Section 3:  Configuring the Access Point

LAPAC1750PRO Access Point Software User Manual

Figure 38: ACL

Table 46: ACL Configuration

Field: Description

ACL

ACL Name: Enter a name to identify the ACL. The name can contain from 1–31 alphanumeric characters and the following special characters: hyphen, underscore, backslash and colon. Spaces are not allowed.

ACL Type: Select the type of ACL to configure:
  - IPv4
  - IPv6
  - MAC
IPv4 and IPv6 ACLs control access to network resources based on Layer 3 and Layer 4 criteria. MAC ACLs control access based on Layer 2 criteria.

ACL RULE SETTING

ACL Name and Type: Select the ACL to configure with the new rule. The list contains all ACLs added in the ACL Configuration section.

Rule: To configure a new rule to add to the selected ACL, select New Rule. To add an existing rule to an ACL or to modify a rule, select the rule number.
When an ACL has multiple rules, the rules are applied to the packet or frame in the order in which you add them to the ACL. There is an implicit deny all rule as the final rule.
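The rule ordering and implicit deny described in the table, modeled as an added example (not code from the manual or the access point firmware). It assumes first-match evaluation, a simplified IPv4 rule with hypothetical fields (source network, protocol, destination port), ASCII-only ACL names, and constructed sample rules. It also flags rules that can never match because an earlier rule already covers them.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL Name field: 1-31 alphanumeric characters plus hyphen, underscore,
# backslash and colon; spaces are not allowed. ASCII-only is an assumption.
ACL_NAME_RE = re.compile(r"[A-Za-z0-9_\\:-]{1,31}")


def valid_acl_name(name: str) -> bool:
    """Check a proposed ACL name against the documented character rules."""
    return ACL_NAME_RE.fullmatch(name) is not None


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    protocol: str   # e.g. "tcp", "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Simplified IPv4 ACL rule (hypothetical model, not the AP's format)."""
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # source network in CIDR form
    protocol: Optional[str] = None    # None matches any protocol
    dst_port: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and self.protocol in (None, pkt.protocol)
            and self.dst_port in (None, pkt.dst_port)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (
            ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and self.protocol in (None, other.protocol)
            and self.dst_port in (None, other.dst_port)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Apply rules in the order they were added; the first match decides.

    Returns (action, rule_index). An index of None means no rule matched
    and the implicit deny-all final rule applied.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because one earlier rule covers them."""
    return [
        j for j, later in enumerate(rules)
        if any(earlier.covers(later) for earlier in rules[:j])
    ]


# Constructed sample: the broad permit was added first, so the narrower
# deny for Telnet from 10.1.2.0/24 is never reached.
MISORDERED = [
    Rule("permit", "10.0.0.0/8"),
    Rule("deny", "10.1.2.0/24", "tcp", 23),
]
# Same rules with the specific deny added before the broad permit.
FIXED = [MISORDERED[1], MISORDERED[0]]

if __name__ == "__main__":
    telnet = Packet("10.1.2.7", "tcp", 23)
    outsider = Packet("192.168.1.5", "udp", 53)
    print("misordered:", evaluate(MISORDERED, telnet), "shadowed:", shadowed_rules(MISORDERED))
    print("fixed:     ", evaluate(FIXED, telnet), "shadowed:", shadowed_rules(FIXED))
    print("no match:  ", evaluate(FIXED, outsider))
```

Running the shadow check on a planned rule list before entering it in the web interface catches ordering mistakes that would otherwise only show up as traffic being unexpectedly permitted or dropped.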

Summary of Contents for LAPAC1750PRO

Page 1: ...LAPAC1750PRO User Guide ...

Page 2: ... 6 Configuring Security on the Wireless Access Point 6 Section 2 Viewing Access Point System Status 7 System Summary 7 Network Interfaces 8 Radio Statistics 10 Workgroup Bridge 13 Associated Client 13 TSPEC Client Associations 15 TSPEC Status and Statistics 16 TSPEC AP Statistics 17 Email Alert Status 18 System Log 18 Section 3 Configuring the Access Point 19 Administration 19 LAN 29 Wireless 33 S...

Page 3: ... Configuring IEEE 802 1X Authentication Configuring Security on the Access Point To manage the access point by using the Web interface the AP needs an IP address If you use VLANs or IEEE 802 1X Authentication port security on your network you might need to configure additional settings on the AP before it can connect to the network NOTE The access point is not designed to function as a gateway to ...

Page 4: ...Description Wi Fi Client Adapter Portable or built in Wi Fi client adapter that supports one or more of the IEEE 802 11 modes in which you plan to run the access point IEEE 802 11a 802 11b 802 11g 802 11n and 802 11ac modes are supported Wireless Client Software Client software such as Microsoft Windows Supplicant configured to associate with the access point Client Security Settings Security shou...

Page 5: ... if you bring up another WLAN AP on the same network the IP address for each AP will be unique Recovering an IP Address If you experience trouble communicating with the access point you can recover a static IP address by resetting the AP configuration to the factory defaults see Restoring Configuration on page 114 and To Restore the Factory Default Configuration on page 114 or you can get a dynami...

Page 6: ...er connected directly to the PC but instead is connected to the LAN either by using a hub or directly NOTE It is possible to detect access points on the network with a wireless connection However we strongly advise against using this method In most environments you may have no way of knowing whether you are actually connecting to the intended AP Also many of the initial configuration changes requi...

Page 7: ... work with your network For information about how to configure VLAN information see VLAN and IPv4 Address on page 29 8 If your network uses IEEE 802 1X port security for network access control you must configure the 802 1X supplicant information on the AP For information about how to configure the 802 1X user name and password see 802 1X Supplicant on page 65 Configuring the Ethernet Settings The ...

Page 8: ...nfigure the access point by using advanced features Once the wireless network is up and you can connect to the AP with some wireless clients you can add in layers of security create multiple virtual access points VAPs and configure performance settings NOTE The WLAN AP is not designed for multiple simultaneous configuration changes If more than one administrator is logged onto the Administration W...

Page 9: ...s page because the IP address is already assigned either by DHCP or statically through the Ethernet Settings page IPv6 Address Shows the IPv6 address assigned to the AP This field is not editable on this page because the IP address is already assigned either by DHCPv6 or statically through the Management IPv6 page IPv6 Address Status Shows the operational status of the static IPv6 address assigned...

Page 10: ... work with Microsoft Internet Explorer 7 IE7 and might not work with other browsers To connect to an IPv6 global address add square brackets around the IPv6 address For example if the AP global IPv6 address is 2520 230 abff fe00 2420 type the following address into the IE7 address field http 2520 230 abff fe00 2420 To connect to the iPv6 Link Local address replace the colons with hyphens add the i...

Page 11: ...S 2 The primary and secondary DNS servers to use for name to IPv6 address resolution Default IPv6 Gateway The default gateway for the IPv6 network interface To change the wired settings click the Edit link After you click Edit you are redirected to the VLAN and IPv4 Address page For information about configuring these settings see VLAN and IPv4 Address on page 29 Wireless Status The wireless setti...

Page 12: ...er of channels depending on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission FCC or the International Telecommunication Union ITU R Operational Bandwidth The size of the bandwidth in MHz the current channel is using To change the radio mode or channel settings click the Edit link After you click Edit you are redirected to the Radi...

Page 13: ... successfully transmitted MSDU frames where the multicast bit is set in the destination MAC address Duplicate Frame Count Number of times a frame is received and the Sequence Control field indicates it is a duplicate Failed Transmit Count Number of times an MSDU is not transmitted successfully due to transmit attempts exceeding either the short retry limit or the long retry limit Transmit Retry Co...

Page 14: ...ly identifies a wireless local area network The SSID is set on the VAP tab See Virtual Access Point VAP on page 43 Status Shows whether the interface is enabled up or disabled down MAC Address MAC address for the specified interface The AP has a unique MAC address for each interface Each radio has a different MAC address for each interface on each of its two radios VLAN ID Virtual LAN VLAN ID You ...

Page 15: ... to establish multiple internal and guest networks on the same AP The VLAN ID is set on the VAP tab See Configuring VAPs Statistics Table Total Packets The total number of Sent Received packets bridged between the wired clients in the workgroup bridge and the wireless network Total Bytes ThetotalnumberofSent Receivedbytesbridgedbetween the wired clients in the workgroup bridge and the wireless net...

Page 16: ...ter being received Drop Bytes The number of bytes that were dropped after being received TS Violate Packets The number of packets sent from a wireless client to the AP in excess of its active TS uplink bandwidth or for an access category requiring admission control to which the wireless client has not been admitted To Station These fields report information about traffic sent from the AP to a wire...

Page 17: ... conference feed from a corporate server To view TSPEC Client Association statistics click the System Status TSPEC Client Associations tab Figure 8 TSPEC Client Associations Table 10 TSPEC Client Associations Field Description Status Network Radio interface used by the client SSID The service set identifier associated with thisTS client Station Client station MAC address TS Identifier TSPEC Traffi...

Page 18: ...ckets in excess of an admitted TSPEC for which no TSPEC has been established when admission is required by the AP TSPEC Status and Statistics The TSPEC Status and Statistics page provides Summary information about TSPEC sessions by radio Summary information about TSPEC sessions by VAP Real time transmit and receive statistics for the TSPEC VAPs on all radio interfaces All transmit and receive stat...

Page 19: ...ss Category Total Packets Indicates the total number of TS packets sent in Transmit table or received in Received table by this Radio for the specified Access Category Total Voice Packets Indicates the total number of TS voice packets sent in Transmit table or received in Received table by this AP for this VAP Total Voice Bytes Indicates the total TS voice bytes sent in Transmit table or received ...

Page 20: ... total number of email failures so far The range is an unsigned integer of 32 bits The default is 0 Time Since Last Email Sent The time and date when the last email alert was sent The AP uses the system time to report the information If an email has not been sent since the device was reset the status is not sent System Log From the System Log page you can view the most recent system log generated ...

Page 21: ...nd system settings e g device name system contact We strongly recommended you choose a new password based on the standard guidelines for strong password security instead of using default password which is admin Figure 13 shows the System Settings page Figure 13 System Settings Table 15 System Settings page Field Description New Password Enter a new administrator password The characters you enter a...

Page 22: ...versal Time UTC also known as Greenwich Mean Time to their client systems NTP sends periodic time requests to servers using the returned time stamp to adjust its clock The timestamp is used to indicate the date and time of each event in log messages See http www ntp org for more information about NTP To configure the address of the NTP server that the AP uses or to set the system time manually cli...

Page 23: ... Start Configure the date and time to begin Daylight Savings Time for the System Time Daylight Saving End Configure the date and time to end Daylight Savings Time for the System Time DaylightSavings Offset Select the number of minutes to offset DST The default is 60 minutes NOTE After you configure the Time settings you must click Save to apply the changes and save the changes to startup configura...

Page 24: ... the number you configure in this field is reached the oldest log event is overwritten by the new log event NOTE To apply your changes click Save Changing some settings might cause the AP to stop and restart system processes If this happens wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low Configuring the Log Relay Host for Kernel...

Page 25: ...s low NOTE Hostnames are composed of series of labels joined with dots as are all domain names Each label must be between 1 and 63 characters long and the entire hostname including dots has a maximum of 253 characters If you enabled the Log Relay Host clicking Save will activate remote logging The AP will send its kernel messages in real time for display to the remote log server monitor a specifie...

Page 26: ...the lowest urgent level are considered non urgent Messages below the security level you specify are not sent via email See the Urgent Message field description for information about the security levels Mail Server Configuration Mail Server Address Specify the IP address or hostname of the SMTP server on the network Mail Server Security Specify whether to use SMTP over SSL TLSv1 or no security Open...

Page 27: ...26 info mini_http ssl 1175 Max concurrent connections of 20 reached Management Access You can create an access control list ACL that lists up to five IPv4 hosts and five IPv6 hosts that are authorized to access the AP management interface If this feature is disabled anyone can access the management interface from any network client by supplying the correct AP user name and password Figure 18 Manag...

Page 28: ... available only when HTTP access disabled HTTPS Server Status Enable or disable access through a Secure HTTP Server HTTPS HTTPS Port Specify the port number for HTTPS traffic default is 443 Maximum Sessions When a user logs in to the AP web interface a session is created This session is maintained until the user logs off or the session inactivity timer expires Enter the number web sessions includi...

Page 29: ... HTTP SSL Certificate as a backup file to your PC HTTP SSL Certificate File This field is available when the selected download method is TFTP Enter the filename of the certificate The filename is a 256 byte alphanumeric string The default is Mini_httpd pem Note File name should not contain spaces and successive Server IP The IPv4 or IPv6 address of the TFTP server where the file will be downloaded...

Page 30: ... priority in power allocation when the PSE doesn t have enough capacity to supply power to all connected devices The PoE priority can be one of the following Low High Critical Unknown Click Save to apply the changes and save the changes to startup configuration file Discovery Bonjour Bonjour is a software feature that allows the wireless access point and its services to be discovered on a local ne...

Page 31: ...e the IP address and other network information The management VLAN is VLAN 1 by default This VLAN is also the default untagged VLAN If you already have a management VLAN configured on your network with a different VLAN ID you must change the VLAN ID of the management VLAN on the AP To configure the LAN settings click the Configuration LAN VLAN and IPv4 Address tab Figure 22 VLAN and IPv4 Address T...

Page 32: ...teway in the text boxes DNS Name Servers Select the mode for the DNS In Dynamic mode the IP addresses for the DNS servers are assigned automatically via DHCP This option is only available if you specified DHCP for the Connection Type In Manual mode you must assign static IP addresses to resolve domain names NOTE After you configure the wired settings you must click Save to apply the changes and sa...

Page 33: ...efix length which is an integer in the range of 0 128 Static IPv6 Address Status Shows the operational status of the static IPv6 address assigned to the management interface of the AP The possible values are Operational and Tentative Note If an IPv6 address has not been manually configured the field is blank IPv6 Autoconfigured Global Addresses If the AP has been assigned one or more IPv6 addresse...

Page 34: ...ect Enable or Disable for the administrative mode of ISATAP ISATAP Capable Host Specify the IP address or DNS name of the ISATAP router The default value is isatap ISATAP Query Interval Specify how often the AP should send queries to the DNS server to attempt to resolve the ISATAP host name into an IP address The AP sends router solicitation messages only when the IP address of an ISATAP router is...

Page 35: ...es Each label must be between 1 and 63 characters long and the entire hostname including dots has a maximum of 253 characters Wireless The wireless features are located under the Configuration heading on the administration Web UI Radio Rogue AP Detection Virtual Access Point VAP Scheduler Scheduler Association Bandwidth Utilization MAC Filter WDS Bridge Workgroup Bridges Qos ...

Page 36: ...dio you select in this field Be sure to configure settings for both radios Status On Off Specify whether you want the radio on or off by selecting On or Off If you turn off a radio the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shutdown and the clients can start the association process with other available APs MAC Addre...

Page 37: ...nk and with other wireless clients associated with a different VAP but not among wireless clients AeroScout Engine Protocol Support Options are Enabled or Disabled The default is Disabled When enabled Aeroscout devices are recognized and data is sent to an Aeroscout Engine AE for analysis The AE determines the geographical location of 802 11 capable devices such as STAs APs and AeroScout s line of...

Page 38: ...the 20 MHz and 40 MHz channels Set the field to 20 MHz to restrict the use of the channel bandwidth to a 20 MHz channel For the 802 11ac mode set the field to 40 MHz to prevent the radio from using the 80 MHz channel bandwidth Primary Channel 802 11n modes only This setting can be changed only when the channel bandwidth is set to 40 MHz A 40 MHz channel can be considered to consist of two 20 MHz c...

Page 39: ...les to guarantee that 802 11 transmissions do not cause interference with legacy stations or applications By default these protection mechanisms are enabled Auto With protection enabled protection mechanisms will be invoked if legacy devices are within range of the AP You can disable Off these protection mechanisms When protection is off legacy clients or APs within range can be affected by 802 11...

Page 40: ...n greatly reduce throughput RTS Threshold Specify a Request to Send RTS Threshold value between 0 and 2347 The RTS threshold indicates the number of octets in an MPDU below which an RTS CTS handshake is not performed Changing the RTS threshold can help control traffic flow through the AP especially one with a lot of clients If you specify a low threshold value RTS packets will be sent more frequen...

Page 41: ... above the set rate limit The default and maximum rate limit burst setting is 75 packets per second TSPEC Mode Regulates the overall TSPEC mode on the AP On The AP handles TSPEC requests according to the TSPEC settings you configure on the Radio page Use this setting if the AP handles traffic from QoS capable devices such as a Wi Fi certified phone Off The AP ignores TSPEC requests from client sta...

Page 42: ...is low Rogue AP Detection A Rogue AP is an access point that has been installed on a secure network without explicit authorization from a system administrator Rogue access points pose a security threat because anyone with access can mistakenly or maliciously install a wireless AP that can potentially allow unauthorized parties to access the network The status page for Rogue AP Detection provides r...

Page 43: ...ist the Delete button is available Click Delete to move the AP from the Trusted AP list to the Detected Rogue AP List Note TheDetectedRogueAPListandKnownAPListprovide information The LAPAC1750PRO Access Point does not have any control over the APs on the list and cannot apply any security policies to APs detected through the RF scan MAC Shows the MAC address of the neighboring AP Radio The Radio f...

Page 44: ...eived from this AP since it was first discovered Last Beacon Shows the date and time of the last beacon received from this AP Rates Shows supported and basic advertised rate sets for the neighboring AP Rates are shown in megabits per second Mbps All Supported Rates are listed with Basic Rates shown in bold Rate sets are configured on the Radio page To save the Known AP List to a file click Save Th...

Page 45: ...RADIUS server assignment If you use an external RADIUS server you can configure multiple VLANs on each VAP The external RADIUS server assigns wireless clients to the VLAN when the clients associate and authenticate If wireless clients use a security mode that does not communicate with the RADIUS server or if the RADIUS server does not provide the VLAN information you can assign a VLAN ID to each V...

Page 46: ...ve this new setting Broadcast SSID Specify whether to allow the AP to broadcast the Service Set Identifier SSID in its beacon frames The Broadcast SSID parameter is enabled by default When the VAP does not broadcast its SSID the network name is not displayed in the list of available networks on a client station Instead the client must have the exact network name configured in the supplicant before...

Page 47: ...nges to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens wireless clients will temporarily lose connectivity We recommend that you change AP settings when WLAN traffic is low None Plain text If you select None as your security mode no further options are configurable on the AP This mode means that any data transferred to and ...

Page 48: ...mber of characters required updates automatically based on how you set the key length and key type Authentication The authentication algorithm defines the method used to determine whether a client station is allowed to associate with the access point when static WEP is the security mode Open System authentication allows any client station to associate with the WAP device whether that client statio...

Page 49: ... valid AES CCMP key Clients not configured to use WPA Personal will not be able to associate with the AP Key The pre shared key is the shared secret key for WPA Personal Enter a string of between 8 and 63 characters Acceptable characters include upper and lower case alphabetic letters the numeric digits and special symbols such as and Broadcast Key Refresh Rate Enter a value to set the interval at...

Page 50: ...pe Specify the IP version that the RADIUS server uses Youcantogglebetweentheaddresstypestoconfigure IPv4 and IPv6 global RADIUS address settings but the AP contacts only the RADIUS server or servers for the address type you select in this field RADIUS IP Address RADIUS IPv6 Address Enter the IPv4 or IPv6 address for the primary RADIUS server for this VAP If the IPv4 RADIUS IP Address Type option i...

Page 51: ... is a standalone LAPAC1750PRO Access Point feature To configure the Radio and VAP scheduler select the Scheduler tab in the Manage section The Radio and VAP Scheduler allows you to configure a rule with a specific time interval for VAPs or radios to be operational thereby automating the enabling or disabling of the VAPs and radios One of the ways you can use this feature is to schedule radios to o...

Page 52: ...as not been set either manually or by specifying an NTP server to use ManagedMode Operational status is down because the AP is in managed mode Scheduler Profile The scheduler profile defines the list of profile names that can be associated to the VAP or Radio configuration Rules are associated with a named scheduler profile You can define up to 16 scheduler profile names By default no profiles are...

Page 53: ...change an existing rule select the rule update the values in the Rule Configuration area and click Modify Rule Remove Rule To delete a rule from a profile select the rule and click Remove Rule Save After making any modifications click Save to apply the changes and to save the settings Scheduler Association For a scheduler profile to take effect you must associate it with at least one radio or VAP ...

Page 54: ... a radio interface or a VAP interface you must click Save to apply the changes and to save the settings Bandwidth Utilization Use this page to load balance the distribution of wireless client connections across multiple access points You can set network utilization thresholds on the access point to maintain the speed and performance of the wireless network as clients associate and disassociate wit...

Page 55: ...xadecimal digits separated by colons for example 00 DC BA 09 87 65 Each wireless network interface card NIC used by a wireless client has a unique MAC address You can use the Administrator UI on the AP or use an external RADIUS server to control access to the network through the AP based on the MAC address of the wireless client This feature is called MAC Filtering To control access you configure ...

Page 56: ...n the previous field The Access Point allows up to 512 MAC addresses to be added to the station list Note If MAC authentication for the VAP is set to Local the AP uses the stations list to permit or deny the clients access to the network If the MAC authentication type is set to RADIUS the AP ignores the MAC addresses configured in this list and uses the list that is stored on the RADIUS server The...

Page 57: ...e does not add to the hop count It functions as a simple OSI layer 2 network device In the point to multipoint bridge mode one AP acts as the common link between multiple APs In this mode the central AP accepts client associations and communicates with the clients and other repeaters All other APs associate only with the central AP that forwards the packets to the appropriate wireless bridge for r...

Page 58: ...ted in this field The read only local address will change depending on which radio you select in this field Local Address Indicates the MAC addresses for this AP For each WDS link on a two radio AP the local address reflects the MAC address for the internal interface on the selected radio Radio 1 on wlan0 or Radio 2 on wlan1 Remote Address Specify the MAC address of the destination AP that is the ...

Page 59: ...onnected to the WDS AP in the main network even if the WDS link is broken The IP address is released when the WDS interface is brought administratively down Workgroup Bridges The Workgroup Bridge feature enables the AP to extend the accessibility of a remote network InWorkgroup Bridge mode the access point acts as a wireless station STA on the wireless LAN It can bridge traffic between a remote wi...

Page 60: ...up Bridge mode can be used as range extender to enable the BSS to provide access to remote or hard to reach networks A single radio can be configured to forward packets from associated STAs to another access point in the same ESS without using WDS NOTE Workgroup Bridge mode currently supports only IPv4 traffic NOTE Workgroup Bridge mode is not supported across a cluster Use the WorkGroup Bridge pa...

Page 61: ...tatus Access Point Interface Status Status is indicated as Up Enable or Down disable If the downstream interface is down wireless clients cannot connect to the access point VLAN ID TheVLAN ID on the local AP interface ThisVLAN ID should be the same VLAN ID as advertised on the Infrastructure Client Interface SSID Specify the SSID to broadcast to downstream clients Broadcast SSID Select this option...

Page 62: ...fic flowing from the AP to the client station Station Enhanced Distributed Channel Access EDCA Parameters affect traffic flowing from the client station to the AP The default values for the AP and station EDCA parameters are those suggested by the Wi Fi Alliance in the Wi Fi MultiMedia WMM specification In normal use these values should not need to be changed Changing these values will affect the ...

Page 63: ...f wait time window for retry of a transmission ThevaluespecifiedforMinimumContentionWindowis the upper limit in milliseconds of a range from which the initial random backoff wait time is determined The first random number generated will be a number between 0 and the number specified here If the first random backoff wait time expires before the data frame is sent a retry counter is incremented and ...

Page 64: ...for different types of data transmitted from station to AP Data 0 Voice Highest priority queue minimum delay Time sensitive data such as VoIP and streaming media are automatically sent to this queue Data 1 Video Highest priority queue minimum delay Time sensitive video data is automatically sent to this queue Data 2 best effort Medium priority queue medium throughput and delay Most traditional IP ...

Page 65: ... Select On to enable Automatic Power Save Delivery APSD which is a power management method APSD is recommended if VoIP phones access the network through the AP NOTE After you configure the QoS settings you must click Save to apply the changes and save the changes to startup configuration file Changing some settings might cause the AP to stop and restart system processes If this happens wireless cl...

Page 66: ... the IPv6 address of the primary global RADIUS server for example 2001 0db8 1234 abcd RADIUS IP or IPv6 Address 1 3 Enter up to three IPv4 or IPv6 addresses to use as the backup RADIUS servers The field label is RADIUS IP Address when the IPv4 RADIUS IP Address Type option is selected and RADIUS IPv6 Address when the IPv6 RADIUS IP Address Type option is selected If authentication fails with the p...

Page 67: ...02 1X Supplicant EAP Method Select the algorithm to be used for encrypting authentication user names and passwords The options are as follows MD5 A hash function defined in RFC 3748 that provides basic security PEAP Protected Extensible Authentication Protocol which provides a higher level of security than MD5 by encapsulating it within a TLS tunnel TLS Transport Layer Security as defined in RFC 5...

Page 68: ...Pv6 address of the TFTP server where the file is located The default is 0 0 0 0 After you specify the filename and server IP click Upload to initiate the file transfer NOTE After you configure the settings on the 802 1X Supplicant page you must click Save to apply the changes Changing some settings might cause the AP to stop and restart system processes If this happens wireless clients will tempor...

Page 69: ...le 45 QoS Global Settings Field Description Client QoS Enable or disable Client QoS operation on the AP Changing this setting will not affect the WMM settings you configure on the QoS page Radio Select Radio 1 or Radio 2 to specify which radio to configure VAP Specify the VAP that will have the Client QoS settings that you configure The QoS settings you configure for the selected VAP will not affe...

Page 70: ...fic from the AP in the outbound down direction DiffServ Policy Up Select the name of the DiffServ policy applied to traffic sent to the AP in the inbound up direction ACL ACLs are a collection of permit and deny conditions called rules that provide security by blocking unauthorized users and allowing authorized users to access specific resources ACLs can block any unwarranted attempts to reach net...

Page 71: ...4 and IPv6 ACLs control access to network resources based on Layer 3 and Layer 4 criteria MAC ACLs control access based on Layer 2 criteria ACL RULE SETTING ACL Name and Type Select the ACL to configure with the new rule The list contains all ACLs added in the ACL Configuration section Rule To configure a new rule to add to the selected ACL select New Rule To add an existing rule to an ACL or to m...

Page 72: ...o use a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets Once you select the field choose the protocol to match by keyword or enter a protocol ID Select From List Select one of the following protocols from the list IP ICMP IGMP TCP UDP Match to Value To match a protocol that is not listed by name enter ...

Page 73: ...riterion Destination Port Select this field to include a destination port in the match condition for the rule The destination port is identified in the datagram header Once you select the field choose the port name or enter the port number Select From List Select the keyword associated with the destination port to match ftp ftpdata http smtp snmp telnet tftp www Each of these keywords translates i...

Page 74: ... field to apply this criterion Source IPv6 Prefix Len Enter the prefix length of the source IPv6 address Source Port Select this option to include a source port in the match condition for the rule The source port is identified in the datagram header Once you select the option choose the port name or enter the port number Destination IPv6 Address Select this field to require a packet s destination ...

Page 75: ...n MAC address mask specifying which bits in the destination MAC to compare against an Ethernet frame A 0 indicates that the address bit is significant and an f indicates that the address bit is to be ignored A MAC mask of 00 00 00 00 00 00 matches a single MAC address VLAN ID Select this field and enter the VLAN IDs to compare against an Ethernet frame This field is located in the first only 802 1...

Page 76: ... attributes may be defined on a per class instance basis and it is these attributes that are applied when a match occurs A policy can contain multiple classes When the policy is active the actions taken depend on which class matches the packet Packet processing begins by testing the class match criteria for a packet A policy is applied to a packet when a class match within that policy is found Dif...

Page 77: ...the IP Protocol field in IPv4 packets or the Next Header field of IPv6 packets Once you select the field choose the protocol to match by keyword or enter a protocol ID Select From List Select one of the following protocols from the list IP ICMP IPv6 ICMPv6 IGMP TCP UDP Match to Value To match a protocol that is not listed by name enter the protocol ID The protocol ID is a standard value assigned b...

Page 78: ...iate field to apply this criterion Source IPv6 Prefix Length Enter the prefix length of the source IPv6 address Destination IPv6 Address Select this field to require a packet s destination IPv6 address to match the address listed here Enter an IPv6 address in the appropriate field to apply this criterion Destination IPv6 Prefix Length Enter the prefix length of the destination IPv6 address IPv6 Fl...

Page 79: ... the value in the header of an Ethernet frame Select an EtherType keyword or enter an EtherType value to specify the match criteria Select from List Select one of the following protocol types appletalk arp ipv4 ipv6 ipx netbios pppoe Match to Value Enter a custom protocol identifier to which packets are matched The value is a four digit hexadecimal number in the range of 0600-FFFF Class of ...

Page 80: ...ed against the TOS entered for this rule The TOS Mask can be used to compare specific bits Precedence Type of Service from the TOS field in the IP header of a packet against the TOS value entered for this rule 00 FF Delete Class Map Check to delete the class map selected in the Class Map Name menu The class map cannot be deleted if it is already attached to a policy To delete a Class Map select th...

Page 81: ... form of the policing style uses a single data rate and burst size resulting in two outcomes conform and nonconform Committed Rate Enter the committed rate in Kbps to which traffic must conform Committed Burst Enter the committed burst size in bytes to which traffic must conform Ideally burst size should be 1.5 times the committed rate in bytes for Rate Limiting to work properly For example if the...

Page 82: ...f no class is associated with the policy the field is empty Delete Policy Map Select this field to delete the policy map showing in the Policy Map Name menu To delete a Policy Map select the Delete Policy Map option and click Save Client QoS Status The Client QoS Status page shows the client QoS settings that are applied to each client currently associated with the AP To view QoS settings for an a...

Page 83: ...s denied DiffServ Policy Up Shows the name of the DiffServ policy applied to traffic sent to the AP in the inbound client to AP direction DiffServ Policy Down Shows the name of the DiffServ policy applied to traffic from the AP in the outbound AP to client direction SNMP This section describes how to configure the SNMP settings on the access point and contains the following subsections General Vie...

Page 84: ...lobal SNMP parameter that applies to SNMPv1 SNMPv2c and SNMPv3 Read Only Community Enter a read only community name The valid range is 1-256 characters The community name as defined in SNMPv2c acts as a simple authentication mechanism to restrict the machines on the network that can request data to the SNMP agent The name functions as a password and the request is assumed to be authentic if the se...

Page 85: ...om 10.10.1.129 through 10.10.1.254 can execute SNMP requests on managed devices In this example 10.10.1.128 is the network address and 10.10.1.255 is the broadcast address 126 addresses would be designated NMS IPv6 Address Name Specify the IPv6 DNS hostname or subnet of the machines that can execute get and set requests to the managed devices Trap Community Enter the global community string associ...

Page 86: ...n the Views page Table 51 SNMP Views Field Description View Name Enter a name to identify the MIB view View names can contain up to 32 alphanumeric characters Type Specifies whether to include or exclude the view subtree or family of subtrees from the MIB view OID Enter an OID string for the subtree to include or exclude from the view For example the system subtree is specified by the OID string 1...

Page 87: ...d and write access to default all MIB view which can be modified by the user NOTE The default groups RO and RW cannot be deleted NOTE The Access Point supports a maximum of 8 groups To define additional groups navigate to the Configuration SNMP Groups page and configure the settings that Table 52 describes Figure 44 SNMP Groups Table 52 SNMP Groups Field Description Name Specify a name to use to i...

Page 88: ...ps that have been defined on the AP Use the buttons on the page to perform the following tasks Add Add the new group to the SNMP Groups table Remove Remove the selected group from the SNMP Group table Save Apply and save the changed SNMP group settings Targets An SNMP target receives trap messages and forwards them to the SNMP manager Inform messages are not supported Each target is associated wit...

Page 89: ...ch user and configure per user security keys Each user is mapped to an SNMP group either from predefined or user defined groups configured for authentication and encryption types with authentication encryption pass phrases optional if authentication or encryption type is set to none For authentication only MD5 type is supported and for encryption only DES type is supported There are no default SNMP users...

Page 90: ...move the selected user from the SNMP Users table Save Apply and save the changed SNMP user settings Captive Portal This section describes the Captive Portal CP feature which allows you to block wireless clients from accessing the network until user verification has been established You can configure CP verification to allow access for both guest and authenticated users The access point CP feature ...

Page 91: ...lient information If the user does not enter authentication credentials within the authentication timeout period the client details are removed so that stale entries do not persist upon leaving The default authentication timeout is 300 seconds Additional HTTP Port HTTP traffic uses port 80 but you can configure an additional port for HTTP traffic Enter a port number between 1025 and 65535 Port number ...

Page 92: ...ows the CP Instance Configuration page when the Create option is selected from the Captive Portal Instances menu Figure 48 CP Instance Configuration Create Figure 49 on this page shows the CP Instance Configuration page when a CP instance has been created and is selected from the Captive Portal Instances menu The fields available also change depending on the option selected from the Verification m...

Page 93: ...either IPv4 or an IPv6 address to which the newly authenticated client is redirected if the URL Redirect Mode is enabled The IPv4 address should be in a form similar to http xxx xxx xxx xxx http 192 0 2 10 The IPv6 address should be in a form similar to http xxxx xxxx xxxx xxxx xxxx xxxx xxx x xxxx http 2001 DB8 CAD5 7D91 The range is from 0 to 256 characters Away Time The amount of time a user re...

Page 94: ...nt to the address you specify RADIUS Backup IP 1 3 Up to three IPv4 or IPv6 backup RADIUS server addresses If authentication fails with the primary server each configured backup server is tried in sequence RADIUS Current Specify which RADIUS server to use to authenticate clients primary Use the RADIUS server with the IP address configured in the RADIUS IP field backupone Use the RADIUS server with...

Page 95: ... Field Description RADIO Select the radio associated with the VAP to configure VAP The list of VAP IDs A CP instance can be associated with multiple VAPs Instance Name Select the instance to associate with each VAP If the menu is blank no instance is associated with the VAP Web Portal Customization When users initiate access to a VAP that is associated with a captive portal instance an authenticat...

Page 96: ...that this locale is associated with You can associate multiple locales with an instance When a user attempts to access a particular VAP that is associated with a CP instance the locales that are associated with that instance display as links on the authentication page The user can select a link to switch to that locale Locale ID The ID that is automatically assigned to the locale when it is create...

Page 97: ...ire name in quotes The range is from 1 to 512 characters The default is arial sans serif MS UI Gothic Browser Title The text to display in the browser title bar The range is from 1 to 128 characters The default is Captive Portal Browser Content The text that displays in the page header to the right of the logo The range is from 1 to 128 characters The default is Welcome to the Wireless Network Con...

Page 98: ...When users initiate access to a VAP that is associated to a captive portal instance an authentication page displays You can customize this page with your own logo and other graphics Up to 18 images can be uploaded assuming six locales with each locale having three images Click the Configuration Captive Portal Upload Custom Images tab to access the page which the following figure shows Figure 53 Up...

Page 99: ... create up to two additional user groups The fields available on the page depend on the option selected from the Captive Portal Groups menu Click the Configuration Captive Portal Local Groups tab to access the page which the following figure shows Figure 54 CP Local Groups The following table describes the fields on the CP Local Groups page that you use to create a CP local group Table 61 Captive ...

Page 100: ...ify a name for the local user After you create a user or select an existing user from the Captive Portal Users menu additional fields appear on the screen The following table describes the fields on the CP Local Users page that you use to configure settings for an existing CP local user Table 63 Creating Captive Portal Local Users Field Description Captive Portal Users Select the name of the user ...

Page 101: ...ion Captive Portal Authenticated Clients tab to access the page which the following figure shows Figure 56 CP Authenticated Clients The following table describes the fields on the CP Authenticated Clients page Table 64 Captive Portal Authenticated Client List Field Description Total Number of Authenticated Clients The number of clients that have successfully authenticated on any CP instance This n...

Page 102: ...ients page lists information about clients that attempted to authenticate on a Captive Portal and failed Click the Configuration Captive Portal Failed Authenticated Clients tab to access the page which the following figure shows Figure 57 CP Failed Authenticated Clients The following table describes the fields on the CP Failed Authenticated Clients page Table 65 Captive Portal Failed Authenticated...

Page 103: ...a single radio AP in the cluster changes the AP propagates the change to the first radio of all cluster members The configuration of the second radio on any dual radio APs in the cluster is not affected If a cluster contains only single radio APs and a dual radio AP joins the cluster then only radio 1 on the dual radio AP is configured with the cluster configuration Radio 2 on the AP remains as it...

Page 104: ...s in the cluster You must configure the same cluster name on each AP that is a member of the cluster The cluster name must be unique for each cluster you configure on the network Clustering IP Version Specify the IP version that the APs in the cluster use to communicate with each other Removing an Access Point from the Cluster To remove an access point from the cluster do the following 1 Go to the...

Page 105: ...s and Statistics Associations Clients web page directly on that AP To view a particular statistic for client sessions select an item from the Display drop down list and click Go You can view information about idle time data rate signal strength and so on all of which are described in detail in the table below A session in this context is the period of time in which a user on a client device statio...

Page 106: ...e Signal column label The entries will be sorted by signal strength Channel Management When Channel Management is enabled the access point automatically assigns radio channels used by clustered access points The automatic channel assignment reduces mutual interference or interference with other access points outside of its cluster and maximizes Wi Fi bandwidth to help maintain the efficiency of co...

Page 107: ...ss a cluster When Channel Management is enabled the radio channel is not synced across the cluster to other APs Click Start to resume automatic channel assignment When automatic channel assignment is enabled the Channel Manager periodically maps radio channels used by clustered access points and if necessary re assigns channels on clustered APs to reduce interference with cluster members or other ...

Page 108: ...hows the current and proposed channels for each AP Locked channels will not be re assigned and the optimization of channel distribution among APs will take into account the fact that locked APs must remain on their current channels APs that are not locked may be assigned to different channels than they were previously using depending on the results of the plan Table 70 Last Proposed Changes Field ...

Page 109: ...ply these settings Advanced settings will take effect when they are applied and influence how automatic channel management is performed Wireless Neighborhood The Wireless Neighborhood shows up to 20 access points per radio within range of every member of the cluster shows which access points are within range of which cluster members and distinguishes between cluster members and nonmembers NOTE The...

Page 110: ...e always shown at the top of the list with a heavy bar above and include a location indicator The colored bars to the right of each AP in the Neighbors list show the signal strength for each of the neighbor APs as detected by the cluster member whose IP address is shown at the top of the column The color of the bar indicates the signal strength Dark Blue Bar A dark blue bar and a high signal stre...

Page 111: ...ss Shows the MAC address of the neighboring access point A MAC address is a hardware address that uniquely identifies each node of a network Channel Shows the channel on which the access point is currently broadcasting The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving Rate Shows the rate in megabits per second at which this access point is cur...

Page 112: ...s when it boots and to upload a new firmware image to the device Figure 63 Firmware Maintenance Table 74 Firmware Information and Management Field Description Active Image Identifies the firmware images on the system Active Image Firmware Version The version number of the image that is loaded during system boot Inactive Image Firmware Version The version number of the inactive backup image on the ...

Page 113: ...n process When the image switch is complete the access point restarts The AP resumes normal operation with the same configuration settings it had before the upgrade Firmware Upgrade As new versions of the access point firmware become available you can upgrade the firmware on your devices to take advantage of new features and enhancements The AP uses a TFTP client for firmware upgrades You can also...

Page 114: ...nce you click Upgrade and then OK in the popup confirmation window The upgrade process may take several minutes during which time the access point will be unavailable Do not power down the access point while the upgrade is in process When the upgrade is complete the access point restarts The AP resumes normal operation with the same configuration settings it had before the upgrade 1 To verify that...

Page 115: ...the Filename field including the xml file name extension and the path to the directory where you want to save the file NOTE File name should not contain spaces and successive 3 Enter the IP address of the TFTP server 4 Click Backup to save the file Use the following steps to save a copy of the current settings on an AP to a backup configuration file by using HTTP 1 Select HTTP for Download Method ...

Page 116: ...gs on an AP to a backup configuration file by using HTTP 1 Select HTTP for Upload Method 2 Use the Browse button to select the file to restore 3 Click the Restore button A File Upload or Choose File dialog box will pop up 4 Navigate to the directory that contains the file select the file to upload and click Open Only those files created with the Backup function and saved as xml backup configuratio...

Page 117: ...PC running the Wireshark tool The AP can capture the following types of packets 802.11 packets received and transmitted on radio interfaces Packets captured on radio interfaces include the 802.11 header 802.3 packets received and transmitted on the Ethernet interface 802.3 packets received and transmitted on the internal logical interfaces such as VAPs and WDS interfaces Click Maintenance Diagnost...

Page 118: ...d clients Packets not destined to the AP are not forwarded As soon as the capture is completed the radio reverts to non promiscuous mode operation Client Filter Enable Enable to use the WLAN client filter to capture only frames that are transmitted to or received from a WLAN client with a specified MAC address Client Filter MAC Address Specify a MAC address for WLAN client filtering Note The MAC fi...

Page 119: ... AP at the same time However you must start a separate Wireshark session for each interface You can configure the IP port number used for connecting Wireshark to the AP The default port number is 2002 The system uses 5 consecutive port numbers starting with the configured port for the packet capture sessions If a firewall is installed between the Wireshark PC and the AP these ports must be allowed...

Page 120: ...frames tends to be beacons typically sent every 100ms by all Access Points Although Wireshark supports a display filter for beacon frames it does not support a capture filter to prevent the AP from forwarding captured beacon packets to the Wireshark tool In order to reduce performance impact of capturing the 802.11 beacons you can disable the capture beacons mode The remote packet capture facility...

Page 121: ...2014 Belkin International Inc and or its affiliates All rights reserved BELKIN LINKSYS and many product names and logos are trademarks of the Belkin group of companies Third party trademarks mentioned are the property of their respective owners LNKPG 00129 Rev A01 ...
