
Certificate setup is now complete. 

802.1x Authentication Setup 

1. Select Start > Control Panel > Network Connections

2. Right-click on the Wireless Network Connection, and select Properties.

3. Select the Authentication tab, and ensure that Enable network access control using IEEE 802.1X is selected, and Smart Card or other Certificate is selected from the EAP type


Summary of Contents for LAPAC2600

Page 1: ...User Guide AC2600 Dual Band Wireless Access Point LAPAC2600 1 ...

Page 2: ... 7 Setup Wizard 9 Chapter 3 Configuration 13 Administration 13 LAN 24 Wireless 30 Captive Portal 64 ACL 76 Cluster 83 Chapter 4 System Status 92 Status 92 Chapter 5 Maintenance 103 Maintenance 103 Diagnostics 110 Appendix A Troubleshooting 113 Overview 113 General Problems 113 Appendix B About Wireless LANs 115 Overview 115 Wireless LAN Terminology 115 2 ...

Page 3: ...nd Server Configuration 119 Overview 119 Using WEP 119 Using WPA2 PSK 120 Using WPA2 Enterprise 120 802 1x Server Setup Windows 2000 Server 122 802 1x Client Setup on Windows XP 132 Using 802 1x Mode without WPA 139 3 ...

Page 4: ... connected Blue Blinking Software upgrade in process Solid System is normal at least one wireless device connected Red Solid Booting process or update failed hard reset or service required Ports and Button Power Port Connect the AC power adapter to this port Note Use only the adapter that came with your access point Ethernet Port 1 Use an RJ45 CAT5e or better cable to connect the LAPAC2600 to netw...

Page 5: ...port LAG you can only use one Ethernet port at a time on your LAPAC2600 Reset Button Press and hold this button for less than 15 seconds to power cycle device Press and hold for longer than 15 seconds to reset the device to factory default settings Mounting Guide To avoid overheating do not install your access point if ambient temperatures exceed 104 F 40 C Install on a flat stable surface near th...

Page 6: ...e Secure mounting bracket to the ceiling tile with flathead screw and nut Route the Ethernet cable through the Ethernet cable hole 5 Replace tile in ceiling 6 Connect the Ethernet cable and or AC power adapter to your device 7 Slide the device into the bracket Turn access point clockwise until it locks IMPORTANT Improper or insecure mounting could result in damage to the device or personal injury ...

Page 7: ...ng browsers Firefox 3 5 or later Chrome 8 or later Safari 5 or later Internet Explorer 8 or later Setup Procedure Make sure device is powered on before you continue setup If LED light is off check that AC power adapter or PoE cable is properly connected on both ends Access device s browser based setup 1 Use the included cable to connect the access point to your network via a network switch or rout...

Page 8: ... does not have a DHCP Server. If there is no DHCP server in your network, the access point will fall back to its default IP address 192.168.1.252 with a network mask of 255.255.255.0. Or, if your PC's IP address is not compatible with this, you must change your PC's IP address to an unused value in the range 192.168.1.1 - 192.168.1.254 with a network mask of 255.255.255.0. See Appendix A Windows TCP/IP p ...

Page 9: ...ll be part of a cluster master or slave go to Configuration Cluster Settings Status page instead 1 Click the Quick Start tab on the main menu 2 On the first screen click Launch 3 Set the password on the Device Password screen if desired 4 Configure the time zone date and time for the device on System Settings screen 9 ...

Page 10: ...5 On the IPv4 Address screen configure the IP address of the device Static or Automatic then click Next 10 ...

Page 11: ...ettings The access point supports up to eight SSIDs per radio 7 On the Wireless Security Screen configure the wireless security settings for the device Click Next If you are looking for security options that are not available in the wizard go to Configuration Wireless Security page The access point supports more sophisticated security options there 11 ...

Page 12: ...8 On the Summary screen check the data to make sure they are correct and then click Submit to save the changes 9 Click Finish to leave the wizard 12 ...

Page 13: ...Configuration Administration User Accounts Go to Configuration Administration and select User Accounts to manage user accounts The access point supports up to five users one administrator and four normal users 13 ...

Page 14: ...Only administrator account has Read Write permission to the access point s admin interface All other accounts have Read Only permission New Password Enter the Password to connect to the access point s admin interface Password must be between 4 and 63 characters Special characters are allowed Confirm New Password Re enter password Time Go to Configuration Administration and select Time to configure...

Page 15: ...ly adjust clock for daylight saving changes Start Time Specify the start time of daylight saving End Time Specify the end time of daylight saving Offset Select the adjusted time of daylight saving NTP NTP Server 1 Enter the primary NTP server It can be an IPv4 address or a domain name Valid characters include alphanumeric characters _ and Maximum length is 64 characters NTP Server 2 Enter the seco...

Page 16: ...tration and select Log Settings to configure logs Logs record various types of activity on the access point This data is useful for troubleshooting but enabling all logs will generate a large amount of data and adversely affect performance 16 ...

Page 17: ... characters are allowed Password Enter the Password to login to your SMTP server The Password can include up to 32 characters Special characters are allowed Email Address for Logs Enter the email address the log messages are to be sent to Valid characters include alphanumeric characters _ and Maximum length is 64 characters Log Queue Length Enter the length of the queue up to 500 log messages The ...

Page 18: ...Management Access Go to Configuration Administration and select Management Access page to configure the management methods of the access point 18 ...

Page 19: ...o HTTP clients and servers Enable to allow Web access by HTTPS protocol HTTPS Port Specify the port for HTTPS It can be 443 default or from 1024 to 65535 From Wireless Enable wireless devices to connect to access point s admin page Disabled by default Access Control By default no IP addresses are prohibited from accessing the device s admin page You can enable access control and enter specified IP...

Page 20: ...ttings Configure the SNMPv3 settings if you want to use SNMPv3 Username Enter the username It includes 0 to 32 characters Special characters are allowed Authentication Protocol None or HMAC MD5 Authentication Key 8 to 32 characters Special characters are allowed Privacy Protocol None or CBC DES Privacy Key 8 to 32 characters Special characters are allowed Access Control Access Control When SNMP is...

Page 21: ...SSL Certificate Go to Configuration Administration and select SSL Certificate to manage the SSL certificate used by HTTPS 21 ...

Page 22: ...ination File Enter the name of the destination file TFTP Server Enter the IP address for the TFTP server Only support IPv4 address here Export Click to export the SSL certificate to the TFTP server Restore from TFTP Server Source File Enter the name of the source file TFTP Server Enter the IP address for the TFTP server Only support IPv4 address here Install Click to install the file to the device...

Page 23: ...iguration Administration and select LED to enable or disable the LED on the top cover of LAPAC2600 LED LED Display If disabled the LED will be off even when the access point is working By default LED is enabled on 23 ...

Page 24: ...LAN Network Setup Go to Configuration LAN Network Setup to configure basic device settings VLAN settings and settings for the LAN interface including static or dynamic IPv4 IPv6 address assignment 24 ...

Page 25: ...the untagged traffic VLAN ID or change the VLAN ID for a SSID Untagged VLAN ID Specifies a number between 1 and 4094 for the untagged VLAN ID The default is 1 Traffic on the VLAN that you specify in this field is not be tagged with a VLAN ID when forwarded to the network Untagged VLAN ID field is active only when untagged VLAN is enabled VLAN 1 is the default for both untagged VLAN and management ...

Page 26: ...Advanced Go to Configuration LAN Advanced to configure advanced network settings of the access point 26 ...

Page 27: ...able auto negotiation ensure link speed and duplex Full are identical on both sides Operational Auto Negotiation Current Auto Negotiation mode of the Ethernet port Port Speed Select the speed of the Ethernet port Available only when Auto Negotiation is disabled The option can be 10M 100M or 1000M default Operational Port Speed Displays the current port speed of the Ethernet port Duplex Mode Select...

Page 28: ...ter the desired login password The password includes 4 to 63 characters Special characters are allowed Discovery Settings Bonjour Enable if administrator wants the access point to be discovered by Bonjour enabled devices automatically If VLAN is enabled the discovery packets will be sent out via management VLAN only The access point supports http and https services LLDP Enable if administrator wan...

Page 29: ...and IGMPv3 in IGMP Snooping MLD Snooping MLD Multicast Listener Discovery is a component of the Internet Protocol Version 6 IPv6 suite MLD is used by IPv6 routers for discovering multicast listeners on a directly attached link much like IGMP is used in IPv4 Multicast Listener Discovery MLD Snooping provides multicast containment by forwarding traffic only to those clients that have MLD receivers f...

Page 30: ...s Basic Settings Go to Configuration Wireless Basic Settings to configure your wireless radio and SSIDs Advanced wireless settings such as Band Steering Channel Bandwidth are on the Advanced Settings screen 30 ...

Page 31: ...nnections by 802 11N 802 11B and 802 11G wireless stations Select the desired option for radio 2 N A Mixed allow connection by 802 11A and N wireless stations only N only allow connection by 802 11N wireless stations only AC only allow connection by 802 11AC wireless stations only A N AC Mixed allow connection by 802 11A 802 11N and 802 11AC wireless stations Wireless Channel Select wireless chann...

Page 32: ...2 11k Enable or disable 802 11k of the SSID The 802 11k protocol provides mechanisms for APs and clients to measure the available radio resources dynamically In an 802 11k enabled network APs and clients can send neighbor reports beacon reports and link measurement reports to each other This allows the APs and clients to take appropriate connection actions for next hop if client has weak connectio...

Page 33: ...curity Mode Disabled No security Anyone using the correct SSID can connect to your network WEP The 802 11b standard Data is encrypted before transmission but the encryption system is not very strong WPA2 Personal This is a further development of WPA PSK and offers even greater security using the AES Advanced Encryption Standard method WPA WPA2 Personal This method sometimes called Mixed Mode allow...

Page 34: ...eless client must support 802 1x and provide the RADIUS authentication data when required All data transmission is encrypted using the WPA2 AES standard Keys are automatically generated so no key input is required WPA WPA2 Enterprise This method sometimes called Mixed Mode allows clients to use either WPA Enterprise with TKIP or WPA2 Enterprise with AES RADIUS RADIUS mode utilizes RADIUS server fo...

Page 35: ...t Encryption Keys are 10 Hex characters 128 Bit Encryption Keys are 26 Hex characters Passphrase Generate a key or keys instead of entering them directly Enter a word or group of printable characters in the Passphrase box and click the Generate button to automatically configure the WEP key It consists of 1 to 30 characters Key Value Enter a key in hexadecimal format Note Due to hardware limitation...

Page 36: ...WPA2 Personal This is a further development of WPA Personal and offers even greater security 36 ...

Page 37: ... Fast Roaming 802 11r is enabled some clients without 802 11r supported may fail to connect to the network Only one SSID of the AP can be enabled with Fast Roaming 802 11r WPA Algorithm The encryption method is AES Wireless stations must also use AES Pre shared Key Enter the key value It is 8 to 63 ASCII characters or 64 HEX characters Other wireless stations must use the same key Key Renewal Spec...

Page 38: ...ireless stations must use the same key Key Renewal Specify the value of Group Key Renewal It s a value from 600 to 36000 and default is 3600 WPA automatically changes secret keys after a certain period of time The group key interval is the period of time in between automatic changes of the group key which all devices on the network share Constantly keying the group key protects your network agains...

Page 39: ...WPA2 Enterprise This version of WPA2 Enterprise requires a RADIUS Server on your LAN to provide the client authentication Data transmissions are encrypted using the WPA2 AES standard 39 ...

Page 40: ...d some clients without 802 11r supported may fail to connect to the network Only one SSID of the AP can be enabled with Fast Roaming 802 11r Primary Server Enter the IP address of the RADIUS Server on your network Primary Server Port Enter the port number used for connections to the RADIUS Server It is a value from 1 to 65534 and default is 1812 Primary Shared Secret Enter the key value to match t...

Page 41: ...eriod of time in between automatic changes of the group key which all devices on the network share Constantly keying the group key protects your network against intrusion as the would be intruder must cope with an ever changing secret key WPA WPA2 Enterprise WPA WPA2 Enterprise requires a RADIUS Server on your LAN to provide the client authentication Data transmissions are encrypted using WPA WPA2...

Page 42: ...ections to the Backup RADIUS Server It is a value from 1 to 65534 and default is 1812 Backup Shared Secret Enter the key value to match the Backup RADIUS Server It consists of 1 to 64 characters WPA Algorithm The encryption method is TKIP or AES Key Renewal Timeout Specify the value of Group Key Renewal It is a value from 600 to 36000 and default is 3600 second WPA automatically changes secret key...

Page 43: ...o 65534 and default is 1812 Primary Shared Secret Enter the key value to match the RADIUS Server It consists of 1 to 64 characters Backup Server The Backup Authentication Server will be used when the Primary Authentication Server is not available Backup Server Port Enter the port number used for connections to the Backup RADIUS Server It is a value from 1 to 65534 and default is 1812 Backup Shared...

Page 44: ...Rogue AP Detection Go to Configuration Wireless Rogue AP Detection to detect the unexpected or unauthorized access point installed in a secure network environment 44 ...

Page 45: ...usted AP List MAC Address The MAC address of the Rogue AP SSID The SSID of the Rogue AP Channel The channel of the Rogue AP Security The security method of the Rogue AP Signal The signal level of the Rogue AP Trusted AP List Action Click Untrust to move the AP to the Rogue AP List MAC Address The MAC address of the Trusted AP SSID The SSID of the Trusted AP Channel The channel of the Trusted AP Se...

Page 46: ...less Scheduler to configure a rule with a specific time interval for SSIDs to be operational Automate enabling or disabling SSIDs based on the profile definition Support up to 16 profiles and each profile can include four time rules 46 ...

Page 47: ...us It includes the following situations System time is outdated Scheduler is inactive because system time is outdated Administrative Mode is disabled Scheduler is disabled by administrator Active Scheduler is active Scheduler Profile configuration New Profile Name Enter the name for new profile Profile Name Select the desired profile from the list to configure Day of the Week Select the desired da...

Page 48: ...o 2 is for 5 GHz Scheduler Association SSID The index of SSID SSID Name The name of the SSID Profile Name Choose the profile that is associated with the SSID If the profile associated with the SSID is deleted then the association will be removed Option None means no scheduler profile is associated Interface Status The status of the SSID It can be Enabled or Disabled Scheduler only works when the S...

Page 49: ...Connection Control Go to Configuration Wireless Connection Control to define whether listed client stations may authenticate with the access point 49 ...

Page 50: ...o wireless network You can enter up to 20 MAC addresses of wireless stations or choose the MAC address from Wireless Client List RADIUS Primary Backup RADIUS Server Enter the IP address of the RADIUS Server Primary Backup RADIUS Server Port Enter the Port number of the RADIUS Server Primary Backup Shared Secret This is shared between the wireless access point and the RADIUS Server while authentica...

Page 51: ...or 5GHz Rate Limit SSID The index of SSID SSID Name The name of the SSID Upstream Rate Enter a maximum upstream rate for the SSID The range is from 0 to 400 Mbps for Radio 1 and from 0 to 1000 Mbps for Radio 2 0 means no limitation Downstream Rate Enter a maximum downstream rate for the SSID The range is from 0 to 400 Mbps for Radio 1 and from 0 to 1000 Mbps for Radio 2 0 means no limitation 51 ...

Page 52: ...n Wireless QoS Quality of Service to specify priorities for different traffic coming from your wireless client Lower priority traffic will be slowed down to allow greater throughput or less delay for high priority traffic 52 ...

Page 53: ...rnet or WDS interface WMM Enable or disable WMM WMM Wi Fi Multimedia is a component of the IEEE 802 11e wireless LAN standard for QoS WMM provides prioritization of wireless data packets from different applications based on four access categories voice video best effort and background For an application to receive the benefits of WMM QoS both it and the client running that application have to have...

Page 54: ...of linking them with a wired backbone WDS only works and interacts with LAPN300 LAPN600 LAPAC1200 LAPAC1750 or LAPAC2600 devices The access point can act as WDS Root or WDS Station WDS Root Receives WDS connections from remote WDS Stations WDS Station Connects to remote WDS Root Supports up to 4 WDS Stations on each wireless radio 54 ...

Page 55: ...tatic channel is configured on both APs Do not use Auto channel option when you enable WDS as both APs in a WDS link must be on the same radio channel If Auto option is configured there is chance two access points run on different channels and WDS link cannot establish Workgroup Bridge and WDS will not work at the same time on one wireless radio When Workgroup Bridge is enabled WDS will be disable...

Page 56: ...ollowing settings of the device are identical to the WDS Root that will be connected Radio IEEE 802 11 Mode Channel Bandwidth Channel Note It is highly recommended that static channel is configured on both APs Do not use Auto channel option when you enable WDS as both APs in a WDS link must be on the same radio channel If Auto option is configured there is chance two access points run on different...

Page 57: ...he WDS Station forwards to the remote WDS Root only packets in the VLAN list Packets not in the VLAN list cannot be forwarded to the remote WDS Root The VLAN List is only applicable when VLAN is enabled The VLAN list includes 1 to 8 VLAN IDs separated by such as 100 200 300 400 500 600 700 800 Security Mode The type of encryption to use on the WDS link It must be unique to the access point on the ...

Page 58: ...ion STA on the wireless LAN It can bridge traffic between a remote wired network and a wireless LAN When Workgroup Bridge is enabled SSID configuration still works to provide wireless services to clients All access points participating in Workgroup Bridge must have the identical settings for Radio interface IEEE 802 11 mode Channel Bandwidth Channel Auto is not recommended 58 ...

Page 59: ...channel If Auto option is configured there is a chance two access points will run on different channels which prevents Workgroup Bridge link from being established Remote AP Settings SSID Enter the name of the SSID to which Workgroup Bridge will connect Click Site Survey to choose from the list You must do this for Workgroup Bridge to connect to a remote access point Remote MAC Address Normally Wo...

Page 60: ...ct the desired mode from the list Disabled WPA Personal WPA2 Personal WPA Enterprise WPA2 Enterprise Advanced Settings Go to Configuration Wireless Workgroup Bridge to configure advanced parameters of wireless radios 60 ...

Page 61: ...less Radio Select the desired radio from the list Radio 1 is for 2 4GHz and Radio 2 is for 5GHz Worldwide Mode 802 11d Worldwide Mode 802 11d enables the access point to direct connected wireless devices to radio settings specific to where in the world the devices are in use Channel Bandwidth Select the designed channel bandwidth for the wireless radio 20MHz Select if you are not using any 802 11n...

Page 62: ...transmissions of beacon frames The value range is between 40 and 1000 milliseconds and default is 100 milliseconds DTIM Interval Enter the Delivery Traffic Information Map DTIM period an integer from 1 to 255 beacons The default is 1 beacon The DTIM message is an element included in some beacon frames It indicates which client stations currently sleeping in low power mode have data buffered on the...

Page 63: ...e fragmentation threshold an integer from 256 to 2346 The default is 2346 The fragmentation threshold is a way of limiting the size of packets frames transmitted over the network If a packet exceeds the fragmentation threshold you set the fragmentation function is activated and the packet is sent as multiple 802 11 frames If the packet being transmitted is equal to or less than the threshold fragm...

Page 64: ... wireless network Users must enter authentication credentials before their wireless client devices can access the Internet Global Configuration Go to Configuration Captive Portal Global Configuration to change settings and modify captive portal authentication access port number if needed 64 ...

Page 65: ...lt You can configure an additional port for that process HTTP Port Once Additional HTTP Port is enabled define an additional port for HTTP protocol The value can be 80 or 1024 to 65535 and is 80 by default The HTTP Port must be different from the HTTP port in Administration Management Access page Additional HTTPS Port HTTPS portal authentication uses the HTTPS management port by default You can co...

Page 66: ...Portal Profiles Go to Configuration Captive Portal Portal Profiles to define detailed settings for Captive Portal profile Create up to two profiles 66 ...

Page 67: ...d wireless clients will be directed after logging in at Captive Portal Choose Original URL or Promotion URL Redirect to Original URL If Landing Page is enabled this setting redirects authenticated wireless clients from the Captive Portal login screen to the URL the user typed in Promotion URL Enter a URL to which authenticated clients will be redirected from the Captive Portal login page Landing P...

Page 68: ...RADIUS Server Backup Server The Backup Authentication Server will be used when the Primary Authentication Server is not available Backup Server Port Enter the port number used for connections to the Backup RADIUS Server Backup Shared Secret Enter the key value to match the Backup RADIUS Server Password Only Authentication Password The password for the profile Wireless clients only need one passwor...

Page 69: ... User Name Enter the name of the user account The user name includes 1 to 32 characters Special characters except and are allowed Password Enter the password of the user account The password must be between 4 and 32 characters in length Special characters except and are allowed Confirm Password Re enter the password to confirm it 69 ...

Page 70: ...Local Group Go to Configuration Captive Portal Local Group to configure group settings Groups include multiple local users and are mapped to Captive Portal profiles Up to two groups are supported 70 ...

Page 71: ...onfigure its user members Members User members of the selected group You can select one user and click button to remove it Other Users Other users which don t belong to the selected group You can select one user and click button to add it into the group Web Customization Go to Configuration Captive Portal Web Customization to customize the authentication web page of Captive Portal 71 ...

Page 72: ... Customize text to go with the login box Default text for different authentication options Local Authentication Radius Authentication You can login using your username and password Password Only Authentication You can login using your password Local Authentication Click Connect to login User Label Customize the username text box Enter up to 16 characters The default is Username Password Label Cust...

Page 73: ...nticated The default is You have logged on successfully Please keep this window open when using the wireless network Failure Text Customize the text that shows when authentication fails Enter up to 128 characters The default is Bad username or password Profile Association Go to Configuration Captive Portal Profile Association to associate defined Captive Portal profiles with SSIDs 73 ...

Page 74: ...d with the SSID If the profile associated with the SSID is deleted then the association will be removed If None is selected it means no profile is associated Client Information Go to Configuration Captive Portal Client Information to view the status of wireless clients that are authenticated by Captive Portal 74 ...

Page 75: ...t has a specific amount of time within which it may reconnect without re authentication The timer starts when the client disconnects from the SSID After the time reaches zero the client is de authenticated If the timeout is set to 0 the client is not de authenticated Measured in seconds Session Timeout The remaining time of the authenticated session The timer starts when the client is authenticate...

Page 76: ...downstream To create ACLs and associate them to an interface perform the following steps 1 Create ACLs To add a new ACL type in a name and choose IPv4 or IPv6 Click Add ACL To add a rule to a specific ACL select the ACL name from the ACL Names dropdown list and select a priority from the Rule Index dropdown list After that you can define what kind of traffic to permit or deny Always remember there...

Page 77: ...ACL Profiles Go to Configuration ACL ACL Profiles to configure ACL profiles and their rules 77 ...

Page 78: ...bled by default Action Whether the ACL rule permits or denies an action Match Every Packet Rule matches the frame or packet regardless of its contents If this is checked you cannot configure any other matching condition listed below e g Protocol Source IP Port Destination IP Port Match Protocol Use a Layer 3 or Layer 4 protocol as a matching condition Set the protocol value with following methods ...

Page 79: ...uld be written as 0.0.0.255. To match traffic by source IP address from 192.168.2.0 to 192.168.2.254, enter the source IP as 192.168.2.0 and wildcard mask as 0.0.0.255. To match a specific source IP address, e.g. 192.168.2.100, enter the source IP as 192.168.2.100 and wildcard mask as 0.0.0.0. If the ACL type is IPv6, set an IPv6 address and its prefix length. The range for IPv6 prefix length is 0 to 128. M...

Page 80: ... match traffic by destination IP address from 192.168.2.0 to 192.168.2.254, enter destination IP as 192.168.2.0 and wildcard mask as 0.0.0.255. To match a specific destination IP address, e.g. 192.168.2.100, enter the destination IP as 192.168.2.100 and wildcard mask as 0.0.0.0. If the type of ACLs is IPv6, set an IPv6 address and its prefix length as destination IP. The range for IPv6 prefix length is 0 ...

Page 81: ...1110 af41 Match packets with AF41 dscp 100010 af42 Match packets with AF42 dscp 100100 af43 Match packets with AF43 dscp 100110 cs1 Match packets with CS1 precedence 1 dscp 001000 cs2 Match packets with CS2 precedence 2 dscp 010000 cs3 Match packets with CS3 precedence 3 dscp 011000 cs4 Match packets with CS4 precedence 4 dscp 100000 cs5 Match packets with CS5 precedence 5 dscp 101000 cs6 Match pa...

Page 82: ...mize Monetary Cost 0001 Maximize Reliability 0010 Maximize Throughput 0100 Minimize Delay 1000 IPv6 Flow Label A number that is unique to an IPv6 packet is used by end stations to signify QoS handling in routers The range is 0 to 1048575 ACL Association Go to Configuration ACL ACL Association to associate defined ACL profiles with SSIDs 82 ...

Page 83: ...nied ACL Name Up Choose the profile that is associated with the SSID for upstream from wireless client to access point traffic If the profile associated with the SSID is deleted the association will be removed If None is selected no profile is associated When a packet or frame is received by the access point the ACL s rules are checked for a match The packet or frame is processed if it is permitte...

Page 84: ...r settings instead of slaves When firmware is upgraded on the master all slaves within the same cluster will receive the upgrade Clustered access points share these configurations User Accounts Time Settings Log Settings Management Access Discovery Settings IGMP MLD Snooping Wireless Network Mode SSID Settings Wireless Security Rogue AP Detection Wireless Scheduler Wireless Scheduler Association W...

Page 85: ...n and assign the access point to be the master Note If system detects there is one Master already existed in the same cluster the new access point that likes to become master will be assigned to slave automatically Slave Enable the cluster function and assign the access point to be the slave Note When the cluster function is enabled WDS and workgroup bridge will be disabled automatically 85 ...

Page 86: ...Master 86 ...

Page 87: ... Name Name of the cluster for the LAP device to join for example lab cluster All access points with the same cluster name belong to the same cluster Length of this value is from 4 to 32 bytes and special characters are allowed This is a mandatory field if the cluster function is turned on Backup Master When an access point works as a cluster slave it can be enabled as a backup master When master g...

Page 88: ...ion with a unique MAC address maintains a connection with the wireless network The session begins when the WLAN client logs on to the network and the session ends when the WLAN client either logs off intentionally or loses the connection for some other reason When one wireless client of Captive Portal roams from one access point to another in the same cluster it need not re authenticate 88 ...

Page 89: ...second Link Rate Indicates the link rate of the client Unit is Mbps Signal The signal strength of the client is displayed Unit is dBm Rx Total The total bytes which are received from the client by the access point Unit is Byte Tx Total The total bytes which are sent to the client by the access point Unit is Byte Rx Rate Current transfer rate of the data which are received from the client by the ac...

Page 90: ...cluster When channel management is enabled the access point automatically assigns radio channels within a cluster Auto channel assignment reduces mutual interference or interference with other access points outside of its cluster and maximizes Wi Fi bandwidth to help maintain efficient communication over the wireless network 90 ...

Page 91: ...iately Scan according to the day time specified No Clients Scan only if no clients are connected to the wireless radio If there are clients connected the access point will complete the Auto Channel operation the next scheduled time when no clients are connected Current Channels Type Member type of the access point It can be Master Slave or Backup Master Location Where the access point is physicall...

Page 92: ...Chapter 4 System Status Status System Summary Go to System Status Status System Summary for status of the access point 92 ...

Page 93: ...he last restart or reboot System Time The current date and time Power Source The power source of the access point It can be Power over Ethernet PoE or Power Adapter When two power sources are plugged in Power Adaptor will be displayed LAG Status Indicates the status of LAG Link Aggregation It can be Inactive or Active When LAG is inactive only one Ethernet port works at a given time LAG only works...

Page 94: ...Buttons Refresh Click to update the data on the screen 94 ...

Page 95: ...LAN Status Go to System Status Status LAN Status to see settings and status of LAN interface 95 ...

Page 96: ...N change the untagged traffic VLAN ID or change the VLAN ID for a SSID Untagged VLAN ID Displays the untagged VLAN ID Traffic on the VLAN that you specify in this field is not tagged with a VLAN ID when forwarded to the network VLAN 1 is the default ID for untagged VLAN and management VLAN Management VLAN Displays the Management VLAN ID The VLAN associated with the IP address you use to connect...

Page 97: ... which the wireless access point is attached the same value as the PCs on that LAN segment Primary DNS The primary DNS address provided by the DHCP server or configured manually Secondary DNS The secondary DNS address provided by the DHCP server or configured manually Wireless Status Go to System Status Status Wireless Status to see settings and status of wireless radios and SSIDs 97 ...

Page 98: ...nly the 20 MHz channel is in use When set to 20 40 MHz Wireless N connections will use 40 MHz channel but Wireless B and Wireless G will still use 20 MHz channel SSID Status Interface SSID index SSID Name Name of the SSID Status Status of the SSID Enabled or Disabled MAC Address MAC Address of the SSID VLAN ID VLAN ID of the SSID Priority The 802 1p priority of the SSID Scheduler State N A No sche...

Page 99: ...ch data is received Remote MAC MAC Address of the destination access point which is on the other end of the WDS link to which data is sent or handed off and from which data is received Connection Status Status of the WDS Station Disabled Connected or Not Connected Workgroup Bridge Status Status Status of the Workgroup Bridge Enabled or Disabled Local MAC MAC address of the Workgroup Bridge Remote ...

Page 100: ...he list The interfaces include eight SSIDs per radio SSID Name Name of the SSID to which the client connects Client MAC The MAC address of the client SSID MAC MAC of the SSID to which the client connects Link Rate The link rate of the client Unit is Mbps RSSI The signal strength of the client Unit is dBm Online Time How long this client has been online Unit is seconds 100 ...

Page 101: ...t in Transmit table or received in Received table by the interface Total Bytes The total bytes sent in Transmit table or received in Received table by the interface Total Dropped Packets The total number of dropped packets sent in Transmit table or received in Received table by the interface Total Dropped Bytes The total number of dropped bytes sent in Transmit table or received in Received table ...

Page 102: ...ee a list of system events such as login attempts and configuration changes Log Messages Log Messages Show the log messages Buttons Refresh Update the data on screen Save Save the log to a file on your PC Clear Delete the existing logs from device 102 ...

Page 103: ...the same cluster will be updated as well Do not power off the device or disconnect the Ethernet cable during the upgrade The access point will reboot automatically after the upgrade is complete To perform the firmware upgrade from local PC 1 Click Choose File to navigate to the location of the upgrade file 2 Select the upgrade file Its name will appear next to the Choose File button 3 Click Upgrad...

Page 104: ...ware available 2 Click the OK on the popup dialogue box to start the firmware download and upgrade if a new version of firmware is available Configuration Copy Save Go to Maintenance Maintenance Configuration Copy Save to copy configurations within the access point and delete copied configurations 104 ...

Page 105: ...Copy configuration file from one to another Source Configuration can be one of the following Backup Configuration if it exists Current Configuration Destination Configuration can be one of the following Backup Configuration Current Configuration Note that Source Configuration and Destination Configuration cannot be the same and if you copy Backup Configuration to Current Configuration the device will reboot aft...

Page 106: ...le from the device You can save it to external storage e g your PC or network storage You can also upload a previously saved configuration file from external storage to the device It is highly recommended you save one extra copy of the configuration file to external storage after you are done with access point setup 106 ...

Page 107: ...locate where you want to save the file rename it if you like and click Save Restore Configuration To restore settings from a backup file 1 Choose a destination file It can be Backup Configuration or Current Configuration 2 Click Choose File 3 Locate and select the previously saved backup file 4 Click Restore Backup Restore to from TFTP server Backup Configuration To create a backup file of the cur...

Page 108: ...r the source file name stored in TFTP server 3 Enter the IP address for the TFTP server Only IPv4 addresses are supported 4 Click Restore Factory Default It s highly recommended you save your current configuration file before you restore to factory default settings To save your current configuration file click Maintenance Configuration Backup Restore 108 ...

Page 109: ...e parameters of current AP and its slaves to factory defaults Cluster settings and non sharable parameters will not reset Reset All Parameters to Factory Default No Don t restore to factory defaults Reboot Go to Maintenance Maintenance Reboot to power cycle the device The current configuration file will remain after reboot Device Reboot If you click Save when the Yes radio button is selected the d...

Page 110: ...ibility of a host on the network General IP Type Enter the IP type of destination address IP or URL Address Enter the IP address or domain name that you want to ping Packet Size Enter the size of the packet Times to Ping Select the desired number from the drop list 5 10 15 Unlimited 110 ...

Page 111: ... one specified network interface The network interface can be radio SSID or LAN Network Interface Select the desired network interface from the drop down list The interface can be Radio SSID or Ethernet Start Capture Click to start the capture You will be asked to specify a local file to store the packets Stop Capture Click to stop the capture 111 ...

Page 112: ...tem detail information such as configuration file system status and statistics data hardware information operational status The information is useful in troubleshooting and working with technical support Click Download to download the device diagnostic log into a local file 112 ...

Page 113: ...e the case You can use the following method to determine the IP address of the wireless access point and then try to connect using the IP address instead of the name To find the access point s IP address 1 Open a MS DOS Prompt or Command Prompt Window 2 Use the Ping command to ping the wireless access point Enter ping followed by the default name of the wireless access point Default name is lap fo...

Page 114: ...ecurity settings on the PC match the settings on the access point On the PC the wireless mode is set to Infrastructure If using the Access Control feature the PC s name and address is in the Trusted Stations list If using 802 1x mode ensure the PC s 802 1x software is configured correctly See Appendix C p 122 for details of setup for the Windows XP 802 1x client If using a different client refer t...

Page 115: ...irectly with each other Infrastructure Mode In Infrastructure Mode one or more access points are used to connect wireless stations e g notebook PCs with wireless cards to a wired Ethernet LAN The wireless stations can then access all LAN resources Note Access points can only function in Infrastructure Mode and can communicate only with wireless stations that are set to Infrastructure Mode SSID ESS...

Page 116: ...sing multiple access points it is better if adjacent access points use different channels to reduce interference The recommended channel spacing between adjacent access points is five channels e g use Channels 1 and 6 or 6 and 11 In Infrastructure Mode wireless stations normally scan all channels looking for an access point If more than one access point can be used the one with the strongest signa...

Page 117: ...ave a client login on the RADIUS server Each user must have a user login on the RADIUS server Each user s wireless client must support 802 1X and provide the login data when required All data transmission is encrypted using the WPA standard Keys are automatically generated so no key input is required WPA2 Enterprise This version of WPA2 requires a RADIUS server on your LAN to provide the clientaut...

Page 118: ... WEP encryption If this option is used The access point must have a client login on the RADIUS server Each user must have a user login on the RADIUS server Each user s wireless client must support 802 1X and provide the login data when required All data transmission is encrypted using the WEP standard You only have to select the WEP key size the WEP key is automatically generated 118 ...

Page 119: ...of each wireless station is also more complex Using WEP For each of the following items each wireless station must have the same settings as the wireless access point Mode On each PC the mode must be set to Infrastructure SSID ESSID This must match the value used on the wireless access point The default value is LinksysSMB24G for radio 1 and LinksysSMB5G for radio 2 Note The SSID is case sensitive ...

Page 120: ... radio 1 and LinksysSMB5G for radio 2 Note The SSID is case sensitive Wireless Security On each client wireless security must be set to WPA2 PSK The pre shared key entered on the access point must also be entered on each wireless client The encryption method e g TKIP AES must be set to match the access point Using WPA2 Enterprise This is the most secure and most complex system WPA Enterprise mode p...

Page 121: ... system so keys do NOT have to be entered on each wireless station You can also use a static WEP key EAP MD5 The wireless access point supports both methods simultaneously RADIUS Server Configuration If using WPA2 Enterprise mode the RADIUS server on your network must be configured as follows It must provide and accept certificates for user authentication There must be a client login for the wirel...

Page 122: ...ompts ensure that DNS is installed and enabled during installation Services Installation 1 Select the Control Panel Add Remove Programs 2 Click Add Remove Windows Components from the left side 3 Ensure that the following components are selected Certificate Services After enabling this you will see a warning that the computer cannot be renamed and joined after installing certificate services Select...

Page 123: ...4 Click Next 5 Select Enterprise root CA and click Next 6 Enter the information for the Certificate Authority and click Next 123 ...

Page 124: ...on Services are running and must be stopped before continuing Click OK then Finish DHCP server configuration 1 Click on Start Programs Administrative Tools DHCP 2 Right click on the server entry and select New Scope 3 Click Next when the New Scope Wizard Begins 4 Enter the name and description for the scope click Next 124 ...

Page 125: ...Yes I want to configure these options now and click Next 9 Enter the router address for the current subnet The router address may be left blank if there is no router Click Next 10 For the parent domain enter the domain you specified for the domain controller setup and enter the server s address for the IP address Click Next 11 If you don t want a WINS server just click Next 12 Select Yes I want to...

Page 126: ...ools Certification Authority 2 Right click Policy Settings and select New Certificate to Issue 3 Select Authenticated Session and Smartcard Logon select more than one by holding down the Ctrl key Click OK 4 Select Start Programs Administrative Tools Active Directory Users and Computers 5 Right click on your active directory domain and select Properties 126 ...

Page 127: ...y tab choose Default Domain Policy then click Edit 7 Select Computer Configuration Windows Settings Security Settings Public Key Policies right click Automatic Certificate Request Settings New Automatic Certificate Request 127 ...

Page 128: ...r click Next 10 Ensure that your Certificate Authority is checked click Next 11 Review the policy change information and click Finish 12 Click Start Run type cmd and press Enter Enter secedit /refreshpolicy machine_policy This command may take a few minutes to take effect 128 ...

Page 129: ... address or name of the wireless access point and set the shared secret as entered on the Security Settings of the wireless access point 5 Click Finish 6 Right click on Remote Access Policies select New Remote Access Policy 7 Assuming you are using EAP TLS name the policy eap tls and click Next 8 Click Add If you don t want to set any restrictions and a condition is required select Day And Time Re...

Page 130: ...lect Grant remote access permission Click Next 11 Click Edit Profile and select the Authentication tab Enable Extensible Authentication Protocol and select Smart Card or other Certificate Deselect other authentication methods listed Click OK 130 ...

Page 131: ...12 Select No if you don t want to view the help for EAP Click Finish 131 ...

Page 132: ... 1x client implementation If using Windows 2000 you can install SP3 Service Pack 3 to gain the same functionality If you don t have either of these systems you must use the 802 1x client software provided with your wireless adapter Refer to your vendor s documentation for setup instructions The following instructions assume You are using Windows XP You are connecting to a Windows 2000 server for a...

Page 133: ... 2 Start your Web browser In the address box enter the IP address of the Windows 2000 Server followed by /certsrv e.g. http://192.168.0.2/certsrv 3 You will be prompted for a user name and password Enter the User name and Password assigned to you by your network administrator and click OK 133 ...

Page 134: ...4 On the first screen below select Request a certificate click Next 5 Select User certificate request and select User Certificate click Next 6 Click Submit 134 ...

Page 135: ...7 A message will be displayed and the certificate will be returned to you Click Install this certificate 8 You will receive a confirmation message Click Yes 135 ...

Page 136: ...ntrol Panel Network Connections 2 Right click on the Wireless Network Connection and select Properties 3 Select the Authentication tab and ensure that Enable network access control using IEEE 802 1X is selected and Smart Card or other Certificate is selected from the EAP type 136 ...

Page 137: ...works typically use EAP TLS This is a dynamic key system so there is no need to enter key values Enabling Encryption To enable encryption for a wireless network 1 Click on the Wireless Networks tab 2 Select the wireless network from the Available networks list and click Configure 3 Select and enter the correct values as advised by your network administrator For example to use EAP TLS you would ena...

Page 138: ...Setup for Windows XP and 802 1x client is now complete 138 ...

Page 139: ...key is provided for me automatically Instead you must enter the WEP key manually ensuring it matches the WEP key used on the access point Note On some systems the 64 bit WEP key is shown as 40 bit and the 128 bit WEP key is shown as 104 bit This difference arises because the key input by the user is 24 bits less than the key size used for encryption 139 ...

Page 140: ...LNKPG 00333 Rev A00 140 ...
