manualshive.com logo in svg

Motorola Solutions WiNG 5.2.6, Reference Manual, Page: 477 / 670

Share
Download
Motorola Solutions WiNG 5.2.6 Reference Manual Download Page 477

Operations 11 - 15

11.2 Certificates

A certificate links identity information with a public key enclosed in the certificate.

A

certificate authority

(CA) is a network authority that issues and manages security credentials and public keys for

message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key
is contained within the certificate and is called a CA certificate. A browser must contain this CA certificate in its Trusted
Root Library so it can trust certificates

signed

by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration
date, the owner's name and other public key owner information.

Each certificate is digitally signed by a

trustpoint

. The trustpoint signing the certificate can be a certificate authority,

corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific
configuration parameters, and an association with an enrolled identity certificate.

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username/password.
One key is private and the other is public key.

Secure Shell

(SSH) public key authentication can be used by a client to access

resources, if properly configured. A RSA key pair must be generated on the client.

For more information on certification activities, refer to the following:

Certificate Management

RSA Key Management

Certificate Creation

Generating a Certificate Signing Request (CSR)

11.2.1 Certificate Management

Certificates

If not wanting to use an existing certificate or key with a selected device, an existing

stored

certificate can be leveraged

from a different device for use with the target device. Device certificates can be imported and exported to a secure remote
location for archive and retrieval as they are required for application to other managed devices.

To configure trustpoints for use with certificates:

1. Select

Operations

>

Certificates.

Summary of Contents for Solutions WiNG 5.2.6

Page 1: ...Motorola Solutions WiNG 5 2 6 Access Point System Reference Guide ...

Page 2: ......

Page 3: ... 5 2 2 4 Status Icons 2 6 2 2 5 Configurable Objects 2 6 2 2 6 Configuration Objects 2 8 2 2 7 Configuration Operation Icons 2 9 2 2 8 Access Type Icons 2 9 2 2 9 Administrative Role Icons 2 10 2 2 10 Device Icons 2 11 Chapter 3 Quick Start 3 1 Using the Initial Setup Wizard 3 2 Chapter 4 Dashboard 4 1 Dashboard 4 2 4 1 1 Dashboard Conventions 4 2 4 1 1 1 Health 4 3 4 1 1 2 Inventory 4 7 4 2 Netwo...

Page 4: ...icate Revocation List CRL Configuration 5 62 5 3 6 3 Setting the Profile s NAT Configuration 5 63 5 3 6 4 Profile Security Configuration and Deployment Considerations 5 71 5 3 7 Profile Services Configuration 5 71 5 3 7 1 Profile Services Configuration and Deployment Considerations 5 72 5 3 8 Profile Management Configuration 5 73 5 3 8 1 Upgrading AP 6532 Firmware from 5 1 to 5 2 5 79 5 3 8 2 Prof...

Page 5: ...g an Event Policy 5 201 Chapter 6 Wireless Configuration 6 1 Wireless LANs 6 3 6 1 1 Basic WLAN Configuration 6 4 6 1 1 1 WLAN Basic Configuration Deployment Considerations 6 7 6 1 2 Configuring WLAN Security 6 7 6 1 2 1 802 1x EAP EAP PSK and EAP MAC 6 9 6 1 2 2 MAC Authentication 6 11 6 1 2 3 PSK None 6 12 6 1 2 4 Captive Portal 6 13 6 1 2 5 WPA WPA2 TKIP 6 14 6 1 2 6 WPA2 CCMP 6 18 6 1 2 7 WEP ...

Page 6: ... Configuration 8 28 8 4 1 Creating RADIUS Groups 8 28 8 4 1 1 Creating RADIUS Groups 8 31 8 4 2 Defining User Pools 8 33 8 4 3 Configuring the RADIUS Server 8 36 8 5 Services Deployment Considerations 8 45 Chapter 9 Management Access 9 1 Creating Administrators and Roles 9 2 9 2 Setting the Access Control Configuration 9 5 9 3 Setting the Authentication Configuration 9 9 9 4 Setting the SNMP Confi...

Page 7: ...eless Clients 12 20 12 2 6 Wireless LANs 12 21 12 2 7 Radios 12 23 12 2 7 1 Status 12 23 12 2 7 2 RF Statistics 12 25 12 2 7 3 Traffic Statistics 12 26 12 2 8 Mesh 12 28 12 2 9 SMART RF 12 29 12 2 10 WIPS 12 32 12 2 10 1 WIPS Client Blacklist 12 32 12 2 10 2 WIPS Events 12 33 12 2 11 Captive Portal 12 34 12 2 12 Historical Data 12 35 12 2 12 1 Viewing Smart RF History 12 36 12 3 Access Point Stati...

Page 8: ...4 1 Packet Flows 12 83 12 3 14 2 Denial of Service 12 84 12 3 14 3 IP Firewall Rules 12 86 12 3 14 4 MAC Firewall Rules 12 88 12 3 14 5 NAT Translations 12 90 12 3 14 6 DHCP Snooping 12 92 12 3 15 Certificates 12 93 12 3 15 1 Trustpoints 12 94 12 3 15 2 RSA Keys 12 97 12 3 16 WIPS 12 98 12 3 16 1 WIPS Client Blacklist 12 99 12 3 16 2 WIPS Events 12 100 12 3 17 Sensor Servers 12 101 12 3 18 Captive...

Page 9: ...n Motorola Solutions WiNG 5 2 6 Access Point System Reference Guide this guide Describes the configuration of either a Standalone AP or Virtual Controller AP using the access point s initial setup wizard and resident WiNG access point software Motorola Solutions WiNG 5 2 6 Controller System Reference Guide Describes the configuration of dependent mode access points using the WiNG 5 2 6 controller ...

Page 10: ...ighlight the following Screen names Menu items Button names on a screen Bullets indicate Action items Lists of alternatives Lists of required steps that are not necessarily sequential Sequential lists e g those that describe step by step procedures appear as numbered lists NOTE Indicate tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING I...

Page 11: ...independent and dependent architectures to create a smart network that meets the connectivity quality and security needs of each user and their applications based on the availability of network resources including wired networks By distributing intelligence and control amongst access points a WiNG 5 network can route directly via the best path as determined by factors including the user location t...

Page 12: ...fically for AP 6511 AP 6521 AP 6532 AP 7131 AP 7161 and AP 8132 model access It does not describe the version of the WING 5 software designed for use with the RFS4000 RFS6000 RFS7000 and NX9000 Series models For information on using WING 5 within a controller managed network go to http supportcentral motorola com support product manuals do ...

Page 13: ...ire an unnecessary backhaul Within a WiNG 5 network up to 80 of the network traffic can remain on the wireless mesh and never touch the wired network so the 802 11n load impact on the wired network is negligible In addition latency and associated costs are reduced while reliability and scalability are increased A WiNG 5 network enables the creation of dynamic wireless traffic flows so bottlenecks ...

Page 14: ...1 4 WiNG 5 2 6 Access Point System Reference Guide ...

Page 15: ...4 other access points of the same model and share data amongst managed access points In Standalone mode an access point functions as an autonomous non adopted access point servicing wireless clients If adopted to controller an access point is reliant on its connected controller for its configuration and management For information on how to access and use the access point s Web UI see Accessing the...

Page 16: ...55 255 255 0 3 To derive the access point s IP address using its MAC address a Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows b With the Calculator displayed select View Scientific Select the Hex radio button c Enter a hex byte of the access point s MAC address For example F0 d Select the Dec ...

Page 17: ... 7 Select the Login button to load the management interface If this is the first time the management interface has been accessed the first screen to display will prompt for a change of the default access point password Then a dialogue displays to start the initial setup wizard For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 18: ...n lists global icons available throughout the interface Logoff Select this icon to log out of the system This icon is always available and is located at the top right hand corner of the UI Add Select this icon to add a row in a table When this icon is selected a new row is created in the table or a dialog box opens where you can enter values for that particular list Delete Select this icon to remo...

Page 19: ...policy and select this button Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to a device s profile configuration Mandatory Field Indicates the control s value is a mandatory configuration item You will not be allowed to proceed further without providing all mandatory values in this dialog Error in Entry Indi...

Page 20: ...ing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has completed successfully without error Information This icon always precedes information displayed to the user This may either be a message displaying progress for a particular process or may just be a message from the system Device Configuration Represents...

Page 21: ...des of the network RF Domain States an RF Domain configuration has been impacted RF Domain implement location based security restrictions applicable to all VLANs in a particular physical location Firewall Policy Indicates a Firewall policy has been impacted Firewalls provide a barrier that prevent unauthorized access to secure resources while allowing authorized access to external and internal res...

Page 22: ...ddresses RADIUS Group Indicates the configuration of RADIUS Group is being defined and applied A RADIUS group is a collection of RADIUS users with the same set of permissions RADIUS User Pools States a RADIUS user pool is being applied RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user RADIUS Server Policy Indicates a RADIUS server policy is being appl...

Page 23: ... this icon link to view the different logs generated by the user interface FLEX and the error logs Revert When selected any changes made after the last saved configuration are restored back to the last saved configuration Commit When selected all changes made to the configuration are written to the access point Once committed changes cannot be reverted Save When selected changes are saved to the a...

Page 24: ...owed to configure some general settings like boot parameters licenses auto install image upgrades etc Network Indicates network user privileges A network user is allowed to configure all wired and wireless parameters like IP configuration VLANs L2 L3 security WLANs radios etc Security Indicates security user privileges A security level user is allowed to configure all security related parameters M...

Page 25: ... indicates system wide impact Cluster This icon indicates a cluster A cluster is a set of access points that work collectively to provide redundancy and load sharing Access Point This icon indicates any access point that is a part of the network Wireless Client This icon defines any wireless client connected within the access point managed network ...

Page 26: ...2 12 WiNG 5 2 6 Access Point System Reference Guide ...

Page 27: ...amline the process of initially accessing the wireless network The wizard defines the access point s operational mode deployment location basic security network and WLAN settings For instructions on how to use the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 28: ... login screen displays Figure 3 1 Web UI Login Screen 2 Enter the default username admin in the Username field 3 Enter the default password motorola in the Password field 4 Click the Login button to load the management interface NOTE When logging in for the first time you re prompted to change the password to enhance device security in subsequent logins NOTE If you get disconnected when running th...

Page 29: ...wizard and move directly to access point s main user interface UI by selecting Not Now The setup wizard can also be disabled until the next time the access point is rebooted by selecting Never NOTE The Initial Setup Wizard displays the same pages and content for each access point model supported The only difference being the number of radios configurable by model as an AP 7131 model can support up...

Page 30: ...e Navigation Panel and Introduction for the configuration activities comprising the access point s initial setup A green checkmark to the left of an item in the Navigation Panel defines the listed task as having its minimum required configuration parameters set correctly A red X defines the task as still requiring at least one parameter be defined correctly ...

Page 31: ...vious screen in the Navigation Panel without saving your updates 7 Select Next The Initial AP Setup Wizard displays the Access Point Type screen to define the access point s Standalone versus Virtual Controller AP functionality and the way the access point is adopted to a controller NOTE While you can navigate to any page in the navigation panel you cannot complete the Initial AP Setup Wizard unti...

Page 32: ...ame model Standalone AP Select this option to deploy this access point as an autonomous fat access point A standalone AP isn t managed by a Virtual Controller AP or adopted by a RFS series controller NOTE If designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ...

Page 33: ...l also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically Figure 3 6 Initial Setup Wizard Adoption Settings 9 Select Next The Initial AP Setup Wizard displays the Access Point Mode screen to define the access point s routing or bridging mode functionality NOTE The best way to administer a network populated by numerous access points ...

Page 34: ...ployment supported by just a single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Thus select Bridge Mode when deploying this access point with numerous peer APs supporting clients on both the 2 4 and 5GHz radio bands 11 Sel...

Page 35: ...able When selecting this option define the following DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the checkbox to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interface Range Enter a starting and endi...

Page 36: ... for converting the name into its corresponding IP address cannot locate the matching IP address Primary DNS Enter an IP Address for the main Domain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 13 Select Next The Initial AP Setup Wizard displays...

Page 37: ...xternal network This ports available differ depending on the access point model deployed Access point models with a single port have this option fixed Enable NAT on the WAN Interface Select the checkbox to allow traffic to pass between the access point s WAN and LAN interfaces 15 Select Next The Initial AP Setup Wizard displays the Radio Configuration screen to define radio support for the 2 4GHz ...

Page 38: ...2 4GHz and another for 5GHz support if using a dual or three radio model when supporting clients in both the 802 11bg and 802 11n bands Power Level Use the spinner control to select a 1 23 dBm minimum power level to assign to this radio in selected 2 4 or 5 0 GHz band 1 dBm is the default setting Channel Mode Select either Random Best or Static Select Random for use with a 802 11a n radio To compl...

Page 39: ...int managed network If dedicating a radio as a sensor resource a primary and secondary ADSP server must be specified as an ADSP management resource Disable the Radio Select this option to disable this radio thus prohibiting it from either providing WLAN or sensor support Verify this course action with your network administrator before rendering the radio offline 17 Select Next The Initial AP Setup...

Page 40: ...cters is 32 Do not use This is a required parameter for each WLAN WLAN Type Set the data protection scheme used by clients and access points within the WLAN The following options are available No Authentication and no Encryption Select this option to provide no security between the access point and connected clients on this WLAN Captive Portal Authentication and No Encryption Select this option to...

Page 41: ...type requires a RADIUS server to validate user credentials designate whether the access point is using an External RADIUS Server resource or the access point s own Onboard RADIUS Server If using an external RADIUS server resource provide the IP address of the external server and the shared secret used to authenticate the request 19 Select Next The Initial AP Setup Wizard displays the RADIUS Server...

Page 42: ...sername If adding a new user account create a username up to X characters in length The username cannot be revised if modifying the user configuration This is a required parameter Password Provide or modify a password between X X characters in length entered each time a requesting client attempts access to the AP managed network using the access point s onboard RADIUS server This is a required par...

Page 43: ...mation The system time can either be set manually or be supplied by a dedicated Network Time Protocol NTP resource Figure 3 13 Initial AP Setup Wizard Country Date Time 24 Refer to the Country and Time Zone field to set the following device deployment information Location Define the location of the access point The Location parameter acts as a reminder of where the AP can be located within the Mot...

Page 44: ...er used to provide system time to the access point Once the IP address is entered the Network Time Protocol NTP functionality is engaged automatically for synchronization with the NTP resource 27 If an NTP resource is unavailable set the System Date and Time calendar date time and AM PM designation 28 Optionally enter the IP address of a server used to provide system time to the access point Once ...

Page 45: ...0 If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summary either select the target page from the Navigational Panel or use the Back button ...

Page 46: ...3 20 WiNG 5 2 6 Access Point System Reference Guide ...

Page 47: ...int managed network Use the dashboard to review the current network topology assess the network s component health and diagnose problematic device behavior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard Network View ...

Page 48: ...and the System menu item on the upper left hand side of the UI and select either an access point or connected client The Dashboard displays the Health tab by default Figure 4 1 Dashboard screen Health tab 4 1 1 Dashboard Conventions The Dashboard displays device information using the following conventions Health Displays information about the state of the access point managed network Inventory Dis...

Page 49: ...ate of the access point managed network Figure 4 2 Dashboard screen Health tab Information in this tab is classified as Device Details Radio RF Quality Index Radio Utilization Index Client RF Quality Index 4 1 1 1 1 Device Details Health The Device Details field displays model and version information ...

Page 50: ...tage of the overall effectiveness of the RF environment It s a function of the data rate in both directions the retry rate and the error rate Figure 4 4 Radio RF Quality Index RF Quality displays as the average quality index for the single RF Domain utilized by the access point The table lists the bottom five 5 RF quality values for the RF Domain The quality is measured as 0 20 Very poor quality 2...

Page 51: ...dium is used by the access point Traffic utilization is defined as the percentage of throughput relative to the maximum possible throughput Refer to the number or errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received The Radio Id displays as a link that can be selected to display radio configuration and network address information in...

Page 52: ...ty Index measures the overall effectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as the retry rate and the error rate The quality is measured as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Client MAC Displays the factory encoded MAC address assigned to each connected radio listed Use this informa...

Page 53: ...Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a specific radio Figure 4 7 Dashboard screen Inventory tab The Inventory screen is partitioned into the following fields Radio Types WLAN Utilization Wireless Clients Clients by Radio Type ...

Page 54: ...resh at the bottom of the screen to update the radio information 4 1 1 2 6 WLAN Utilization Inventory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures how efficiently the RF medium is utilized It is defined as a percentage of the current throughput relative to the maximum throughput possible The quality is...

Page 55: ... display radio configuration and network address information in greater detail 4 1 1 2 8 Clients by Radio Type Inventory The Clients by Radio Type field displays a bar graph illustrating the number of connected clients currently operating on supported radio bands Figure 4 11 Clients by Radio Type For 5 GHz clients are displayed supporting the 802 11a and 802 11an radio bands For 2 4 GHz clients ar...

Page 56: ...s can be utilized to review device performance and utilization as well as the RF band channel and vendor For more information see Network View Display Options on page 4 11 To review a device s Network Topology select Dashboard Network View Figure 4 12 Network View The left hand side of the Network View display contains an expandable System Browser where access points can be selected and expanded t...

Page 57: ...ork View Options 2 The following display filter options are available None Select this option to keep the Network View display as it currently appears without any additional color or device interaction adjustments Utilization Select this option to filter based on the percentage of current throughput relative to maximum throughput Utilization results include Red Bad Utilization Orange Poor Utilizat...

Page 58: ...vided text field and select the Update button to isolate located variables in blue within the Network View display 3 Select the Update button to update the display with the changes made to the filter options Select Close to close the options field and remove it from the Network View 4 2 2 Device Specific Information Network View A device specific information screen is available for individual devi...

Page 59: ...wever access point configurations may need periodic refinement and overrides from their original RF Domain administered design For more information see RF Domain Overrides on page 5 120 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model Profiles can be used to assign shared network wireless and security parameters to ac...

Page 60: ...int s RF Domain configuration may need periodic refinement from its original RF Domain designation Unlike a RFS series controller an access point supports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration Thus a configuration should...

Page 61: ...created by or impacting the RF Domain Time Zone Set the geographic time zone for the RF Domain The RF Domain can contain unique country codes and time zone information to access points deployed across different states or countries thus making them ideal for managing device configurations across different geographical deployments Country Define the two digit country code set for the RF Domain The c...

Page 62: ...econds for updates retrieved from the access point Window Index Use the spinner control to set a numerical index used as an identifier for each RF Domain statistics defined Sample Interval Use the spinner control to define the interval in seconds used by the access point to capture windowed statistics supporting the RF Domain configuration The default is 5 seconds Window Size Use the spinner contr...

Page 63: ... RF Domain WIPS is not supported on a WLAN basis rather sensor functionality is supported on the access point radio s available to each managed WLAN When an access point radio is functioning as a WIPS sensor it s able to scan in sensor mode across all legal channels within the 2 4 and 5 0 GHz band Sensor functionality is not provided by the access point alone The access point works in conjunction ...

Page 64: ...m Reference Guide 6 Use the spinner control to specify the Port of each WIPS server The default port is 443 7 Select OK to save the changes to the AirDefense WIPS configuration or select Reset to Revert to the last saved configuration ...

Page 65: ...ns overwrite their profile assignments until the profile can be re applied to the access point Each access point model is automatically assigned a default profile The default profile is available within the access point s configuration file Default profiles are ideal for single site deployments where several access points may need to share a common configuration For more information refer to the f...

Page 66: ...he general profile configuration Select Reset to revert to the last saved configuration AutoKey Select the radio button to enable an autokey configuration for the NTP resource The default setting is disabled Key If an autokey is not being used manually enter a 64 character maximum key the access point and NTP resource share to securely interoperate Prefer Select the radio button designate this par...

Page 67: ... determines the maximum power provided by the POE device and the budget available to the access point The CPLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s tr...

Page 68: ... Mode and the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is pref...

Page 69: ...and receives multiple adoption responses from Virtual Controller APs available on the network These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption To define the access point profile s adoption configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on...

Page 70: ...Enter Controller Hostnames as needed to define resources for adoption Hello Interval Select this option to define the interval of hello packet exchanges between the AP and its adopting controller Adjacency Hold Time Select this option to define the interval after which the link between the AP and controller is defined as lost and a new connection needs to be established Host Use the drop down menu...

Page 71: ...ses or Hostnames of adoption resources 10 Select OK to save the changes made to the general profile configuration Select Reset to revert to the last saved configuration Routing Level Use the spinner controller to set the routing level for the Virtual Controller link The default setting is 1 ...

Page 72: ...e s Interface configuration process consists of the following Ethernet Port Configuration Virtual Interface Configuration Port Channel Configuration Access Point Radio Configuration WAN Backhaul Configuration Additionally deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the perfo...

Page 73: ...onfiguration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Ethernet Ports Figure 5 6 Profile Interfaces Ethernet Ports screen 5 Refer to the following to assess port status mode and VLAN configuration Name Displays the physical port name reporting runtime data and statistics Supported ports vary depe...

Page 74: ...d VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode Tag Native VLAN A green checkmark d...

Page 75: ... or full duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex Select eithe...

Page 76: ...ve VLAN which can be tagged or untagged Access is the default mode Native VLAN Use the spinner control to define a numerical Native VLAN ID between 1 4094 The native VLAN allows the access point to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode Th...

Page 77: ... rules to apply to this profile s Ethernet port configuration The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances 14 If a firewall rule does not exist suiting the data protection needs of the target port configuration select the Create icon to define a new rule configuration 15 Refer to the Trust field to define the foll...

Page 78: ...ort and a DHCP server can be connected only to a DHCP trusted port The default value is enabled ARP header Mismatch Validation Select the radio button to enable a mismatch check for the source MAC in both the ARP and Ethernet header The default value is disabled Trust 8021p COS values Select the radio button to enable 802 1p COS values on this port The default value is enabled Trust IP DSCP Select...

Page 79: ...2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Virtual Interfaces Figure 5 9 Profile Interfaces Virtual Interfaces screen Review the following parameters unique to each virtual interface configuration Name Displays the name of each listed Virtual Interface assigned when it was created The name is between 1 4094 and canno...

Page 80: ... created or an existing one is being modified 6 If creating a new Virtual Interface use the Name spinner control to define a numeric ID between 1 4094 7 Define the following parameters from within the Properties field VLAN Displays the numerical VLAN ID associated with each listed interface IP Address Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface conf...

Page 81: ...ity tab Enable Zero Configuration The access point can use Zero Config for IP assignments on an individual virtual interface basis Select Primary to use Zero Config as the designated means of providing an IP address this eliminates the means to assign one manually Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments Primary IP Address Define the ...

Page 82: ...fic to and from connected clients If a firewall rule does not exist suiting the data protection needs of this Virtual Interface select the Create icon to define a new firewall rule configuration or the Edit icon to modify an existing configuration For more information see Wireless Firewall on page 7 2 13 Select the OK button located at the bottom right of the screen to save the changes to the Secu...

Page 83: ...it the configuration of an existing port channel select it from amongst those displayed and select the Edit button The port channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name cannot be modified as part of the edit process Type Displays whether the type is port channel Description Lists a...

Page 84: ...profile It can be activated at any future time when needed The default setting is disabled Speed Select the speed at which the port channel can receive and transmit the data Select either 10 Mbps 100 Mbps 1000 Mbps Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port These options are not availab...

Page 85: ...ackets from a list of VLANs you add to the trunk A port channel configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default setting Native VLAN Use the spinner control to define a numerical ID between 1 4094 The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the...

Page 86: ... the Edit icon to modify an existing firewall rule configuration 13 Refer to the Trust field to define the following Trust ARP Responses Select the check box to enable ARP trust on this port channel ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the managed network The default value is disabled Trust DHCP Respons...

Page 87: ...PortFast Select the check box to enable drop down menus for both the Enable Portfast BPDU Filter and Enable Portfast BPDU Guard options This setting is disabled by default PortFast BPDU Filter Select Enable to invoke a BPDU filter for this portfast enabled port channel Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs The default setting is None Port...

Page 88: ...ink while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setting is disabled by default Force Protocol Version Sets the protocol version to either STP 0 Not Supported 1 ...

Page 89: ... Instance Index using the spinner control and then set the Priority The lower the priority a greater likelihood of the port becoming a designated port Select Add Row needed to include additional indexes 21 Select OK to save the changes made to the Ethernet Port Spanning Tree configuration Select Reset to revert to the last saved configuration ...

Page 90: ...creen 5 Review the following radio configuration data to determine whether a radio configuration requires modification to better support the network Name Displays whether the reporting radio is radio 1 radio 2 or radio 3 AP 7131 models can have up to 3 radios depending on the SKU AP 6532 AP 7161 and AP 8132 models have 2 radios and AP 6511 and AP 6521 models have 1 radio Type Displays the type of ...

Page 91: ...rt The radio band is set from within the Radio Settings tab Channel Lists the channel setting for the radio Smart is the default setting If set to smart the access point scans non overlapping channels listening for beacons from other access points After the channels are scanned it selects the channel with the fewest access points In the case of multiple access points on the same channel it will se...

Page 92: ...L the packet is dropped Select the Create icon to define a new Association ACL that can be applied to this profile RF Mode Set the mode to either 2 4 GHz WLAN or 5 GHz WLAN support depending on the radio s intended client support Set the mode to sensor if using the radio for rogue device detection The radio cannot support rogue detection when one of the radios is functioning as a WIPS sensor To se...

Page 93: ...smission power in dBm to connected clients The setting is disabled by default Dynamic Chain Selection Select the radio button for the radio to dynamically change the number of transmit chains This option is enabled by default Rate Once the radio band is provided the drop down menu populates with rate options depending on the 802 11b 802 11a or 802 11n band utilized If the radio band is set to Sens...

Page 94: ...rs Max Clients Use the spinner control to set a maximum permissible number of clients to connect with this access point radio The available range is between 1 256 for AP 6532 AP 7131 AP 7161 and AP 8132 models and from 1 128 for AP 6511 and AP 6521 models NOTE AP 6532 AP 7131 AP 7161 and AP 8132 model access points support up to 256 client connections to a single access point radio AP 6511 and AP ...

Page 95: ... the time to support streaming multicast audio and video applications that are jitter sensitive The default value is 100 milliseconds DTIM Interval BSSID Set a DTIM Interval to specify a period for Delivery Traffic Indication Messages DTIM A DTIM is periodically included in a beacon frame transmitted from adopted radios The DTIM period determines how often the beacon contains a DTIM for example 1 ...

Page 96: ...ta frame throughput An advantage is quickersystemrecoveryfromelectromagneticinterferenceanddatacollisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS threshold minimizes RTS CTS exchanges consuming less bandwidth for data transmissions A disadvantage is less help to nodes that encounter interference and collisions ...

Page 97: ...SID If using a single radio access point there are 8 BSSIDs available If using a dual radio access point there are 8 BSSIDs for the 802 11b g n radio and 8 BSSIDs for the 802 11a n radio Each supported access point model can support up to 8 BSS IDs 14 Select the OK button located at the bottom right of the screen to save the changes to the WLAN Mapping Select Reset to revert to the last saved conf...

Page 98: ...ect the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 19 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and then connect through them Portal operation begins beaconing immediately...

Page 99: ...ansmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Fra...

Page 100: ...itional host system used to capture the re directed packets This address is the numerical non DNS address of the host used to capture the re directed packets Channel to Capture Packets Use the drop down menu to specify the channel used to capture re directed packets The default value is channel 1 RIFS Mode Define a RIFS Mode using the drop down menu The RIFS mode determines whether interframe spac...

Page 101: ...ts and must be supported on the receiving client In the receiving end of the data path the access point updates beamforming data or the active entries when packets are received from an address matching an active entry If a packet is received from a beamforming client not an active entry the access point automatically replaces the oldest active entry In the transmit data path if a packet is destine...

Page 102: ...orwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation To define a WAN Backhaul configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3...

Page 103: ...ing the dialing sequence the WAN card is in an unknown state and will not accept a command Re seat the card and begin the dialup sequence again until the card is recognized If encountering a panic when conducting a hotplug power off the access point for one minute The access point could continue to panic or detect the descriptor of the last utilized WAN card Thus it s a good idea to clear the pani...

Page 104: ...file network configuration process consists of the following DNS Configuration ARP Quality of Service QoS Static Routes Forwarding Database Bridge VLAN Miscellaneous Network Configuration Before beginning any of the profile network configuration activities described in the sections above review the configuration and deployment considerations available in Profile Network Configuration and Deploymen...

Page 105: ...ames it s possible to access the resource even if the underlying machine friendly notation name changes Without DNS in the simplest terms you would need to remember a series of numbers 123 123 123 123 instead of an easy to remember domain name www domainname com To define the DNS configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options ...

Page 106: ...ailable to the access point 8 Select OK to save the changes made to the DNS configuration Select Reset to revert to the last saved configuration DNS Server Forwarding Click to enable the forwarding DNS queries to external DNS servers if a DNS query cannot be processed by the access point s own DNS resources This feature is disabled by default ...

Page 107: ...at and sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply so indicating ARP updates the ARP cache for future reference and then sends the packet to the MAC addre...

Page 108: ...rt to the last saved configuration Switch VLAN Interface Use the spinner control to select a VLAN for an address requiring resolution IP Address Define the IP address used to fetch a MAC Address MAC Address Displays the target MAC address that s subject to resolution This is the MAC used for mapping an IP address to a MAC address that s recognized on the network Device Type Specify the device type...

Page 109: ...en maps the 6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP header DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence DSCP specifies a specific per hop behavior that is applied to a packet To define an QoS configuration for DSCP mappings 1...

Page 110: ...een to save the changes Select Reset to revert to the last saved configuration 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priority The valid values for this field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Background 2 Spare 3 Excellent Effort 4 Controlled Load 5 Video 6 V...

Page 111: ... address pools To create static routes 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Static Routes Figure 5 26 Network Static Routes screen 5 Select Add Row as needed to include single rows in the static routes table 6 Add IP addresses and network masks in the Network column ...

Page 112: ... or forward the packet To define a forwarding database configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Forwarding Database Figure 5 27 Network Forwarding Database screen 5 Define a Bridge Aging Time between 0 10 1 000 000 seconds The aging time defines the length ...

Page 113: ... on a different network it forwards the packet to the segment If the destination MAC is on the same network segment the packet is dropped filtered 8 Define the target VLAN ID if the destination MAC is on a different network segment 9 Provide an Interface Name used as the target destination interface for the target MAC address 10 Select OK to save the changes Select Reset to revert to the last save...

Page 114: ...hat aren t using same VLAN ID Administrators often need to route traffic to interoperate between different VLANs Bridging VLANs are only for non routable traffic like tagged VLAN frames destined to some other device which will untag it When a data frame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Brid...

Page 115: ... clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as edge VLAN the firewall enforces additional checks on hosts in that VLAN For example a host cannot move from an edge VLAN to another VLAN and still keep firewall flows active Trust ARP Response When ARP trust is enabled a green ch...

Page 116: ...erentiate it from other VLANs with similar configurations 8 Define the following Extended VLAN Tunnel parameters Bridging Mode Specify one of the following bridging mode for use on the VLAN Automatic Select Automatic mode to let the access point determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel to use a...

Page 117: ...successfully create the mesh link between the two access points Trust ARP Response Select the radio button to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoof and arp cache poisoning attacks This feature is disabled by default Trust DHCP Responses Select the radio button to use DHCP packets from a DHCP server as trusted and permissible within the network DHCP packets are ...

Page 118: ...ect the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Miscellaneous Figure 5 30 Miscellaneous screen 5 Select the Include Hostname in DHCP Request checkbox to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 6 Select the DHCP Persistent Lease c...

Page 119: ... there is a change someone must manually make changes to reflect the new route If a link goes down even if there is a second path the router would ignore it and consider the link down Static routes require extensive planning and have a high management overhead The more routers that exist in a network the more routes needing to be configured If you have N number of routers and a route between each ...

Page 120: ... the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Security menu and select Settings Figure 5 31 Profile Security Settings screen 5 Select the radio button to require profile supported devices to use a WEP key to access the network using this profile The access point other proprietary routers and Motorola Solutions clients use the key alg...

Page 121: ...ct Certificate Revocation Figure 5 32 Security Certificate Revocation screen 5 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a private key was found and nobody had access to it its status could be ...

Page 122: ...NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows an access point to translate one or more internal private IP addresses to a single public facing IP address assigned to a 10 100 1000 Ethernet port or 3G card To define a NAT configuration th...

Page 123: ...he Source tab displays by default Name If adding a new NAT policy provide a name to help distinguish it from others with similar configurations The length cannot exceed 64 characters IP Address Range Define a range of IP addresses that are hidden from the public Internet NAT modifies network address information in the defined IP range while in transit across a traffic routing device NAT only provi...

Page 124: ...r on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Inside NAT is the default sett...

Page 125: ...n 5 67 Figure 5 36 Static NAT screen Destination tab 13 Select Add to create a new NAT destination configuration Edit to modify the attributes of an existing configuration or Delete to permanently remove a NAT destination ...

Page 126: ...DP and Any are available options TCP is a transport layer protocol used by applications requiring guaranteed delivery It s a sliding window protocol handling both timeouts and retransmissions TCP establishes a full duplex virtual connection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service no...

Page 127: ...te translations in the translation table Destination Port Use the spinner control to set the local port number used at the source end of the static NAT configuration The default value is port 1 NAT IP Enter the IP address of the matching packet to the specified value The IP address modified can be either source or destination based on the direction specified NAT Port Enter the port number of the m...

Page 128: ... once translated are not exposed to the outside world when the translation address is used to interact with the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN between 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overload Type Lists the Ove...

Page 129: ...ted will not be exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside NAT as the network direction for the dynamic NAT configuration Inside is the default setting Interface Use the drop down menu to select the VLAN ID between 1 4094 used as the communication medium between the source and destination points within ...

Page 130: ...ith the listed IP ACL rule Options include NAT Pool One Global Address and Interface IP Address Interface IP Address is the default setting If NAT Pool is selected provide the Overload IP address NAT Pool Provide the name of an existing NAT pool for use with the dynamic NAT configuration Optionally select the Create icon to define a new NAT Pool configuration Overload IP Enables the use of one glo...

Page 131: ...red to deny all traffic If port address translation is required a stateful firewall should be configured to only permit the TCP or UDP ports being translated 5 3 7 Profile Services Configuration A profile can contain specific guest access captive portal server configurations These guest network access permissions can be defined uniquely as profile requirements dictate To define a profile s service...

Page 132: ...eset to revert to the last saved configuration 5 3 7 1 Profile Services Configuration and Deployment Considerations Profile Services Configuration Before defining a profile s captive portal and DHCP configuration refer to the following deployment guidelines to ensure the profile configuration is optimally effective A profile plan should consider the number of wireless clients allowed on the profil...

Page 133: ...onfigurations can be applied strategically to profiles as resource permissions dictate Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define a profile s management configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Ma...

Page 134: ... Profile Management Settings screen 5 Refer to the Message Logging field to define how the profile logs system events It s important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined ...

Page 135: ...ed for the profile event log transfer Syslog Logging Level Event severity coincides with the syslog logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Console Logging Level Event severity coincides with the console lo...

Page 136: ... the last saved configuration 10 Select Firmware from the Management menu SMTP Server Specify either the Hostname or IP Address of the outgoing SMTP server where notification e mails are originated Port of SMTP If a non standard SMTP port is used on the outgoing SMTP server select this option and specify a port between 1 65 535 for the outgoing SMTP server Sender E mail Address Specify the e mail ...

Page 137: ...le the Use DHCP to Obtain Gateway DNS Servers option for that Virtual Interface Enable Firmware Upgrade Select this option to enable automatic firmware upgrades for this profile from a location external to the access point To use this option first create a Virtual Interface in the Interfaces section and enable the Use DHCP to obtain Gateway DNS Servers option for that Virtual Interface This value ...

Page 138: ...lt 17 Select OK to save the changes made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration Number of Concurrent Upgrades Use the spinner control to define the maximum number 1 20 of adopted APs that can receive a firmware upgrade at the same time Keep in mind that during a firmware upgrade the AP is offline and unable to perform its normal wireless cli...

Page 139: ...532 from the computer to ensure IP connectivity 4 Open an SSH session on the computer and connect to the AP 6532 s IP address 5 Login with a username and password of admin motorola The CLI will prompt for a new password Re enter the password and confirm 6 Within the CLI type enable 7 Enter commit write memory to save the new password 8 To upgrade firmware using a FTP server use the upgrade command...

Page 140: ...ds SNMPv3 be used for management profile configurations as it provides both encryption and authentication 5 3 9 Advanced Profile Configuration An access point profile s advanced configuration is comprised of defining connected client load balance settings a MINT protocol configuration and miscellaneous settings NAS ID access point LEDs and RF Domain Manager To set an access point profile s advance...

Page 141: ...om 1 3 radios depending on the SKU AP 6532 AP 7161 and AP 8132 models have 2 radios while AP 6511 and AP 6521 models have a single radio 1 Select Client Load Balancing from the expanded Advanced menu Figure 5 44 Advanced Client Load Balancing screen 2 Use the drop down menu to define a Band Steering Strategy Options include Prefer 5ghz Prefer 2 4 ghz and Distribute by ratio The default value is Pr...

Page 142: ...ance 2 4GHz Channel Loads Select this option to balance loads across channels in the 2 4 GHz radio band This can prevent congestion on the 2 4 GHz radio if a channel is over utilized This setting is enabled by default Selecting this feature enables parameters within the Channel Load Balancing field for assigning weightage and throughput values Balance 5GHz Channel Loads Select this option to balan...

Page 143: ...criteria for a client to be regarded as a common client in the neighbor selection process Minimum number of clients seen When Using probes from common clients is selected as a neighbor selection strategy use the spinner control to set the number of clients from 0 256 that must be shared by at least 2 access points to be regarded as neighbors in the neighbor selection process The default value is 1...

Page 144: ...esignations The default is 5 Weightage given to Client Count Use the spinner control to assign a weight between 0 100 the access point uses to prioritize 5GHz radio client count in the 5GHz radio load calculation Assign this value higher this 5GHz radio is intended to support numerous clients and their throughput is secondary to maintaining client association The default setting is 90 Weightage gi...

Page 145: ...iven to Throughput Use the spinner control to assign a weight between 0 100 the access point radio uses to prioritize radio throughput in the load calculation on both the 2 4 and 5 GHz radio bands Assign this value higher if throughput and radio performance are considered mission critical and of more importance than a high client connection count The default setting is 10 ...

Page 146: ...n A secure network requires users know about certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MINT are such that these scenarios c...

Page 147: ...n shared by the devices managed by the access point s MINT configuration Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting between 255 and 255 This is the value added to the base level DIS priority to influence the Designated IS DIS election A value of 1 or greater increases DISiness The default setting is 0 MLCP IP Check this box to enabl...

Page 148: ...tab The IP tab displays the IP address routing level link cost hello packet interval and Adjacency Hold Time managed devices use to securely communicate amongst one another within the managed network Select Add to create a new Link IP configuration or Edit to modify an existing MINT configuration ...

Page 149: ... of either 0 or 1 UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this box to specify the MiNT link as a forced link Link Cost Use the spinner control to define a link cost between 1 ...

Page 150: ...b displays the VLAN Routing Level Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another Select Add to create a new VLAN link configuration or Edit to modify an existing configuration NOTE If creating a mesh link between two access points in Standalone AP mode you ll need to ensure a VLAN is available to provide the necessary MINT li...

Page 151: ...interoperation when supporting the MINT protocol Routing Level If adding a new VLAN use the spinner control to define a routing level of either 1 or 2 Link Cost Use the spinner control to define a link cost between 1 10 000 The default value is 100 Hello Packet Interval Set an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default interval is 4 seconds Ad...

Page 152: ...ge originates 4 Select the Turn on LEDs radio button to ensure this access point s LED remain continuously illuminated Deployments such as hospitals prefer to keep their wireless devices from having illuminating LEDs as they have been reported to disturb their patients this setting however is enabled by default 5 Select the Capable radio button within the RF Domain Manager field to designate this ...

Page 153: ...32 RF Domain Manager can support up to 512 client connections An AP 6511 or AP 6521 RF Domain Manager can support up to 256 client connections 7 Select OK to save the changes made to the profile s Advanced Miscellaneous configuration Select Reset to revert to the last saved configuration ...

Page 154: ...me MAC Address and Virtual Controller designation Only Standalone APs of the same model can have their Virtual Controller AP designation changed NOTE If designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile while the UI on...

Page 155: ... points of the same model Thus an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation 7 Select the Adopt Unknown APs Automatically option to allow the Virtual Control to adopt APs it does not recognize While this option may help in the administration and management of all the APs in the netwo...

Page 156: ...ide to a device entails changing overriding the device s system name deployment area building floor and system clock To override a managed device s basic configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides 4 Select a target device MAC address from either the Device Browser in the lower left hand side of the UI or within the Device Overrides scree...

Page 157: ...F Domain or Profile the access points supports and is identified by Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exceed 64 characters Assigning an area is helpful when grouping access points in Profiles as access points in the same physical deployment location may need to share specific configuration parameters in respe...

Page 158: ...adio buttons to refine whether the updated time is for the AM or PM This time can be synchronized with the use of an external NTP resource When completed select Update Clock to commit the updated time to the device 8 Select OK to save the changes to the basic configuration Selecting Reset reverts the screen to its last saved configuration ...

Page 159: ...ation or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication c...

Page 160: ...the screen to its last saved configuration HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop down menu where an existing certificate trustpoint can be leveraged To leverage an existing device certificate for use with this target device select the Launch Manager button For more information see Certificate Management on page 5 103 SSH RSA Key Eithe...

Page 161: ...rted and exported to a secure remote location for archive and retrieval as required for application to other devices To configure trustpoints for use with certificates 1 Select Launch Manager from either the HTTPS Trustpoint SSH RSA Key or RADIUS Server Certificate parameters Figure 5 55 Certificate Management Trustpoints screen The Certificate Management screen displays with the Trustpoints secti...

Page 162: ... Key Passphrase Define the key used by both the device and the server or repository of the target trustpoint Select the Show textbox to expose the actual characters used in the key Leaving the Show checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint Protocol If selecting Advanced define the protocol used for importing ...

Page 163: ...id for cf usb1 and usb2 Path If selecting Advanced specify the path to the trustpoint Enter the complete relative path to the file on the server Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint signing the certificate A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enro...

Page 164: ...being in sole possession of the private key For information on creating the CRL used with a trustpoint refer to Setting the Certificate Revocation List CRL Configuration on page 5 63 Protocol If selecting Advanced select the protocol used for importing the target CA certificate Available options include tftp ftp sftp http cf usb1 usb2 Port If selecting Advanced use the spinner control to set the p...

Page 165: ...From Network radio button to provide network address information to the location of the target CRL The number of additional fields that populate the screen is dependent on the selected protocol Cut and Paste Select the Cut and Paste radio button to copy an existing CRL into the cut and past field When pasting a CRL no additional network address information is required URL Provide the complete URL ...

Page 166: ...ertificate Management Import Signed Cert screen 13 Define the following configuration parameters required for the Import of the CA certificate IP Address If selecting Advanced enter IP address of the server used to import the CRL This option is not valid for cf usb1 and usb2 Hostname If selecting Advanced provide the hostname of the server used to import the CRL This option is not valid for cf usb...

Page 167: ...S server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates URL Provide the complete URL to the location of the signed certificate Protocol If selecting Advanced select the protocol used for importing the target signed certificate Available...

Page 168: ...he actual characters used in the key Leaving the Show checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint Protocol If selecting Advanced select the protocol used for exporting the target trustpoint Available options include tftp ftp sftp http cf usb1 usb2 Port If selecting Advanced use the spinner control to set the po...

Page 169: ...ing key does not meet the needs of a pending certificate request generate a new key or import or export an existing key to and from a remote location Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s an algorithm that can be used for certificate signing and encryption When a device trustpoint is created the RSA key is the private key used with the trustpoint To review ...

Page 170: ...x displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select Generate Key to create a new key Figure 5 62 Certificate Management Generate RSA Key screen 5 Define the following configuration parameters required for the Import of the key Key Name Enter the 32 character maximum name as...

Page 171: ...the 32 character maximum name assigned to the RSA key Key Passphrase Define the key used by both the access point and the server or repository of the target RSA key Select the Show textbox to expose the actual characters used in the passphrase Leaving the Show checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key Protocol I...

Page 172: ...ent Export RSA Key screen 11 Define the following configuration parameters required for the Export of the RSA key Hostname If selecting Advanced provide the hostname of the server used to import the RSA key This option is not valid for cf usb1 and usb2 Path If selecting Advanced specify the path to the RSA key Enter the complete relative path to the key on the server Key Name Enter the 32 characte...

Page 173: ... with the certificate creator responsible for its legitimacy To create a self signed certificate 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create Certificate from the upper left hand side of the Certificate Management screen Protocol If selecting Advanced select the protocol used for expo...

Page 174: ...Use Existing Select the radio button and use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Create New To create a new RSA key select the radio button to define 32 character name used to identify the RSA key Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this...

Page 175: ...te digitally signed with the private key of the CA To create a CSR 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen Country C Define the Country of deployment for the certificate The field can be modified by the user to other values This is a required field and must not exceed 2 characters State ST Enter...

Page 176: ...ure optimum functionality For more information on creating a new RSA key see RSA Key Management on page 5 111 Use Existing Key Select the radio button and use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject ...

Page 177: ...on Name CN If there s a Common Name IP address for the organizational unit issuing the certificate enter it here Email Address Provide an email address used as the contact address for issues relating to this CSR Domain Name Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy To distinguish an FQDN from a regular domain...

Page 178: ... are quite similar However device configurations may need periodic refinement from their original RF Domain administered design Unlike a RFS series controller an access point supports a single RF domain An access point RF Domain cannot be used on a different model access point For example an AP 8132 RF Domain override can only be applied to another AP 8132 model access point To define a device s R...

Page 179: ...ic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Location Set the deployment location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the maintenance of the access point configuration and wireless net...

Page 180: ...the update interval is automatically adjusted by the RF Domain manager based on the access point s load The default setting is 0 Window Index Use the spinner control to set a numerical index used as an identifier for each RF Domain statistics configuration defined Sample Interval Use the spinner control to define the interval in seconds used to capture statistics supporting the listed RF Domain co...

Page 181: ...ns However device profile configurations may need periodic refinement from their original administered design Consequently a device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particular site Use Device Overrides to define configurations overriding the parameters set by the target device s original profile configuration To defin...

Page 182: ...verrides field and select Clear Overrides This will remove all overrides from the device AutoKey Select the radio button to enable an autokey configuration for the NTP resource This is a key randomly generated for use between the access point and its NTP resource The default setting is disabled Key If an autokey is not being utilized you must manually enter a 64 character maximum key shared for in...

Page 183: ...rofile configuration Radio Power Overrides Adoption Overrides Profile Interface Override Configuration Overriding the Network Configuration WAN Backhaul Overrides Overriding a Security Configuration Overriding a Services Configuration Overriding a Management Configuration Overriding an Advanced Configuration ...

Page 184: ...annot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To...

Page 185: ...er Mode and the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is pr...

Page 186: ...oint solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an existing parameter 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Profile Overrides 4 Select a target device from the Device Browser in the lower left hand side of...

Page 187: ...ween 1 4094 There is no default value for this setting 10 Use the Add Row button to populate the Controller Hostnames table with the following host pool and routing parameters for defining the preferred Virtual Controller adoption resource Hello Interval Select this option to define the interval of hello packet exchanges between the AP and its adopting controller Adjacency Hold Time Select this op...

Page 188: ...ss point adoption configuration Select Reset to revert to the last saved configuration Pool Use the spinner control to define the pool the Virtual Controller belong to The default setting is pool 1 Routing Level Use the spinner control to define the pool the Virtual Controller belong to The default setting is pool 1 ...

Page 189: ...ervice on a VLAN A virtual interface defines which IP address is associated with each connected VLAN ID An interface configuration can have overrides applied to customize the configuration to a unique deployment objective For more information refer to the following Ethernet Port Override Configuration Virtual Interface Override Configuration Radio Override Configuration ...

Page 190: ...lect the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select a target device by double clinking it from amongst those displayed within the Device Configuration screen Devices can also be selected directly from the Device Browser in the lower left hand side of the UI 4 Select Profile Overrides from the Device menu to expand it into sub menu options 5 Select Interf...

Page 191: ... be modified with the port configuration as required Mode Displays the profile s current switching mode as either Access or Trunk as defined within the Ethernet Port Basic Configuration screen If Access is selected the listed port accepts packets only from the native VLAN Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and m...

Page 192: ...longs to The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN When a frame is received with no 802 1Q header the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Allowed VLANs Displays the VLANs al...

Page 193: ...ress to advertise its presence to neighbors Cisco Discover Protocol Transmit Select the radio button to allow the Cisco discovery protocol for transmitting data on this port If enabled the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors Link Layer Discovery Protocol Receive Select this option to allow the Link Layer discovery protocol to be r...

Page 194: ...e does not support IEEE 802 1Q tagging it does not interpret the tagged frames When VLAN tagging is required between devices both devices must support tagging and be configured to accept tagged VLANs When a frame is tagged the 12 bit frame VLAN ID is added to the 802 1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to The device reads the 12 bit VLAN ID and forwards the ...

Page 195: ...t port configuration select the Create icon to define a new rule configuration For more information see Wireless Firewall on page 7 2 16 Refer to the Trust field to define the following Trust ARP Responses Select the radio button to enable ARP trust on this port ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the ...

Page 196: ...evert to the last saved configuration if you do not wish to commit the overrides Trust 8021p COS values Select the radio button to enable 802 1p COS values on this port The default value is enabled Trust IP DSCP Select the radio button to enable IP DSCP values on this port The default value is enabled NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MA...

Page 197: ...tion modify override an existing configuration or delete an existing configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select a target device by double clinking it from amongst those displayed within the Device Configuration screen Devices can also be selected directly from the Device Browser in the lower left hand side of the UI 4 Select Pr...

Page 198: ...e Displays the name of each listed Virtual Interface assigned when it was created The name is between 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed interface Description Displays the description defined for the Virtual Interface when it was either initially created or edited Admin Status A green checkmark defines the l...

Page 199: ...adio button to define this interface s current status within the network When set to Enabled the Virtual Interface is operational and available The default value is disabled Enable Zero Configuration The access point can use Zero Config for IP assignments on an individual virtual interface basis Select Primary to use Zero Config as the designated means of providing an IP address this eliminates th...

Page 200: ...ault setting 13 Select OK button to save the changes and overrides to the Basic Configuration screen Select Reset to revert to the last saved configuration 14 Select the Security tab Use DHCP to obtain Gateway DNS Servers Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface This setting is disabled by default and only available when the Us...

Page 201: ...connected clients If a firewall rule does not exist suiting the data protection needs of this Virtual Interface select the Create icon to define a new firewall rule configuration or the Edit icon to modify or override an existing configuration For more information see Wireless Firewall on page 7 2 16 Select the OK button located at the bottom right of the screen to save the changes and overrides t...

Page 202: ...u options 4 Select Interface to expand its sub menu options 5 Select Radios Figure 5 77 Profile Overrides Access Point Radios screen 6 Review the following radio configuration data to determine whether a radio configuration requires modification or override NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic...

Page 203: ...n was added or modified Admin Status Defines the radio as either enabled or disabled for client or sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be listed as a sensor to define the radio as not providing typical WLAN support The radio band is set from within the Radio Settings tab Channel...

Page 204: ...ace the fields in the packet are compared to applied ACLs to verify the packet has the required permissions needed to be forwarded If a packet does not meet any of the ACL criteria the packet is dropped Select the Create icon to define a new Association ACL RF Mode Set the mode to either 2 4 GHz WLAN or 5 GHz WLAN support depending on the radio s intended client support Set the mode to Sensor if u...

Page 205: ...er transmissions in dBm The available range is 0 20 dBm Dynamic Chain Selection Select this option to allow the access point radio to dynamically change the number of transmit chains This setting is disabled by default The radio uses a single chain antenna for frames at non 802 11n data rates Rate Once the radio band is provided the drop down menu populates with rate options depending on the 802 1...

Page 206: ...t the maximum permissible client connections for this radio Set a value between 0 256 AP 6532 AP 7131 AP 7161 and AP 8132 model access points can support up to 256 clients per access point or radio AP 6511 and AP 6521 model access points can support up to 128 clients per access point or radio NOTE AP 6532 AP 7131 AP 7161 and AP 8132 model access points can support up to 256 client connections to a...

Page 207: ...r and preserve battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitter sensitive The default value is 100 milliseconds DTIM Interval Set a DTIM Interval to specify a period for Delivery Traffic Indication Messages DTIM A DTIM is periodically included in a beacon frame transmitted from adopted radios The DTIM indicates bro...

Page 208: ...tromagneticinterferenceanddatacollisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS threshold minimizes RTS CTS exchanges consuming less bandwidth for data transmissions A disadvantage is less help to nodes that encounter interference and collisions An advantage is faster data frame throughput Environments with le...

Page 209: ...an assign each WLAN its own BSSID If using a single radio AP 6511 or AP 6521 access point there are 8 BSSIDs available If using a dual radio AP 6532 AP 7161 or AP 8132 model access point there are 8 BSSIDs for the 802 11b g n radio and 8 BSSIDs for the 802 11a n radio 15 Select OK to save the changes and overrides to the WLAN Mapping Select Reset to revert to the last saved configuration 16 Select...

Page 210: ...n preference 20 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and connect through them Portal operation begins beaconi...

Page 211: ...ansmitOnly ReceiveOnly TransmitandReceiveandNone Thedefaultvalue is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Frame Size ...

Page 212: ...resource additional host system used to capture the re directed packets This address is the numerical non DNS address of the host used to capture the re directed packets Channel to Capture Packets Use the drop down menu to specify the channel used to capture re directed packets The default value is channel 1 RIFS Mode Define a RIFS Mode using the drop down menu The RIFS mode determines whether int...

Page 213: ...rted on the receiving client In the receiving end of the data path the access point updates beamforming data or the active entries when packets are received from an address matching an active entry If a packet is received from a beamforming client not an active entry the access point automatically replaces the oldest active entry In the transmit data path if a packet is destined for an active entr...

Page 214: ...onnections and many other types of point to point communications PPP packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encaps...

Page 215: ... WAN Interface name for the WAN 3G Backhaul card Reset WAN Card If the WAN Card becomes unresponsive or is experiencing other errors click the Reset WAN Card button to power cycle and reboot the WAN card Enable WAN 3G Check this box to enable 3G WAN card support on the device A supported 3G card must be connected to the device for this feature to work Username Provide your username for authenticat...

Page 216: ...to the original configuration Applying an override differentiates the device from the profile s configuration and requires careful administration to ensure this one device still supports the deployment requirements within the network A profile s network configuration process consists of the following Overriding the DNS Configuration Overriding an ARP Configuration Overriding a Quality of Service Q...

Page 217: ...ly domain names into notations used by different networking equipment for locating resources As a resource is accessed using human friendly hostnames it s possible to access the resource even if the underlying machine friendly notation name changes Without DNS you need to remember a series of numbers 123 123 123 123 instead of a domain name www domainname com To define the DNS configuration or app...

Page 218: ...des made to the DNS configuration Select Reset to revert to the last saved configuration NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Enable Domain Lookup Select the radio button to ...

Page 219: ... sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply indicating as such ARP updates the ARP cache for future reference and then sends the packet to the MAC address tha...

Page 220: ...the last saved configuration Switch VLAN Interface Use the spinner control to select a VLAN 1 4094 for an address requiring resolution IP Address Define the IP address used to fetch a MAC Address MAC Address Displays the target MAC address that s subject to resolution This is the MAC used for mapping an IP address to a MAC address that s recognized on the network Device Type Specify the device typ...

Page 221: ...fies a specific per hop behavior that is applied to a packet This QoS assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar access point models To define an QoS configuration for DSCP mappings 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side o...

Page 222: ...o save the changes and overrides Select Reset to revert to the last saved configuration DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priority The valid values for this field are 0 7 Up to 64 entries a...

Page 223: ...ation tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Network to expand its sub menu options 5 Select Static Routes Figure 5 87 Profile Overrides Network Static Routes screen 6 Select Add Row as needed to include single rows in the static routes table 7 Add IP addr...

Page 224: ...eway routes traffic from a managed device to another network segment The default gateway connects the network to the outside network Internet The gateway is associated with a router which uses headers and forwarding tables to determine where packets are sent providing the path for the packet in and out of the gateway Setting a default gateway for a device profile can help segregate network traffic...

Page 225: ...nformation is then used to decide to filter or forward the packet This forwarding database assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar device models To define or override a forwarding database configuration 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in th...

Page 226: ...ted from the forwarding table The default setting is 300 seconds 7 Use the Add Row button to create a new row within the MAC address table 8 Set or override a destination MAC Address address The bridge reads the packet s destination MAC address and decides to forward the packet or drop filter it If it s determined the destination MAC is on a different network it forwards the packet to the segment ...

Page 227: ...LANs are only for non routable traffic like tagged VLAN frames destined to some other device which will untag it When a data frame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Bridge VLAN forwards the data frame on the appropriate port s VLAN s are useful to set separate networks to isolate some comput...

Page 228: ...erentiate it from other VLANs with similar configurations Edge VLAN Mode Defines whether the VLAN is currently in edge VLAN mode An edge VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as ed...

Page 229: ...re the General tab can become enabled and the remainder of the settings defined VLAN IDs 0 and 4095 are reserved and unavailable 9 If creating a new Bridge VLAN provide a Description up to 64 characters unique to the VLAN s specific configuration to help differentiate it from other VLANs with similar configurations Trust DHCP Responses When DHCP trust is enabled a green checkmark displays When dis...

Page 230: ...riate outbound IP ACL is not available click the create button to make a new one MAC Outbound Tunnel ACL Select a MAC Outbound Tunnel ACL for outbound traffic from the drop down menu If an appropriate outbound MAC ACL is not available click the create button to make a new one NOTE If creating a mesh connection between two access points in Standalone AP mode Tunnel must be selected as the Bridging ...

Page 231: ...to expand it into sub menu options 4 Select Network to expand its sub menu options 5 Select Miscellaneous Figure 5 91 Profile Overrides Network Miscellaneous screen 6 Select the Include Hostname in DHCP Request checkbox to include a hostname in a DHCP lease for a requesting device This feature is disabled by default 7 Select the DHCP Persistent Lease checkbox to retain the last DHCP lease used acr...

Page 232: ...on Once created a configuration can have an override applied as needed to meet the changing data protection requirements of a device s deployed environment However in doing so this device must now be managed separately from the profile configuration shared by other identical models within the network For more information on applying an override to an existing device profile refer to the following ...

Page 233: ...tion overridden from that applied in the profile To define a profile s security settings and overrides 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Security to expand its sub menu options 5 Select General NOTE A blue overr...

Page 234: ... certificate or if a private key is compromised The most common reason for revocation is the user no longer being in sole possession of the private key To define a Certificate Revocation configuration or override 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expan...

Page 235: ... Trustpoint Name field The name cannot exceed 32 characters 8 Enter the resource ensuring the trustpoint s legitimacy within the URL field 9 Use the spinner control to specify an interval in hours after which the access point copies a CRL file from an external server and associates it with a trustpoint 10 Select OK to save the changes and overrides made within the Certificate Revocation screen Sel...

Page 236: ...8 private IP addresses behind a single public IP address NAT provides outbound Internet access to wired and wireless hosts Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows the access point to translate one or more private IP addresses to a single public facing IP address assigned to a 10 100 1000 Ethernet port or 3G card To define a NAT configura...

Page 237: ... those NAT policies created thus far Any of these policies can be selected and applied to a profile 6 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or override the attributes of a existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile ...

Page 238: ...he Static NAT tab The Source tab displays by default Name If adding a new NAT policy provide a name to help distinguish it from others with similar configurations The length cannot exceed 64 characters IP Address Range Define a range of IP addresses hidden from the public Internet NAT modifies network address information in the defined IP range while in transit across a traffic routing device NAT ...

Page 239: ...eter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Inside NAT is the default setting 10 Selec...

Page 240: ...tem Reference Guide Figure 5 97 NAT Destination screen 11 Select Add to create a new NAT destination configuration Edit to modify or override the attributes of an existing configuration or Delete to permanently remove a NAT destination ...

Page 241: ...are available options TCP is a transport layer protocol used by applications requiring guaranteed delivery It s a sliding window protocol handling both timeouts and retransmissions TCP establishes a full duplex virtual connection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guarantee...

Page 242: ...generate translations in the translation table Destination Port Use the spinner control to set the local port number used at the source end of the static NAT configuration The default value is port 1 NAT IP Enter the IP address of the matching packet to the specified value The IP address modified can be either source or destination based on the direction specified NAT Port Select the radio button ...

Page 243: ...o the outside world when the translation address is used to interact with the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN between 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overload Type Select the radio button to define the Overload ...

Page 244: ...for the dynamic NAT configuration Inside is the default setting Interface Select the VLAN between 1 4094 or WWAN used as the communication medium between the source and destination points within the NAT configuration Ensure the VLAN selected adequately supports the intended network traffic within the NAT supported configuration Overload Type Select the radio button of Overload Type used with the l...

Page 245: ...to sub menu options 4 Select Services Figure 5 101 Profile Overrides Services screen 5 Refer to the Captive Portal Hosting field to set or override a guest access configuration captive portal for use with this profile A captive portal is guest access policy for providing guests temporary and restrictive access to the network The primary means of securing such guest access is a hotspot A captive po...

Page 246: ... protocols HTTP HTTPS Telnet SSH or SNMP These management access configurations can be applied strategically to profiles as resource permissions dictate for the profile Additionally overrides can be applied to customize a device s management configuration if deployment requirements change and a devices configuration must be modified from its original device profile configuration Additionally an ad...

Page 247: ...Device Configuration 5 189 Figure 5 102 Profile Overrides Management Settings screen ...

Page 248: ...nd Log Messages Use the drop down menu to specify the local server facility if used for the profile event log transfer Syslog Logging Level Event severity coincides with the syslog logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logg...

Page 249: ...d SMTP port is used on the outgoing SMTP server check this box and specify a port between 1 and 65 535 for the outgoing SMTP server to use Sender E mail Address Specify the e mail address that notification e mails will be sent from This will be the from address on notification e mails Recipient s E mail Address Specify the e mail address es of recipients for email notifications Username for SMTP S...

Page 250: ...et configuration file used in the update Enable Firmware Update Select this option to enable automatic firmware upgrades from a user defined remote location This value is disabled by default Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP s most recent firmware file for that model Remember an a...

Page 251: ...a profile s MiNT and or NAS configurations MINT provides the means to secure controller profile communications at the transport layer Using MINT a device can be configured to only communicate with other authorized MINT enabled devices Access point managed devices can communicate with each other exclusively over a MINT security domain Keys can also be generated externally using any application like...

Page 252: ...nting a physical port When users are authorized it queries the user profile database using a username representative of the physical NAS port making the connection To set or override an advanced configuration 1 Select Devices from the Configuration menu 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides to expand its menu items 4 Selec...

Page 253: ...nk IP network address information shared by the devices managed by the MINT configuration Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting between 255 and 255 This is the value added to the base level DIS priority to influence the Designated IS DIS election A value of 1 or greater increases DISiness The default setting is 0 MLCP IP Check ...

Page 254: ...b The IP tab displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration ...

Page 255: ...can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Port To specify a custom port for MiNT links check this box and use the spinner control to define or override the port number between 1 and 65 535 Forced Link Check this box to specify the MiNT link as a forced link This setting is disabled by default Link Cost Use the spinner control to define or overrid...

Page 256: ... displays the VLAN Routing Level Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another 19 Select Add to create a new VLAN link configuration or Edit to override an existing MINT configuration NOTE If creating a mesh link between two access points in Standalone AP mode you ll need to ensure a VLAN is available to provide the necessar...

Page 257: ...ollers for interoperation when supporting the MINT protocol Routing Level Use the spinner control to define or override a routing level of either 1 or 2 Link Cost Use the spinner control to define or override a link cost between 1 10 000 The default value is 10 Hello Packet Interval Set or override an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default...

Page 258: ...designate this access point as capable of being the RF Domain manager for other access points within the RF Domain This setting is enabled by default The RF Domain Manager can support up to 24 access points of the same model An AP 6532 AP 7131 AP 7161 or AP 8132 RF Domain Manager can support up to 512 client connections An AP 6511 or AP 6521 RF Domain Manager can support up to 256 client connectio...

Page 259: ... a critical resource is unavailable By default there s no enabled critical resource policy and one needs to be created and implemented To define critical resources 1 Select Devices from the Configuration menu 2 Select Critical Resources Figure 5 111 Critical Resources screen 3 Ensure the Activate Critical Resources Policy button is selected to enable the parameters within the screen for configurat...

Page 260: ...ical resource This is the address the device is assigned and is used by the access point to ensure the critical resource is available Ping Mode Set the ping mode used when the availability of a critical resource is validated Select from arp only Use the Address Resolution Protocol ARP for only pinging the critical resource ARP is used to resolve hardware addresses when only the network layer addre...

Page 261: ...e access point interfaces Existing policies can have their event notification configurations modified as device profile requirements warrant To define an access point event policy 1 Select Devices from the Configuration menu 2 Select Event Policy Figure 5 112 Event Policy screen 3 Ensure the Activate Event Policy button is selected to enable the screen for configuration This option needs to remain...

Page 262: ...5 204 WiNG 5 2 6 Access Point System Reference Guide 6 Select OK to save the changes Select Reset to revert to the last saved configuration Delete obsolete rows as needed ...

Page 263: ...ations such as guest access control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit periodic beacons for each BSS A beacon advertises the SSID security requirements supported data rates of the wireless network to enable clients to locate and connect to the WLAN WLANs are mapped...

Page 264: ...6 2 WiNG 5 2 6 Access Point System Reference Guide Figure 6 1 Configuration Wireless ...

Page 265: ...escription Displays the brief description assigned to each listed WLAN when it was either created or modified WLAN Status Lists each WLAN s status as either Active or Shutdown A green checkmark defines the WLAN as available to clients on all radios where it has been mapped A red X defines the WLAN as shutdown meaning even if the WLAN is mapped to radios it s not available for clients to associate ...

Page 266: ... of the authentication scheme each listed WLAN is using to secure client transmissions None is listed if authentication is not used within a WLAN Refer to the Encryption Type column if no authentication is used to verify there is some sort of data protection used with the WLAN or risk using this WLAN with no protection at all Encryption Type Displays the name of the encryption scheme each listed W...

Page 267: ...acters SSID Enter or modify the Services Set Identification SSID associated with the WLAN The WLAN name is auto generated using the SSID until changed by the user The maximum number of characters for the SSID is 32 Description Provide a textual description for the WLAN to help differentiate it from others with similar configurations A description can be up to 64 characters WLAN Status Select the E...

Page 268: ... existing QoS policy to the WLAN If needed select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of a selected QoS Policy QoS helps ensure each WLAN receives a fair share of the overall bandwidth either equally or per the proportion configured For information on creating a QoS policy that can be applied to a WLAN see Configuring WLAN QoS Policies on ...

Page 269: ...gure 6 4 WLAN Security screen Authentication ensures only known and trusted users or devices access an access point managed WLAN Authentication is enabled per WLAN to verify the identity of both users and devices Authentication is a challenge and response procedure for validating user credentials such as username password and secret key information A client must authenticate to an access point to ...

Page 270: ...page 6 13 for information on assigning a captive portal policy to a WLAN Encryption is essential for WLAN security as it provides data privacy for traffic forwarded over a WLAN When the 802 11 specification was introduced Wired Equivalent Privacy WEP was the primary encryption mechanism WEP has since been interpreted as flawed in many ways and is not considered an effective standalone scheme for s...

Page 271: ... authentication requests are forwarded When using PSK with EAP packets are sent requesting a secure link using a pre shared key The access point and authenticating device must use the same authenticating algorithm and passcode EAP PSK is useful when transitioning from a PSK network to one that supports EAP The only encryption types supported with this are TKIP CCMP and TKIP CCMP To configure EAP o...

Page 272: ...ecommends a valid certificate be issued and installed on devices providing 802 1X EAP The certificate should be issued from an Enterprise or public certificate authority to allow 802 1X clients to validate the identity of the authentication server prior to forwarding credentials If using an external RADIUS server for EAP authentication Motorola Solutions Solutions recommends the round trip delay o...

Page 273: ...reate an additional WLAN or select an existing WLAN and Edit to modify the security properties of an existing WLAN 3 Select Security 4 Select MAC as the Authentication Type Selecting MAC enables the radio buttons for the Open WEP 64 WEP 128 WPA WPA2 TKIP WPA2 CCMP and Keyguard encryption options as additional measures for the WLAN 5 Either select an existing AAA Policy from the drop down menu or s...

Page 274: ...e to mimic a trusted device 6 1 2 3 PSK None Configuring WLAN Security Open system authentication can be referred to as no authentication since no actual authentication takes place When selecting PSK None a client requests and is granted authentication with no credential exchange NOTE Although None implies no authentication this option is also used when pre shared keys are used for encryption thus...

Page 275: ... Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify the properties of an existing WLAN 3 Select Security 4 Refer to the Captive Portal field within the WLAN security screen Select the Captive Portal Enable option if authenticated guess access is required with the selected WLAN This feature is disabled by default 5 Select the Captive Portal Policy to us...

Page 276: ... check and an extended initialization vector however TKIP also has vulnerabilities Wi Fi Protected Access 2 WPA2 is an enhanced version of WPA WPA2 uses the Advanced Encryption Standard AES instead of TKIP AES supports 128 bit 192 bit and 256 bit keys WPA WPA2 also provide strong user authentication based on 802 1x EAP To configure WPA WPA2 encryption on a WLAN 1 Select Configuration Wireless Wire...

Page 277: ...enough data using a single key to attack the deployed encryption scheme Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the administrator from...

Page 278: ... Selecting the Pre Authentication option enables an associated client to carry out an 802 1x authentication with another access point before it roams to it This enables a roaming client to send and receive data sooner by not having to conduct an 802 1x authentication after roaming With pre authentication a client can perform an 802 1X authentication with other detected access points while still co...

Page 279: ...nsure the configuration is optimally effective Though TKIP offers better security than WEP it can be vulnerable to certain attacks When both TKIP and CCMP are both enabled a mix of clients are allowed to associate with the WLAN Some use TKIP others use CCMP Since broadcast traffic needs to be understood by all clients the broadcast encryption type in this scenario is TKIP ...

Page 280: ...ork RSN which defines a hierarchy of keys with a limited lifetime similar to TKIP Like TKIP the provided keys are used to derive other keys Messages are encrypted using a 128 bit secret key and a 128 bit block of data The end result is an encryption scheme as secure as any for associated clients To configure WPA2 CCMP encryption on a WLAN 1 Select Configuration Wireless Wireless LANs to display a ...

Page 281: ...string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the administrator from entering the 256 bit key each time keys are generated ...

Page 282: ...nterval for unicast key transmission in seconds 30 86 400 Some clients have issues using unicast key rotation so ensure you know which clients are impacted before using unicast keys This value is disabled by default Broadcast Rotation Interval When enabled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define an interval...

Page 283: ...lutions wireless networking equipment WPA2 CCMP supersedes WPA TKIP and implements all the mandatory elements of the 802 11i standard WPA2 CCMP introduces a new AES based algorithm called CCMP which replaces TKIP and WEP and is considered significantly more secure Exclude WPA2 TKIP Select this option for the access point to advertise and enable support for onlyWPA TKIP Selectthisoptionifcertainold...

Page 284: ...ted with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter WEP algorithm for a hacker to potentially duplicate but networks that require more security are at risk from a WEP flaw WEP is only recommended if there are client devices incapable of using higher forms of security The existing 802 11 standard alone of...

Page 285: ...oprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 fields to specify key numbers For WEP 64 40 bit key the keys are 10 hexadecimal characters in length Select one of these keys for de...

Page 286: ...uthentication and dynamic WEP key derivation and periodic key rotation 802 1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered If 802 1X support is not available on the legacy device MAC authentication should be enabled to provide device level authentication WEP 128 and KeyGuard use a 104 bit key which is concatenated with a 24 bit initialization v...

Page 287: ...the Generate button The pass key can be any alphanumeric string The access point other proprietary routers and Motorola Solutions Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 areas to specify key numbers For ...

Page 288: ...ting data traffic For a Firewall overview see Wireless Firewall on page 7 2 WLANs use Firewalls like Access Control Lists ACLs to filter mark packets based on the WLAN from which they arrive as opposed to filtering packets on Layer 2 ports An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions rules a packet must satisfy to match the ACE...

Page 289: ...n existing inbound and outbound IP Firewall Rule using the drop down menu If no rules exist select the Create icon to create a new Firewall rule configuration Select the Edit icon to modify the configuration of a selected Firewall If creating a new rule providing a name up to 32 characters long 5 Select the Add Row button 6 Select the added row to expand it into configurable parameters ...

Page 290: ...e following actions are supported Deny Instructs the Firewall to prohibit a packet from proceeding to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source Enter both Source and Destination IP addresses The access point uses the source IP address destination IP address and IP protocol type as basic matching criteria The access filter can also include ...

Page 291: ...ing either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions are supported Log Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted Mark Modifies certain fields inside the packet and then permits them Therefore mark is an action with an implicit permit Mark Log Conducts both mark and...

Page 292: ... what to do with the packet if it matches the specified criteria The following actions are supported Deny Instructs the Firewall to not to allow a packet to proceed to its destination Permit Instructs the Firewall to allows a packet to proceed to its destination Source and Destination MAC Enter both Source and Destination MAC addresses The access point uses the source IP address destination MAC ad...

Page 293: ... is a two octet field within an Ethernet frame It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame Description Provide a description up to 64 characters for the rule to help differentiate it from others with similar configurations ARP Trust Select the radio button to enable ARP Trust on this WLAN ARP packets received on this WLAN are considered trusted and inf...

Page 294: ...1 4 Configuring Client Settings Wireless LANs Each WLAN can maintain its own client setting configuration These settings include wireless client inactivity timeouts and broadcast configurations An AP 6532 AP 7131 AP 7161 or AP 8132 model access point can support up to 256 clients per access point An AP 6511 or AP 6521 model can support up to 128 clients per access point Thus client load balancing ...

Page 295: ...s to this WLAN but as long as this setting is disabled on the other WLAN clients are not permitted to interoperate Wireless Client Power Use this parameter to set the maximum transmit power between 0 20 dBm available to wireless clients for transmission The default value is 20 dBm Wireless Client Idle Time Set the maximum amount of time wireless clients are allowed to be idle within this WLAN Set ...

Page 296: ...bled by default Proxy ARP Mode Use the drop down menu to define the proxy ARP mode as either Strict or Dynamic Proxy ARP is the technique used by the AP to answer ARP requests intended for another system By faking its identity the AP accepts responsibility for routing packets to the actual destination Dynamic is the default value Enforce DHCP Offer Validation Select the checkbox to enforce DHCP of...

Page 297: ...e WLAN Accounting logs contain information about the use of remote access services by users This information is of great assistance in partitioning local versus remote users and how to best accommodate each Remote user information can be archived to a remote location for periodic network and user permission administration To configure WLAN accounting settings 1 Select Configuration Wireless Wirele...

Page 298: ...set to revert the screen back to its last saved configuration Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed The default port is 514 Proxy Mode Use the drop down menu to define how syslog accounting is conducted Options include None Through Wireless Controller and Through RF Domain Manager Format Use the drop down...

Page 299: ...ends the WAN port round trip delay not exceed 150ms Excessive delay over a WAN can cause authentication and roaming issues When excessive delays exists a distributed RADIUS service should be used Motorola Solutions recommends authorization policies be implemented when users need to be restricted to specific WLANs or time and date restrictions need to be applied Authorization policies can also appl...

Page 300: ... both the 2 4 and 5 GHz bands Enforce Client Load Balancing Select the radio button to enforce a client load balance distribution on this WLAN AP 6532 AP 7131 AP 7161 and AP 8132 model access points can support 256 clients per access point An AP 6511 or AP 6521 model can support up to 128 clients per access point Therefore client load balancing can be enforced for the WLAN as more and more WLANs a...

Page 301: ...cy even if load balancing is available The default setting is enabled Max Probe Requests Enter a value between 0 and 10 000 for the maximum number of probe requests for client associations on the 2 4GHz frequency The default value is 48 Probe Request Interval Enter a value in seconds between 0 and 10 000 to set an interval for client probe requests beyond associate is allowed for clients on the 2 ...

Page 302: ...ort The profile database on the RADIUS server consists of user profiles for each connected network access server NAS port Each profile is matched to a username representing a physical port When the access point authorizes users it queries the user profile database using a username representative of the physical NAS port making the connection RADIUS Dynamic Authorization Select the radio button to ...

Page 303: ...efine both minimum Basic and Supported rates as required for the 802 11b rates 802 11g rates and 802 11n rates supported by the 2 4 GHz band and 802 11a and 802 11n rates supported by the 5 0 GHz radio band These are the rates wireless client traffic is supported within this WLAN ...

Page 304: ...nation of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates The MCS16 23 option is only available to AP8132 model access points and its ability to provide 3x3x3 MIMO support The selected rates apply to associated client traffic within this WLAN only 7 Select OK ...

Page 305: ...LANs Each QoS policy has its own radio button that can be selected to edit its properties If none of the exiting QoS policies supports an ideal QoS configuration for the intended data traffic of this WLAN select the Add button to create new policy Select the radio button of an existing WLAN and select OK to map the QoS policy to the WLAN displayed in the banner of the screen Use the WLAN Quality o...

Page 306: ...s different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video Optimized for video traffi...

Page 307: ...marily used by WMM capable voice devices The default setting is enabled Multicast Mask Primary Displays the primary multicast mask defined for each listed QoS policy Normally all multicast and broadcast packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients in power save mode wake to check for frames However for certain applications and traffic type...

Page 308: ...fferent queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should be granted the opportunity to transmit TXOP The collision resolution algorithm responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each access category The minimum interframe space or A...

Page 309: ... This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video Optimized for v...

Page 310: ...PSD This is primarily used by WMM capable voice devices The default setting is enabled Enable QBSS Load IE Select this option to enable support for WMM QBSS load information element in beacons and probe response packets This setting is enabled by default Configure Non WMM Client Traffic Use the drop down menu to specify how non WMM client traffic is classified on this access point WLAN if the Wire...

Page 311: ...from 0 15 The default value is 3 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity The default value is 0 AIFSN Set the current Arbitrary Inter frame Space Number AIFSN between 2 15 The default value is 3 ECW Min The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range From this range...

Page 312: ...combined with the ECW Min to create the contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Higher values are used for lower priority traffic The available range is from 0 15 The default value is 10 Trust IP DSCP Select this option to trust IP DSCP values for WLANs The default value is disabled Trust 802 11 WMM QoS Select this op...

Page 313: ...ted from the access point upstream and data transmitted from a WLAN s wireless clients back to their associated access point radios downstream AP 6511 and AP6521 model access points do not support rate limiting on an individual client basis Before defining rate limit thresholds for WLAN upstream and downstream traffic Motorola Solutions recommends you define the normal number of ARP broadcast mult...

Page 314: ...ansmitted from access point radios to associated clients on this WLAN Enabling this option does not invoke rate limiting for data traffic in the downstream direction This feature is disabled by default Rate Define an upstream rate limit between 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received over the WLAN from all access categories...

Page 315: ...r using a time trend analysis The default threshold is 50 Best Effort Traffic Set a percentage for WLAN best effort traffic in the upstream direction This is a percentage of the maximum burst size for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower...

Page 316: ...obtained Once a baseline is obtained administrators should then add a minimum of a 10 margin to allow for traffic bursts at the site The default burst size is 320 kbytes Background Traffic Set a percentage value for WLAN background traffic in the downstream direction This is a percentage of the maximum burst size for low priority traffic Background traffic exceeding the defined threshold is droppe...

Page 317: ... rate is dropped and a log message is generated The default setting is 1000 kbps Maximum Burst Size Set a maximum burst size between 2 1024 kbytes The smaller the burst the less likely the upstream packet transmission will result in congestion forwirelessclienttraffic BytrendingthetypicalnumberofARP broadcast multicast and unknown unicast packets over a period of time the average rate for each acc...

Page 318: ...utton to enable rate limiting for data transmitted from Access Point radios to associated wireless clients Enabling this option does not invoke rate limiting for data traffic in the upstream direction This feature is disabled by default Rate Define an upstream rate limit between 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received from ...

Page 319: ...tage of the maximum burst size for video traffic Video traffic exceeding the defined threshold is dropped and a log message is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 25 Voice Traffic Set a percentage value for client vo...

Page 320: ...packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients in power save mode awake to check for frames However for certain applications and traffic types an administrator may want the frames transmitted immediately without waiting for the DTIM interval By configuring a primary and secondary multicast mask an administrator can indicate which frames are ...

Page 321: ...d if there are traffic types requiring special handling Disable Multicast Streaming Select this option to disable all Multicast Streaming on the WLAN This option is enabled by default Automatically Detect Multicast Streams Select this option to allow an administrator to have multicast packets that are being bridged converted to unicast to provide better overall airtime utilization and performance ...

Page 322: ... interval for each traffic class known as the Transmit Opportunity TXOP The TXOP prevents traffic of a higher priority from completely dominating the wireless medium thus ensuring lower priority traffic is still supported by connected radios IEEE 802 11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery U APSD that provides a mechanism for wireless client...

Page 323: ...ndwidth for WLAN sessions This form of per user rate limiting enables administrators to define uplink and downlink bandwidth limits for users and clients This sets the level of traffic a user or client can forward and receive over the WLAN If the user or client exceeds the limit excessive traffic is dropped Rate limits can be applied externally from a RADIUS server using Vendor Specific Attributes...

Page 324: ...tes the reception of frames for voice traffic when voice traffic was originated via SIP or SCCP control traffic If a client exceeds configured values the call is stopped and or received voice frames are forwarded at the next non admission controlled traffic class priority This applies to clients that do not send TPSEC frames only Implicit TPSEC A green checkmark defines the policy as requiring wir...

Page 325: ...radio QoS policy Voice A green checkmark indicates Voice prioritization QoS is enabled on the radio A red X indicates Voice prioritization QoS is disabled on the radio Best Effort A green checkmark indicates Best Effort QoS is enabled on the radio A red X indicates Best Effort QoS is disabled on the radio Video A green checkmark indicates Video prioritization QoS is enabled on the radio A red X in...

Page 326: ...r priority traffic The available range is from 0 15 The default value is 2 ECW Max The ECW Max is combined with the ECW Min to create a contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic The available range is from 0 15 The default value is 3 Transmit Ops Use the slider to set th...

Page 327: ...bined with the ECW Min to create a contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic like video The available range is from 0 15 The default value is 4 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher...

Page 328: ...to the access point before they can transmit or receive data This feature is enabled by default 12 Set the following Voice Access admission control settings for the radio QoS policy Enable Voice Select the check box to enable admission control for voice traffic Only voice traffic admission control is enabled not any of the other access categories each access category must be separately enabled and...

Page 329: ...ch access category must be separately enabled and configured This feature is disabled by default Maximum Airtime Set the maximum airtime in the form of a percentage of the radio s bandwidth allotted to admission control for normal background client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription This value helps ensure the radio s band...

Page 330: ...upporting the video access category as wireless clients supporting video use a greater proportion of resources than lower bandwidth traffic like low and best effort categories Maximum Roamed Wireless Clients Set the number of video supported wireless clients allowed to roam to a different access point radio Select from a range of 0 256 clients The default value is 10 roamed clients Reserved for Ro...

Page 331: ... admission control for clients who have roamed to a different access point radio The available percentage range is from 0 150 with 150 available to account for over subscription The default value is 10 Maximumnumberof wireless clients allowed Specify the maximum number of wireless clients between 0 and 256 allowed to use accelerated multicast The default value is 25 When wireless client count exce...

Page 332: ...ds default WMM values be used for all deployments Changing these values can lead to unexpected traffic blockages and the blockages might be difficult to diagnose Overloading an access point radio with too much high priority traffic especially voice degrades the overall service quality for all users TSPEC admission control is only available with newer voice over WLAN phones Many legacy voice device...

Page 333: ...scribing what the user is authorized to perform These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions The database could be located locally on the access point or be hosted remotely on a RADIUS server Remote RADIUS servers authorize users by associating attribute value AV ...

Page 334: ...g of a process and a stop notice at the end of a process The start accounting record is sent in the background The requested process begins regardless of whether the start accounting notice is received by the accounting server Request Interval Lists each AAA policy s interval an access point uses to send a RADIUS accounting request to the RADIUS server NAC Policy Lists the name Network Access Cont...

Page 335: ...ard self or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is between 1 and 10 attempts The de...

Page 336: ... specific form which must contain the user portion and may contain the portion identifies asingleuser Thegeneric formallows allusersin agiven or without a to be configured on a single command line Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of the NAI was to support roaming between dialup ISPs Using NAI each ISP need...

Page 337: ...ame of the RADIUS authentication server Port Define or edit the port on which the RADIUS server listens to traffic within then access point managed network The port range is 1 to 65 535 The default port is 1812 Server Type Select the type of AAA server as either Host onboard self or onboard controller AP 6511 and AP 6521 models do not have an onboard authentication resource and must use an externa...

Page 338: ...ault value of 46 NAI Routing Enable Check to enable NAI routing AAA servers identify clients using the NAI The NAI is a character string in the format of an e mail address as either user or user but it need not be a valid e mail address or a fully qualified domain name The NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the...

Page 339: ...ode Lists the method of proxy that browsers communicate with the RADIUS authentication server The mode could either be None Through Wireless Controller or Through RF Domain Manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is between 1 and 10 attempts The default...

Page 340: ...fied domain name The NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies asingleuser Thegeneric formallows allusersin agiven or without a to be configured on a single command line Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose ...

Page 341: ...the access point Host Specify the IP address or hostname of the RADIUS authentication server Port Define or edit the port on which the RADIUS server listens to traffic within the access point managed network The port range is 1 to 65 535 The default port is 1813 Server Type Select the type of AAA server as either Host onboard self or onboard controller Secret Specify the secret password used for a...

Page 342: ...le Displays NAI routing status AAA servers identify clients using the NAI The NAI is a character string in the format of an e mail address as either user or user but it need not be a valid e mail address or a fully qualified domain name The NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies asingleuser T...

Page 343: ...r is used for any non EAP authentication Options include PAP CHAP MS CHAP and MS CHAPv2 PAP is the default setting Accounting Packet Type Set the type of RADIUS Accounting Request packets generated Options include Stop Only Start Stop Start Interim Stop Start Stop is the default setting Request Interval Set the periodicity of the interim accounting requests The default is 30 minutes ...

Page 344: ...lling station id or called station id Server Pooling Mode Controls how requests are transmitted across RADIUS servers Failover implies traversing the list of servers if any server is unresponsive Load Balanced means using all servers in a round robin fashion The default setting is Failover Client Attempts Defines the number of times 1 10 an EAP request is transmitted to a Wireless Client before gi...

Page 345: ... Association ACL to a WLAN see Configuring Advanced WLAN Settings on page 6 39 Each supported access point model can support up to 32 Association ACLs with the exception of AP 6511 and AP 6521 models which can only support 16 WLAN Association ACLs To define an Association ACL deployable with a WLAN 1 Select Configuration Wireless Association ACL to display existing Association ACLs The Association...

Page 346: ...ct OK to update the Association ACL settings Select Reset to revert to the last saved configuration Precedence The rules within a WLAN s ACL are applied to packets based on their precedence values Every rule has a unique sequential precedence value you define You cannot add two rules s with the same precedence value The default precedence is 1 so be careful to prioritize ACLs accordingly as they a...

Page 347: ...nds using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name ACLs after specific WLANs as individual ACL policies can be used by more than one WLAN You cannot apply more than one MAC based ACL to a Layer 2 interface If a MAC ACL is already configured on a Layer 2 interface and a...

Page 348: ...intain wireless client performance and site coverage during dynamic RF environment changes which typically require manual reconfiguration to resolve To define the Smart RF configuration 1 Select Configuration Wireless Smart RF The Basic Configuration screen displays by default 2 Select the Activate SMART RF Policy option to enable the parameters on the screen for configuration The SMART RF configu...

Page 349: ...rt RF for immediate inclusion within a RF Domain Smart RF is enabled by default Auto Assign Sensor Select the radio button to auto assign an access point sensor radio for neighbor monitoring within the Smart RF supported network This setting is disabled by default Interference Recovery Select the radio button to enable Interference Recovery when radio interference is detected within the access poi...

Page 350: ...Hole Recovery Select the radio button to enable Coverage Hole Recovery when a radio coverage hole is detected within the Smart RF supported radio coverage area When coverage hole is detected Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio If a client s signal to noise value is above the threshold the transmit pow...

Page 351: ...n the 5 GHz band 4 dBm is the default setting 5 0 GHz Maximum Power Use the spinner control to select a 1 20 dBm maximum power level Smart RF can assign a radio in the 5 GHz band 17 dBm is the default setting 2 4 GHz Minimum Power Use the spinner control to select a 1 20 dBm minimum power level Smart RF can assign a radio in the 2 4 GHz band 4 dBm is the default setting 2 4 GHz Maximum Power Use t...

Page 352: ...t using 40 MHz while legacy clients either 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources 40MHz is the default setting 2 4 GHz Channels Use the drop down menu to select the 2 4 GHz ch...

Page 353: ...s Configuration 6 91 NOTE The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen ...

Page 354: ...0 or Minutes 0 2 The default setting is 6 seconds for both the 5 and 2 4 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency between 0 50 This is the frequency radios scan channels on non peer radios The default setting is 5 for both the 5 and 2 4 GHz bands Sample Count Use the spinner control to set a sample scan count value between 1 15 This is the number ...

Page 355: ...ting from the Smart RF Basic Configuration screen Power Hold Time Defines the minimum time between two radio power changes during neighbor recovery Set the time in either Seconds 0 3 600 Minutes 0 60 or Hours 0 1 The default setting is 0 seconds 5 0 GHz Neighbor Recovery Power Threshold Use the spinner control to set a value between 85 to 55 dBm the access point s 5 0 GHz radio uses as a maximum p...

Page 356: ...dio within the access point s radio coverage area The default value is 70 dBm Dynamic Sample Enabled Select this option to enable dynamic sampling Dynamic sampling enables an administrator to define how Smart RF adjustments are triggered by locking retry and threshold values This setting is disabled by default Dynamic Sample Retries Use the spinner control to set the number of retries 1 10 before ...

Page 357: ...s feature is enabled by default Noise Select the radio button to allow Smart RF to scan for excess noise from WiFi devices When detected Smart RF supported access points can change their channel and move to a cleaner channel This feature is enabled by default Channel Hold Time Defines the minimum time between channel changes during neighbor recovery Set the time in either Seconds 0 86 400 Minutes ...

Page 358: ...ference between noise levels on the current channel and a prospective channel If the difference is below the configured threshold the channel will not change The default setting is 20 dBm 2 4 GHz Channel Switch Delta Use the spinner to set a channel switch delta between 5 35 dBm for the 2 4 GHz radio This parameter is the difference between noise levels on the current channel and a prospective cha...

Page 359: ...del access points support up to 256 clients per access point or radio AP 6511 and AP 6521 model access points support up to 128 clients per access point or radio SNR Threshold Use the spinner control to set a signal to noise threshold between 1 75 dB This is the signal to noise threshold for an associated client as seen by its associated AP radio When exceeded the radio increases its transmit powe...

Page 360: ...alibration process impacts associated users and should not be run during business or production hours The calibration process should be performed during scheduled maintenance intervals or non business hours For Smart RF to provide effective recovery RF planning must be performed to ensure overlapping coverage exists at the deployment site Smart RF can only provide recovery when access points are d...

Page 361: ... network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network This security is offered at the most granular level with role and location based secure access available to users based on identity as well as the security posture of the client device There are multiple dimensions to consider when addressing the security of an access p...

Page 362: ...ed within the wireless network Rules are processed by a Firewall device from first to last When a rule matches the network traffic an access point is processing the Firewall uses that rule s action to determine whether traffic is allowed or denied Rules comprise conditions and actions A condition describes a packet traffic stream Define constraints on the source and destination device the service ...

Page 363: ...espond so slowly the device becomes unavailable in respect to its defined data rate DoS attacks are implemented by either forcing targeted devices to reset or consuming the devices resources so it can no longer provide service 2 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected ...

Page 364: ...to port 19 and attempts to use the character generator service to create a string of characters which is then directed to the DNS service on port 53 to disrupt DNS services Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address echo port port 7 Each of those addresses that have port 7 open will respond to the request generating a lot...

Page 365: ...k does not have other routers the router may be configured to not send routing information packets onto the local network ICMP offers a method for router discovery Clients send ICMP router solicitation multicasts onto the network and routers must respond as defined in RFC 1122 By sending ICMP Router Solicitation packets ICMP type 9 on the network and listening for ICMP Router Discovery replies ICM...

Page 366: ...are s aggressive timeouts on half open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests When establishing a security policy using TCP intercept you can choose to intercept all requests or only those coming from specific networks or destined for specific servers You can also configure the connection rate and threshold of outst...

Page 367: ...the sequence number to be used by the sending host If they can do this they will be able to send counterfeit packets to the receiving host which will seem to originate from the sending host even though the counterfeit packets may originate from some third host controlled by the attacker TCP XMAS Scan The TCP XMAS Scan floods the target system with TCP packets including the FIN URG and PUSH flags T...

Page 368: ... impacting performance for the interface Thresholds are configured in terms of packets per second 8 Refer to the Storm Control Settings field to set the following Traffic Type Use the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Broadcast Multicast and Unicast Interface Type Use the drop down menu to define the interface for which ...

Page 369: ...r interface 13 Select the Advanced Settings tab Use the Advanced Settings tab to enable disable the Firewall define application layer gateway settings flow timeout configuration and TCP protocol checks Interface Name Use the drop down menu to refine the interface selection to a specific WLAN or physical port This helps with threshold configuration for potentially impacted interfaces Packets per Se...

Page 370: ...to allow the Firewall Policy to use Proxy ARP responses for this policy on behalf of another device Proxy ARP allows the Firewall to handle ARP routing requests for devices behind the Firewall This feature is enabled by default DHCP Broadcast to Unicast Select the radio button to enable the conversion of broadcast DHCP offers to unicast Converting DHCP broadcast traffic to unicast traffic can help...

Page 371: ...onds for DNS Snoop Entry DNS Snoop Entry stores information such as Client to IP Address and Client to Default Gateway s and uses this information to detect if the client is sending routed packets to a wrong MAC address IP TCP Adjust MSS Select this option and adjust the value for the maximum segment size MSS for TCP segments on the router Set a value between 472 bytes and 1 460 bytes to adjust th...

Page 372: ... None The default setting is None Enable Verbose Logging Select this option to enable verbose logging for dropped packets This setting is disabled by default TCP Close Wait Define a flow timeout value in either Seconds 1 32 400 Minutes 1 540 or Hours 1 9 The default setting is 30 seconds TCP Established Define a flow timeout value in either Seconds 1 32 400 Minutes 1 540 or Hours 1 9 The default s...

Page 373: ...tion Security IP Firewall Rules to display existing IP Firewall Rule policies Check TCP states whereaSYNpacket tears down the flow Select the checkbox to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATEandTCP_CLOSED_STATEandcreateanewflow The default setting is enabled Check unnecessary resends of TCP packets Select the checkbox to enable the checking of unnecessary resends of TCP pac...

Page 374: ...7 4 IP Firewall Rules screen 2 Select Add Row to create a new IP Firewall Rule Select an existing policy and click Edit to modify the attributes of the rule s configuration 3 Select the added row to expand it into configurable parameters for defining a new rule ...

Page 375: ...criteria The following actions are supported Deny Instructs the Firewall to not to allow a packet to proceed to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source Enter both Source and Destination IP addresses The access point uses the source IP address destination IP address and IP protocol type as basic matching criteria The access policy filter ...

Page 376: ...cy 1 Select Configuration Security MAC Firewall Rules to display existing MAC Firewall Rule policies Protocol Select the protocol used with the IP rule from the drop down menu IP is selected by default Selecting ICMP displays an additional set of ICMP specific Options for ICMP Type and code Selecting either TCP or UDP displaysan additional setofspecific TCP UDP sourceanddestinations port options A...

Page 377: ... screen 2 Select Add Row to create a new MAC Firewall Rule Select an existing policy and click Edit to modify the attributes of the rule s configuration 3 Select the added row to expand it into configurable parameters for defining the MAC based Firewall rule ...

Page 378: ... criteria rules The action defines what to do with the packet if it matches the specified criteria The following actions are supported Deny Instructs the Firewall to not to allow a packet to proceed to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source and Destination MAC Enter both Source and Destination MAC addresses Access points use the source ...

Page 379: ...ner control to specify a precedence for this MAC Firewall rule between 1 5000 Rules with lower precedence are always applied first to packets VLAN ID Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network once authenticated by the RADIUS server The VLAN ID can be between 1 and 4094 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagg...

Page 380: ...n used with associated access point radios a WIPS deployment provides the following enterprise class security management features Threat Detection Threat detection is central to a wireless security solution Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network Rogue Detection and Segregation A WIPS supported network distinguishes itself by...

Page 381: ...presents the duration event duplicates are not stored in history The default setting is 120 seconds 5 Refer to the Rogue AP Detection field to define the following detection settings for this WIPS policy Enable Rogue AP Detection Select the checkbox to enable the detection of unsanctioned APs from this WIPS policy The default setting is disabled Wait Time to Determine AP Status Define a wait time ...

Page 382: ...acting network performance An administrator can enable or disable event filtering and set the thresholds for the generation of the event notification and filtering action An Excessive Action Event is an event where an action is performed repetitively and continuously DoS attacks come under this category Use the Excessive Action Events table to select and configure the action taken when events are ...

Page 383: ...that can compromise the security and stability of the network Use the MU Anomaly screen to set the intervals clients can be filtered upon the generation of each event Filter Expiration Set the duration an event generating client is filtered This creates a special ACL entry and frames coming from the client are dropped The default setting is 0 seconds This value is applicable across the RF Domain I...

Page 384: ...eting the event as excessive or permitted Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against its threshold A red X defines the event as disabled and not tracked by the WIPS policy Each event is disabled by default Filter Expiration Set the duration a cl...

Page 385: ... point in the configuration process by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Name Displays the name of each AP Anomaly event This column lists the event tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each AP Anomaly event Use the drop do...

Page 386: ...e Lists the name assigned to each signature when it was created A signature name cannot be modified as part of the edit process Signature Displays whether the signature is enabled A green checkmark defines the signature as enabled A red X defines the signature as disabled Each signature is disabled by default BSSID MAC Displays each BSS ID MAC address used for matching purposes Source MAC Displays...

Page 387: ...abled BSSID MAC Define a BSS ID MAC address used for matching purposes Source MAC Define a source MAC address for the packet examined for matching purposes Destination MAC Set a destination MAC address for a packet examined for matching purposes FrameTypetoMatch Use the drop down menu to select a frame type for matching with the WIPS signature Match on SSID Sets the SSID used for matching Ensure i...

Page 388: ...index and offset for the WIPS signature 24 Select OK to save the updates to the WIPS Signature configuration Select Reset to revert to the last saved configuration The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Radio Threshold Specify the threshold limit per radio that...

Page 389: ...evices should be filtered to avoid jeopardizing the data managed by the access point and its connected clients Use the Device Categorization screen to apply neighboring and sanctioned approved filters on peer access points operating in this access point s radio coverage area Detected client MAC addresses can also be filtered based on their classification in this access point s coverage area To cat...

Page 390: ...ameters to add a device to a list of devices sanctioned for network operation 6 Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification Use the drop down menu to designate the target device as either Sanctioned or Neighboring Device Type Use the drop down menu to designate the target device as either an access point or client M...

Page 391: ...utilized when deployed in conjunction with a corporate or enterprise wireless security policy Since an organization s security goals vary the security policy should document site specific concerns The WIPS system can then be modified to support and enforce these additional security policies WIPS reporting tools can minimize dedicated administration time Vulnerability and activity reports should au...

Page 392: ...7 32 WiNG 5 2 6 Access Point System Reference Guide ...

Page 393: ...to requesting clients and local RADIUS client authentication For more information refer to the following Configuring Captive Portal Policies Setting the Whitelist Configuration Setting the DHCP Server Configuration Setting the RADIUS Configuration Refer to Services Deployment Considerations on page 8 45 for tips on how to optimize the access point s configuration ...

Page 394: ...number of options on screen flow and appearance Captive portal authentication is used primarily for guest or visitor access to the network but is increasingly being used to provide authenticated access to private network resources when 802 1X EAP is not a viable option Captive portal authentication does not provide end user data encryption but it can be used with static WEP WPA PSK or WPA2 PSK enc...

Page 395: ...l Server Mode Lists each hosting mode as either Internal Self or External centralized If the mode is Internal Self the access point is maintaining the captive portal internally while External centralized means the captive portal is being supported on an external server Hosting VLAN Interface When Centralized Server is selected as the Captive Portal Server Mode a VLAN is defined where the client ca...

Page 396: ...tal policy AAA Policy Lists each AAA policy used to authorize client guest access requests The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication When a captive portal policy is created or modified a AAA policy must be defined and applied to authorize authenticate and account user requests ...

Page 397: ...Services Configuration 8 5 A Basic Configuration tab displays by default Define the policy s security access and whitelist basic configuration before HTML pages can be defined for guest user access ...

Page 398: ...io button to maintain the captive portal configuration Web pages internally on the access point Select the External Centralized radio button if the captive portal is supported on an external server Select Centralized Controller for the captive portal to reside on the accesspoint sconnectedVirtualControllerAP ThedefaultvalueisInternal Self Hosting VLAN Interface When Centralized Server is selected ...

Page 399: ...ients using the captive portal for guest access Options include No authentication required Clients can freely access the captive portal Web pages without authentication Generate Logging Record and Allow Access Access is provided without authentication but a record of the accessing client is logged Custom User Information for RADIUS Authentication When selected accessing clients are required to pro...

Page 400: ...wing Accounting parameters to define how accounting is conducted for clients entering and exiting the captive portal Accounting is the method of collecting and sending security server information for billing auditing and reporting user data such as captive portal start and stop times executed commands such as PPP number of packets and number of bytes Accounting enables wireless network administrat...

Page 401: ...ss services by users using an external syslog resource This information is of great assistance in partitioning local versus remote users Remote user information can be archived to an external location for periodic network and user administration This feature is disabled by default Syslog Host Use the drop down menu to determine whether an IP address or a host name is used as a syslog host The IP a...

Page 402: ...elcome page The Terms and Conditions page provides conditions that must be agreed to before wireless client guest access is provided for the captive portal policy The Welcome page asserts a user has logged in successfully and can access the captive portal The Fail page asserts the authentication attempt has failed and the user is not allowed access using this captive portal policy and must provide...

Page 403: ...each login terms welcome and fail function Header Text Provide header text unique to the function of each page Login Message Specify a message containing unique instructions or information for the users accessing each specific page In the case of the Terms and Conditions page the message can be the conditions requiring agreement before guest access is permitted Footer Text Provide a footer message...

Page 404: ...e The Login screen prompts the user for a username and password to access the Terms and Conditions or Welcome page Agreement URL DefinethecompleteURLforthelocationoftheTermsandConditionspage The Terms and Conditions page provides conditions that must be agreed to before wireless client access is provided Welcome URL Define the complete URL for the location of the Welcome page The Welcome page asse...

Page 405: ...s can be transferred to other managed devices as the devices support connection attempts on behalf of their connected access point Refer to Operations Devices File Transfers and use the Source and Target fields to move captive portal pages as needed to managed devices that may be displaying and hosting captive portal connections For more information refer to Managing File Transfers on page 11 7 ...

Page 406: ...t up to 32 Whitelists with the exception of AP 6511 and AP 6521 models which can only support up to 16 Whitelists To define a DNS Whitelist 1 Select Configuration Services 2 Select DNS Whitelist The DNS Whitelist screen displays those existing whitelists available to a captive portal 3 Select Add to create a Whitelist Edit to modify a selected whitelist or Delete to remove a whitelist a If creatin...

Page 407: ... suffix The default setting is disabled d If necessary select the radio button of an existing Whitelist entry and select the Delete icon to remove the entry from the Whitelist 4 Select OK when completed to update the Whitelist screen Select Reset to revert the screen back to its last saved configuration ...

Page 408: ...ch pool Each class in a pool is assigned an exclusive range of IP addresses DHCP clients are compared against classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a single ...

Page 409: ...f IP addresses used to assign to DHCP clients upon request The name assigned cannot be modified as part of the edit process If a network pool configuration is obsolete it can be deleted Subnet Displays the network address and mask used by clients requesting DHCP resources Domain Name Displays the domain name used with this network pool Host names are not case sensitive and can contain alphabetic o...

Page 410: ...ettings tab by default Define the required parameters for the Basic Settings Static Bindings and Advanced tabs to complete the creation of a DHCP pool Lease Time If a lease time has been defined for a listed network pool it displays as an interval between 1 9 999 999 seconds DHCP leases provide addresses for defined times to various clients If a client does not use a leased address for the defined...

Page 411: ...ame assigned cannot be modified as part of the edit process However if the network pool configuration is obsolete it can be deleted The name cannot exceed 32 characters Subnet Define the IP address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for ...

Page 412: ...tion file and reduces the space required to maintain address pools Figure 8 9 DHCP Pools screen Static Bindings tab 8 Review existing DHCP pool static bindings to determine if a static binding can be used as is a new one requires creation or edit or if one requires deletion 9 Select Add to create a new static binding configuration Edit to modify an existing static binding configuration or Delete t...

Page 413: ...her client identifiers IP Address Set the IP address of the client using this host pool Domain Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a host name plus a domain name For example computername domain com Boot File Enter the name of the boot file used...

Page 414: ...nition only applies to the vendor class for which it is defined 14 Within the Network field define one or group of DNS Servers to translate domain names to IP addresses Up to 8 IP addresses can be provided and translated 15 Select OK when completed to update the static bindings configuration Select Reset to revert the screen back to its last saved configuration 16 Select the Advanced tab to define...

Page 415: ... to boot remote systems over the network BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded Each pool can use a different file as needed BOOTP Next Server Provide the numerical IP address of the server providing BOOTP resources Enable Unicast Unicast packets are sent from one location to another location there s just one sender and one receiver Select this...

Page 416: ...P pool s Advanced settings Select Reset to revert the screen back to its last saved configuration 8 3 2 Defining DHCP Server Global Settings Setting a DHCP server global configuration entails defining whether BOOTP requests are ignored and setting DHCP global server options To define DHCP server global settings 1 Select the Global Settings tab and ensure the Activate DHCP Server Policy button rema...

Page 417: ...ddress or ASCII string or Hex string Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value 4 Select OK to save the updates to the DHCP server global settings Select Reset to revert the screen to its last saved configuration Ignore BOOTP Requests Select the checkbox to ignore BOOTP requests BOOTP requests boot remote systems within the net...

Page 418: ...he DHCP Class Policy screen to review existing DHCP class names and their current multiple user class designations Multiple user class options enable a user class to transmit multiple option values to DHCP servers supporting multiple user class options Either add a new class policy edit the configuration of an existing policy or permanently delete a policy as required To review DHCP class policies...

Page 419: ...lect a row within the Value column to enter a 32 character maximum value string 5 Select the Multiple User Class radio button to enable multiple option values for the user class This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options 6 Select OK to save the updates to this DHCP class policy Select Reset to revert the screen back to its l...

Page 420: ... time of day The access point uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS RADIUS authentication configured with the RADIUS service Dynamic VLAN assignment is achieved based on the RADIUS server response A user who associates to WLAN1 mapped to VLAN1 can be assigned a different VLAN after authentication with the RADIUS server This dynamic VLAN assignment overrides ...

Page 421: ...est access and temporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each group A red X designates the group as having permanent access to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions Management Group A green checkmark designates this RADIUS user group as a management group Manage...

Page 422: ... Delete button VLAN Displays the VLAN ID used by the group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the access point managed network once authenticated by the local RADIUS server Time Start Specifies the time users within each listed group can access local RADIUS resources Time Stop Specifies the time users within each listed group lose...

Page 423: ...ure 8 16 RADIUS Group Policy Add screen 4 Define the following Settings to define the user group configuration RADIUS Group Policy If creating a new RADIUS group assign it a name to help differentiate it from others with similar configurations The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process Guest User Group Select this option to assign only guest access a...

Page 424: ... to set value from 100 1 000 000 kbps Setting a value of 0 disables rate limiting Management Group Select this option to designate the RADIUS group as a management group If set as management group assign a role to the members of the group using the Access drop down menu allowing varying levels of administrative rights This feature is disabled by default Role If a group is listed as a management gr...

Page 425: ...gle user or group of users To configure a RADIUS user pool and unique user IDs 1 Select Configuration Services 2 Expand the RADIUS menu option and select User Pools Figure 8 17 RADIUS User Pool screen 3 Select Add to create a new user pool Edit to modify the configuration of an existing pool or Delete to remove a selected pool 4 If creating a new pool assign it a name up to 32 characters and selec...

Page 426: ...cess can be set uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group Displays the group name each configured user ID is a member Start Date Lists the month day and year the listed user ID can access the access point s internal RADIUS server resources Start Time Lists the time the listed user ID can access the internal RADIUS server resource...

Page 427: ...d 32 characters Select the Show checkbox to expose the password s actual character string Leaving the option unselected displays the password as a string of asterisks Guest User Select the checkbox to designate this user as a guest with temporary access The guest user must be assigned unique access times to restrict their access Group List If the user has been defined as a guest use the Group drop...

Page 428: ...alidation The access point s local RADIUS server has access to a database of authentication information used to validate client authentication requests The RADIUS server ensures the information is correct using authentication schemes like PAP CHAP or EAP The user s proof of identification is verified along with optionally other information The access point s RADIUS server policy can also be config...

Page 429: ...on 8 37 2 Expand the RADIUS menu option and select Standalone_RADIUS_Server Figure 8 20 RADIUS Server Policy screen Server Policy tab The RADIUS Server Policy screen displays with the Server Policy tab displayed by default ...

Page 430: ...d to either create a new group or modify an existing group Use the arrow icons to add and remove groups as required LDAP Group Verification Select the checkbox to set the LDAP group search configuration This setting is enabled by default Local Realm Define the LDAP Realm performing authentication using information from an LDAP server User information includes user name password and the groups to w...

Page 431: ... the client receives a verified access reject message the username and password are considered to be incorrect and the user is not authenticated LDAP Authentication Type Use the drop down menu to select the LDAP authentication scheme The following LDAP authentication types are supported by the external LDAP resource All Enables both TTLS and PAP and PEAP and GTC TTLS and PAP The EAP type is TTLS w...

Page 432: ... last saved configuration 13 Select the Proxy tab and ensure the Activate RADIUS Server Policy button remains selected A user s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources The proxy server checks the information in the user access request and either accepts or rejects the request If the proxy server accepts the request it returns configuration i...

Page 433: ...en the access point s RADIUS server receives a request for a user name the server references a table of realms If the realm is known the server proxies the request to the RADIUS server 18 Enter the Proxy server s IP Address This is the address of server checking the information in the user access request The proxy server either accepts or rejects the request on behalf of the RADIUS server 19 Enter...

Page 434: ... point s RADIUS resources that provide the tools to perform user authentication and authorize users based on complex checks and logic There s no way to perform such complex authorization checks from a LDAP user database alone Figure 8 23 RADIUS Server Policy screen LDAP tab 24 Refer to the following to determine whether an LDAP server can be used as is a server configuration requires creation or m...

Page 435: ...re RADIUS user information is available if a primary server were to become unavailable IP Address Set the IP address of the external LDAP server acting as the data source for the RADIUS server Login Define a unique login name used for accessing the remote LDAP server resource Consider using a unique login name for each LDAP server to increase the security of the connection between the access point...

Page 436: ...to as the Relative Distinguished Name RDN It identifies an entry distinctly from any other entries that have the same parent Bind Password Enter a valid password for the LDAP server Select the Show checkbox to expose the password s actual character string Leave the option unselected to display the password as a string of asterisks The password cannot 32 characters Password Attribute Enter the LDAP...

Page 437: ...cret password If a shared secret is compromised only the one client poses a risk as opposed all the additional clients that potentially share that secret password Consider using an LDAP server as a database of user credentials that can be used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location Designating at least one secondary server i...

Page 438: ...8 46 WiNG 5 6 2 Access Point System Reference Guide ...

Page 439: ...dramatically reduce an attack footprint and free resources To set Management Access administrative rights access control permissions authentication refer to the following Creating Administrators and Roles Setting the Access Control Configuration Setting the Authentication Configuration Setting the SNMP Configuration SNMP Trap Configuration Refer to Management Access Deployment Considerations on pa...

Page 440: ...ement Policy Administrators screen 2 Refer to the following to review existing administrators 3 Select Add to create a new administrator configuration Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when editing an administrator s configuration Access Type L...

Page 441: ...selected and invoked simultaneously 7 Select an Administrator Role Only one role can be assigned Web UI Select this option to enable access to the access point s Web UI Telnet Select this option to enable access to the access point using TELNET SSH Select this option to enable access to the access point using SSH Console Select this option to enable access to the access point s console Superuser S...

Page 442: ...arameters Monitor Select Monitor to assign permissions without administrative rights The Monitor option provides read only permissions Help Desk Assign this role to someone who typically troubleshoots and debugs reported problems The Help Desk manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the access point Web User Select ...

Page 443: ...aces to reduce security holes The Access Control tab is not meant to function as an ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better security than others and are more desirable To set user access control configurations 1 Select Configuration Management Access Type Encrypt...

Page 444: ...d for Telnet access Enable Telnet Select the checkbox to enable Telnet device access Telnet provides a command line interface to a remote host over TCP Telnet provides no encryption but it does provide a measure of authentication Telnet access is disabled by default Telnet Port Setthe port on which Telnet connectionsare made 1 65 535 The default port is 23 Change this value using the spinner contr...

Page 445: ...reachable HTTPS or SSH management access to the access point may be denied Those models unlike AP 6532 AP 7131 AP 7161 and AP 8132 models do not have an onboard RADIUS resource and are reliant on an external RADIUS resource for authentication Enable FTP Select the checkbox to enable FTP device access FTP File Transfer Protocol is the standard protocol for transferring files over a TCP IP network F...

Page 446: ... an existing list of IP addresses used to control connection access to the access point A default list is available or a new list can be created by selecting the Create icon An existing list can also be modified by selecting the Edit icon Source Hosts Set multiple source host IP address resources Source Subnets Define a list of subnets allowed administrative access Use the Clear link to the right ...

Page 447: ...y Authentication screen 3 Set the following to authenticate access requests to the access point managed network Local Define whether the access point s internal RADIUS resource if supported is used to validate authentication requests The default setting is Enabled When enabled network address information is not required for an external RADIUS resource AP 6511 and AP 6521 models have no local resou...

Page 448: ... AAA Servers to provide user database information and user authentication data In there s no AAA policy suiting your RADIUS authentication requirements either select the Create icon to define a new AAA policy or select an existing policy from the drop down menu and select the Edit icon to update its configuration For more information on defining the configuration of a AAA policy see AAA Policy on ...

Page 449: ...nly and read write community strings as an authentication mechanism to monitor and configure supported devices The read only community string is used to gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to monitor a system s performance and other parame...

Page 450: ...al set of variables SNMPv2 uses Get GetNext and Set operations for data management SNMPv2 is enabled by default Enable SNMPv3 Select the checkbox to enable SNMPv3 support SNMPv3 adds security and remote configuration capabilities to previous versions The SNMPv3 architectureintroducestheUser basedSecurityModel USM formessage security and the View based Access Control Model VACM for access control T...

Page 451: ...ccess Control Set the access permission for each community string used by devices to retrieve or modify information The available options include Read Only Allows a remote device to retrieve information Read Write Allows a remote device to modify settings User Name Use the drop down menu to define a user name of either snmpmanager snmpoperator or snmptrap Authentication Displays the authentication...

Page 452: ...mits the information to an external repository The trap contains several standard items such as the SNMP version community etc SNMP trap notifications exist for most operations but not all are necessary for day to day operation To define a SNMP trap configuration for receiving events at a remote destination 1 Select Configuration Management 2 Select SNMP Traps from the list of Management Policy op...

Page 453: ... icon to permanently remove a trap receiver 5 Select OK to update the SNMP Trap configuration Select Reset to revert to the last saved configuration IP Address Set the IP address of the external server resource receiving SNMP traps on behalf of the access point Port Set the server port dedicated to receiving traps The default port is 162 Version Set the SNMP version for sending SNMP traps SNMPv2 i...

Page 454: ...n Management services like HTTPS SSH and SNMPv3 should be used when possible as they provide both data privacy and authentication By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Legacy Motorola Solutions devices may use other community strings by default Motorola Solutions recommends SNMPv3 be ...

Page 455: ...Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail Numerous tools are available within the Diagnostics menu Some allow event filtering some enable log views and some allowing you to manage files generated when hardware or software issues are detected Diagnostic capabilities include Fault Management Crash Files Advanced ...

Page 456: ...lt all events are enabled and an administrator has to turn off events if they don t require tracking Figure 10 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing events Events can be filtered based on severity module received source MAC of the event device MAC of the event and MAC address of the wireless client 2 Define the following Customize Event...

Page 457: ...s are tracked When a single module is selected events from other modules are not tracked Remember this when interested in events generated by a particular module Individual modules can be selected such as TEST LOG FSM etc or all modules can be tracked by selecting All Modules Source Set the MAC address of the source device being tracked Setting a MAC address of 00 00 00 00 00 00 allows all devices...

Page 458: ...ther a selected device or those impacting the access point s default RF Domain Timestamp Displays the timestamp time zone specific when the event occurred Module Displays the module used to track the event Events detected by other modules are not tracked Message Displays error or status messages for each event listed Severity Displays the severity of the event as defined for tracking from the Conf...

Page 459: ...ific each listed event occurred Module Displays the module tracking the listed event Events detected by other modules are not tracked Message Displays error or status message for each event Severity Displays event severity as defined for tracking from the Configuration screen Severity options include All Severities All events are displayed regardless of severity Critical Only critical events are d...

Page 460: ...a device from those displayed in the lower left hand side of the UI Figure 10 4 Crash Files screen 3 The screen displays the following for each reported crash file 4 Select a listed crash file and select the Copy button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button File Nam...

Page 461: ...ugging information displays within the NETCONF Viewer by default Figure 10 5 UI Debugging screen NETCONF Viewer 2 Use the NETCONF Viewer to review NETCONF information NETCONF is a tag based configuration protocol Messages are exchanged using XML tags The Real Time NETCONF Messages area lists an XML representation of any message generated by the system The main display area of the screen is updated...

Page 462: ...UI Logs from the upper left hand side of the browser to view Application Logs Flex Logs and Error Logs The Sequence order of occurrence Date Time Type Category and Message items display for each log option selected Figure 10 6 View UI Logs screen Application Logs tab ...

Page 463: ...other managed devices Self Monitoring At Run Time RF Management Smart RF is a Motorola Solutions innovation designed to simplify RF configurations for new deployments while over time providing on going deployment optimization and radio performance improvements The Smart RF functionality scans the RF network to determine the best channel and transmit power for each managed access point radio For mo...

Page 464: ...ditionally selected devices can either have a primary or secondary firmware image applied or fallback to a selected firmware image if an error were to occur in the update process Device update activities include Managing Firmware and Config Files Managing File Transfers Using the File Browser AP Upgrades These tasks can be performed on individual access points and wireless clients NOTE AP upgrades...

Page 465: ...C address in the banner of the screen for the selected access point The Device Type also displays in the banner of the screen Firmware Version Displays the primary and secondary firmware image version currently utilized by the selected access point Build Date Displays the date the primary and secondary firmware image was built for the selected device Install Date Displays the date the firmware was...

Page 466: ...to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render the device inoperable Upgrade Status Displays the status of the last firmware upgrade For information on upgrading device firmware see Upgrading Device Firmware on page 11 5 Show Running Config Select this option to display the running configuration of the selected device Th...

Page 467: ...he Device Details screen Figure 11 2 Firmware Upgrade screen By default the Firmware Upgrade screen displays a URL field to enter the URL destination location of the device s firmware file 3 Enter the complete path to the firmware file NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode and cannot be initiated by Standalone APs Additionally upgrades can only be pe...

Page 468: ...Available options include tftp ftp sftp http cf usb1 usb2 Port Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates This option is not valid for cf usb1 and usb2 IP Address Enter IP address of the server used to update the firmware This option is not valid for cf usb1 and usb2 Hostname Provide the hostname of the server used to update the...

Page 469: ... the access point managed wireless network To administrate files for managed devices 1 Select Operations Devices File Transfers Figure 11 4 File Transfers screen 2 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity Source Select the source of the file transfer Select Server to indicate the source of the file...

Page 470: ...tname of the server transferring the file This option is not valid for cf usb1 and usb2 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file This parameter is required only when Server is selected as the Sou...

Page 471: ...ng display for each of the available memory resources 3 If needed use the Add New Folder utility to create a folder that servers as a directory for some or all of the files for a selected memory resource Once defined select the Create Folder button to implement 4 Optionally use the Delete Folder or Delete File buttons to remove a folder or file from within a memory resource File Name Displays the ...

Page 472: ... the Virtual Controller AP Upgrades can only be made to the same access point model For example an AP 8132 firmware image cannot be used to upgrade an AP 7131 model access point For that reason the drop down menu will only display the model deployed Scheduled Upgrade Time To perform the upgrade immediately select Now To schedule the upgrade to take place at a specified time enter a date and time S...

Page 473: ...entary model Use the button to move all access points in the All Devices table to the Upgrade List table Use the button to move a selected access point in the All Devices table to the Upgrade List table Use the button to move all access points from the Upgrade List Use the button to move a selected access point from the Upgrade List Upgrade List The Upgrade List table displays the APs that have be...

Page 474: ...le Advanced Select Advanced to list additional options for the image file location including protocol host and path Additional options display based on the selected protocol Protocol Select the protocol to retrieve the image files Available options include tftp Select this option to specify a file location using Trivial File Transfer Protocol A port and IP address or hostname are required A path i...

Page 475: ...ssess devices impacted by upgrade operations and their upgrade status Type Displays the type access point upgraded MAC Displays the primary MAC or hardware identifier for each device impacted by an upgrade operation State Displays the current upgrade status for each listed access point Possible states include Waiting Downloading Updating Scheduled Reboot Rebooting Done Cancelled Done No Reboot Pro...

Page 476: ...f the last status update for access points that are no longer upgrading Clear History Selecting the Clear History button clears the history log page for each access point Cancel Clicking the Cancel button will cancel the upgrade process for any selected access points that are upgrading ...

Page 477: ... CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication can be used by a client to access resources if...

Page 478: ...11 9 Trustpoints screen The Trustpoints screen displays for the selected MAC address 2 Refer to the Certificate Details to review certificate properties self signed credentials validity period and CA information 3 Select the Import button to import a certificate ...

Page 479: ...phrase Define the key used by the target trustpoint Select the Show textbox to expose the actual characters used in the key Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint Protocol If using Advanced settings select the protocol used for importing the target trustpoint Available options include tftp ftp ...

Page 480: ...ced settings enter IP address of the server used to import the trustpoint This option is not valid for cf usb1 and usb2 Hostname If using Advanced settings provide the hostname of the server used to import the trustpoint This option is not valid for cf usb1 and usb2 Path If using Advanced settings specify the path to the trustpoint Enter the complete path to the file on the server Trustpoint Name ...

Page 481: ...and Paste radio button to simply copy an existing CA certificate into the cut and past field When pasting a valid CA certificate no additional network address information is required Protocol Select the protocol used for importing the target CA certificate Available options include tftp ftp sftp http cf usb1 usb2 Port If using Advanced settings use the spinner control to set the port This option i...

Page 482: ...er of additional fields that populate the screen is also dependent on the selected protocol This is the default setting Cut and Paste Select Cut and Paste to copy an existing CRL into the cut and past field When pasting a CRL no additional network address information is required URL Provide the complete URL to the location of the CRL If needed select Advanced to expand the dialog to display networ...

Page 483: ... own creator thus the certificate creator also signs off on its legitimacy The lack of mistakes or corruption in the issuance of self signed certificates is central IP Address If using Advanced settings enter IP address of the server used to import the CRL This option is not valid for cf usb1 and usb2 Hostname If using Advanced settings provide the hostname of the server used to import the CRL Thi...

Page 484: ...should be associated From Network Select the From Network radio button to provide network address information to the location of the target signed certificate The number of additional fields that populate the screen is dependent on the selected protocol This is the default setting Cut and Paste Select the Cut and Paste radio button to copy an existing signed certificate into the cut and past field...

Page 485: ...e key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates Protocol Select the protocol used for importing the target signed certificate Available options include tftp ftp sftp http cf usb1 usb2 Port If using Adva...

Page 486: ...nt and the server or repository of the target trustpoint Select the Show textbox to expose the actual characters used in the key Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address information to the location of the target trustpoint ...

Page 487: ...mote location Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s an algorithm that can be used for certificate signing and encryption When a device trustpoint is created the RSA key is the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import export keys to and from remote locations 1 Select Operations C...

Page 488: ...Guide Figure 11 15 RSA Keys screen Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device ...

Page 489: ...he RSA key Select Cancel to revert the screen to its last saved configuration Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality ...

Page 490: ... the Show textbox to expose the actual characters used in the passphrase Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is depend...

Page 491: ...r used to import the RSA key This option is not valid for cf usb1 and usb2 Hostname Provide the hostname of the server used to import the RSA key This option is not valid for cf usb1 and usb2 Path Specify the path to the RSA key Enter the complete relative path to the key on the server Key Name Enter the 32 character maximum name assigned to the RSA key Key Passphrase Define the key passphrase use...

Page 492: ...r private CAs A self signed certificate is a certificate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate that can be applied to a device 1 Select Operations Certificates 2 Select Create Certificate Protocol Select the protocol used for exporting the RSA key Available options include tftp ftp sftp http cf usb1 usb2 Port If us...

Page 493: ...o identify the name of the trustpointassociatedwiththecertificate AtrustpointrepresentsaCA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate Use an Existing RSA Key Select the radio button and use the drop down menu to select the existing key used by both the access point and the server or repository of the...

Page 494: ...s auto generate Country C Define the Country used in the certificate This is a required field and must not exceed a 2 character country code State ST Enter a State Prov for the state or province name used in the certificate This is a required field City L Enter a City to represent the city name used in the certificate This is a required field Organization O Define an Organization for the organizat...

Page 495: ...e certificate request before the certificate can be generated A private key is not included in the CSR but is used to digitally sign the completed request The certificate created with a particular CSR only worked with the private key generated with it If the private key is lost the certificate is no longer functional The CSR can be accompanied by other identity credentials required by the certific...

Page 496: ...drop down menu to select the existing key used by both the access point and the server or repository of the target RSA key RSA Key Create or use an existing key by selecting the appropriate radio button Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more ...

Page 497: ...his is a required field City L Enter a City to represent the city name used in the CSR This is a required field Organization O Define an Organization for the organization used in the CSR This is a required field Organizational Unit OU Enter an Org Unit for the name of the organization unit used in the CSR This is a required field Common Name CN If there s a common name IP address for the organizat...

Page 498: ...dio and channel configurations as the basis to conduct Smart RF calibration operations 11 3 1 Managing Smart RF for a RF Domain Smart RF When calibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a...

Page 499: ...dio index can be used in Smart RF calibration Old Channel Lists the channel originally assigned to each listed access point within the RF Domain This value may have been changed as part an Interactive Calibration process applied to the RF Domain Compare this Old Channel against the Channel value to right of it in the table to determine whether a new channel assignment was warranted to compensate f...

Page 500: ...signed to each listed access point within the RF Domain The power level may have been increased or decreased as part an Interactive Calibration process applied to the RF Domain Compare this Old Power level against the Power value to right of it in the table to determine whether a new power level was warranted to compensate for a coverage hole Power This column displays the transmit power level for...

Page 501: ...pective access point radios 5 Select the Run Calibration option to initiate a calibration New channel and power values are applied to radios they are not written to the running configuration These values are dynamic and may keep changing during the course of the run time monitoring and calibration the Smart RF module keeps performing to continually maintain good coverage Unlike an Interactive Cali...

Page 502: ...ing to the latest firmware version for full functionality and utilization An access point must be rebooted to implement a firmware upgrade Take advantage of the reboot scheduling mechanisms available to the access point to ensure its continuously available during anticipated periods of heavy wireless traffic utilization Within a well planned RF Domain any associated radio should be reachable by at...

Page 503: ...nd encryption schemes Statistics can be displayed for the entire system or access point coverage are Stats can also be viewed collectively for RF Domain member access point radio s and their connected clients Individual access point or connected clients can be reviewed in isolation as well The access point user interface allows you filter statistics by System Statistics RF Domain Statistics Access...

Page 504: ...s follows Health Inventory Adopted Devices Pending Adoptions Offline Devices 12 1 1 Health System Statistics The Health screen displays the overall performance of the access point supported system and its connected clients This includes information on device availability overall RF quality resource utilization and network threat perception To display the health of the system 1 Select the Statistic...

Page 505: ...many are functional and currently online Green indicates online devices and red offline devices 5 The Device Types lists the access point model deployed in the system Offline Devices lists how many access points are detected in the system but currently offline 6 The RF Quality Index field displays the RF Domain s RF performance Quality indices are 0 50 Poor 50 75 Medium ...

Page 506: ...ity 50 75 Medium quality 75 100 Good quality RF Domain Displays the name of the access point RF Domain Top 5 The Utilization index is a measure of how efficiently the domain is utilized This value is defined as a percentage of current throughput relative to the maximum possible throughput The values are 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and above High ut...

Page 507: ... points and their connected clients in the system whether members of the RF Domain or not To display the system wide inventory statistics 1 Select the Statistics menu from the Web UI 2 Select System from the left hand navigation pane 3 Select Inventory from the System menu Figure 12 2 System Inventory screen 4 The Device Types table displays an exploded pie chart depicting system wide access point...

Page 508: ...to update the inventory to its latest device membership information 12 1 3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the access points in the system both RF Domain and non RF Domain member access points To view adopted AP statistics 1 Select the Statistics menu from the Web UI 2 Select System from the left hand navigation pane 3 Select Adopt...

Page 509: ... of the access point providing device association Conifg Status Displays each listed device s configuration status within the system Config Errors Lists the errors generated during device adoption Adopted by Displays hardware encoded MAC address the adopting device Adoption Time Displays the time when the listed device was connected to its associated access point Uptime Displays the elapsed time t...

Page 510: ...ess point connection MAC Address Displays the MAC address of the device pending adoption Type Displays the access point type IP Address Displays the current IP Address of the device pending adoption VLAN Displays the current VLAN number of the device pending adoption Reason Displays the status as to why the device is still pending adoption Discovery Option Displays the discovery option code for ea...

Page 511: ...me Lists the hostname assigned to each listed device when added to the system MAC Address Displays the factory encoded MAC address assigned to the device when manufactured Type Displays the access point model as either AP 6511 AP 6521 AP 6532 AP 7131 AP 7161 or AP 8132 VLAN Displays the current VLAN number of the device pending adoption RF Domain Name Displays the name of this access point s RF Do...

Page 512: ...physical location Floor Displays the deployment floor assigned to the listed device when deployed using the WING UI as a means of identifying the device s physical location Last Update Lists the last time the reporting access point displayed status on the offline device Refresh Periodically select the Refresh button to update the screen to its latest device adoption status for the system ...

Page 513: ... determine Access SMART RF and WIPS configuration Use the following information to obtain an overall view of the performance of the RF Domain and troubleshoot issues with the domain or any member device Health Inventory Access Points AP Detection Wireless Clients Wireless LANs Radios Mesh SMART RF WIPS Captive Portal Historical Data 12 2 1 Health RF Domain Statistics The Health screen displays gen...

Page 514: ...12 12 WiNG 5 2 6 Access Point System Reference Guide Figure 12 6 RF Domain Health screen ...

Page 515: ...0 Good quality 4 Refer to the Radio Quality table for RF Domain member radios requiring administration to improve performance 5 Refer to the Client Quality table for RF Domain connected clients requiring administration to improve performance 6 Refer to the WLAN Utilization field to assess the following Worst 5 Radios Displays five radios with the lowest average quality in the access point RF Domai...

Page 516: ... Client MAC Displays the client s hardcoded MAC address used a hardware identifier Vendor Lists each client s manufacturer Power Changes Displays the total number of radio transmit power changes that have been made using SMART RF within the access point RF Domain Channel Changes Displays the total number of radio transmit channel changes that have been made using SMART RF within the access point R...

Page 517: ... of the screen 3 Select Inventory from the RF Domain menu Bcast Mcast Packets Displays the total number of broadcast multicast packets transmitted and received within the access point RF Domain Management Packets This is the total number of management packets processed within the access point RF Domain Tx Dropped Packets Lists total number of dropped data packets within the access point RF Domain ...

Page 518: ... chart depicts the distribution of RF Domain members by model type The Radio Types table displays the total number of radios in this RF Domain The bar chart depicts the distribution of radio types 5 The Radios by Band field displays the total number of radios using 802 11an and 802 11bgn bands within the RF Domain The number of radios designated as sensors is also represented ...

Page 519: ...s the channels used by RF Domain member clients using 5GHz and 2 4GHz radios 12 2 3 Access Points RF Domain Statistics The RF Domain Access Points screen displays hardware data collectively for all the access Point s within the RF Domain To display RF Domain access point statistics 1 Select the Statistics menu from the Web UI 2 Select the default item from under the System node on the top left han...

Page 520: ...Type Displays each access point model within the selected RF Domain Client Count Displays the number of clients connected with each listed access point AP 6532 AP 7131 AP 7161 and AP 8132 models can support up to 256 clients per access point AP 6511 and AP 6521 models can support up to 128 clients per access point Radio Count Displays the number of radios on each listed access point AP 7131 models...

Page 521: ...of operation used by the detected access point SSID Displays the Service Set ID SSID of the network to which the detected access point belongs RSSI Displays the Received Signal Strength Indicator RSSI of the detected access point Use this variable to help determine whether a device connection would improve network coverage or add noise Reported by Displays the MAC address of the RF Domain member r...

Page 522: ...iew this content to determine whether a client should be removed from access point association within the selected access point RF Domain To review a RF Domain s connected wireless clients 1 Select the Statistics menu from the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select Wireless Clients from the RF Domain menu Figure 12 10 RF Domain ...

Page 523: ...ed WLAN Displays the name of the defined WLAN the wireless client is currently using for its access point interoperation within the RF Domain Username Displays the unique name of each client s assigned user State Displays the state of the wireless client as whether it is associating with an access point or not VLAN Displays the VLAN ID the client s connected access point has defined for interopera...

Page 524: ...efined as the percentage of current throughput relative to the maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 moderate utilization and 60 and above high utilization Radio Count Displays the number of radios deployed in each listed WLAN within this RF Domain Tx Bytes Displays the average number of packets in bytes sent on each listed RF Domain ...

Page 525: ...e Statistics menu from the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Expand Radios from the RF Domain menu and select Status Figure 12 12 RF Domain Radio Status screen The Radio Status screen displays the following Refresh Select the Refresh button to update the statistics counters to their latest values Radio Displays the name assigned t...

Page 526: ...ng on Configured Channel Lists each radio s defined operating channel to help assess if the radio is no longer transmitting on its configured channel Neighbor radios are often required to assist non functioning peers in the same coverage area Power Current Config Displays the current power level the radio is using for its transmissions Configured Power Lists each radio s defined transmit power to ...

Page 527: ...hat can be selected to display radio information in greater detail Signal Displays the power of listed RF Domain member radio signals in dBm SNR Displays the signal to noise ratio of each listed RF Domain member radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data receive...

Page 528: ...llowing Traffic Index Displays the traffic utilization index of each RF Domain member access point radio This is expressed as an integer value 0 20 indicates very low utilization and 60 and above indicate high utilization RF Quality Index Displays an integer that indicates overall RF performance for the radio The RF quality indices are 0 50 Poor 50 75 Medium 75 100 Good Refresh Select the Refresh ...

Page 529: ... as any management overhead packets Tx User Data Rate Displays the rate in kbps that user data is transmitted by each RF Domain member access point radio This rate only applies to user data and does not include any management overhead Rx User Data Rate Displays the rate in kbps that user data is received by each RF Domain member access point radio This rate only applies to user data and does not i...

Page 530: ...e configured hostname for each mesh client connected to a RF Domain member access point Client Radio MAC Displays the hardware encoded MAC address for each mesh client connected to a RF Domain member access point Portal Displays a numerical portal Index ID for the each mesh client connected to a RF Domain member access point Portal Radio MAC Displays the hardware encoded MAC address for each radio...

Page 531: ...rom the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu Figure 12 16 RF Domain Smart RF screen 4 The RF Domain SMART RF screen displays the following Individual access point MAC addresses can selected from the SMART RF Details field and the RF Domain member radio can reviewed in greater detail AP MAC Addr...

Page 532: ...rt RF Details screen 5 Select the Energy Graph tab for a RF Domain member access point radio to review the radio s operating channel and noise level and neighbor count This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios ...

Page 533: ...Statistics 12 31 Figure 12 18 RF Domain Smart RF Energy Graph ...

Page 534: ...tilization Blacklisted clients are not allowed to associate to RF Domain member access point radios To view the WIPS client blacklist 1 Select the Statistics menu from the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Expand the WIPS menu item and select Client Blacklist Figure 12 19 RF Domain WIPS Client Blacklist The WIPS Client Blacklist s...

Page 535: ...n 4 The WIPS Events screen displays the following Time Blacklisted Displays the time when the wireless client was blacklisted by a RF Domain member access point Total Time Displays the time the unauthorized now blacklisted device remained in the RF Domain Time Left Displays the time the blacklisted client remains on the list Refresh Select the Refresh button to update the statistics counters to th...

Page 536: ... 2 Select the default item from under the System node on the top left hand side of the screen 3 Select Captive Portal from the RF Domain menu Figure 12 21 RF Domain Captive Portal screen 4 The screen displays the following Captive Portal data for requesting clients Originating Device Displays the MAC address of the intruding device Detector Radio Displays RF Domain member access point radio number...

Page 537: ...tive Portal Lists the name of the RF Domain captive portal currently being utilized by each listed client Authentication Displays the authentication status of requesting clients attempting to connect to the captive portal WLAN Displays the name of the access point s WLAN the requesting client would use for interoperation VLAN Displays the name of the VLAN the client would use as a virtual interfac...

Page 538: ...rting Smart RF adjustments within the RF Domain Radio MAC Displays the radio MAC address of each access point radio reporting Smart RF adjustments within the RF Domain Radio Index Displays the numerical identifier assigned to each access point radio within the RF Domain Type Displays whether each listed access point is adopted or not New Value Displays the adjusted power value assigned by Smart RF...

Page 539: ...ptive Portal Network Time Load Balancing 12 3 1 Health Access Point Statistics The Health screen displays the selected access point s hardware version and software version Use this information to fine tune the performance of the selected access points This screen should also be the starting point for troubleshooting an access point since it s designed to present a high level display of access poin...

Page 540: ...etwork Device MAC Displays the MAC address of the AP This is factory assigned and cannot be changed Type Displays the access point s type AP 6511 AP 6521 AP 7131 AP 7161 or AP 8132 Model Displays the access point s model to help further differentiate the access point from its peers RF Domain Name Displays the access point s RF Domain membership Unlike a RFS series controller an access point can on...

Page 541: ...s RF quality index indicates the overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Radio Id Displays a radio s hardware encoded MAC address Radio Type Identifies whether the radio is a 802 11b 802 11bg 802 11bgn 802 11a or 802 11an Top Radios Displays the traffic indices of radios which measures how efficiently the traffic medium is used This value is indicated a...

Page 542: ...on the boot image and upgrade status To view the device statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Device Figure 12 24 Access Point Device screen 4 The System field displays the following Model Number Displays the model as...

Page 543: ...on fails the user can use the old version of the software Next Boot Designates this version as the version used the next time the AP is booted Available Memory Displays the available memory in MB available on the access point Total Memory Displays the access point s total memory Currently Free RAM Displays the access point s free RAM space If its very low free up some space by closing some process...

Page 544: ...s the names of the servers designated to provide DNS resources to this access point Type Displays the type of server for each server listed Primary Build Date Displays the build date when this access point firmware version was created Primary Install Date Displays the date this version was installed Primary Version Displays the primary version string Secondary Build Date Displays the build date wh...

Page 545: ...e Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select AP Upgrade Figure 12 25 Access Point AP Upgrade screen 4 The Upgrade screen displays the following information Power Management Status Lists the power status of the access point Ethernet Power Status Displays the access point ...

Page 546: ...e of the same model as the access point receiving the update MAC Displays the MAC address of the access point receiving the update Last Update Status Displays the error status of the last upgrade operation Time Last Upgraded Displays the date and time of the last upgrade operation Retries Count Displays the number of retries made in the current state State Displays the current state of the access ...

Page 547: ...access point for statistical observation 3 Expand the Adoption menu item 4 Select Adopted APs Figure 12 26 Access Point Adopted APs screen 5 The Adopted APs screen displays the following Access Point Displays the name assigned to the access point as part of its device configuration Type Lists the each listed access point type adopted by this access point RF Domain Name Displays each access point s...

Page 548: ...ors that may be hindering performance Adopted By Lists the adopting access point Adoption time Displays each listed access point s time of adoption by this access point whose MAC address displays in the banner of the screen Uptime Displays each listed access point s in service time since last offline Refresh Select the Refresh button to update the screen s statistics counters to their latest value...

Page 549: ...cess Point Adopted AP History screen 5 The Adopted Devices screen describes the following historical data for adopted access points Event Name Displays the adoption event status of each listed access point as either adopted or un adopted AP MAC Address Displays the MAC address of each access point this access point has attempted to adopt Reason Displays the reason code for each event listed in the...

Page 550: ...pand the Adoption menu item 4 Select Adopted AP History Figure 12 28 Access Point Pending Adoptions screen 5 The Adopted Devices screen provides the following MAC Address Displays the MAC address of the device pending adoption Type Displays the AP type AP 6511 AP 6521 AP 6532 AP 7131 AP 7161 or AP 8132 IP Address Displays the current IP Address of the device pending adoption VLAN Displays the curr...

Page 551: ... an access point for statistical observation 3 Select AP Detection Figure 12 29 Access Point AP Detection Screen 4 The AP Detection screen displays the following Last Seen Displays the date and time stamp of the last time the device was seen Click the arrow next to the date and time to toggle between standard time and UTC Refresh Select the Refresh button to update the screen s statistics counters...

Page 552: ...he default node and select an access point for statistical observation AP Mode Displays the mode of the unsanctioned access point Radio Type Displays the type of the radio on the unsanctioned access point The radio can be 802 11b 802 11bg 802 1bgn 802 11a or 802 11an Channel Displays the channel the unsanctioned access point is currently transmitting on Last Seen Displays the time in seconds the u...

Page 553: ...suits its intended deployment objective Username Displays the unique name of the administrator or operator assigned to the client s deployment State Displays the working state of the client roaming associating etc VLAN Displays the VLAN ID each listed client is currently mapped to IP Address Displays the unique IP address of the client Use this address as necessary throughout the applet for filter...

Page 554: ...left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Wireless LANs Figure 12 31 Access Point Wireless LANs screen 4 The Access Point Wireless LANs screen displays the following WLAN Name Displays the name of the WLAN the access point is currently using SSID Displays each listed WLAN s Service Set ID SSID Traffic Index Displays the tra...

Page 555: ...ource statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Critical Resources Radio Count Displays the number of access point radios deployed within each listed WLAN Tx Bytes Displays the average number of transmitted bytes sent on ...

Page 556: ...source This is the address the device assigned and is used by the access point to ensure the critical resource is available VLAN Lists the access point VLAN on which the critical resource is available Ping Mode Describes the ping mode as either arp only Uses the Address Resolution Protocol ARP for only pinging the critical resource ARP is used to resolve hardware addresses when only the network la...

Page 557: ... display as selectable links within each of the three access point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Figure 12 33 Access Point Radio Statistics screen Use the Details screen to review this radio s configuration in greater detail as additional deployment location ...

Page 558: ...nd side of the screen expand the default node and select an access point for statistical observation 3 Expand the Radios menu item 4 Select Status Figure 12 34 Access Point Radios Status screen 5 The radio Status screen provides the following information Radio Displays the name assigned to the radio as its unique identifier Radio MAC Displays the factory encoded hardware MAC address and assigned t...

Page 559: ...vel it is configured to use in parenthesis Configured Power Displays each listed radio s administrator defined output power level Compare this level to the current power level to determine whether the radio is optimally transmitting Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 560: ...nt for statistical observation 3 Expand the Radios menu item 4 Select RF Statistics Figure 12 35 Access Point Radios RF Statistics screen 5 The RF Statistics screen provides the following Radio Displays the name assigned to the radio as its unique identifier Signal Displays the radio s current power level in dBm SNR Displays the signal to noise ratio of the radio s associated wireless clients Tx P...

Page 561: ...te coincides with a noisy signal Traffic Index Displays the traffic utilization index of the radio This is expressed as an integer value 0 20 indicates very low utilization and 60 and above indicate high utilization Quality Index Displays an integer that indicates overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Refresh Select the Refresh button to update the sc...

Page 562: ...een displays the following Radio Displays the name assigned to the radio as its unique identifier Tx Bytes Displays the total number of bytes transmitted by each listed radio This includes all user data as well as any management overhead data Rx Bytes Displays the total number of bytes received by each listed radio This includes all user data as well as any management overhead data Tx Packets Disp...

Page 563: ...point for statistical observation 3 Expand Radios Rx User Data Rate Displays the rate in kbps user data is received by the radio This rate only applies to user data and does not include management overhead Tx Dropped Displays the total number of transmitted packets dropped by each listed radio This includes all user data as well as management overhead packets that were dropped Rx Errors Displays t...

Page 564: ...point in the RF Domain mesh network Portal Radio Index Displays the numerical Index ID for the peer device associated with each access point in the RF Domain mesh network Portal Hostname Displays the assigned hostname for the peer device associated with each access point in the RF Domain mesh network Portal Radio MAC Displays the MAC address for each radio in the RF Domain mesh network Connect Tim...

Page 565: ... interfaces available on WING 5 supported access points Use this screen to review the statistics for each access point interface Use the following screens to review the performance of each interface on the access point The interface statistics screen consists of two tabs General Statistics Viewing Interface Statistics Graph ...

Page 566: ...on on a selected access point interface such as its MAC address type and TX RX statistics To view the general interface statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation ...

Page 567: ...Graph tabs is specific to the selected interface 5 The General field describes the following Name Displays the name of the access point interface selected from the upper left hand side of the screen AP 6511 AP 6521 AP 6532 AP 7131 AP 7161 and AP 8132 models support different interfaces Interface MAC Address Displays the MAC address of the access point interface IP Address IP address of the interfa...

Page 568: ...epresents the largest packet size that can be sent over a link 10 100 Ethernet ports have a maximum setting of 1500 Mode The mode can be either Access This Ethernet interface accepts packets only from the native VLANs Trunk This Ethernet interface allows packets from a given list of VLANs that you can add to the trunk Metric Displays the metric value associated with the route through the selected ...

Page 569: ... the sending client Late collisions are not normal and are usually the result of out of specification cabling or a malfunctioning device Excessive Collisions Displays the number of excessive collisions Excessive collisions occur when the traffic load increases to the point that a single Ethernet network cannot handle it efficiently Drop Events Displays the number of dropped packets transmitted or ...

Page 570: ...ze Tx Errors Displays the number of packets with errors transmitted on the interface Tx Dropped Displays the number of transmitted packets dropped from the interface Tx Aborted Errors Displays the number of packets aborted on the interface because a clear to send request was not detected Tx Carrier Errors Displays the number of carrier errors on the interface This generally indicates bad Ethernet ...

Page 571: ...stics as the Y axis and the Polling Interval as the X axis Select different parameters on the Y axis and different polling intervals as needed Figure 12 39 Access Point Interface Network Graph tab 12 3 12 Network Access Point Statistics Use the Network screen to view information for ARP DHCP Routing and Bridging Each of these screen provide enough statistics to troubleshoot issues related to the f...

Page 572: ...3 Select Network and expand the menu to reveal its submenu items 4 Select ARP Entries Figure 12 40 Access Port Network ARP Entries screen 5 The ARP Entries screen describes the following IP Address Displays the IP address of the client being resolved on behalf of the access point ARP MAC Address Displays the MAC address corresponding to the IP address being resolved Type Defines whether the entry ...

Page 573: ...ect an access point for statistical observation 3 Select Network and expand the menu to reveal its sub menu items 4 Select Route Entries Figure 12 41 Access Point Network Route Entries screen 5 The Route Entries screen supports the following Destination Displays the IP address of a specific destination address FLAGS Displays the connection status for this entry C indicates a connected state G indi...

Page 574: ...dge screen provides details about the Integrate Gateway Server IGS which is a router connected to an access point The IGS performs the following Issues IP addresses Throttles bandwidth Permits access to other networks Times out old logins The Bridging screen also provides information about the Multicast Router MRouter which is a router program that distinguishes between multicast and unicast packe...

Page 575: ... the multicast address hosts are listening to Port Members Displays the ports on which multicast clients have been discovered by the access point Displays the interface name For example ge1 radio 1 etc Version Displays the IGMP version in use Learn Mode Displays the learning mode used by the router Either Static or PIM DVMRP Port Members Displays the ports on which multicast clients have been disc...

Page 576: ...either the Details tab or MAC Address tab to their latest values Bridge Name Displays the name of the network bridge MAC Address Displays the MAC address of the bridge selected Interface Displays the interface where the bridge transferred packets VLAN Displays the VLAN the bridge belongs to Forwarding Displays whether the bridge is forwarding packets A bridge can only forward packets ...

Page 577: ... its configuration To view a network s DHCP Options 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Network and expand the menu to reveal its sub menu items 4 Select DHCP Options Figure 12 43 Access Point Network DHCP Options screen 5 The...

Page 578: ...onfiguration file on the DHCP server Legacy Adoption Displays legacy device adoption information on behalf of the access point Adoption Displays adoption information on behalf of the access point Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 579: ...reveal its sub menu items 4 Select Cisco Discovery Protocol Figure 12 44 Access Point Network Cisco Discovery Protocol screen 5 The Cisco Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each device in the table L...

Page 580: ... pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Network and expand the menu to reveal its sub menu items 4 Select Link Layer Discovery Figure 12 45 Access Point Network Link Layer Discovery screen 5 The Link Layer Discovery Protocol screen displays the following Refresh Select Refresh to update the statistics counter...

Page 581: ...ew DHCP server statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select DHCP and expand the menu to reveal its sub menu items Platform Displays the model number of the LLDP capable device Port ID Displays the identifier for the local po...

Page 582: ...d DHCP configuration State Displays the current state of the DHCP server IP Address Displays the IP address assigned to the client Name Displays the domain name mapping corresponding to the IP address listed IP Address Displays the IP address for each client with a listed MAC address Client ID Displays the MAC address client hardware ID of the client Refresh Select Refresh to update the statistics...

Page 583: ...node and select an access point for statistical observation 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select Bindings Figure 12 47 Access Point Network DHCP Server Bindings tab 5 The DHCP Bindings screen displays the following Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources IP Address Displays the IP address for each listed cli...

Page 584: ...ccess point for statistical observation 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select Networks 5 The DHCP Networks screen displays the following 12 3 14 Firewall Access Point Statistics A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications It s a device or set of devices configured to permit o...

Page 585: ...he flows in respect to their percentage of data traffic utilized To view access point packet flows statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Packet Flows ...

Page 586: ... reset or consume its resources so it can t provide its intended service The DoS screen displays the types of attack number of times it occurred and the time of last occurrence To view DoS attack information 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical obs...

Page 587: ... 85 Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 588: ...t the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select IP Firewall Rules Figure 12 50 Access Point Firewall IP Firewall Rules screen 5 The IP Firewall Rules screen displays the followin...

Page 589: ...Statistics 12 87 Hit Count Displays the number of times each WLAN ACL has been triggered Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 590: ...hat match the rule s criteria Allow a connection Allow a connection only if it s secured through the MAC firewall security Block a connection To view the access point s MAC Firewall Rules 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Fi...

Page 591: ...re based on their precedence values Every rule has a unique precedence value between 1 and 5000 You cannot add two rules with the same precedence value Friendly String Displays a string providing additional information on rule contents Hit Count Displays the number of times each WLAN ACL has been triggered Refresh Select the Refresh button to update the screen s statistics counters to their latest...

Page 592: ...nslations Figure 12 52 Access Point Firewall NAT Translations screen 5 The NAT Translations screen displays the following Protocol Displays the IP protocol as either TCP UDP or ICMP Forward Source IP Displays the source IP address for the forward NAT flow Forward Source Port Displays the source port for the forward NAT flow contains ICMP ID if it is an ICMP flow Forward Dest IP Displays the destin...

Page 593: ... it is an ICMP flow Reverse Dest IP Displays the destination IP address for the reverse NAT flow Reverse Dest Port Displays the destination port for the reverse NAT flow contains ICMP ID if it is an ICMP flow Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 594: ...ation 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select DHCP Snooping Figure 12 53 Access Point Firewall DHCP Snooping screen 5 The DHCP Snooping screen displays the following MAC Address Displays the MAC address of the client Node Type Displays the NetBios node with the IP pool from which IP addresses can be issued to client requests on this interface IP Address Displays...

Page 595: ...h expires after a designated interval defined by the administrator The lease time is the time an IP address is reserved for re connection after its last use Using very short leases DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses This is useful for example in education and customer environments where client users change frequently Us...

Page 596: ...represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Certificates and expand the menu...

Page 597: ...Statistics 12 95 Figure 12 54 Access Point Certificate Trustpoint screen ...

Page 598: ...mation specified under the Subject Name field Issuer Name Displays the name of the organization issuing the certificate Serial Number The unique serial number of the certificate issued RSA Key Used Displays the name of the key pair generated separately or automatically when selecting a certificate IS CA Indicates if this certificate is a authority certificate Is Self Signed Displays if the certifi...

Page 599: ...elect the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Certificates and expand the menu to reveal its sub menu items 4 Select RSA Keys Figure 12 55 Access Point Certificates RSA Key screen 5 The RSA Key Details field displays the size in bits of th...

Page 600: ...bilities Basic forms of this behavior can be monitored and reported without a dedicated WIPS When the parameters exceed a configurable threshold a SNMP trap is generated that reports the results via management interfaces The WIPS screen provides details about the blacklisted clients unauthorized access points intruded into the network The details include the name of the blacklisted client the time...

Page 601: ...al its sub menu items 4 Select Client Blacklist Figure 12 56 Access Point WIPS Client Blacklist screen The WIPS Client Blacklist screen displays the following Event Name Displays the name of the intrusion event detected by this access point Blacklisted Client Displays the MAC address of the unauthorized device intruding this access point s radio coverage area Time Blacklisted Displays the time whe...

Page 602: ...to reveal its sub menu items 4 Select WIPS Events Figure 12 57 Access Point WIPS Events screen 5 The WIPS Events screen provides the following Event Name Displays the name of the detected wireless intrusion Reporting AP Displays the MAC address of the access point reporting the listed intrusion Originating Device Displays the MAC address of the intruding device Detector Radio Displays the number o...

Page 603: ...left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Sensor Servers Figure 12 58 Access Point Sensor Servers screen 4 The Sensor Servers screen displays the following Refresh Select the Refresh button to update the screen s statistics counters to their latest values IP Address Displays a list of sensor server IP addresses These are th...

Page 604: ... the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select Captive Portal Figure 12 59 Access Point Captive Portal screen 4 The Captive Portal screen displays the following Client MAC Displays the MAC address of the wireless client Client IP Displays the IP address of the requestin...

Page 605: ...103 Remaining Time Displays the time after which the client is disconnected from the captive portal hosted Internet Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 606: ...y increasing at an exponential rate the accuracy precision and synchronization of network time is essential in an access point managed enterprise network The access point can use a dedicated server to supply system time The access point can also use several forms of NTP messaging to sync system time with authenticated network traffic The Network Time screen provides detailed statistics of an assoc...

Page 607: ...Clock Offset Displays the time differential between the access point s time and its NTP resource s time Frequency Indicates the SNTP server clock s skew difference for the access point Leap Indicates if a second is added or subtracted to SNTP packet transmissions or if transmissions are synchronized Precision Displays the precision of the time clock in Hz The values that normally appear in this fi...

Page 608: ...ld range from negative values a few milliseconds to positive values several hundred milliseconds Root Display The difference between the time on the root NTP server and its reference clock The reference clock is the clock used by the NTP server to set its own clock Status Stratum Displays how many hops the access point is from its current NTP time source Refresh Select the Refresh button to update...

Page 609: ... of the screen expand the default node and select an access point for statistical observation 3 Select Network Time and expand the menu to reveal its sub menu items 4 Select the NTP Association tab Figure 12 61 Access Point Network Time Association screen 5 The NTP Association screen displays the following Delay Time Displays the round trip delay in seconds for broadcasts between the NTP server an...

Page 610: ... lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server IP Address Displays the numerical IP address of the SNTP resource server providing SNTP updates to the access point State Displays the NTP association status This can be one of the following Synced Indicates the access point is synchroniz...

Page 611: ...tion displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Request Events displays the Time Client Capability State WLAN and Requested Channels for all client request events on the access point AP 6532 AP 7131 AP 7161 and AP 8132 models can support up to 256 clients per ac...

Page 612: ...nges are required to improve client performance Wireless clients statistics screen can be reviewed through the following Health Details Traffic WMM TSPEC Association History Graph 12 4 1 Health Wireless Client Statistics The Health screen displays information on the overall performance of a selected wireless client To view the health of a wireless client 1 Select the Statistics menu from the Web U...

Page 613: ...ported access point Vendor Displays the vendor name or the manufacturer of the wireless client State Displays the state of the wireless client It can be idle authenticated roaming associated or blacklisted IP Address Displays the IP address of the selected wireless client WLAN Displays the client s access point WLAN membership BSS Displays the basic service station ID BSS of the network the wirele...

Page 614: ... RF quality index can be interpreted as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems SNR Displays the signal to noise ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbi...

Page 615: ...client 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand the RF Domain select an access point then a connected client 3 Select Details Total Bytes Displays the total bytes processed by the access point s connected wireless client Total Packets Displays the total number of packets processed by the wireless client User Da...

Page 616: ...t ID RF Domain Displays the access point RF Domain to which the connected client is a member Username Displays the unique name of the administrator or operator managing the client s connected access point Authentication Lists the authentication scheme applied to the client for interoperation with its connected access point Encryption Lists the encryption scheme applied to the client for interopera...

Page 617: ...d defines an optional Power Save Mode which is available on most 80211 clients End users can simply turn it on or off via the card driver or configuration tool With power save off the 802 11 network card is generally in receive mode listening for packets and occasionally in transmit mode when sending packets These modes require the 802 11 NIC to keep most circuits powered up and ready for operatio...

Page 618: ...shed by an AP 802 11 association enables the access point to allocate resources and synchronize with a radio NIC An NIC begins the association process by sending an association request to an access point This association request is sent as a frame This frame carries information about the NIC and the SSID of the network it wishes to associate After receiving the request the access point considers a...

Page 619: ... bytes processed by the access point s connected client Total Packets Displays the total number of data packets processed by the access point s connected wireless client User Data Rate Displays the average user data rate Packets per Second Displays the packets processed per second Physical Layer Rate Displays the data rate at the physical layer level Bcast Mcast Packets Displays the total number o...

Page 620: ...n the radio is powered down The access point holds any network packet to be sent to this radio RF Quality Index Displays information on the RF quality of the selected wireless client The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry rate and the error rate The RF quality index value can be interpreted...

Page 621: ...e left hand side of the screen Expand the RF Domain select an access point then a connected client 3 Select WMM TPSEC R Value R value is a number or score that is used to quantitatively express the quality of speech in communications systems This is used in digital networks that carry Voice over IP VoIP traffic The R value can range from 1 worst to 100 best and is based on the percentage of users ...

Page 622: ...rk indicates this feature is enabled Video Displays the status of prioritization for video traffic A red X indicates this feature is disabled A green check mark indicates this feature is enabled Best Effort Displays the status of prioritization for best effort traffic A red X indicates this feature is disabled A green check mark indicates this feature is enabled Background Displays the status of p...

Page 623: ...lect an access point then a connected client 3 Select Association History Parameter Displays the parameter for defining the traffic stream TID identifies data packets as belonging to a unique traffic stream Voice Displays the Voice corresponding to the TID and Media Time Video Displays the Video corresponding to the TID and Media Time Best Effort Displays the Best Effort corresponding to the TID a...

Page 624: ...d by since the screen was last refreshed BSSID Displays the connected access point s hardware encoded MAC address as a hardware identifier The MAC address can be used to filter devices Channel Lists the channel assignment for each listed access point The channel was shared by both the access point and client for interoperation Band Lists the 2 4 or 5GHz radio band this clients and its connect acce...

Page 625: ...m from the navigation pane on the left hand side of the screen Expand the RF Domain select an access point then a connected client 3 Select Graph 4 Use the Parameters drop down menu to define from 1 3 variables assessing signal noise transmit or receive values 5 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 minutes 20 minu...

Page 626: ...12 124 WiNG 5 2 6 Access Point System Reference Guide ...

Page 627: ...Model number or product name Software type and version number Motorola Solutions responds to calls by email or telephone within the time limits set forth in support agreements If you purchased your product from a Motorola Solutions business partner contact that business partner for support Customer Support Web Site The Support Central Web site located at http supportcentral motorola com provides i...

Page 628: ...A 2 WiNG 5 2 6 Access Point System Reference Guide ...

Page 629: ...nts and required copyright notices for open source packages used in these Motorola Solutions products Access Points AP8132 AP7181 AP7161 AP7131 AP6532 AP6521 AP6511 AP5181 AP5131 AP650 AP622 AP621 Wireless Switches NX9000 RFS7000 RFS6000 RFS4000 WS5100 APPENDIX B PUBLICLY AVAILABLE SOFTWARE ...

Page 630: ...o contains information regarding Motorola Solutions use of open source Name Version Origin License Apache Web Server 1 3 41 www apache org Apache License 2 0 asterisk 1 2 24 http asterisk org GNU General Public License 2 0 advas 0 2 3 http advas sourceforge net GNU General Public License 2 0 autoconf 2 62 http www gnu org software autoconf GNU General Public License 2 0 automake 1 9 6 http www gnu...

Page 631: ...to ols GNU General Public License 2 0 dropbear 0 51 http matt ucc asn au dropbear dropbear html Drop Bear License e2fsprogs 1 40 11 http e2fsprogs sourceforge net GNU General Public License 2 0 ethtool 2 6 35 http www kernel org pub software network eth tool GNU General Public License 2 0 flashrom 0 9 4 http flashrom org Flashrom GNU General Public License 2 0 flex 2 5 4 http flex sourceforge net ...

Page 632: ... groups networking iproute2 BSD Style Licenses iproute2 2 6 25 http developer osdl org GNU General Public License 2 0 iptables 1 4 3 http www netfilter org projects iptables index h tml GNU General Public License 2 0 ipxe 1 0 0 http ipxe org GNU General Public License 2 0 kerberos None http web mit edu Kerberos GNU General Public License 2 0 kexec tools 2 0 3 http kernel org pub linux utils kernel...

Page 633: ...2 0 libxml2 2 7 7 http xmlsoft org MIT License libxslt 1 1 26 MIT License lighttpd 1 4 29 http www lighttpd net MIT License lilo 22 6 http lilo go dyndns org GNU General Public License 2 0 linux 2 6 28 9 http www kernel org GNU General Public License 2 0 ltp 20060717 http ltp sourceforge net GNU General Public License 2 0 lxml 2 3 beta1 http lxml de BSD Style Licenses lzma 4 32 http www 7 zip org ...

Page 634: ...p org BSD Style Licenses openldap 2 3 20 http www openldap org foundation Open LDAP Public License openssh 5 4p1 http www openssh com BSD Style Licenses openssl 1 2 3 http www openssl org Open SSL License openwrt trunk r150 25 https openwrt org GNU General Public License 2 0 opkg trunk r456 4 http code google com p opkg GNU General Public License 2 0 oprofile 0 9 2 http oprofile sourceforge net ne...

Page 635: ...http www quagga net GNU General Public License 2 0 quilt 0 47 http savannah nongnu org projects quilt GNU General Public License 2 0 rp pppoe 3 1 0 http www roaringpenguin com products pppoe GNU General Public License 2 0 rsync 3 0 6 http rsync samba org GNU General Public License 3 0 safestr 1 0 3 http www zork org safestr BSD Style Licenses samba 3 5 1 http www samba org GNU General Public Licen...

Page 636: ...ttp www linux usb org GNU General Public License 2 0 util linux 2 20 http www kernel org pub linux utils util linux GNU General Public License 2 0 valgrind 3 5 0 http valgrind org GNU General Public License 2 0 wireless_tools r29 http www hpl hp com personal Jean_Tourrilhes Linux Tools html GNU General Public License 2 0 wuftpd 1 0 21 http wu ftpd therockgarden ca WU FTPD License XenAPI 4 0 http d...

Page 637: ...modifications represent as a whole an original work of authorship For the purposes of this License Derivative Works shall not include works that remain separable from or merely link or bind by name to the interfaces of the Work and Derivative Works thereof Contribution shall mean any work of authorship including the original version of the Work and any modifications or additions to that Work or De...

Page 638: ...ional attribution notices cannot be construed as modifying the License You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use reproduction or distribution of Your modifications or for any such Derivative Works as a whole provided Your use reproduction and distribution of the Work otherwise complies with the condit...

Page 639: ...with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice and the entire permission notice in its entirety including the disclaimer of warranties 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation a...

Page 640: ...HE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE LibTomCrypt and LibTomMath are written by Tom St Denis and ar...

Page 641: ...free for all its users This General Public License applies to most of the Free Software Foundation s software and to any other program whose authors commit to using it Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead You can apply it to your programs too When we speak of free software we are referring to freedom not price Our General Public L...

Page 642: ...de as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferr...

Page 643: ...ing machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange If distribution of object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code even though third parti...

Page 644: ...ify that the user has already received a copy of these materials or that you have already sent this user a copy For an executable the required form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either s...

Page 645: ...he is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 12 If the distribution and or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Librar...

Page 646: ...g to freedom not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to make restri...

Page 647: ...er contains cod derived from the library while the latter only works together with the library Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License Agreement applies to any software library which contains a notice placed by the copyright holder or oth...

Page 648: ...ion of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works base...

Page 649: ...th each copy of the work that the Library is used in it and that the Library and its use are covered by this License You must supply a copy of this License If the work during execution displays copyright notices you must include the copyright notice for the Library among them as well as a reference directing the user to the copy of this License Also you must do one of these things a Accompany the ...

Page 650: ...ment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obliga...

Page 651: ...N 16 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED...

Page 652: ...he full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the GNU Lesser General Public License applies to certain designated libraries and is quite different from the ordinary General Public License We use this license for certain libraries in order to permit linking those libraries into non free ...

Page 653: ...ogram is covered only if its contents constitute a work based on the Library independent of the use of the Library in a tool for writing it Whether that is true depends on what the Library does and what the program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and approp...

Page 654: ...esponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange If distribution of object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code even though third...

Page 655: ...quired form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless tha...

Page 656: ...make thoroughly clear what is believed to be a consequence of the rest of this License 12 If the distribution and or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is per...

Page 657: ...icenses are designed to make sure that you have the freedom to distribute copies of free software and charge for them if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to prevent others from denying you these rights or asking you to ...

Page 658: ...hat enables other parties to make or receive copies Mere interaction with a user through a computer network with no transfer of a copy is not conveying An interactive user interface displays Appropriate Legal Notices to the extent that it includes a convenient and prominently visible feature that 1 displays an appropriate copyright notice and 2 tells the user that there is no warranty for the work...

Page 659: ...llowed section 10 makes it unnecessary 3 Protecting Users Legal Rights From Anti Circumvention Law No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996 or similar laws prohibiting or restricting circumvention of such measures When you convey a covered work...

Page 660: ...copy the Corresponding Source from a network server at no charge c Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source This alternative is allowed only occasionally and noncommercially and only if you received the object code with such an offer in accord with subsection 6b d Convey the object code by offering access from a designated pla...

Page 661: ...valid under applicable law If additional permissions apply only to part of the Program that part may be used separately under those permissions but the entire Program remains governed by this License without regard to the additional permissions When you convey a copy of a covered work you may at your optionremove any additional permissions from that copy or from any part of it Additional permissio...

Page 662: ... a copy likewise does not require acceptance However nothing other than this License grants you permission to propagate or modify any covered work These actions infringe copyright if you do not accept this License Therefore by modifying or propagating a covered work you indicate your acceptance of this License to do so 10 Automatic Licensing of Downstream Recipients Each time you convey a covered ...

Page 663: ...se is discriminatory if it does not include within the scope of its coverage prohibits the exercise of or is conditioned on the non exercise of one or more of the rights that are specifically granted under this License You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software under which you make payment to the third ...

Page 664: ...APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE...

Page 665: ...Redistributions in binary form must reproduce applicable copyright statements and notices this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a version numb...

Page 666: ...re may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMP...

Page 667: ...PTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publicly available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under a...

Page 668: ...S PROVIDED BY THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY O...

Page 669: ......

Page 670: ...S A http www motorolasolutions com MOTOROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2012 Motorola Solutions Inc All Rights Reserved ...

Reviews:

No comments