manualshive.com logo in svg

HP E-MSM310, Management And Configuration Manual

The HP E-MSM310 is a high-performance wireless access point that seamlessly connects multiple devices. Take full control of your network with the comprehensive Management and Configuration Manual, available for free download from our website. Unlock the full potential of your device with this essential manual.

Share
Download
background image

Security

Using an external RADIUS server

6-2

Using an external RADIUS server

The AP can use one or more external RADIUS servers to perform a number of authentication 

and configuration tasks, including the tasks shown in the table below. 

Note

On VSCs that have the 

Use HP MSM controller

 option enabled (creating an access-

controlled VSC), see the 

MSM7xx Controllers Management and Configuration Guide

 

for details on how user authentication is configured.

When a VSC has the 

Use HP MSM controller

 option disabled (creating a non-access-

controlled VSC), an external RADIUS server can be used to validate user credentials for 

WPA, 802.1X, or MAC-based authentication as described in this section.

Configuring a RADIUS client profile on the AP

The AP enables you to define up to 16 RADIUS profiles. Each profile defines the settings for a 

RADIUS client connection. To support a client connection, you must create a client account 

on the RADIUS server. The settings for this account must match the profile settings you 

define on the AP. 

For backup redundancy, each profile supports a primary and secondary server.

The AP can function with any RADIUS server that supports RFC 2865 and RFC 2866. 

Authentication occurs via authentication types such as: EAP-MD5, CHAP, MSCHAP v1/v2, 

LEAP, PAP, EAP-TLS, EAP-TTLS, EAP-PEAP. EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.

Note

If you change a RADIUS profile to connect to a different server while users are active, all 

RADIUS traffic for active user sessions is immediately sent to the new server. 

Task

For more information see

Validating administrator login 

credentials.

Authenticating administrative credentials using 

an external RADIUS server on page 2-4

.

Validating user login credentials for 

WPA, 802.1X, or MAC-based 

authentication types on non-access-

controlled VSCs.

Wireless protection on page 4-16

.

MAC-based authentication on page 4-19

.

Retrieving RADIUS attributes on a 

per-user basis on non-access-

controlled VSCs.

Configuring user accounts on a RADIUS server on 

page 6-5

.

Storing accounting information for 

each user on non-access-controlled 

VSCs.

Accounting support is enabled under 

Wireless 

protection on page 4-16

 or 

MAC-based 

authentication on page 4-19

.

Summary of Contents for E-MSM310

Page 1: ...5400zl Switches Installation and Getting Started Guide HP MSM3xx MSM4xx Access Points Management and Configuration Guide HP MSM3xx MSM4xx Access Points Management and Configuration Guide ...

Page 2: ......

Page 3: ...HP MSM3xx MSM4xx Access Points Management and Configuration Guide ...

Page 4: ... statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein Hewlett Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett Packard Warranty See the warranty information included w...

Page 5: ...s 1 5 Key features 1 5 Controlled mode versus autonomous mode 1 6 Controlled mode 1 6 Autonomous mode 1 7 Summary 1 9 Safety information 1 10 Professional Installation Required 1 10 Servicing 1 10 HP support 1 11 Before contacting support 1 11 Getting started 1 11 Online documentation 1 11 2 Management Management tool 2 2 Starting the management tool 2 2 Customizing management tool settings 2 3 Ad...

Page 6: ...server 2 11 Server settings 2 11 Security 2 12 Security considerations 2 12 CLI 2 12 Configuring CLI support 2 13 Secure shell access 2 13 Authenticate CLI logins using 2 13 Serial port access 2 14 System time 2 14 LEDs 2 15 Country 2 16 3 Wireless configuration Wireless coverage 3 2 Factors limiting wireless coverage 3 2 Radio power 3 2 Antenna configuration 3 2 Interference 3 2 Physical characte...

Page 7: ...on 3 23 Channel 3 23 Interval 3 25 Time of day 3 25 Automatic channel exclusion list 3 26 Antenna selection 3 26 Antenna gain 3 27 Max clients 3 27 Advanced wireless settings 3 27 Collect statistics for wireless clients 3 27 Tx beamforming 3 28 RTS threshold 3 28 Spectralink VIEW 3 28 Tx protection 3 29 Guard interval 3 29 Maximum range ack timeout 3 30 Distance between APs 3 30 Beacon interval 3 ...

Page 8: ...sing more than one authentication type in a VSC 4 3 Deployment with a controller 4 3 Management with VLANs 4 4 Viewing and editing VSC profiles 4 5 VSC configuration options 4 5 General 4 7 If Use HP MSM Controller option is enabled 4 7 If Use HP MSM Controller option is disabled 4 7 Virtual AP 4 9 WLAN 4 9 Wireless clients 4 11 Quality of service 4 12 Allowed wireless rates 4 13 Egress VLAN 4 14 ...

Page 9: ...Upstream downstream traffic marking 4 26 Upstream traffic marking 4 26 Downstream traffic marking 4 26 5 Network configuration Port configuration 5 2 Port configuration information 5 2 Bridge port configuration 5 3 Assign IP address via 5 3 Bridge spanning tree protocol 5 3 Port configuration 5 4 VLAN 5 4 Link 5 5 Wireless port configuration 5 5 VLAN support 5 5 Defining a VLAN 5 5 Creating a netw...

Page 10: ...tes 5 15 Configuration 5 15 Active routes 5 15 Default routes 5 16 IP QoS 5 16 Configuration 5 17 Settings 5 17 Example 5 18 Create the profiles 5 18 Assign the profiles to a VSC 5 19 802 1X supplicant 5 20 6 Security Using an external RADIUS server 6 2 Configuring a RADIUS client profile on the AP 6 2 To define a RADIUS profile 6 3 Configuration settings 6 3 Configuring user accounts on a RADIUS ...

Page 11: ... pair 6 15 Default installed private key public key certificate chains 6 15 Certificate usage 6 16 Changing the certificate assigned to a service 6 17 About certificate warnings 6 17 MAC lockout 6 17 7 Local mesh Introduction 7 2 Local mesh link types 7 3 Static local mesh links 7 3 Terminology 7 3 Configuration guidelines 7 3 Dynamic local mesh links 7 4 Terminology 7 4 Operational modes 7 5 Node...

Page 12: ...nance Config file management 8 2 Manual configuration file management 8 2 Backup configuration 8 2 Reset configuration 8 3 Restore configuration 8 3 Scheduled operations 8 3 Software updates 8 4 Performing an immediate software update 8 5 Performing a scheduled update 8 5 Licenses 8 5 Factory installed licenses 8 6 User installed licenses 8 6 License management 8 6 Factory reset considerations 8 7...

Page 13: ...Equipment by Users in Private Household in the European Union B 5 Supported External Antennas B 5 Notice for Brazil Aviso aos usuários no Brasil B 6 Notice for Taiwan B 6 DOCs for the European Community B 6 C Connecting external antennas Introduction C 2 802 11n MIMO antennas for the E MSM466 C 2 802 11a b g antennas for MSM APs C 3 Optional 802 11a b g antennas for MSM APs C 4 Radio power level s...

Page 14: ...Contents xii ...

Page 15: ...roducts covered 1 2 Important terms 1 3 Conventions 1 3 New in this release 1 4 Introducing the MSM3xx 4xx Access Points 1 5 Key features 1 5 Controlled mode versus autonomous mode 1 6 Safety information 1 10 HP support 1 11 Getting started 1 11 Online documentation 1 11 ...

Page 16: ...ely above include alternative product names in parenthesis For example the MSM422 is also known as the E MSM422 Both names refer to the same product Except for E MSM430 E MSM460 and E MSM466 the original MSM product names without E are used throughout this document Model WW Americas Japan Israel E MSM430 J9651A J9650A J9652A J9653A E MSM460 J9591A J9590A J9589A J9618A E MSM466 J9622A J9621A J9620A...

Page 17: ...eract with the management tool user interface Refer to the following image for identification of key user interface elements and then the table below for example directions Ports If the AP you are configuring only has a single port this manual refers to it as Port 1 Ignore references to Port 2 Term Description AP or MSM AP Refers to any HP MSM3xx or MSM4xx Access Point Controller Refers to any HP ...

Page 18: ...items Do not include the vertical line New feature or enhancement For information see New access points This release supports the following new 802 11n dual radio access points E MSM430 E MSM460 and E MSM466 For for more information on these APs see E MSM430 E MSM460 and E MSM466 802 11n Access Points Quickstart Radio configuration on page 3 8 802 11n MIMO antennas for the E MSM466 on page C 2 Bro...

Page 19: ...network availability to areas without an Ethernet infrastructure 802 3af Power over Ethernet or external power cord Management Centrally controlled configured and updated with a Mobility or Access Controller Auto selection of RF channel and transmit power Per client event log of association security and DHCP activities for easy diagnosis Packet capture on a VSC or LAN interface In autonomous mode ...

Page 20: ...utonomous mode Note This guide explains how to install configure and operate HP MSM3xx MSM4xx Access Points in autonomous mode For detailed controlled mode instructions see the MSM7xx Controllers Management and Configuration Guide Controlled mode When operating in controlled mode APs are managed by an MSM7xx Controller controller On startup the AP must establish a management tunnel with a controll...

Page 21: ...us mode APs are managed individually using their integrated management tool This mode is suited to small scale deployments that can benefit from easy integration of wireless services into an existing network infrastructure Autonomous APs do not provide the benefits of centralized management and monitoring RADIUS DHCP server Web FTP server Management station Data Center Router MSM7xx Controller Sec...

Page 22: ...ices for employees Since the AP functions as a DHCP client and all its ports are bridged it simply creates a wireless extension to the existing network Security for the wireless network is provided using 802 1X The AP uses the existing RADIUS server on the corporate network to validate employee logins If you deploy more than one AP the APs can be Interconnected using a backbone LAN Linked with oth...

Page 23: ... in groups New configuration softwarecan be downloaded from a central location at a preset day and time Configuration changes Performed using the management tool on a controller Multiple APs can be updated at the same time Performed locally using each the management tool on each AP Remote configuration and management Automatic establishment of a secure tunnel to protect management and control traf...

Page 24: ...ith EN55022 Class B emissions requirements use shielded Ethernet cables Country of use In some regions you are prompted to select the country of use during setup Once the country has been set the AP will automatically limit the available wireless channels ensuring compliant operation in the selected country Entering the incorrect country may result in illegal operation and may cause harmful interf...

Page 25: ...the relevant Quickstart or section of the MSM3xx MSM4xx APs Installation and Getting Started Guide Then If operating in autonomous mode continue with the next chapter in this guide If operating in controlled mode see Working with controlled APs in the MSM7xx Controllers Management and Configuration Guide Online documentation For the latest documentation visit www hp com networking support and for ...

Page 26: ...Introduction Online documentation 1 12 ...

Page 27: ...gement tool 2 2 Starting the management tool 2 2 Customizing management tool settings 2 3 SNMP 2 7 Configuring SNMP settings 2 8 SOAP 2 11 Configuring the SOAP server 2 11 CLI 2 12 Configuring CLI support 2 13 System time 2 14 LEDs 2 15 Country 2 16 ...

Page 28: ...ble ASCII characters in length with at least 4 different characters Passwords are case sensitive Space characters and double quotes cannot be used Passwords must also conform to the selected security policy as described in Security policies on page 2 6 For information on starting the management tool for the first time see the relevant document as described in Getting started on page 1 11 A securit...

Page 29: ...Management Management tool Administrative user authentication Login credentials for administrative users can be verified using local account settings and or a RADIUS sever Local account settings A single manager and operator account can be configured locally under Manager account and Operator account on this page ...

Page 30: ...guring a RADIUS client profile on the AP on page 6 2 3 Under Administrative user authentication enable RADIUS and select the RADIUS profile you created In this example the profile is called RAD1 4 Test the RADIUS account to make sure it is working before you save your changes Specify the appropriate username and password and select Test As a backup measure you can choose to enable Local This will ...

Page 31: ... in An active manager session cannot be terminated by the login of an operator An operator session is always terminated if a manager logs in An active operator session cannot block a manager from logging in Login control If login to the management tool fails five times in a row bad username and or password login privileges are blocked for five minutes Once five minutes expires login privileges are...

Page 32: ...both numeric and alphabetic characters The settings under Login control must be configured as follows Lock access after nn login failures must be set to 6 or less Lock access for nn minutes must be set to 30 minutes or more The settings under Account inactivity logout must be configured as follows Timeout must be set to 15 minutes or less For more information on these guidelines refer to the Payme...

Page 33: ...the AP to use to provide standard HTTP access to the management tool These connections are met with a warning and the browser is redirected to the secure web server port Default is 80 Auto refresh This option controls how often the AP updates the information in group boxes that show the auto refresh icon in their title bar Under Interval specify the number of seconds between refreshes Web inactivi...

Page 34: ...g SNMP settings Select Management SNMP to open the SNMP agent configuration page By default the SNMP agent is enabled SNMP agent configuration in title bar is checked If you disable the agent the AP will not respond to SNMP requests ...

Page 35: ...Start linkUp linkDown authenticationFailure In addition the AP supports a number of custom notifications Select Configure Notifications For a descriptions of these notifications see the online help v1 v2c communities Community name Specify the password also known as the read write name that controls read write access to the SNMP agent A network management program must supply this name when attempt...

Page 36: ...The domain name or IP address of the SNMP notifications receiver to which the AP will send notifications UDP port The port on which the AP will send notifications Version The SNMP version 1 2c 3 for which this receiver is configured Community Username For SNMP v1 and v2c the SNMP Community name of the receiver For SNMP v3 the SNMP v3 Username of the receiver Security Use these settings to control ...

Page 37: ...onding to your MSM software version Configuring the SOAP server Select Management SOAP to open the SOAP server configuration page By default the SOAP server is enabled Server settings Secure HTTP SSL TLS Enable this option to configure the SOAP server for SSL TLS mode When enabled the Secure Sockets Layer SSL protocol must be used to access the SOAP interface Using client certificate When enabled ...

Page 38: ...rity considerations The SOAP server is configured for SSL TLS mode and the use of a X 509 client certificate is mandatory for SOAP clients The SOAP server is configured to trust all client certificates signed by the default Colubris SOAP CA installed on the AP Users should generate and install their own SOAP CA private key public key certificate to protect their devices from unauthorized access Th...

Page 39: ... attempts via SSH login to the CLI is locked for 5 minutes After the lockout expires each subsequent unsuccessful login attempt re activates the lockout period This behavior repeats until a successful login is completed Note Depending on your SSH configuration your client may make several login attempts with each connection attempt Supported clients The following SSH clients have been tested with ...

Page 40: ...cess On APs with serial console ports you can opt to provide CLI access via the serial port You can also use hardware flow control and set the speed for CLI access via the serial port System time Select Management System time to open the System time page This page enables you to configure the time server and time zone information 1 Set timezone DST as appropriate 2 Set Time server protocol to Simp...

Page 41: ... available to the AP you can temporarily set the time manually with the Set date time manually option However It is important to configure a reliable time server on the AP Correct time is particularly important when a service controller is used Synchronization and certificate problems can occur if the time is not accurate LEDs Select Management LEDs to control operation of the status lights on the...

Page 42: ...ting frequencies channels that you can configure on the Wireless Radio s page Only frequencies that conform to the regulations in your area will be available Caution Incorrectly entering the country code may result in illegal operation and may cause harmful interference to other systems Please consult with a professional installer who is trained in RF installation and knowledgeable about local reg...

Page 43: ...ting 802 11n and legacy wireless clients 3 7 Radio configuration 3 8 Radio configuration parameters 3 16 Advanced wireless settings 3 27 Wireless neighborhood 3 32 Scanning modes 3 32 Viewing scan results 3 34 Identifying unauthorized APs 3 34 Viewing wireless information 3 35 Viewing all wireless clients 3 35 Viewing wireless client data rates 3 37 Wireless access points 3 39 ...

Page 44: ...lity to create bigger wireless cells However cell size should generally not exceed the range of transmission supported by wireless users If it does users will be able to receive signals from the AP but will not be able to reply rendering the connection useless Further when more than one AP operates in an area you must adjust wireless cell size to reduce interference between APs An automatic power ...

Page 45: ...ers on different floors in a concrete building Such installations require a separate wireless AP on each floor Configuring overlapping wireless cells Overlapping wireless cells occur when two or more APs are operating within transmission range of each other This may be under your control for example when you use several cells to cover a large location or out of your control for example when your n...

Page 46: ...ich means that adjacent channels overlap and interfere with each other as follows To avoid interference APs in the same area must use channels that are separated by at least 25 MHz 5 channels For example if an AP is operating on channel 3 and a second AP is operating on channel 7 interference occurs on channel 5 For optimal performance the second AP should be moved to channel 8 or higher With the ...

Page 47: ...separation between overlapping channels is 25 MHz five channels the recommended maximum number of overlapping cells you can have in most regions is three The following table gives examples relevant to North America Japan and Europe applies to 22 MHz channels in the 2 4 GHz band In North America you can create an installation as shown in the following figure Reducing transmission delays by using di...

Page 48: ...ea using three channels as shown in the following figure Using three frequencies to cover a large area in North America Gray areas indicate overlap between two cells that use the same frequency Distance between APs Not supported on E MSM430 E MSM460 E MSM466 In environments where the number of wireless frequencies is limited it can be beneficial to adjust the receiver sensitivity of the AP To make...

Page 49: ...mitted using Direct Sequence Spread Spectrum DSSS modulation Since older 802 11b only clients cannot detect OFDM transmissions 802 11g clients must protect their transmissions by first sending a frame using DSSS modulation This frame usually a CTS to self or RTS CTS exchange alerts 802 11b clients to not attempt to transmit for a specified period of time If protection is not used 802 11b clients m...

Page 50: ...e Radio s configuration page The contents of this page will vary depending on the product The following screen shots show the Radio s configuration page for each AP type For all screen shots Operating mode is set to Access Point and Local Mesh and Advanced wireless settings has been expanded to show the complete set of configurable settings E MSM466 ...

Page 51: ...Wireless configuration Radio configuration 3 9 E MSM460 and E MSM430 ...

Page 52: ...Wireless configuration Radio configuration 3 10 MSM422 ...

Page 53: ...Wireless configuration Radio configuration 3 11 MSM410 ...

Page 54: ...Wireless configuration Radio configuration 3 12 MSM335 radio 1 and 2 ...

Page 55: ...Wireless configuration Radio configuration 3 13 MSM335 radio 3 ...

Page 56: ...Wireless configuration Radio configuration 3 14 MSM320 ...

Page 57: ...Wireless configuration Radio configuration 3 15 MSM310 ...

Page 58: ... stations cannot connect Monitor Disables AP and local mesh functions Use this option for continuous scanning across all channels in all wireless modes See the results of the scans by selecting Wireless Neighborhood This mode also enables 802 11 traffic to be traced using the Tools Network trace feature Sensor Enables RF sensor functionality on the radio HP APs are smart APs and do not forward bro...

Page 59: ...ess point only Local mesh only Monitor Sensor Parameter Access point and Local mesh Access point only Local mesh only Monitor Sensor Regulatory domain Wireless mode Channel width Channel extension Channel Interval Time of day Automatic channel exclusion list Antenna selection Antenna gain Max clients Collect statistics for wireless clients Tx beamforming RTS threshold Spectralink VIEW Tx protectio...

Page 60: ...P allows both 802 11n and legacy 802 11b g clients to associate The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel This alerts associated 802 11n clients to use protection when transmitting The AP also uses protection when necessary when sending 802 11n data The type of protection is configurable by setting the Tx protection parameter Sup...

Page 61: ... the beacon that it sends So clients sending data to the AP will use protection but data sent from the AP will not be protected Note This mode is sometimes incorrectly called Greenfield Greenfield is an 802 11n specific preamble that can be used by clients and APs HP APs do not support this preamble and therefore do not support Greenfield mode When to use this mode Use this mode when the AP is ins...

Page 62: ...el that the AP will use and all potential wireless client devices support 802 11n 802 11n a HP refers to this mode as Compatibility mode because the AP allows both 802 11n and legacy clients to associate The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel This alerts associated 802 11n clients to use protection when transmitting The AP als...

Page 63: ...ion mechanisms RTS CTS or CTS to self when sending 802 11n data to prevent disruption to legacy clients associated on the same channel 802 11b This is a legacy mode that can be used to support older wireless client stations 802 11b g This is a legacy mode that can be used to support older wireless client stations Supported on MSM410 MSM422 radio 1 Frequency band 2 4 GHz Data rates For 802 11n clie...

Page 64: ...ghput Select the Channel width that will be used for 802 11n traffic Available options are 20 MHz Uses the standard channel width of 20 MHz Recommended when the AP is operating in the 2 4 GHz band and multiple networks must co exist in the same location Auto 20 40 MHz The AP will advertise 40 MHz support to clients but will use 20 MHz for each client that does not support 40 MHz Note On the E MSM4...

Page 65: ... channel frequency for wireless services The channels that are available are determined by the radio installed in the AP and the regulations that apply in your country Automatic channel selection Use the Automatic option to have the AP select the best available channel Control how often the channel selection is re evaluated by setting the Interval parameter On the E MSM430 E MSM460 E MSM466 Scanni...

Page 66: ...1a operation in European countries These options are automatically enabled as required Channels used by dynamic frequency selection DFS for radar avoidance are identified with an asterisk On the MSM410 MSM422 radio 1 E MSM430 E MSM460 E MSM466 When Wireless mode is 802 11n 5 GHz or 802 11n a and Channel width is Auto 20 40 MHz the channel numbers in the Channel list include either a 1 or 1 to thei...

Page 67: ...from re evaluating their channel at the same time a random delay between 0 and 2 hours is added to the time of day for each AP Select Disabled to have the scan performed once when you select Save and then only when the AP is restarted This also prevents continuous scanning from being performed on the MSM310 MSM320 MSM335 MSM410 and MSM422 Time of day Not available in Monitor or Sensor modes When t...

Page 68: ...3 31 When creating a point to point local mesh link it is recommended that you use an external directional antenna MSM310 MSM310 R and MSM320 Select Diversity Main or Auxiliary according to the following guidelines For a single antenna connect one antenna to either Main or Aux and select the corresponding value For maximum wireless coverage install an omnidirectional antenna on the Main and Aux an...

Page 69: ... C will increase performance only on the receive side Radio 2 supports diversity via its two internal antennas but not when using an external antenna Antenna gain Supported on MSM310 MSM310 R MSM320 MSM320 R E MSM466 Not available in Monitor or Sensor modes For optimum performance this parameter must be set to the gain of the antenna at the selected frequency DFS channel Max clients Not available ...

Page 70: ...two methods Note Beamforming only works with wireless clients that are configured to support it RTS threshold Not available in Monitor or Sensor modes Use this parameter to control collisions on the link that can reduce throughput If the Status Wireless page shows increasing values for Tx multiple retry frames or Tx single retry frames adjust this value until the errors clear Start with a value of...

Page 71: ... clients to stay off the air while the AP is transmitting data to 802 11n clients This method of protection is supported by most 802 11g or 802 11a clients but is not supported for 802 11b only clients and should not be used if such clients are expected on the network Guard interval Supported on MSM410 MSM422 radio 1 E MSM430 E MSM460 E MSM466 Not available in Monitor or Sensor modes This paramete...

Page 72: ...talled in your location You are experiencing throughput problems In all other cases use the default setting of Large If you have installed multiple APs reducing the receiver sensitivity helps to reduce the amount of cross talk between the wireless stations to better support roaming clients It also increases the probability that client stations connect with the nearest AP Available settings Large A...

Page 73: ...eless mode channel width band or channel selected you may need to configure the radio with a reduced transmit power setting When using Automatic channel selection with an external antenna in the 2 4 GHz band all channels must be set to the lowest acceptable value for your regulatory domain For a list of supported antennas see the Accessories section for your AP at www hp com networking support for...

Page 74: ... to discover the operating frequencies of other APs in your area for site planning purposes It can also be used to flag discovered APs as either authorized APs or rogue APs This is useful for monitoring the installation of wireless access points in your company s work areas to ensure that new APs which could be a security risk if improperly configured are not deployed without your knowledge Scanni...

Page 75: ...adio to operate in monitor mode For example if radio 1 is set to automatic channel scanning and radio 2 is in monitor mode scanning occurs on radio 2 and interruptions on radio 1 do not occur Background scanning MSM310 MSM320 MSM335 MSM410 MSM422 only For any other radio configuration scanning is controlled by the settings on the Network Wireless neighborhood page To enable scanning select the Rep...

Page 76: ... scanned AP does not appear in the list of authorized APs it is displayed in the Unauthorized access points list Creating the list of authorized APs The list of authorized APs must be defined in an external file in XML format Each entry in the file comprises two items MAC address and SSID Each entry should appear on a new line The easiest way to create this file is to wait for a scan to complete t...

Page 77: ...SID 00 03 52 07 f5 11 AP_1 00 03 52 07 f5 23 AP_2 00 03 52 07 f5 12 AP_3 simple ap list Reformat the list to appear as follows 00 03 52 07 f5 11 AP_1 00 03 52 07 f5 23 AP_2 00 03 52 07 f5 12 AP_3 Viewing wireless information The AP provides several pages where you can view information related to wireless operations Viewing all wireless clients To view information on all wireless client stations se...

Page 78: ...uthenticates with both 802 1X and MAC only the 802 1X indication is shown Association time Indicates how long the client station has been associated with the AP Signal Indicates the strength of the radio signal received from client stations Signal strength is expressed in decibel milliwatt dBm The higher the number the stronger the signal Noise Indicates how much background noise exists in the sig...

Page 79: ...via any 802 11n mode Rates are shown for each supported MCS modulation coding scheme The size of the bar indicates the amount of traffic sent or received at each MCS MCS Data rates in Mbps Channel width Guard interval 20 MHz 800 ns 20 MHz 400 ns 40 MHz 800 ns 40 MHz 400 ns 0 6 50 7 20 13 50 15 00 1 13 00 14 4 47 00 30 00 2 19 50 21 70 40 50 45 00 3 26 00 28 90 54 00 60 00 4 39 00 43 30 81 00 90 00...

Page 80: ...60 00 10 39 00 43 30 81 00 90 00 11 52 00 57 80 108 00 120 00 12 78 00 86 70 162 00 180 00 13 104 00 115 6 216 00 240 00 14 117 00 130 00 243 00 270 00 15 130 00 144 40 270 00 300 00 16 130 00 144 40 270 00 300 00 17 130 00 144 40 270 00 300 00 18 130 00 144 40 270 00 300 00 19 130 00 144 40 270 00 300 00 20 130 00 144 40 270 00 300 00 21 130 00 144 40 270 00 300 00 22 130 00 144 40 270 00 300 00 ...

Page 81: ...66 Disabled HT protection G protection is disabled B clients G protection is enabled because a B client is connected to the AP B APs G protection is enabled because a B client is connected to another AP on the same channel used by the AP AG clients HT protection is enabled because a non HT client is connected to the AP AG APs HT protection is enabled because a non HT AP is present on the same chan...

Page 82: ... not being able to transmit for example when scanning Tx retry limit exceeded The number of times an MSDU is not transmitted successfully because the retry limit is reached due to no acknowledgment or no CTS received Tx multiple retry frames The number of MSDUs successfully transmitted after more than one retransmission on the total of all associated fragments May be due to collisions noise or int...

Page 83: ...wn on the E MSM460 The total number of packets that could not be sent due to the following errors Rx retry limit exceeded and TX discards wrong SA Rx packets Not shown on the E MSM460 The total number of packets received Rx dropped Not shown on the E MSM460 The number of received packets that were dropped due to lack of resources on the AP This should not occur under normal circumstances A possibl...

Page 84: ...agement received successfully while there was another reception going on above the carrier detect threshold but with bad or incomplete PLCP Preamble and Header the message in message path 2 in the modem Rx MSG in msg fragments The number of MPDUs of type Data or Management received successfully while there was another good reception going on above the carrier detect threshold the message in messag...

Page 85: ...guration options 4 5 General 4 7 Virtual AP 4 9 Egress VLAN 4 14 Wireless security filters 4 14 Wireless protection 4 16 MAC based authentication 4 19 Location aware 4 19 MAC filter 4 19 IP filter 4 20 VSC data flow 4 21 Stand alone deployment 4 21 AP deployed with a controller 4 22 Quality of service QoS 4 23 Priority mechanisms 4 24 Upstream DiffServ tagging 4 25 Upstream downstream traffic mark...

Page 86: ...d Each VSC is configured with a different wireless network name SSID and the quality of service QoS feature is used to set the priority of user traffic Stand alone deployment An autonomous AP can be deployed as a stand alone device to provide wireless networking support for an existing wired network The AP essentially creates a wireless extension to the existing wired network bridging wireless use...

Page 87: ...r added flexibility you can enable both the 802 1X and VSC based MAC authentication at the same time MAC authentication always takes place first If it fails 802 1X is then attempted Deployment with a controller Autonomous APs can also be used with a controller to create a public access network infrastructure In this type of deployment all VSCs are access controlled which means that the AP forwards...

Page 88: ...r each wireless network is carried on its own VLAN This leaves only management traffic from the autonomous AP on VLAN 10 A static IP is assigned on both ends to permit the two devices to communicate SSID Employee SSID Employee SSID Guest VLAN ID 20 SSID Guest VLAN ID 20 VSC Profiles VSC Profiles Autonomous AP Controller SSID VSC3 VLAN ID 40 VSC Profiles VSC Profiles Default VLAN ID 10 IP address 1...

Page 89: ...add a new profile select Add New VSC Profile In either case the Add Edit Virtual Service Community page opens providing all VSC profile options The following sections provide an overview of each VSC option and how it is used For complete descriptions of individual parameters see the online help in the management tool VSC configuration options This section provides an overview of all the configurat...

Page 90: ...Working with VSCs VSC configuration options 4 6 The following screen capture shows the configuration of the default VSC profile The description that follow describe how to configure each parameter ...

Page 91: ...he RADIUS server Also once authenticated user traffic is restricted by the Wireless security filters option Only traffic addressed to the controller is permitted These filters can be disabled if required If Use HP MSM Controller option is disabled This creates a non access controlled VSC which allows the AP to operate independent of a controller and manage user authentication itself using the serv...

Page 92: ...Wireless security filters Available but wireless traffic is restricted to the controller Available but wireless traffic is restricted to the default gateway Can be changed Wireless protection Available but user authentication must be performed by the controller Available User authentication can be performed by any external RADIUS server MAC based authentication Available but user authentication mu...

Page 93: ...y of service and Allowed wireless rates WLAN Use these settings to define the characteristics of the wireless network Name SSID Specify a name to uniquely identify the wireless network associated with this VSC Each client computer that wants to connect to this VSC must use this name The name is case sensitive DTIM count Defines the DTIM period in the beacon Client stations use the DTIM to wake up ...

Page 94: ...tering is enabled DHCP broadcast requests are never forwarded on the wireless port DHCP broadcast offers are never forwarded on the wireless port unless the target of the offer is an associated client on the wireless interface ARP broadcast requests are never forwarded out the wireless port unless the target of the ARP request is an associated client on the wireless interface Broadcast filtering s...

Page 95: ...nnected to the same VSC can communicate with each other The following settings are available No Blocks all user to user communication 802 1X Only authenticated 802 1X users can communicate All All authenticated and unauthenticated users can communicate Default setting IPV6 Only authenticated users using IP version 6 can communicate Configuring communication between different VSCs Communication bet...

Page 96: ...and VSC2 is set to All no communication is permitted between users on the two VSCs or between users on VSC1 However all users on VSC2 can communicate with each other If VSC1 is set to 802 1X and VSC2 set to All only 802 1X users can communicate between the two VSCs Quality of service The quality of service QoS feature provides a number of different mechanisms to prioritize wireless traffic sent to...

Page 97: ...support for each wireless mode Clients will only be able to connect at the rates that you select If a client does not support the selected rate and mode it will not be able to connect to this VSC The following examples are from the MSM410 and MSM422 and the E MSM430 E MSM460 and E MSM466 MSM410 MSM422 radio 1 E MSM430 E MSM460 and E MSM466 ...

Page 98: ...y to all wireless modes supported on both radios which are 802 11n a b g If you remove a rate it is removed for all wireless modes Egress VLAN Sets the VLAN to which this profile forwards traffic If you do not select a VLAN traffic is sent untagged VLAN s can also be assigned using other methods some of which may override the Egress VLAN See VLAN support on page 5 5 for details Wireless security f...

Page 99: ... as the default gateway for all wireless users If not user traffic will be blocked by the AP Custom Lets you define custom inbound and outbound security filters To use the default filters as a starting point select Get Default Filters Filters are specified using standard pcap syntax with the addition of a few HP specific placeholders These placeholders can be used to refer to specific MAC addresse...

Page 100: ...access the management tool on other HP APs Outgoing wireless traffic filters Applies to traffic sent from the AP to wireless users Accepted Any IP traffic coming from the upstream device except NetBIOS packets PPPoE traffic from the upstream device IP broadcast packets except NetBIOS ARP and DHCP Offer and ACK packets Any traffic coming from the AP itself including 802 1X Blocked All other traffic...

Page 101: ...460 E MSM430 WPA2 AES CCMP WPA2 802 11i with CCMP encryption If all your clients are WPA2 select this option for the maximum possible security WPA or WPA2 Mixed mode supports both WPA version 1 and WPA2 version 2 at the same time Some legacy WPA clients may not work if this mode is selected This mode is slightly less secure than using the pure WPA2 mode Authentication must occur via an external de...

Page 102: ...thentication methods Authentication must occur via an external device If Use HP MSM controller is enabled under General this must be an HP MSM Controller Otherwise a third party RADIUS server can be used For a complete description of all options see the online help Note For security reasons using 802 1X without enabling at least WEP encryption is not recommended WEP This option provides support fo...

Page 103: ...ntrol logins to the public access network based on the AP or group of APs to which a user is connected It is only available when Use HP MSM controller is enabled under General For each user login location aware sends the PHY Type SSID and VLAN to the controller It also includes the specified Group name MAC filter When enabled this option enables you to control access to the AP based on the MAC add...

Page 104: ...lient stations whose MAC addresses appear in the MAC address list can connect to the wireless network Block All client stations whose MAC addresses appear in the MAC address list are blocked from accessing the wireless network IP filter The IP filter enables you to block wireless to wired LAN traffic on this VSC based on its destination address Specify the list of destination IP addresses for whic...

Page 105: ...s Authentication MAC 802 1X HTML Access control features Egress Routing table VLAN GRE tunnel Ingress SSID LAN port via location ware VLAN LAN or Internet port Untagged LAN port Stand alone deployment AP deployed with a controller VSC on autonomous AP Ingress SSID from association Features Authentication MAC 802 1X Wireless security filters MAC filter IP filter Wireless traffic User and authentica...

Page 106: ...le VLAN All traffic on port 1 or 2 if available can be assigned to a VLAN AP deployed with a controller Ingress The AP only handles wireless traffic The SSID is the name of the wireless network that the user associates with Features Authentication Authentication can either 802 1X or MAC To validate user credentials the AP makes use of the controller For more information see the chapter on User aut...

Page 107: ... number of features that can be applied to user sessions Features can be enabled globally or on a per account basis Egress The controller enables user traffic to be forwarded to different output interfaces which include the routing table VLAN ID or IP GRE tunnel Quality of service QoS The quality of service QoS feature provides a number of different mechanisms to prioritize wireless traffic sent t...

Page 108: ... mechanisms Priority mechanisms are used to classify traffic on the VSC and assign it to the appropriate queue The following mechanisms are available 802 1p This mechanism classifies traffic based on the value of the VLAN priority field present within the VLAN header VSC based priority This mechanism is unique to HP It enables you to assign a single priority level to all traffic on a VSC If you en...

Page 109: ...queue 3 Upstream DiffServ tagging Enable this option to have the M111 apply differentiated services marking to upstream traffic Layer 3 upstream marking ensures end to end quality of service in your network Data originating on the wireless network can now be carried throughout the network wireless and wired with a consistent quality of service and priority This feature is enabled by default When t...

Page 110: ... to the AP OUTGOING TRAFFIC Traffic sent by the AP to the network L2 marking L3 marking UpstreamDiffServ tagging is enabled UpstreamDiffServ tagging is disabled 802 1p WMM 802 1p requires an egress VLAN to be defined for the VSC DiffServ Pass through Original layer 3 marking if any is preserved DiffServ DiffServ TOS TOS VSC based WMM Non WMM 802 1p requires an egress VLAN to be defined for the VSC...

Page 111: ...n refers to 802 1D and not 802 1p this guide uses the term 802 1p because it is more widely recognized The updated IEEE 802 1D ISO IEC 15802 3 MAC Bridges standard covers all parts of the Traffic Class Expediting and Dynamic Multicast Filtering described in the IEEE 802 1p standard ...

Page 112: ...Working with VSCs Quality of service QoS 4 28 ...

Page 113: ...5 5 Defining a VLAN 5 5 Defining an egress VLAN for a VSC 5 7 Configuring a default VLAN 5 8 Assigning VLANs to individual users 5 8 VLAN bridging 5 9 Bandwidth control 5 9 Discovery protocols 5 10 CDP 5 10 LLDP 5 10 TLV settings 5 12 DNS 5 14 DNS servers 5 14 DNS advanced settings 5 14 IP routes 5 15 Configuration 5 15 IP QoS 5 16 Configuration 5 17 Example 5 18 802 1X supplicant 5 20 ...

Page 114: ...rt 2 Port configuration information Status indicator Operational state of each port as follows Green Port is properly configured and ready to send and receive data Red Port is not properly configured is disabled or is disconnected Jack Physical interface to which a logical port is assigned Name Identifier for the port To configure a port select its name IP address IP addresses assigned to the port...

Page 115: ...r network administrator and then select Configure See the online help for descriptions of all configuration options Bridge spanning tree protocol When this option is enabled the AP uses the Spanning Tree Protocol to prevent undesirable loops from occurring in the network that may result in decreased throughput Spanning tree can be enabled for untagged ports and or VLAN ports When VLAN support is e...

Page 116: ...cally via RADIUS If you do traffic for these users will be blocked Restrict default VLAN to management traffic only The default VLAN can be restricted to carry management traffic only Management traffic includes All traffic that is exchanged with the controller login authentication requests replies All traffic that is exchanged with external RADIUS servers HTTPS sessions established by managers an...

Page 117: ...robust and flexible virtual local area network VLAN implementation that supports a wide variety of scenarios For example VLANs can be used to isolate management from user traffic or to route traffic over a local mesh connection You can map user traffic to a VLAN for each virtual service community VSC or on a per user basis by setting the appropriate RADIUS attributes in a user s account Up to 80 V...

Page 118: ...rm X Y where X and Y can be 1 to 4094 For example 50 60 You can define more than one VLAN range but each range must be distinct and contiguous VLANS with ranges cannot be assigned an IP address Ranges are useful when you need to support many different VLANs on the same port when assigning per user VLANs using RADIUS attributes 5 Select Save The definition is added to the Network profiles page Assi...

Page 119: ... on the same VLAN There is no support for obtaining a default gateway from the DHCP server Static Enables you to manually assign an IP address to the VLAN If you select this option you must specify a static IP address Mask and Gateway None Specifies that this VLAN has no IP address Use this when you define a VLAN range 6 Select Save Defining an egress VLAN for a VSC You can map egress traffic on e...

Page 120: ...PS sessions established by managers and operators of the management tool Incoming and outgoing SNMP traffic DNS requests and replies To assign a default VLAN see Port configuration on page 5 4 Assigning VLANs to individual users You can assign a VLAN to an individual user by setting the attributes Tunnel Medium Type Tunnel Private Group ID and Tunnel Type in the user s RADIUS account Restrictions ...

Page 121: ...ontrol select Network Bandwidth control If outgoing traffic arrives at the rate defined by the specified bandwidth limit or less it is processed without delay If outgoing traffic arrives at a rate that is greater than the defined bandwidth limit it causes the AP to throttle the traffic If the traffic rate is over limit for just a short burst the data will be queued and forwarded without loss If th...

Page 122: ...ement tool To enable CDP transmission select Network Discovery protocols LLDP The IEEE 802 1AB Link Layer Discovery Protocol LLDP provides a standards based method for network devices to discover each other and exchange information about their capabilities An LLDP device advertises itself to adjacent neighbor devices by transmitting LLDP data packets on all ports on which outbound LLDP is enabled ...

Page 123: ...w the AP on the other side of the link as a neighbor LLDP agent Select this option to enable the LLDP agent on port 1 Select Configure TLVs to customize TLV support Transmit Enable this option to have the agent transmit LLDP information to its neighbors Receive Enable this option to have the agent accept LLDP information from its neighbors LLDP over local mesh Enables support for LLDP on any activ...

Page 124: ... Description TLV Since this is an optional TLV if it is not available the Port ID TLV is used instead Controller name suffix if specified Up to 16 characters can be appended to the name To define the suffix for APs select Configuration LLDP To create the system name the items are concatenated using a hyphen as separator For example systemname portid suffix Note Once AP names are dynamically change...

Page 125: ...tem name is replaced by the dynamically generated name The controller can only have one system name If both the LAN and Internet ports have active agents then the name generated by the LAN port is used System description Type 6 Description of the system comprised of the following information operational mode hardware type hardware revision and firmware version System capabilities Type 7 Indicates ...

Page 126: ...ully resolved to an IP address by a remote DNS server it is stored in the cache This speeds up network performance because the remote DNS server does not have to be queried for subsequent requests for this host An entry stays in the cache until one of the following is true An error occurs when connecting to the remote host The time to live TTL of the DNS request expires The AP restarts DNS switch ...

Page 127: ... each with authentication assigned to a different RADIUS server operating on a different subnet and VLAN routing table entries may be required to ensure proper communication with the RADIUS servers Configuration To view and configure IP routes select Network IP routes Active routes This table shows all active routes on the AP You can add routes by specifying the appropriate parameters and then sel...

Page 128: ...sts the first route in the table is used The following information is shown for each default route Interface The port through which traffic is routed When you add a route the AP automatically determines the interface to be used based on the Gateway address Gateway IP address of the gateway to which the AP forwards routed traffic known as the next hop An asterisk is used by system routes to indicat...

Page 129: ...ually You can find IANA assigned protocol numbers at http www iana org Start port End port Optionally specify the first and last port numbers in the range of ports to which this IP QoS profile applies To specify a single port specify the same port number for both Start port and End port Port numbers are pre defined for a number of common protocols If the protocol you require does not appear in the...

Page 130: ...2 For Profile name specify Voice 3 Set Protocol to TCP 4 Set Start port to SIP Start port and End port are automatically populated with the correct value 5060 5 Set Priority to Very High 6 Select Save Note You could also create another profile using the same parameters but with Protocol set to UDP in order to handle any kind of SIP traffic 7 On the IP QoS Profile page select Add New Profile 8 Set ...

Page 131: ...iles to a VSC 1 Select VSC on the main menu and then select one of the VSC profiles in the Name column Scroll down to the Quality of service section under Virtual AP 2 Set Priority mechanism to IP QoS 3 For IP QoS profiles hold down the Ctrl key and then select Voice and Web 4 Select Save ...

Page 132: ...are not provided to other applications running on the AP The AP sends the EAPOL start and waits for the Request Identity On a time out the AP will perform a single retry On a second time out the 802 1X supplicant will become idle The switch is responsible for restarting the IEEE 802 1X authentication by sending an EAP Request Identity EAP Method Select the extensible authentication protocol method...

Page 133: ...Network configuration 802 1X supplicant 5 21 Anonymous Name used outside the TLS tunnel by all three EAP methods If this field is blank then the value specified for Username is used instead ...

Page 134: ...Network configuration 802 1X supplicant 5 22 ...

Page 135: ... profile on the AP 6 2 Configuring user accounts on a RADIUS server 6 5 Configuring administrative accounts on a RADIUS server 6 11 Managing certificates 6 12 Trusted CA certificate store 6 12 Certificate and private key store 6 14 Certificate usage 6 16 About certificate warnings 6 17 MAC lockout 6 17 ...

Page 136: ...ofile settings you define on the AP For backup redundancy each profile supports a primary and secondary server The AP can function with any RADIUS server that supports RFC 2865 and RFC 2866 Authentication occurs via authentication types such as EAP MD5 CHAP MSCHAP v1 v2 LEAP PAP EAP TLS EAP TTLS EAP PEAP EAP SIM EAP AKA EAP FAST and EAP GTC Note If you change a RADIUS profile to connect to a diffe...

Page 137: ...s 3 Configure the profile settings as described in the following section 4 Select Save Configuration settings Profile name Specify a name to identify the profile Settings Authentication port Specify a port on the RADIUS server to use for authentication By default RADIUS servers use port 1812 Accounting port Specify a port on the RADIUS server to use for accounting By default RADIUS servers use por...

Page 138: ...ted by your RADIUS Server PAP MSCHAP V1 and CHAP are less secure protocols NAS ID Specify the identifier for the network access server that you want to use for the AP By default the serial number of the AP is used The AP includes the NAS ID attribute in all packets that it sends to the RADIUS server Always try primary server first Enable this option if you want to force the AP to contact the prima...

Page 139: ...h the appropriate username and password The AP provides support for a number of standard RADIUS user attributes including those for authentication and accounting Refer to your RADIUS documentation for more information on how to use these attributes Access Request attributes This table lists all attributes supported in Access Request packets for each authentication type Attribute Admin login 802 1X...

Page 140: ...ommunicate with the RADIUS server NAS Port 32 bit unsigned integer A virtual port number starting at 1 Assigned by the AP NAS Port Type 32 bit unsigned integer Always set to 19 which represents WIRELESS_802_11 Service Type 32 bit unsigned integer Set to LOGIN_USER State string As defined in RFC 2865 User Name string The username assigned to the user Or if MAC authentication is enabled the MAC addr...

Page 141: ...nt will not be read as the RADIUS Access Accept overrides whatever indication is contained inside this packet Idle Timeout 32 bit unsigned integer Maximum idle time in seconds allowed for the user Once reached the user session is terminated with termination cause IDLE TIMEOUT Omitting the attribute or specifying 0 disables the feature Session Timeout 32 bit unsigned integer Maximum time a session ...

Page 142: ...specific VLAN number to a customer In this case it must be set to the VLAN ID Tunnel Type Used only when assigning a specific VLAN number to a customer In this case it must be set to VLAN Vendor specific Microsoft MS MPPE Recv Key As defined by RFC 3078 MS MPPE Send Key As defined by RFC 3078 Access Reject attributes Access Reject RADIUS attributes are not supported Access Challenge attributes Thi...

Page 143: ...ue of the number of octets bytes received by the user Only present when Acct Status Type is Interim Update or Stop Acct Input Packets 32 bit unsigned integer Number of packets received by the user Only present when Acct Status Type is Interim Update or Stop Attribute 802 1X MAC Acct Input Gigawords Acct Input Octets Acct Input Packets Acct Output Gigawords Acct Output Octets Acct Output Packets Ac...

Page 144: ...efault the value address is sent in IEEE format For example 00 02 03 5E 32 1A The format can be changed in the Wireless protection section of the VSC Profiles page MAC MAC Address of the radio Network Ports page By default the MAC address is sent in IEEE format For example 00 02 03 5E 32 1A The format can be changed in the Wireless protection section of the VSC Profiles page Calling Station Id str...

Page 145: ...ed Access Request RADIUS attributes User Name string The username assigned to the user or a device when using MAC authentication NAS Identifier string The NAS ID set on the Security RADIUS page for the profile being used Service Type 32 bit unsigned integer As defined in RFC 2865 Set as follows Web Admin is SERVICE_TYPE_ADMINISTRATIVE Framed MTU 32 bit unsigned integer Hard coded value of 1496 MSC...

Page 146: ...ertificate store provides a repository for managing all certificates To view the certificate stores select Security Certificate stores Trusted CA certificate store This list displays all CA certificates installed on the AP The AP uses the CA certificates to validate the certificates supplied by peers during authentication Multiple CA certificates can be installed to support validation of peers wit...

Page 147: ...serial numbers of certificate that have been signed by the CA but that should be rejected Delete Select to remove the certificate from the certificate store Installing a new CA certificate 1 Specify the name of the certificate file or select Browse to choose from a list CA certificates must be in X 509 or PKCS 7 format 2 Select Install to install a new CA certificate CA certificate import formats ...

Page 148: ...llowing information is displayed for each certificate in the list ID A sequentially assigned number to help identify certificates with the same common name Issued to Name of the certificate holder Select the name to view the contents of the certificate X 509 certificate in PKCS 7 file One X 509 certificate Popular format with Microsoft products X 509 certificate in PEM file One or more X 509 certi...

Page 149: ...ess The name should be a domain name containing at least one dot If you try to add a certificate with an invalid name the default certificate is restored The name in the certificate is automatically assigned as the domain name of the AP 1 Specify the name of the certificate file or select Browse to choose one from a list Certificates must be in PKCS 7 format 2 Specify the PKCS 12 password 3 Select...

Page 150: ...ake sure that you install the entire certificate chain when you install a new certificate on the AP Note If you enable the Notifications option on the Management SNMP page and then select Configure Notifications and enable the Certificate about to expire notification under Maintenance an SNMP notification is sent to let you know when the AP SSL certificate is about to expire Certificate usage To s...

Page 151: ...eliminate these warnings you can do one of the following Obtain a registered X 509 SSL certificate from a recognized certificate authority and install it on the AP This is the best solution since it ensures that your certificate can be validated by any web browser A number of companies offer this service for a nominal charge These include Thawte Verisign and Entrust Become a private certificate au...

Page 152: ...ut 6 18 Adding a MAC lockout address 1 Select Security MAC lockout 2 Select Add New MAC Address 3 Specify the MAC address as six pairs of hexadecimal digits separated by colons For example 00 00 00 0a 0f 01 4 Select Save ...

Page 153: ...Static local mesh links 7 3 Dynamic local mesh links 7 4 Quality of service 7 6 Radio configuration 7 7 LLDP 7 9 Local mesh profiles 7 9 Configuring a local mesh profile 7 10 Sample local mesh deployments 7 16 RF extension 7 16 Building to building connections 7 17 Dynamic networks 7 18 ...

Page 154: ...network identifier local mesh ID restricts connectivity to local mesh nodes enabling distinct local meshes to be created with nodes in the same physical area Provides fall back operation to recover from node failure In a properly designed implementation redundant paths can be provided If a node fails the mesh will automatically reconfigure itself to maintain connectivity Maintains network integrit...

Page 155: ...o the two APs For example in the following scenario a static wireless link is created between AP 1 and AP 2 Each AP is connected to a separate physical network but both networks are on the same IP subnet 192 168 5 0 Traffic is bridged across the wireless link allowing User A to communicate with User B Terminology The following terms are used in this guide when discussing the static local mesh feat...

Page 156: ...al mesh is composed of five APs When the APs are started they automatically establish the connections to build the mesh based on their role master alternate master slave If AP 2 fails AP 4 automatically switches its connection to AP 3 Traffic is bridged across the wireless links allowing users connected to any AP to reach the root network Terminology The following illustration and table define ter...

Page 157: ...ther nodes Node discovery Discovery of another node to link with is limited to nodes with the same mesh ID The link is established with the node that has the best score based on the following calculation Score SNR Number of hops x SNR cost of each hop If a node looses its upstream link it automatically discovers and connects to another available node Alternate master node A node that is configured...

Page 158: ...automatic channel selection In this case the master selects the least noisy channel Slaves and alternate masters scan channels until they find the master then tune to the master channel and link with the master Configuration guidelines You can configure a total of six local mesh profiles on each node Each dynamic local mesh profile master or alternate master can be used to establish up to nine lin...

Page 159: ...he link is established on one radio the other is used to create downstream links This greatly improves throughput over single radio deployments Using 802 11a n for local mesh It is recommended that 802 11a n in the 5 GHz band be used for local mesh links whenever possible This optimizes throughput and reduces the potential for interference because Most Wi Fi clients support 802 11b or b g therefor...

Page 160: ...ust for local mesh links Therefore if you are also using a radio to access an AP adjusting this setting may lower the performance for users with marginal signal strength or when interference is present Essentially it means that if a frame needs to be retransmitted it will take longer before the actual retransmit takes place ...

Page 161: ...can be either static or dynamic If a profile defines a static local mesh link the profile can only be used to connect with another node with a profile that has matching settings If a profile defines a dynamic local mesh link it establishes links to other nodes as follows When a dynamic profile is active the AP constantly scans and tries to establish links as defined by the profile Role Upstream li...

Page 162: ...dd profiles select Wireless Local mesh To configure a profile select its name in the list Or to add a profile select Add New Profile Configuring a local mesh profile To configure a profile select its name in the list The Local mesh profile page opens ...

Page 163: ...re part of the local mesh For proper operation you should configure only one node as the policy manager Setting more than one node as the policy manager will prevent policies from being properly implemented Although the policy manager can be any node it is strongly recommended that you make the master node the policy manager When the local mesh is established all nodes search for the policy manage...

Page 164: ...ress of the radio on this AP on which the link will be established Dynamic Use this option to create dynamic local mesh installations Mode Three different roles can be assigned to a node master alternate master or slave The role assigned to a node governs how the node will establish upstream or downstream links with its peers The available configuration settings change depending on the role that i...

Page 165: ...lish downstream links with any other nodes Alternate Master An alternate master node must first establish an upstream link with a master or alternate master node before it can establish downstream link with an alternate master or slave node Mesh ID Unique number that identifies a series of nodes that can connect together to form a local mesh network ...

Page 166: ...rent from the current configuration the node loads the retrieved configuration Initial discovery time Alternate master or slave nodes Amount of time that will be taken to discover the best available master node The goal of this setting is to delay discovery until all the nodes in the surrounding area have had time to startup making the identification of the best master more accurate If this period...

Page 167: ...booting or disabling re enabling the profile This re connection happens during the initial discovery time After that period the regular best master identification mechanism will take over Allow forced links Alternate Master Slave only When enabled the node will accept any connection forced from a master and it will change its mesh ID in order to use the master mesh ID Allow forced links Alternate ...

Page 168: ...e to connect to that master without rebooting Sample local mesh deployments RF extension Local mesh provides an effective solution for extending wireless coverage in situations where it is impractical or expensive to run cabling to an AP In this scenario a wireless bridge is used to extend coverage of the wireless network Both APs are equipped with omni directional antennas enabling them to delive...

Page 169: ...orks in two adjacent buildings Each AP is equipped with a directional external antenna attached to radio 1 to provide the wireless link Omnidirectional antennas are installed on radio 2 to provide AP capabilities The two APs are placed within line of sight PUBLIC WL AN AP 4 AP 1 wireless link PUBLIC WL AN PUBLIC WL AN directional antenna Building A Building B directional antenna AP 2 AP 3 PUBLIC W...

Page 170: ... based on a balance between SNR signal to noise ratio and hops to provide the most efficient network topology If a node becomes unavailable the links dynamically adjust to find the optimum path to the master AP 1 ALTERNATE MASTER AP 2 MASTER ALTERNATE MASTER AP 3 ALTERNATE MASTER AP 4 ALTERNATE MASTER AP 5 ALTERNATE MASTER AP 6 ALTERNATE MASTER AP 4 When AP 4 is unavailable the network dynamically...

Page 171: ...ent 8 2 Manual configuration file management 8 2 Scheduled operations 8 3 Software updates 8 4 Performing an immediate software update 8 5 Performing a scheduled update 8 5 Licenses 8 5 Factory reset considerations 8 7 Generating and installing a feature license 8 7 ...

Page 172: ...he configuration file Before you install new software you should always back up your current configuration Select Backup to start the process You are prompted for the location in which to save the configuration file Configuration information is saved in the backup file as follows Certificates and private keys If you specify a password when saving the configuration file certificates and private key...

Page 173: ...t to restore 3 If the configuration file is protected with a password you must supply the correct password to restore the complete configuration If you supply an invalid password all settings are restored except for certificates and private keys 4 Select Restore to load the selected file Note The AP automatically restarts when once the configuration file has been loaded Scheduled operations The Sc...

Page 174: ... Even though configuration settings are preserved during software updates it is recommended that you backup your configuration settings before updating See Manual configuration file management on page 8 2 At the end of the update process the AP automatically restarts causing all users to be disconnected Once the AP resumes operation all users must reconnect To minimize network disruption use the s...

Page 175: ...t the specified URL is correct 5 Select Save or to commit the schedule and also update the software immediately select Save and Install Now Note Before a scheduled software update is performed only the first few bytes of the software file are downloaded to determine if the software is newer than the currently installed version If it is not the download stops and the software is not updated License...

Page 176: ...pend on these licenses will become temporarily unavailable Select Activate to re activate user installed licenses that have been deactivated Select Remove to delete all user installed licenses Before removing licenses be sure to first backup the license file to your hard drive by selecting Backup License management Use these options to order install and backup license files When you order a new fe...

Page 177: ...our license registration card follow this procedure to generate and install a feature license on your AP Generating a license 1 Go to www hp com networking mynetworking and sign in New users must first create an account 2 Select the My Licenses tab at the top of the page 3 In the Registration ID field type the License Registration ID found on your registration card Type the ID exactly as shown inc...

Page 178: ...information displayed on this page 9 When done select Generate license s to return to the main licenses page Installing a license If you are ready to install your new license on your AP go back to the AP management tool and do the following 1 Select Maintenance Licenses 2 Under Install license file select Browse and browse to your license file Select the file and then select Open 3 Select Install ...

Page 179: ...Appendix A Console ports A Console ports Contents Console port connector specifications A 2 MSM335 and MSM422 console port A 2 MSM410 E MSMS430 E MSM460 E MSM466 console port A 2 ...

Page 180: ...aight through serial cable male to female MSM410 E MSMS430 E MSM460 E MSM466 console port These APs provide an RJ 45 console serial port connector Use an RJ 45 to DB 9 adapter cable not supplied with an RJ 45 male connector on one end and a DB 9 female connector on the other end Wire the cable as follows Note The DSR and DTR signals are only supported on the MSM410 RJ 45 male Pins Signal Direction...

Page 181: ...ry information Contents Notice for U S A B 2 Notice for Canada B 3 Notice for the European Community B 4 Supported External Antennas B 5 Notice for Brazil Aviso aos usuários no Brasil B 6 Notice for Taiwan B 6 DOCs for the European Community B 6 ...

Page 182: ...tes uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and...

Page 183: ...uld not be less than 20 cm 8 inches during normal operation Notice for Canada For MSM310 MSM310 R MSM320 MSM325 MSM320 R MSM335 MSM422 E MSM430 E MSM460 and E MSM466 This device complies with the limits for a Class B digital device and conforms to Industry Canada standard ICES 003 Products that contain a radio transmitter comply with Industry Canada standard RSS210 and are labeled with an IC appro...

Page 184: ...may be operated indoors or outdoors in all EU and EFTA countries using the 2 4 GHz band Channels 1 13 except where noted below In France this device may use the entire 2400 2483 5 MHz band Channels 1 through 13 for indoor applications For outdoor use only the 2400 2454 MHz frequency band Channels 1 through 9 may be used For the latest requirements see http www art telecom fr L utilisation de cet e...

Page 185: ...described below and elsewhere in this guide Disposal of Waste Equipment by Users in Private Household in the European Union This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste Instead it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of was...

Page 186: ... não tem direito à proteção contra interferência prejudicial mesmo de estações do mesmo tipo e não pode causar interferência a sistemas operando em caráter primário Notice for Taiwan DGT LPD Low Power Device Statement DOCs for the European Community The following DOCs Declarations of Conformity apply to the European Community ...

Page 187: ...5 1 2008 12 EN 301 489 17 V2 1 1 2009 05 Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your...

Page 188: ...5 1 2008 12 EN 301 489 17 V2 1 1 2009 05 Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your...

Page 189: ...2009 05 Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MRLBB 0904 The RMN sh...

Page 190: ... Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MRLBB 0903 The RMN should no...

Page 191: ...01 489 17 V2 1 1 2009 05 Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MRLB...

Page 192: ...Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MRLBB 0802 The RMN should not be confused with the...

Page 193: ... 489 17 V2 1 1 2009 05 Health EN 50385 2002 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MRLBB ...

Page 194: ...2009 05 EN 62311 2008 Energy Use Regulation EC No 1275 2008 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your p...

Page 195: ...2311 2008 Energy Use Regulation EC No 1275 2008 Supplementary Information The product herewith complies with the requirements of the Low Voltage Directive 2006 95 EC the EMC Directive 2004 108 EEC and the R TTE Directive 1999 5 EC and carries the CE marking accordingly For regulatory identification purposes this product has been assigned a Regulatory Model Number RMN The RMN for your product is MR...

Page 196: ...Regulatory information B 16 ...

Page 197: ...ix C Connecting external antennas C Connecting external antennas Contents Introduction C 2 802 11n MIMO antennas for the E MSM466 C 2 802 11a b g antennas for MSM APs C 3 Radio power level setting example C 5 ...

Page 198: ... use any of the HP antennas discussed in this appendix with HP MSM access points Guides for the antennas discussed in this appendix are available online from www hp com networking support For Product Brand select ProCurve 802 11n MIMO antennas for the E MSM466 These four 802 11n MIMO antennas are certified only for use with the E MSM466 Access Point Caution Antennas J9169A and J9170A In the Europe...

Page 199: ...evices are designed to be compliant with the rules and regulations in locations they are sold and will be labeled as required Any changes or modifications to HP equipment not expressly approved by HP could void the user s authority to operate this device Use only antennas approved for use with this device Unauthorized antennas modifications or attachments could cause damage and may violate local r...

Page 200: ...Dual Band Diversity indoor antenna J8997A indoor only is a ceiling mounted spatial omnidirectional array Two independent vertically polarized radiators provide null free omnidirectional coverage for meeting rooms offices or other enclosed spaces 6 9 7 7 dBi Dual Band Directional antenna J8999A indoor outdoor is a directional patch array enclosed in a UV stable weatherproof radome The focused radia...

Page 201: ... chart screenshot below the intersection of row UNITED STATES and column 802 11g Mode J8997A indicates that the maximum radio power level is 15 dBm Please check the actual charts in the HP Antennas Power Level Setting Guide for current values Set the maximum power level of 15 dBm as follows MSM310 used as example 1 Launch the MSM AP management tool and log in 2 Select Wireless Radio 3 For Wireless...

Page 202: ...hot the tall dialog box is split in two 8 Select Save Additional information is available as follows For autonomous access points see Transmit power control on page 3 31 For controlled access points see Transmit power control in the MSM7xx Controllers Management and Configuration Guide Documentation is available online from www hp com networking support For Product Brand select ProCurve ...

Page 203: ...defaults D Resetting to factory defaults Contents Read this before resetting to factory defaults D 2 Resetting to factory defaults D 2 Using the reset button D 2 Using the management tool D 2 Factory defaulting ruggedized products D 4 ...

Page 204: ...92 168 1 1 User installed licenses are deactivated but are not deleted You must manually enable these licenses once the AP has restarted Factory installed licenses are always active Resetting to factory defaults Use the procedures in this section to set an AP to its factory default settings Using the reset button Note Not applicable to ruggedized APs This technique forces the AP into its factory d...

Page 205: ...ory defaults D 3 2 Under Reset configuration select Reset To reset the AP to factory defaults and FORCE it back into its default controlled mode follow this procedure 1 Select Maintenance System 2 Under Factory reset select Reset to Factory Default ...

Page 206: ...sover cable A Cat 5 Ethernet cable An 802 3af PoE power injector From the zip file extract the script file that corresponds to your version of Microsoft Windows into a folder such as C scripts These scripts are provided English MSMRemote en bat French MSMRemote fr bat German MSMRemote gr bat Italian MSMRemote it bat Spanish MSMRemote sp bat Note Microsoft Vista users must install and activate the ...

Page 207: ...or Data In port 5 Connect a Cat 5 Ethernet cable from the PoE injector Data and Power Out port directly to the AP 6 Open a command line session on the computer 7 In the folder containing the script specify the script name including its language identifier and the factory parameter like this MSMRemote en factory Press Enter to execute the script 8 Power on the PoE injector The script performs the r...

Page 208: ...Resetting to factory defaults Factory defaulting ruggedized products D 6 ...

Page 209: ......

Page 210: ...any L P The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP will not be liable for technical or editorial errors or omissions contained herein ...

Reviews:

No comments

Related manuals for E-MSM310

3Com AirConnect Read Me First preview
AirConnect
Brand: 3Com Pages: 2
Binatone WR1505N3 Quick Installation Manual preview
WR1505N3
Brand: Binatone Pages: 14
HABITECH RIVI RV65 Quick Setup preview
RIVI RV65
Brand: HABITECH Pages: 3
Kasda KW9621B Manual preview
KW9621B
Brand: Kasda Pages: 42
Ubiquiti airFiber AF-5 Quick Start Manual preview
airFiber AF-5
Brand: Ubiquiti Pages: 32
ZyXEL Communications NWA-3165 Specifications preview
NWA-3165
Brand: ZyXEL Communications Pages: 2
TP-Link TL-WR641G User Manual preview
TL-WR641G
Brand: TP-Link Pages: 86
Bountiful BWRG1000 User Manual preview
BWRG1000
Brand: Bountiful Pages: 58
Linksys MAX-STREAM AX4500 Quick Start Manual preview
MAX-STREAM AX4500
Brand: Linksys Pages: 6
D-Link DI-724P Manual preview
DI-724P
Brand: D-Link Pages: 101
LG ARND20BDAR2 Installation And Operation Manual preview
ARND20BDAR2
Brand: LG Pages: 56
LG LCB-003 Manual preview
LCB-003
Brand: LG Pages: 10
LG PWFMDD201 User Manual preview
PWFMDD201
Brand: LG Pages: 20
LG LCWB-001 User Manual preview
LCWB-001
Brand: LG Pages: 14
LG GoldStream LR3001 System Manual preview
GoldStream LR3001
Brand: LG Pages: 89
LG CR820 User Manual preview
CR820
Brand: LG Pages: 104
LG FM300 Service Manual preview
FM300
Brand: LG Pages: 128
LG WN8122E1 Manual preview
WN8122E1
Brand: LG Pages: 11

Brands by name

Popular brands

Load more brands