled 802 1X is disabled on all ports by default Refer to Section 4 3 to configure an 802 1X serv...

Page 120: ... Service QoS tags included in the packets If a packet received on the port is transmitted wirelessly the Bridge uses the priority marking to determine its WMM Wi Fi Multimedia priority level If the packet egresses over an Ethernet port with a VLAN Switching Mode of Trunk described above the Bridge priority marking is inserted into the packet s VLAN tag for QoS processing Ethernet ports with a Swit...

Page 121: ...20 Secure Wireless Bridge Hardware Guide Figure 3 30 Advanced View Ethernet Port Settings screen lan port ES520 Table 3 13 shows which Ethernet Settings appear in the two GUI views 3 7 9 Configuring Ethernet Ports 1 Log on to the Bridge GUI through an Administrator level account and select Configure Ethernet Settings from the menu on the left 2 If you are configuring one or more Advanced View sett...

Page 122: ...onditions under which the Bridge sends VLAN tagged packets When VLANs are disabled the Bridge drops regular VLAN traffic but accepts specialized priority tagged packets in order to support Ethernet QoS exclusive of a VLAN implementation Priority tagged packets are those which include a VLAN tag with a VLAN ID of zero or null value VLAN ID The Bridge sorts this traffic into QoS priority queues acco...

Page 123: ...EEE specification recommends Critical QoS for traffic tagged with 802 1p user priority values 6 and 7 High packets are delivered after Critical and ahead of lower QoS levels WMM categorizes this level of service as Video IEEE recommends High QoS for traffic tagged with user priority values 4 and 5 Medium is Best Effort delivery packets are delivered after higher QoS levels but ahead of Low priorit...

Page 124: ...to a user defined routing map Each of the Bridge s Ethernet ports and each BSS configured on its radio s can be configured to use a specified VLAN The VLANs configured for these interfaces are automatically added to the Bridge s table of active VLAN IDs described below At its default configuration the Bridge has a VLAN Mode setting of Disabled The only VLAN configured on the Bridge is the native V...

Page 125: ... with its tags unchanged except that traffic tagged with the same VLAN ID as the ingress interface s Default VLAN ID is sent untagged The Bridge s Ethernet port Switching Mode and Default VLAN ID settings are covered in Section 3 7 6 Configuring these setting for radio BSSs is described in Section 3 3 4 5 VLAN Mode Translate In Translate VLAN Mode the Bridge alters the VLAN ID in the VLAN tag acco...

Page 126: ...manage the Bridge On an interface with a VLAN Switching Mode of Trunk you can access the Bridge s management interface only with packets tagged with the Bridge s Native VLAN ID You can manage the Bridge on an interface with a VLAN Switching Mode of Access only with untagged packets and only when the interface s Default VLAN ID matches the Bridge s global Native VLAN ID You can reconfigure the Brid...

Page 127: ...tion 3 9 4 you enter a VLAN ID not already present on the VLAN ID table as a Routable ID or Non Routable ID the new VLAN ID is automatically added to the table If in Configure Radio Settings BSS Interfaces EDIT ADD BSS or in Configure Switch Settings Switchports EDIT you enter a Default VLAN ID not already present on the VLAN ID table the new VLAN ID is automatically added to the table The setting...

Page 128: ... configuration 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner of the page then Configure VLAN from the menu on the left 2 In the VLAN Active ID Table click to check the box es of the VLAN s you want to delete or check the boxes of all unused VLAN IDs with ALL 3 Click DELETE 4 Click OK in the confirmation dialog or Cancel the del...

Page 129: ...e EDIT button for the record you want to change 3 Change the settings you want to reconfigure described above and click APPLY in the upper right of the screen or CANCEL your changes Your changes will be reflected in the record s entry at the bottom of the VLAN Map Records frame on the VLAN screen To delete VLAN map records You can delete VLAN map records individually or all at once 1 Log on to the...

Page 130: ...ou must reboot the Bridge in order to change the function of the ES210 Bridge serial port Enabling Serial Sensor Settings disables the serial port for Bridge CLI access The Bridge CLI remains accessible by a terminal emulation application over an SSH2 Secure Shell 2 network connection provided SSH Access is Enabled the default refer to Section 4 1 6 Disabling the Serial Sensor function re enables ...

Page 131: ...2 In the Serial Sensor Settings frame enter new values for those settings you want to configure described above 3 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes 4 If you changed the Admin State in Step 2 reboot the ES210 Bridge according to the instructions in Section 6 1 2 Restoring the ES210 Bridge s factory default configuration restores the serial ...

Page 132: ... ADVANCED VIEW Table 4 1 shows which settings are available in each view Figure 4 1 Simple View Fortress Security Settings frame all platforms In addition administrative password requirements and the retry timeout and lockout parameters for administrative accounts are set on the Security screen in the Logon Settings frame as described in Section 2 2 1 4 1 1 Operating Mode The Fortress Bridge can b...

Page 133: ... you must return the Bridge to your vendor for service or replacement DH 512 and DH 1024 key establishment Section 4 1 3 are no longer FIPS 140 2 compliant and are therefore not compatible with FIPS operating mode NOTE Only devic es configured on the Bridge to pass clear text on encrypted inter faces are permitted to do so even when Clear text Traffic is enabled Regardless of the current operating...

Page 134: ...to Section 6 3 While a Secure Client can employ only one key establishment option at a time the Bridge supports multiple key establishment selections allowing connecting Clients to use any enabled key establishment option NOTE Secure Cli ent versions earli er than 3 1 support only DH 512 key establish ment If you need to support pre 3 1 Secure Client devices you must include DH 512 A Secure Client...

Page 135: ...you disable the Bridge GUI from within the interface your current session will end You must re enable the Bridge GUI from the Bridge CLI before the former will again be accessible refer to the CLI Software Guide NOTE The Bridge s com mand line interface can always be accessed via a direct connection to the Bridge s serial Console port refer to the CLI Software Guide 4 1 6 Secure Shell Access to th...

Page 136: ...s are enabled you can configure the FIPS self test run interval the default is 86 400 seconds or 24 hours You can configure the interval at which the random number generator is reseeded the default is 86 400 seconds or 24 hours You can also determine whether random number generator RNG tests are run routinely continuous RNG tests are Enabled by default when the Bridge is in FIPS operating mode the...

Page 137: ... the Bridge s management interface can be accessed on interfaces enabled for Fortress Security refer to sections 3 3 4 13 and 3 7 4 for wireless and Ethernet interfaces respectively Encrypted Interface Management applies to any connection to an encrypted interface on the current Bridge local Fortress Secure Client connections connections through a remote Fortress controller device bridging links b...

Page 138: ...tween Fortress beacons in whole numbers between 1 and 3000 or disable the Fortress beacon by entering zero in the interval configuration field The default beacon interval of 30 seconds is appropriate for most networks Less frequent beacons longer intervals may be desirable where network bandwidth is in short supply You can configure the beacon interval only in Advanced View 4 1 15 Global Client an...

Page 139: ...skip this step 3 In the Security screen s Security Settings frame enter new values for the settings you want to change described in sections 4 1 1 through 4 1 14 above 4 Click APPLY in the upper right of the screen or RESET screen settings to cancel your changes Table 4 1 Security Settings Simple Advanced Views Advanced View Only Operating Mode FIPS Reseed Interval Encryption Algorithm FIPS Test I...

Page 140: ... 1 3 A manually entered 32 digit Access ID will not be accepted if DH 512 is selected for key establishment in the Bridge The length of a randomly generated Access ID is determined by the key establishment selections in effect when you click the GENERATE ACCESS ID button if DH 512 is selected a 16 digit hexadecimal Access ID is generated if DH 512 is not selected a 32 digit hexadecimal Access ID i...

Page 141: ...iti ate IKE v1 transactions but will accept IKE v1 connections from lega cy devices IKEv2 Internet Key Exchange version 2 as defined in RFC 4306 IPsec Tunnel Mode using ESP Encapsulating Security Payload as defined in RFC 4303 Strong standards based cryptographic algorithm suites including NSA National Security Agency Suite B6 AES 128 GCM 16B ICV7 AES 256 GCM 16B ICV Legacy AES 128 CBC Cipher Bloc...

Page 142: ...s you must specify those keys per peer refer to Section 4 2 3 below Once IPsec is globally enabled and configured you must specify at least one SPD entry configured to Apply IPsec on at least one Bridge interface before the Bridge can send and receive IPsec protected traffic refer to Section 4 2 2 Figure 4 4 IPsec Global Settings frame all platforms Global IPsec settings include Admin State global...

Page 143: ...with an unlimited amount of traffic permitted CAUTION If you disable IPsec when the function is in use all IKE and IPsec SAs will be immediately termi nated configured SPD entries will be disabled and IPsec traffic will cease to be sent or re ceived on any interface To configure global IPsec settings 1 Log on to the Bridge GUI through an Administrator level account and select Configure IPsec from ...

Page 144: ...associated with an SPD entry Interface Name and BSS Name associates the SPD entry with a particular interface on the Bridge The Interface Name dropdown provides a list of the Bridge s Ethernet interfaces The BSS Name dropdown provides a list of BSSs currently configured on one of the Bridge s internal radio s Use only one of these dropdown lists to specify only a single Ethernet or wireless interf...

Page 145: ...ge GUI through an Administrator level account and select Configure IPsec from the menu on the left 2 In the IPsec Settings screen s Security Policies frame click ADD SPD and on the resulting screen enter valid values for the settings described above 3 Click APPLY in the upper right of the screen or CANCEL the addition The SPD entries you add are listed in the Security Policies frame To delete IPse...

Page 146: ... IPsec peer to be authenticated by the PSK 3 On the same screen establish the key to be used to authenticate the specified IPsec peer NOTE The Secret Length parameter is ignored for manually entered PSKs If you want to specify a key In Key Type use the dropdown to specify whether the key you enter is an ASCII string or a series of Hex bytes In Key and Key Confirmation enter a key in the format you...

Page 147: ...en at least one ACL entry is configured It is disabled by default no ACL entries are present When the IPsec access control function is enabled the Bridge compares the Distinguished Names DNs contained in the X 509 digital certificates of authenticating IPsec peers against those recorded in the IPsec ACL If no match is found access is denied If a match is found access is allowed or denied according...

Page 148: ...bed above 3 Click APPLY in the upper right of the screen or CANCEL the addition The ACL entries you add are listed in the IPsec ACLs frame To delete IPsec ACL entries 1 Log on to the Bridge GUI through an Administrator level account and select Configure IPsec from the menu on the left 2 In the IPsec Settings screen s IPsec ACLs frame If you want to delete a single ACL entry or selected entries cli...

Page 149: ...cation types Auth Types that you want the Bridge to support you must specify at least one authentication server that supports that authentication type Auth Types include User Device Authentication 1 the user name and password as supplied by the user logging in and configured locally or on an authentication server providing user authentication to the network and 2 the unique hexadecimal Device ID g...

Page 150: ...enticating Secure Client devices and users Section 4 3 2 that will override the RADIUS server independent Secure Client idle timeout described above Individual user and device timeout settings override the local defaults Section 4 3 3 Figure 4 8 Simple View external RADIUS Server frames all platforms The Bridge can use up to four authentication servers at a time although in Simple View you can con...

Page 151: ...esponding RADIUS Server frame However the internal server can be added and complete settings for it can be accessed only on the Local Server tab as described in Section 4 3 2 4 3 1 1 Authentication Server State Name and IP Address NOTE The Server Name and IP Ad dress of the internal RA DIUS server Local Auth Sever and 127 0 0 1 re spectively are internal ly set and cannot be changed The Admin Stat...

Page 152: ...hentication Server Max Retries and Retry Interval The Max Retries setting determines how many times the Bridge will attempt to connect to the server before assuming it is unavailable and going on to the next relevant server on the priority list You can configure 1 to 10 maximum connection attempts the default is 3 Max Retries is available in only Advanced View Retry Interval specifies how long the...

Page 153: ... the NEW SERVER button in the upper left of the screen or If you want to edit an existing server click the EDIT button to the left of its entry on the Authentication Servers list 3 In the RADIUS Settings screen s Authentication Server frame enter new values for the settings you want to change described above 4 Click APPLY in the upper right of the screen or CANCEL your changes 4 3 2 The Local Auth...

Page 154: ... the maximum number of unsuccessful local authentication attempts a user or device is allowed before being locked out You can specify whole numbers between 1 and 10 the default is 3 A devices that exceeds the maximum allowable retry attempts to authenticate on the Bridge is locked out until the device s individual Auth State Mode is set to Allow First Such a device is locked out on every Bridge in...

Page 155: ... Device State set ting on the local authen tication server Allow the device will be allowed to connect provided its individual Auth State Mode is Allow First or Defer and a compatible Key Length has been specified for the device Pending the default the connection requires administrator action explicitly changing the device s individual Auth State Mode to Allow First or you can explicitly Deny All ...

Page 156: ... Protocols 802 1X Authentication turns the service on Enabled and off Disabled the default CRL Check for EAP TLS only determines whether certificates used to authenticate 802 1X supplicants are checked against the lists of certificates that have been revoked by their issuing authorities CRL Check is Disabled by default When the function is Enabled supplicant certificate chains are traced back to a...

Page 157: ...cate in the Bridge s local certificate store refer to Section 6 2 permits the Bridge to authenticate a supplicant using public key cryptography Figure 4 10 Advanced View Local Authentication Server tab all platforms 4 3 2 8 Configuring the Local RADIUS Server You can configure local authentication only in Advanced View 1 Log on to the Bridge GUI through an Administrator level account and select AD...

Page 158: ...rypted traffic on the Bridge s encrypted interfaces Administrative users use the Bridge s local user authentication service to log on to the management interface of another Fortress Bridge on the network or of the local Bridge when the administrative Authentication Method on that Bridge is set to RADIUS Administrative users pass only encrypted traffic on the Bridge s encrypted interfaces When an a...

Page 159: ...s are described in Section 2 2 2 3 Role Determines whether the user is a Secure Client user permitted access to only the Bridge secured network None or an administrator permitted access to both the network and to the management interface of a remote or local Bridge at the specified level of privileges Log Viewer Maintenance or Administrator Idle Timeout sets the amount of time the user s device ca...

Page 160: ...nt click the EDIT button for the account you want to reconfigure and enter new values for the settings you want to change 4 Click APPLY in the upper right of the screen or CANCEL the addition Newly created accounts are added to the User Entries list Figure 4 12 Advanced View User Entries frame all platforms To delete local user accounts You can delete a single user account selected accounts or all...

Page 161: ...ou must specify its MAC address and Fortress generated Device ID Default Device Authentication Settings As devices auto populate the Device Entries list they are permitted or denied immediate access to the network based on the Default Device State setting on the Configure RADIUS Local Server tab Allow devices will be allowed to connect by default Pending the default connections require an administ...

Page 162: ...address and its Fortress generated Device ID When a device auto populates the Device Entries list these values are detected and entered for the device When you manually add a device you must specify its MAC address and Device ID Consult the relevant Fortress documentation for the device you are adding for information on determining its Fortress Device ID The values and settings that configure indi...

Page 163: ... connections to the network If you want the device to be able to use a supported key establishment method other than that used for the initial connection you must manually enable it for the device Deny All prevents all access to the network all the device s attempts to exchange keys will be denied Defer whether the device is allowed to connect depends upon the local authentication server s Default...

Page 164: ...or all device accounts from the Bridge s internal RADIUS server 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner of the page then Configure RADIUS Settings from the menu on the left 2 On the RADIUS Settings screen click the Local Server tab 3 In the Device Entries frame If you want to delete a single device account or selected acc...

Page 165: ... Settings Local Server Default Idle Timeout globally determines the default Secure Client timeout on the Bridge s local authentication server When local authentication is enabled this setting overrides the timeout configured on the Security screen refer to Section 4 3 2 Configure RADIUS Settings Local Server NEW USER EDIT Idle Timeout determines the individual Secure Client s idle timeout on the B...

Page 166: ... Bridge secured network To control network access by specified MAC addresses 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner of the page then Configure Access Control from the menu on the left 2 In the resulting screen s MAC Access Whitelist frame click NEW MAC Figure 4 15 Advanced View Add a MAC filter entry dialog all platforms...

Page 167: ...eflects your changes If you attempt to enable the MAC Access Whitelist when the MAC address you are currently logged on through is not listed a dialog warns that proceeding will block network access for the computer you are currently using A dialog will also warn you if you are deleting your current MAC address from the list when the list is already enabled after you have cleared the usual confirm...

Page 168: ...ol from the menu on the left 2 In the Access Control screen s MAC Access Whitelist frame If you want to delete a single entry click to place a check in the box beside it then the DELETE button above the list or If you want to delete all entries click All to place a check in all entries boxes then click the DELETE button above the list 3 Click OK in the confirmation dialog or Cancel the deletion Th...

Page 169: ...d View Add a Controller entry dialog all platforms Access Control functions are available only in Advanced View To configure the Controller ACL 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner of the page then Configure Access Control from the menu on the left 2 In the Access Control screen s Controller Access List frame select th...

Page 170: ...W in the upper right corner of the page then Configure Access Control from the menu on the left 2 In the Access Control screen s Controller Access List frame If you want to delete a single entry click to place a check in the box beside it then the DELETE button above the list or If you want to delete all entries click All to place a check in all entries boxes then click the DELETE button above the...

Page 171: ... whether for Trusted Devices or APs must be uniquely named on the Bridge NOTE STP and Cisco Layer 2 VLAN management traffic to or from switch es in the Bridge s en crypted zone requires Pass All Traffic to be en abled checked MAC Address provides the MAC address of the device IP Address provides the network address of the device Device Type establishes the cleartext device as a wireless Access Poi...

Page 172: ...rding to the requirements of the AP When Trusted Device is the selected Device Type this field is greyed out Figure 4 21 Advanced View Access Point Settings frame all platforms 4 5 3 2 Trusted Devices Some wireless devices IP phones digital scales or printers for example are not equipped to run additional software such as the Fortress Secure Client In order to allow such a device onto the network ...

Page 173: ...nd on the resulting screen On the APs Trusted Devices screen configure basic cleartext device settings in the Trusted Device AP Settings frame If Access Point was selected for Type in the preceding step configure Access Point Settings for the device or If Trusted Device was selected for Type in the preceding step configure Well Known TD Ports for the device 3 Click APPLY in the upper right of the ...

Page 174: ...L reflects your changes 4 6 Remote Audit Logging The Bridge supports remote audit logging using the syslog standard with an external server and you can specify a threshold severity level for the events sent to syslog You can also specify a number of parameters by which to separately filter administrator and connecting device activity for audit logging 4 6 1 Enabling Audit Logging NOTE Remote log g...

Page 175: ...Individual administrative ac counts Audit settings refer to Section 2 2 2 4 override all other audit logging settings and the audit settings associated with a given MAC ad dress Section 4 6 2 3 override those in Global Auditing Settings You can globally configure the way in which administrative activity on the Bridge is filtered for audit logging Global settings will apply to an administrative ses...

Page 176: ...also Enabled all changes made by subject administrators to the Bridge s configuration can be sent to the audit log If Security is Disabled when Configuration is Enabled all changes except those to security settings can be logged When Configuration is Disabled Bridge reconfiguration by subject administrators will not be sent even if Security logging is Enabled In addition to the conditions describe...

Page 177: ...according to a hierarchy of categories ordered as shown above Each of the interface and Fortress security status controls for audit event logging can be set to one of three behaviors Required events originating from that interface or from an interface with the specified Fortress security status will be logged provided they are not Prohibited in a superior audit setting Prohibited events originatin...

Page 178: ...ogging by individual MAC address refer to Section 4 6 2 2 Audit by User Interface includes the possible administrative network interfaces SSH GUI SNMP Audit by Fortress Security includes Clear Interfaces and Encrypted Interfaces NOTE The Wire less interface type does not apply to Bridg es without radios and will not be present for those models refer to Table 1 1 on page 3 Audit by Interface Type i...

Page 179: ...nfigure audit logging for that MAC address and APPLY your changes Delete a MAC address from audit logging by clicking to place a check in the box to the left of its entry on MAC Auditing Settings and then clicking DELETE at the top of the frame Delete all MAC addresses by clicking All to check all their boxes and then DELETE 4 6 3 Learned Device Audit Logging The Bridge detects devices connecting ...

Page 180: ...e Learned Device Auditing Settings frame click to ENABLE DISABLE audit event logging of devices learned NOTE The Wire less interface type does not apply to Bridg es without radios and will not be present for those models refer to Table 1 1 on page 3 on one of the Clear Interfaces on one of the Encrypted Interfaces on a Wired interface on a Wireless interface 3 Click APPLY in the upper right of the...

Page 181: ...ained in Section 4 1 1 FIPS Bridge operation complies with FIPS 140 2 Security Level 2 Normal Bridge operation can be secured but does not meet FIPS requirements NOTE In FIPS ter minology the Bridge is in FIPS Bypass Mode BPM when cleart ext is permitted to pass on any of its encrypted interfaces Cleartext is the Cleartext Traffic setting as configured on Configure Security and described in Sectio...

Page 182: ...nt Details In Advanced View you can click the Username of any account listed in Configure Administration Administrator Settings for details of the account s creation and modification and a record of logon activity on the account since the Bridge last booted Figure 5 2 administrator Detailed Statistics dialog all platforms 5 3 System Information In addition to the configured or default values of th...

Page 183: ...e 3 and operating as a node in a wireless network the Topology View screen provides a visual representation of the network to which the Bridge belongs The screen displays an icon for the Bridge you are currently logged onto identified by a blue box around the its IP address and each of the Bridges nodes the current Bridge is connected to When you first view this screen the Bridges are arranged ran...

Page 184: ...w refer to Section 5 4 1 If you use your own image you can then manually place each of the nodes near their physical location to make the view more representative Alternatively you can use the Arrange icons at the top of the screen to view the nodes in a grid ellipse or in an STP tree configuration based on the STP root The STP tree view is not available until an STP root has been discovered which...

Page 185: ...ovide monitoring of all devices currently connected to the Bridge and simple network access controls for devices connected to the Bridge s encrypted interface s The last tab displays current leases on the Bridge s internal DHCP servers when enabled Each tab heading shows the type of connection displayed on the tab and in brackets a current count of connected devices of that type The Bridge s three...

Page 186: ...o which the device is connected is Encrypted Fortress Security is Enabled or Clear Fortress Security is Disabled Auth State the state of the device s network authentication process Possible values include Unknown connected not yet ready to proceed Initial ready to proceed waiting for device to respond Started response received authentication in process Success authentication succeeded network acce...

Page 187: ...cured network of the connected network node State the bridging status of the connected network node Possible values and meanings depend on the Bridge s current Bridging Mode setting Section 3 2 When STP is used for bridging possible values include Disabled the interface is not passing traffic Forwarding the interface is passing all traffic Listening the interface is listening for BPDUs Bridge Prot...

Page 188: ...e of the Bridge s radios that has been configured to use the same standard WPA2 WPA2 Mixed WPA2 PSK or WPA2 Mixed PSK refer to Section 3 3 4 14 Secure Client and WPA2 connections are shown on the Clients WPA2 tab of the Connections screen Figure 5 9 Connections screen Clients WPA2 tab all platforms8 The Connections screen displays these attributes of the connected device Client Type whether the de...

Page 189: ...ic keys exchanged with Client device Blocked key exchange with Client device failed Unbound Client device is not connecting via another Fortress controller device when it is expected to be Bound Client device is connecting via another Fortress controller device should be followed by Partner Connection States below Inferior DKey Received inferior dynamic key from Client device Key Failed key exchan...

Page 190: ...m on the Controller tab of the Connections screen Figure 5 10 Connections screen Controllers tab all platforms9 MAC Address the Media Access Control address of the controller device Hostname the network hostname of the device Device ID the device s unique hexadecimal Fortress generated identifier which provides device authentication on the Bridge secured network when device authentication is enabl...

Page 191: ...nterface the host device is connected through If the host was learned from a remote Bridge with a wireless bridging link to the current Bridge Interface identifies the internal radio on which the MRP mesh radio port link resides NOTE Device IDs are unique For tress generated identifi ers that enable device authentication on the Bridge secured net work Section 5 3 Device ID for devices connected th...

Page 192: ...ed Device IP Address the IP version 4 address of the device Device Name the Device Name configured for the device Port List ports the AP or Trusted Device is configured to access Auth State the state of the device s network authentication process Possible values include Unknown connected not yet ready to proceed Initial ready to proceed waiting for device to respond Started response received authe...

Page 193: ...any VLANs configured on the Bridge 5 6 1 Traffic Statistics The packets that the Bridge has transmitted and received the encrypted interface s since cryptographic processing was last started are shown in the Traffic Statistics frame Figure 5 13 Statistics screen Traffic Statistics frame all platforms Encrypted encrypted packets the packets received on a clear interface encrypted and then transmitt...

Page 194: ...tted on the interface Errors the total number of receive transmit errors reported on the interface The Statistics screen provides additional information according to interface type 5 6 2 1 Ethernet Interface Statistics Figure 5 14 Statistics screen Ethernet Interface Statistics frame ES210 ES440 ES820 For each of the Bridge s Ethernet interfaces the Bridge displays the Status and basic interface s...

Page 195: ...is a duplicate or sub optimal path When FastPath Mesh is used for bridging possible values include Disabled the interface is not passing traffic Forwarding All the interface is passing all traffic Blocking the interface is blocking all traffic Above these statistics the Bridge displays the global Ethernet MAC Address 5 6 2 2 BSS Interface Statistics On Bridges equipped with one or more radios refe...

Page 196: ...Media Access Control address of the virtual interface the BSS provides State the bridging status of the node from which the link is made Possible values and meanings depend on the Bridge s current Bridging Mode setting Section 3 2 When STP is used for bridging possible values include Disabled the interface is not passing traffic Forwarding the interface is passing all traffic Listening the interfa...

Page 197: ... Security Policy Database entry with the settings accessed through Configure IPsec refer to Section 4 2 NOTE If both data and time limits are configured an SA will expire at whichever comes first potentially when Remaining Time still shows a positive value Lifetime KB optionally a limit on the amount of data an SA can pass before being deleted can be globally set in kilobytes and the value display...

Page 198: ...Suite shows the cryptographic algorithm suite in use by the SA Figure 5 18 IPsec Status screen all platforms 5 8 FastPath Mesh Monitoring When FastPath Mesh is licensed Section 6 3 and enabled Section 3 2 1 the Bridge GUI provides an array of information on the configuration composition and operation of the FP Mesh network on Monitor Mesh Status 5 8 1 FastPath Mesh Bridging Configuration The setti...

Page 199: ...s that have linked directly to one of the current MP s FP Mesh Core interfaces since Statistics were last cleared Lost a count of neighbors above whose connection to the current MP has been lost since Statistics were last cleared because they have moved to a more remote location relative to the current MP or have left the network A neighbor can also be bounced into a Lost state and then back to a ...

Page 200: ...ghbor Packet Drops counts FP Mesh routing protocol packets dropped by the current Bridge since Statistics were last cleared New the number of routing protocol packets received from new neighbors and dropped because of congestion Holddown the number of routing protocol packets received from unstable neighbors and therefore dropped Other displays additional statistical information Max Used Ctl Packe...

Page 201: ... a peer the less preferred is any route to or through that peer IP Address the IPv4 address of the MP IPv6 Addresses all IPv6 addresses of the MP including the link local address the RFC 4193 unique local address and any other user configured or auto configured global addresses Figure 5 21 Mesh Status screen Peers frame all platforms For each MP listed on Peers under NMPs the MAC addresses of any ...

Page 202: ...on MAC address yes or only a listener no An MP becomes a talker for a multicast group when it receives a packet from a sender on one of the MP s FP Mesh Access interfaces or when the MP is manually configured as a Talker refer to Section 3 2 1 7 MPs do not show up as talkers on broadcast flows even though the broadcast source may be on one of the MP s Access interfaces Forwarding On the interfaces...

Page 203: ...aces also shows whether the group was Learned from IGMP as a listener or incoming data packet as a talker or whether the group was manually Configured Manually subscribing to multicast groups is described in Section 3 2 1 7 5 8 6 FastPath Mesh Routing Table NOTE The Routing Table shows only routes to other MPs FP Mesh computes and records many routes to a given destination While only the lowest co...

Page 204: ... address of the Mesh Point detected by the current MP on an FP Mesh Access interface Interface the FP Mesh Access interface on which the network MP is detected State whether that interface is blocking forwarding or disabled Reason why the interface is the current State above 5 9 System Log Monitoring The Bridge logs significant system activity and status information Access the log by clicking Moni...

Page 205: ...records are overwritten as new messages are added to the log Figure 5 27 System Log screen all platforms12 The Bridge s three status icons indicate the severity of System Log messages Notice or Info message is purely informational Warning unexpected event may indicate a problem require attention Error failure or attempted breach requires attention You can use the controls at the lower right of the...

Page 206: ...messages sent to the external audit log are identified as AUDIT messages Internally generated audit events are flagged AUDIT internal Audit events generated by administrative action additionally identify the account and interface the administrator was logged onto at the time of the event ...

Page 207: ... devices to rekey and reauthenticate If Cached Auth Credentials is Disabled users are prompted to re enter their user names and passwords in order to re establish their network connections If Allow Cached Credentials is Enabled the default locally authenticated users are reauthenticated transparently using their cached user credentials Section 4 1 13 Resetting connections can be useful after netwo...

Page 208: ...r from the Bridge CLI refer to the CLI Soft ware Guide To reboot the Bridge 1 Log on to the Bridge GUI through an Administrator level or Maintenance level account and select Maintain System from the menu on the left 1 In the System screen s Restart Controller Device frame click EXECUTE CAUTION When in blackout mode some model Bridges still exhibits a single initial blink of less than half a second...

Page 209: ... the time the Bridge s software was last upgraded CAUTION If Image for Next Boot indi cates INVALID do not se lect it or click EXECUTE To select the next boot image 1 Log on to the Bridge GUI through an Administrator level account and select Maintain System from the menu on the left 2 In the System screen s Version frame in Image for Next Boot select the next image to boot from the dropdown 3 Clic...

Page 210: ...e upgrade To upgrade Bridge software 1 Log on to the Bridge GUI through an Administrator level account and select Maintain System from the menu on the left 2 In the System screen s Upgrade Controller Device frame Click to Browse to the location of the Bridge upgrade file and select it for upload Enter the Upgrade Package Password fortress Ensure that the Distribute only do not upgrade this unit bo...

Page 211: ...ot partition If you boot from the non running boot partition settings will revert to those in effect at the time the Bridge s soft ware was last upgraded To revert to the previous software version Because it is not overwritten the software version the Bridge was running before the upgrade remains available in the event of a problem with the newer version of the software 1 Log on to the Bridge GUI ...

Page 212: ...igure 6 5 Backup System Settings frame all platforms To back up the Bridge configuration NOTE Backup file passwords must be a minimum of ten al phanumeric characters Strong passwords con tain a mix of upper and lower cases 1 Log on to the Bridge GUI through an Administrator level account and select Maintain System from the menu on the left 2 In the System screen s Backup System Settings frame opti...

Page 213: ...estore System Settings frame all platforms 5 Click OK to close the dialog informing you that a reboot is required to complete the restore procedure 6 In the same screen s Restart Controller Device frame click EXECUTE 6 1 7 Initiating FIPS Retests You can manually initiate the same self tests that the Bridge runs automatically in accordance with FIPS 140 2 Federal Information Processing Standards S...

Page 214: ...rted out of a secured location In order to fully restore the Bridge to its factory configuration defaults you must perform a separate restore operation for the software image on each of the Bridge s flash memory partitions refer to Section 6 1 4 You can reset to factory defaults only in Advanced View Figure 6 8 Advanced View Reset to Factory Defaults frame all platforms To restore the factory defa...

Page 215: ...ttings the Bridge will have to be reconfigured for use To do so you can re install it as you would a new Bridge Alternatively you can back the configuration up before you reset the Bridge to its defaults and then restore the backup configuration after you have manually configured network properties and passwords 6 2 Digital Certificates The Bridge automatically generates a self signed digital cert...

Page 216: ...4Wq LHJI7I3NerSNSDPODuJyz DGgfPdVbvU mICd4gNsTzjaB0bG WJ9ccc6DtyJ6lAk2N8Sv9l5IT6CGjLBFedQg 67WFokZq8H4i6EjfBrxXu0XrPp6IOIC2rsj51w END CERTIFICATE REQUEST In order to generate a CSR key pair you must provide a name to associate with the stored key pair and specify at least one X 500 distinguished name DN attribute CSR Name establishes a name for the public private key pair generated with the CSR Un...

Page 217: ...t Maintain Certificates from the menu on the left 2 In the X 509 Keys frame of the Certificates screen If you want to delete a single or selected key pair s click to place a checkmark in the box es beside the key s you want to eliminate or If you want to delete all key pairs click ALL at the top of the X 509 Keys list to checkmark all keys Click the DELETE CSR button or CANCEL the deletion 3 Click...

Page 218: ...ificate s public key from the dropdown If the certificate is a trust anchor certificate you must first check the box to indicate this see below and then enter a Certificate Name unique to the local certificate store The name does not have to be related to either the issuer or subject DN in the certificate Trusted Anchor when more than one root CA certificate is present selects which will serve as ...

Page 219: ...elete digital certificates NOTE If you de lete the self signed certificate the Bridge will automatically gen erate a new one You can delete a single or selected certificate s or all certificates in the Bridge s certificate store 1 Log on to the Bridge GUI through an Administrator level account and select Maintain Certificates from the menu on the left 2 In the X 509 Certificates frame of the Certi...

Page 220: ...upplicants when the Bridge s internal authentication server is configured to provide 802 1X authentication service refer to Section 4 3 2 to authenticate an ES210 Bridge as a wireless station when it is dedicated to act as a wireless Client refer to Section 3 3 5 10 Because Bridges used as wireless Clients must be dedicated to the function the EAP TLS certificate will only be used for one of these...

Page 221: ...nts 1 Log on to the Bridge GUI through an Administrator level account and select Maintain Certificates from the menu on the left 2 In the X 509 Certificates frame of the Certificates screen to the right of the certificate you want to assign click the relevant button for the function you want to assign it to USE SSL USE IPSEC or USE EAPTLS The selected function will be displayed for the newly assig...

Page 222: ...g There are various optional features on Fortress Bridges that you can enable only after entering or uploading valid license keys for these functions mesh FastPath Mesh enables Fortress s FastPath Mesh bridging link management function refer to Section 3 2 1 This feature applies to all Fortress Bridges advradio Advanced Radio enables 802 11a radio support for additional licensed and unlicensed fre...

Page 223: ... Security By default no licenses are installed nor licensed features enabled on the Bridge 6 3 1 Obtaining License Keys NOTE If you pur chased the Bridge with a license for a giv en feature the license key is included in your shipment You can ob tain special feature li censes after your initial purchase from Fortress Technologies A unique 20 character hexadecimal key is required for each licensed ...

Page 224: ...cense keys You can access Bridge GUI licensing screens and functions only in Advanced View NOTE Bridge fea ture licensing is unchanged when con figuration settings are restored from a backup file or reset to their fac tory defaults refer to Section 6 1 8 6 3 2 Licensing New Features 1 Log on to the Bridge GUI through an Administrator level account and select ADVANCED VIEW in the upper right corner...

Page 225: ...lick Apply 4 As the Bridge GUI indicates you must reboot the Bridge in order for the license to take effect Do so according to the directions in Section 6 1 2 NOTE The Mesh Path trace tool is intended for use only when FastPath Mesh is licensed and enabled on the Bridge 6 4 Network Tools Maintain Network provides standard ICMP Internet Control Message Protocol ping and traceroute tools If FastPath...

Page 226: ...a packet to the address according to your selection in Step 2 and display the Result 5 To interrupt the operation click STOP in the upper right of the screen 6 5 Support Package Diagnostics Files To assist in diagnosing a problem with the Bridge Technical Support may request that you generate a diagnostics file Diagnostics files encrypt the information collected from the Bridge so the file can be ...

Page 227: ...cure place Fortress Technical Support will need it to decrypt the support package file 3 Click DOWNLOAD and if your browser is set to block pop ups file downloads take the necessary actions to allow the file to download The progress of file generation is displayed 4 When the download completes Save the file support pkg to the location of your choice ...

Page 228: ...38 39 complexity 26 27 configuring requirements 27 defaults 16 20 33 34 expiration 25 individual account controls 33 34 unlocking 39 AES 128 192 256 see encryption algorithm altitude see location settings antennas see radios AP management rules 155 159 AP TD see cleartext devices archive settings see backup and restore associations configuring BSSs 70 81 monitoring 170 171 STA interface 87 89 audi...

Page 229: ...cer 118 D data compression 121 configuration steps 124 date and time system date and time 95 configuration steps 97 default Access ID 125 administrative passwords 16 20 33 34 Client device authentication settings 146 147 controller device authentication settings 153 encryption algorithm 118 idle timeout settings 139 144 IP address 16 93 operating mode 117 re keying interval 120 restoring defaults ...

Page 230: ...e 117 121 retesting 198 199 Fortress Secure Client see Secure Clients Fortress Security BSSs 77 Ethernet ports 104 FastPath Mesh 47 see also security settings fragmentation threshold 75 83 G GPS 97 98 guest devices see cleartext devices Trusted Devices guest device access guest management see cleartext devices guest devices managing the Bridge GUI 16 19 accessing 16 19 administrative accounts 19 c...

Page 231: ...1 military band radio 3 4 46 57 channels 63 DFS 69 EULA addendum vi regulation 59 monitor resolution 16 MSP 2 5 117 Access ID 125 126 beacon interval 123 configuration steps 124 encryption 118 key establishment 119 MSP Clients 173 re keying interval 120 see also security settings N network settings 91 95 configuration steps 92 95 DHCP services 98 100 DNS client settings 92 DNS service 100 102 host...

Page 232: ...70 90 rebooting 193 re keying interval 120 configuration steps 124 default 120 remote logging 159 165 individual administrative accounts 32 resetting factory defaults 199 200 resetting connections 192 restoring default settings 199 200 from a backup file 198 previous software version 196 RF kill 58 RTS threshold 75 83 S safety precautions 1 Secure Clients 5 compatibility 15 device authentication 1...

Page 233: ...89 191 see also audit logging system requirements 16 T third party AP management 155 159 time zone 95 configuration steps 97 timeout settings administrative timeouts 21 default 21 session and idle timeouts 123 124 139 140 144 145 default 139 144 145 topology 5 14 topology view 168 170 traceroute 210 211 transmit power settings 60 65 configuration steps 67 Trusted Devices 155 159 guest device acces...

Page 234: ...ired LAN and a WLAN to connect wireless devices within range to the LAN AES Advanced Encryption Standard a FIPS approved NIST standard for 128 192 256 bit data encryption for protecting sensitive unclassified U S government and related data also referred to as the Rijndael algorithm NIST FIPS approved AES in November 2001 administrator password In Fortress Technologies products a password that gua...

Page 235: ...tress Secure Client Controller Refer to Fortress Controller controller device See Fortress controller device Controller GUI The browser based graphical user interface through which the Fortress Controller is configured and managed locally or remotely Crypto Officer password A FIPS defined term sometimes Crypto password the administrator password in For tress devices operating in FIPS mode Data Lin...

Page 236: ... cipher suite negotiation and key exchange between two endpoints within PPP EAP TTLS EAP Tunneled TLS An EAP TLS protocol developed by Funk and Certicom that uses TLS to establish a secure connection between a client and server ES300 The Fortress hardware model identifier of the Secure Bridge ES520 The Fortress hardware model identifier of the Secure Wireless Bridge failover A device or system con...

Page 237: ...the monitor screen hash function Mathematical computation for deriving a condensed representation or hash value usu ally a fixed size string from a variable size message or data file HTTP Hypertext Transfer Protocol used to transmit and receive all data over the World Wide Web HTTPS HTTP Secure sockets HTTP with an encryption authentication layer IANA Internet Assigned Number Authority the organiz...

Page 238: ...it possible to search compliant directories to locate information and resources on a network LDAP is a streamlined version of the Directory Access Protocol part of the X 500 standard for network directory services LLC Logical Link Control one of two sublayers of OSI Layer 2 refer to DLC in which frame synchronization flow control and error checking takes place MAC Media Access Control one of two s...

Page 239: ...rmation Assurance Partnership a collaboration between NIST and the National Security Agency NSA in response to the Computer Security Act of 1987 PL 100 235 to promote sound security requirements for IT products and systems and appropriate measures for evaluating them NIST National Institute of Standards and Technology the U S Government agency responsi ble for publishing FIPS NMP Non Mesh Point in...

Page 240: ...t has the Fortress Secure Client installed and configured to permit the device to communicate on the Fortress secured network SFP Small Form Pluggable shorthand for fiber optic Small Form Pluggable transceiver SHA Secure Hash Algorithm cryptographic hash functions developed by the NSA and pub lished by NIST in FIPS 180 2 SHS Secure Hash Standard FIPS approved NIST standard specifying five secure h...

Page 241: ...ing UI User Interface the means by which a human end user provides input to and receives output from computer software ULA Unique Local Address an IPv6 globally unique unicast address subnet identifier defined in IETF RFC 4193 intended for local intranet communications and not intended to be routable on the Internet user authentication A mechanism for requiring users to submit established credenti...

Page 242: ...N Wireless Local Area Network A local area network that allows mobile users network access through radio waves rather than cables WMM Wi Fi Multimedia wireless quality of service implementation defined in subset of the IEEE standard 802 11e QoS for Wireless LAN WPA Wi Fi Protected Access a security protocol for wireless networks defined in the IEEE 802 11i amendment that uses 802 1X and EAP to res...

Reviews:

No comments

Brands by name

Popular brands

Load more brands