Motorola AP-7131 Series Reference Manual Download Page 598 | Manualshive

Page: 598 / 954

background image

8 - 28 WiNG 5.5 Access Point System Reference Guide

8.5 Wireless IPS (WIPS)

Security Configuration

The access point supports

Wireless Intrusion Protection Systems

(WIPS) to provide continuous protection against wireless

threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies. An
access point supports WIPS through the use of dedicated sensor devices designed to actively detect and locate unauthorized
AP devices. After detection, they use mitigation techniques to block the devices by manual termination, air lockdown, or port
suppression.

Unauthorized APs are untrusted and unsanctioned access points connected to a LAN that accept client associations. They can
be deployed for illegal wireless access to a corporate network, implanted with malicious intent by an attacker, or could just be
misconfigured access points that do not adhere to corporate policies. An attacker can install a unauthorized AP with the same
ESSID as the authorized WLAN, causing a nearby client to associate to it. The unauthorized AP can then steal user credentials
from the client, launch a man-in-the middle attack or take control of wireless clients to launch denial-of-service attacks.

A WIPS server can be deployed as a dedicated solution within a separate enclosure. When used with associated access point
radios, a WIPS deployment provides the following enterprise class security management features:

•

Threat Detection

- Threat detection is central to a wireless security solution. Threat detection must be robust enough to

correctly detect threats and swiftly help protect the wireless network.

•

Rogue Detection and Segregation

- A WIPS supported network distinguishes itself by both identifying and categorizing

nearby access points. WIPS identifies threatening versus non-threatening access points by segregating access points
attached to the network (unauthorized APs) from those not attached to the network (neighboring access points). The correct
classification of potential threats is critical for administrators to act promptly against rogues and not invest in a manual
search of thousands of neighboring access points.

•

Locationing

- Administrators can define the location of wireless clients as they move throughout a site. This allows for the

removal of potential rogues though the identification and removal of their connected access points.

•

WEP Cloaking

- WEP Cloaking protects organizations using the

Wired Equivalent Privacy

(WEP) security standard to protect

networks from common attempts used to crack encryption keys.

To define an access point’s WIPS configuration:

1. Select

Configuration

tab from the Web user interface.

2. Select

Security

3. Select

Wireless IPS

to display existing Wireless Intrusion Protection policy.

The

Wireless IPS

screen displays the

Settings

tab by default.

NOTE:

WIPS is not supported natively by an AP6511 or AP6521 model access point and

must be deployed using an external WIPS server resource.

«
...
596
597
598
599
600
...
»

Summary of Contents for AP-7131 Series

Page 1: ...Motorola Solutions WiNG 5 5 ACCESS POINT SYSTEM REFERENCE GUIDE ...

Page 2: ......

Page 3: ...MOTOROLA SOLUTIONS WING 5 5 ACCESS POINT SYSTEM REFERENCE GUIDE MN000160A01 Revision A October 2013 ...

Page 4: ...yright law The user shall not modify merge or incorporate any form or portion of a licensed program with other program material create a derivative work from a licensed program or use a licensed program in a network without written permission from Motorola Solutions The user agrees to maintain Motorola Solution s copyright notice on the licensed programs delivered hereunder and to include the same...

Page 5: ...x Icons 2 5 2 2 3 Table Icons 2 5 2 2 4 Status Icons 2 6 2 2 5 Configurable Objects 2 6 2 2 6 Configuration Objects 2 9 2 2 7 Configuration Operation Icons 2 10 2 2 8 Access Type Icons 2 10 2 2 9 Administrative Role Icons 2 11 2 2 10 Device Icons 2 11 Chapter 3 Quick Start 3 1 Using the Initial Setup Wizard 3 2 3 1 1 Typical Setup Wizard 3 5 3 1 1 1 Virtual Controller AP Mode 3 8 3 1 1 2 Standalon...

Page 6: ...apter 5 Device Configuration 5 1 RF Domain Configuration 5 2 5 1 1 RF Domain Sensor Configuration 5 4 5 1 2 RF Domain Alias Configuration 5 5 5 1 2 1 Network Basic Alias 5 6 5 1 2 2 Network Group Alias 5 9 5 1 2 3 Network Service Alias 5 11 5 2 System Profile Configuration 5 13 5 2 1 General Profile Configuration 5 14 5 2 2 Profile Radio Power 5 15 5 2 3 Profile Adoption Auto Provisioning Configur...

Page 7: ...37 5 2 9 Profile Critical Resources 5 141 5 2 10 Profile Services Configuration 5 144 5 2 10 1 Profile Services Configuration and Deployment Considerations 5 145 5 2 11 Profile Management Configuration 5 146 5 2 11 1 Upgrading AP6532 Firmware from 5 1 5 151 5 2 11 2 Profile Management Configuration and Deployment Considerations 5 151 5 2 12 Mesh Point Configuration 5 152 5 2 12 1 Vehicle Mounted M...

Page 8: ...2 6 1 2 6 MAC Registration 6 13 6 1 2 7 External Controller 6 13 6 1 2 8 WPA WPA2 TKIP 6 14 6 1 2 9 WPA2 CCMP 6 17 6 1 2 10 WEP 64 6 20 6 1 2 11 WEP 128 and KeyGuard 6 22 6 1 3 Configuring WLAN Firewall Support 6 24 6 1 4 Configuring Client Settings 6 32 6 1 5 Configuring WLAN Accounting Settings 6 34 6 1 6 Configuring Service Monitoring Settings 6 36 6 1 7 Configuring Client Load Balancing 6 38 6...

Page 9: ...figuration 9 1 Configuring Captive Portal Policies 9 2 9 1 1 Configuring a Captive Portal Policy 9 2 9 2 Setting the DNS Whitelist Configuration 9 14 9 3 Setting the DHCP Server Configuration 9 15 9 3 1 Defining DHCP Pools 9 15 9 3 2 Defining DHCP Server Global Settings 9 23 9 3 3 DHCP Class Policy Configuration 9 25 9 4 Setting the RADIUS Configuration 9 27 9 4 1 Creating RADIUS Groups 9 27 9 4 1...

Page 10: ... Summary Information 12 14 12 1 6 Adopted Device Upgrades 12 16 12 1 7 File Management 12 23 12 1 8 Adopted Device Restart 12 29 12 1 9 Captive Portal Pages 12 30 12 1 10 Re elect Controller 12 35 12 2 Certificates 12 37 12 2 1 Certificate Management 12 37 12 2 2 RSA Key Management 12 42 12 2 3 Certificate Creation 12 47 12 2 4 Generating a Certificate Signing Request CSR 12 49 12 3 Smart RF 12 52...

Page 11: ...n 13 61 13 3 4 1 Adopted APs 13 61 13 3 4 2 AP Adoption History 13 62 13 3 4 3 AP Self Adoption History 13 63 13 3 4 4 Pending Adoptions 13 64 13 3 5 AP Detection 13 65 13 3 6 Wireless Clients 13 66 13 3 7 Wireless LANs 13 67 13 3 8 Policy Based Routing 13 69 13 3 9 Radios 13 70 13 3 9 1 Status 13 71 13 3 9 2 RF Statistics 13 72 13 3 9 3 Traffic Statistics 13 73 13 3 10 Mesh 13 74 13 3 11 Interfac...

Page 12: ...ce 13 116 13 3 23 3 IP Firewall Rules 13 117 13 3 23 4 MAC Firewall Rules 13 118 13 3 23 5 NAT Translations 13 119 13 3 23 6 DHCP Snooping 13 120 13 3 24 VPN 13 122 13 3 24 1 IKESA 13 122 13 3 24 2 IPSec 13 123 13 3 25 Certificates 13 124 13 3 25 1 Trustpoints 13 124 13 3 25 2 RSA Keys 13 126 13 3 26 WIPS 13 127 13 3 26 1 WIPS Client Blacklist 13 127 13 3 26 2 WIPS Events 13 128 13 3 27 Sensor Ser...

Page 13: ...c License version 2 B 19 B 3 6 GNU Lesser General Public License 2 1 B 23 B 3 7 GNU General Public License version 3 B 28 B 3 8 ISC License B 36 B 3 9 GNU Lesser General Public License version 3 0 B 36 B 3 10 GNU General Public License 2 0 B 38 B 3 11 GNU Lesser General Public License version 2 0 B 43 B 3 12 GNU Lesser General Public License version 2 1 B 48 B 3 13 MIT License B 53 B 3 14 Mozilla ...

Page 14: ...x WiNG 5 5 Access Point System Reference Guide ...

Page 15: ...llowing Document Convention Notational Conventions Motorola Solutions Enterprise Mobility Support Center Motorola Solutions End User Software License Agreement NOTE In this guide AP7131 AP7161 and AP7181 are collectively represented as AP71XX NOTE ES6510 is an Ethernet Switch managed by a wireless controller such as RFS4000 RFS6000 RFS7000 NX9000 NX9500 NX9510 ES6510 does not have radios and does ...

Page 16: ...documents Bullets indicate lists of alternatives lists of required steps that are not necessarily sequential action items Sequential lists those describing step by step procedures appear as numbered lists NOTE Indicates tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING Indicates a condition or procedure that could result in personal inju...

Page 17: ...acting Enterprise Mobility support please provide the following information Serial number of the unit Model number or product name Software type and version number Motorola Solutions responds to calls by e mail telephone or fax within the time limits set forth in support agreements If you purchased your Enterprise Mobility business product from a Motorola Solutions business partner contact that bu...

Page 18: ...t of acceptance by the end user then that agreement supersedes this End User License Agreement as to the end use of that particular Product 2 GRANT OF LICENSE 2 1 Subject to the provisions of this End User License Agreement Motorola Solutions grants to End User Customer a personal limited non transferable except as provided in Section 4 and non exclusive license under Motorola Solutions copyrights...

Page 19: ...t which End User Customer uses such Software End User Customer may make one additional copy for each computer owned or controlled by End User Customer at each such site End User Customer may temporarily use the Software on portable or laptop computers at other sites End User Customer must provide a written list of all sites where End User Customer uses or intends to use the Software 4 TRANSFERS 4 ...

Page 20: ...hich or for which the Software and Documentation have been provided by Motorola Solutions unless End User Customer breaches this End User License Agreement in which case this End User License Agreement and End User Customer s right to use the Software and Documentation may be terminated immediately by Motorola Solutions In addition if Motorola Solutions reasonably believes that End User Customer i...

Page 21: ...es of Action End User Customer must bring any action under this End User License Agreement within one year after the cause of action arises except that warranty claims must be brought within the applicable warranty period 11 7 Entire Agreement and Amendment This End User License Agreement contains the parties entire agreement regarding End User Customer s use of the Software and may be amended onl...

Page 22: ...8 WiNG 5 5 Access Point System Reference Guide ...

Page 23: ...e best aspects of independent and dependent architectures to create a smart network that meets the connectivity quality and security needs of each user and their applications based on the availability of network resources including wired networks By distributing intelligence and control amongst access points a WiNG 5 network can route directly via the best path as determined by factors including t...

Page 24: ...on and use of the WiNG 5 software designed specifically for AP6511 AP6521 AP6522 AP6532 AP6562 AP7131 AP7161 AP7181 AP8132 AP8232 access points and ES6510 model ethernet switch It does not describe the version of the WiNG 5 software designed for use with the RFS4000 RFS6000 RFS7000 NX4500 NX4524 NX6500 NX6524 NX9000 NX9500 and NX9510 For information on using WiNG 5 in a controller managed network ...

Page 25: ...sary backhaul Within a WiNG 5 network up to 80 of the network traffic can remain on the wireless mesh and never touch the wired network so the 802 11n load impact on the wired network is negligible In addition latency and associated costs are reduced while reliability and scalability are increased A WiNG 5 network enables the creation of dynamic wireless traffic flows so bottlenecks can be avoided...

Page 26: ...1 4 WiNG 5 5 Access Point System Reference Guide ...

Page 27: ... access point can manage up to 24 other access points of the same model and share data amongst managed access points In Standalone mode an access point functions as an autonomous non adopted access point servicing wireless clients If adopted to controller an access point is reliant on its connected controller for its configuration and management For information on how to access and use the access ...

Page 28: ...with a working Web browser 2 Set the computer to use an IP address between 192 168 0 10 and 192 168 0 250 on the connected port Set a subnet network mask of 255 255 255 0 3 To derive the access point s IP address using its MAC address 4 Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows 5 With the...

Page 29: ...d field 11 Select the Login button to load the management interface If this is the first time the management interface has been accessed the first screen to display will prompt for a change of the default access point password Then a dialogue displays to start the initial setup wizard For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 30: ... lists global icons available throughout the interface Logout Select this icon to log out of the system This icon is always available and is located at the top right hand corner of the UI Add Select this icon to add a row in a table When this icon is selected a new row is created in the table or a dialog box opens where you can enter values for that particular list Delete Select this icon to remov...

Page 31: ... To edit a policy select the policy and this icon Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to a device s profile configuration Mandatory Field Indicates the control s value is a mandatory configuration item You will not be allowed to proceed further without providing all mandatory values in the dialog ...

Page 32: ...ting Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has completed successfully without error Information This icon always precedes information displayed to the user This may either be a message displaying progress for a particular process or may just be a message from the system Device Configuration Represent...

Page 33: ...onfiguration has been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domain States an RF Domain configuration has been impacted RF Domain implement location based security restrictions applicable to all VLANs in a particular physical location Firewall Policy Indicates a Firewall policy has been impac...

Page 34: ...ovides IP addresses to wireless clients A DHCP server policy configures how DHCP provides these IP addresses RADIUS Group Indicates the configuration of RADIUS Group is being defined and applied A RADIUS group is a collection of RADIUS users with the same set of permissions RADIUS User Pools States a RADIUS user pool is being applied RADIUS user pools are a set of IP addresses that can be assigned...

Page 35: ...nfiguration Indicates an item capable of being configured by the access point s interface View Events Event History Defines a list of events Select this icon to view events or view the event history Core Snapshots Indicates a core snapshot has been generated A core snapshot is a file that records the status of all the processes and memory when a process fails Panic Snapshots Indicates a panic snap...

Page 36: ... Once committed changes cannot be reverted Commit and Save When selected changes are saved to the access point s configuration Web UI Defines a Web UI access permission A user with this permission is permitted to access an associated device s Web UI Telnet Defines a TELNET access permission A user with this permission is permitted to access an access point using TELNET SSH Indicates a SSH access p...

Page 37: ...eges A security level user is allowed to configure all security related parameters Monitor Indicates a monitor role This role provides no configuration privileges A user with this role can view all system configuration but cannot modify them Help Desk Indicates help desk privileges A help desk user is allowed to use troubleshooting tools like sniffers execute service commands view or retrieve logs...

Page 38: ...ple devices deployed in a common coverage area such as in a floor a building or a site Each RF Domain also contains policies that can determine a Smart RF or WIPS configuration Access Point This icon indicates any access point that is a part of the network Wireless Client This icon indicates any wireless client connected within the access point managed network ...

Page 39: ...amline the process of initially accessing the wireless network The wizard defines the access point s operational mode deployment location basic security network and WLAN settings For instructions on how to use the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 40: ...he default username admin in the Username field 3 Enter the default password motorola in the Password field 4 Select the Login button to load the management interface 5 If this is the first time the access point s management interface has been accessed the Initial Setup Wizard automatically displays NOTE When logging in for the first time you are prompted to change the password to enhance device s...

Page 41: ...er the different configuration parameters A few more configuration screens are available for customization when the Advanced Setup wizard is used The first page of the Initial Setup Wizard displays the Navigation Panel and Function Highlights for the configuration activities comprising the access point s initial setup This page also displays options to select the typical or advanced mode for the w...

Page 42: ... configuration parameters set correctly A red X defines the task as still requiring at least one parameter be defined correctly Figure 3 3 displays the navigation panel for the Typical Setup Wizard Figure 3 4 Initial Setup Wizard Navigation Panel Advanced Setup Wizard Figure 3 4 displays the navigation panel for the Advanced Setup Wizard NOTE Note the difference in the number of steps between the ...

Page 43: ...ters and creates a working network with the fewest steps The Typical Setup wizard consists of the following Network Topology Selection LAN Configuration WAN Configuration Wireless LAN Setup Summary And Commit Screen To configure the access point using the Typical Setup Wizard 1 Select Typical Setup from the Choose One type to Setup the Access Point field 2 Select Next The Initial Setup Wizard disp...

Page 44: ...r more information see Virtual Controller AP Mode on page 3 8 Standalone AP Select this option to deploy this access point as an autonomous access point A standalone AP is not managed by a Virtual Controller AP or adopted by a RFS series wireless controller For more information see Standalone Mode on page 3 9 NOTE If designating the access point as a Standalone AP Motorola Solutions recommends the...

Page 45: ...nfiguring the access point in the Adopted to Controller mode see Adopt to a controller on page 3 35 4 Select the Country Code where the access point is deployed Selecting a proper country of operation is a very critical task while configuring the access point as it defines the correct channels of operations and ensures compliance to the regulations for the selected country This field is only avail...

Page 46: ... access points can be connected to and managed by a single Virtual Controller AP of the same access point model These connected access points must be of the same model as the Virtual Controller AP To designate an access point as a Virtual Controller AP 1 From the Access Point Settings screen select Virtual Controller AP 2 Select Next The remainder of a Virtual Controller AP configuration is the sa...

Page 47: ... screen select Standalone AP 2 Select Next The remainder of a Standalone AP configuration is the same as a Virtual Controller Access Point CAUTION If designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile and the UI does no...

Page 48: ...cess point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Typical Setup ...

Page 49: ...owing DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the check box to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interface Range Enter a starting and ending IP Address range for client assignments on ...

Page 50: ...ain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s Wireless LAN interface configuration For more information see Wireless LAN Setup on page 3 1...

Page 51: ...igured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define Default Gateway information as the field will become enabled on the bottom portion of the screen The provided IP address is...

Page 52: ...rface Select the option to enable Network Address Translation on the selected GE interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s wireless LAN configuration For more information see Wireless LAN Setup on page 3 15 ...

Page 53: ...r phone system WLANs can therefore be configured around the needs of specific user groups even when they are not in physical proximity Up to two 2 WLANs can be configured for the access point using the wizard Figure 3 9 Initial Setup Wizard Wireless LAN Setup screen for Typical Setup Wizard 1 Set the following WLAN1 configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure ...

Page 54: ...played where additional updates can be made For more information on configuring the onboard RADIUS server see RADIUS Server Configuration on page 3 17 PSK authentication WPA2 encryption Configures a network that uses PSK authentication and WPA2 encryption Select this option to implement a pre shared key that must be correctly shared between the access point and requesting clients using this WLAN W...

Page 55: ...screen to configure the users for the onboard RADIUS server Use the screen to add modify and remove RADIUS users Figure 3 10 Initial Setup Wizard RADIUS Server Configuration screen for Typical Setup Wizard Use the Add User button to add a new RADIUS user A dialog displays where details about the user is entered ...

Page 56: ...e with creating another user select Create To create the user and close this dialog click Create Close To close the dialog and abandon the operation select Cancel Use the Modify User button to modify the details for an existing user in the RADIUS user database Select the user to modify details for and then click Modify User The username for the user cannot be modified using this dialog Use the Del...

Page 57: ...y and Commit screen is an additional means of validating the configuration before it is deployed Figure 3 12 Initial Setup Wizard Summary And Commit Screen of the Typical Setup Wizard If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summary either select the targe...

Page 58: ...ll also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically Up to two 2 controllers can be defined The access point will try to adopt to the controller defined in the Controller 1 field first Should the controller not be found then the access point tries to adopt to the controller defined in Controller 2 field When preferring layer 3...

Page 59: ... following Network Topology Selection LAN Configuration WAN Configuration Radio Configuration Wireless LAN Setup System Information Summary And Commit Screen To configure the access point using the Advanced Setup Wizard 1 Select Advanced Setup from the Choose One type to Setup the Access Point field 2 Select Next The Advanced Setup Wizard displays the Access Point Settings screen to define the acc...

Page 60: ...ies wireless controller For more information see Standalone Mode on page 3 9 Adopted to Controller Select this option when deploying the access point as a controller managed Dependent mode access point Selecting this option closes the Initial AP Setup Wizard An adopted access point obtains its configuration from a profile stored on its managing controller Any manual configuration changes are overw...

Page 61: ...to start configuring the access point in the selected mode If the Access Point Type is Virtual Controller AP or Standard AP see Network Topology Selection on page 3 24 If the Access Point Type is Adopted to Controller see Adopt to a controller on page 3 35 ...

Page 62: ...single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Advan...

Page 63: ...selected this field is not available When selecting this option define the following DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the check box to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interfac...

Page 64: ...hing IP address Primary DNS Enter an IP Address for the main Domain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Advanced Setup Wizard displays the Radio Configuration screen to set the access point s radios For more informatio...

Page 65: ...is configured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define the following Default Gateway information as the field will become enabled on the bottom portion of the screen The I...

Page 66: ...WAN Interface Select the option to enable Network Address Translation on the selected GE interface 2 Select Next The Advanced Setup Wizard displays the Radio Configuration screen to set the access point s radios For more information see Radio Configuration on page 3 29 ...

Page 67: ...GHz or 5 0 GHz radio band to use with the radio when selected as a Data Radio The selected band is used for WLAN client support Consider selecting one radio for 2 4 GHz and another for 5 0 GHz support if using a dual or three radio model when supporting clients in both the 802 11bg and 802 11n bands Power Level Use the spinner control to select a 1 23 dBm minimum power level to assign to this radi...

Page 68: ...rmanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor support exclusively When functioning as a sensor the radio scans in sensor mode across all channels within the 2 4 and 5 0 GHz bands to identify potential threats If dedicating a radio as a sensor resource a primary and secondary ADSP server must ...

Page 69: ...fic user groups even when they are not in physical proximity Use the Wireless LAN Setup screen to configure the WLAN parameters Up to two 2 WLANs can be configured for the access point Figure 3 19 Initial Setup Wizard WAN Configuration screen for Advanced Setup Wizard 1 Set the following WLAN1 Configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure the encryption and auth...

Page 70: ...e the drop down to specify the type of key provided Select ASCII or HEX to specify the key type provided in the WPA Key field EAP Authentication and WPA2 Encryption Configures a network that uses EAP authentication and WPA2 encryption Select this option to authenticate clients within this WLAN through the exchange and verification of certificates External RADIUS Server When selected provide the IP...

Page 71: ...point prompts for the correct country code on the first login A warning message also displays stating an incorrect country setting may result in illegal radio operation Selecting the correct country is central to legal operation Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted This is a required paramet...

Page 72: ...guration before it is deployed However if a screen displays settings not intended as part of the initial configuration the screen can be selected from within the Navigation Panel and its settings modified accordingly Figure 3 21 Initial Setup Wizard Summary and Commit screen for the Advanced Setup Wizard If the configuration displays as intended select Save Commit to implement these settings to th...

Page 73: ... controller defined in Controller 2 field When preferring layer 3 adoption configure how an IP is assigned to this access point Select Use DHCP to use DHCP to assign an IP address to this access point If this access point requires a static IP select Static IP Address Subnet and provide the appropriate IP address and net mask For your convenience the netmask is automatically set to 24 Also assign t...

Page 74: ...3 36 WiNG 5 5 Access Point System Reference Guide ...

Page 75: ...int managed network Use the dashboard to review the current network topology assess the network s component health and diagnose problematic device behavior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard Network View ...

Page 76: ...1 Select Dashboard Expand the System menu item on the upper left hand side of the UI and select either an access point or connected client The Dashboard screen displays the Health tab by default Figure 4 1 Dashboard Health tab 4 1 1 Dashboard Conventions The Dashboard screen displays device information using the following conventions Health Displays the state of the access point managed network In...

Page 77: ...utilization data for the access point managed network Figure 4 2 Dashboard Health tab For more information see Device Details Radio RF Quality Index Radio Utilization Index Client RF Quality Index 4 1 1 1 1 Device Details Health The Device Details field displays model and version information ...

Page 78: ...rcentage of the overall effectiveness of the RF environment It is a function of the data rate in both directions the retry rate and the error rate Figure 4 4 Dashboard Health tab Radio RF Quality Index field RF Quality displays as the average quality index for the single RF Domain utilized by the access point The table lists the bottom five 5 RF quality values for the RF Domain The quality is meas...

Page 79: ...ughput Refer to the number or errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received Periodically select Refresh at the bottom of the screen to update the radio utilization information displayed Figure 4 5 Dashboard Health tab Radio Utilization Index field 4 1 1 1 4 Client RF Quality Index Dashboard Conventions The Client RF Quality I...

Page 80: ...ectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as the retry rate and the error rate The quality is measured as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Client MAC Displays the factory encoded MAC address assigned to each connected radio listed Use this information to assist in the identificat...

Page 81: ...point The Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a radio Figure 4 7 Dashboard Inventory tab The Inventory tab is partitioned into the following fields Radio Types WLAN Utilization Wireless Clients Clients by Radio Type ...

Page 82: ...entory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures how efficiently the RF medium is utilized It is defined as a percentage of the current throughput relative to the maximum throughput possible The quality is measured as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and ...

Page 83: ...a bar graph illustrating the number of connected clients currently operating on supported radio bands Figure 4 11 Dashboard Inventory tab Clients by Radio Type field For 5 0 GHz clients are displayed supporting the 802 11a and 802 11an radio bands For 2 4 GHz clients are displayed supporting the 802 11b 802 11bg and 802 11bgn radio bands Use this information to determine if all the access point s ...

Page 84: ...evice performance and utilization as well as the RF band channel and vendor For more information see Network View Display Options on page 4 11 To review a device s Network Topology select Dashboard Network View Figure 4 12 Network View Topology The left hand side of the Network View screen contains an expandable System Browser where access points can be selected and expanded to display connected c...

Page 85: ...are available None Select this option to keep the Network View display as it currently appears without any additional color or device interaction adjustments Utilization Select this option to filter based on the percentage of current throughput relative to maximum throughput Utilization results include Red Bad Utilization Orange Poor Utilization Yellow Fair Utilization and Green Good Utilization Q...

Page 86: ...iables in blue within the Network View display 3 Select the Update button to update the display with the changes made to the filter options Select Close to close the options field and remove it from the Network View 4 2 2 Device Specific Information Network View A device specific information screen is available for individual devices selected from within the Network View not the System Browser The...

Page 87: ...re as their general client support roles are quite similar However access point configurations may need periodic refinement and overrides from their original RF Domain administered design For more information see RF Domain Overrides on page 5 193 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model Profiles can be used to...

Page 88: ...ement from its original RF Domain designation Unlike a RFS series wireless controller an access point supports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration Thus a configuration should only be overridden when needed For more inf...

Page 89: ...ferent geographical deployments Country Define the two digit country code set for the RF Domain The country code must be set accurately to avoid the policy s illegal operation as device radios transmit in specific channels unique to the country of operation Controller Managed Select the option to indicate this RF Domain is managed by adopting controllers or service platforms This option is disable...

Page 90: ...r sensor functionality is supported on the access point radio s available to each managed WLAN When an access point radio is functioning as a WIPS sensor it is able to scan in sensor mode across all legal channels within the 2 4 and 5 0 GHz band Sensor functionality is not provided by the access point alone The access point works in conjunction with a dedicated WIPS server To define a WIPS server ...

Page 91: ... profiles and RF Domains in the system Profiles aliases are defined from Configuration Devices System Profile Network Alias screen These aliases are available for use to a specific group of wireless controllers or access points Alias values defined in this profile override alias values defined within global aliases RF Domain aliases are defined from Configuration Devices RF Domain Alias screen The...

Page 92: ...ticular host device s IP address A network alias configuration is utilized for an IP address on a particular network An address range alias is a configuration for a range of IP addresses A basic alias configuration can contain multiple instances for each of the five 5 alias types To edit or delete a basic alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3...

Page 93: ...used to replace an IP address range in IP firewall rules 7 Select Add Row to define Host Alias settings Use the Host Alias field to create aliases for hosts that can be utilized at different deployments For example if a central network DNS server is set a static IP address and a remote location s local DNS server is defined this host can be overridden at the remote location At the remote location ...

Page 94: ...se the String Alias field to create aliases for strings that can be utilized at different deployments For example if the main domain at a remote location is called loc1 domain com and at another deployment location it is called loc2 domain com the alias can be overridden at the remote location to suit the local but remote requirement At one remote location the alias functions with the loc1 domain ...

Page 95: ...nfigured inside a network group alias A maximum of 32 network group alias entries can be created A network group alias is used in IP firewall rules to substitute hosts subnets and IP address ranges To edit or delete a network alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3 Select RF Domain 4 Select the Network Group Alias tab The following screen displ...

Page 96: ...e the Add Row button to specify the Start IP address and End IP address for the alias range or double click on an existing an alias range entry to edit it NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for...

Page 97: ...etwork service alias Use a service alias to associate more than one IP address to a network interface providing multiple connections to a network from a single IP node Network Service Alias can be used in the following location to substitute protocols and ports IP Firewall Rules To edit or delete a service alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices ...

Page 98: ...has to be created Use the drop down menu to select the protocol eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select ...

Page 99: ...t those who have had their configuration overridden from their previous profile designation These devices require careful administration as they no longer can be tracked and as profile members Their customized configurations overwrite their profile assignments until the profile can be re applied to the access point Each access point model is automatically assigned a default profile The default pro...

Page 100: ...eb UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI General configuration options display by default with the profile activated for use with this access point model Figure 5 8 General Profile screen 4 Select Add Row below the Network Time Protocol NTP table to define the configurations of NTP server resources used to obtain system time Up to 3 NTP servers ca...

Page 101: ... the budget available to the access point The CPLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted T...

Page 102: ...io s 802 3at Power Mode Use the drop down menu for each power mode to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is p...

Page 103: ...n access point solicits and receives multiple adoption responses from Virtual Controller APs available on the network These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption To define the access point profile s adoption configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Pro...

Page 104: ...lidation mechanism to ensure the availability of the adopting wireless controller Use the spinner to set a value from 1 120 seconds 8 Define the Adjacency Hold Time value This value sets the time after which the preferred controller group is considered down and unavailable to provide services Use the spinner to set a value from 2 600 seconds 9 Enter Controller Hostnames as needed to define resourc...

Page 105: ...rofile Wired 802 1X screen 5 Set the following Wired 802 1x Settings Routing Level Use the spinner controller to set the routing level for the Virtual Controller link The default setting is 1 IPSec Support Select to enable secure communication between the access point and wireless controllers IPSec GW Use the drop down menu to specify if the IPSec gateway resource is defined as a non DNS IP addres...

Page 106: ...s Point Radio Configuration WAN Backhaul Configuration PPPoE Configuration Additionally deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 5 53 Dot1x Guest VLAN Control Select thi...

Page 107: ...E1 POE LAN GE2 WAN AP7181 GE1 POE LAN GE2 WAN AP8132 AP8232 GE1 POE LAN GE2 WAN To define a profile s Ethernet port configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Ethernet Ports Figure 5 12 Profile Interfaces Ethernet Ports screen 5 Refer to the following to as...

Page 108: ...nk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN untagged traffic is directed over when us...

Page 109: ...x or full duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex Select eith...

Page 110: ... VLANs Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port allows packets from a list of VLANs you add to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default mode...

Page 111: ... define the following Trust ARP Responses Select this option to enable ARP trust on this access point port ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network The default value is disabled Trust DHCP Responses Select this option to enable DHCP trust on this port If enabled only DHCP responses are trusted a...

Page 112: ...ration to apply to this port Options include single host or multi host The default setting is single host Guest VLAN Specify a guest VLAN for this port from 1 4094 This is the VLAN traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled Port Control Use the drop down menu to set the port control state to apply to this port Options include force authorized force un...

Page 113: ...information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigned to these VLANs operate in this spanning tree instance whenever...

Page 114: ...r MSTP An Edge Port is a port known to connect to a LAN which has no other bridges attached to it or is directly connected to an user device Link Type Select either the Point to Point or Shared radio button Selecting Point to Point indicates the port should be treated as connected to a point to point link Selecting Shared means this port should be treated as having a shared connection A port conne...

Page 115: ...inner control and then set the Priority The lower the priority the greater the likelihood of the port becoming a designated port 24 Select Add Row needed to include additional indexes 25 Select OK to save the changes made to the Ethernet port s security configuration Select Reset to revert to the last saved configuration 1000000000000 bits sec 20 1000000000000 bits sec 2 ...

Page 116: ...the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Virtual Interfaces Figure 5 16 Profile Interfaces Virtual Interfaces screen 5 Review the following parameters unique to each virtual interface configuration Name Displays the name of each listed Virtual Interface assigned when it was created The name is from 1 409...

Page 117: ...n existing one is being modified 7 If creating a new Virtual Interface use the Name spinner control to define a numeric ID from 1 4094 8 Define the following parameters from within the Properties field VLAN Displays the numerical VLAN ID associated with each listed interface IP Address Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration Descri...

Page 118: ...as the designated means of providing an IP address this eliminates the means to assign one manually Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments Zero Configuration or Zero Config is a wireless connection utility included with Microsoft Windows XP and later as a service that dynamically selects a network to connect based on a user s prefer...

Page 119: ...ireless Firewall on page 8 2 14 Use the VPN Crypto Map drop down menu to select and assign a VPN crypto map entry to this virtual interface The VPN Crypto Map entry defines the type of VPN connection and its parameters For more information see Defining Profile VPN Settings on page 5 106 15 Select the OK button located at the bottom right of the screen to save the changes to the Security screen Sel...

Page 120: ...he Port Channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name cannot be modified as part of the edit process Type Displays whether the type is port channel Description Lists a a short description 64 characters maximum describing the port channel or differentiating it from others with simila...

Page 121: ...ll duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex Select eit...

Page 122: ...ative VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select this option to tag the native VLAN Access points support the IEEE 802 1Q specification for tagging frames and coordinati...

Page 123: ...reless Firewall on page 8 2 13 Refer to the Trust field to define the following Trust ARP Responses Select this option to enable ARP trust on this port channel ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the managed network The default value is disabled Trust DHCP Responses Select this option to enable DHCP tr...

Page 124: ... can be left unconfigured on an access point Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is disabled by default PortFast BPDU Filter Select Enable to invoke a BPDU filter for this PortFast enabled port channel Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDU...

Page 125: ...ng a shared connection A port connected to a hub is on a shared link while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setting is disabled by default Force Protocol V...

Page 126: ...ew the following radio configuration data to determine whether a radio configuration requires modification to better support the network Name Displays whether the reporting radio is radio 1 radio 2 or radio 3 AP7131 models can have up to 3 radios depending on the SKU AP6522 AP6522M AP6532 AP6562 AP8132 AP8232 AP7181 and AP7161 models have 2 radios while AP6521 and AP6511 models have 1 radio Type D...

Page 127: ...he Radio Settings tab Channel Lists the channel setting for the radio Smart is the default setting If set to Smart the access point scans non overlapping channels listening for beacons from other access points After the channels are scanned it selects the channel with the fewest access points In the case of multiple access points on the same channel it will select the channel with the lowest avera...

Page 128: ... party access point and bridge frames to it Lock RF Mode Select this option to lock Smart RF operation for this radio The default setting is disabled as Smart RF utilization will impact throughput Channel Use the drop down menu to select the channel of operation for the radio Only a trained installation professional should define the radio channel Select Smart for the radio to scan non overlapping...

Page 129: ...the radio to dynamically change the number of transmit chains This option is enabled by default Data Rates Once the radio band is provided the drop down menu populates with rate options depending on the 2 4 or 5 0 GHz band selected If the radio band is set to Sensor or Detector the Data Rates drop down menu is not enabled as the rates are fixed and not user configurable If 2 4 GHz is selected as t...

Page 130: ...ngs lengthening the time to let nodes sleep longer and preserve their battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold from 1 2 347 bytes for use by the WLAN s adopted access point radios RTS is a transmitting station s signal that requests a Clear To ...

Page 131: ...ct this option for the radio to transmit using a short preamble Short preambles improve throughput However some devices SpectraLink phones require long preambles The default value is disabled Guard Interval Use the drop down menu to specify a Long or Any guard interval The guard interval is the space between symbols characters being transmitted The guard interval is there to eliminate inter symbol...

Page 132: ...et a priority 1 6 for connection preference 21 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 22 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and then connect through ...

Page 133: ...e is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Frame Size Limit If a support mode is enable allowing A MPDU frames to be ...

Page 134: ... is Follow DTIM Host for Redirected Packets If packets are re directed from an access point radio define an IP address of a resource additional host system used to capture the re directed packets This address is the numerical non DNS address of the host used to capture the re directed packets Channel to Capture Packets Use the drop down menu to specify the channel used to capture re directed packe...

Page 135: ...I 40 MHz No SGI 40MHz With SGI 0 1 6 5 7 2 13 5 15 1 1 13 14 4 27 30 2 1 19 5 21 7 40 5 45 3 1 26 28 9 54 60 4 1 39 43 4 81 90 5 1 52 57 8 108 120 6 1 58 5 65 121 5 135 7 1 65 72 2 135 150 Table 5 2 MCS 2Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 2 13 14 4 27 30 1 2 26 28 9 54 60 2 2 39 43 4 81 90 3 2 52 57 8 108 120 4 2 78 86 7 162 180 5 2 104 ...

Page 136: ...single spatial streams MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 80 MHz No SGI 80MHz With SGI 0 6 5 7 2 13 5 15 29 3 32 5 1 13 14 4 27 30 58 5 65 2 19 5 21 7 40 5 45 87 8 97 5 3 26 28 9 54 60 117 130 4 39 43 3 81 90 175 5 195 5 52 57 8 108 120 234 260 6 58 5 65 121 5 135 263 3 292 5 7 65 72 2 135 150 292 5 325 8 78 86 7 162 180 351 390 9 n a n a 180 200 390 433 3 Table 5...

Page 137: ... communications PPP packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation The following 3G cards are supported Veri...

Page 138: ...aul card Enable WAN 3G Select this option to enable 3G WAN card support on the access point A supported 3G card must be connected for this feature to work Username Provide username for authentication support by the cellular data carrier Password Provide password for authentication support by the cellular data carrier Access Point Name APN Enter the name of the cellular data provider if necessary T...

Page 139: ...se configuration are optimally effective If the WAN card does not connect after a few minutes after a no shutdown check the access point s syslog for a detected ttyUSB0 No such file event If this event has occurred linux didn t detect the card Re seat the card If the WAN card has difficulty connecting to an ISP syslog shows that it retries LCP ConfReq for a long time ensure the SIM card is still v...

Page 140: ...operation is enabled it discovers an available server and establishes a PPPoE link for traffic slow When a wired WAN connection failure is detected traffic flows through the WWAN interface in fail over mode if the WWAN network is configured and available When the PPPoE link becomes accessible again traffic is redirected back through the access point s wired WAN link When the access point initiates...

Page 141: ... protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the numeri...

Page 142: ...y the PPPoE client Use the Show option to view the actual characters comprising the password Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmissio...

Page 143: ...v3 Profile Configuration IGMP Snooping Quality of Service QoS Spanning Tree Configuration Routing Dynamic Routing OSPF Forwarding Database Bridge VLAN Cisco Discovery Protocol Configuration Link Layer Discovery Protocol Configuration Miscellaneous Network Configuration Alias Before beginning any of the profile network configuration activities described in the sections above review the configuratio...

Page 144: ...ld need to remember a series of numbers 123 123 123 123 instead of an easy to remember domain name www domainname com To define the DNS configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select DNS Figure 5 30 Network DNS screen 5 Provide a default Domain Name used when res...

Page 145: ...he LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied To define an ARP supported configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options...

Page 146: ...OK button located at the bottom right of the screen to save the changes to the ARP configuration Select Reset to revert to the last saved configuration Device Type Specify the device type the ARP entry supports Host Router or DHCP Server Host is the default setting ...

Page 147: ...creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is r...

Page 148: ...age types SCCRQ SCCRP and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages AVP messages assist in the identification of a tunnelled peer UDP Listen Port Select this option to set the port used for listening to incoming traffic Select a p...

Page 149: ...3 tunnel policy assigned to each listed tunnel Local Hostname Lists the tunnel specific hostname used by each listed tunnel This is the hostname advertised in tunnel establishment messages Local Router ID Specifies the router ID sent in the tunnel establishment messages Establishment Criteria Specifies tunnel criteria between two peers Critical Resource Specifies the critical resource that should ...

Page 150: ...el configuration assign it a 31 character maximum Name 10 Define the following Settings required for the L2TP tunnel configuration Local IP Address Enter the IP address assigned as the local tunnel end point address not the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer I...

Page 151: ... vrrp master cluster master rf domain manager at the remote site and the controller at the NOC The tunnel is created based on the role of the remote peer always The tunnel is always created irrespective of the role of the local device vrrp master The tunnel is only created when the local device is a VRRP master cluster master The tunnel is only created when the local device is a cluster master rf ...

Page 152: ...ss Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the peer a hostname that can be used as matching criteria in the tunnel establishment process Router ID Specify the router ID sent in tunnel establishment messages with this specific peer Encapsulation Select either IP or UDP as the peer encapsulation protocol...

Page 153: ...this session A pseudowire is an emulation of a layer 2 point to point connection over a packet switching network PSN A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network Traffic Source Type Lists the type of traffic tunnelled in this session Traffic Source Value Define a VLAN range to include in the tunnel session Available VLAN range...

Page 154: ... the session This pseudowire ID is sent in a session establishment message to the L2TP peer MTU Displays each sessions s maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers in this session A larger MTU means processing fewer packets for the same amount of data Name Lists the name assigned to each listed manual session...

Page 155: ...tes of the largest protocol data unit the layer can pass between tunnel peers in this session A larger MTU means processing fewer packets for the same amount of data Remote Session ID Use the spinner control to set the remote session ID passed in the establishment of the tunnel session Assign an ID from 1 4 294 967 295 Encapsulation Select either IP or UDP as the peer encapsulation protocol The de...

Page 156: ...out for those links which do not require them To configure IGMP Snooping 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select IGMP Snooping Figure 5 38 IGMP Snooping screen 5 Set the following parameters to configure general IGMP Snooping values Enable IGMP Snooping Select this opti...

Page 157: ...IGMP version 1 2 or 3 The default IGMP version is 3 IGMP Query Interval Sets the IGMP query interval This parameter is used only when the querier functionality is enabled Define an interval value in Seconds 1 18000 seconds Minutes 1 300 minutes or Hours 1 5 hours up to maximum of 5 hours The default value is 60 seconds IGMP Robustness Variable Sets the IGMP robustness variable The robustness varia...

Page 158: ...en maps the 6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP header DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence DSCP specifies a specific per hop behavior applied to a packet To define an QoS configuration for DSCP mappings 1 Select ...

Page 159: ...he changes Select Reset to revert to the last saved configuration 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priority The valid values for this field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Background 2 Spare 3 Excellent Effort 4 Controlled Load 5 Video 6 Voice 7 Networ...

Page 160: ...n in a single Bridge Protocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each M...

Page 161: ...onsiders valid in the spanning tree topology The available range is from 7 127 The default setting is 20 MST Config Name Define a 64 character maximum name for the MST region to use as an identifier for the configuration MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the ...

Page 162: ...gh the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to set the maximum time in seconds to listen for the root bridge The root bridge is the spanning tree bridge with the smallest lowest bridge ID Each bridge has a unique ID and a configurable priority number the bridge ID ...

Page 163: ...creating numerous host pools with manual bindings This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools To create static routes 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Routing Figure 5 41 Network Routing...

Page 164: ...wing parameters 11 Select the OK button located at the bottom right of the screen to save the changes Select Reset to revert to the last saved configuration Static Default Route Priority Use the spinner control to set the priority value 1 8 000 for the default static route This is weight assigned to this route versus others that have been defined The default setting is 100 DHCP Client Default Rout...

Page 165: ... area which does not receive route advertisements external to the autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer routing decisions are needed lowering s...

Page 166: ... address it does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passive Remo...

Page 167: ...heck Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted before the OSPF process is shut down The available ran...

Page 168: ...ration Edit to modify an existing configuration or Delete to remove a configuration Figure 5 44 Network OSPF Area Configuration screen Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 169: ...creating a stub Set a value from 1 16 777 215 Translate Type Define how messages are translated Options include translate candidate translate always and translate never The default setting is translate candidate Range Specify a range of addresses for routes matching address mask for OSPF summarization Name Displays the name defined for the interface configuration Type Displays the type of interfac...

Page 170: ...ireless networking device The drivers for the wireless adapter query the NDIS Object IDs and pass the available network names SSIDs to the service The service then lists them in the user interface on the Wireless Networks tab in the connection s Properties or in the Wireless Network Connection dialog box accessible from the notification area A checked build version of the WZC service can be used b...

Page 171: ...the OSPF route configuration Selecting Edit allows for the modification of an existing IP firewall rules configuration For more information see Wireless Firewall on page 8 2 27 Use the VPN Crypto Map drop down menu to select and apply a VPN crypto map entry to apply to the OSPF dynamic route Crypto Map entries are sets of configuration parameters for encrypting packets passing through the VPN Tunn...

Page 172: ...ptions on left hand side of the UI 4 Expand the Network menu and select Forwarding Database Figure 5 48 Network Forwarding Database screen 5 Define a Bridge Aging Time from 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before it is deleted due to lack of activity If an entry replenishments a destination generating continuous ...

Page 173: ...VLAN ID if the destination MAC is on a different network segment 9 Provide an Interface Name used as the target destination interface for the target MAC address 10 Select OK to save the changes Select Reset to revert to the last saved configuration ...

Page 174: ... untag it When a data frame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Bridge VLAN forwards the data frame on the appropriate port s VLANs are useful to set separate networks to isolate some computers from others without actually having to have separate cabling and Ethernet switches Another common us...

Page 175: ... VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as edge VLAN the firewall enforces additional checks on hosts in that VLAN For example a host cannot move from an edge VLAN to another VLAN a...

Page 176: ...tomatic mode to let the access point determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel to use a shared tunnel for bridging traffic on the VLAN Tunnel must be selected to successfully create a mesh connection between two Standalone APs isolated tunnel Select isolated tunnel to use a dedicated tunnel for ...

Page 177: ...s under bridge configuration are overridden Forward Unknown Multicast Packets Select this option to enable forwarding of multicast packets from unregistered multicast groups If disabled the unknown multicast forward feature is also disabled for this bridge VLAN This settings is enabled by default Interface Names Select the interface used for IGMP snooping over a multicast router Multiple interface...

Page 178: ...acket are not flooded on the wired port IGMP membership is also learnt on it and only if present then it is forwarded on that port Source IP Address Define an IP address applied as the source address in the IGMP query packet This address is used as the default VLAN querier IP address IGMP Version Use the spinner control to set the IGMP version compatibility to either version 1 2 or 3 The default s...

Page 179: ...ct Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Cisco Discovery Protocol Figure 5 52 Network Cisco Discovery Protocol CDP screen 5 Enable disable CDP and set the following settings 6 Select the OK button located at the bottom right of the screen to save the changes to the CDP configuration Select Reset to revert to the last saved...

Page 180: ...contains one Link Layer Discovery Protocol Data Unit LLDP PDU A single LLDP PDU is transmitted in a single 802 3 Ethernet frame To set the LLDP configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Link Layer Discovery Protocol Figure 5 53 Network Link Layer Discovery P...

Page 181: ...he Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Miscellaneous Figure 5 54 Network Miscellaneous screen 5 Select the Include Hostname in DHCP Request option to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 6 Select the DHCP Persistent Lease option to retain the lease ...

Page 182: ...ese aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override alias values defined in a global alias profiles ...

Page 183: ...VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN alias is used to replace VLANs in the following locations Bridge VLAN IP...

Page 184: ...ed to replace hostnames in the following locations IP Firewall Rules DHCP 8 Select Add Row to define Network Alias settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overridden at the remot...

Page 185: ...tworks in the form 192 168 10 0 24 or IP address range in the form 192 168 10 10 192 168 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for Host Network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias...

Page 186: ...ect Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a bla...

Page 187: ...k group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing Subnets ca...

Page 188: ...multiple connections to a network from a single IP node A network service alias can be used to substitute protocols and ports in IP firewall rules To edit or delete a network service alias configuration 1 Select Configuration tab from the web user interface 2 Select System Profiles 3 Select Network to expand it and display its sub menus 4 Select the Alias item the Basic Alias screen displays 5 Sel...

Page 189: ... created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter...

Page 190: ...e is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Static routes while easy can be overwhelming within a large or complicated network Each time there is a change someone must manually make changes to reflect the new route If a link goes down even if there is a second path the router would ignore it and consider the link down Static routes require ...

Page 191: ...icy wireless client role policy WEP shared key authentication and NAT policy applied For more information refer to the following sections Defining Profile VPN Settings Defining Profile Security Settings Setting the Certificate Revocation List CRL Configuration Setting the Profile s NAT Configuration Setting the Profile s Bridge NAT Configuration ...

Page 192: ... utilized for each IPSec peer however for remote VPN deployments one crypto map is used for all the remote IPSec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional features flexibility and configuration simplicity for the IPSec standard IKE automatically negotiates IPSec SAs and enables secure com...

Page 193: ...not exactly agree on the lifetime though if they do not there is some clutter for a superseded connection on the peer defining the lifetime as longer DPD Retries Lists each policy s maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer This screen only appears when IKEv1 is selected Name If creating a new IKE policy assign it a name 32 character m...

Page 194: ...ble range is from 1 100 The default setting is 5 IKE LifeTime Set the lifetime defining how long a connection encryption authentication keys should last from successful key negotiation to expiration Set this value in either Seconds 600 86 400 Minutes 10 1 440 Hours 1 24 or Days 1 This setting is required for both IKEv1 and IKEV2 Name If creating a new IKE policy assign the target peer tunnel desti...

Page 195: ...nnection and data transfer Authentication Type Lists whether the peer configuration has been defined to use pre shared key PSK or RSA Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s the first algorithm known to be suitable for signing as well as encryption If using IKEv2 this screen displays both local and remote authentication as both ends of the VPN connection requ...

Page 196: ... connection require authentication RSA is the default value for both local and remote authentication regardless of IKEv1 or IKEv2 Authentication Value or Local Authentication Value Define the authentication string shared secret that must be shared by both ends of the VPN tunnel connection The string must be from 8 21 characters long If using IKEv2 both a local and remote string must be specified f...

Page 197: ... creation Again a transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic Authentication Algorithm Lists each transform sets s authentication scheme used to validate identity credentials The authentication scheme is either HMAC SHA or HMAC MD5 Encryption Algorithm Displays each transform set s encryption method for protecting transmitte...

Page 198: ...ansform set define a 32 character maximum name to differentiate this configuration from others with similar attributes Authentication Algorithm Set the transform sets s authentication scheme used to validate identity credentials Use the drop down menu to select either HMAC SHA or HMAC MD5 The default setting is HMAC SHA Encryption Algorithm Set the transform set encryption method for protecting tr...

Page 199: ...te auto or remote VPN configuration defined for each listed crypto map configuration With site to site deployments an IPSEC Tunnel is deployed between two gateways each at the edge of two different remote networks With remote VPN an access point located at remote branch defines a tunnel with a security gateway This facilitates the endpoints in the branch office to communicate with the destination ...

Page 200: ...in the same crypto map provides the flexibility to connect to multiple peers from the same interface based on the sequence number from 1 1 000 Type Displays the site to site manual site to site auto or remote VPN configuration defined for each listed crypto map configuration IP Firewall Rules Lists the IP firewall rules defined for each displayed crypto map configuration Each firewall policy conta...

Page 201: ...configuration uses a list of entries based on a sequence number Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface based on this selected sequence number from 1 1 000 Type Define the site to site manual site to site auto or remote VPN configuration defined for each listed crypto map configuration ...

Page 202: ...l keys Options include None 2 5 and 14 The default setting is None Lifetime kB Select this option to define a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes Lifetime seconds Select this option to define a lifetime in ...

Page 203: ...rs depending on the selected IKE mode 30 Set the following IKEv1 or IKe v2 Settings Authentication Method Use the drop down menu to specify the authentication method used to validate the credentials of the remote VPN client Options include Local on board RADIUS resource if supported and RADIUS designated external RADIUS resource If selecting Local select the Add Row button and specify a User Name ...

Page 204: ...guration 36 Select the Remote VPN Client tab The Remote VPN Client screen provides options for configuring the remote VPN client AAA Policy Select the AAA policy used with the remote VPN client AAA policies define RADIUS authentication and accounting parameters The access point can optionally use AAA server resources when using RADIUS as the authentication method to provide user database informati...

Page 205: ...ions taken upon the detection of a dead peer within the IPSec VPN tunnel connection Shutdown Select this option to disable the remote VPN client The default is disabled Transform Set Configure the transform set used to specify how traffic is protected within the crypto ACL defining the traffic that needs to be protected Select the appropriate traffic set from the drop down menu or click the icon n...

Page 206: ...ciation is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes The default settings is 4 608 000 kilobytes IPsec Lifetime seconds Set a lifetime in seconds for the duration of an IPSec VPN security association Once the set value is exceeded the association is timed out Options include Seconds 120 86 400 Minutes 2 1 440 Hours 1 24 or Days 1 The default setting is 3 ...

Page 207: ...as dead The available range is from 1 100 The default number of messages is 5 NAT Keep Alive Define the interval or frequency of NAT keep alive messages for dead peer detection Options include Seconds 10 3 600 Minutes 1 60 and Hours 1 The default setting is 20 seconds Cookie Challenge Threshold Use the spinner control to define the threshold 1 100 that when exceeded enables the cookie challenge me...

Page 208: ...to its last saved configuration Group ID Configure the ID string used for IKE authentication String length can be between 1 64 characters Authentication Type Set the IPSec Authentication Type Options include PSK Pre Shared Key or rsa Authentication Key Set the common key for authentication between the remote tunnel peer Key length is between 8 21 characters IKE Version Configure the IKE version to...

Page 209: ...rted devices to use a WEP key to access the network using this profile The access point other proprietary routers and Motorola Solutions clients use the key algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers This option is disabled by default 6 Client Identity is a set of un...

Page 210: ...vocation Figure 5 74 Profile Security Certificate Revocation List CRL Update Interval screen 5 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a private key was found and nobody had access to it its ...

Page 211: ...of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows an access...

Page 212: ...re not editable but new configurations can be added or existing ones deleted as they become obsolete Static NAT creates a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address transla...

Page 213: ...77 Profile Security Static NAT screen Source tab 10 To map a source IP address from an internal network to a NAT IP address click the Add button The following screen displays Figure 5 78 Profile Security Static NAT screen New Source entry ...

Page 214: ...able from TCP The default setting is Any Source IP Enter the address used at the internal end of the static NAT configuration This address once translated will not be exposed to the outside world when the translation address is used to interact with the remote destination Source Port Use the spinner control to set the local port number used at the internal end of the static NAT configuration The d...

Page 215: ...Security Static NAT screen Destination tab 13 Select Add to create a new NAT destination configuration or Delete to permanently remove a NAT destination Existing NAT destination configurations are not editable Figure 5 80 NAT Destination Add screen ...

Page 216: ...UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadcast delivery not available from TCP The default setting is Any Destination IP Enter the address used at the source en...

Page 217: ...s used to interact with the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overload Type Lists the Overload Type used with the listed IP ACL rule Options include NAT Pool One Global Address...

Page 218: ... is the default setting Interface Use the drop down menu to select the VLAN ID from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Ensure the VLAN selected represents the intended network traffic within the NAT supported configuration VLAN1 is available by default Optionally select the wwan1 radio button if the access point model supp...

Page 219: ...Device Configuration 5 133 21 Select OK to save the changes made to the dynamic NAT configuration Select Reset to revert to the last saved configuration ...

Page 220: ...ernet Internet traffic is routed to the NoC and from there routed to the Internet This increases the access time for the end user on the client To resolve latency issues Bridge NAT identifies and segregates traffic heading towards the NoC and outwards towards the Internet Traffic towards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with ac...

Page 221: ...e Lists the communication medium outgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or wwan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP Lists the add...

Page 222: ...owing deployment guidelines to ensure the profile configuration is optimally effective Ensure the contents of the certificate revocation list are periodically audited to ensure revoked certificates remained quarantined or validated certificates are reinstated NAT alone does not provide a firewall If deploying NAT on a profile add a firewall on the profile to block undesirable traffic from being ro...

Page 223: ...n link layer MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state they m...

Page 224: ...l index from 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical ...

Page 225: ... of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Delete If adding or editing a VRRP configuration the following screen displays Figure 5 88 Profiles VRRP screen 8 If creating a new VRRP configuration assign a Virtual Router ID from 1 255 In addition to functioning as numerical identifier the ID identifies the access p...

Page 226: ...uter is available to preempt a lower priority backup router resource The default setting is enabled When selected the Preempt Delay option becomes enabled to set the actual delay interval for pre emption This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority Preempt Delay If the Preempt option is selected use the spinner contr...

Page 227: ... a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue to monitored on that VLAN Critical resources can be configured for access points and wireless controllers using their respective profiles To define critical resources 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Syste...

Page 228: ... is selected a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource 9 Select Add Row to define the following for critical resource configurations IP Address Provide the IP address of the critical resource This is the address used by the access point to ensure the critical resource is available Up to four addresses can be defined Mode Set the ...

Page 229: ...ress used as the source address in ARP packets used to detect a critical resource on a layer 2 interface Generally the source address 0 0 0 0 is used in the APR packets used to detect critical resources However some devices do not support the above IP address and drop the ARP packets Use this field to provide an IP address specifically used for this purpose The IP address used for Port Limited Mon...

Page 230: ...rary and restrictive access to the access point managed network A captive portal provides secure authenticated access using a standard Web browser Captive portals provides authenticated access by capturing and re directing a wireless user s Web browser session to a captive portal login page where the user must enter valid credentials to access to the wireless network Once logged into the captive p...

Page 231: ...es provided or if the profile should support guest access at all Profile configurations supporting a captive portal should include firewall policies to ensure logical separation is provided between guest and internal networks so internal networks and hosts are not reachable from guest devices DHCP s lack of an authentication mechanism means a DHCP server supported profile cannot check if a client ...

Page 232: ...MP These management access configurations can be applied strategically to profiles as resource permissions dictate Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define a profile s management configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand si...

Page 233: ...n overall pattern that may be negatively impacting performance using the configuration defined for the access point s profile Enable Message Logging Select this option to enable the profile to log system events to a user defined log file or a syslog server Selecting this radio button enables the rest of the parameters required to define the profile s logging configuration This option is disabled b...

Page 234: ... console logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on cr...

Page 235: ...he outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Password for SMTP Server Specify the sender s username password on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Enable Configuration Update Select this option t...

Page 236: ...and running The Service Watchdog is enabled by default 19 Select OK to save the changes made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP s most recent firmware file for that model The only availa...

Page 237: ...emory to save the new password 8 To upgrade firmware using a FTP server use the upgrade command ftp username password 169 254 0 1 AP6532 5 4 0 0 047R img Alternatively a user can upgrade the AP6532 firmware using a TFTP server using the upgrade command tftp 169 254 0 1 AP6532 5 4 0 0 047R img The AP6532 downloads the firmware from FTP TFTP server This process will take a few minutes 9 When finishe...

Page 238: ...hand side of the UI 4 Select Mesh Point The Mesh Point screen displays Figure 5 96 Mesh Point Configuration Mesh Point screen The Mesh Point screen displays a list of configured MeshConnex policies on this device 5 Refer to the following for more information on the Mesh Point screen Mesh Connex Policy Displays the name of the selected Mesh Connex policy Is Root Displays the root status of the mesh...

Page 239: ...nnex Policy To edit an existing policy select it from the drop down and click the Edit icon For more information on creating or editing a Mesh Connex policy see MeshConnex Policy on page 6 87 Is Root From the drop down menu select the root behavior of this access point Select True to indicate this access point is a root node for this mesh network Select False to indicate this access point is not a...

Page 240: ...o is always selected Preferred Neighbor Enter the MAC address of the mesh point device that is the preferred neighbor Preferred Root Enter the MAC address of the mesh point root that is the preferred root Preferred Interface From the drop down menu select the preferred interface for forming a mesh network Minimum Threshold Enter the minimum value for SNR above which a candidate for the next hop in...

Page 241: ... Configure the channel width that mesh point automatic channel scan should assign to the selected radio The available options are Automatic Indicates the channel width is calculated automatically This is the default value 20 MHz Indicates the width between two adjacent channels is 20 MHz 40 MHz Indicates the width between two adjacent channels is 40 MHz Priority Meshpoint Configure the mesh point ...

Page 242: ...n performing an off channel scan Off channel Scan Frequency Configure the time duration in seconds between two consecutive Off Channel Scans Set a duration between 1 60 seconds Meshpoint Root Sample Count Configure the number of scans to be performed for data collection before a mesh channel is selected Set a value between 1 10 scans MeshpointRoot Channel Hold Time Configure the minimum duration t...

Page 243: ...el scan This is the mesh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected SNR Delta Configure the signal to noise ratio delta value for path selection When path selection happens this value is considered for selecting the optimal path A better candidate on a different channel must...

Page 244: ...5 158 WiNG 5 5 Access Point System Reference Guide Figure 5 100 Mesh Point Auto Channel Selection Path Method Root Path Metric screen ...

Page 245: ...sh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected Meshpoint Path Minimum Configure the minimum path metric value for a mesh connection to be established Set a value between 100 20 000 Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automatic...

Page 246: ...uration System Profile Configuration An access point profile s advanced configuration is comprised of defining connected client load balance settings a MINT protocol configuration and miscellaneous settings NAS ID access point LEDs and RF Domain Manager To set an access point profile s advanced configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile fr...

Page 247: ... Select Client Load Balancing from the expanded Advanced menu Figure 5 101 Advanced Profile Configuration Client Load Balancing screen 2 Use the drop down menu to define a SBC strategy Options include Prefer 5GHz Prefer 2 4 GHz and distribute by ratio The default value is Prefer 5GHz 3 Set the following Neighbor Selection Strategies Use probes from common clients Select this option to use probes f...

Page 248: ...l is over utilized This setting is enabled by default Selecting this feature enables parameters within the Channel Load Balancing field for assigning weightage and throughput values Max Band Load Difference Considered Equal Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing 2 4 and 5GHz radio band load balances The default setting is 1 ...

Page 249: ...red Equal Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing access point 2 4GHz radio load balances The default setting is 1 Thus using a default setting of 10 means 10 is considered inconsequential when comparing access point radio load balances exclusively on the 2 4GHz radio band Min Value to Trigger 2 4GHz Channel Balancing Use the...

Page 250: ... than a high client connection count The default setting is 10 Min Value to Trigger Load Balancing Use the spinner control to set the access point radio threshold value from 0 100 used to initiate load balancing across other radios When the radio load exceeds the defined threshold load balancing is initiated The default is 5 Max AP Load Difference Considered Equal Use the spinner control to set a ...

Page 251: ...uthentication A secure network requires users know about certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MINT are such that these...

Page 252: ...erval and adjacency hold time settings used by managed devices to securely communicate amongst one another within the IPSec network Figure 5 103 Advanced Profile Configuration MINT Protocol screen IP tab 10 Select Add to create a new Link IP configuration or Edit to modify an existing MINT configuration Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjus...

Page 253: ...of links one on each end point However that is error prone and does not scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link as a forced link Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set an interval in eit...

Page 254: ...vices use to securely communicate amongst one another Figure 5 105 Advanced Profile Configuration MINT Protocol screen VLAN tab 13 Select Add to create a new VLAN link configuration or Edit to modify an existing configuration IPSec GW Define either an IP address or hostname for the IPSec gateway NOTE If creating a mesh link between two access points in Standalone AP mode you will need to ensure a ...

Page 255: ...ed by peers for interoperation when supporting the MINT protocol Routing Level If adding a new VLAN use the spinner control to define a routing level of either 1 or 2 Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default interval is...

Page 256: ...ADIUS message originates 4 Select the Turn on LEDs radio button to ensure this access point s LED remain continuously illuminated Deployments such as hospitals prefer to keep their wireless devices from having illuminating LEDs as they have been reported to disturb their patients this setting however is enabled by default Select the Flash Pattern radio button to enable the access point to blink in...

Page 257: ...the network 8 Set the Aging Time value for Client Bridge Use the spinner control to set a value in days hours minutes and seconds 9 Select OK to save the changes made to the profile s Advanced Miscellaneous configuration Select Reset to revert to the last saved configuration 5 2 14 Environmental Sensor Configuration System Profile Configuration An AP8132 sensor module is a USB environmental sensor...

Page 258: ... intensity is used to determine whether the access point s deployment location is currently populated with clients Shutdown WLAN Radio at Low Limit of Light Threshold Select this option to power off the AP8132 s radios if the light intensity falls below the set threshold If enabled select All both AP8132 radios radio 1 or radio 2 Low Limit of Light Threshold Set the low threshold limit from 0 1 00...

Page 259: ...d back to the access point s Environment screens within the Statistics node This setting is enabled by default Enable Humidity Sensor Select this option to enable the module s humidity sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is enabled by default Polling Interval for All Sensors Set an interval in either Seconds 1 100 or Mi...

Page 260: ...f designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile while the UI only provides one per access point model Consequently the two interfaces cannot be used collectively to manage profiles without an administrator encounte...

Page 261: ...n to change the selected access point s designation from Standalone to Virtual Controller AP Remember only one Virtual Controller can manage up to 24 access points of the same model Thus an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation 7 Select the Adopt Unknown APs Automatically option...

Page 262: ...t location defined Additionally the number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual Controller AP mode To override a managed device s basic configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides 4 Select a target device MAC address from either the device browser in the lower left hand s...

Page 263: ...e Coordinate Optionally provide the longitude coordinate where the device is located The valid value for this field is in the range 180 0000 degrees to 180 0000 degrees When provided this enables the device to be mapped on the geolocation map Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exceed 64 characters Assigning an...

Page 264: ...by the CA s private key Depending on the public key infrastructure the digital certificate includes the owner s public key the certificate expiration date the owner s name and other public key owner information Each certificate is digitally signed by a trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual A trustpoint represents a CA identity pa...

Page 265: ...to its last saved configuration HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop down menu where an existing certificate trustpoint can be leveraged To leverage an existing device certificate for use with this target device select the Launch Manager button For more information see Manage Certificates on page 5 180 SSH RSA Key Either use the defa...

Page 266: ...elected device an existing stored certificate can be leveraged from a different device Device certificates can be imported and exported to a secure remote location for archive and retrieval as required for application to other devices To configure trustpoints for use with certificates 1 Select Launch Manager from either the HTTPS Trustpoint SSH RSA Key or RADIUS Server Certificate parameters Figur...

Page 267: ...ertificate Details to review the certificate s properties self signed credentials validity period and CA information 3 To optionally import a certificate select the Import button from the Certificate Management screen The Import New Trustpoint screen displays Figure 5 114 Certificate Management Import New Trustpoint screen ...

Page 268: ...t the Trustpoint from a location on the network To do so select From Network and provide the following information Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation List CRL CRLs a...

Page 269: ...te for publication on a Web server or file server for certificate deployment or export it in to an Active Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and do not generate a second key unless y...

Page 270: ...onal keys or import export keys to and from remote locations Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address information to the l...

Page 271: ... the Certificate Management screen Figure 5 116 Certificate Management RSA Keys screen 3 Select a listed device to review its current RSA key configuration Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select the Generate Key but...

Page 272: ...cate select the Import button from the RSA Keys screen Figure 5 118 Certificate Management Import New RSA Key screen 8 Define the following configuration parameters required to import a RSA key Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key from 1 024 2 048 bits Motorola Solutions recommends leaving this value at the...

Page 273: ...ries of asterisks URL Provide the complete URL to the location of the RSA key Protocol If selecting Advanced select the protocol used for importing the target key Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 usb2 usb3 and usb4 IP Address If selecting Advanced enter IP addr...

Page 274: ...ccess point and the server Select the Show option to expose the actual characters used in the passphrase Leaving the Show option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key Protocol If selecting Advanced select the protocol used for exporting the RSA key Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port ...

Page 275: ...ate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create Certificate from the upper left hand side of the Certificate Management screen IP Address If selecting Advanced en...

Page 276: ...lect the existing key used by both the device and the server or repository of the target RSA key Create New Select this option to create a new RSA key Provide a 32 character name to identify the RSA key Use the spinner control to set the size of the key from 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting 1024 to ensure optimum functionality For more inform...

Page 277: ... is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create CSR from the upper left hand side of the Certificate Management screen State ST Enter a State for the state or province name...

Page 278: ...4 Use Existing Select this option to use an existing RSA key Use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certif...

Page 279: ...or example an AP6532 RF Domain override can only be applied to another AP6532 model access point To define a device s RF Domain override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select RF Domain Overrides Organizational U...

Page 280: ...eployment location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the access point s configuration and wireless network Time Zone Use the drop down menu to select the geographic time zone supporting its deployment location Country Code Use the drop down menu to select the ...

Page 281: ... Figure 5 123 Profile Wired 802 1X screen 6 Set the following Wired 802 1x Settings 7 Select OK to save the changes to the 802 1x override configuration Select Reset to revert to the last saved configuration Dot1x Authentication Control Select this option to globally enable 802 1x authentication for the access point This setting is disabled by default Dot1x AAA Policy Use the drop down menu to sel...

Page 282: ...device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particular site Use device overrides to define configurations overriding the parameters set by the target device s original profile configuration To define a general profile override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configura...

Page 283: ...guration Radio Power Overrides Adoption Overrides Profile Interface Override Configuration Overriding the Network Configuration WAN Backhaul Overrides Overriding a Security Configuration Overriding a Services Configuration Overriding a Management Configuration Overriding an Advanced Configuration Overriding Mesh Point Configuration Overriding Environmental Sensor Configuration AutoKey Select this ...

Page 284: ... resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or ...

Page 285: ...er Mode and the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is pr...

Page 286: ...sioned At adoption an access point solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an existing parameter 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser i...

Page 287: ...nd unavailable to provide services Set a value from 2 600 seconds 10 Use the spinner control to set the Controller VLAN This is the VLAN the Virtual Controller is reachable on Select from 1 4094 There is no default value for this setting 11 Use the Add Row button to populate the Controller Hostnames table with the following host pool and routing parameters for defining the preferred adoption resou...

Page 288: ...ect to enable secure communication between the access point and the wireless controllers IPSec GW Use the drop down menu to specify if the IPSec Gateway resource is defined as a non DNS IP address or a hostname Once defined provide the numerical IP or hostname A hostname cannot exceed 64 characters Force Select to enable the link to the adopting controller or the controller group to be created eve...

Page 289: ...to change modify parameters of an access point s Ethernet Port configuration The following ports are available on supported access point models AP6511 fe1 fe2 fe3 fe4 up1 AP6521 GE1 POE LAN AP6522 AP6522M GE1 POE LAN AP6532 GE1 POE LAN AP6562 GE1 POE LAN AP7131 GE1 POE LAN GE2 WAN AP7161 GE1 POE LAN GE2 WAN AP7181 GE1 POE LAN GE2 WAN AP8132 AP8232 GE1 POE LAN GE2 WAN To define an Ethernet port con...

Page 290: ... the port are expected as untagged and mapped to the native VLAN If set to Trunk the port allows packets from a list of VLANs added to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged fra...

Page 291: ...led radio button to define this port as active to the profile it supports Select the Disabled radio button to disable this physical port in the profile It can be activated at any future time when needed Speed Set the speed at which the port can receive and transmit the data Select either 10 Mbps 100 Mbps 1000 Mbps Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate...

Page 292: ...ghbors Mode Select either the Access or Trunk radio button to set the VLAN switching mode over the port If Access is selected the port accepts packets only form the native VLANs Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port allows packets from a list of...

Page 293: ...nus to select the firewall rules to apply to this profile s Ethernet port configuration The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances 16 If a firewall rule does not exist suiting the data protection needs of the target port configuration select the Create icon to define a new rule configuration For more information...

Page 294: ...ge traffic from any host to this port Guest VLAN Set the Guest VLAN on which traffic is bridged from a wired port when the selected port is considered unauthorized Port Control Set how the port bridges traffic Select one of the following options Automatic The port is set to the state as received from the authentication server force authorized Any traffic on the port is considered authenticated and...

Page 295: ...e STP calculation happens Multiple Spanning Tree Protocol MSTP provides an extension to RSTP to optimize the usefulness of VLANs MSTOP allows for a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree topology If there is just one VLAN in the access point managed network a single spanning tree works fine However if the network ...

Page 296: ...ble this feature Select None to disable 26 Select the Enable Port Fast option to enable or disable PortFast PortFast enables reducing the time taken for a port to complete the MSTP state changes from Blocked to Forward PortFast must only be enabled on ports on the wireless controller which are directly connected to a Server Workstation and not to another hub or controller PortFast can be left unco...

Page 297: ...tions 6 Select Virtual Interfaces Figure 5 131 Device Overrides Virtual Interfaces screen 7 Review the following parameters unique to each Virtual Interface configuration to determine whether a parameter override is warranted NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove a device s override go to the Basic Configuration screen s ...

Page 298: ...ic Configuration screen displays by default regardless of a whether a new Virtual Interface is being created or an existing one is being modified 10 If creating a new Virtual Interface use the spinner control to define a numeric ID from 1 4094 Admin Status A green check mark defines the listed Virtual Interface configuration as active and enabled with its supported profile A red X defines the Virt...

Page 299: ...uration or Zero Config is a wireless connection utility included with Microsoft Windows XP and later as a service that dynamically selects a network to connect based on a user s preference and various default settings Zero config can be used instead of a wireless network utility from the manufacturer of a computer s wireless networking device The access point can use Zero Config for IP assignments...

Page 300: ...sting configuration For more information see Wireless Firewall on page 8 2 Figure 5 133 Device Overrides Virtual Interfaces Security screen 16 Use the IP Inbound Firewall Rules drop down menu to select the firewall rule configuration to apply to this Virtual Interface 17 Use the VPN Crypto Map drop down menu to define the cryptography map to use with this virtual interface The VPN Crypto Map entry...

Page 301: ...tes to the network by maintaining a complete topology table of the network and sends the updates to the other routers in the network using multicast Setting a high value increases the chance of this interface becoming a DR Setting this value to Zero 0 prevents this interface from being elected a DR Cost Select this option to enable or disable OSPF cost settings Use the spinner to configure a cost ...

Page 302: ...m the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Expand the Interface menu and select Port Channels The following screen displays Figure 5 135 Device Overrides Port Channels screen 6 Refer to the following to review existing port channel configurations and their current status Key ID Set the unique MD5 Authen...

Page 303: ...channel s intended function Admin Status Select the Enabled radio button to define this port channel as active to the profile it supports Select the Disabled radio button to disable this port channel configuration within the profile It can be activated at any future time when needed The default setting is disabled Speed Select the speed at which the port channel can receive and transmit the data S...

Page 304: ...to Trunk the port channel allows packets from a list of VLANs you add to the trunk A port channel configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default setting Native VLAN Use the spinner control to define a numerical ID from 1 4094 The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no ...

Page 305: ...xisting firewall rule configuration For more information see Wireless Firewall on page 8 2 14 Refer to the Trust field to define the following Trust ARP Responses Select this option to enable ARP trust on this port channel ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the managed network The default value is dis...

Page 306: ...orts on the wireless controller directly connected to a server workstation and not another hub or controller PortFast can be left unconfigured on an access point Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is disabled by default Enable PortFast BPDU Filter Select Enable to invoke a BPDU filter for this Po...

Page 307: ...lecting Shared means this port should be treated as having a shared connection A port connected to a hub is on a shared link while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard M...

Page 308: ...oyment objective To define a radio configuration override for an access point 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target access point from the device browser in the lower left hand side of the UI 5 Select Interface to expand its sub menu options 6 Select Radios Figure 5 139 Device Overrides Access Point Rad...

Page 309: ...was added or modified Admin Status Defines the radio as either enabled or disabled for client or sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be listed as a sensor to define the radio as not providing typical WLAN support If the radio is a client bridge it will be listed as a client brid...

Page 310: ...pecify an existing QoS policy to apply to the access point radio in respect to its intended radio traffic If there s no existing QoS policy suiting the radio s intended operation select the Create icon Association ACL Use the drop down menu to specify an existing Association ACL policy to apply to the radio An Association ACL is a policy based Access Control List ACL that either prevents or allows...

Page 311: ...nutes When selected the radio can return back to its original channel of operation once the thirty minute period is over When not selected the radio cannot return back to its original channel of operation ever after the mandatory thirty minute evacuation period is over Transmit Power Set the transmit power of the selected access point radio If using a dual or a three radio model AP7131 each radio ...

Page 312: ...A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates For more information on 802 11n MCS rates see MCS Data Rates on page 5 49 Radio Placement Use the drop down menu to specify whether the radio...

Page 313: ...point radios RTS is a transmitting station s signal that requests a Clear To Send CTS response from a receiving client This RTS CTS procedure clears the air where clients are contending for transmission time Benefits include fewer data collisions and better communication with nodes that are hard to find or hidden because of other active nodes in the transmission path Control RTS CTS by setting an ...

Page 314: ... to save the changes and overrides to the WLAN Mapping Select Reset to revert to the last saved configuration 16 Select the Legacy Mesh tab Guard Interval Use the drop down menu to specify a Long or Any guard interval The guard interval is the space between symbols characters being transmitted The guard interval eliminates inter symbol interference ISI ISI occurs when echoes or reflections from on...

Page 315: ...o save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and connect through them Portal operation begins beaconing immediately and accepts connections from other mesh supported nodes In genera...

Page 316: ... Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Frame Size Limit If a suppo...

Page 317: ... is a specialized network interface card that allows a network device to connect transmit and receive data over a Cellular Wide Area Network Certain AP7131N model access points have a PCI Express card slot that supports 3G WWAN cards The WWAN card uses Point to Point Protocol PPP to connect to the Internet Service Provider ISP and gain access to the Internet PPP is the protocol used for establishi...

Page 318: ...xpand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Interface to expand its submenu items 5 Select WAN Backhaul Figure 5 144 Device Overrides WAN Backhaul screen 6 Refer to the WAN 3G Backhaul configuration to specify WAN card settings NOTE A blue override icon to the left of a parameter defines the parameter as having an o...

Page 319: ...ion methods as specified by the PPPoE protocol PPPoE enables WiNG supported controllers and access points to establish a point to point connection to an ISP over existing Ethernet interface To provide this point to point connection each PPPoE session learns the Ethernet address of a remote PPPoE client and establishes a session PPPoE uses both a discover and session phase to identify a client and ...

Page 320: ...orms a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID In discovery the PPPoE client discovers a server to host the PPPoE connection To create a PPPoE point to point configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device b...

Page 321: ...PPoE protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the nu...

Page 322: ...ion by the PPPoE client Select Show to display the actual characters comprising the password Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmissio...

Page 323: ...erriding a Miscellaneous Network Configuration Overriding Alias Configuration 5 4 5 4 1 Overriding the DNS Configuration Overriding the Network Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP addresses If one DNS server doesn t know how to translate a parti...

Page 324: ...n Address Resolution Protocol ARP is a protocol for mapping an IP address to a hardware MAC address ARP provides protocol rules for making this correlation and providing address conversion in both directions This ARP assignment can be overridden NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configurati...

Page 325: ...dress that replied To define an ARP supported configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select ARP Figure 5 147 Device Overrides Network ARP screen 6 Set or override...

Page 326: ...ssion originator and responder need to know the psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is reflected by the state of the L2TP V3 session If a L2TP V3 session is do...

Page 327: ...64 character maximum hostname to specify the name of the host that sent tunnel messages Tunnel establishment involves exchanging 3 message types SCCRQ SCCRP and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages AVP messages assist in the ...

Page 328: ...e tunnel specific hostname used by each listed tunnel This is the hostname advertised in tunnel establishment messages Local Router ID Specifies the router ID sent in the tunnel establishment messages Establishment Criteria Specifies the criteria that should be met for a tunnel between two peers to be created and maintained Critical Resource Specifies the critical resource that should exist for a ...

Page 329: ...ce IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests MTU Set the maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the laye...

Page 330: ... used by this tunnel This is the hostname advertised in tunnel establishment messages Local Router ID Specify the router ID sent in tunnel establishment messages with a potential peer device Establishment Criteria Specify the establishment criteria for creating a tunnel The tunnel is only created if this device is one of the following vrrp master cluster master rf domain manager The tunnel is alwa...

Page 331: ...address for tunnel establishment Host Name Assign the peer a hostname that can be used as matching criteria in the tunnel establishment process Router ID Specify the router ID sent in tunnel establishment messages with this specific peer Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmission model without implicit handshake...

Page 332: ...P address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in a session establishment message to the L2TP peer MTU Displays each sessions...

Page 333: ...ding to incoming tunnel create requests it would use the IP address on which it had received the tunnel create request IP Set the IP address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message to the L2TP peer M...

Page 334: ...onfiguration tab from the Web UI 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select IGMP Snooping Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmissi...

Page 335: ...r role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports IGMP multicast packet are not flooded on the wired port IGMP membership is also learnt on it and only if present then forwarded on that port An AP71xx model access point can also be an IGM...

Page 336: ...t models To define an QoS configuration for DSCP mappings 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select Quality of Service Maximum Response Time Specify the maximum time from 1...

Page 337: ...e Spanning Tree Protocol MSTP provides an extension to RSTP to optimize the usefulness o f VLANs MSTOP allows for a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree topology DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification 802 1p Priority Assign a 802 1p priority...

Page 338: ...n for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigned to these VLANs operate in this spanning tree instance whenever they are ...

Page 339: ...etting is 20 MST Config Name Define a 64 character maximum name for the MST region as an identifier MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the Enable or Disable radio buttons to enable disable interoperability with Cisco s version of MSTP which is incompatible wit...

Page 340: ...tached to a port it does not immediately start to forward data It first processes BPDUs and determines the network topology When a host is attached the port always goes into the forwarding state after a delay of while it goes through the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinne...

Page 341: ...xisting policy after selecting it in the drop down list For more information on policy based routing see Policy Based Routing PBR on page 7 2 8 Select Add Row as needed to include single rows with in the static IPv4 route table 9 Add IP addresses and network masks in the Network column 10 Provide the Gateway used to route traffic 11 Refer to the Default Route Priority field and set the following p...

Page 342: ... autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes that is The only way for traffic to get routed outside of the area is A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer routing decisions are needed lower...

Page 343: ... an IP address it does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passiv...

Page 344: ...me area Areas limit LSAs and encourage aggregate routes VRRP Mode Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF rese...

Page 345: ...o create a new OSPF configuration Edit to modify an existing configuration or Delete to remove a configuration Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 346: ...tion Type Select either None simple password or message digest as credential validation scheme used with the OSPF dynamic route The default setting is None Type Set the OSPF area type as either stub totally stub nssa totally nssa or non stub Default Cost Select this option to set the default summary cost advertised if creating a stub Set a value from 1 16 777 215 Translate Type Define how messages...

Page 347: ...erface configuration Type Displays the type of interface Description Lists each interface s 32 character maximum description Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route s virtual interface connection VLAN Lists the VLAN IDs set for each listed OSPF route virtual interface IP Address Displays the IP addresses defined as virtual interfaces f...

Page 348: ...ter s wireless networking device The drivers for the wireless adapter query the NDIS Object IDs and pass the available network names SSIDs to the service The service then lists them in the user interface on the Wireless Networks tab in the connection s Properties or in the Wireless Network Connection dialog box accessible from the notification area A checked build version of the WZC service can be...

Page 349: ...itional wired firewall appliances Select the Create icon to define a new set of IP firewall rules that can be applied to the OSPF route configuration Selecting Edit allows for the modification of an existing IP firewall rules configuration For more information see Wireless Firewall on page 8 2 33 Select the VPN Crypto Map to use with this VLAN configuration Use the drop down menu to apply an exist...

Page 350: ...rk and sends the updates to the other routers in the network using multicast Setting a high value increases the chance of this interface becoming a DR Setting this value to Zero 0 prevents this interface from being elected a DR Cost Select to enable or disable OSPF cost settings Use the spinner to configure a cost value in the range 1 65535 Use this option to set the OSPF cost of this interface OS...

Page 351: ... its forwarding database with known MAC addresses and their locations on the network This information is then used to decide to filter or forward the packet This forwarding database assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar device models To define or override a forwarding database configuration 1 Selec...

Page 352: ...work it forwards the packet to the segment If the destination MAC is on the same network segment the packet is dropped filtered 10 Define or override the target VLAN ID if the destination MAC is on a different network segment 11 Provide an Interface Name used as the target destination interface for the target MAC address 12 Select OK to save the changes and overrides Select Reset to revert to the ...

Page 353: ... 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select Bridge VLAN Figure 5 166 Device Overrides Network Bridge VLAN screen 6 Review the following VLAN configuration parameters to determine whether an override is warranted NOTE A blue override icon to the left of a parameter defines the parameter as having an...

Page 354: ...d with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as edge VLAN the firewall enforces additional checks on hosts in that VLAN For example a host cannot move from an edge VLAN to another VLAN and still keep firewall flows active Trust ARP Response When ARP trust is ena...

Page 355: ...ded VLAN traffic over level 2 links 14 Set or override the following Layer 2 Firewall parameters Bridging Mode Specify one of the following bridging mode for use on the VLAN Automatic Select Automatic mode to let the controller determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel to use a shared tunnel for...

Page 356: ...ectivity This feature is enabled by default Enable IGMP Snooping Select this option to enable IGMP snooping If disabled snooping on this bridge VLAN is disabled This feature is enabled by default If disabled the settings under bridge configuration are overridden Forward Unknown Multicast Packets Select this option to enable the access point to forward multicast packets from unregistered multicast ...

Page 357: ...ive It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present The controller can perform the IGMP querier role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports I...

Page 358: ... It allows a device to learn higher layer management and connection endpoint information from adjacent devices Using LLDP an access point is able to advertise its own identification capabilities and media specific configuration information and learn the same information from connected peer devices LLDP information is sent in an Ethernet frame at a fixed interval Each frame contains one Link Layer ...

Page 359: ...e profile When numerous DHCP leases are assigned an administrator can better track the leases when hostnames are used instead of devices Enable LLDP Select this option to enable LLDP on the access point LLDP is enabled by default When enabled an access point advertises its identity capabilities and configuration information to connected peers and learns the same from them Hold Time Use the spinner...

Page 360: ...equest option to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 7 Select the DHCP Persistent Lease option to retain the last DHCP lease used across a reboot if the access point s designated DHCP server is unavailable This feature is enabled by default 8 Select the OK button to save the changes and overrides Select Reset to revert to the last saved con...

Page 361: ...hese aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override alias values defined in a global alias profiles...

Page 362: ...deployments For example if a named VLAN is defined as 10 for the central network and the VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote d...

Page 363: ...tion An address range alias can be used to replace an IP address range in IP firewall rules 9 Select Add Row to define Network Alias settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overr...

Page 364: ...form 192 168 10 0 24 or IP address range in the form 192 168 10 10 192 168 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias A maximum of ...

Page 365: ...create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a blank column i...

Page 366: ...te the network group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasi...

Page 367: ...ork service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand it and display its sub menu...

Page 368: ...uration can have an override applied as needed to meet the changing data protection requirements of a NOTE The Network Service Alias Name always starts with a dollar sign Protocol Specify the protocol for which the alias has to be created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is sele...

Page 369: ...use the inbuilt wizards to override the VPN parameters The user interface provides two 2 wizards that provide different levels of configuration The following screen displays Figure 5 177 Security Configuration Wizard screen The following options are available Quick Setup Wizard Use this wizard to setup basic VPN Tunnel on the device This wizard is aimed at novice users and enables them to setup a ...

Page 370: ...ned for most of the parameters Figure 5 178 VPN Quick Setup Wizard 1 Provide the following information to configure a VPN tunnel Tunnel Name Provide a name for the tunnel Tunnel name must be such that it easily identifies the tunnel uniquely Tunnel Type Configure the tunnel type as one of the following Site to Site Provides a secured connection between two sites Remote Access Provides access to a ...

Page 371: ...el Source Provide the source network along with its mask Destination Provide the destination network along with its mask Peer Configures the peer for this tunnel The peer device can be specified either by its hostname or by its IP address Authentication Configure the authentication used to identify peers The following can be configured Certificate Use a certificate to authenticate Pre Shared Key U...

Page 372: ...tunnel between two remote sites as indicated in the image Remote Access is used to create a tunnel between an user device and a network as indicated in the image Interface Select the interface to use Interface can be a Virtual LAN VLAN or WWAN or PPPoE depending on the interfaces available on the device Traffic Selector ACL This field creates the Access Control List ACL that is used to control who...

Page 373: ...dentity Configure the local identity for the VPN Tunnel IP Address The local identity is an IP address FQDN The local identity is a Fully Qualified Domain Name FQDN Email The local identity is an E mail address Remote Identity Configure the remote identity for the VPN Tunnel IP Address The remote identity is an IP address FQDN The remote identity is a Fully Qualified Domain Name FQDN Email The rem...

Page 374: ...cryption The encryption to use for creating the tunnel Authentication The authentication used to identify tunnel peers Mode The mode of the tunnel This is how the tunnel will operate From the drop down select any pre configured Transform Set or click the Create New Policy to create a new transform set Encryption This field is enabled when Create New Policy is selected in Transform Set field This i...

Page 375: ...ireless controller with minimum configuration pushed through DHCP option settings 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options Mode This field is enabled when Create New Policy is selected in Transform Set field The mode indicates how packets are transported through the tunnel Tunnel Use this mode when the tunnel is b...

Page 376: ...curity configuration overridden from that applied in the profile To define a profile s security settings and overrides 1 Select Devices from the Configuration tab Group ID Configure the ID string used for IKE authentication String length can be between 1 64 characters Authentication Type Set the IPSec Authentication Type Options include PSK Pre Shared Key or rsa Authentication Key Set the common k...

Page 377: ...ride applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Firewall Policy Select the firewall policy used by devices with this profile Use the icons next to this field to create or add new firewall policies Wireless Client Role Policy Select the Wireless Client Role Policy used by devic...

Page 378: ...and side of the UI 4 Select Security to expand its sub menu options 5 Select Certificate Revocation Figure 5 185 Device Overrides Certificate Revocation screen 6 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If fo...

Page 379: ...routing device for the purpose of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT provides outbound Internet access to wired and wireless hosts Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows the access point to ...

Page 380: ...cies created thus far Any of these policies can be selected and applied to a profile 7 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or override the attributes of a existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile Figure 5 187 Device Overrides Security NAT Pool screen ...

Page 381: ...tion to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Figure 5 188 Device Overrides Static NAT screen To map a source IP address from an internal network t...

Page 382: ...on guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadcast delivery not available from TCP The default setting is Any Source IP Enter the address used at the internal end of the static NAT configuration This address o...

Page 383: ...nter the port number of the matching packet to the specified value This option is valid only if the direction specified is destination Network Select Inside or Outside NAT as the network direction The default setting is Inside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter int...

Page 384: ...onnection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or ...

Page 385: ...t setting Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual a...

Page 386: ...g NAT pool used with the dynamic NAT configuration Overload IP If One Global IP Address is selected as the Overload Type define an IP address used as a filter address for the IP ACL rule ACL Precedence Lists the administrator assigned priority set for the listed source list ACL The lower the value listed the higher the priority assigned to this ACL rule Source List ACL Use the drop down menu to se...

Page 387: ...wards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with access to the Internet To define a Bridge NAT configuration that can be applied to a profile 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides from the options on left hand side of the UI 4 Expand the Security menu and select Bridge NAT Interfac...

Page 388: ...the communication medium outgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or w wan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP Lists the address us...

Page 389: ... to configure IP addresses and address ranges that can used to access the Internet 10 Select Add Row to set the IP address range settings for the Bridge NAT configuration Interface Lists the outgoing layer 3 interface on which traffic is re directed The interface can be an access point WWAN or PPPoE interface Traffic can also be redirected to a designated VLAN NAT Pool Displays the NAT pool used b...

Page 390: ... System Reference Guide Figure 5 196 Profile Security Source Dynamic NAT screen Add Row field 11 Select OK to save the changes made within the Add Row and Dynamic NAT screens Select Reset to revert to the last saved configuration ...

Page 391: ... MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state they monitor the m...

Page 392: ...nitially defined This ID identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual router ID Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway addre...

Page 393: ...tion on the VRRP protocol specifications available publicly refer to http www ietf org rfc rfc3768 txt version 2 and http www ietf org rfc rfc5798 txt version 3 7 From within the VRRP tab select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Dele...

Page 394: ...ine the following VRRP General parameters Description In addition to an ID assignment a virtual router configuration can be assigned a textual description up to 64 characters to further distinguish it from others with a similar configuration Priority Use the spinner control to set a VRRP priority setting from 1 254 The access point uses the defined setting as criteria in selection of a virtual rou...

Page 395: ...ty Preempt Delay If the Preempt option is selected use the spinner control to set the delay interval in seconds for preemption Interface Select this value to enable disable VRRP operation and define the AP7131 VLAN 1 4 094 interface where VRRP will be running These are the interfaces monitored to detect a link failure Sync Group Select this option to assign a VRRP sync group to this VRRP ID s grou...

Page 396: ...scovered For example a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue to monitored on that VLAN Critical resources can be configured for access points and wireless controllers using their respective profiles To define critical resources 1 Select the Configuration tab from the Web UI 2 Select De...

Page 397: ... selected a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource 9 Select Add Row to define the following for critical resource configurations IP Address Provide the IP address of the critical resource This is the address used by the access point to ensure the critical resource is available Up to four addresses can be defined Mode Set the pin...

Page 398: ...eld Sets the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface Generally the source address 0 0 0 0 is used in the APR packets used to detect critical resources However some devices do not support the above IP address and drop the ARP packets Use this field to provide an IP address specifically used for this purpose The IP address used f...

Page 399: ... for use with this profile A captive portal is guest access policy for providing temporary and restrictive access to the network The primary means of securing such guest access is a captive portal A captive portal configuration provides secure authenticated access using a standard Web browser A captive portal provides authenticated access by capturing and re directing a user s Web browser session ...

Page 400: ...es as resource permissions dictate for the profile Additionally overrides can be applied to customize a device s management configuration if deployment requirements change and a devices configuration must be modified from its original device profile configuration Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define or overr...

Page 401: ... logging configuration This option is disabled by default Remote Logging Host Use this table to define numerical non DNS IP addresses for up to three external resources where logged system events can be sent on behalf of the profile Select Clear as needed to remove an IP address Facility to Send Log Messages Use the drop down menu to specify the local server facility if used for the profile event ...

Page 402: ...4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Time to Aggregate Repeated Mess...

Page 403: ...uration Update Select this option to enable automatic configuration file updates for the controller profile from a location external to the access point If enabled the setting is disabled by default provide a complete path to the target configuration file used in the update Enable Firmware Update Select this option to enable automatic firmware updates from a user defined remote location This value...

Page 404: ...e able to communicate with other nodes in the network and where the node can maintain more than one path to its peers Mesh network provides robust reliable and redundant connectivity to all the members of the network When one of the participant node in a mesh network becomes unavailable the other nodes in the network are still able to communicate with each other either directly or through intermed...

Page 405: ...tion 5 319 Figure 5 207 Device Overrides Mesh Point screen 5 Select Add to create a new mesh point configuration or Edit to override an existing one Select Delete to delete a mesh point configuration after selecting it ...

Page 406: ...7 Is Root From the drop down menu select the root behavior of this access point Select True to indicate this access point is a root node for this mesh network Select False to indicate this access point is not a root node for this mesh network A Root Mesh Point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Root Selection Method Use the drop dow...

Page 407: ...rk is considered This field along with Signal Strength Delta and Sustained Time Period are used to dynamically select the next hop in a dynamic mesh network Signal Strength Delta Enter a delta value in dB A candidate for selection as a next hop in a dynamic mesh network must have a SNR higher than the value configured here This field along with the Minimum Threshold and Sustained Time Period are u...

Page 408: ...Hz frequencies Refer to the following for more information on the Auto Channel Selection Dynamic Root Selection screen These descriptions are common for configuring the 2 4 GHZ and 5 0 4 9 GHz frequencies Channel Width Configure the channel width that mesh point automatic channel scan should assign to the selected radio The available options are Automatic Indicates the channel width is calculated ...

Page 409: ... range of 20 250 milliseconds for the Off Channel Duration field This is the duration that the scan dwells on each channel when performing an off channel scan Off Channel Scan Frequency Configure the time duration in seconds between two consecutive Off Channel Scans Set a duration between 1 60 seconds Meshpoint Root Sample Count Configure the number of scans to be performed for data collection bef...

Page 410: ...matic channel scan This is the mesh point that given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected SNR Delta Configure the signal to noise ratio delta value for path selection When path selection occurs this set value is considered for selecting the optimal path A better candidate on a dif...

Page 411: ...Device Configuration 5 325 Figure 5 211 Mesh Point Auto Channel Selection Path Method Root Path Metric screen ...

Page 412: ... given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected Meshpoint Path Minimum Configure the minimum path metric value for a mesh connection Set a value between 100 20 000 Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automatic channel selection for mes...

Page 413: ...erride Configuration Disable Dynamic Chain Selection radio setting The default value is enabled This setting is disabled from the Command Line Interface CLI using the dynamic chain selection command or in the UI refer Radio Override Configuration Disable A MPDU Aggregation if the intended vehicular speed is greater than 30 mph For more information see Radio Override Configuration ...

Page 414: ...t certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MiNT are such that these scenarios continue to function as expected with minima...

Page 415: ... override it Using probes from common clients Select this option to enable neighbor selection using probe requests from common clients between the neighbor device and this device Using notifications from roamed clients Select this option to enable neighbor selection using notifications from clients roamed from other devices Using smart rf neighbor detection Select this option to enable neighbor se...

Page 416: ...s secondary to maintaining client association The default setting is 90 Weightage given to Throughput Use the spinner control to assign a weight between 0 100 the access point uses to prioritize 2 4 and 5 GHz radio throughput in the overall access point load calculation Assign this value higher if throughput and radio performance are considered mission critical within the access point managed netw...

Page 417: ...nsidered Equal Use the spinner control to set a value between 0 100 considered an adequate discrepancy when comparing 2 4 and 5GHz radio band load balances on this access point The default setting is 10 Thus using a default setting of 1 means 1 is considered inconsequential when comparing 2 4 and 5 GHz load balances on this access point Band Ratio 2 4GHz Use the spinner control to set a loading ra...

Page 418: ...from 0 60 seconds The default setting has the option disabled Max confirmed Neighbors Use the spinner to set the maximum number of learned neighbors stored at this device Minimum signal strength for smart rf neighbors Use the spinner to set the minimum signal strength of neighbor devices that are learnt through Smart RF before being recognized as neighbors Level 1 Area ID Select this option to ena...

Page 419: ...en IP tab The IP tab displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another 24 Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration MLCP IP Select this option to enable MINT Link Creation Protocol MLCP by IP Address MI...

Page 420: ...matching pair of links one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Port To specify a custom port for MiNT links select this option and use the spinner control to define or override the port number from 1 65 535 Forced Link Select this option to specify the MiNT link...

Page 421: ...it to override an existing MINT configuration Adjacency Hold Time Set or override a hold time interval in either Seconds 2 600 or Minutes 1 10 for the transmission of hello packets The default interval is 46 seconds IPSec Secure Select this option to use a secure link for IPSec traffic This setting is disabled by default When enabled both the header and the traffic payload are encrypted IPSec GW D...

Page 422: ... 094 used by peer controllers for interoperation when supporting the MINT protocol Routing Level Use the spinner control to define or override a routing level of either 1 or 2 Link Cost Use the spinner control to define or override a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set or override an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hell...

Page 423: ...lete 35 Use the drop down menu to configure the access point s Meshpoint Behavior This field configures the access point s mobility behavior The default is External fixed and indicates that the mesh point is fixed The value vehicle mounted indicates that the mesh point is mobile This feature is only available on an AP7161 model access point 36 Use the Root Path Monitor Interval to configure the in...

Page 424: ...nsor screen displays Figure 5 219 Profile Environmental Sensor screen 5 Override or set the following Light Sensor settings for the AP8132 s sensor module NOTE This feature is available on the AP8132 model only Enable Light Sensor Select this option to enable the light sensor on the module This setting is enabled by default Polling Time to Determine if Light is On Off Define an interval in Seconds...

Page 425: ...le Temperature Sensor Select this option to enable the module s temperature sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is enabled by default Enable Motion Sensor Select this option to enable the module s motion sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is...

Page 426: ...olicies can have their event notification configurations modified as device profile requirements warrant To define an access point event policy 1 Select Devices from the Configuration menu 2 Select Event Policy Figure 5 220 Event Policy screen 3 Ensure the Activate Event Policy option is selected to enable the screen for configuration This option needs to remain selected to apply the event policy ...

Page 427: ...ccess control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit periodic beacons for each BSS A beacon advertises the SSID security requirements supported data rates of the wireless network to enable clients to locate and connect to the WLAN WLANs are mapped to radios on each acc...

Page 428: ...6 2 WiNG 5 5 Access Point System Reference Guide Figure 6 1 Configuration Wireless menu ...

Page 429: ...button to update the SSID designation Description Displays the brief description assigned to each listed WLAN when it was either created or modified WLAN Status Lists each WLAN s status as either Active or Shutdown A green check mark defines the WLAN as available to clients on all radios where it has been mapped A red X defines the WLAN as shutdown meaning even if the WLAN is mapped to radios it s...

Page 430: ...fer to the Encryption Type column to verify if there is some sort of data protection used with the WLAN or risk using this WLAN with no protection at all Encryption Type Displays the name of the encryption scheme used by each listed WLAN to secure client membership transmissions None is listed if encryption is not used within this WLAN In case of no encryption refer to the Authentication Type colu...

Page 431: ...LAN s properties WLANs can also be removed as they become obsolete by selecting Delete Figure 6 3 WLAN Basic Configuration screen 5 Refer to the WLAN Configuration field to define the following WLAN If adding a new WLAN enter its name in the space provided Spaces between words are not permitted The name could be a logical representation of the WLAN coverage area engineering marketing etc If editin...

Page 432: ...WLAN inactive meaning even if the WLAN is mapped to radios it is not available for clients to associate QoS Policy Use the drop down menu to assign an existing QoS policy to the WLAN If needed select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of a selected QoS Policy QoS helps ensure each WLAN receives a fair share of the overall bandwidth either...

Page 433: ...ions Basic WLAN Configuration Before defining a WLAN s basic configuration refer to the following deployment guidelines to ensure the configuration is optimally effective Deploy separate VLAN for providing secure WLAN access Define separate VLAN for each WLAN providing guest access ...

Page 434: ...sted users or devices access an access point managed WLAN Authentication is enabled per WLAN to verify the identity of both users and devices Authentication is a challenge and response procedure for validating user credentials such as user name password and secret key information A client must authenticate to an access point to receive resources from the network 802 1x EAP 802 1x EAP PSK MAC and P...

Page 435: ...alone scheme for securing a WLAN WEP is typically used with WLAN deployments supporting legacy clients New deployments should use either WPA or WPA2 encryption Encryption applies a specific algorithm to alter its appearance and prevent unauthorized hacking Decryption applies the algorithm in reverse to restore the data to its original form A sender and receiver must employ the same encryption decr...

Page 436: ...ect the Edit icon to modify the selected AAA policy s configuration Authentication authorization and accounting AAA is a framework for intelligently controlling access to the network enforcing user authorization policies and auditing and tracking usage These combined processes are central for securing wireless client resources and wireless network data flows For information on defining a new AAA p...

Page 437: ...dio buttons for the Open WEP 64 WEP 128 WPA WPA2 TKIP WPA2 CCMP and Keyguard encryption options as additional measures for the WLAN 7 Either select an existing AAA Policy from the drop down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created A default AAA policy is also available if configuring a WLAN for the first time ...

Page 438: ...security screen Select the Captive Portal Enable option if authenticated guess access is required with the selected WLAN This feature is disabled by default 7 Select the Captive Portal if Primary Authentication Fails option to enable the captive portal policy if the primary authentication is unavailable 8 Select the Captive Portal Policy to use with the WLAN from the drop down menu If no relevant ...

Page 439: ...ain speeding the logon The MAC Registration feature must be enabled for each captive portal WLAN To enable MAC Registration 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify its properties 5 Select Security 6 Refe...

Page 440: ...802 11i WPA provides more sophisticated data encryption than WEP WPA is designed for corporate networks and small business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person The encryption method is Temporal Key Integrity Protocol TKIP TKIP addresses WEP s weaknesses with a re keying mechanism a per packet mixing function a message integr...

Page 441: ... as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the administrator from entering the 256 bit key each time keys are generated Unicast Rotation Interval Define an interval for unicast key transmission interval from 30 86 400 seconds Some clien...

Page 442: ...ster re association Pairwise Master Key PMK Caching Pairwise Master Key PMK Caching is a technique for sidestepping the need to re establish security each time a client roams to a different switch Using PMK caching clients and switches cache the results of 802 1X authentications Therefore access is much faster when a client roams back to a switch to which the client is already authenticated Opport...

Page 443: ... same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a totally different result WPA2 CCMP is based on the concept of a Robust Security Network RSN which defines a hierarchy of keys with a limited lifetime similar to TKIP Like TKIP the provided keys are used to derive other ...

Page 444: ...ould not have enough data using a single key to attack the deployed encryption scheme Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the admi...

Page 445: ...pre authentication a client can perform an 802 1X authentication with other detected access points while still connected to its current access points When a device roams to a neighboring access points the device is already authenticated thus providing faster re association Pairwise Master Key PMK Caching Pairwise Master Key PMK Caching is a technique for sidestepping the need to re establish secur...

Page 446: ...uthentication to provide user and device authentication and dynamic WEP key derivation and periodic key rotation 802 1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered WEP 64 uses a 40 bit key concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter ...

Page 447: ... any alphanumeric string The wireless controller other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 fields to specify key numbers For WEP 64 40 bit key the keys are 10 hexadecimal chara...

Page 448: ...1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered If 802 1X support is not available on the legacy device MAC authentication should be enabled to provide device level authentication WEP 128 and KeyGuard use a 104 bit key which is concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP may be all a small business user n...

Page 449: ...e button The pass key can be any alphanumeric string The access point other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 areas to specify key numbers For WEP 128 104 bit key the keys ar...

Page 450: ...l overview see Wireless Firewall on page 8 2 WLANs use Firewalls like Access Control Lists ACLs to filter mark packets based on the WLAN from which they arrive as opposed to filtering packets on Layer 2 ports An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions rules a packet must satisfy to match the ACE The order of conditions in the...

Page 451: ...ewall Rules or Outbound IP Firewall Rules using the drop down menu If no rules exist select the Create icon to create a new firewall rule configuration Select the Edit icon to modify the configuration of a selected firewall If creating a new rule provide a name up to 32 characters long 7 Select the Add button ...

Page 452: ...dually as their filtering attributes require a more refined update a Select the Edit Rule icon to the left of a particular IP Firewall rule configuration to update its parameters collectively Figure 6 11 WLAN Security IP Firewall Rules Edit Rule screen b Click the icon within the Description column top right hand side of the screen and select IP filter values as needed to add criteria into the con...

Page 453: ...ess or network group configuration used as a basis matching criteria for this IP ACL rule Source options include Any Indicates any host device in any network Network Indicates all hosts in a particular network Subnet mask information has to be provided for filtering based on network Host Indicates a single host with a specific IP address Alias Indicates a collection of IP addresses or hostnames or...

Page 454: ...ype ICMP messages are used for packet flow control or generated in IP error responses ICMP errors are directed to the source IP address of the originating packet Assign an ICMP type from 1 10 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code Many ICMP types have a corresponding code helpful for troubleshooting networ...

Page 455: ...t select Create to display a screen where Firewall rules can be created 12 Select the Add Row button 13 Select the added row to expand it into configurable parameters Figure 6 13 WLAN Security MAC Firewall Rules screen 14 Define the following parameters for either the inbound or outbound MAC Firewall Rules Allow Every MAC firewall rule is made up of matching criteria rules The action defines what ...

Page 456: ... employs to interoperate within the network once authenticated by the access point s local RADIUS server Set the VLAN form 1 4094 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu to specify an Ethertype of either ipv6 arp wisp or monitor 8021q An Ethertype is a two octet field within...

Page 457: ...match Select this radio button to check for a source MAC mismatch in the ARP header and Ethernet header This setting is enabled by default DHCP Trust Select this radio button to enable DHCP trust on this WLAN This setting is disabled by default Wireless Client Denied Traffic Threshold If enabled any associated client exceeding the thresholds configured for storm traffic is either deauthenticated o...

Page 458: ...points can support up to 256 clients per access point AP6511 and AP6521 models can support up to 128 clients per access point Client load balancing can be enforced for the WLAN as more and more WLANs are deployed 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create a new WLAN or s...

Page 459: ...fic is distributed In a WLAN each device normally connects to an access point with the strongest signal Depending on the number and locations of the clients this arrangement can lead to excessive demand on one access point and under utilization of others resulting in degradation of overall network performance With 802 11k if the access point with the strongest signal is loaded to its capacity a cl...

Page 460: ...ioning local versus remote users and how to best accommodate each Remote user information can be archived to a remote location for periodic network and user permission administration To configure WLAN accounting settings 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an addi...

Page 461: ...s disabled by default Syslog Host Specify the IP address or hostname of the external syslog host where accounting records are routed Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed The default port is 514 Proxy Mode Use the drop down menu to define how syslog accounting is conducted Options include None Through Wir...

Page 462: ...nitoring feature enables the captive portal administrators to indicate to all users that the service is temporarily unavailable As the service unavailable information is immediately displayed to the users users are less likely to complain The reasons a captive portal service becomes unavailable can be broadly classified as When the RADIUS authentication server becomes unavailable The RADIUS server...

Page 463: ...ers are automatically migrated to the VLAN defined in the Adoption Monitoring VLAN field Adoption Monitoring VLAN Use the spinner control to select the VLAN that users are migrated to when a device s connection to its adopting controller is lost DHCP Server Monitoring Enable Select to enable monitoring the configured DHCP Server When the connection to the monitored DHCP server is lost all captive ...

Page 464: ...N Client Load Balancing screen 6 Set the following Load Balance Settings generic to both the 2 4 GHz and 5 0 GHz bands Enforce Client Load Balancing Select this radio button to enforce a client load balance distribution on this WLAN This setting is disabled by default Loads are balanced by ignoring association and probe requests Probes and association requests are not responded to forcing a client...

Page 465: ...cy The default value is 60 Probe Request Interval Enter a value in seconds from 0 10 000 to set an interval for client probe requests beyond which association is allowed for clients on the 2 4 GHz frequency The default setting is 10 seconds Single Band Clients Select this option to enable single band client associations on the 5 0 GHz frequency even if load balancing is available The default setti...

Page 466: ...s NAS Identifier Specify what is included in the RADIUS NAS Identifier field for authentication and accounting packets This is an optional setting and defaults are used if no values are provided NAS Port The profile database on the RADIUS server consists of user profiles for each connected network access server NAS port Each profile is matched to a user name representing a physical port When the a...

Page 467: ...pplicable to client traffic associated with this WLAN only If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associat...

Page 468: ...channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates 802 11n MCS rates are defined as follows both with and without short guard intervals SGI Table 6 1 MCS 1Stre...

Page 469: ...CS 3Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 3 19 5 21 7 40 5 45 1 3 39 43 3 81 90 2 3 58 5 65 121 5 135 3 3 78 86 7 162 180 4 3 117 130 7 243 270 5 3 156 173 3 324 360 6 3 175 5 195 364 5 405 7 3 195 216 7 405 450 Table 6 4 MCS 802 11ac theoretical throughput for single spatial streams MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40M...

Page 470: ...1 5 135 263 3 292 5 7 65 72 2 135 150 292 5 325 8 78 86 7 162 180 351 390 9 n a n a 180 200 390 433 3 Enable Select this option to forward logging messages to an external syslog server Host Use the field to provide a hostname IP address of the remote syslog server Use the drop down menu to select the type of host address Port Use the spinner control to configure the port on which the external sysl...

Page 471: ... in a meshed network and its connection to the mesh is lost then all WLANs on the access point that have this option enabled are shut down Shutdown on Primary Port Link Loss When there is a loss of link on the primary wired link on the access point all the WLANs on the access point that have this option enabled are shut down Shutdown on Critical Resource Down If critical resource monitoring is ena...

Page 472: ...N to shutdown if any one or all of the access point s configured critical resources are not reachable or available This setting is disabled by default Shutdown on Unadoption Select to enable the WLAN to shutdown if the access point is unadopted from its wireless controller This setting is disabled by default Days Configure the days on which the WLAN is accessible Select from one of the following A...

Page 473: ...OK when completed to update this WLAN s Advanced settings Select Reset to revert to the last saved configuration Select Exit to exit the screen End Time Configure the time when the WLAN is unavailable End time is configured as HH MM AM PM ...

Page 474: ...olicies supports an ideal QoS configuration for the intended data traffic for this WLAN select the Add button to create new policy Select the radio button of an existing WLAN and select OK to map the QoS policy to the WLAN displayed in the banner of the screen Use the WLAN Quality of Service QoS screen to add a new QoS policy or edit an existing policy Each access point model supports up to 32 WLA...

Page 475: ...on this WLAN is low priority on the radio SVP Prioritization A green check mark defines the policy as having Spectralink Voice Prioritization SVP enabled to allow the access point to identify and prioritize traffic from Spectralink Polycomm phones using the SVP protocol Phones using regular WMM and SIP are not impacted by SVP prioritization A red X defines the QoS policy as not supporting SVP prio...

Page 476: ...given access category packets are then added to one of four independent transmit queues one per access category voice video best effort or background in the client The client has a collision resolution mechanism to address collision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should...

Page 477: ...dio This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video Optimized fo...

Page 478: ...load information element in beacons and probe response packets This feature is enabled by default Configure Non WMM Client Traffic Use the drop down menu to specify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include Video Voice Normal and Low The default setting is Normal Transmit Ops Use the slider to set the maxi...

Page 479: ... are used for lower priority traffic The available range is from 0 15 The default value is 4 ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Higher values are used for lower priority traffic The available range is from 0 15 The default value is 10 Transmit Ops Use...

Page 480: ...QoS rate limit configurations for data transmitted from the access point upstream and data transmitted from a WLAN s wireless clients back to their associated access point radios downstream AP6511 and AP6521 model access points do not support rate limiting on an individual client basis Before defining rate limit thresholds for WLAN upstream and downstream traffic Motorola Solutions recommends you ...

Page 481: ...os to associated clients on this WLAN Enabling this option does not invoke rate limiting for data traffic in the downstream direction This feature is disabled by default Rate Define an upstream rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defined rate is ...

Page 482: ...ze for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the ups...

Page 483: ...reshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the downstream direction This is a percentage of the maximum burst size for vide...

Page 484: ... traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for client video traffic in the upstream direction This...

Page 485: ...generated Background traffic consumes the least bandwidth of any access category so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Best Effort Traffic Set a percentage for client best effort traffic in the downstream direction This is a percentage of the maximum burst size for norma...

Page 486: ...lticast mask an administrator can indicate which frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast Mask Secondary Set a secondary multicast mask for the WLAN QoS policy Normally all multicast and broadcast packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients...

Page 487: ...reshold must be defined for WLAN Before enabling rate limiting on a WLAN a baseline for each traffic type should be performed Once a baseline has been determined a minimum 10 margin should be added to allow for traffic bursts The bandwidth required for real time applications such as voice and video are very fairly easy to calculate as the bandwidth requirements are consistent and can be realistica...

Page 488: ...er priority from completely dominating the wireless medium thus ensuring lower priority traffic is still supported by connected radios IEEE 802 11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery U APSD that provides a mechanism for wireless clients to retrieve packets buffered by an access point U APSD reduces the amount of signaling frames sent from a...

Page 489: ...figure an access point radio s QoS policy 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Radio QoS Policy to display a high level display of existing Radio QoS policies Figure 6 26 Radio Quality of Service QoS screen 4 Refer to the following information for a radio QoS policy Radio QoS Policy Displays the name of each radio QoS policy This is the name set for each listed...

Page 490: ...n of frames for any traffic class by looking at the amount of traffic the client is receiving and sending If a client sends more traffic than configured for an admission controlled traffic class the traffic is forwarded at the priority of the next non admission controlled traffic class This applies to clients that do not send TPSEC frames only Voice A green check mark indicates voice prioritizatio...

Page 491: ... selected for the back off mechanism Lower values are used for higher priority traffic The available range is from 0 15 The default value is 3 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low number The default value is 0 AIFSN Set the current AIFSN from1 15 ...

Page 492: ...m of a numerical range From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic like video The available range is from 0 15 The default value is 4 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low...

Page 493: ...ssion control for voice supported client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription This value ensures the radio s bandwidth is available for high bandwidth voice traffic if anticipated on the wireless medium or other access category traffic if voice support is not prioritized Voice traffic requires longer radio airtime to process...

Page 494: ...to a different managed access point radio Select from 0 256 clients The default value is 10 Reserved for Roam Set the roam utilization in the form of a percentage of the radio s bandwidth allotted to admission control for normal background supported clients who have roamed to a different managed radio The available percentage range is from 0 150 with 150 available to account for over subscription ...

Page 495: ...rm of a percentage of the radio s bandwidth allotted to admission control for low client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription Best effort traffic only needs a short radio airtime to process so set an intermediate airtime value if the radio QoS policy is reserved to support background data The default value is 75 Maximum Wire...

Page 496: ...owed Specify the maximum number of wireless clients from 0 256 allowed to use accelerated multicast The default value is 25 When wireless client count exceeds the above limit When the wireless client count using accelerated multicast exceeds the maximum number set the radio to either Reject new wireless clients or to Revert existing clients to a non accelerated state The default setting is Reject ...

Page 497: ...Delay for Best Effort Specify the maximum time in milliseconds to delay best effort traffic The default setting is 150 millisecond Max Delay for Background Specify the maximum time in milliseconds to delay background traffic The default setting is 250 millisecond Max Delay for Streaming Video Specify the maximum time in milliseconds to delay streaming video traffic The default setting is 150 milli...

Page 498: ...n WMM clients on the same WLAN Non WMM clients are always assigned a best effort access category Motorola Solutions recommends default WMM values be used for all deployments Changing these values can lead to unexpected traffic blockages and the blockages might be difficult to diagnose Overloading an access point radio with too much high priority traffic especially voice degrades the overall servic...

Page 499: ... a WLAN see Configuring Advanced WLAN Settings on page 6 40 Each supported access point model can support up to 32 Association ACLs with the exception of AP6511 and AP6521 models that support 16 WLAN Association ACLs To define an Association ACL deployable with a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Association ACL to display a high level display of existi...

Page 500: ... the Association ACL settings Select Reset to revert to the last saved configuration Precedence The rules within a WLAN s ACL are applied to packets based on their precedence values Every rule has a unique sequential precedence value you define You cannot add two rules s with the same precedence value The default precedence is 1 so be careful to prioritize ACLs accordingly as they are added Starti...

Page 501: ...nds using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name ACLs after specific WLANs as individual ACL policies can be used by more than one WLAN You cannot apply more than one MAC based ACL to a Layer 2 interface If a MAC ACL is already configured on a Layer 2 interface and a...

Page 502: ... If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Smart RF policy is mapped the radio picks a channels specified in the Smart RF policy If no SMART RF policy is mapped the radio selects a random channel If the radio is a dedicated sensor it stops termination on that channel if a neighboring access point detects radar The access point att...

Page 503: ...hboring radios when radio interference is detected When interference is detected Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio If a client s signal to noise value is above the threshold the transmit power is increased until the signal to noise rate falls below the threshold This setting is enabled by default Co...

Page 504: ...rameters can be updated Use the Channel and Power screen to refine Smart RF power settings over both the 5 0 GHz and 2 4 GHz radio bands and select channel settings in respect to the access point s channel usage Figure 6 33 SMART RF Channel and Power screen 9 Refer to the Power Settings field to define Smart RF recovery settings for the access point s 5 0 GHz 802 11a and 2 4 GHz 802 11bg radio NOT...

Page 505: ...ry channel the system is configured for dynamic 20 40 operation When 20 40 is selected clients can take advantage of wider channels 802 11n clients experience improved throughput using 40 MHz while legacy clients either 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to work...

Page 506: ...index as defined in the table with the lowest index being executed first NOTE The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen Day Use the drop down menu to select a day of the week to apply the override Selecting All will apply the policy every day Selecting weeke...

Page 507: ...0 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency from 0 50 This is the frequency radios scan channels on non peer radios The default setting is 5 for both 2 4 GHz and 5 0 GHz bands Sample Count Use the spinner control to set a sample scan count value from 1 15 This is the number of radio RF readings gathered before data is sent to the Smart RF master Th...

Page 508: ...s selected as the Sensitivity setting from the Smart RF Basic Configuration screen 5GHz Neighbor Power Threshold Use the spinner control to set a value from 85 to 55 dBm the access point s 5 0 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within the access point s radio coverage area The default value is ...

Page 509: ...is allowed to compensate for a potential coverage hole The default setting is 3 Dynamic Sample Threshold Use the spinner control to set the number of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select this radio button to allow Smart RF to scan for excess interference from supported radio devices WLANs ar...

Page 510: ...ected to a radio the radio does not change its channel even though required based on the interference recovery determination made by the smart master The default setting is 50 5 GHz Channel Switch Delta Use the spinner to set a channel switch delta from 5 35 dBm for the 5 0 GHz radio This parameter is the difference between noise levels on the current channel and a prospective channel If the diffe...

Page 511: ...nd AP6521 model access points can support up to 128 clients per access point or radio The default setting is 1 SNR Threshold Use the spinner control to set a signal to noise SNR threshold from 1 75 dB This is the SNR threshold for an associated client as seen by its associated AP radio When exceeded the radio increases its transmit power to increase coverage for the associated client The default v...

Page 512: ...ion it s a temporary measure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist Motorola Solutions recommends that if a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS it will switch channels if radar is detected If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is d...

Page 513: ...f each MP to MP link MeshConnex uses this data to dynamically form and continually maintain paths for forwarding network frames In MeshConnex systems a Mesh Point MP is a virtual mesh networking instance on a device similar to a WLAN AP On each device up to 4 MPs can be created and 2 can be created per radio MPs can be configured to use one or both radios in the device If the MP is configured to u...

Page 514: ...status of each configured mesh point either Enabled or Disabled Descriptions Displays any descriptive text entered for each of the configured mesh points Control VLAN Displays VLAN number for the control VLAN on each of the configured mesh points Allowed VLANs Displays the list of VLANs allowed on each of the configured mesh points Security Mode Displays the security for each of the configured mes...

Page 515: ...om the drop down menu To use mesh point style beacons select mesh point from the drop down menu The default value is mesh point Is Root Select this option to specify the mesh point as a root Control VLAN Use the spinner control to specify a VLAN to carry mesh point control traffic The valid range for control VLAN is from 1 4094 The default value is VLAN 1 Allowed VLAN Specify the VLANs allowed to ...

Page 516: ...authentication for the mesh point Select psk to set a pre shared key as the authentication for the mesh point If psk is selected enter a pre shared key in the Key Settings field Pre Shared Key When the security mode is set as psk enter a 64 character HEX or an 8 63 ASCII character passphrase used for authentication on the mesh point Unicast Rotation Interval Define an interval for unicast key tran...

Page 517: ...s Mesh points can communicate as long as they support the same basic MCS as well as non 11n basic rates The selected rates apply to associated client traffic within this mesh point only 5 0 GHz Mesh Point Choose the Select button to configure radio rates for the 5 0 GHz band Define both minimum Basic and optimal Supported rates as required for 802 11a and 802 11n rates supported by the 5 0 GHz rad...

Page 518: ...ic is supported within this mesh point If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they su...

Page 519: ...or each mesh point The Quality of Service screen displays a list of Mesh QoS policies available to mesh points Each Mesh QoS policy can be selected to edit its properties If none of the exiting Mesh QoS policies supports an ideal QoS configuration for the intended data traffic of this mesh point select the Add button to create new policy Select an existing Mesh QoS policy and select Edit to change...

Page 520: ...nd unknown unicast packets that typically transmit and receive from each supported WMM access category If thresholds are defined too low normal network traffic required by end user devices will be dropped resulting in intermittent outages and performance problems A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction Mesh Rx Rate Limit Display...

Page 521: ...Mesh Tx Rate Limit Select this option to enable rate limiting for all data received from any mesh point in the mesh This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received over the mesh point from all access categories Traffic that exceeds the defined rate is dropped...

Page 522: ...f the maximum burst size for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general transmit rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for v...

Page 523: ...t to a lower value once a general receive rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for video traffic in the receive direction This is a percentage of the maximum burst size for video traffic Video traffic exceeding the defined threshold is dropped and a log message is generated Video traffic consumes sig...

Page 524: ...old is dropped by the client and a log message is generated The default threshold is 0 0 implies no early random drops will occur Neighbor Tx Rate Limit Select this radio button to enable rate limiting for data transmitted from connected wireless clients Enabling this option does not invoke rate limiting for data traffic in the transmit direction This feature is disabled by default Rate Define a r...

Page 525: ...d is 0 0 means no early random drops will occur Disable Multicast Streaming Select this option to disable Multicast Streaming on the mesh point Automatically Detect Multicast Streams Select this option tto have bridged multicast packets converted to unicast to provide better overall airtime utilization and performance The administrator can either have the system automatically detect multicast stre...

Page 526: ...her relevant information Only relevant information is presented to the client which enables it to decide with network to join To define a Passpoint Policy 1 Select Configuration 2 Select Wireless 3 Select Passpoint Policy to display existing Passpoint policies Figure 6 46 Wireless Passpoint Policy screen 4 Refer to the following configuration data for existing Passpoint policies Name Displays the ...

Page 527: ...dly name for the operator running the hotspot service Enter a string not longer than 64 characters Venue Name Enter a friendly name for the venue in which this hotspot service is running Enter a string not longer than 252 characters Venue Name Lang Use this table to provide encoding information to display the Venue Name in other languages Use this table to provide the language Code and the hexadec...

Page 528: ...6 102 WiNG 5 5 Access Point System Reference Guide ...

Page 529: ...es For more information on the network configuration options available to the access point refer to the following Policy Based Routing PBR L2TP V3 Configuration AAA Policy AAA TACACS Policy Alias For configuration caveats specific to Configuration Network path refer to Network Deployment Considerations on page 7 42 ...

Page 530: ... a WLAN ports or SVI mark the packet the new marked DSCP value is used for matching Incoming WLAN Packets can be filtered by the incoming WLAN There are two ways to match the WLAN If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN then this WLAN is used for selection If the device doing policy based routing does not have an onboard radio and a pa...

Page 531: ...If not drop the packet Fallback Fallback to destination based routing if none of the configured next hops are reachable or not configured This is enabled by default Mark IP DSCP Set IP DSCP bits for QoS using an ACL The mark action of the route maps takes precedence over the mark action of an ACL To define a PBR configuration 1 Select Configuration tab from the web UI 2 Select Network 3 Select Pol...

Page 532: ...oute map consists of multiple entries each carrying a precedence value An incoming packet is matched against the route map with the highest precedence lowest numerical value DSCP Displays each policy s DSCP value used as matching criteria for the route map DSCP is the Differentiated Services Code Point field in an IP header and is for packet classification Packets are filtered based on the traffic...

Page 533: ...raffic class defined in the IP DSCP field One DSCP value can be configured per route map entry Role Policy Use the drop down to select a Role Policy to use with this route map Click the Create icon to create a new Role Policy To view and modify an existing policy click the Edit icon User Role Use the drop down menu to select a role defined in the selected Role Policy This user role is used while d...

Page 534: ...nal considerations Next Hop secondary If the primary hop request were unavailable a second resource can be defined Set either the IP address of the virtual resource or select the Interface option and define either a wwan1 pppoe1 or a VLAN interface Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination the configured default next hop is used This value is ...

Page 535: ...efault Local PBR Select this option to implement policy based routing for this access point s packet traffic This setting is enabled by default so the match and action clauses defined within the Route Maps tab are implemented until disabled using this setting Use CRM Select the Use CRM Critical Resource Management option to monitor access point link status Selecting this option determines the disp...

Page 536: ...2TP V3 tunnel needs to be established between the tunneling entities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the pseudowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for ...

Page 537: ... between L2TP V3 hello keep alive messages exchanged within the L2TP V3 control connection Reconnect Attempts Lists each policy s maximum number of reconnection attempts to reestablish a tunnel between peers Reconnect Interval Displays the duration set for each listed policy between two successive reconnection attempts Retry Count Lists the number of retransmission attempts set for each listed pol...

Page 538: ...e L2 Path Recovery Indicates if L2 Path Recovery is enabled to learn servers gateways and other network devices behind a L2TPV3 tunnel Cookie size L2TP V3 data packets contain a session cookie which identifies the session pseudowire corresponding to it Use the spinner control to set the size of the cookie field present within each L2TP V3 data packet Options include 0 4 and 8 The default setting i...

Page 539: ...ry Time Out Use the spinner control to define the interval in seconds before initiating a retransmission of a L2TP V3 signaling message The available range is from 1 250 with a default value of 5 Rx Window Size Specify the number of packets that can be received without sending an acknowledgement The available range is from 1 15 with a default setting of 10 Tx Window Size Specify the number of pack...

Page 540: ... describing what the user is authorized to perform These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions The database could be located locally on the access point or be hosted remotely on a RADIUS server Remote RADIUS servers authorize users by associating attribute value ...

Page 541: ... a process and a stop notice at the end of a process The start accounting record is sent in the background The requested process begins regardless of whether the start accounting notice is received by the accounting server Request Interval Lists the interval at which an access point sends a RADIUS accounting request to the RADIUS server NAC Policy Lists the Network Access Control NAC filter used t...

Page 542: ...as either Host onboard self or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The...

Page 543: ...in name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Using NAI each ISP need not have all the accounts for al...

Page 544: ...om 1 10 The default is 3 Request Timeout Specify the time from 1 60 seconds for the access point s re transmission of request packets If this time is exceeded the authentication session is terminated The default is 3 seconds Retry Timeout Factor Specify the time from 50 200 seconds between retry timeouts for the access points s re transmission of request packets The default is 100 DSCP Specify the...

Page 545: ...isplays the type of AAA server in use either Host onboard self or onboard controller Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of request pack...

Page 546: ... but it need not be a valid E mail address or a fully qualified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between ...

Page 547: ...econds between two successive re transmission attempts of request packets Specify a value from 50 200 seconds The default is 100 seconds DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is from 0 63 with a default value of 34 NAI Routing Enable Displays NAI routing status AAA servers identify clients using the NAI The...

Page 548: ...is Start Stop Request Interval Set the periodicity of the interim accounting requests The default is 30 minutes Accounting Server Preference Select the server preference for RADIUS Accounting The options are Prefer Same Authentication Server Host Uses the authentication server hostname as the host used for RADIUS accounting This is the default setting Prefer Same Authentication Server Index Uses t...

Page 549: ...s the time after which an EAP Request to a wireless client is retried ID Request Timeout Defines the time 1 60 seconds after which an EAP ID Request to a wireless client is retried The default setting is 30 seconds Retransmission Scale Factor Configures the scaling of the retransmission attempts Timeout at each attempt is a function of the request timeout factor and client attempts number 100 defa...

Page 550: ...rate accounting authentication and authorization services Some of the services provided by TACACS are Authorizing each command with the TACACS server before execution Accounting each session s logon and log off event Authenticating each user with the TACACS server before enabling access to network resources To define unique AAA TACACS configurations 1 Select the Configuration tab from the Web UI 2...

Page 551: ...n it was initially created The name cannot be edited within a listed profile Accounting Access Method Displays the method used to access the AAA TACACS Accounting server Options include all SSH Console or Telnet Authentication Access Method Displays the method used to access the AAA TACACS Authentication server Options include all SSH Console Telnet or Web Authorization Access Method Displays the ...

Page 552: ...Reference Guide Figure 7 14 AAA TACACS Policy New Policy screen 6 Provide a name for the AAA TACACS policy in the AAA TACACS Policy field The name can be up to 32 characters long Click Continue The Authentication tab displays by default ...

Page 553: ...e of the AAA TACACS authentication server Port Displays the port on which the TACACS authentication server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of request packets The default is 3 seconds If this time is exceeded the authentication sessi...

Page 554: ...efine or edit the port on which the AAA TACACS server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Secret Specify the secret password used for authentication on the selected AAA TACACS server By default the secret is displayed as asterisks When a secret is entered it must be confirmed in the Reconfirm text box Request Attempts Display...

Page 555: ...P address or hostname of the AAA TACACS accounting server Port Displays the port on which the TACACS accounting server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of request packets The default is 3 seconds If this time is exceeded the authenti...

Page 556: ...AAA TACACS server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Secret Specify the secret password used for authentication on the selected AAA TACACS server By default the secret is displayed as asterisks When a secret is entered it must be confirmed in the Reconfirm text box Request Attempts Displays the number of attempts a client ca...

Page 557: ...e of the AAA TACACS authorization server Port Displays the port on which the TACACS authorization server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of request packets The default is 3 seconds If this time is exceeded the authentication session...

Page 558: ...he AAA TACACS server listens to traffic within the access point managed network The port range is 1 65 535 The default port is 49 Secret Specify the secret password used for authentication on the selected AAA TACACS server By default the secret is displayed as asterisks When a secret is entered it must be confirmed in the Reconfirm text box Request Attempts Displays the number of attempts a client...

Page 559: ...ccounting Access Method Specify the access methods for which accounting must be performed From the drop down select one of all Accounting is performed for all types of access console Accounting is performed only for console access ssh Accounting is performed only for access through SSH telnet Accounting is performed only for access through Telnet ...

Page 560: ...counting for session start and session stop events Authentication Access Method Specify the access methods for authentication all Authentication is performed for all types of access console Authentication is performed only for console access ssh Authentication is performed only for access through SSH telnet Authentication is performed only for access through Telnet web Authentication is performed ...

Page 561: ...ands Select this option to enable privileged commands executed without command authorization Privileged commands can alter change the authorization server configuration Service Name Configure a shell service for user authorization Service Protocol Configure a protocol for user authentication using the service in the Service Name field NOTE 5 entries can be made in the Service Protocol Settings tab...

Page 562: ...onfiguration Devices RF Domain Alias screen These aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override al...

Page 563: ...entral network and the VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN Alias can be used to replace VLANs in the followi...

Page 564: ...rements A host alias can be used to replace hostnames in the following locations IP Firewall Rules DHCP 7 Select Add Row to define Network Alias settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL ...

Page 565: ...twork configurations Network configurations are complete networks in the form 192 168 10 0 24 or IP address range in the form 192 168 10 10 192 168 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 host entries eight 8 network entries and eight 8 IP addresses r...

Page 566: ...ect Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a bla...

Page 567: ... group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing Subnets can...

Page 568: ...s to a network interface providing multiple connections to a network from a single IP node A network service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Configuration tab from the web user interface 2 Select Network 3 Select the Alias item the Basic Alias screen displays 4 Select the Network Service Alias tab The...

Page 569: ... created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter...

Page 570: ...t guidelines to ensure the configuration is optimally effective In respect to L2TP V3 data transfers on the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete In respect to L2TP V3 the control connection keep alive mechanism of L2TP V3 can serve as a monitoring mechanism for the pseudowires associated with a control connection ...

Page 571: ...ion to protect and secure data at each vulnerable point in the network This security is offered at the most granular level with role and location based secure access available to users based on identity as well as the security posture of the client device There are multiple dimensions to consider when addressing the security of an access point managed wireless network including Wireless Firewall C...

Page 572: ...l device from first to last When a rule matches the network traffic processed by an access point the firewall uses that rule s action to determine whether traffic is allowed or denied Rules comprise of conditions and actions A condition describes a packet traffic stream A condition defines constraints on the source and destination devices the service for example protocols and ports and the incomin...

Page 573: ...fic or respond so slowly the device becomes unavailable in respect to its defined data rate DoS attacks are implemented by either forcing targeted devices to reset or consuming the devices resources so it can no longer provide service 4 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays s...

Page 574: ...ices Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address echo port port 7 Each of those addresses that have port 7 open will respond to the request generating a lot of traffic on the network For those that do not have port 7 open they will send an unreachable message back to the originator further clogging the network with more tr...

Page 575: ...CMP router solicitation multicasts onto the network and routers must respond as defined in RFC 1122 By sending ICMP Router Solicitation packets ICMP type 9 on the network and listening for ICMP Router Discovery replies ICMP type 10 hackers can build a list of all of the routers that exist on a network segment Hackers often use this scan to locate routers that do not reply to ICMP echo requests Smu...

Page 576: ...ion rate and threshold of outstanding connections Optionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get established in a configurable interval the software intervenes and terminates the connection attempt TCP Null Scan Hackers use the TCP NULL scan to i...

Page 577: ...ide of the screen to enable the screen s parameters for configuration Ensure this option stays selected to apply the configuration to the access point profile Figure 8 2 Wireless Firewall screen Storm Control tab Twinge The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes This can crash some Windows systems UDP Short Header Enables the UDP Short Header denial ...

Page 578: ... the access point user interface 13 Select the Advanced Settings tab Use the Advanced Settings tab to enable disable the firewall define application layer gateway settings flow timeout configuration and TCP protocol checks Traffic Type Use the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Broadcast Multicast and Unicast Interface Ty...

Page 579: ...e the firewall as either Enabled or Disabled The firewall is enabled by default If disabling the firewall a confirmation prompt displays stating NAT wireless hotspot proxy ARP deny static wireless client and deny wireless client sending not permitted traffic excessively will be disabled 15 Select OK to continue disabling the captive portal ...

Page 580: ...tect if the client is sending routed packets to the correct MAC address IPMAC Routing Conflict Logging Select enable logging for IPMAC Routing Conflict detection This feature is enabled by default and set to Warning IPMAC Routing Conflict Action Use the drop down menu to set the action taken when an attack is detected Options include Log Only Drop Only or Log and Drop The default setting is Log an...

Page 581: ... to allow Apple s FaceTime video calling traffic through the firewall using its default port This feature is enabled by default Log Dropped ICMP Packets Use the drop down menu to define how dropped ICMP packets are logged Logging can be rate limited for one log instance every 20 seconds Options include Rate Limited All or None The default setting is None Log Dropped Malformed Packets Use the drop ...

Page 582: ...etting is 30 seconds Check TCP states where aSYNpackettearsdown the flow Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow The default setting is enabled Check unnecessary resends of TCP packets Select the check box to enable the checking of unnecessary resends of TCP packets The default setting is enabled Check Sequenc...

Page 583: ...ed device from first to last When a rule matches the network traffic an access point is processing the firewall uses that rule s action to determine whether traffic is allowed or denied To add or edit an IP based Firewall Rule policy 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select IP Firewall to display existing IP firewall policies Figure 8 4 IP Firewall Policy s...

Page 584: ... group of variables or selected and updated individually as their filtering attributes require a more refined update a Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively Figure 8 6 WLAN Security IP Firewall Rules Edit Rule screen b Click the icon within the Description column top right hand side of the screen and select IP fil...

Page 585: ...o proceed to its destination Source Select the source for creating the ACL Source options include Any Indicates any host device in any network Network Indicates all hosts in a particular network Subnet mask information has to be provided for filtering based on network Host Indicates a single host with a specific IP address Alias Indicates a collection of IP addresses or hostnames or IP address ran...

Page 586: ... ICMP messages are used for packet flow control or generated in IP error responses ICMP errors are directed to the source IP address of the originating packet Assign an ICMP type from 1 10 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code Many ICMP types have a corresponding code helpful for troubleshooting network i...

Page 587: ...eeded to add additional IP Firewall Rule configurations Select the Remove icon as required to remove selected IP Firewall Rules 11 Select OK when completed to update the IP Firewall rules Select Reset to revert back to the last saved configuration ...

Page 588: ...t their network by limiting how and what these BYODs can access on and through the corporate network Device fingerprinting feature enables administrators to control how BYOD devices access the network and control their access permissions To configure device fingerprinting 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select Device Fingerprinting to display existing dev...

Page 589: ...are included Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 9 Security Device Fingerprinting New Client Identity screen 5 Select Pre defined and use the drop down menu to select from a list of pre defined client identities Once a client identity is selected from the drop down menu the DHCP Match Criteria fiel...

Page 590: ...re request discover any and all Use this option to select the message type on which the fingerprint is matched request Indicates the fingerprint is only checked with any DHCP request message received from any device discover Indicates the fingerprint is only checked with any DHCP discover message received from any device any Indicates the fingerprint is checked with either the DHCP request or the ...

Page 591: ...HCP discover messages Match Option The Match Option field contains the following options Option Codes This indicates that the Option Codes passed in the DHCP request discover message is used for matching Options are passed in the DHCP discover request messages as Option Code Option Type Option Value sets When Option Codes is selected all the Option Code passed in the DHCP discover request are extr...

Page 592: ...nfiguration information from a DHCP server The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices For example Apple devices have Match Type Use the drop down menu to select how the signatures are matched The available options are Exact The complete signature string completely matches the st...

Page 593: ...s used to identify clients and then use these signatures to classify and assign permissions to them Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 13 Security Device Fingerprinting Client Identity Group New Client Identity Group 13 Provide a name in the Name field for the new client identity and click the OK ...

Page 594: ... this group Use the buttons next to the drop down to manage and create new Client Identity policies 16 Use the Precedence control to set the precedence for the Client Identity This index sets the sequence the client identity in this Client Identity Group is checked or matched 17 Click Ok to save changes Click Reset to revert all changes made to this screen Click Exit to close the Client Identity G...

Page 595: ...lt is a typical allow deny or mark designation to packet traffic To add or edit a MAC based Firewall Rule policy 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select MAC Firewall Rules to display existing MAC Firewall Rule policies Figure 8 15 MAC Firewall Rules screen 4 Select Add to create a new MAC Firewall Rule Select an existing policy and select Edit to modify th...

Page 596: ...firewall to not to allow a packet to proceed to its destination Permit Instructs the firewall to allow a packet to proceed to its destination Source MAC Destination MAC Enter both Source MAC and Destination MAC addresses Access points use the source IP address destination MAC address as basic matching criteria Provide a subnet mask if using a mask Action The following actions are supported Log Eve...

Page 597: ...tive of the shared SSID each user employs to interoperate within the network once authenticated by the RADIUS server The VLAN ID can be from 1 4094 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu to specify an Ethertype of either other ipv4 arp rarp appletalk aarp mint wisp ipx 802 ...

Page 598: ...es the following enterprise class security management features Threat Detection Threat detection is central to a wireless security solution Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network Rogue Detection and Segregation A WIPS supported network distinguishes itself by both identifying and categorizing nearby access points WIPS identi...

Page 599: ...ection field to define the following detection settings for this WIPS policy 8 Refer to the Device Categorization field to associate a Device Categorization Policy with this Wireless IPS policy Select the Add icon to create a new Device Categorization policy or select the Edit icon to modify an existing Device Categorization policy Enable Rogue AP Detection Select the check box to enable the detec...

Page 600: ...ly tabs also available Figure 8 18 Wireless IPS screen WIPS Events Excessive tab The Excessive tab lists events with the potential of impacting network performance An administrator can enable or disable event filtering and set the thresholds for the generation of the event notification and filtering action An Excessive Action Event is an event where an action is performed repetitively and continuo...

Page 601: ...nts as required A green checkmark defines the event as enabled for tracking against its threshold values A red X defines the event as disabled and not tracked by the WIPS policy Each event is disabled by default Filter Expiration Set the duration an event generating client is filtered This creates a special ACL entry and frames coming from the client are dropped The default setting is 0 seconds Th...

Page 602: ... excessive action event representing a potential threat to the network This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against i...

Page 603: ...ure the Activate Wireless IPS Policy option remains selected to enable the screen s configuration parameters A WIPS signature is the set or parameters or pattern used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them Name Displays the name of the excessive action event representing a potential threat to the network This column lists the event being tr...

Page 604: ...ted A signature name cannot be modified as part of the edit process Signature Displays whether the signature is enabled A green checkmark defines the signature as enabled A red X defines the signature as disabled Each signature is disabled by default BSSID MAC Displays each BSS ID MAC address used for matching purposes Source MAC Displays each source packet MAC address for matching purposes Destin...

Page 605: ...dress used for matching and filtering with the signature Source MAC Define a source MAC address for the packet examined for matching filtering and potential device exclusion using the signature Destination MAC Set a destination MAC address for a packet examined for matching filtering and potential device exclusion using the signature Frame Type to Match Use the drop down menu to select a frame typ...

Page 606: ...ture 27 Select OK to save the updates to the WIPS Signature configuration Select Reset to revert to the last saved configuration The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Wireless Client Threshold Specify the threshold limit per client that when exceeded signals t...

Page 607: ...d jeopardizing the data managed by the access point and its connected clients Use the Device Categorization screen to apply neighboring and sanctioned approved filters on peer access points operating in this access point s radio coverage area Detected client MAC addresses can also be filtered based on their classification in this access point s coverage area To categorize access points and clients...

Page 608: ...ameters to add a device to a list of devices sanctioned for network operation Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification Use the drop down menu to designate the target device as either Sanctioned or Neighboring Device Type Use the drop down menu to designate the target device as either an access point or client MAC...

Page 609: ...ive WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy Since an organization s security goals vary the security policy should document site specific concerns The WIPS system can then be modified to support and enforce these additional security policies WIPS reporting tools can minimize dedicated administration time Vulnerability and activity ...

Page 610: ...8 40 WiNG 5 5 Access Point System Reference Guide ...

Page 611: ...sting clients and local RADIUS client authentication For more information refer to the following Configuring Captive Portal Policies Setting the DNS Whitelist Configuration Setting the DHCP Server Configuration Setting the RADIUS Configuration Refer to Services Deployment Considerations on page 9 45 for tips on how to optimize the access point s configuration ...

Page 612: ...network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable option Captive portal authentication does not provide end user data encryption but it can be used with static WEP WPA PSK or WPA2 PSK encryption Each supported access point model can support up to 32 captive portal policies with the exception of AP6511 and AP6521 models whi...

Page 613: ...s Internal Self the access point maintains the captive portal internally while External centralized means the captive portal is being supported on an external server Hosting VLAN Interface When Centralized Server is selected as the Captive Portal Server Mode a VLAN is defined where the client can reach the controller 0 is the default value Connection Mode Lists each policy s connection mode as eit...

Page 614: ...ty access and whitelist basic configuration before defining HTML pages for guest user access AAA Policy Lists each AAA policy used to authorize client guest access requests The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication When a captive portal policy is created or modified a AAA policy must be defined ...

Page 615: ...Services Configuration 9 5 Figure 9 2 Captive Portal Policy screen Basic Configuration tab ...

Page 616: ...ontrol to set the VLAN where the client can reach the controller 0 is the default value Captive Portal Server Set a numeric IP address non DNS hostname for the server validating guest user permissions for the captive portal policy This option is only available if hosting the captive portal on an External Centralized server resource Connection Mode Select either HTTP or HTTPS to define the connecti...

Page 617: ...e the Add Row button to populate the whitelist table with Host and IP Index parameters that must be defined for each whitelist entry Terms and Conditions page Select this option with any access type to include terms that must be adhered to for captive portal access These terms are included in the Terms and Conditions page when No authentication required is selected as the access type otherwise the...

Page 618: ... server information for billing auditing and reporting user data such as captive portal start and stop times executed commands such as PPP number of packets and number of bytes Accounting enables wireless network administrators to track captive portal services users are consuming Enable RADIUS Accounting Select this option to use an external RADIUS resource for AAA accounting for the captive porta...

Page 619: ...ge displays by default Syslog Host When syslog accounting is enabled use the drop down menu to determine whether an IP address or a host name is used as a syslog host The IP address or hostname of an external server resource is required to route captive portal syslog events to that destination Syslog Port When syslog accounting is enabled define the numerical syslog port to route traffic with the ...

Page 620: ...e portal The Fail page asserts the authentication attempt has failed and the user is not allowed access using this captive portal policy and must provide the correct login information again to access the Internet The No Service page asserts that the captive portal service is temporarily unavailable due to technical reasons Once the services become available the captive portal user is automatically...

Page 621: ...s accessing each specific page In the case of the Terms and Conditions page the message can be the conditions requiring agreement before guest access is permitted Footer Text Provide a footer message displayed on the bottom of each page The footer text should be any concluding message unique to each page before accessing the next page in the succession of captive portal Web pages Main Logo URL The...

Page 622: ...ess client access is provided Welcome URL Define the complete URL for the location of the Welcome page The Welcome page asserts the user has logged in successfully and can access resources via the captive portal Fail URL Define the complete URL for the location of the Fail page The Fail page asserts authentication attempt has failed and the client cannot access the captive portal and the client ne...

Page 623: ... point maintains its own set of Advanced Web pages for custom captive portal creation Refer to Operations Devices File Transfers and use the Source and Target fields to move captive portal pages as needed to managed devices that may be displaying and hosting captive portal connections Select the Web Page Auto Upload check box to enable automatic upload of captive portal Web pages For more informat...

Page 624: ...e 2 Select Services 3 Select DNS Whitelist The DNS Whitelist screen displays those existing whitelists available to a captive portal 4 Select Add to create a whitelist Edit to modify a selected whitelist or Delete to remove a whitelist a If creating a whitelist assign it a name up to 32 characters Use the Add Row button to populate the whitelist table with Host and IP Index parameters that must be...

Page 625: ...l Each class in a pool is assigned an exclusive range of IP addresses DHCP clients are compared against classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a single VLAN a...

Page 626: ...ation is obsolete it can be deleted Subnet Displays the network address and mask used by clients requesting DHCP resources Domain Name Displays the domain name used with this network pool Hostnames are not case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Boot Fil...

Page 627: ...CP discovery and requests between the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Select Alias to use a network alias with the subnet configuration For more information see Alias on page 7 34 Domain Name Provide the domain name used with this pool Domain...

Page 628: ...Select Reset to revert to the last saved configuration 10 Select the Static Bindings tab from within the DHCP Pools screen A binding is a collection of configuration parameters including an IP address associated with or bound to a DHCP client Bindings are managed by DHCP servers DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses Static bin...

Page 629: ...onfiguration Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type Value Lists the hardware address or client identifier value assigned to the client when added or last modified IP Address Displays the ...

Page 630: ...Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Select Alias to use a string alias with the domain name configuration For more information see Alias on page 7 34 Boot File Enter the name of ...

Page 631: ... to use a network alias with the DNS server configuration For more information see Alias on page 7 34 Within the Network field define one or more Default Routers to resolve routes to other parts of the network Up to 8 IP addresses can be provided for Default Routers Select Alias to use a network alias with the default routers configuration For more information see Alias on page 7 34 20 Select OK w...

Page 632: ...h the BOOTP Next Server configuration For more information see Alias on page 7 34 Enable Unicast Unicast packets are sent from one location to another location there s just one sender and one receiver Select this option to forward unicast messages to just a single device within the network pool This setting is disabled by default NetBIOS Node Type Set the NetBIOS Node Type used with this pool The ...

Page 633: ...on and gateways 26 Select the Add Row button to add individual options for Destination and Gateway addresses 27 Select OK to save the updates to the DHCP pool s Advanced settings Select Reset to revert the screen back to its last saved configuration 9 3 2 Defining DHCP Server Global Settings Setting the DHCP Server Configuration Setting a DHCP server global configuration entails defining whether B...

Page 634: ...numerical IP address or ASCII string or Hex string Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value 4 Select OK to save the updates to the DHCP server global settings Select Reset to revert to the last saved configuration Ignore BOOTP Requests Select the check box to ignore BOOTP requests BOOTP requests boot remote systems within the...

Page 635: ...er to the DHCP Class Policy screen to review existing DHCP class names and their current multiple user class designations Multiple user class options enable a user class to transmit multiple option values to DHCP servers supporting multiple user class options Either add a new class policy edit the configuration of an existing policy or permanently delete a policy as required To review DHCP class p...

Page 636: ... 32 characters 4 Select a row within the Value column to enter a 32 character maximum value string 5 Select the Multiple User Class radio button to enable multiple option values for the user class This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options 6 Select OK to save the updates to this DHCP class policy Select Reset to revert to th...

Page 637: ...olicies User policies include dynamic VLAN assignment and access based on time of day The access point uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS RADIUS authentication configured with the RADIUS service Dynamic VLAN assignment is achieved based on the RADIUS server response A user who associates to WLAN1 mapped to VLAN1 can be assigned a different VLAN after auth...

Page 638: ... Displays the group name or identifier assigned to each listed group when it was created The name cannot exceed 32 characters or be modified as part of the group s edit process Guest User Group Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each group A red X designates the group as hav...

Page 639: ... Helpdesk support access network admin Wired and wireless access security admin Grants full read write access system admin System administrator access VLAN Displays the VLAN ID used by the group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the access point managed network once authenticated by the local RADIUS server Time Start Specifies th...

Page 640: ... to permanently remove a selected group Figure 9 17 RADIUS Group Policy Add screen 5 Define the following Settings to define the user group configuration RADIUS Group Policy If creating a new RADIUS group assign it a name to help differentiate it from others with similar configurations The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process Guest User Group Selec...

Page 641: ...e RADIUS group as a management group If set as management group assign a role to the members of the group using the Access drop down menu allowing varying levels of administrative rights This feature is disabled by default Access If a group is listed as a management group assign how the devices can be accessed Available access types are Web Web access through browser is permitted SSH SSH access th...

Page 642: ...ther temporary or permanent A pool can contain a single user or group of users To configure a RADIUS user pool and unique user IDs 1 Select Configuration tab from the web user interface 2 Select Services 3 Expand the RADIUS menu option and select User Pools Figure 9 18 RADIUS User Pool screen 4 Select Add to create a new user pool Edit to modify the configuration of an existing pool or Delete to r...

Page 643: ...ss can be set uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group Displays the group name each configured user ID is a member Email Id Displays the configured E mail ID for this user This is the address used when communicating with users in this pool Telephone Displays the configured telephone number for this user This is the number used w...

Page 644: ...t exceed 64 characters Password Provide a password unique to this user The password cannot exceed 32 characters Select the Show check box to expose the password s actual character string Leaving the option unselected displays the password as a string of asterisks Guest User Select the check box to designate this user as a guest with temporary access The guest user must be assigned unique access ti...

Page 645: ...rified along with optionally other information The access point s RADIUS server policy can also be configured to refer to an external LDAP resource to verify the user s credentials The creation and utilization of a single RADIUS server policy is supported To manage the access point s RADIUS server policy 1 Select Configuration tab from the web user interface 2 Select Services 3 Expand the RADIUS m...

Page 646: ...e RADIUS Server Policy screen displays with the Server Policy tab displayed by default 4 Select the Activate RADIUS Server Policy button to enable the parameters within the screen for configuration Ensure this option remains selected or this RADIUS server configuration is not applied to the access point profile ...

Page 647: ...e feature This settings is enabled by default When enabled if the LDAP server does not contain the requested information it indicates to the LDAP client that it does not have the requested information and provides the client with another LDAP server that could have the requested information It is up to the client to contact the other LDAP server for its information Local Realm Define the LDAP Real...

Page 648: ...ssword Use LDAP agent settings to locally authenticate the user Additionally an authentication utility such as Samba must be used to authenticate the user Samba is an open source software used to share services between Windows and Linux machine Do Not Verify Username Only enabled when TLS is selected in Authentication Type When selected user name is not matched but the certificate expiry is checke...

Page 649: ...RADIUS access request packet and verifies the server possesses a shared secret for the client If the server does not possess a shared secret for the client the request is dropped If the client received a verified access accept packet the username and password are considered correct and the user is authenticated If the client receives a verified access reject message the username and password are c...

Page 650: ... and ensure the Activate RADIUS Server Policy button remains selected A user s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources The proxy server checks the information in the user access request and either accepts or rejects the request If the proxy server accepts the request it returns configuration information specifying the type of connection serv...

Page 651: ...t a value from 1024 65535 The default port is 1812 23 Enter the RADIUS client s Shared Secret for authenticating the RADIUS proxy 24 Select the Show check box to expose the shared secret s actual character string Leave the option unselected to display the shared secret as a string of asterisks 25 Select the OK button to save the changes Select the Reset button to revert to the last saved configura...

Page 652: ...elete to remove a LDAP server from the list of those available Redundancy Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource Designating at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server were to become unavailable IP Address Displays the IP address of the external LDAP serve...

Page 653: ...rver acting as the data source for the RADIUS server Login Define a unique login name used for accessing the remote LDAP server resource Consider using a unique login name for each LDAP server to increase the security of the connection between the access point and remote LDAP resource Port Use the spinner control to set the physical port used by the RADIUS server to secure a connection with the re...

Page 654: ...d password for the LDAP server Select the Show check box to expose the password s actual character string Leave the option unselected to display the password as a string of asterisks The password cannot 32 characters Password Attribute Enter the LDAP server password attribute The password cannot exceed 64 characters Group Attribute LDAP systems have the facility to poll dynamic groups In an LDAP d...

Page 655: ...nt shared secret password If a shared secret is compromised only the one client poses a risk as opposed all the additional clients that potentially share that secret password Consider using an LDAP server as a database of user credentials that can be used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location Designating at least one second...

Page 656: ...9 46 WiNG 5 5 Access Point System Reference Guide ...

Page 657: ...y reduce an attack footprint and free resources too To set Management Access administrative rights access control permissions authentication refer to the following Creating Administrators and Roles Setting the Access Control Configuration Setting the Authentication Configuration Setting the SNMP Configuration SNMP Trap Configuration Refer to Management Access Deployment Considerations on page 10 1...

Page 658: ...efault Figure 10 1 Management Policy Administrators screen 3 Refer to the following to review existing administrators 4 Select Add to create a new administrator configuration Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when editing an administrator s con...

Page 659: ...le can be assigned Web UI Select this option to enable access to the access point s Web UI Telnet Select this option to enable access to the access point using TELNET SSH Select this option to enable access to the access point using SSH Console Select this option to enable access to the access point s console Superuser Select this option to assign complete administrative rights to this user This e...

Page 660: ...ut administrative rights The Monitor option provides read only permissions Help Desk Assign this option to someone who typically troubleshoots and debugs reported problems The Help Desk manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the access point Web User Select this option to assign privileges to add users for captive ...

Page 661: ...tion as an ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better security than others and are more desirable To set user access control configurations 1 Select Configuration 2 Select Management 3 Select Access Control from the list of Management Policy options in the upper lef...

Page 662: ...ice access HTTP provides limited authentication and no encryption Enable HTTPS Select the check box to enable HTTPS device access HTTPS Hypertext Transfer Protocol Secure is more secure than plain HTTP HTTPS provides both authentication and data encryption as opposed to just authentication NOTE If an AP6511 or AP6521 s external RADIUS server is not reachable HTTPS or SSH management access to the a...

Page 663: ...e a new one IP based firewalls function like Access Control Lists ACLs to filter mark packets based on the IP from which they arrive as opposed to filtering packets on layer 2 ports IP firewalls implement uniquely defined access control policies so if you do not have an idea of what kind of access to allow or deny a firewall is of little value and could provide a false sense of network security So...

Page 664: ...ource will need to interoperate with a RADIUS and LDAP Server AAA Servers to provide user database information and user authentication data If there is no AAA policy suiting your RADIUS authentication requirements either select the Create icon to define a new AAA policy or select an existing policy from the drop down menu and select the Edit icon to update its configuration For more information on...

Page 665: ...ured AAA TACACS policy 8 Select OK to update the configuration Select Reset to revert to the last saved configuration Authentication Select to enable TACACS authentication on login Accounting Select to enable TACACS accounting on login Fallback Select to enable fallback to use local authentication if TACACS authentication fails Authorization Select to enable TACACS authorization on login ...

Page 666: ...entication mechanism to monitor and configure supported devices The read only community string is used to gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to monitor a system s performance and other parameters To define SNMP management values 1 Select ...

Page 667: ... Security Model USM for message security and the View based Access Control Model VACM for access control The architecture supports the concurrent use of different security access control and message processing techniques SNMPv3 is enabled by default Community Define a public or private community designation By default SNMPv2 community strings on most devices are set to public for the read only com...

Page 668: ...te destination 1 Select Configuration Management 2 Select SNMP Traps from the list of Management Policy options in the upper left hand side of the UI Figure 10 6 Management Policy screen SNMP Traps tab 3 Select the Enable Trap Generation check box to enable trap creation using the trap receiver configuration defined in the lower portion of the screen This feature is disabled by default 4 Refer to ...

Page 669: ...services like HTTPS SSH and SNMPv3 should be used when possible as they provide both data privacy and authentication By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Legacy Motorola Solutions devices may use other community strings by default Motorola Solutions recommends SNMPv3 be used for devi...

Page 670: ...10 14 WiNG 5 5 Access Point System Reference Guide ...

Page 671: ...e Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail Numerous tools are available within the Diagnostics menu Some allow event filtering some enable log views and some allow you to manage files generated when hardware or software issues are detected Diagnostic capabilities include Fault Management Crash Files Advanced ...

Page 672: ... By default all events are enabled and an administrator has to turn off events if they don t require tracking Figure 11 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing events Events can be filtered based on severity module received source MAC of the event device MAC of the event and MAC address of the wireless client 3 Define the following Custom...

Page 673: ...creen 7 Refer to the following event parameters to assess nature and severity of the displayed event Module Select the module from which events are tracked When a single module is selected events from other modules are not tracked Remember this when interested in events generated by a particular module Individual modules can be selected such as TEST LOG FSM etc or all modules can be tracked by sel...

Page 674: ...ld to filter events to display To filter messages further select a RF Domain from the Filter by RF Domain field 11 In the Access Point s tab select the RF Domain from the Select a RF Domain field to filter events to display To filter messages further select a device from the Filter by Device field Module Displays the module used to track the event Events detected by other modules are not tracked M...

Page 675: ...e not tracked Message Displays error or status message for each event Severity Displays event severity as defined for tracking from the Configuration screen Severity options include All Severities All events are displayed regardless of severity Critical Only critical events are display Error Only errors display Warning Only warnings display Informational Only informational events display no critic...

Page 676: ...rom those displayed in the lower left hand side of the UI Figure 11 4 Crash Files screen The screen displays the following for each reported crash file 4 Select a listed crash file and select the Copy button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button File Name Displays t...

Page 677: ...enu UI Debugging View UI Logs View Sessions 11 3 1 UI Debugging Advanced Use the UI Debugging screen to view debugging information for a selected device To review device debugging information 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options By default NETCONF Viewer is selected Once a target ID is selected its debugging information displays within the NETCONF Viewer ...

Page 678: ...n 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select Schema Browser from the navigation pane on the left The following screen displays Figure 11 6 UI Debugging screen Schema Browser The Scheme Browser displays the Configuration tab by default The Schema Browser displays two fields regardless of the Configuration Statistics or Actions tab selected Use the left ...

Page 679: ...g messages generated by the device Logs are classified as Flex Logs and Error Logs These logs provide a real time look into the state of the device and provide useful information for debugging and trouble shooting issues To display the logs 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View UI Logs menu item to display the logs By default the Flex Log...

Page 680: ...creen displays a list of all sessions associated with this device A session is created when a user name password combination is used to access the device to interact with it for any purpose Use the following to view a list of sessions associated with this device 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View Sessions menu item to display the users...

Page 681: ...elect Delete Cookie Displays the number of cookies created by this session From Displays the IP address of the device process initiating this session Role Displays the role assigned to the user name as displayed in the User column Start Time Displays the start time of this session This is the time at which the user successfully created this session User Displays the user name of the account used t...

Page 682: ...11 12 WiNG 5 5 Access Point System Reference Guide ...

Page 683: ...n to other managed devices Self Monitoring At Run Time RF Management Smart RF is a Motorola Solutions innovation designed to simplify RF configurations for new deployments while over time providing on going deployment optimization and radio performance improvements The Smart RF functionality scans the RF network to determine the best channel and transmit power for each managed access point radio F...

Page 684: ...ging Firmware and Configuration Files Rebooting the Device Locating a Device Upgrading Device Firmware Viewing Device Summary Information Adopted Device Upgrades File Management Adopted Device Restart Captive Portal Pages Re elect Controller These tasks can be performed on individual access points and wireless clients 12 1 1 Managing Firmware and Configuration Files Devices Firmware and configurat...

Page 685: ...ion on page 12 3 Show Startup Config Select this option to display the startup configuration of the selected device The startup configuration is displayed in a separate window Select Execute to perform the function For more information on viewing and managing the startup configuration see Managing Startup Configuration on page 12 6 Clear Crash Info Select this option to clear the crash dump files ...

Page 686: ... 12 3 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 4 Device Browser Options for a device 3 Select Show Running Config to display the Running Configuration window ...

Page 687: ... Refer to the following to configure the export parameters Protocol Select the protocol used for exporting the running configuration Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting the running configuration This option is not valid for cf usb1 usb2 usb3 and usb4 ...

Page 688: ...elect Show Startup Config to display the Startup Configuration window Host Enter IP address or the hostname of the server used to export the running configuration to This option is not valid for local cf usb1 usb2 usb3 and usb4 Path File Specify the path to the folder to export the running configuration to Enter the complete relative path to the file on the server User Name Define the user name us...

Page 689: ... parameters required to export or import the startup configuration to or from an external server Refer to the following to configure the remote server parameters Protocol Select the protocol used for exporting or importing the startup configuration Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 local ...

Page 690: ...guration to This option is not valid for local cf usb1 usb2 usb3 and usb4 Use the drop down to select the type of host information Host can be one of Host Name or IP Address Path File Specify the path to the folder to export or import the startup configuration to Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server Thi...

Page 691: ... file is used by Motorola Solutions Support Center to debug the issue and provide a solution to correct the error condition To view and manage the crash information files 1 Select a target device from the left hand side of the UI Figure 12 9 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 10 Device Browser...

Page 692: ...owser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 13 Device Browser Options for a device 3 To reboot the device select the Reload item File Name Displays the full path to the crash file Size Displays the size of the crash information file in kilobytes Last Modified Displays the timestamp the crash information file wa...

Page 693: ...e this device to reload Use this option for devices that are unresponsive and do not reload normally Delay Use the spinner to configure a delay in seconds before the device is reloaded Set this value to 0 to reload the device immediately Description Use the text box to provide a brief description detailing the reason to reload this device Current Boot Displays the current running firmware Displays...

Page 694: ...ner to set a value for Flash LED Duration This is the duration in minutes the device will flash its LEDs Once this duration expires the LEDs starts operating normally 5 Click Locator ON to start flashing the LEDs Click Locator OFF to stop the LEDs from flashing and resume normal operation Click Close to close this window 12 1 4 Upgrading Device Firmware Devices To update the firmware of an access ...

Page 695: ...irmware Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 local Port Use the spinner control or manually enter the value to define the port used by the protocol for importing the firmware upgrade file This option is not valid for local cf usb1 usb2 usb3 and usb4 Host Enter IP address or the hostname of the server used to import the firmware file This option is not valid for local...

Page 696: ...ce Details Summary screen displays by default when the Operations menu item is selected from the main menu Path File Specify the path to the firmware file Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server This field is only available if the selected protocol is ftp or sftp Password Specify the user account password ...

Page 697: ...e date the Primary and Secondary firmware image was built for the selected device Install Date Displays the date the firmware was installed on the access point Fallback Lists whether fallback is currently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render t...

Page 698: ... navigate to the device to manage the firmware and configuration files on and select it Figure 12 22 Device Summary screen 4 Select Adopted Device Upgrade tab The following screen displays NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode and cannot be initiated by Standalone APs Additionally upgrades can only be performed on access points of the same model as t...

Page 699: ...sfer pro tocol Device Type List Select the access point model to specify which model is available to upgrade by the Virtual Controller AP Upgrades can only be made to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed Scheduled Upgrade Time To perform the upg...

Page 700: ...ot impact its current client support and operation No Reboot Select this option to prevent upgraded access points from being rebooted This ensures that the access point remains in operation with its current firmware This option is useful to ensure the access point remains operational until ready to take it offline for the required reboot Staggered Reboot Select this option to do a staggered reboot...

Page 701: ...de to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed URL Enter a URL pointing to the location of the image file Advanced Basic Select Advanced to list additional options for the image file location including protocol host and path Additional options displ...

Page 702: ...er Protocol A hostname or IP address is required Port and path are optional cf Select this option to specify a file location on a Compact Flash card installed on the device This option might not be available on all devices usb1 usb2 usb3 usb4 Select this option to specify the file location on one of the USB 1 USB 2 USB 3 or USB 4 ports of the device This option might not be available on all device...

Page 703: ...raded Lists the number of devices waiting to receive a firmware image from their provisioning access point Each device can have its own upgrade time defined so the upgrade queue could be staggered Number of devices waiting in queue to be rebooted Lists the number of devices waiting to reboot before actively utilizing its upgraded image The Device Upgrade List list allows an administrator to disabl...

Page 704: ... for a reboot etc Upgrade Time Displays whether the upgrade is immediate or set by an administrator for a specific time This is helpful to ensure a sufficient number of devices remain in service at any given time Reboot Time Displays whether a reboot is immediate or time set by an administrator for a specific time Reboots render the device offline so planning reboots carefully is central to ensuri...

Page 705: ...Downloading Updating Scheduled Reboot Rebooting Done Cancelled Done No Reboot Time Displays the time when the device was upgraded Retries Displays the number of retries if any during the upgrade If this number is more than a few the upgrade configuration should be revisited Upgraded By Displays the hostname of the device that upgraded this device Last Status Displays the time of the last status up...

Page 706: ...12 24 WiNG 5 5 Access Point System Reference Guide Figure 12 27 Device Summary screen 4 Click File Management The following screen displays ...

Page 707: ... screen 5 The pane on the left of the screen displays the directory tree for the selected device Use this tree to navigate around the device s directory structure When a directory is selected all files in that directory is listed in the pane on the right ...

Page 708: ...te the new folder Click the Refresh button to refresh the view in the screen 8 To delete a folder select the folder in the directory tree on the left Click Delete Folder button The following popup displays Figure 12 30 Devices File Management Delete Confirmation screen File Name Displays the name of the file Size Kb Displays the size of the file in kilobytes Last Modified Displays the timestamp fo...

Page 709: ...en the device and a remote location The transfer can be done as follows From remote server to the device From device to remote server From a location on the device to another location on the same device 10 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity Source Select Server to indicate the source of the f...

Page 710: ...is option is not valid for cf usb1 usb2 usb3 and usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file This parameter is required only when Server is selected as the Source User Name If Advanced is selec...

Page 711: ...w the Adopted Device Restart screen 1 Select Operations from the main menu 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Figure 12 32 Device Summary screen 4 Select Adopted Device Restart The following screen displays NOTE The Adopted Device Restart tab is not available at the RF Domain level of the UI s hierarchal tree A RF D...

Page 712: ...ireless network Once logged into the captive portal additional Terms and Conditions Welcome and Fail pages provide the administrator with a number of options on screen flow and appearance Captive portal authentication is used primarily for guest or visitor access to the network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable opt...

Page 713: ...en 4 Select Captive Portal Pages The following screen displays NOTE If selecting the Captive Portal Pages screen from the RF Domain level of the UI s hierarchal tree there s an additional Upload from Controller option to the right of the Captive Portal List drop down menu Select this option to upload captive portal page support from this device s managing controller ...

Page 714: ...to immediately start the process of the update Use the date hour fields to configure a specific date and time for upload 7 The All Devices table lists the hostname and MAC address of all devices adopted by this access point Use the arrow buttons to move selected devices from the All Devices table to the Upload List table The Upload List table lists the devices to which the captive portal pages are...

Page 715: ...meters of the required file transfer activity Protocol If Advanced is selected choose the protocol for file management Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 This parameter is required only when Server is selected as the Source and Advanced is selected Port If Advanced is selected specify the port for transferring files This option is not available for cf usb1 usb2 usb...

Page 716: ...Hostname is not required Hostname If needed specify a Hostname of the server transferring the file This option is not valid for cf usb1 usb2 usb3 and usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file...

Page 717: ...display at either the system or device levels of the hierarchal tree 3 Select the Re elect Controller tab Hostname Displays the hostname of the target device MAC Displays the factory assigned MAC address of the target device State Displays the target device s state Progress Displays the progress of the upload to the target device Retries Displays the number of retires attempted for upload to the t...

Page 718: ...e for RF Domain Manager candidacy Use the button to move all listed access points into the Selected APs table The re election process can be achieved through the selection of an individual access point or through the selection of several access points with a specific Tunnel Controller Name matching the selected access points 5 Select Re elect to designate the Selected AP s as resources capable of ...

Page 719: ...a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication can be used by a client to access resources i...

Page 720: ...cate Management Trustpoints screen The Trustpoints screen displays for the selected MAC address 3 Refer to the Certificate Details to review certificate properties self signed credentials validity period and CA information 4 Select the Import button to import a certificate ...

Page 721: ...Operations 12 39 Figure 12 40 Certificate Management Import New Trustpoint screen ...

Page 722: ...tion to import the Trustpoint from a location on the network To do so select From Network and provide the following information Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation Li...

Page 723: ...ctive Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates Figure 12 41 Certificate Management Export Trustpoint screen ...

Page 724: ... generate additional keys or import export keys to and from remote locations Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address info...

Page 725: ...Management RSA Keys screen Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select Generate Key to create a new key with a defined size ...

Page 726: ...on 6 To optionally import a RSA Key select the Import button from the RSA Keys screen Figure 12 44 Certificate Management Import New RSA Key screen Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum ...

Page 727: ...d displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is dependent on the selected protocol Protocol Select the protocol used for importing the target key Available o...

Page 728: ...rase Leaving the option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is also dependent on the selected protocol Protocol Select the protocol used for ex...

Page 729: ...lic or private CAs A self signed certificate is a certificate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate that can be applied to a device 1 Select Operations 2 Select Certificates 3 Select Create Certificate IP Address If using Advanced settings enter IP address of the server used to export the RSA key This option is not...

Page 730: ...ine 32 character name used to identify the RSA key Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more information on creating a new RSA key see RSA Key Management on page 12 42 RSA Key Use Existing Select the radio button and use the drop down menu to se...

Page 731: ...e authority maintains the right to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operations 2 Select Certificates 3 Select Create CSR State ST Enter a State Prov for the state or province name used in the certificate This is a required field City L Enter a C...

Page 732: ...a Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more information see RSA Key Management on page 12 42 Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certificate The default setti...

Page 733: ...nal unit issuing the certificate enter it here Email Address Provide an E mail address used as the contact address for issues relating to this CSR Domain Name Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy absolutely To distinguish an FQDN from a regular domain name a trailing period is added ex somehost example c...

Page 734: ...l configurations as the basis to conduct Smart RF calibration operations 12 3 1 Managing Smart RF for a RF Domain Smart RF When calibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a RF map of the...

Page 735: ...mine whether a new channel assignment was warranted to compensate for a coverage hole Channel Lists the current channel assignment for each listed access point as potentially updated by an Interactive Calibration Use this data to determine whether a channel assignment was modified as part of an Interactive Calibration If a revision was made to the channel assignment a coverage hole was detected on...

Page 736: ...the Interactive Calibration has calculated Write Writes the new channel and power values to the radios under their respective device configurations Discard Discards the results of the Interactive Calibration without applying them to their respective devices Commit Commits the Smart RF module Interactive Calibration results to their respective access point radios 6 Select the Run Calibration option...

Page 737: ...firmware version for full functionality and utilization An access point must be rebooted to implement a firmware upgrade Take advantage of the reboot scheduling mechanisms available to the access point to ensure its continuously available during anticipated periods of heavy wireless traffic utilization Within a well planned RF Domain any associated radio should be reachable by at least one other r...

Page 738: ...12 56 WiNG 5 5 Access Point System Reference Guide ...

Page 739: ...eless clients associations adopted AP information rogue APs and WLANs Access point statistics can be exclusively displayed to validate connected access points their VLAN assignments and their current authentication and encryption schemes Wireless client statistics are available for an overview of client health Wireless client statistics includes RF quality traffic utilization and user details Use ...

Page 740: ...entory Adopted Devices Pending Adoptions Offline Devices Device Upgrade Licenses 13 1 1 Health System Statistics The Health screen displays the overall performance of the managed network system This includes device availability overall RF quality resource utilization and network threat perception To display the health of the network 1 Select the Statistics menu from the Web UI 2 Select the System ...

Page 741: ...ffline devices 6 The Traffic Utilization table displays the top 5 RF Domains with the most effective resource utilization Utilization is dependent on the number of devices connected to the RF Domain 7 The Device Types table displays the kinds of devices detected within the system Each device type displays the number currently online and offline Top 5 Displays the top 5 RF Domains in terms of usage...

Page 742: ...tory screen displays information about the physical hardware managed within the system by its members Use this information to assess the overall performance of wireless devices To display the inventory statistics 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select Inventory from the left hand side of the UI Worst 5 Displays five RF Domains w...

Page 743: ...n terms of the number of wireless clients adopted 7 Select Refresh to update the statistics counters to their latest values 13 1 3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the network entire system Use this screen to view a list of devices and their current status Top Radio Displays the radios index of each listed top radio RF Domain Displa...

Page 744: ...splay configuration and network address information in greater detail Model Number Lists the model number of each AP that s been adopted since this screen was last refreshed Config Status Displays the configuration file version in use by each listed adopted device Use this information to determine whether an upgrade would increase the functionality of the adopted device Config Errors Lists any err...

Page 745: ...ing Adoptions screen displays the following MAC Address Displays the MAC address of the device pending adoption Select the MAC address to view device configuration and network address information in greater detail Type Displays the AP type IP Address Displays the current IP Address of the device pending adoption VLAN Displays the VLAN the device pending adoption will use as a virtual interface wit...

Page 746: ...dd to Devices Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP Refresh Click the Refresh button to update the list of pending adoptions Hostname Lists the administrator assigned hostname provided when the device was added to the network MAC Address Displays the factory encoded MAC address of each listed offline device Type Displays the offl...

Page 747: ... Floor Lists the administrator assigned deployment floor where the offline device has been detected Connected To Lists the offline s device s connected controller service platform or peer model access point Last Update Displays the date and time stamp of the last time the device was detected within the network Click the arrow next to the date and time to toggle between standard time and UTC Refres...

Page 748: ...the administrator assigned hostname of the device receiving an update History ID Displays a unique timestamp for the upgrade event Last Update Status Displays the initiation completion or error status of each listed upgrade operation Time Last Upgraded Lists the date and time of each upgrade operation Retries Count Displays the number of retries required in an update operation State Displays the d...

Page 749: ...ntroller or service platform to a cluster member to compensate for an access point s license deficiency Total AP Licenses Displays the total number of access point connection licenses currently available to this device AP License Usage Lists the number of access point connections currently utilized by this device out of the total available under the terms of the current license Remaining AP Licens...

Page 750: ...ice Cluster AP Adoption Licenses Displays the current number of access point adoption licenses utilized by controller or service platform connected access points within a cluster Cluster Total AP Licenses Displays the total number of access point adoption licenses available to controller or service platform connected access point within a cluster Cluster AAP Adoption Licenses Displays the current ...

Page 751: ...emaining number of AP licenses available from the pooled license capabilities of cluster members AAP Licenses Installed Lists the number of Adaptive Access Point connections available under the terms of current licenses Borrowed AAP Licenses Displays the number of Adaptive Access Point licenses temporarily borrowed from a cluster member to compensate for an AAP license deficiency Total AAP License...

Page 752: ...s that determine Access SMART RF and WIPS configuration Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device Health Inventory Devices AP Detection Wireless Clients Device Upgrade Wireless LANs Radios Mesh Mesh Point SMART RF WIPS Captive Portal 13 2 1 Health RF Domain Statistics The Health ...

Page 753: ...chart depicts their status 6 The Radio Quality field displays information on the RF Domain s RF quality The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry and error rate This area also lists the worst 5 performing radios in the RF Domain The RF Quality Index can be interpreted as 0 20 Very poor quality...

Page 754: ... Domain member access points Top 5 Displays the five RF Domain utilized WLANs with the highest average quality indices WLAN Name Displays the WLAN Name for each of the Top 5 WLANs in the access point RF Domain Radio Type Displays the radio type as either 5 GHz or 2 4 GHz Max User Rate Displays the maximum recorded user rate in kbps Top 5 Radios Displays five radios with the best average quality in...

Page 755: ...st Mcast Packets Displays the total number of broadcast multicast packets transmitted and received within the access point RF Domain Management Packets This is the total number of management packets processed within the access point RF Domain Tx Dropped Packets Lists total number of dropped data packets within the access point RF Domain Rx Errors Displays the number of errors encountered during da...

Page 756: ...rts One chart displays for 5 GHz channels and the other for 2 4 GHz channels 7 The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members Total Wireless Clients Displays the total number of clients connected to RF Domain members AP Name Displays the clients connected and reporting access point The name displays as a link that can be selected...

Page 757: ...work IP address To display RF Domain member device statistics 1 Select the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select Devices from the RF Domain menu Figure 13 10 RF Domain Devices screen Device Displays the system assigned name of each device that s a member of the RF Domain The name displays as a link that can ...

Page 758: ...dels can support from 1 3 radios depending on the hardware SKU AP6532 AP6522 AP6562 AP71xx AP8132 and AP8232 models have two radios AP6511 and AP6521 models have one radio An ES6510 is a controller or service platform manageable Ethernet Switch with no embedded device radios IP Address Displays the IP address each listed device is using a network identifier Refresh Select the Refresh button to upd...

Page 759: ...SI Displays the Received Signal Strength Indicator RSSI of the detected access point Use this variable to help determine whether a device connection would improve network coverage or add noise Reported by Displays the MAC address of the RF Domain member reporting the access point Clear All Select Clear All to reset the statistics counters to zero and begin a new data collection Refresh Select the ...

Page 760: ...lient is currently utilizing with its connected access point within the RF Domain AP Hostname Displays the administrator assigned hostname of the access point to which the client is connected Radio MAC Lists the hardware encoded MAC address of the access point radio to which the client is currently connected within the RF Domain WLAN Displays the name of the WLAN the wireless client is currently u...

Page 761: ...g with a history ID appended to it for each upgrade operation Last update Status Displays the last status message from the RF Domain member device performing the upgrade operation Time Last Upgrade Displays a timestamp for the last successful upgrade Retries Count Lists the number of retries needed for each listed RF Domain member update operation State Lists whether the upgrade operation is compl...

Page 762: ... Displays the Service Set ID SSID assigned to the WLAN upon its creation within the network Traffic Index Displays the traffic utilization index of each listed WLAN which measures how efficiently the traffic medium is used It s defined as the percentage of current throughput relative to the maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 modera...

Page 763: ...t Status Figure 13 15 RF Domain Radio Status screen The Radio Status screen displays the following Rx User Data Rate Displays the average data rate per user for packets received on each listed RF Domain member WLAN Disconnect All Clients Select the Disconnect All Clients button to terminate each listed client s WLAN membership from this RF Domain Refresh Select the Refresh button to update the sta...

Page 764: ...asting on Configured Channel Lists each radio s defined operating channel to help assess if the radio is no longer transmitting on its configured channel Neighbor radios are often required to assist non functioning peers in the same coverage area Power Current Config Displays the current power level the radio is using for its transmissions Configured Power Lists each radio s defined transmit power...

Page 765: ...the level of noise in X dbm format reported by each listed RF Domain member access point SNR Displays the signal to noise ratio SNR of each listed RF Domain member radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data receive rate for each RF Domain member radio s physical...

Page 766: ...y radio information in greater detail Tx Bytes Displays the total number of bytes transmitted by each RF Domain member access point radio This includes all user data as well as any management overhead data Rx Bytes Displays the total number of bytes received by each RF Domain member access point radio This includes all user data as well as any management overhead data Tx Packets Displays the total...

Page 767: ...ure 13 18 RF Domain Mesh screen The RF Domain Mesh screen displays the following Tx Dropped Displays the total number of transmitted packets which have been dropped by each RF Domain member access point radio This includes all user data as well as any management overhead packets that were dropped Rx Errors Displays the total number of received packets which contained errors for each RF Domain memb...

Page 768: ...n of each RF Domain member device 4 Use the N W S and E buttons to move the map in the North East West and South directions respectively The slider next to these buttons enables zooming in and out of the view The available fixed zoom levels are World Country State Town Street and House 5 Use the Maximize button to maximize this view to occupy the complete screen Use the Refresh button to update th...

Page 769: ...e root mesh at the centre and the other mesh device arranged around it In the Hierarchical arrangement the root node of the mesh is displayed at the top of the mesh tree and the relationship of the mesh nodes are displayed as such Use the Meshpoint Name drop down to select a mesh point to see the graphical representation of that mesh point The view can further be filtered based on the values Neigh...

Page 770: ...e bottom portion of the screen displays tabs for General Path Root Multicast Path Neighbors Security and Proxy Refer to the following The General tab displays the following Mesh Point Name Displays the name of each configured mesh point in the RF Domain MAC Displays the MAC Address of each configured mesh point in the RF Domain Hostname Displays the administrator assigned hostname for each configu...

Page 771: ...RF Domain Meshpoint Identifier The identifier is used to distinguish between other mesh points both on the same device and on other devices This is used by a user to setup the preferred root configuration Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Next Hop IFID The Interface ID of the mesh point that traffic is being directed to Is Root...

Page 772: ...ric between the neighbor and their root mesh point Interface Bias This field lists any bias applied because of Preferred Root Interface Index Neighbor Bias This field lists any bias applied because of Preferred Root Next Hop Neighbor IFID Root Bias This field lists any bias applied because of Preferred Root MPID Mesh Point Name Displays the name of each configured mesh point in the RF Domain Subsc...

Page 773: ...g the frequency of the radio that is used to communicate with the neighbor Mesh Root Hops The number of devices between the neighbor and its root mesh point If the neighbor is a root mesh point this value will be 0 If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point this value will be 1 Each mesh point between the neighbor and its root mesh point is counted as ...

Page 774: ...his neighbor Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Radio Interface This indicates the interface that is used by the device to communicate with this neighbor The values are 2 4 and 5 0 indicating the frequency of the radio that is used to communicate wi...

Page 775: ... the mesh point Age Displays the age of the proxy connection for each of the mesh points in the RF Domain Proxy Owner The owner s MPID is used to distinguish the neighbor device Persistence Displays the persistence duration of the proxy connection for each of the mesh points in the RF Domain VLAN The VLAN ID used as a virtual interface with this proxy A value of 4095 indicates that there is no VLA...

Page 776: ...igured as Root A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Yes No Is Root A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Yes No Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Interface ID Uniquel...

Page 777: ...ric A measure of the quality of the path A lower value indicates a better path State Indicates whether the path is currently Valid of Invalid Binding Indicates whether the path is bound or unbound Timeout The timeout interval in seconds The interpretation this value will vary depending on the value of state If the state is Init or In Progress the timeout duration has no significance If the state i...

Page 778: ...the amount of time left before the security validity check is initiated If the state is Failed the timeout duration is the amount of time after which the system will retry Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Neighbor MP ID The MAC Address that the de...

Page 779: ...condary next hop to the recommended root to has a good potential route metric 6 A next hop to an alternate root node 5 A downstream node currently hopping through to get to the root 4 A downstream node that could hop through to get to the root but is currently not hopping through any node look at authentication as this might be an issue 3 A downstream node that is currently hopping through a diffe...

Page 780: ... Keep Alive Yes indicates the local MP acts as a supplicant to authenticate the link and not let it expire if possible No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or...

Page 781: ...by mesh points in the RF Domain Data Bytes Bytes Total Bytes Displays the total amount of data in Bytes that has been transmitted and received by mesh points in the RF Domain DataPacketsThroughput Kbps Transmitted Packets Displays the total amount of data in packets transmitted by mesh points in the RF Domain DataPacketsThroughput Kbps Received Packets Displays the total amount of data in packets ...

Page 782: ...ve errors from mesh points in the RF Domain Broadcast Packets Tx Bcast Mcast Pkts Displays the total number of broadcast and multicast packets transmitted from mesh points in the RF Domain Broadcast Packets Rx Bcast Mcast Pkts Displays the total number of broadcast and multicast packets received from mesh points in the RF Domain Broadcast Packets Total Bcast Mcast Pkts Displays the total number of...

Page 783: ... the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu 4 Expand the SMART RF menu and select Summary The summary screen enables administrators to assess the efficiency of RF Domain member device channel distributions sources of interference potentially requiring Smart RF adjustments top performing RF Domain memb...

Page 784: ...art RF initiated power level changes reported for this top performing RF Domain member radio Channel Changes Displays the number of Smart RF initiated channel changes reported for this top performing RF Domain member radio Coverage Changes Displays the number of Smart RF initiated coverage changes reported for this top performing RF Domain member radio Time Period Lists the frequency Smart RF acti...

Page 785: ...dual access point hostnames can selected and the RF Domain member radio can reviewed in greater detail Attenuation is a measure of the reduction of signal strength during transmission Attenuation is the opposite of amplification and is normal when a signal is sent from one point to another If the signal attenuates too much it becomes unintelligible Attenuation is measured in decibels The radio s c...

Page 786: ...he descriptions and types of Smart RF events impacting RF Domain member devices Figure 13 27 RF Domain Smart RF History screen The SMART RF History screen displays the following RF Domain member historical data Time Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain ...

Page 787: ...in member device Description Provides a more detailed description of the Smart RF event in respect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference Refresh Select the Refresh button to update the statistics counters to their latest values ...

Page 788: ...enu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Expand the WIPS menu item and select Client Blacklist Figure 13 28 RF Domain WIPS Client Blacklist screen The WIPS Client Blacklist screen displays the following Event Name Displays the name of the blacklisting wireless intrusion event detected by a RF Domain member access point Blackliste...

Page 789: ...cted by a RF Domain member access point Reporting AP Displays the MAC address of the RF Domain member access point reporting the event Originating Device Displays the MAC address of the device generating the event Detector Radio Displays Access Point radio number detecting the event AP7131N models can have from 1 3 radios depending on the SKU AP6532 AP6522 AP6562 AP71xx AP8132 and AP8232 models ha...

Page 790: ...elect Captive Portal from the RF Domain menu Figure 13 30 RF Domain Captive Portal The screen displays the following Captive Portal data for requesting clients Client MAC Displays the MAC address of each listed client requesting captive portal access to the controller or service platform managed network This address can be selected to display client information in greater detail Hostname Lists the...

Page 791: ...se as a virtual interface for captive portal operation with the access point Remaining Time Displays the time after which a connected client is disconnected from the captive portal Refresh Select the Refresh button to update the statistics counters to their latest values ...

Page 792: ...WIPS sensor captive portal NTP and load information Access point statistics consists of the following Health Device Device Upgrade Adoption AP Detection Wireless Clients Wireless LANs Policy Based Routing Radios Mesh Interfaces RTLS PPPoE OSPF L2TPv3 Tunnels VRRP Critical Resources LDAP Agent Status GRE Tunnels Dot1x Network DHCP Server Firewall VPN Certificates WIPS Sensor Servers Captive Portal ...

Page 793: ...n Expand a RF Domain and select one of its connected access points 3 Select Health Figure 13 31 Access Point Health screen The Device Details field displays the following information Hostname Displays the AP s unique name as assigned within the network A hostname is assigned to a device connected to a computer network Device MAC Displays the MAC address of the AP This is factory assigned and canno...

Page 794: ...th the RAM System Clock Displays the system clock information RF Quality Index Displays access point radios having very low quality indices RF quality index indicates the overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Radio Id Displays a radio s hardware encoded MAC address The ID appears as a link that can be selected to show radio utilization in greater deta...

Page 795: ...o help distinguish its exact SKU and country of operation Serial Number Displays the numeric serial number set for the access point Version Displays the software firmware version on the access point Boot Partition Displays the boot partition type Fallback Enabled Displays whether this option is enabled This method enables a user to store a known legacy version and a new version in device memory Th...

Page 796: ...access point s current file description Maximum File Description Displays the access point s maximum file description CPU Load 1 Minute Lists this access point s CPU utilization over a 1 minute span CPU Load 5 Minutes Lists this access point s CPU utilization over a 5 minute span CPU Load 15 Minutes Lists this access point s CPU utilization over a 15 minute span Number Displays the number of fans ...

Page 797: ...ion string Secondary Build Date Displays the build date when this version was created Secondary Install Date Displays the date this secondary version was installed Secondary Version Displays the secondary version string FPGA Version Displays whether a FPGA supported firmware load is being utilized PoE Firmware Version Displays whether a PoE supported firmware load is being utilized Upgrade Status ...

Page 798: ...g Refresh Select Refresh to update the statistics counters to their latest values Upgraded By Device Displays the device that performed the upgrade Type Displays the model of the access point The updating access point must be of the same model as the access point receiving the update Device Hostname Displays the administrator assigned hostname of the device receiving the update History ID Displays...

Page 799: ...cess point their RF Domain memberships and network service information To view adopted access point statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select Adopted APs Figure 13 34 Access Point Adopted APs screen The ...

Page 800: ...isted access point type adopted by this access point RF Domain Name Displays each access point s RF Domain membership An access point can only share RF Domain membership with other access points of the same model Model Number Displays each listed access point s numeric model AP6532 AP6511 etc Status Displays each listed access point s configuration status to help determine its service role Errors ...

Page 801: ...access points AP MAC Address Displays the MAC address of each access point this access point has attempted to adopt Reason Displays the reason code for each event listed Event Time Displays day date and time for each access point adoption attempt Refresh Select the Refresh button to update the screen s statistics counters to their latest values Event History Displays the self adoption status of ea...

Page 802: ...en provides the following MAC Address Displays the MAC address of the device pending adoption Type Displays the access point s model type IP Address Displays the current network IP Address of the device pending adoption VLAN Displays the current VLAN used as a virtual interface by device pending adoption Reason Displays the status as to why the device is still pending adoption and has not yet succ...

Page 803: ...n The AP Detection screen displays the following Unsanctioned AP Displays the MAC address of a detected access point that is yet to be authorized for interoperability within the access point managed network Reporting AP Displays the hardware encoded MAC address of the radio used by the detecting access point Select an access point to display configuration and network address information in greater...

Page 804: ... and perhaps unsanctioned access point Last Seen Displays the time in seconds the unsanctioned access point was last seen on the network Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection Refresh Select the Refresh button to update the screen s statistics counters to their latest values Client MAC Displays the hardcoded MAC address assig...

Page 805: ...er Band Displays the 802 11 radio band on which the listed wireless client operates AP Hostname Displays the administrator assigned hostname of the access point to which this access point is adopted Radio MAC Displays the MAC address of the radio which the wireless client is using WLAN Displays the name of the WLAN the access point s using with each listed client Use this information to determine ...

Page 806: ...are 0 20 very low utilization 20 40 low utilization 40 60 moderate utilization 60 and above high utilization Radio Count Displays the cumulative number of peer access point radios deployed within each listed WLAN Tx Bytes Displays the average number of transmitted bytes sent on each listed WLAN Tx User Data Rate Displays the transmitted user data rate in kbps for each listed WLAN Rx Bytes Displays...

Page 807: ... side of the screen Expand a RF Domain and select one of its connected access points 3 Select Policy Based Routing Figure 13 41 Access Point Policy Based Routing screen The Policy Based Routing screen displays the following Precedence Lists the numeric precedence priority assigned to each listed PBR configuration A route map consists of multiple entries each carrying a precedence value An incoming...

Page 808: ...os display as selectable links within each of the three access point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Additionally navigate the Traffic WMM TSPEC Wireless LANs and Graph options available on the upper left hand side of the screen to review radio traffic utilizat...

Page 809: ...ation Radio Displays the name assigned to the radio as its unique identifier The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Radio MAC Displays the factory encoded hardware MAC address assigned to the radio Radio Type Displays the radio as either supporting the 2 4 or 5 GHZ radio band State Lists a radio s On Off operational...

Page 810: ...displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Signal Displays the radio s current power level in dBm SNR Displays the signal to noise ratio of the radio s associated wireless clients Tx Physical Layer Rate Displays the data transmit rate for the radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays th...

Page 811: ...tion index of the radio This is expressed as an integer value 0 20 indicates very low utilization and 60 and above indicate high utilization Quality Index Displays an integer that indicates overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Refresh Select the Refresh button to update the screen s statistics counters to their latest values Radio Displays the name a...

Page 812: ...Rx Packets Displays the total number of packets received by each listed radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps user data is transmitted by each listed radio This rate only applies to user data and does not include management overhead Rx User Data Rate Displays the rate in kbps user data is received by the radio This ...

Page 813: ...eneral tab displays by default Figure 13 46 Access Point General Interface screen Interface Statistics support the following Client Displays the system assigned name of each member of the mesh network Client Radio MAC Displays the MAC address of each client radio in the mesh network Portal Mesh points connected to an external network and forward traffic in and out are mesh portals Mesh points must...

Page 814: ...ce is currently UP or DOWN Media Type Displays the physical connection type of the interface Medium types include Copper Used on RJ 45 Ethernet ports Optical Used on fibre optic gigabit Ethernet ports Protocol Displays the routing protocol used by the interface MTU Displays the maximum transmission unit MTU setting configured on the interface The MTU value represents the largest packet size that c...

Page 815: ...he interface Collisions Displays the number of collisions over the selected interface Late Collisions A late collision is any collision that occurs after the first 64 octets of data have been sent Late collisions are not normal and usually the result of out of specification cabling or a malfunctioning device Excessive Collisions Displays the number of excessive collisions Excessive collisions occu...

Page 816: ...g packet Rx Over Errors Displays the number of overflow errors received Overflows occur when a packet size exceeds the allocated buffer size Tx Errors Displays the number of packets with errors transmitted on the interface Tx Dropped Displays the number of transmitted packets dropped from the interface Tx Aborted Errors Displays the number of packets aborted on the interface because a clear to sen...

Page 817: ...3 Select Interfaces 4 Select Network Graph Figure 13 47 Access Point Interface Network Graph screen 13 3 12 RTLS Access Point Statistics The real time locationing system RTLS enables accurate location determination and presence detection capabilities for Wi Fi based devices Wi Fi based active RFID tags and passive RFID tags While the operating system does not support locationing locally it does re...

Page 818: ...the number of Nack no acknowledgement frames received from RTLS supported radio devices providing locationing services Acks Displays the number of Ack acknowledgment frames received from RTLS supported radio devices providing locationing services Lbs Displays the number of location based service LBS frames received from RTLS supported radio devices providing locationing services AP Status Provides...

Page 819: ... on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select PPPoE Figure 13 49 Access Point PPPoE screen The Configuration Information field screen displays the following Tag Reports Displays the number of tag reports received from locationing equipped radio devices supporting RTLS Refresh Select the Refresh button to update the screen s statistic...

Page 820: ...ly on the destination IP address found in IP packets Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen OSPF Summary OSPF Neighbors OSPF Area Details OSPF Route Statistics OSPF Route Statistics OSPF State Authentication Type Lists authentication type used by the PPPoE client whose credentials must be shared by its peer access point Supported au...

Page 821: ...mpliance information and LSA data OSPF version 2 was originally defined within RFC versions 1583 and 2328 The general field displays whether compliance to these RFCs have been satisfied The OSPF Link State Advertisement LSA Throttling feature provides a dynamic mechanism to slow down link state advertisement updates in OSPF during times of network instability It also allows faster OSPF convergence...

Page 822: ...bute routes received from other external ASs throughout its own autonomous system Routers in other areas use ABR as next hop to access external addresses Then the ABR forwards packets to the ASBR announcing the external addresses SPF Refer to the SPF field to assess the status of the shortest path forwarding SPF execution last SPF execution SPF delay SPF due in SPF hold multiplier SPF hold time SP...

Page 823: ...ighbor Info tab Figure 13 51 Access Point OSPF Neighbor Info tab The Neighbor Info tab describes the following Router ID Displays the router ID assigned for this OSPF connection The router is a level three Internet Protocol packet switch This ID must be established in every OSPF instance If not explicitly configured the highest logical IP address is duplicated as the router identifier However sinc...

Page 824: ... the default node and select an access point for statistical observation 3 Select OSPF 4 Select the Area Details tab Request Count Lists the connection request count hello packets to connect to the router interface discover neighbors and elect a designated router Retransmit Count Lists the connection retransmission count attempted in order to connect to the router interface discover neighbors and ...

Page 825: ...outer LSA Lists the Link State Advertisements of the router supporting each listed area ID The router LSA reports active router interfaces IP addresses and neighbors Network LSA Displays which routers are joined together by the designated router on a broadcast segment e g Ethernet Type 2 LSAs are flooded across their own area only The link state ID of the type 2 LSA is the IP interface address of ...

Page 826: ...outing table entries to an ABR or Autonomous System Boundary Router ASBR Border routers maintain an LSDB for each area supported They also participate in the backbone 5 Refer to External Routes tab NSSA LSA Routers in a Not so stubby area NSSA do not receive external LSAs from Area Border Routers but are allowed to send external routing information for redistribution They use type 7 LSAs to tell t...

Page 827: ... between routers Each external route can also be tagged by the advertising router enabling the passing of additional information between routers on the boundary of the autonomous system The External Routes tab displays a list of external routes the area impacted cost path type tag and type 2 cost Cost factors may be the distance of a router round trip time network throughput of a link or link avai...

Page 828: ...tocol takes advantage of broadcast capability An OSPF network route makes further use of multicast capabilities if they exist Each pair of routers on the network is assumed to communicate directly The Network Routes tab displays the network name impacted OSPF area cost destination and path type 7 Select the Router Routes tab Figure 13 55 Access Point OSPF Router Routes tab An internal or router ro...

Page 829: ... node and select an access point for statistical observation 3 Select OSPF 4 Select the OSPF Interface tab Figure 13 56 Access Point OSPF Interface tab The OSPF Interface tab describes the following Interface Name Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes Zero config and DHCP can be used to generate route addresses or a primary and secondary addres...

Page 830: ...b Figure 13 57 Access Point OSPF State tab The OSPF State tab describes the following OSPF Enabled Lists whether OSPF has been enabled for each listed interface OSPF is disabled by default UP DOWN Displays whether the OSPF interface the dynamic route is currently up or down for each listed interface An OSPF interface is the connection between a router and one of its attached networks OSPF state Di...

Page 831: ...b UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select L2TPv3 Figure 13 58 Access Point L2TPv3 screen OSPF ignore state monitor timeout Displays the timeout that when exceeded prohibits the access point from detecting changes to the OSPF link state OSPF max ignore state count Displays whether an OS...

Page 832: ...ession This is the peer pseudowire ID for the session This source and destination IDs are exchanged in session establishment messages with the L2TP peer CTRL Connection ID Displays the router ID s sent in tunnel establishment messages with a potential peer device Up Time Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection Up Time...

Page 833: ... invalid packet checksums invalid packet types invalid virtual route IDs TTL errors packet length errors and invalid non matching VRRP versions 5 Refer to the Router Operations Summary for the following status VRID Lists a numerical index 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a pack...

Page 834: ...Expand a RF Domain and select one of its connected access points 3 Select Critical Resources Figure 13 60 Access Point Critical Resources screen Interface Name Displays the interfaces selected on the access point to supply VRRP redundancy failover support Version Display VRRP version 3 RFC 5798 or 2 RFC 3768 as selected to set the router redundancy Version 3 supports sub second centisecond VRRP fa...

Page 835: ... Server on page 9 35 To view access point LDAP agent statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select LDAP Agent Status Critical Resource Name Lists the name of the critical resource monitored by the access point Critical resources are device...

Page 836: ...mary Lists the primary IP address of a remote LDAP server resource used by the access point to validate PEAP MS CHAP v2 authentication requests When a RADIUS server policy s data source is set to LDAP this is the first resource for authentication requests LDAP Agent Secondary Lists the secondary IP address of a remote LDAP server resource used by the access point to validate PEAP MS CHAP v2 authen...

Page 837: ...plays the current operational state of the GRE tunnel Peer IP Address Displays the IP address of the peer device on the remote end of the GRE tunnel Tunnel Id Displays the session ID of an established GRE tunnel This ID is only viable while the tunnel is operational Total Packets Received Displays the total number of packets received from a peer at the remote end of the GRE tunnel Total Packets Se...

Page 838: ...Lists whether guest VLAN control has been allowed or enabled This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled A green checkmark designates guest VLAN control as enabled A red X defines guest VLAN control as disabled System Auth Control Lists whether Dot1x authorization is globally enabled for the access point A green checkmark designates Dot1x auth...

Page 839: ...ed to maintain a BESM Lists whether an authentication request is pending on the listed port Client MAC Lists the MAC address of requesting clients seeking authentication over the listed port Guest VLAN Lists the guest VLAN utilized for the listed port This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled Host Lists whether the host is a single entity or...

Page 840: ...Entries Network The Route Entries screen displays the destination subnet gateway and interface for routing packets to a defined destination When an existing destination subnet does not meet the needs of the network add a new destination subnet subnet mask and gateway To view route entries 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of...

Page 841: ...ides details about the Integrate Gateway Server IGS which is a router connected to an access point The IGS performs the following Issues IP addresses Throttles bandwidth Destination Displays the IP address of the destination route address FLAGS The flag signifies the condition of the direct or indirect route A direct route is where the destination is directly connected to the forwarding host With ...

Page 842: ...d expand the menu to reveal its sub menu items 4 Select Bridge Figure 13 66 Access Point Network Bridge screen 5 Review the following bridge configuration attributes 6 Select Refresh to update the counters to their latest values 13 3 21 4 IGMP Network Internet Group Management Protocol IGMP is a protocol used for managing members of IP multicast groups The access point listens to IGMP network traf...

Page 843: ...ast Router MRouter field displays the following VLAN Displays the group VLAN where the multicast transmission is conducted Group Address Displays the Multicast Group ID supporting the statistics displayed This group ID is the multicast address that hosts are listening to Port Members Displays the ports on which multicast clients have been discovered by the access point For example ge1 radio1 etc V...

Page 844: ...hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select DHCP Options Figure 13 68 Access Point Network DHCP Options screen MiNT IDs Lists MiNT IDs for each listed VLAN MiNT provides the means to secure access point profile communications at the transport layer Using MiNT an access point can ...

Page 845: ...from the boot server The image file contains the image of the operating system the client will run DHCP servers can be configured to support BOOTP Configuration Displays the name of the configuration file on the DHCP server Legacy Adoption Displays historical device adoption information on behalf of the access point Adoption Displays adoption information on behalf of the access point Refresh Selec...

Page 846: ...en The Cisco Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each listed device Local Port Displays the local port name access point physical port for each CDP capable device Supported access point models have un...

Page 847: ...covery Figure 13 70 Access Point Network LLDP screen The Link Layer Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each device in the table Enabled Capabilities Displays which device capabilities are currently e...

Page 848: ... allocation and delivery of host specific configuration parameters IP address network mask gateway etc from a DHCP server to a host To view DHCP server statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select DHCP and expand the menu to reveal its su...

Page 849: ...onal state of the DHCP server to assess its availability as a viable IP provisioning resource IP Address Displays the IP address assigned to the requesting client Name Displays the domain name mapping corresponding to the listed IP address IP Address Displays the IP address for clients requesting DHCP provisioning resources Client Id Displays the client s ID used to differentiate requesting client...

Page 850: ...ngs Figure 13 72 Access Point DHCP Server Bindings screen The DHCP Bindings screen displays the following Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources IP Address Displays the IP address for each DHCP resource requesting client DHCP MAC Address Displays the hardware encoded MAC address client Id of each DHCP resource requesting client Clear Select ...

Page 851: ...ork s DHCP Networks 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand the a RF Domain and select one of its connected access points 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select Networks The DHCP Networks screen displays the following Figure 13 73 Access Point DHCP Network screen Name Displays ...

Page 852: ...k unauthorized access while permitting authorized communications It s a device or set of devices configured to permit or deny access to the controller or service platform managed network based on a defined set of rules This screen is partitioned into the following Packet Flows Denial of Service IP Firewall Rules MAC Firewall Rules NAT Translations DHCP Snooping ...

Page 853: ...play for each individual packet type To view access point packet flows statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Packet Flows 5 Periodically select Refresh to update th...

Page 854: ...he types of attack number of times it occurred and the time of last occurrence To view access point DoS attack information 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Denial of Serv...

Page 855: ...ide of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select IP Firewall Rules Figure 13 76 Access Point Firewall IP Firewall Rules screen The IP Firewall Rules screen displays the following Precedence Displays the precedence value applied to packets The rules within an Access Control Entries ACL list...

Page 856: ...t System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select MAC Firewall Rules Figure 13 77 Access Point Firewall MAC Firewall Rules screen The MAC Firewall Rules screen displays the following information Precedence Displays a precedence value which...

Page 857: ...acing IP address assigned to a 10 100 1000 Ethernet port or 3G card To view the Firewall s NAT translations 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select NAT Translations Figure 13 78...

Page 858: ...ation port for the forward NAT flow contains ICMP ID if it is an ICMP flow Reverse Source IP Displays the source IP address for the reverse NAT flow Reverse Source Port Displays the source port for the reverse NAT flow contains ICMP ID if it is an ICMP flow Reverse Dest IP Displays the destination IP address for the reverse NAT flow Reverse Dest Port Displays the destination port for the reverse N...

Page 859: ...dress is reserved for re connection after its last use Using very short leases DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses This is useful for example in education and customer environments where client users change frequently Use longer leases if there are fewer users Time Elapsed Since Last Updated Displays the time the server ...

Page 860: ...transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic One crypto map is utilized for each IPsec peer however for remote VPN deployments one crypto map is used for all the remote IPsec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional...

Page 861: ...packet it creates a secure tunnel and sends the packet through the tunnel to its destination Version Displays each peer s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms State Lists the state of each listed peer s security association whether established or not Lifetime Displays the lifetime for the duration of each listed pee...

Page 862: ...addresses for peers sharing security associations SAs for tunnel interoperability When a peer sees a sensitive packet it creates a secure tunnel and sends the packet through the tunnel to its destination Local IP Address Displays each listed peer s local tunnel end point IP address This address represents an alternative to an interface IP address Protocol Lists the security protocol used with the ...

Page 863: ...y Used Displays the name of the key pair generated separately or automatically when selecting a certificate IS CA Indicates whether this certificate is an authority certificate Yes No Is Self Signed Displays whether the certificate is self signed Yes No Server Certificate Present Displays whether a server certification is present or not Yes No CRL Present Displays whether a Certificate Revocation ...

Page 864: ... in the selected access point RSA Keys are generally used for establishing a SSH session and are a part of the certificate set used by RADIUS VPN and HTTPS To view the RSA Key details 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Certificates and exp...

Page 865: ...name of the blacklisted client the time when the client was blacklisted the total time the client remained in the network etc The screen also provides WIPS event details For more information see WIPS Client Blacklist WIPS Events 13 3 26 1 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted clients detected by this access point using WIPS Blacklisted clients are not allowed to ass...

Page 866: ...listed Displays the time when the client was blacklisted by this access point Total Time Displays the time the unauthorized now blacklisted device remained in this access point s WLAN Time Left Displays the time the blacklisted client remains on the list Refresh Select the Refresh button to update the statistics counters to their latest values Event Name Displays the name of the detected wireless ...

Page 867: ... select one of its connected access points 3 Select Sensor Servers Figure 13 86 Access Point Sensor Servers screen The Sensor Servers screen displays the following Refresh Select the Refresh button to update the screen s statistics counters to their latest values IP Address Hostname Displays a list of sensor server IP addresses or administrator assigned hostnames These are the server resources ava...

Page 868: ...nt Captive Portal screen The Captive Portal screen displays the following Client MAC Displays the MAC address of requesting wireless clients The client address displays as a link that can be selected to display configuration and network address information in greater detail Client IP Displays the IP addresses of captive portal resource requesting wireless clients Captive Portal Displays the IP add...

Page 869: ...ed statistics of an associated NTP Server of an access point Use this screen to review the statistics for each access point The Network Time statistics screen consists of two tabs NTP Status NTP Association 13 3 29 1 NTP Status Network Time To view the Network Time statistics of an access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand s...

Page 870: ...een Precision Displays the precision of the time clock in Hz The values that normally appear in this field range from 6 for mains frequency clocks to 20 for microsecond clocks Reference Time Displays the time stamp the access point s clock was last synchronized or corrected Reference Displays the address of the time source the access point is synchronized to Root Delay The total round trip delay i...

Page 871: ...ly reduces its offset to zero Poll Displays the maximum interval between successive messages in seconds to the nearest power of two Reach Displays the status of the last eight SNTP messages If an SNTP packet is lost the lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server IP Address Displays...

Page 872: ... Channel The graph section displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Request Events displays the Time Client Capability State WLAN and Requested Channels for all client request events on the access point Remember AP6532 and AP71xx models can support up to 256 c...

Page 873: ...reen Expand a RF Domain and select one of its connected AP8132 access points 3 Select Environment Figure 13 91 Access Point Environmental Sensor screen Light tab The Light tab displays by default with additional Temperature Motion and Humidity tabs available for unique sensor reporting Each of these sensor measurements helps the administrator determine whether the immediate deployment area is occu...

Page 874: ...lp determine whether the AP8132 can be upgraded or powered off during specific hours of the day 7 Select the Temperature tab Figure 13 92 Access Point Environmental Sensor screen Temperature tab 8 Refer to the Temperature table to assess the sensor s detected temperature within the AP8132 s immediate deployment area Temperature is measured in centigrade The table displays the Current Temperature c...

Page 875: ...inute Average Motion count per interval Compare these two items to determine whether the AP8132 s deployment location remains consistently occupied by client users For more information on enabling the sensor see Environmental Sensor Configuration on page 5 171 13 Refer to the Motion Trend Over Last Hour graph to assess the fluctuation in user movement over the last hour Use this graph in combinati...

Page 876: ...ins consistently humid often a by product of temperature For more information on enabling the sensor see Environmental Sensor Configuration on page 5 171 17 Refer to the Humidity Trend Over Last Hour graph to assess the fluctuation in humidity over the last hour Use this graph in combination with the Temperature and Motions graphs in particular to assess the deployment area s activity levels 18 Re...

Page 877: ...improve client performance Wireless clients statistics can be assessed using the following criteria Health Details Traffic WMM TSPEC Association History Graph 13 4 1 Health Wireless Client Statistics The Health screen displays information on the overall performance of a selected wireless client To view the health of a wireless client 1 Select the Statistics menu from the Web UI 2 Select System fro...

Page 878: ...g associated or blacklisted IP Address Displays the IP address the selected wireless client is currently utilizing as a network identifier WLAN Displays the client s connected access point WLAN membership This is the WLAN whose QoS settings should account for the clients s radio traffic objective Radio MAC Displays the access point radio MAC address the wireless client is connected to on the netwo...

Page 879: ...ity index can be interpreted as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems SNR Displays the signal to noise SNR ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbing i...

Page 880: ...etails Total Bytes Displays the total bytes processed by the access point s connected wireless client Total Packets Displays the total number of packets processed by the wireless client User Data Rate Displays the average user data rate in both directions Physical Layer Rate Displays the average packet rate at the physical layer in both directions Tx Dropped Packets Displays the number of packets ...

Page 881: ... via its connected access point controller or service platform The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail OS Lists the client s operating system Android etc Browser Displays the browser type used by the client to facilitate its wireless connection Type Lists the client manufacturer or vendor Role Lists the client...

Page 882: ...by the wireless client without it being dis associated from the access point SM Power Save Mode Displays whether this feature is enabled on the wireless client The spatial multiplexing SM power save mode allows an 802 11n client to power down all but one of its radios This power save mode has two sub modes of operation static operation and dynamic operation Power Save Mode Displays whether this fe...

Page 883: ...ion request to an access point This association request is sent as a frame This frame carries information about the client and the SSID of the network it wishes to associate After receiving the request the access point considers associating with the client and reserves memory space for establishing an AID for the client Max AMSDU Size Displays the maximum size of AMSDU AMSDU is a set of Ethernet f...

Page 884: ...easures how efficiently the traffic medium is used It s defined as the percentage of current throughput relative to the maximum possible throughput This screen also provides the following Total Bytes Displays the total bytes processed in both directions by the access point s connected client Total Packets Displays the total number of data packets processed in both directions by the access point s ...

Page 885: ...t holds any network packet to be sent to this radio RF Quality Index Displays information on the RF quality of the selected wireless client The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry rate and the error rate The RF quality index value can be interpreted as 0 20 Very low utilization 20 40 Low uti...

Page 886: ...reless Client WMM TPSEC screen The top portion of the screen displays the TSPEC stream type and whether the client has roamed The Ports Stats field displays the following R Value R value is a number or score used to quantitatively express the quality of speech in communications systems This is used in digital networks that carry Voice over IP VoIP traffic The R value can range from 1 worst to 100 ...

Page 887: ...e screen Expand a RF Domain an access point then a connected client 3 Select Association History Figure 13 99 Wireless Client Association History screen Refer to the following to discern this client s access point association history Direction Type Displays whether the WMM TPSEC data stream is in the uplink or downlink direction Request Time Lists each sequence number s request time for WMM TPSEC ...

Page 888: ...ected client 3 Select Graph 4 Use the Parameters drop down menu to define from 1 3 variables assessing client signal noise transmit or receive values 5 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 minutes 20 minutes or 1 hour 30 seconds is the default value Figure 13 100 Wireless Client Graph Select an available point in ...

Page 889: ...mber If you have a problem with your equipment contact support for your region Support and issue resolution is provided for products under warranty or that are covered by an services agreement Contact information and Web self service is available by visiting http supportcentral motorolasolutions com support Customer Support Web Site The Support Central Web site located at http supportcentral motor...

Page 890: ...A 2 WiNG 5 5 Access Point System Reference Guide ...

Page 891: ...egarding licenses acknowledgments and required copyright notices for open source packages used in these Motorola Solutions products Access Points AP8232 AP8132 AP7181 AP7161 AP7131 AP6562 AP6532 AP6522 AP6521 AP6511 AP5181 AP5131 AP650 AP622 AP621 Wireless Switches NX9510 NX9500 NX9000 NX6524 NX6500 ...

Page 892: ...se of open source B 2 Open Source Software Used Motorola s Support Central Web site located at http supportcentral motorolasolutions com provides information and online assistance including developer tools software downloads product manuals support contact information and online repair requests Name Version URL License Apache Web Server 1 3 41 http www apache org Apache License Version 2 0 Asteris...

Page 893: ...re dhcp ISC License diffutils 2 8 1 http www gnu org software diffutils GNU General Public License version 2 dmalloc 5 5 2 http dmalloc com None dmidecode 2 11 http savannah nongnu org projects dmidecod e GNU General Public License version 2 dnsmasq 2 47 http www thekelleys org uk dnsmasq doc htm l GNU General Public License version 2 dosfstools 2 11 http www daniel baumann ch software dosfst ools...

Page 894: ... Public License version 2 hotplug 1 3 http sourceforge net projects linux hotplug GNU General Public License version 2 hotplug2 0 9 http isteve bofh cz isteve hotplug2 GNU General Public License version 2 i2ctools 3 0 3 http www lm sensors org wiki I2CTools GNU General Public License version 2 ipaddr 2 1 0 http code google com p ipaddr py Apache License Version 2 0 ipkg utils 1 7 http www handheld...

Page 895: ...pg error 1 6 ftp ftp gnupg org GnuPG libgpg error GNU Lesser General Public License 2 1 libharu 2 1 0 http libharu org MIT License libhttp parser None None MIT License libiconv 1 14 http savannah gnu org projects libiconv GNU General Public License 2 0 libjson 0 10 http sourceforge net projects libjson The BSD License libkerberos 0 1 http web mit edu kerberos dist The BSD License libncurses 5 4 ht...

Page 896: ...p 20060717 http ltp sourceforge net GNU General Public License version 2 lxml 2 3beta1 http lxml de The BSD License lzma 4 32 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzma 4 57 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzo 2 03 http www oberhumer com opensource lzo GNU General Public License version 2 M2Crypto 0 21 1 http chandlerpro...

Page 897: ...se Open Scales 2 2 http openscales org GNU Lesser General Public License version 3 0 OpenStreetMap http www openstreetmap org Creative Commons Attribution ShareAlike License version 3 0 openldap 2 4 25 http www openldap org foundation The Open LDAP Public License openllpd 0 0 3alpha http openlldp sourceforge net GNU General Public License version 2 openssh 5 4p1 http www openssh com The BSD Licens...

Page 898: ... projects psmisc GNU General Public License version 2 pure ftpd 1 0 22 http www pureftpd org project pure ftpd The BSD License pychecker 0 8 18 http pychecker sourceforge net The BSD License pyparsing 1 5 1 http sourceforge net projects pyparsing The BSD License pyxapi 0 1 http www pps jussieu fr 7Eylg PyXAPI GNU General Public License version 2 qdbm 1 8 77 http qdbm sourceforge net GNU General Pu...

Page 899: ...e strongswan 4 4 0 http www strongswan org GNU General Public License version 2 stunnel 4 31 http www stunnel org GNU General Public License version 2 sysstat 9 0 5 http sebastien godard pagesperso orange fr GNU General Public License version 2 tar 1 17 http www gnu org software tar GNU General Public License version 2 tcpdump 4 0 0 http www tcpdump org The BSD License u boot trunk 2010 03 3 0 htt...

Page 900: ...om personal Jean_Tourrilh es Linux Tools html GNU General Public License version 2 wpa_supplicant 2 0 http hostap epitest fi wpa_supplicant The BSD License wuftpd 1 0 21 http wu ftpd therockgarden ca WU FTPD Software License XenAPI None http docs vmd citrix com XenServer 4 0 1 api client examples python index html GNU General Public License version 2 xen 4 1 2 http www xen org GNU General Public L...

Page 901: ...purposes of this License Derivative Works shall not include works that remain separable from or merely link or bind by name to the interfaces of the Work and Derivative Works thereof Contribution shall mean any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inc...

Page 902: ...ur use reproduction and distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License without any additional terms or conditions Notwithstanding the above nothin...

Page 903: ... IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE U...

Page 904: ... Attribution ShareAlike 6 Licensor means the individual individuals entity or entities that offer s the Work under the terms of this License 7 Original Author means in the case of a literary or artistic work the individual individuals entity or entities who created the Work or if no individual or entity can be identified the publisher and in addition i in the case of a performance the actors singe...

Page 905: ...to collect royalties through any statutory or compulsory licensing scheme can be waived the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License and 3 Voluntary License Schemes The Licensor waives the right to collect royalties whether individually or in the event that the Licensor is a member of a collecting society that ad...

Page 906: ...itute publishing entity journal for attribution Attribution Parties in Licensor s copyright notice terms of service or by other reasonable means the name of such party or parties ii the title of the Work if supplied iii to the extent reasonably practicable the URI if any that Licensor specifies to be associated with the Work unless such URI does not refer to the copyright notice or licensing infor...

Page 907: ...icense 2 Each time You Distribute or Publicly Perform an Adaptation Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License 3 If any provision of this License is invalid or unenforceable under applicable law it shall not affect the validity or enforceability of the emainder of the terms of this License and wi...

Page 908: ...mission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following...

Page 909: ...01 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This Ge...

Page 910: ...ence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee You may modify your copy or copies of the Library or any portion of it thus forming a work based on the Library and copy and distribute such modific...

Page 911: ...file that is part of the Library the object code for the work may be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure ...

Page 912: ... modify sublicense link with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance You are not required to accept this License since you have not signed it However nothing else grants you...

Page 913: ...ving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF ANY KIND EI...

Page 914: ... restrict the users of a free program by obtaining a restrictive license from a patent holder Therefore we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the GNU Lesser General Public License ap...

Page 915: ...rary does and what the program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and di...

Page 916: ...ith the object code 5 A program that contains no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a derivative work of the Library and therefore falls outside the scope of this License However linking a work that uses the Library with the Library creates an ex...

Page 917: ...e library facilities that are a work based on the Library side by side in a single library together with other library facilities not covered by this License and distribute such a combined library provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted and provided that you do these two things a Accompany the combined libr...

Page 918: ...erns Each version is given a distinguishing version number If the Library specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Library does not specify a license version number you may choose any version ever publi...

Page 919: ...same freedoms that you received You must make sure that they too receive or can get the source code And you must show them these terms so they know their rights Developers that use the GNU GPL protect your rights with two steps 1 assert copyright on the software and 2 offer you this License giving you legal permission to copy distribute and or modify it For the developers and authors protection th...

Page 920: ...erion 1 Source Code The source code for a work means the preferred form of the work for making modifications to it Object code means any non source form of a work A Standard Interface means an interface that either is an official standard defined by a recognized standards body or in the case o interfaces specified for a particular programming language one that is widely used among developers worki...

Page 921: ...r this License with respect to the covered work and you disclaim any intention to limit operation or modification of the work as a means of enforcing against the work s users your or third parties legal rights to forbid circumvention of echnological measures 4 Conveying Verbatim Copies You may convey verbatim copies of the Program s source code as you receive it in any medium provided that you con...

Page 922: ...onding Source may be on a different server operated by you or a third party that supports equivalent copying facilities provided you maintain clear directions next to the object code saying where to find the Corresponding Source Regardless of what server hosts the Corresponding Source you remain obligated to ensure that it is available for as long as needed to satisfy these requirements e Convey t...

Page 923: ...ing warranty or limiting liability differently from the terms of sections 15 and 16 of this License or b Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it or c Prohibiting misrepresentation of the origin of that material or requiring that modified versions of such material be mar...

Page 924: ...r in interest had or could give under the previous paragraph plus a right to possession of the Corresponding Source of the work from the predecessor in interest if the predecessor has it or can get it with reasonable efforts You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License For example you may not impose a license fee royalty or other ...

Page 925: ...ey do not excuse you from the conditions of this License If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not convey it at all For example if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program the only way yo...

Page 926: ... copy modify and or distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY S...

Page 927: ...ch copy of the object code that the Library is used in it and that the Library and its use are covered by this License b Accompany the object code with a copy of the GNU GPL and this license document 4 Combined Works You may convey a Combined Work under terms of your choice that taken together effectively do not restrict modification of the portions of the Library contained in the Combined Work an...

Page 928: ...t specify a version number of the GNU Lesser General Public License you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply that proxy s public statement of acceptance of any version is permanent ...

Page 929: ...aring because most developers did not use the libraries We concluded that weaker conditions might promote sharing better However unrestricted linking of non free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves This Library General Public License is intended to permit developers of non free programs to use free libraries while prese...

Page 930: ...pendent of the application Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Library and can be reasonably consider...

Page 931: ... above you may also combine or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Librar...

Page 932: ...y subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties with this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by co...

Page 933: ...ING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR...

Page 934: ...se simply using the library and is analogous to running a utility program or application program However in a textual and legal sense the linked executable is a combined work a derivative of the original library and the ordinary General Public License treats it as such Because of this blurred distinction using the ordinary General Public License for libraries did not effectively promote software s...

Page 935: ...ains meaningful For example a function in a library to compute square roots has a purpose that is entirely well defined independent of the application Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply to the mo...

Page 936: ...ns above you may also compile or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Libr...

Page 937: ...rein You are not responsible for enforcing compliance by third parties to this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of this Licens...

Page 938: ...S INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES B 3 12 ...

Page 939: ...of the original library The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It...

Page 940: ... Library and copy and distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a The modified work must itself be a software library b You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change c You must cause the whole of the work to be licensed at no charge to all ...

Page 941: ...gh the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline functions ten lines or less in length then the use of t...

Page 942: ...rwise to copy modify sublicense link with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 9 You are not required to accept this License since you have not signed it However nothing ...

Page 943: ...ftware and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED...

Page 944: ...sults from an addition to deletion from or modification of the contents of Covered Software or 2 any new file in Source Code Form that contains any Covered Software 1 11 Patent Claims of a Contributor means any patent claim s including without limitation method process and apparatus claims in any patent Licensable by such Contributor that would be infringed but for the grant of the License by the ...

Page 945: ...nation of its Contributions with other software except as part of its Contributor Version or 3 under Patent Claims infringed by Covered Software in the absence of its Contributions This License does not grant any rights in the trademarks service marks or logos of any Contributor except as may be necessary to comply with the notice requirements in Section 3 4 2 4 Subsequent Licenses No Contributor ...

Page 946: ... disclaimers of warranty or limitations of liability contained within the Source Code Form of the Covered Software except that You may alter any license notices to the extent required to remedy known factual inaccuracies 3 5 Application of Additional Terms You may choose to offer and to charge a fee for warranty support indemnity or liability obligations to one or more recipients of Covered Softwa...

Page 947: ... liable to You for any direct indirect special incidental or consequential damages of any character including without limitation damages for lost profits loss of goodwill work stoppage computer failure or malfunction or any and all other commercial damages or losses even if such party shall have been informed of the possibility of such damages This limitation of liability shall not apply to liabil...

Page 948: ... list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a version number You may use this Software under terms of this license revision or under the terms of any su...

Page 949: ...TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes oftware written by Tim Hudson tjh cryptsoft com B 3 17 WU FTPD Software License WU FTPD SOFTWARE LICENSE Use modification or redistribution including dis...

Page 950: ...ation of Liability THIS SOFTWARE IS PROVIDED BY THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT NDIRE...

Page 951: ...y Available Software B 61 3 This notice may not be removed or altered from any source distribution Jean loup Gailly Mark Adler jloup gzip org madler alumni caltech edu jloup gzip org madler alumni caltech edu ...

Page 952: ...B 62 WiNG 5 5 Access Point System Reference Guide ...

Page 953: ......

Page 954: ...OROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2013 Motorola Solutions Inc All Rights Reserved MN000160A01 Revision A October 2013 ...

Reviews:

No comments

Related manuals for AP-7131 Series

Brand: ABB Pages: 66

Brand: Maco Pages: 38

Brand: ZALMAN Pages: 20

Brand: Pakedge Device & Software Pages: 20

Brand: Teagle Pages: 40

Brand: Alacritech Pages: 20

Sure Cross DX70

Brand: Banner Pages: 35

Brand: FOR-A Pages: 39

Brand: Alesis Pages: 61

ICS-G7748A Series

Brand: Moxa Technologies Pages: 10

Brand: Zonet Pages: 2

MegaRAID SATA 300-4XLP

Brand: LSI Pages: 3

Brand: Garderos Pages: 23

Brand: XMOS Pages: 6

Brand: Xenya Pages: 189

Brand: B+B SmartWorx Pages: 52

ZyXEL ZyAIR B-120

Brand: ZyXEL Communications Pages: 20

Brand: Infoblox Pages: 13

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands