manualshive.com logo in svg

Lancom WLC-4006, User Manual, Page: 15 / 113

Share
Download
Lancom WLC-4006 User Manual Download Page 15

LANCOM WLC

-

4006 -  LANCOM WLC

-

4025

 Chapter 1: Introduction

15

EN

The Access Point sends a "discovery request message" at the beginning of
communication to determine the available WLAN Controllers. This request is
sent as a broadcast. However, because in some structures a potential WLAN
Controller cannot be reached by a broadcast, special addresses from addi-
tional WLAN Controllers can also be entered into the configuration of the
Access Points. 

DNS names of WLAN Controllers can also be resolved. All Access
Points with LCOS 7.22 or higher have the default name 'WLC-Address'
pre-configured so that a DNS server can resolve this name to a
LANCOM WLAN Controller. This also makes it possible to reach WLAN
Controllers that are not located in the same network, without having
to configure the Access Points.

From the available WLAN Controllers, the Access Point selects the best one
and queries it for the structure of the DTLS connection. For the Access Point,
the "best" WLAN Controller is the one with the least load, i.e., the lowest ratio
of managedAccess Points compared to the maximum possible Access Points.
In case of two or more equally "good" WLAN Controllers, the Access Point
selects the nearest one in the network, i.e., the one with the fastest response
time.

The WLAN Controller then uses an internal random number to determine a
unique and secure session key which it uses to protect the connection to the
Access Point. The WLAN Controller also automatically creates a self-signed
certificate for the Access Point with which it can later uniquely identify itself
to the WLAN Controller. 

The Access Point is provided with the configuration for the integrated SCEP
client via the secure DTLS connection – the Access Point is then able to retrieve
its certificate from the SCEP CA via SCEP. Once this is done, the assigned con-
figuration is transferred to the Access Point.

SCEP stands for Simple Certificate Encryption Protocol; CA for Certifi-
cation Authority. Refer to the LCOS reference manual for further infor-
mation about digital certificates, CAs and SCEP.

Summary of Contents for WLC-4006

Page 1: ...LANCOM WLC 4006 LANCOM WLC 4025...

Page 2: ...entation if they were present at the time of printing Trademarks Windows Windows Vista Windows XP and Microsoft are registered trademarks of Microsoft Corp The LANCOM Systems logo LCOS and the name LA...

Page 3: ...be seamlessly integrated any IP connection will do Smaller sites also benefit from the RADIUS EAP server integrated into the LANCOM WLAN Controller At the same time the LANCOM WLAN Controllers ensure...

Page 4: ...anual and reference manual The documentation of your device consists of the following parts Installation guide User manual Reference manual You are now reading the user manual It contains all informat...

Page 5: ...discussed in this manual or require any further support The area Support will help you with many answers to frequently asked questions FAQs Furthermore the knowledgebase offers you a large reserve of...

Page 6: ...2 System requirements 20 2 2 1 Configuring the LANCOM devices 20 2 2 2 Operating access points in managed mode 21 2 3 Introducing the LANCOM WLAN Controller 21 2 3 1 Status displays 21 2 3 2 LC displa...

Page 7: ...Further configuration details 61 4 3 1 Accept new Access Points into the WLAN infrastructure manually 61 4 3 2 Manually removing Access Points from the WLAN infra structure 63 4 3 3 Inheritance of pa...

Page 8: ...3 1 Wizard for LANconfig 85 5 3 2 Wizard for WEBconfig 85 5 4 The firewall wizard 85 5 4 1 Wizard for LANconfig 86 5 4 2 Configuration under WEBconfig 86 5 5 The security checklist 87 6 Setting up In...

Page 9: ...etBIOS routing 102 8 2 Settings for the dial in computer 103 8 3 Instructions for LANconfig 103 8 4 1 Click VPN for LANCOM Advanced VPN Client 104 8 5 Instructions for WEBconfig 105 9 Appendix 106 9 1...

Page 10: ...tions medium air requires effective coordination of the Access Points to avoid frequency interference and optimize network performance Access Points in public places pose a potential security risk bec...

Page 11: ...via UDP This also makes DTLS suitable for the transfer of VoIP packets unlike TLS because even after the loss of a packet the subsequent packets can be authenticated again Data channel optionally als...

Page 12: ...igence Split MAC With this variant only a portion of the WLAN functions are transferred to the WLAN Controller Normally realtime applications will continue to be processed in the Access Point the non...

Page 13: ...nfrastructure of this type prevents the WLAN Controller from becoming a central bottleneck that has to process large portions of the overall data traffic In remote MAC and split MAC architectures all...

Page 14: ...t is already configured at least one WLAN module is manually set to operate as managed Configuring the Access Points Page 79 The Access Point searches for a WLAN Controller in the LAN on behalf of the...

Page 15: ...tion For the Access Point the best WLAN Controller is the one with the least load i e the lowest ratio of managedAccess Points compared to the maximum possible Access Points In case of two or more equ...

Page 16: ...he certificate and configuration provided they are not explicitly deactivated in the configuration The management and configuration data will then be transferred via the CAP WAP tunnel The payload dat...

Page 17: ...e configuration in the Access Point all other functions can be managed separately This division of the configuration tasks makes LANCOM WLAN Controllers perfect for building a company wide WLAN infras...

Page 18: ...S EAP TTLS PEAP MSCHAP or MSCHAPv2 Proxy mode for external RADIUS EAP servers forwarding and realm handling 802 11e WME Automatic VLAN tagging 802 1p in the Access Points Conversion to DiffServ attrib...

Page 19: ...erading NAT PAT to conceal individual LAN workstations behind a single pub lic IP address Stateful inspection firewall Firewall filter for blocking individual IP addresses protocols and ports MAC addr...

Page 20: ...essories If anything is missing please contact your retailer or the address stated on the delivery slip of the unit 2 2 System requirements 2 2 1 Configuring the LANCOM devices Computers that connect...

Page 21: ...or higher and a current loader version 1 86 or higher 2 3 Introducing the LANCOM WLAN Controller This section introduces your device We will give you an overview of all status displays connections and...

Page 22: ...d colour Flashing means that the LED lights up very briefly in the respective col our and stay then clearly longer approximately 10x longer switched off Inverse flashing means the opposite The LED lig...

Page 23: ...after power up Green On perma nently Device operational Red green Blinking alter nately Device insecure Configuration password not set Orange green In the housing cover blinking alternately with the o...

Page 24: ...monitor shows you when a charge or time limit has been reached To reset the toll protec tion activate the context menu right mouse click Reset charge and time limits The charge settings are defined in...

Page 25: ...st one expected access point has not been found Off No VPN tunnel established Green Blinking Connection establishment Green Flashing First connection Green Inverse flashing Other connections Green On...

Page 26: ...r have to be updated before the Access Point can be accepted by a WLAN Controller As soon as the Access Point has made contact to the WLAN Controller the LEDs resume their normal function as described...

Page 27: ...Number of authenticated Access Points Number of expected Access Points actively configured Number of new discovered and as yet unauthenticated Access Points Number of unfound expected Access Points If...

Page 28: ...ted by someone pressing the reset button too long With the suitable setting the behavior of the reset but ton can be controlled accordingly Reset button This option controls the behavior of the reset...

Page 29: ...leads to a loss on the WLAN encryption settings within the device and that the default WEP key is active again Connector for the IEC cable LANCOM WLC 4025 or power supply unit LANCOM WLC 4006 Power sw...

Page 30: ...LANCOM WLC 4006 use only the supplied power adapter The use of the wrong power adapter can be of danger to the device or persons Supply power and switch on Using the IEC cable supply power to the devi...

Page 31: ...l of your LANCOM routers and LANCOM access points WLANmonitor enables the observation and surveillance of wireless LAN networks Clients connected to the access points are shown and even non authentica...

Page 32: ...le free access to the device 3 1 Which information is necessary The basic configuration wizard will take care of the basic TCP IP configuration of the device and protect the device with a configuratio...

Page 33: ...uration is optional You may also select man ual configuration instead Make your selection after the following considera tions Choose automatic configuration if you are not familiar with networks and I...

Page 34: ...ministrators can be set up Further information can be found in the section Managing rights for different administrators in the LCOS reference manual In the managed mode the LANCOM Wireless Routers and...

Page 35: ...address from a suitable address range to the LANCOM Confirm your choice with Next Specify whether or not the router should act as a DHCP server Make your selection and confirm with Next In the follow...

Page 36: ...wo server processes exchange the assignment of IP addresses to symbolic names within the LAN between each other After powered on unconfigured LANCOM devices check first whether a DHCP server is alread...

Page 37: ...configuration PC Network with DHCP server If a DHCP server is active in the LAN to assign IP addresses an unconfigured LANCOM device will turn off its own DHCP server It will change into DHCP client m...

Page 38: ...config Start your web browser e g Internet Explorer Firefox Opera and call the LANCOM Router there http IP address of the LANCOM or with a name as discribed above If you cannot access an unconfigured...

Page 39: ...ult your device may offer different wiz ards than those shown here If you have chosen automatic TCP IP configuration please continue with Step If you would like to configure the TCP IP settings manual...

Page 40: ...with a password In the next window select your DSL provider from the list that is displayed Confirm your choice with Apply If you select My provider is not listed here you must enter the transfer pro...

Page 41: ...uses DHCP to specify its own IP address as that of the default gateway and DNS server The PCs must therefore be configured so that they automatically obtain their own IP address and the IP addresses...

Page 42: ...LANCOM WLC 4006 LANCOM WLC 4025 Chapter 3 Basic configuration 42 EN...

Page 43: ...set to the Access Point mode Instructions on setting the operating mode for WLAN modules are to be found under Configuring the Access Points Page 79 4 1 Basic settings for the LANCOM WLAN Controller...

Page 44: ...from a time server by means of the Network Time Pro tocol NTP Information on NTP and its configuration can be found in the LCOS reference manual As soon as the WLAN Controller has valid time informat...

Page 45: ...l tab activate the options for the automatic acceptance of new Access Points and the provision of a default configuration Automatically accept new Access Points Enables the WLAN Controller to provide...

Page 46: ...tion method suitable for the WLAN cli ents being used and enter a key or passphrase as applicable Deactivate the MAC check Instructions on the use of MAC filter lists in managed WLAN infrastructures c...

Page 47: ...COM WLC 4006 LANCOM WLC 4025 Chapter 4 Configuring the WLAN Controller 47 EN Create a new WLAN profile give it an unique name and assign the above logical WLAN network and physical WLAN parameters to...

Page 48: ...ters Upon assignment of the configuration the Access Points change their status in the WLAN Controller management from New Access Point to Expected Access Point and they are listed in the device displ...

Page 49: ...accept new APs Auto accept Enables the WLAN Controller to provide all new Access Points with a configuration even those not in possession of a valid certificate Enables the WLAN Controller to provide...

Page 50: ...various settings that are to be assigned to the Access Points The allocation of WLAN profiles to the Access Points is set in the AP table The following parameters can be defined for every WLAN profile...

Page 51: ...defined in a profile Consequently each LANCOM Access Point be it a model offering 2 4 GHz or 5 GHz support can choose from a maximum of eight logical WLAN networks Physical WLAN parameters A set of p...

Page 52: ...ork name Name of the logical WLAN network under which the settings are saved This name is only used for internal administration of logical networks Maximum 32 ASCII characters Inheritance Selection of...

Page 53: ...ntinue to operate with the configuration stored in flash for the time period entered here The Access Point can also continue to work with this flash configuration after a local power outage If there i...

Page 54: ...uration provided by the WLAN Controller is not stored in flash memory but in RAM meaning that a power outage causes the configuration to be lost immediately 9999 Continues working indefinitely with th...

Page 55: ...are to be inherited Inheritance of parameters Page 64 Country The country in which the Access Point is to be operated This information is used to define country specific settings such as the permitted...

Page 56: ...l values 0 Switches the use of VLAN off 1 Switches the use of VLAN on the management network remains untagged however 2 to 4094 Switches the use of VLAN on the management network uses the VLAN ID set...

Page 57: ...he Access Point in managed mode Maximum 251 ASCII characters WLAN profile WLAN profile from the list of defined profiles WLAN profiles Page 50 WLAN interface 1 Frequency of the first WLAN module This...

Page 58: ...mmunications over the control channel Without encryption the control data is exchanged as plain text In both cases authentication is by certificate Values DTLS no default Special values Default makes...

Page 59: ...notification Values Active Access Point notification Missing Access Point notification New Access Point notification Default parameters For some parameters default values can be defined centrally and...

Page 60: ...activate the WLAN module Values 2 4 GHz 5 GHz off WLAN interface 2 Frequency of the second WLAN module This parameter can also be used to deactivate the WLAN module Values 2 4 GHz 5 GHz off Encryption...

Page 61: ...ccess Point with the right hand mouse key From the context menu that pops up you select the configuration which is to be assigned to the device Assignment of the configuration causes the Access Point...

Page 62: ...configuration New Access Points that do not have a valid certificate and do not have an entry in the AP table can be manually accepted by means of a wizard in WEBconfig A configuration is selected tha...

Page 63: ...il assignment of the certificate is completed 4 3 2 Manually removing Access Points from the WLAN infrastructure The following actions are required to remove an Access Point under manage ment of the W...

Page 64: ...e to inherit selected properties from the logical WLAN networks and the physical WLAN parameters You should initially generate the basic settings that are valid for the majority of the managed Access...

Page 65: ...WLAN Controllers are employed in parallel in the same WLAN infra structure for load balancing or if a device is being replaced or reconfigured the same root certificates should always be used to avoi...

Page 66: ...entries for SCEP CA as data type one after the other and confirm with Start download PKCS12 container with CA backup PKCS12 container with RA backup The backup file is then stored to your data medium...

Page 67: ...vice certificates issued for the individual Access Points by the SCEP CA If the root certificates only were backed up then any issued device certificates can no longer be revoked For this reason the f...

Page 68: ...Start upload 4 3 6 Backup solutions LANCOM WLAN Controllers manage a large number of Access Points which in turn may have a large number of WLAN clients associated with them WLAN Controllers thus play...

Page 69: ...ation to ensure that checks on the certificate validity period all produce the same result Apart from these basic settings you can choose between two different backup scenarios Backup with redundant W...

Page 70: ...icates Because the Access Points are also entered into the backup controller s AP table along with their MAC addresses the backup controller can fully take over the management of the Access Points Cha...

Page 71: ...A LANCOM Access Point in managed mode will search the LAN for a WLAN Controller that will provide the configuration During this search the Access Point may find var ious suitable WLAN Controllers The...

Page 72: ...on After being started the Access Points search for a WLAN Controller by emitting a discovery message In this case all three LANCOM WLAN Controllers respond to this message the Access Points select th...

Page 73: ...s from primary and secondary WLAN Controllers then primary controllers are preferred From the available WLAN Controllers the Access Point selects the one with the lowest load i e that with the lowest...

Page 74: ...e RADIUS requests are automatically forwarded to the WLAN Controller This forwards the request in turn to the configured RADIUS server The RADIUS server can check the access rights of the WLAN clients...

Page 75: ...n external RADIUS server An external RADIUS server is required for the automatic assignment of a VLAN ID based on registration data To forward RADIUS requests to another RADIUS server use LANconfig to...

Page 76: ...ints or permanently removing them from the WLAN infrastructure Occasionally it is necessary to temporarily deactivate or even permanently remove a WLAN Controller managed Access Point Access Point dea...

Page 77: ...from the WLAN infrastructure In order to permanently remove an Access Point from a centrally managed WLAN infrastructure the certificates in the SCEP client have to be either deleted or revoked If yo...

Page 78: ...ess the utilized frequency band and channel Using the right hand mouse key a context menu can be opened for the Access Points and the following commands are available Assign new Access Point to profil...

Page 79: ...il they discover a suitable WLAN Controller or until the operating mode of the WLAN module is changed manually When shipped the WLAN modules in LANCOM Wireless Routers are set to the Access point oper...

Page 80: ...nge the operating mode for multiple devices you can use a simple script on the devices with the following lines Script 7 22 23 08 2007 lang English flash 0 cd Setup Interfaces WLAN Operational set WLA...

Page 81: ...LAN VPN in combination with external VPN gate way 5 1 1 Closed network Each Wireless LAN according to IEEE 802 11 has its own network name SSID This network name serves as identification and enables a...

Page 82: ...sources of passphrase sharing LEPS uses an additional column in the ACL to assign an individual passphrase consisting of any 4 to 64 ASCII characters to each MAC address The connection to the access p...

Page 83: ...cases a combination of these two mechanisms is possible Further details to WLAN security and the used encoding methods can be found in the LCOS reference manual 5 1 5 802 1x EAP The international indu...

Page 84: ...in case of smallest suspicion of a leak LEPS prevents the global spread of passphrases Activate LEPS to enable the use of individual passphrases 5 3 The security settings wizard Access to the configu...

Page 85: ...Inspection ping blocking and Stealth mode in the the firewall configuration The wizard will inform you when entries are complete Complete the con figuration with Finish 5 3 2 Wizard for WEBconfig Unde...

Page 86: ...e setup wizard Configuring Firewall and confirm your choice with Next In the following windows select the services protocols the rule should be related to Then you define the source and destination st...

Page 87: ...ration If you do not require remote configuration then deactivate it If you require remote configuration then be sure to assign a password protec tion for the configuration see previous section The fi...

Page 88: ...ombinations of protocols TCP UDP ICMP can be filtered It is particularly easy to set up the filters with LANconfig The Rules tab under Firewall QoS can assist you to define and change the filter rules...

Page 89: ...II characters to each MAC address The connection to the access point and the subsequent encryption with IEEE 802 11i or WPA is only possible with the right combination of passphrase and MAC address Ha...

Page 90: ...period Have you ensured that the reset button is safe from accidental configuration resets ome devices simply cannot be installed under lock and key There is con sequently a risk that the configurati...

Page 91: ...r any further transfer parameters to configure your Internet access Only the authentication data that are supplied by your provider are required Additional information for unknown Internet providers I...

Page 92: ...an also be used with flat rate billing to con tinuously check the function of the remote station You also have the option of keeping flat rate connections alive if required Dropped connections are the...

Page 93: ...the following window select your country and your Internet provider if possible and enter your access information Depending on their availability the wizard will display additional options for your I...

Page 94: ...more extensive configuration measures for both devices however Please refer to the reference manual for more information in this regard A setup wizard handles the configuration of the connection in th...

Page 95: ...ic VPN connections can be enabled not only between gateways with fixed static IP addresses but even between gate ways with dynamic IP addresses Entry Gateway 1 Gateway 2 Type of the local IP address s...

Page 96: ...r in our example 10 0 1 x and 10 0 2 x These network numbers may not be identical Unlike when accessing the Internet all of the IP addresses in the involved net works are visible on the remote side wh...

Page 97: ...Extranet VPN mode is hidden behind its gateway s address 10 10 2 100 and on of its IP stations e g 10 10 2 13 accesses the IP station 10 10 1 2 of the branch office then the branch office s IP statio...

Page 98: ...required computer 7 3 1 Click VPN for networks site to site The site to site coupling of networks is now very simple with the help of the 1 Click VPN wizard It is even possible to simultaneously coupl...

Page 99: ...he devices onto the entry for the central router The 1 Click VPN Site to Site Wizard will be started Enter a name for this access and select the address under which the router is accessible from the I...

Page 100: ...gu ration For details please see the reference manual Perform the configuration on both routers one at a time From the main menu launch the Connect two local area networks wiz ard Follow the wizard s...

Page 101: ...cts You must of course protect your LAN against unauthorized access Network couplings via VPN transmit data by IPSec The data are encrypted by AES 3 DES Blowfish or CAST encryption algorithms 8 1 Whic...

Page 102: ...users During both manual and automatic IP address assignment please ensure that only free addresses from the address range of your local network are used In our example the IP address 10 0 1 101 will...

Page 103: ...requires an Internet access a VPN client LANCOM Systems offers a 30 days trial version of the LANCOM Advanced VPN Client on the LANCOM CD A detailed description of the LANCOM Advanced VPN Client and...

Page 104: ...th 1 Click VPN Enter a name for this access and select the address under which the router is accessible from the Internet In the final step you can select how the access data is to be entered Save pro...

Page 105: ...to be used is Aggressive Mode IKE config mode The IKE config mode is activated the IP address infor mation for the LANCOM Advanced VPN Client is automatically assigned by the LANCOM VPN Router 8 5 In...

Page 106: ...EU CE certification EN 55022 EN 55024 EN 60950 Environment Temperature 41 00 F to 95 00 F at 80 max humidity non condensing 41 00 F to 104 00 F at 80 max humidity non condensing Package con tent LAN...

Page 107: ...hernet interface 10 100Base TX 8 pin RJ45 socket corresponding to ISO 8877 EN 60603 7 9 2 2 Configuration interface Outband 8 pin mini DIN socket Connector Pin IAE 1 T 2 T 3 R 4 PoE G 5 PoE G 6 R 7 Po...

Page 108: ...eclares that the devices of the type described in this documentation are in agreement with the basic requirements and other relevant regulations of the 1995 5 EC directive The CE declarations of confo...

Page 109: ...p with redundant WLAN Controllers 69 Blowfish 94 101 Broadcast 51 C CA 15 CAPWAP 11 14 16 17 CAPWAP tunneling 14 CAST 94 101 Certificate 43 44 49 61 62 65 Certificates Backup 65 Certification Authorit...

Page 110: ...Power adapter 30 Interconnection 94 Security aspects 94 Internet access 18 91 Authentication data 91 Flat rate 91 Internet provider 91 IP Filter 88 Lock ports 88 IP address 29 33 IP masquerading 19 IP...

Page 111: ...mber 15 44 Remote Access Service RAS Configuring the dial in computer 103 NetBIOS 102 Searching for Windows workgroups 102 Security aspects 101 Server 18 setup 101 TCP IP 102 User name 102 Remote conf...

Page 112: ...the LAN 41 TCP IP configuration Automatic 39 fully automatic 32 33 manual 32 33 TCP IP filter 19 88 TCP IP router Settings 96 Temperature 27 Time 27 Time information 43 TLS 11 U UDP 88 V Virtual Priva...

Page 113: ...LANCOM WLC 4006 LANCOM WLC 4025 Index 113 EN...

Reviews:

No comments