manualshive.com logo in svg

Intelicis Cedar 880AG, User Manual, Page: 36 / 105

Share
Download
Intelicis Cedar 880AG User Manual Download Page 36

 

                                                                                 

                                                                                

Cedar 880AG Enterprise Dual-Radio AP/Bridge

 

 

6 Security 

This chapter contains information on the following topics: 
 

 

Configure RADIUS profile 

 

Configure 802.1x authentication 

 

Configure MAC authentication 

 

Configure Filter to block certain traffic 

 
 

6.1 Overview 

6.1.1 802.1x Authentication 

 
Wireless Networks provide enormous flexibility, but they can also create potential 
security problems in the network. Extensible Authentication Protocol (EAP) is an 
authentication method that addresses the security issues in the wireless network. It is part 
of the 802.1x WLAN standards defined by IEEE. 
 
The IEEE 802.1x specification uses three important terms. The user or client who wants 
to be authenticated is called a supplicant. The actual server doing the authentication, 
typically a RADIUS server, is called the authentication server. And the device in 
between, such as a wireless access point, is called the authenticator. One of the key points 
of 802.1x is that the authenticator can be small and simple - all of the processing is done 
by the supplicant and the authentication server. This makes 802.1x ideal for wireless 
access points, which are typically small and have limited memory and processing power. 
 
Figure 6.1 illustrates a simple 802.1x authentication sequence. 
 
 

                                                                       

 

 

 

 36  

Summary of Contents for Cedar 880AG

Page 1: ...Cedar 880AG Enterprise Dual Radio Access Point Bridge User Guide Release 1 3 June 2007...

Page 2: ...enerates uses and can radiate radio frequency energy and if not installed and used in accordance with instruction manual may cause harmful interference with radio communications Operation of this equi...

Page 3: ...Enterprise Dual Radio AP Bridge this device is ensured to be within 15 ppm that an emission is maintained within the band of operation under all conditions of normal operation as specified in this us...

Page 4: ...iguration 15 3 1 Scan Tool 15 3 2 Default Setting 17 3 3 Web Management Interface 18 3 3 1 Menu 19 3 3 2 Tool Bar 19 4 System 22 4 1 System Setting 22 4 2 Change Password 23 4 3 Upgrade 24 4 4 System...

Page 5: ...60 7 3 4 Bridge Link with Multiple VLANs 61 8 Management 62 8 1 Management Setting 62 8 2 SNMP 62 9 Log 64 10 Monitor 65 10 1 Interfaces 65 10 2 Wireless Statistics 66 10 3 Rogue APs 66 10 4 Wireless...

Page 6: ...5 6 config radio 91 11 5 7 show brglnk 92 11 5 8 config brglnk 93 11 6 Management Commands 93 11 6 1 show telnet 93 11 6 2 config telnet 94 11 6 3 show ssh 94 11 6 4 config ssh 94 11 6 5 show web 95...

Page 7: ...Cedar 880AG Enterprise Dual Radio AP Bridge 11 8 8 Bridge Link with Multiple VLANs 102 Appendix I Recovery Procedure 104 7...

Page 8: ...g Description of the log file Monitor Description of how to monitor the system Command Line Interface Description of Command Line Interface CLI syntax 1 1 Wireless Network A wireless network is a flex...

Page 9: ...a very practical easy and in most cases inexpensive way to connect Ethernet LANs or extend the range of existing WLANs As illustrated in Figure 1 2 and 1 3 the access point can operate in point to po...

Page 10: ...locations Access point A serves as a base bridge while Access point B and C serve as non base bridges This is an ideal topology for central office to collect data from remote offices Figure 1 3 Point...

Page 11: ...ive wireless users and the type of service they are using e g VoIP are important factors to consider 1 4 Application Deployment Applications can be deployed easily after a network infrastructure is in...

Page 12: ...Point Mounting rubber foot for desktop installation 4 Power Adaptor CAT5 Ethernet cable RJ45 to RJ45 Cedar 880AG Product Resource CD 2 2 Physical Description 2 2 1 Top Panel Figure 2 1 Cedar 880AG To...

Page 13: ...the connection to PoE power source DB9 Connector This DB9 connector provides the connection to the PC serial port for local management A straight RS232 cable is needed not included in the package Ante...

Page 14: ...he power jack on the rear panel of Cedar 880AG Cedar 880AG also supports the 802 3af PoE standard If your switch or gateway has the capability to supply PoE to remote devices simply connect the Ethern...

Page 15: ...s the following functions z Discover Cedar AP s IP address MAC address and firmware version z Change AP s IP address z Upgrade AP s firmware z Switch on off AP s telnet SNMP and web interface Please f...

Page 16: ...s MAC address can be found at its back panel If the AP has acquired an IP address from the DHCP server use it to log in to AP s web interface section 3 3 5 If DHCP server is not available in the syst...

Page 17: ...The Cedar initial SNMP read write community name is private 8 In case SNMP telnet or web interface are accidentally turned off Scan Tool can be used to turn them back on again by clicking the Advanced...

Page 18: ...e is accessible from any web browser on the network Enter the Cedar IP address and port 8080 in the browser address line to activate the Cedar Web Interface You will be prompted for username and passw...

Page 19: ...reless Configure wireless parameters such as SSID radios Management Configure Telnet SSH and SNMP parameters Log Display system log file Monitor Display statistics and usage of the system 3 3 2 Tool B...

Page 20: ...nable and enter your privilege password Save All configuration changes must to be saved into the system One efficient way of doing this is by clicking Save The save operation is required otherwise cha...

Page 21: ...Cedar 880AG Enterprise Dual Radio AP Bridge Logout Click Logout to log out of the system Help Click Help to receive on line help information 21...

Page 22: ...tem Name is a descriptive string maximum length of 20 that describes the system The default value is none Login Name The administrator uses the combination of Login Name and Login Password to log in t...

Page 23: ...is time nist gov SNTP Offset The SNTP Server uses the UTC Universal Time Coordinated as the reference for the current time The SNTP offset specifies the number of hours to be added to or subtracted f...

Page 24: ...vilege mode The manufacture default value is changeitnow Changes to Login Password and or Privilege Password are saved automatically You do not need to save the changes by clicking Save in the tool ba...

Page 25: ...server as anonymous with no password Server IP The Server IP is the IP address of the local FTP or TFTP server where Cedar can retrieve the firmware An example of the Server IP is 192 168 15 184 File...

Page 26: ...Copy the command file to a local FTP server root directory Make sure the file can be retrieved via anonymous login with no password Copy the command file to a user s FTP home directory Make sure the f...

Page 27: ...TP Server IP address and the username and password Cedar uses to log in to the FTP Server If the username and password are not specified Cedar logs into the FTP server as anonymous with no password Ce...

Page 28: ...concept extends to a wireless network Wireless clients can be grouped into wireless sub networks A client can access the network by connecting to an AP which supports its assigned VLAN see Figure 5 1...

Page 29: ...IP addresses to computers on a network Dynamic addressing simplifies network administration because the software keeps track of IP addresses This means a new computer can be added to a network withou...

Page 30: ...for the AP The AP will always have the same IP address after each reboot IP address For DHCP mode The DHCP Server assigns a dynamic IP address to the AP For Static mode Enter the static IP address for...

Page 31: ...xample com rather than 198 105 232 4 5 2 2 VLAN Select Network VLAN to display the Virtual LANs in the system By default VLAN support is disabled in Cedar In this case a single lan with the VLAN ID un...

Page 32: ...ces associated with this VLAN The system initially comes with three interfaces eth0 Ethernet wlan0 wireless radio 1 and wlan1 wireless radio 2 Enabling VLAN support automatically creates new interface...

Page 33: ...erform this function DHCP Setting On Enable DHCP service Off default Disable DHCP service Pool Status The pool status should be turned on to enable DHCP service Net Specify the subnet where you want t...

Page 34: ...address network mask default gateway and DNS for your AP 2 Click Network IP from the Cedar web interface to modify the network settings 3 Select Static as the network mode The three parameters of IP...

Page 35: ...Network IP from Cedar web interface to modify the network settings 3 Select Tagged and enter the VLAN ID 4 The VLAN ID change takes effect immediately You will need to change the port which the AP is...

Page 36: ...It is part of the 802 1x WLAN standards defined by IEEE The IEEE 802 1x specification uses three important terms The user or client who wants to be authenticated is called a supplicant The actual serv...

Page 37: ...er responds with a success message which is then passed onto the supplicant The authenticator now allows access to the network with possible restrictions based on attributes that came back from the au...

Page 38: ...Click the existing profile name to enter the editing screen or click the Add button to create a new one Profile Name Enter a descriptive name for the profile The maximum length is 15 RADIUS NAS IP Wh...

Page 39: ...primary and or secondary authentication RADIUS server If the Cypress RADIUS server is used this secret must match the secret configured in the RADIUS Network Access Server NAS Accounting Server IP Add...

Page 40: ...ing is 3600 seconds 60 minutes Dynamic WepKey Length If dynamic WEP keys are used for data encryption this parameter defines the length of the generated keys in bits The default is 128 bits WebKey Upd...

Page 41: ...e Deny List Consult RADIUS Server if not found on the Permit or Deny Lists The client s MAC address is first checked against the Permit and Deny Lists If it is on the Permit List access is granted If...

Page 42: ...st priority and will be checked first When a condition is met e g the IP address matched action will be taken immediately e g permit or deny Otherwise the AP continues checking using the rest of the f...

Page 43: ...server For example User Name test1 Password xxx Type EAP 3 Click Security RADIUS from the Cedar web interface to display all the RAIDUS profiles 4 Click Add to add a new profile Enter the following s...

Page 44: ...ofiles 4 Click Add to add a new profile Enter the following sample data and use default for the rest of the parameters Profile Name myRADIUS Primary Auth Server IP Address 192 168 1 1 Primary Auth Ser...

Page 45: ...n a wireless user connects to the AP using a WLAN he may or may not be authorized to use that WLAN During the authentication phase the RADIUS server not only authenticates the user but also returns us...

Page 46: ...Cedar 880AG Enterprise Dual Radio AP Bridge Figure 7 1 Bridge Link in Multiple VLANs Network 7 2 Web Interface 7 2 1 Wireless Setting 46...

Page 47: ...on the AP does not perform any EAP related authentication Instead the AP relays the requests to a wireless switch and relies on the switch to perform this function The default setting is off 7 2 2 WL...

Page 48: ...Cedar 880AG Enterprise Dual Radio AP Bridge 48...

Page 49: ...ature is disabled VLAN ID Specify whether the VLAN ID tag will be used Untagged default The wireless packets of this WLAN are untagged Tagged VLAN ID The wireless packets of this WLAN are tagged with...

Page 50: ...e The key or passphrase configured on the client s machine must match those stored on the AP The administrator may choose one two or all three of the association mode and encryption method combination...

Page 51: ...option is disabled which allows any supported rate to be used Min Rate to Associate This parameter allows you to set a minimum rate required for association If a client station does not support any ra...

Page 52: ...Cedar 880AG Enterprise Dual Radio AP Bridge 52...

Page 53: ...Choose bg if you want to support both 802 11b and 802 11g devices super ag Enabling Super AG provides better performance by increasing radio throughput Channel Select a channel for the AP If auto is...

Page 54: ...nd receiving on nearby channels To prevent one radio from interfering with the other you may want to reduce its power Auto the default setting 1 20 dbm Mode Select one of the operating modes for AP Th...

Page 55: ...transmitted by an AP at regular intervals to announce the existence of the wireless network This parameter has a range of 20 to 1000 ms The default setting is to send a beacon once every 100 ms Preamb...

Page 56: ...d disassociate a station Stations that are sleeping in power save mode are disassociated first Channel Utilization to Deny This load balancing feature attempts to maintain a useable throughput for a p...

Page 57: ...ANs from different locations by connecting them wirelessly Select Wireless Bridge Link to list the available Bridge Links in the system Click the existing Bridge Link name to enter the editing screen...

Page 58: ...ges the further the distance the higher the power Adjust the link distance parameter as you see fit Name Enter a descriptive name for the Bridge Link The maximum length is 7 Link SSID Enter the SSID t...

Page 59: ...list box 6 Click Apply 7 Click Wireless Radio 2 from the Cedar web interface to display radio 2 parameters 8 Click myWLAN from the available WLAN list box and add it to the selected WLAN list box 9 Cl...

Page 60: ...y 11 Save the configuration 7 3 3 Bridge Link 1 Click Wireless Bridge Link from the Cedar web interface to display all the Bridge Links 2 Click Add to add a new Bridge Link Enter the following sample...

Page 61: ...ons in Chapter 5 3 2 to configure management VLAN ID 2 Follow instructions in Chapter 7 3 1 or 7 3 2 to create a WLAN Assign a VLAN ID to the WLAN When the WLAN is added to Radio 1 or 2 the system aut...

Page 62: ...administrator can modify the telnet SSH or Web interface setting by selecting Management from the menu 8 2 SNMP In addition to the command line interface and web interface the Cedar access point can...

Page 63: ...ing Enable or disable SNMP Read Only Community Name The SNMP community name for read only GET operations The default value is public Read Write Community Name The SNMP community name for read and writ...

Page 64: ...Cedar 880AG Enterprise Dual Radio AP Bridge 9 Log The Cedar log file can be viewed by selecting Log from the menu 64...

Page 65: ...terfaces Monitor radios Monitor Rogue APs Monitor wireless users Monitor wireless links 10 1 Interfaces Interface statistics are available for the administrator to monitor network activities Select Mo...

Page 66: ...etwork activities Select Monitor Radio to display radio 1 and radio 2 statistics 10 3 Rogue APs Cedar periodically scans its coverage area for information about other access points If any of the AP ap...

Page 67: ...P to display information about rogue APs The administrator needs to turn on the Rogue AP detection in the Radio screen in order to enable this feature 10 4 Wireless Users The administrator can select...

Page 68: ...s are received from the wireless user Tx Rate Transmission rate Idle Time The amount of the time the AP has remained inactive Channel Usage A ratio indicating how busy the AP is Rx Pkts Number of pack...

Page 69: ...bridge link Signal Signal to Noise Ratio at the AP when frames are received from the bridge link Tx Rate Transfer rate Idle Time The amount of the time the AP has remained inactive Channel Usage A ra...

Page 70: ...R is calculated according to the following formula the higher this number the better the signal quality It is highly recommended to maintain the SNR in green color larger than 36 SNR dB Signal dBm Noi...

Page 71: ...owing commands telnet 192 168 1 188 ssh 192 168 1 188 11 1 Base Commands 11 1 1 enable Syntax enable Description This command allows the user to enter the privileged mode to do advanced configuration...

Page 72: ...ave 11 1 4 quit Syntax quit Description This command allows the user to quit from current CLI session This command is equivalent to exit Example Cedar quit 11 1 5 exit Syntax exit Description This com...

Page 73: ...ption Reset the current system configuration to manufacturer default and reboot the system Example Cedar reset 11 1 8 up arrow Syntax Description Display the previous typed command from the command hi...

Page 74: ...ferent debug level can be used to control the amount of debug messages in the specified module Example Cedar debug enable global switch for debug messages Cedar debug auth 3 11 1 11 undebug Syntax und...

Page 75: ...ion Display system information including system login name model firmware version system time and system up time Example Cedar show system 11 2 2 config system Syntax config system name string login_n...

Page 76: ...ession time System time export The AP configuration can be exported to a file on an FTP server import The CLI command file can be imported from an FTP server Example Cedar config system name MyAP Ceda...

Page 77: ...me username username password password Description Upgrade system firmware The system uses the provided username and password to retrieve new firmware from either FTP or TFTP server and then performs...

Page 78: ...3 4 addr ip address netmask netmask address mode static dhcp clear Description Configure interface IP addresses and operation mode Each interface allows up to 5 different IP addresses clear It is use...

Page 79: ...eated automatically by the system when management vid mgmt_vid or WLAN vid is configured to value other than untagged aging The time interval an inactive MAC address remains in the MAC table before it...

Page 80: ...edar show ip dhcp pool 0 Cedar show ip dns Cedar show ip route 11 3 6 config ip Syntax config ip dhcp dns route Description dhcp Configure DHCP server related operations dns Configure DNS related oper...

Page 81: ...e Server IP address wins Windows Internet Name Server IP address gw Gateway IP address lease_time Valid time period for assigned IP from DHCP server Example Cedar config ip dhcp on Cedar config ip dhc...

Page 82: ...ly gw The gateway IP address of the specified route will apply if The interface of the specified route will apply Example Cedar config ip route add net 10 60 0 0 netmask 255 255 0 0 if lan Cedar confi...

Page 83: ...profile name del profile name profile name radius_failover_limit radius_nas_ip ip address primary_radius_retry_period primary_auth_ip ip address primary_auth_port primary_auth_secret string secondary...

Page 84: ...condary_auth_secret The secret for communicating with the secondary authentication radius server Default value is changeitnow primary_accounting_ip IP address of the primary accounting radius server p...

Page 85: ...Default is 3600 seconds wep_key_len The length of the generated dynamic WEP keys in bits Default is 128 bits Wep_key_interval The time interval the dynamic WEP keys will be re generated Default is 300...

Page 86: ...radius Example Cedar config auth mac profile add MAC Cedar config auth mac profile MAC denyadd 000cf157b3be Cedar config auth mac profile MAC auth_method radius 11 4 3 show filter Syntax show filter D...

Page 87: ...atch the rules will go to the immediate next rule to do further matching It is used for multiple rule chain priority 1 is the highest priority mac 000000000000 means all MAC addresses ip 0 0 0 0 means...

Page 88: ...e link Example Cedar show wireless summary Cedar show wireless rogue Cedar show wireless link 11 5 2 config wireless Syntax config wireless on off 80211d on off eap_relay on off Description 8021ld Ena...

Page 89: ...pa2 wpa psk wpa2 psk wpa wpa2 wpa psk wpa2 psk encrypt none wep tkip aes wep tkip wep aes tkip aes wep tkip aes wep_key_0 string that is 5 13 or 16 characters long wep_key_1 string that is 5 13 or 16...

Page 90: ...e The association type between the client and AP connection encrypt The encryption mechanism used for the association wep_key_ The WEP key used for encryption default_wep_key The index to the WEP key...

Page 91: ...eshold 256 2346 rts_threshold 0 2347 cts_protection on off antenna diversity 1 2 drop_load off 0 99 deny_load off 0 99 intra_bss on off rogue_detection on off wmm on off distance 0 50 kilometers wlana...

Page 92: ...reless clients to synchronize with the AP fragm_threshold Fragmentation threshold rts_threshold Request to send threshold cts_protection Enable Disable Clear to send protection antenna Antenna to rece...

Page 93: ...fig brglnk Syntax config brglnk add brglnk name del brglnk name brglnk name link_ssid string security_key string that is 8 to 63 characters lon Description link_ssid SSID used between the base and non...

Page 94: ...onfig telnet on off port port Description Configure TELNET server parameters port Port number which TELNET server will listen to Example Cedar config telnet port 12000 Cedar config telnet on 11 6 3 sh...

Page 95: ...ort 12000 Cedar config ssh on 11 6 5 show web Syntax show web Description Display WEB server configuration Example Cedar show web 11 6 6 config web Syntax config web on off port port Description Confi...

Page 96: ...ite on off Description Configure SNMP community settings name SNMP community name write Enable or disable write privilege Example Cedar config snmp on Cedar config snmp community private write on Ceda...

Page 97: ...scription Configure system log settings Example Cedar config syslog on Cedar config syslog clear 11 7 Miscellaneous Commands 11 7 1 ping Syntax ping host Description A utility to test the network conn...

Page 98: ...how arp Description Display ARP table information Example Cedar show arp 11 7 4 show memory Syntax show memory Description Display system memory usage information Example Cedar show memory 11 8 Exampl...

Page 99: ...6 To execute a CLI command file Cedar import system runtime_cfg 192 168 15 184 batch cli admin xxx 11 8 2 Network Commands Network parameter changes take effect immediately You can perform the follow...

Page 100: ...ig radius user_db add test1 test1 eap Cedar config radius user_db add test2 test2 eap 2 Create a RADIUS profile Cedar config auth radius profile add myRADIUS Cedar config auth radius profile myRADIUS...

Page 101: ...Cedar show auth profile myMAC 4 Save the configuration changes Cedar config save 11 8 5 WLAN with WPA and 802 1x Authentication 1 Create a WLAN Cedar config wlan add myWLAN Cedar config wlan myWLAN ss...

Page 102: ...edar show radio 2 3 Save the configuration changes Cedar config save 11 8 7 Bridge Link 1 Create a Bridge Link Cedar config brglnk add myLink Cedar config brglnk myLink link_ssid 123 Cedar config brgl...

Page 103: ...ar config wlan myWLAN radius_profile myRADIUS Cedar config wlan myWLAN 8021x_auth_profile my8021x Cedar config wlan myWLAN 8021x_auth on Cedar show wlan myWLAN 3 Follow instructions in Chapter 11 8 7...

Page 104: ...The baud rate for the serial port is 115200 Ethernet Dead Unit TFTP server 192 168 1 237 straight console cable 3 Power on the dead unit and you will see Start booting message in console Press the Con...

Page 105: ...nc Copyright C 2005 Devicescape Software Inc RAM 0x80010000 0x81000000 0x8006ad50 0x80fe1000 available FLASH 0xbe000000 0xbe7e0000 126 blocks of 0x00010000 bytes each Executing boot script in 4 000 se...

Reviews:

No comments