manualshive.com logo in svg

Motorola WiNG 4.4, Reference Manual, Page: 443 / 598

Share
Download
Motorola WiNG 4.4 Reference Manual Download Page 443

Switch Security 6 - 91

Apart from EAP authentication, the switch allows the enforcement of user-based policies. User-based policies include 
dynamic VLAN assignment and access based on time of day.

The switch uses a default trustpoint. A certificate is required for EAP TTLS,PEAP and TLS Radius authentication (configured 
with the Radius service). 

Dynamic VLAN assignment is achieved based on the Radius server response. A user who associates to WLAN1 (mapped 
to VLAN1) can be assigned a different VLAN after authentication with the Radius server. This dynamic VLAN assignment 
overrides the WLAN's VLAN ID to which the User associates. 

For 802.1x EAP authentication, the switch initiates the authentication process by sending an EAPoL message to the Access 
Port only after the wireless client joins the wireless network. The Radius client in the switch processes the EAP messages 
it receives. It encapsulates them to Radius access requests and sends them to the configured Radius server (in this case 
the switch’s local Radius server).

The Radius server validates the user’s credentials and challenge information received in the Radius access request frames. 
If the user is authorized and authenticated, the client is granted access by sending a Radius access accept frame. The 
frame is transmitted to the client in an EAPoL frame format.

6.8.1.1 User Database

User group names and associated users (in each group) can be created in the local database. The User ID in the received 
access request is mapped to the associated wireless group for authentication. The switch supports the creation of 500 
users and 100 groups within its local database. Each group can have a maximum of 500 users.

6.8.1.2 Authentication of Terminal/Management User(s)

The local Radius server can be used to authenticate users. A normal user (with a password) should be created in the local 
database. These users should not be a part of any group.

6.8.1.3 Access Policy

Access policies are defined for a group created in the local database. Each user is authorized based on the access policies 
defined for the groups to which the user belongs. Access policies allow the administrator to control access to a set of users 
based on the WLANs (ESSID).

NOTE: 

For a Radius supported VLAN to function properly, the "Dynamic Assignment" 

checkbox must be enabled for the WLAN supporting the VLAN. For more information, see 

Editing the WLAN Configuration on page 4-27

.

Summary of Contents for WiNG 4.4

Page 1: ...Motorola Solutions WiNG 4 4 SYSTEM REFERENCE GUIDE ...

Page 2: ......

Page 3: ...MOTOROLA SOLUTIONS WING 4 4 SYSTEM REFERENCE GUIDE 72E 157062 01 Revision A January 2012 ...

Page 4: ...ht law The user shall not modify merge or incorporate any form or portion of a licensed program with other program material create a derivative work from a licensed program or use a licensed program in a network without written permission from Motorola Solutions The user agrees to maintain Motorola Solutions s copyright notice on the licensed programs delivered hereunder and to include the same on...

Page 5: ...iii Revision History Changes to the original guide are listed below Change Date Description Rev A January 2012 Manual updated to WiNG 4 4 baseline ...

Page 6: ...iv WiNG 4 4 Switch System Reference Guide ...

Page 7: ...6 Supported Access Ports Points 1 24 1 3 IEEE Standards Support 1 25 1 4 Standards Support 1 29 Chapter 2 Switch Web UI Access and Image Upgrades 2 1 Accessing the Switch Web UI 2 2 2 1 1 Web UI Requirements 2 2 2 1 2 Connecting to the Switch Web UI 2 2 2 2 Switch Password Recovery 2 4 2 3 Upgrading the Switch Image 2 5 2 4 Auto Installation 2 6 2 5 AP 4131 Access Point to Access Port Conversion 2...

Page 8: ... 1 Displaying the Network Interface 4 2 4 2 Viewing Network IP Information 4 4 4 2 1 Configuring DNS 4 4 4 2 2 Configuring IP Forwarding 4 6 4 2 3 Viewing Address Resolution 4 8 4 3 Viewing and Configuring Layer 2 Virtual LANs 4 9 4 3 1 Viewing and Configuring VLANs by Port 4 9 4 3 2 Editing the Details of an Existing VLAN by Port 4 10 4 3 3 Viewing and Configuring Ports by VLAN 4 11 4 4 Configuri...

Page 9: ...ping 4 164 4 11 1 IGMP Snoop Configuration 4 164 4 11 2 IGMP Snoop Querier Configuration 4 165 4 12 Wired Hotspot 4 167 4 12 1 Wired Hotspot Configuration 4 167 Chapter 5 Switch Services 5 1 Displaying the Services Interface 5 2 5 2 DHCP Server Settings 5 4 5 2 1 Configuring the Switch DHCP Server 5 5 5 2 2 Viewing the Attributes of Existing Host Pools 5 10 5 2 3 Configuring Excluded IP Address In...

Page 10: ...ction 6 11 6 3 1 Configuring Wireless Intrusion Detection Protection 6 11 6 3 2 Viewing Filtered MUs 6 13 6 4 Configuring Firewalls and Access Control Lists 6 15 6 4 1 ACL Overview 6 15 6 4 2 Attaching an ACL on a WLAN Interface Port 6 18 6 4 3 Attaching an ACL Layer 2 Layer 3 Configuration 6 20 6 4 4 Configuring the Role Based Firewall 6 22 6 4 5 Attaching Adaptive AP WLANs 6 24 6 4 6 Attaching A...

Page 11: ...the Beacon Table 6 118 6 10 2 Configuring the Probe Table 6 120 6 10 3 Reviewing Found Beacons 6 121 6 10 4 Reviewing Found Probes 6 122 Chapter 7 Switch Management 7 1 Displaying the Management Access Interface 7 2 7 2 Configuring Access Control 7 3 7 3 Configuring SNMP Access 7 5 7 3 1 Configuring SNMP v1 v2 Access 7 5 7 3 2 Configuring SNMP v3 Access 7 7 7 3 3 Accessing SNMP v2 v3 Statistics 7 ...

Page 12: ...e AP WLAN Topology B 8 B 1 8 Configuration Updates B 9 B 1 9 Securing Data Tunnels between the Switch and AAP B 9 B 1 10 Adaptive AP Switch Failure B 9 B 1 11 Remote Site Survivability RSS B 9 B 1 12 Adaptive Mesh Support B 10 B 1 13 AAP Radius Proxy Support B 11 B 2 Supported Adaptive AP Topologies B 13 B 2 1 Topology Deployment Considerations B 13 B 2 2 Extended WLANs Only B 13 B 2 3 Independent...

Page 13: ... Issues C 14 Appendix D Open Source Software Information D 1 Open Source Software Used D 2 D 2 OSS Licenses D 5 D 2 1 GNU General Public License 2 0 D 5 D 2 2 GNU Lesser General Public License 2 1 D 8 D 2 3 BSD Style Licenses D 14 D 2 4 MIT License D 14 D 2 5 Open SSL License D 14 D 2 6 ZLIB License D 16 D 2 7 Drop Bear License D 16 Appendix E Best Practices E 1 ACL configuration to reduce the amo...

Page 14: ...xii WiNG 4 4 Switch System Reference Guide ...

Page 15: ...n to more advanced configuration of the switches Motorola Solutions RFS Series Wireless LAN Switches WiNG System Reference Describes configuration of the Motorola Solutions RF Switches using the Web UI Motorola Solutions RFS Series Wireless LAN Switches WiNG CLI Reference Describes the Command Line Interface CLI and Management Information Base MIB commands used to configure the Motorola Solutions ...

Page 16: ...ox and radio button names Icons on a screen GUI text is used to highlight the following Screen names Menu items Button names on a screen bullets indicate Action items Lists of alternatives Lists of required steps that are not necessarily sequential Sequential lists e g those that describe step by step procedures appear as numbered lists NOTE Indicate tips or special requirements Switch Note Indica...

Page 17: ...g them to their destination All data packets to and from wireless devices are processed by the switch where appropriate policies are applied before they are decapsulated and sent to their destination Access port configuration is managed by the switch through a Web UI Graphical User Interface GUI SNMP or the switch Command Line Interface CLI Switch Note The discussion of the switch GUI within this ...

Page 18: ...nd routes the packets to their destinations Access ports do not have software or firmware upon initial receipt from the factory When the Access Port is first powered on and cleared for the network the switch initializes the Access Port and installs a small firmware file automatically Therefore installation and firmware upgrades are automatic and transparent 1 1 1 Physical Specifications The physic...

Page 19: ...f one category 6 Ethernet cables not supplied are required to connect the switch to the LAN and WLAN The cable s are used with the Ethernet ports on the front panel of the switch The console cable included with the switch connects the switch to a computer running a serial terminal emulator program to access the switch s Command Line Interface CLI for initial configuration An initial configuration ...

Page 20: ...on Feature The upgrade downgrade of the switch can be performed at boot time using one of the following methods Web UI DHCP CLI SNMP Patches The switch has sufficient non volatile memory to store two firmware images Having a second firmware image provides a backup in case of failure of the primary image It also allows for testing of new firmware on a switch with the ability to easily revert to a p...

Page 21: ...quality of hardware 1 2 1 4 Serviceability A special set of Service CLI commands are available to provide additional troubleshooting capabilities for service personnel access to Linux services panic logs etc Only authorized users or service personnel are provided access to the Service CLI A built in Packet Sniffer enables service personnel and users to capture incoming and outgoing packets in a bu...

Page 22: ...oup Licenses are aggregated across the group When a new member joins the group the new member can leverage the Access Port adoption license s of existing members Each member of the redundancy group including the reporting switch is capable of displaying cluster performance statistics for all members in addition to their own Centralized redundancy group management using the switch CLI For more info...

Page 23: ...P is an AP 5131 or AP 7131 Access Point adopted by a wireless switch The management of an AAP is conducted by the switch once the Access Point connects to the switch and receives its AAP configuration An AAP provides local 802 11 traffic termination local encryption decryption local traffic bridging tunneling of centralized traffic to the wireless switch The connection between the AAP and the swit...

Page 24: ...r each channel TPC functionality is enabled automatically for every AP that operates on the channel 802 11bg Dual mode b g protection ERP builds on the payload data rates of 1 and 2 Mbit s that use DSSS modulation and builds on the payload data rates of 1 2 5 5 and 11 Mbit s that use DSSS CCK and optional PBCC modulations ERP provides additional payload data rates of 6 9 12 18 24 36 48 and 54 Mbit...

Page 25: ... lists among other things an Acceptable Use Policy 10 The user agrees to the usage terms and is granted access to the Internet or other network services To setup a hotspot create a WLAN ESSID and select Hotspot authentication from the Authentication menu This is simply another way to authenticate a WLAN user as it would be impractical to authenticate visitors using 802 1x For information on config...

Page 26: ...er detector APs are no longer hearing beacons from a particular AP Configure 0 Zero or more APs to act as either Detector APs Detector APs scan all channels and send beacons to the switch which uses the information for self healing Neighbor APs When an AP fails neighbor APs assist in self healing Self Healing Actions When an AP fails actions are taken on the neighbor APs to do self healing Detecto...

Page 27: ...d by the switch licenses or the total licenses in the cluster in which this switch is a member 1 2 2 10 AP and MU Load Balancing Fine tune a network to evenly distribute data and or processing across available resources Refer to the following MU Balancing Across Multiple APs AP Balancing Across Multiple Switches MU Balancing Across Multiple APs Per the 802 11 standard AP and MU association is a pr...

Page 28: ...hes which are not on the same LAN or IP subnet without the MUs or the rest of the network noticing This allows switches to be placed in different locations on the network without having to extend the MU VLANs to every switch Fast Roaming Using 802 11i can speed up the roaming process from one AP to another Instead of doing a complete 802 1x authentication each time a MU roams between APs 802 11i a...

Page 29: ...s MUs are classified into categories such as Management Voice and Data Packets within each category are processed based on the weights defined for each WLAN The switch supports the following QoS mechanisms 802 11e QoS 802 11e enables real time audio and video streams to be assigned a higher priority over data traffic The switch supports the following 802 11e features Basic WMM WMM Linked to 802 1p...

Page 30: ...iguous periods of time during which the switch is expected to be awake If the switch establishes a downlink flow and specifies UPSD power management it requests and the AP delivers buffered frames associated with that flow during an unscheduled service period The switch initiates an unscheduled service period by transmitting a trigger frame A trigger frame is defined as a data frame e g an uplink ...

Page 31: ...the broadcast packet stream Roaming within the Switch When a MU is assigned to a VLAN the switch registers the VLAN assignment in its credential cache If the MU roams it is assigned back to its earlier assigned VLAN The cache is flushed upon detected MU inactivity or if the MU associates over a different WLAN on the same switch Roaming across a Cluster MUs roam amongst switch cluster members The s...

Page 32: ...st classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses each belonging to different subnet Class configuratio...

Page 33: ... CLI accessible via the serial port or through Telnet or a Secure Shell SSH application A CLI Service mode enabling the capture of system status information that can be sent to Motorola Solutions personnel for use in problem resolution The support for Simple Network Management Protocol SNMP version 3 as well as SNMP version 2 Upload and download of Access Port firmware and configuration files usin...

Page 34: ...PA2 Keyguard WEP WEP Wired Equivalent Privacy WEP is an encryption scheme used to secure wireless networks WEP was intended to provide comparable confidentiality to a traditional wired network hence the name WEP had many serious weaknesses and hence was superseded by Wi Fi Protected Access WPA Regardless WEP still provides a level of security that can deter casual snooping For more information on ...

Page 35: ...N Configuration on page 4 27 for additional information Kerberos Kerberos allows for mutual authentication and end to end encryption All traffic is encrypted and security keys are generated on a per client basis Keys are never shared or reused and are automatically distributed in a secure manner For information on configuring Kerberos for a WLAN see Configuring Kerberos on page 4 35 802 1x EAP 802...

Page 36: ...s to initiate the authentication process On reset all resets including power up the AP300 sends an EAPOL start message every time it sends a Hello message periodically every 1 second The EAPOL start is the supplicant initiated attempt to become authenticated If an appropriate response is received in response to the EAPOL start message the AP300 attempts to proceed with the authentication process t...

Page 37: ... 2 5 7 Rogue AP Detection The switch supports the following techniques for rogue AP detection RF scan by Access Port on all channels SNMP Trap on discovery Authorized AP Lists Rogue AP Report Motorola Solutions RFMS Support NOTE When converting an AP300 to an Intrusion Detection Sensor the conversion requires approximately 60 seconds NOTE When using an AP 5131 for use with WIPS and as a sensor you...

Page 38: ... detected and Rogue AP Rogue APs are only detected and notification is provided via a SNMP trap Authorized AP Lists Configure a list of authorized Access Ports based on their MAC addresses The switch evaluates the APs against the configured authorized list after obtaining Rogue AP information from one of the 2 mechanisms as mentioned in Rogue AP Detection on page 1 21 Rogue AP Report After determi...

Page 39: ...te VPN Provides remote user ability to access company resources from outside the company premises The switch supports IPSec termination for site to site IPSec termination for remote access IPSec traversal of firewall filtering IPSec traversal of NAT IPSec L2TP client to switch 1 2 5 11 NAT Network Address Translation NAT is supported for packets routed by the switch The following types of NAT are ...

Page 40: ...ion check for resources that do not have a NAC agent NAC verifies a MU s compliance with the switch s security policy The switch supports only the EAP 802 1x type of NAC However the switch also provides a mean to bypass NAC authentication for MU s that do not have NAC 802 1x support printers phones PDAs etc For information on configuring NAC support see Configuring NAC Server Support on page 4 50 ...

Page 41: ...IEEE 802 11b standard is fully supported on the following Switch Platforms WS2000 WS5100 RFS6000 RFS7000 The IEEE 802 11b standard is fully supported on the following AP Platforms AP100 Access Port AP4131 Access Port AP300 Access Port AP5131 Access Point AP5181 Access Point AP7131 Access Point IEEE 802 11g Yes The IEEE 802 11g standard is fully supported on the following Switch Platforms WS2000 WS...

Page 42: ...on Additionally we also implement 802 11i PMK Caching Opportunistic PMK Caching and Pre Authentication The IEEE 802 11i standard is fully supported on the following Switch Platforms WS2000 WS5100 RFS6000 RFS7000 The IEEE 802 11i standard is fully supported on the following AP Platforms AP300 Access Port AP5131 Access Point AP5181 Access Point AP7131 Access Point IEEE 802 11n Yes The IEEE 802 11n s...

Page 43: ... WLAN infrastructure allowing any standard EAP method to be supported The IEEE 802 1x standard is fully supported on the following Switch Platforms WS2000 WS5100 RFS6000 RFS7000 The IEEE 802 1x standard is fully supported on the following AP Platforms AP100 Access Port AP4131 Access Port AP300 Access Port AP5131 Access Point AP5181 Access Point AP7131 Access Point IEEE 802 3u Yes The IEEE 802 3u 1...

Page 44: ...RFS7000 SFP Pluggable Optics IEEE 802 1P Yes The IEEE 802 1P QoS standard is fully supported on the following Switch Platforms WS2000 WS5100 RFS6000 RFS7000 The IEEE 802 1P QoS standard is fully supported on the following AP Platforms AP5131 Access Point AP5181 Access Point AP7131 Access Point IEEE 802 1Q Yes The IEEE 802 1Q VLAN Tagging standard is fully supported on the following Switch Platform...

Page 45: ...OTP clients are implemented on the AP5131 AP5181 and AP7131 RFC 2131 DHCP Yes DHCP client and server RFC 1321 MD5 Message Digest Algorithm Yes Implemented for IPSec VPN SNMPv3 and EAP TTLS RFC 1851 The ESP Triple DES Transform Yes RFC 2104 HMAC Keyed Hashing for Message Authentication Yes RFC 2246 TLS Protocol Version 1 0 Yes RFC 2401 Security Architecture for the Internet Protocol Yes RFC 2403 HM...

Page 46: ...US Support for EAP Yes RFC 3580 IEEE 802 1X RADIUS Guidelines Yes RFC 3748 Extensible Authentication Protocol Yes Web based authentication Yes Using internal and external hosting SNMP v1 v2c v3 Yes RFC 854 Telnet Yes Client and Server RFC 1155 Management Information for TCP IP Based Internets Yes RFC 1156 MIB Yes RFC 1157 SNMP Yes RFC 1213 SNMP MIB II Yes RFC 1350 TFTP Yes Client only RFC 1643 Eth...

Page 47: ...upport ifMIB mib 2 dot 31 which are later extensions of ifTable mib 2 dot 2 dot 2 RFC 3164 Syslog Yes RFC 3414 User Based Security Model USM for SNMPv3 Yes RFC 3418 MIB for SNMP Yes Web based HTTP HTTPS Yes Command line interface Telnet SSH serial port Yes Standard Supported Notes ...

Page 48: ...1 32 WiNG 4 4 Switch System Reference Guide ...

Page 49: ...SS AND IMAGE UPGRADES The content of this chapter is segregated amongst the following Accessing the Switch Web UI Switch Password Recovery Upgrading the Switch Image Auto Installation AP 4131 Access Point to Access Port Conversion ...

Page 50: ...ler for virtual enabled requires restart 2 1 2 Connecting to the Switch Web UI To display the Web UI launch a Web browser on a computer with the capability of accessing the switch To display the switch Web UI 1 Point the browser to the IP address assigned to the wired Ethernet port port 2 Specify a secure connection using the https protocol The switch login screen displays 2 Enter the Username adm...

Page 51: ...is warning screen will continue to display on future login attempts until a self signed certificate is implemented Motorola Solutions recommends only using the default certificate for the first few login attempts until a self signed certificate can be generated NOTE If your password is lost there is a means to access the switch but you are forced to revert the switch back to its factory default se...

Page 52: ...their default settings Only an installation professional should reset the access point s password and promptly define a new restrictive password To contact Motorola Solutions Support in the event of a password reset requirement go to http www motorola com Business US EN Support CAUTION Only a qualified installation professional should set or restore the access point s radio and power management co...

Page 53: ...ture functionality described in this System Reference Guide However Motorola Solutions periodically releases switch firmware that includes enhancements or resolutions to known issues Verify your current switch firmware version with the latest version available from the Motorola Solutions Website before determining if your system requires an upgrade ...

Page 54: ...y their contents If a file is renamed its contents remain the same and the file will not be reloaded The requested image file version if any is checked against the current version before any attempt is made to load it If the requested version is the same as the running version no action is taken If the image file version embedded in the file header does not match the expected version no further ac...

Page 55: ...mage file then enable all three features for the auto install RF Switch config autoinstall config url ftp ftp ftp 192 9 200 1 RFSwitch config RF Switch config autoinstall cluster config url ftp ftp ftp 192 9 200 1 RFSwitch cluster config RF Switch config autoinstall image url ftp ftp ftp 147 11 1 11 RFSwitch images RFS6000 img RF Switch config autoinstall image version 4 4 0 0 XXXXX RF Switch conf...

Page 56: ...n the root directory of the TFTP server 2 Log in to the AP 4131 as Admin The default password is Symbol 3 Select the AP Installation main menu item 4 From the IP Address field enter a new IP address if required and select Save F1 to save the change If the IP address was changed you will need to reset the AP for the change to be implemented 5 Reset the AP if you changed the AP s IP address buy disp...

Page 57: ...t make changes as needed b Enter the IP address of your TFTP server select enter c Select F1 to save your changes 9 Select Firmware under the Use TFTP to update Access Point s option 10 Select yes when asked to confirm 11 The AP 4131 will now reset download and install the desired firmware 12 Once the firmware download is complete connect the AP 4131 to the PoE switch and the RF Switch The AP 4131...

Page 58: ...2 10 WiNG 4 4 Switch System Reference Guide ...

Page 59: ...ch This chapter consists of the following sections Viewing the Switch Interface Viewing Switch Port Information Viewing Switch Configurations Viewing Switch Firmware Information Switch File Management Configuring Automatic Updates Viewing the Switch Alarm Log Viewing Switch Licenses How to use the Filter Option ...

Page 60: ...ength transmitted To ensure compliance with national and local laws be sure to set the Country value correctly 3 1 2 Viewing the Switch Configuration To view a high level display of the switch configuration 1 Select Switch from the main menu tree 2 Click the Configuration tab NOTE The Motorola Solutions RF Management Software is a recommended utility to plan the deployment of the switch and view i...

Page 61: ...s the cumulative time since the switch was last rebooted or lost power Firmware Displays the current firmware version running on the switch This version should be periodically compared to the most recent version available on the Motorola Solutions Website as versions with increased functionality are periodically released AP License Count Displays the number of Access Port licenses currently availa...

Page 62: ...g the Apply button for any changes to be reverted 9 Click the Apply button to save the updates to the Time Zone or Country parameters specifically 3 1 3 Switch Dashboard Details Each Motorola Solutions RF Switch platform contains a dashboard which represents a high level graphical overview of central switch processes and hardware When logging into the switch the dashboard should be the first place...

Page 63: ...tions mentioned above it also displays the following status Redundancy State Displays the Redundancy State of the switch The status can be either Enabled or Disabled Enabled Defined a green state Disabled Defined by a yellow state Firmware Displays the Firmware version of the current software running on the wireless switch Management IP Displays the Management IP address of the switch Access Ports...

Page 64: ...e set by the user 4 The CPU Memory section displays the free memory available with the RAM 5 The File Systems section displays the free file system available for flash nvram system Mobile Units Displays the total number of MUs associated with the switch Up Time Displays the actual switch uptime The Uptime is the current operational time of the device defined within the System Name field Uptime is ...

Page 65: ...tions mentioned above it also displays the following status Redundancy State Displays the Redundancy State of the switch The status can be either Enabled or Disabled Enabled Defined a green state Disabled Defined by a yellow state Firmware Displays the Firmware version of the current software running on the wireless switch Management IP Displays the Management IP address of the switch Access Ports...

Page 66: ...e set by the user 4 The CPU Memory section displays the free memory available with the RAM 5 The File Systems section displays the free file system available for flash nvram system Mobile Units Displays the total number of MUs associated with the switch Up Time Displays the actual switch uptime The Uptime is the current operational time of the device defined within the System Name field Uptime is ...

Page 67: ...ons mentioned above it also displays the following status Redundancy State Displays the Redundancy State of the switch The status can be either Enabled or Disabled Enabled Defined by a green state Disabled Defined by a yellow state Firmware Displays the Firmware version of the current software running on the wireless switch Management IP Displays the Management IP address of the switch Access Port...

Page 68: ...et by the user 4 The CPU Memory section displays the free memory available with the RAM 5 The File Systems section displays the free file system available for flash nvram system Mobile Units Displays the total number of MUs associated with the switch Up Time Displays the actual switch uptime The Uptime is the current operational time of the device defined within the System Name field Uptime is the...

Page 69: ...to the Traffic field to assess network traffic for associated APs and radios Number of MUs Associated Displays the total number of MUs currently associated to the switch Number of APs Adopted Displays the total number of Access Ports currently adopted by the switch Number of Radios Adopted Displays the total number of radios currently adopted by the switch Pkts per second Displays the packet trans...

Page 70: ... is excessive consider moving the MU closer to the Access Port or in area with less conflicting network traffic Excessive noise may also be an indication of network interference Avg SNR Displays the average Signal to Noise Ratio SNR for all MUs associated with the switch The Signal to Noise Ratio is an indication of overall RF performance on the wireless network AverageNumberof Retries Displays th...

Page 71: ... Ports from the main menu tree Switch Note The ports available vary by switch platform RFS6000 ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 me1 up1 RFS7000 ge1 ge2 ge3 ge4 me1 RFS4000 ge1 ge2 ge3 ge4 ge5 up1 GE GE ports are available on the RFS6000 and RFS7000 platforms GE ports on the RFS4000 and RFS6000 are RJ 45 which support 10 100 1000Mbps GE ports on the RFS7000 can be RJ 45 or fiber ports which support ...

Page 72: ...e port is a member of MAC Address Displays the port s MAC Address This value is read only set at the factory and cannot be modified Admin Status Displays whether the port is currently Up or Down Speed Displays the current speed of the data transmitted and received over the port Duplex Displays the port as either half or full duplex Medium Type The Medium Type value displays the physical connection...

Page 73: ...ge Warning screen displays stating any change to the port setting could disrupt access to the switch Communication errors may occur even if modifications made are successful 3 Click the OK button to continue Optionally select the Don t show this message again for the rest of the session checkbox to disable the pop up 4 Use the Edit screen to modify the following port configurations for the selecte...

Page 74: ...ange 10 Mbps 100 Mbps 1000 Mbps Auto Duplex Modify the duplex status by selecting one of the following options Half Full Auto Channel Group Optionally set the Channel Group defined for the port The switch bundles individual Ethernet links over the selected channel into a single logical link that provides bandwidth between the switch and another switch or host The port speed used is dependant on th...

Page 75: ... Name Displays the port s current name MAC Address Displays the port s MAC Address This value is read only set at the factory and cannot be modified Oper Status Displays the link status of the port The port status can be either Up or Down Speed Displays the current speed of the data transmitted and received over the port Duplex Displays the port as either half duplex full duplex or Unknown MTU Dis...

Page 76: ...s In Displays the total number of bytes received by the port Packets In Displays the total number of packets received by the port Packets In Dropped Displays the number of packets dropped by the port If the number appears excessive a different port could be required Packets In Error Displays the number of erroneous packets received by the port If the number appears excessive try using a different ...

Page 77: ...kets received on the interface Input Total Packets Displays the total number of packets received on the interface Input Packets Dropped Displays the number of received packets dropped by the interface by the input Queue of the hardware unit software module associated with the VLAN Packets are dropped when the input Queue is full or unable to process incoming traffic Input Packets Error Displays th...

Page 78: ...iled graph for a port 1 Select a port from the table displayed in the Statistics screen 2 Click the Graph button The Interface Statistics screen displays for the selected port The screen provides the option to view the following Input Bytes Input Pkts Dropped Output Pkts Total OutputNonUnicast Packets Displays the number of unicast packets transmitted from the interface Output Total Packets Displa...

Page 79: ...thernet PoE The RFS6000 switch supports 802 3af Power over Ethernet PoE on each of its eight ge ports The PoE screen allows users to monitor the power consumption of the ports and configure power usage limits and priorities for each of the ge ports To view the PoE configuration 1 Select Switch Ports from the main menu tree NOTE You are not allowed to select display more than four parameters at any...

Page 80: ...ver Ethernet on the switch Power Consumption Displays the total watts in use by Power over Ethernet on the switch Power Usage Threshold for Sending Trap Specify a percentage of power usage as the threshold before the switch sends an SNMP trap The percentage is a percentage of the total power budget of the switch Port Displays the port name for each of the PoE capable ports PoE Displays the PoE sta...

Page 81: ...ower which can be drawn from the selected port 6 Click OK to save and add the changes to the running configuration and close the dialog Priority Displays the priority mode for each of the PoE ports The priority options are Critical High Low Limit watts Displays the power limit in watts for each of the PoE ports The maximum power limit per port is 36 watts Power watts Displays each PoE ports power ...

Page 82: ...nd default value is 0 User Name Enter the User Name configured for use with the Wireless WAN Interface Card The string range is 0 32 and default value is 0 Password Enter the Password associated with the above User Name for the Wireless WAN Interface Card The string range is 0 30 and default value is 0 Activation Mode Select Enable from the pull down menu to enable the Wireless WAN Interface Card ...

Page 83: ...Switch Information 3 25 4 To reset the WAN Interface card configuration click the Reset button and the configuration fields will be cleared ...

Page 84: ... Motorola Solutions RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational in the field Motorola Solutions RFMS can help optimize the positioning and configuration of a switch and its associated radios in respect to a WLAN s MU throughput requirements and can help detect rogue devices For more information refer to the Motoro...

Page 85: ...ted 5 To restore the system s default configuration and revert back to factory default click the Restore Defaults button 6 Click the Transfer Files button to move a target configuration file to a secure location for later use For more information see Transferring a Config File on page 3 28 3 3 1 Viewing the Detailed Contents of a Config File The View screen displays the entire contents of a config...

Page 86: ...s field for the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch 5 Click the Refresh button to get the most recent updated version of the configuration file 6 Click Close to close the dialog without committing updates to the runn...

Page 87: ...n menu Options include Server Local Disk and Switch File Specify a source file for the file transfer If the switch is selected the file used at startup automatically displays within the File parameter Using Refer to the Using drop down menu to configure whether the log file transfer is conducted using FTP or TFTP FTP transfers require a valid user ID and password IP Address Enter the IP Address of...

Page 88: ...ext file describes nuances associated with the file that may make it optimal for use with the switch Image Displays whether a firmware image is the primary image or a secondary image The primary image is typically the image loaded when the switch boots Version Displays a unique alphanumeric version for each firmware file listed Current Boot A check mark within this column designates this version a...

Page 89: ...are screen 2 Click the Edit button The Firmware screen displays the current firmware version and whether this version is used for the next reboot 3 Select the checkbox to use this version on the next boot of the switch 4 To edit the secondary image select the secondary image click the Edit button and select the Use this firmware on next reboot checkbox This firmware version will now be invoked aft...

Page 90: ...e Update Firmware button 3 Use the From drop down menu to specify the location from which the file is sent 4 Enter the name of the file containing the firmware update in the File text field This is the file that will append the file currently in use 5 From the Using drop down menu select either FTP or TFTP as a medium to update the firmware a Use FTP to get the firmware update from a File Transfer...

Page 91: ...irming the firmware update the switch reboots and completes the firmware update 11 Click OK to add the changes to the running configuration and close the dialog 12 Refer to the Status field for the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the appl...

Page 92: ...ct Switch File Management from the main menu tree 2 Refer to the Status field to specify the details of the source file From Use the From drop down menu to select the source file s current location The options include Wireless Switch and Server The following transfer options are possible Wireless Switch to Wireless Switch Wireless Switch to Server Server to Wireless Switch The parameters displayed...

Page 93: ...et file for the file transfer 3 Use the To drop down menu within the Target field and select Wireless Switch This defines the location of the file 4 Use the Browse button to define a location for the transferred file 5 Click the Transfer button to complete the file transfer 6 The Message section in the main menu area displays the file transfer message 7 Click Abort at any time during the transfer ...

Page 94: ...igured as required Enter the IP Address of the server receiving the source configuration Ensure the IP address is valid or risk jeopardizing the success of the file transfer Enter the User ID credentials required to transfer the configuration file from an FTP server 5 Enter the Password required to send the configuration file from an FTP server 6 Specify the appropriate Path name to the target dir...

Page 95: ...ed to transfer the configuration file from an FTP server 6 Enter the Password required to send the configuration file from an FTP server 7 Specify the appropriate Path name to the target directory on the server The Target options are different depending on the target selected 8 Use the To drop down menu within the Target field and select Wireless Switch 9 Use the Browse button to browse and select...

Page 96: ...he RFS6000 and RFS7000 switches USB2 and Com pact Flash are only available on the RFS7000 switch Name Displays the memory locations available to the switch Available Displays the current status of the memory resource By default nvram and system are always available A green check indicates the device is currently connected to the switch and is available A red X indicates the device is currently not...

Page 97: ...file will be used with the switch the next time the switch boots Enable Select the Enable checkbox to allow an automatic configuration file update when a newer updated file is detected upon the boot of the switch at the specified IP address IP Address Define the IP address of the server where the configuration files reside If a new version is detected when the switch is booted it is uploaded to th...

Page 98: ...accurate path to the location of the cluster files on the server This path must be accurate to ensure that the most recent file is retrieved Protocol Use the Protocol drop down menu to specify the FTP TFTP HTTP SFTP or resident switch FLASH medium used for the file update from the server FLASH is the default setting Password Enter the password required to access the server Enable Select the Enable...

Page 99: ...e number of alarms the user can navigate to the page that has been completely loaded All operations can be performed on the currently loaded data Enter a page number next to Page and click the Go button to move to the specific page View All Select the View All radio button to display the complete alarm log within the table If there are a large number of alarms the View All option will take several...

Page 100: ...etails option when additional information is required for a specific alarm to make an informed decision on whether to delete acknowledge or export the alarm To review switch alarm details 1 Select Switch Alarm Log from the main menu tree 2 Select an alarm and click the Details button Severity Displays the severity level of the event Use this non numerical and verbal description to assess the criti...

Page 101: ...leshoot the event and determine how the event can be avoided in future Solution Displays a possible solution to the alarm event The solution should be attempted first to rectify the described problem Possible Causes Describes the probable causes that could have raised this specific alarm Determine whether the causes listed can be remedied to avoid this alarm from being raised in future Alarm Messa...

Page 102: ... following licenses are automatically activated on RFS4000 switches 6 AP licenses which will work for Access Ports or Adaptive APs Advanced Security License Locationing Application License WAN Backhaul License License Key Enter the license key required to install a particular feature The license key is returned when you supply the switch serial number to Motorola Solutions support Feature Name Ent...

Page 103: ...curity license ADSEC This enables the Role Based Firewall feature and increases the number of IPSec VPN tunnels The number of IPSec tunnels varies by switch platform Location Application License LOC APP This enables the switch s integrated RTLS engine which allows for locationing of wireless clients and Wi Fi tags It also enables RFID support and reader management and Gen2 tag support In addition ...

Page 104: ... Option zone The parameters in the Filter Option field are populated with the parameters of the screen in which it appears Not all switch Web UIs contain the filtering option 3 Click the Filter Entire Table button to filter the entire table in which the filter zone appears The result of the filtering operation displays at the bottom of the table 4 Click the Turn Off Filtering button to disable the...

Page 105: ...nd Configuring Layer 2 Virtual LANs Configuring Switch Virtual Interfaces Viewing and Configuring Switch WLANs Viewing Associated MU Details Viewing Access Port Information Viewing Access Port Adoption Defaults Viewing Adopted Access Ports Configuring Access Ports Multiple Spanning Tree IGMP Snooping Wired Hotspot NOTE HTTPS must be enabled to access the switch applet Ensure HTTPS access has been ...

Page 106: ...o view the switch s Network configuration 1 Select Network from the main menu tree NOTE When the switch s configuration is successfully updated using the Web UI the effected screen is closed without informing the user their change was successful However if an error were to occur the error displays within the effected screen s Status field and the screen remains displayed In the case of file transf...

Page 107: ...guring Switch Virtual Interfaces on page 4 14 Wireless LANs Displays the number of WLANs currently defined on the switch The switch has 32 default WLANs New WLANs can be added as needed and their descriptions VLAN assignments and security schemes modified For more information see Viewing and Configuring Switch WLANs on page 4 22 Mobile Units Displays the number of MUs currently associated to and i...

Page 108: ...he Domain Name System tab displays DNS details in a tabular format 4 Select an IP address from the table and click the Delete button to remove the selected entry from the list 5 Click the Add button to display a screen used to add another domain name server For more information see Adding an IP Address for a DNS Server on page 4 5 Server IP Address Displays the IP address of the domain name server...

Page 109: ...onfiguring Global Settings Use the Global Settings screen to query domain name servers to resolve domain names to IP addresses Use this screen to enable disable the Domain look up which allows you to use commands like ping traceroute etc using hostnames rather than IP addresses 1 Click the Global Settings button in the main Domain Network System screen A Configuration screen displays for editing t...

Page 110: ...he following details are displayed in the table Destination Subnet Displays the mask used for destination subnet entries The Subnet Mask is the IP mask used to divide internet addresses into blocks known as subnets A value of 255 255 255 0 will support 256 IP addresses Subnet Mask Displays the mask used for destination subnet entries The Subnet Mask is the IP mask used to divide internet addresses...

Page 111: ...locks known as subnets A value of 255 255 255 0 support 256 IP addresses 4 In the Gateway Address field enter the IP address of the gateway used to route the packets to the specified destination subnet Do not set the gateway address to any VLAN interface used by the switch 5 Refer to the Status field for the current state of the requests made from applet This field displays error messages if somet...

Page 112: ... Refer to the Address Resolution table for the following information 4 Click the Clear button to remove the selected AP entry if no longer usable Interface Displays the name of the actual interface where the IP address was found typically a VLAN IP Address Displays the IP address being resolved MAC Address Displays the MAC address corresponding to the IP address being resolved Type Defines whether...

Page 113: ...s Use the Layer 2 Virtual LANs screen to view and configure VLANs by Port and Ports by VLAN information Refer to the following VLAN configuration activities Viewing and Configuring VLANs by Port on page 4 9 Viewing and Configuring Ports by VLAN on page 4 11 4 3 1 Viewing and Configuring VLANs by Port 1 Select Network Layer 2 Virtual LANs from the main menu tree VLAN by Port details display within ...

Page 114: ...AN for each port is tagged or not The column displays a green check mark if the Native VLAN is tagged If the Native VLAN is not tagged the column will display a red x A Native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode Not clear Switch Note For Adaptive AP to work properly with RFS7000 you need to have indepen dent and extended WLANs mapped to a d...

Page 115: ... of flexibility and enable changes to the network infrastructure without physically disconnecting network equipment To view VLAN by Port information 1 Select Network Layer 2 Virtual LANs from the main menu tree Name Displays a read only field and with the name of the Ethernet to which the VLAN is associated Mode Use the drop down menu to select the mode It can be either Access This Ethernet interf...

Page 116: ...o the switch 4 Click OK to continue A new window is displayed wherein the VLAN assignments can be modified for the selected VLAN 5 Change VLAN port designations as required 6 Click OK to use the changes to the running configuration and close the dialog Switch Note The ports available vary by switch On the RFS6000 the available ports are ge1 ge2 ge3 ge4 ge5 ge6 ge7 ge8 and up1 On the RFS7000 the av...

Page 117: ...Network Setup 4 13 7 Click Cancel to close the dialog without committing updates to the running configuration ...

Page 118: ...g the Layer 2 Virtual LANs configuration to communicate with the rest of the network Use the Switch Virtual Interfaces screen to view and configure VLAN interfaces This screen contains two tabs supporting the following activities Configuring the Virtual Interface Viewing Virtual Interface Statistics 4 4 1 Configuring the Virtual Interface Use the Configuration screen to view and configure the virt...

Page 119: ...o the switch Oper Status Displays whether the selected Switch Virtual Interface is currently Up or not Down on the switch Management Interface A green checkmark within this column defines this VLAN as currently used by the switch This designates the interface settings used for global switch settings in case of conflicts For example if multiple SVIs are configured with DHCP enabled on each the swit...

Page 120: ...s field is used if the primary IP address is unreachable Select the Add button within the Secondary IP Addresses field to define additional addresses from a sub screen Choose an existing secondary address and select Edit or Delete to revise or remove a secondary address 9 Refer to the Status field for the current state of the requests made from applet This field displays error messages if somethin...

Page 121: ... Secondary IP Addresses field to define modify additional IP addresses to associate with VLAN IDs The addresses provided will be used if the primary IP address is unreachable Select the Add button within the Secondary IP Addresses field to define modify additional addresses from a sub screen Select an existing secondary address and select Edit or Delete to revise or remove a secondary address as n...

Page 122: ...face receives packets faster than it can transfer them to a buffer Packets In Error Displays the number of error packets coming into the interface Runt frames Packets shorter than the minimum Ethernet frame length 64 bytes CRC errors The Cyclical Redundancy Check CRC is the 4 byte field at the end of every frame The receiving station uses to interpret if the frame is valid If the CRC value compute...

Page 123: ...f the interface due to saturated output queues assigned to the interface processor or the physical device software module Packets can be dropped due to collisions as well Packets Out Error Displays the number of error packets going out of the interface including frame forming errors or malformed packets transmitted over the interface Name Displays the title of the logical interface selected MAC Ad...

Page 124: ...Total Input Packets Dropped Displays the number of packets dropped at the interface by the input Queue of the hardware unit software module associated with the VLAN interface Packets are dropped when the input Queue of the interface is full or unable to handle incoming traffic Input Packets Error Displays the number of packets with errors at the interface Input Packet Errors are input errors occur...

Page 125: ...ers by clicking on the checkbox associated with it 4 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 5 Click Close to close the dialog NOTE Only four parameters may be selected at any given time ...

Page 126: ...the following configuration activities Configuring WLANs Viewing WLAN Statistics Configuring WMM Configuring the NAC Inclusion List Configuring the NAC Exclusion List 4 5 1 Configuring WLANs Refer to the Configuration screen for a high level overview of the WLANs created for use within the switch managed network Use this data as necessary to keep current of active WLANs their VLAN assignments upda...

Page 127: ...o the Enabled parameter to discern whether the specified WLAN is enabled or disabled When enabled a green check mark displays When disabled a red X displays To enable or disable a WLAN select it from the table and click the Enable or Disable button ESSID Displays the Service Set ID associated with each WLAN Click the Edit button to modify the value to a new unique SSID Description Displays a short...

Page 128: ... configuring an authentication scheme for a WLAN see Configuring Different Encryption Types on page 4 53 Independent Mode Determines whether the WLAN is functioning as an independent or extended WLAN in regards its support of adaptive AP AAP operation Independent WLANs defined by a green checkmark are local to an AAP and configured from the switch Specify a WLAN as independent for no traffic to be...

Page 129: ...dress is known The WLAN generates an ARP reply on behalf of an MU if the MU s IP address is known The ARP reply contains the MAC address of the MU not the MAC address of WLAN Module Thus the MU does not awaken to send ARP replies helping to increase battery life and conserve bandwidth If an MU goes into PSP mode without transmitting at least one packet its Proxy ARP will not work for the MU This o...

Page 130: ... rate limit in kbps for all MUs associated with the switch across all WLANs MU Load Balance Mode Configure a method for distributing traffic across MUs using the MU Load Balancing Mode Select Count to set load balancing based on number of MUs Select By Throughput to set load balancing based on total throughput of MUs Hotspot Voucher Logo Name Enter the name of the image that is used on each Hotspo...

Page 131: ...e All of the default WLANs are available for modification when the user accesses the Wireless LANs screen However the WLAN requires an authentication or encryption scheme be applied before it can begin securing the data traffic within the switch managed wireless network The Edit screen provides a mean of modifying the existing WLANs SSID description VLAN ID assignment inter WLAN communication defi...

Page 132: ...WLAN is functioning as an independent or extended WLAN in regards its support of adaptive AP AAP operation Select the checkbox to designate the WLAN as independent and prevent traffic from being forwarded to the switch Independent WLANs behave like WLANs as used on a a standalone Access Point Leave this option unselected as is by default to keep this WLAN an extended WLAN a typical centralized WLA...

Page 133: ...ependent Mode AAP Only checkbox must be selected Additionally the Access Point must have its auto discovery option enabled to be discovered by the switch For information on configuring an Access Point for AAP support see Adaptive AP Configuration NOTE For a Radius supported VLAN to function the Dynamic Assignment checkbox must be enabled for the WLAN supporting the VLAN NOTE When configuring wirel...

Page 134: ...provides a longer algorithm that takes longer to decode than that of the 40 bit encryption mode For detailed information on configuring WEP 64 for the WLAN see Configuring WEP 64 on page 4 53 WEP 128 Use the WEP 128 checkbox to enable the Wired Equivalent Privacy WEP protocol with a 104 bit key WEP is available in two encryption modes WEP 64 using a 40 bit key and WEP 128 using a 104 bit key WEP 1...

Page 135: ...fic from Spectralink Polycomm phones Secure Beacon Closed system is the secure beacon feature for not answering broadcast SSID This option still allows MU to MU communication within the WLAN QoS Weight Sets the Quality of Service weight for the WLAN WLAN QoS will be applied based on the QoS weight value with the higher values given priority The default value for the weight is 1 MU to MU Traffic Al...

Page 136: ...VLANs to a WLAN 1 Select Network Wireless LANs from the main menu tree 2 Select an existing WLAN from those displayed within the Configuration tab and click the Edit button A WLAN screen displays with the WLAN s existing configuration 3 Select the VLAN radio button from the Configuration screen to change the VLAN designation for this WLAN By default all WLANs are initially assigned to VLAN 1 4 Sel...

Page 137: ...e mapping of a VLAN to a WLAN 9 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration VL...

Page 138: ...ct an existing WLAN from those displayed within the Configuration tab and click the Edit button A WLAN screen displays with the WLAN s existing configuration Refer to the Authentication and Encryption columns to assess the WLAN s existing security configuration 3 Select the 802 1X EAP button from within the Authentication field The Radius Config button on the bottom of the screen will become enabl...

Page 139: ...t an existing WLAN from those displayed within the Configuration tab 3 Click the Edit button A WLAN screen displays with the WLAN s existing configuration Refer to the Authentication and Encryption columns to assess the WLAN s existing security configuration 4 Select the Kerberos button from within the Authentication field 5 Click the Config button to the right of the Kerberos checkbox The Kerbero...

Page 140: ... campuses The switch enables hotspot operators to provide user authentication and accounting without a special client application The switch uses a traditional Internet browser as a secure authentication device Rather than rely on built in 802 11security features to control association privileges configure a WLAN with no WEP an open network The switch issues an IP address using a DHCP server authe...

Page 141: ...figuring an Internal Hotspot on page 4 37 External A customer may wish to host their own external Web server using advanced Web content using XML Flash Use the External option to point the switch to an external hotspot For more information see Configuring External Hotspot on page 4 41 Advanced a customer may wish to use advanced Web content XML Flash but might not have or would not want to use an ...

Page 142: ...og in to the switch maintained hotspot Title Text Displays the HTML text displayed on the Welcome page when using the switch s internal Web server This option is only available if Internal is chosen from the drop down menu Header Text Displays the HTML header displayed on the Failed page when using the switch s internal Web server This option is only available if Internal is chosen from the drop d...

Page 143: ... This option is only available if Internal is chosen from the drop down menu above Small Logo URL The Small Logo URL is the URL for a small logo image displayed on the Welcome page when using the internal Web server This option is only available if Internal is chosen from the drop down menu above Main Logo URL The Main Logo URL is the URL for the main logo image displayed on the Welcome page when ...

Page 144: ...ver This option is only available if Internal is chosen from the drop down menu above Header Text The Header Text specifies the HTML header displayed on the No Service page when using the internal Web server This option is only available if Internal is chosen from the drop down menu above Footer Text The Footer Text is the HTML footer text displayed on the No Service page when using the internal W...

Page 145: ... hotspot user validation 18 Check the Hotspot failover checkbox to enable the hotspot failover option Hotspot failover is a feature that displays the No Service page when an authentication server a critical resource is not available when a user tries to access resources using the hotspot 19 Refer to the Status field for the current state of the requests made from applet This field displays error m...

Page 146: ...t the hotspot user for a username and password to access the Welcome page For example the Login page URL can be the following http 192 168 150 5 login html ip_address 192 168 30 1 Here 192 168 150 5 is the Web server IP address and 192 168 30 1 is the switch IP address Welcome Page URL Define the complete URL for the location of the Welcome page The Welcome page assumes that the hotspot user has l...

Page 147: ...goes wrong in the transaction between the applet and the switch 15 Click OK to use the changes to the running configuration and close the dialog Failed Page URL Define the complete URL for the location of the Failed page The Failed screen assumes that the hotspot authentication attempt has failed you are not allowed to access the Internet and you need to provide correct login information to access...

Page 148: ... an FTP server and hosting them on the switch To use the Advanced option to define the hotspot 1 Select Network Wireless LANs from the main menu tree 2 Select an existing WLAN from those displayed within the Configuration tab 3 Click the Edit button NOTE While using the External web pages option 1 Configure the Internal Web pages for a particular WLAN 2 Copy the Internal Web pages corresponding to...

Page 149: ...pot configuration Ensure that the IP address is valid or risk jeopardizing the success of the file transfer d If using FTP enter the User ID credentials required to transfer the configuration file from an FTP server e If using FTP enter the Password required to send the configuration file from an FTP server f Specify the appropriate Path name to the hotspot configuration on the local system disk o...

Page 150: ...the transaction between the applet and the switch 15 Click OK to use the changes to the running configuration and close the dialog 16 Click Cancel to close the dialog without committing updates to the running configuration Configuring MAC Authentication The MAC Authentication option allows the user to configure a Radius server for user authentication with the range of MAC addressees defined as all...

Page 151: ...f defining an external primary and secondary Radius Server as well as a NAC Server if you do not use the switch s resident Radius Server The switch ships with a default configuration defining the local Radius Server as the primary authentication source default users are admin with superuser privileges and operator with monitor privileges No secondary authentication source is specified However Moto...

Page 152: ...r to the Server field and define the following credentials for a primary and secondary Radius server RADIUS Server Address Enter the IP address of the primary and secondary server acting as the Radius user authentication data source RADIUS Port Enter the TCP IP port number for the primary and secondary server acting as the Radius user authentication data source The default port is 1812 RADIUS Shar...

Page 153: ...ing as the Radius accounting server Accounting Port Enter the TCP IP port number for the primary and secondary server acting as the Radius accounting data source The default port is 1813 Accounting Shared Secret Provide a shared secret password for user credential authentication with the primary or secondary Radius accounting server Accounting Timeout Enter a value between 1 and 300 seconds to ind...

Page 154: ...00 and its type as integer 2 Define the following possible decimal values for login sources a Set the Console Access value to 128 user is allowed login privileges only from console b Set the Telnet Access value to 64 user is allowed login privileges only from a Telnet session c Set the SSH Access value to 32 user is allowed login privileges only from ssh session d Set the Web Access value to 16 us...

Page 155: ...ces in the exclude list will not have any NAC checks Bypass NAC except include list An MU NAC check is conducted only for those MUs in the include list To configure NAC Server support 1 Select Network Wireless LANs from the main menu tree 2 Select an existing WLAN from those displayed with the Configuration tab 3 Click on the Edit button 4 Select either the EAP 802 1x Hotspot or Dynamic MAC ACL bu...

Page 156: ...ss Enter the IP address of the primary and secondary server acting as the NAC accounting server Accounting Port Enter the TCP IP port number for the primary and secondary server acting as the NAC accounting data source The default port is 1813 Accounting Shared Secret Provide a shared secret password for user credential authentication with the primary or secondary NAC accounting server Accounting ...

Page 157: ... hacker to duplicate but WEP 64 may be all that a small business user needs for the simple encryption of wireless data However networks that require more security are at risk from a WEP flaw The existing 802 11 standard alone offers administrators no effective method to update keys To configure WEP 64 1 Select Network Wireless LANs from the main menu tree 2 Select an existing WLAN from those displ...

Page 158: ...ing WEP 128 KeyGuard WEP 128 provides a more robust encryption algorithm than WEP 64 by requiring a longer key length and pass key Thus making it harder to hack through the replication of WEP keys WEP 128 may be all that a small business user needs for the simple encryption of wireless data KeyGuard is a proprietary encryption method developed by Motorola Technologies KeyGuard is Motorola Solution...

Page 159: ...for WEP 128 and KeyGuard include 7 If you feel it necessary to restore the WEP algorithm back to its default settings click the Restore Default WEP Keys button This may be the case if you feel that the latest defined WEP algorithm has been compromised and no longer provides its former measure of data security 8 Refer to the Status field for the current state of the requests made from applet This f...

Page 160: ...ent result WPA2 CCMP is based on the concept of a Robust Security Network RSN which defines a hierarchy of keys with a limited lifetime similar to TKIP Like TKIP the keys the administrator provides are used to derive other keys Messages are encrypted using a 128 bit secret key and a 128 bit block of data The end result is an encryption scheme as secure as any the switch provides To configure WPA W...

Page 161: ...d 256 bit Key To use a hexadecimal value and not an ASCII passphrase select the checkbox and enter 16 hexadecimal characters into each of the four fields displayed NOTE The Web UI does not support saving passphrases in encrypted format To save passphrases in an encrypted format configure the passphrases using the Command Line Interface Refer to the CLI Reference Guide for details on configuring pa...

Page 162: ...have unique BSSIDs WEP 64 and TKIP CCMP ciphers can not be part of the same WLAN group When WEP 128 TKIP and CCMP ciphers are grouped in the same WLAN group the BC MC encryption is downgraded to WEP 128 TKIP So in scenarios where N only MUs are present they may not able to associate as those MUs do not support WEP 128 TKIP In such cases WLANs with WEP 128 TKIP cipher suites should be in a differen...

Page 163: ...description of the WLAN Use the description along with the index to differentiate the WLAN from others with similar attributes VLAN The VLAN parameter displays the name of the VLAN the WLAN is associated with MUs Lists the number of MUs associated with the WLAN Throughput Mbps Throughput Mbps is the average throughput in Mbps on the selected WLAN The Rx value is the average throughput in Mbps for ...

Page 164: ... more granular information for a single WLAN Use this information to discern if a WLAN requires modification to meet network expectations To view detailed statistics for a WLAN 1 Select a Network Wireless LANs from the main menu tree 2 Click the Statistics tab 3 Select a WLAN from the table displayed in the Statistics screen and click the Details button v The Details screen displays the WLAN stati...

Page 165: ... column displays the average throughput for packets sent on the selected WLAN The number in black represents this statistics for the last 30 seconds and the number in blue represents this statistics for the last hour Avg Bit Speed Displays the average bit speed in Mbps on the selected WLAN This includes all packets sent and received The number in black represents this statistics for the last 30 se...

Page 166: ...2 Click the Graph button The WLAN Statistics screen displays for the select port The WLAN Statistics screen provides the option of viewing the graphical statistics of the following parameters Pkts per sec Throughput Mbps Avg Bits per sec Avg Signal dBm Dropped Pkts TX Pkts per sec AverageNumberof Retries Displays the average number of retries for all MUs associated with the selected WLAN The numbe...

Page 167: ...h Statistics The Switch Statistics screen displays the sum of all WLAN statistics The Switch Statistics screen is optimal for displaying a snapshot of overall WLAN traffic on your switch To view detailed statistics for a WLAN 1 Select a Network Wireless LANs from the main menu tree 2 Click the Statistics tab 3 Select a WLAN from the table displayed in the Statistics screen and click the Switch Sta...

Page 168: ...n 4 5 3 Configuring WMM Use the WMM tab to review a WLAN s current index numerical identifier SSID description current enabled disabled designation and Access Category To view existing WMM Settings 1 Select Network Wireless LANs from the main menu tree 2 Click the WMM tab The WMM tab displays the following information NOTE The Motorola Solutions RF Management Software is recommended to plan the de...

Page 169: ...isplays the current Arbitrary Inter frame Space Number AIFSN Higher priority traffic categories should have lower AIFSNs than lower priority traffic categories This will cause lower priority traffic to wait longer before attempting access Transmit Ops Displays the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should ...

Page 170: ...on for each access category to prioritize the network traffic expected on this WLAN 802 1p to Access Category Set the access category accordingly in respect to its importance for this WLAN s target network traffic DSCP to Access Category Set the access category accordingly in respect to its DSCP importance for this WLAN s target network traffic Differentiated Services Code Point DSCP is a field in...

Page 171: ...lays the Service Set ID SSID associated with the selected WMM index This SSID is read only and cannot be modified within this screen Access Category Displays the Access Category for the intended radio traffic The Access Categories are the different WLAN WMM options available to the radio The four Access Category types are Background Optimized for background traffic Best effort Optimized for best e...

Page 172: ...within the same VLAN The switch uses the include list to add devices that are NAC supported The following explains how authentication is achieved using 802 1x The switch authenticates 802 1x enabled devices using one of the following NAC Agent NAC support is added in the switch to allow the switch to communicate with a LAN enforcer a laptop with a NAC agent installed No NAC Agent NAC support is ac...

Page 173: ...Configuration field to add more than one device to the WLAN You can create 32 lists both include and exclude combined together and 64 MAC entries per list For more information see Configuring Devices on the Include List on page 4 70 5 The Configured WLANs field displays available WLANs Associate a list item within the Include Lists field with as many WLANs as required For information on mapping NA...

Page 174: ...t committing updates to the running configuration 4 5 4 2 Configuring Devices on the Include List To add a multiple number of devices for a single device type 1 Select Network Wireless LANs from the main menu tree 2 Select the NAC Include tab to view and configure all the NAC Include enabled devices 3 Click on the Add button within the List Configuration area The List Name field displays the name ...

Page 175: ...em with as many WLANs as needed be selecting the WLAN s checkbox Use the Select All button to associate each WLAN with the selected list item 5 To remove the WLAN Mappings select the Deselect All button to clear the mappings 6 Refer to the Status field for a display of the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field display...

Page 176: ...or a NAC configuration example using the switch CLI see NAC Configuration Examples Using the Switch CLI on page 4 74 To view the attributes of a NAC exclusion list 1 Select Network Wireless LANs from the main menu tree 2 Select the NAC Exclude tab to view and configure all the NAC include enabled devices The Exclude Lists field displays a list of devices that can be excluded from a WLAN 3 Use the ...

Page 177: ...tion from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch 6 Click OK to save and add the new configuration and close the dialog window 7 Click Cancel to close the dialog without committing updates to the running configuration 4 5 5 2 Configuring Devices on the Exclude List To add more than one device for a particular ...

Page 178: ...item with as many WLANs as needed be selecting the WLAN s checkbox Use the Select All button to associate each WLAN with the selected list item 5 To remove the WLAN Mappings select the Deselect All button to clear the mappings 6 Refer to the Status field for a display of the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displ...

Page 179: ...ss client list station pc10 AB BC CD DE EF FA RF Switch config wireless client list 3 Associate the exclude list to a WLAN RF Switch config wireless client list wlan 1 RF Switch config wireless client list 4 5 6 3 Configuring the WLAN for NAC Many handheld devices are required to bypass NAC and a few laptops and desktops are required to be NAC validated 1 Set the NAC mode for WLAN A NAC validation...

Page 180: ...F Switch config wireless wlan 1 radius server secondary 192 168 1 40 RF Switch config wireless d Configure the secondary server s Radius Key RF Switch config wireless wlan 1 radius server secondary radius key my rad secret 2 RF Switch config wireless 4 Configure the NAC server s timeout and re transmit settings The timeout parameter configures the duration for which the switch waits for a response...

Page 181: ... Motorola Solutions RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational Motorola Solutions RFMS can help optimize switch positioning and configuration in respect to a WLAN s MU throughput requirements and can help detect rogue devices For more information refer to the Motorola Solutions Website Station Index Displays a nu...

Page 182: ...tus tab IP Address Displays the unique IP address for the MU Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval Ready Displays whether the MU is ready for switch interoperation Values are Yes and No Session Timeout Displays the session timeout values for each of the listed MUs Power Save Displays the current read only Power Save Poll PSP...

Page 183: ...ended for MUs transmitting frequently WLAN Displays of the WLAN the MU is currently associated with VLAN Displays the VLAN parameter for the name of the VLAN the MU is currently mapped to Authentication Displays the authentication method used by the MU to get connected to the WLAN Last Active Displays the time the MU last interoperated with the switch QoS Information Displays the WMM power save UA...

Page 184: ...reless Switch shall send out a Beacon request to RRM capable MUs and it should be able to process received Beacon reports The Beacon request is sent to RRM capable MUs in active mode with specified measurement duration as and when they are triggered If an MU refuses rejects does not send the report then the request is retried after an expiry of specified duration In case of further refuse reject r...

Page 185: ...ess to MU association click the Add button For more information on adding an association see MAC Naming of Mobile Units 6 To remove a MAC Name association select the item from the table and click the Delete button Switch The Switch field displays the IP address of the cluster member associated with each MU When clustering is enabled on the switch and Cluster GUI is enabled the Switch field will be...

Page 186: ... 6 3 Viewing MU Statistics The Statistics screen displays read only statistics for each MU Use this information to assess if configuration changes are required to improve network performance If a more detailed set of MU statistics is required select an MU from the table and click the Details button To view MU statistics details 1 Select Network Mobile Units from the main menu tree MAC Address Each...

Page 187: ...ys the Hardware or Media Access Control MAC address for the MU The MAC address is hard coded at the factory and cannot be modified MAC Name Displays the MAC name associated with each MU s MAC address The MAC name is a user created name used to identify individual mobile unit MAC addresses with a user friendly name WLAN Displays the name of the WLAN the MU is currently associated with Use this info...

Page 188: ...d to an inaccurate WMM setting for the type of data transmitted To view the MU Statistics details 1 Select a Network Mobile Units from the main menu tree 2 Click the Statistics tab 3 Select an MU from the table displayed in the Statistics screen and click the Details button The Details screen displays WLAN statistics for the selected WLAN including Information Traffic RF Status Errors Information ...

Page 189: ...received by the MU The Rx column displays the average packets per second received on the selected MU The Tx column displays the average packets per second sent on the selected MU Throughput Displays the average throughput in Mbps between the MU and the Access Port The Rx column displays the average throughput in Mbps for packets received on the selected MU from the Access Port The Tx column displa...

Page 190: ... Click the Statistics tab 3 Select a MU from the table displayed in the Statistics screen and click the Graph button 4 Select a checkbox to display that metric charted within the graph Do not select more than four checkboxes at any one time 5 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transactio...

Page 191: ...one of Initiated Accepted Established Terminated calls are not displayed Call Codec Displays the codec in use for the active calls R Factor Displays the average call quality using the R Factor scale The R Factor method rates voice quality on a scale of 0 to 120 with a higher score being better If the R Factor score is lower than 70 it is likely that users will not be satisfied with the voice quali...

Page 192: ...n the displayed MUs Jitter is delays on the network that can result in a lag in conversations A jitter score higher than 150ms is likely to be noticed by end users during a call Average Latency Displays the average latency in milliseconds for calls on the selected MUs Start Time Displays the start time for this call This is the timestamp of the start of the call on the switch ...

Page 193: ...os listed you have the option of editing a radio s properties deleting a radio adding a new radio resetting a radio scanning available channels or exporting a radio To view Access Port Radio configuration details 1 Select Network Access Port Radios from the main menu tree NOTE Up to 256 Access Ports are supported by the RFS6000 and RFS7000 switches Up to 6 Access Ports and 24 Adaptive APs are supp...

Page 194: ...the radio from other device radios Description Displays a user assigned name for the radio AP Type Displays the type of Access Port detected The switches support Motorola Solutions AP 100 AP300 and AP650 model Access Ports and AP 4131 AP 5131 and AP 7131 model Access Points Type Use the Type to identify whether the radio is 802 11b 802 11bg and 802 11bgn or 802 11a and 802 11an Adopted Displays th...

Page 195: ...e If using ACS Automatic Channel Selection the switch selects a channel for the radio The Desired Channel displays ACS and the Actual channel displays the channel selected for the radio When set to Random the applet determines the channel s designation Actual Channel When the radio s channel is configured statically the Actual Channel and Desired Channel are the same If using ACS Automatic Channel...

Page 196: ...elected Access Point To configure AP Mesh 1 Select Network Access Port Radios from the main menu tree 2 Click the Configuration tab 3 Click the AP Mesh button to display a screen containing AP Mesh settings which apply to the selected AP 4 To use the AP as a Base Bridge check the Base Bridge checkbox and configure the following information 5 To use the AP as a Client Bridge check the Client Bridge...

Page 197: ...60 seconds the Base Bridge s signal strength remains below the configured threshold the AP compares the signal strength of the existing Base Bridge with the signal strength of each of the found Base Bridges All Base Bridges with signal strength below the signal strength of the connected Base Bridge are ignored Of the remaining Base Bridges if the difference in signal strength is greater than the c...

Page 198: ...hen automatically adopted Enable this option to allow adoption even when the Access Port is not configured Default radio settings are applied to Access Ports adopted automatically 6 To limit the number of voice enabled MUs which are associated click the Voice Call Admission Control checkbox Limiting voice MU traffic in a supported WLAN is a good idea to maintain data rates voice quality and throug...

Page 199: ...f modifying the properties of an existing radio This is often necessary when the radio s intended function has changed and its name needs modification or if the radio now needs to be defined as a detector radio The Edit screen also enables you to modify placement channel and power settings as well as a set of advanced properties in case its transmit and receive capabilities need to be adjusted To ...

Page 200: ...gle channel scan for Unauthorized APs option to enable the switch to scan for rogue devices using the radio s current channel of operation 9 Select the Enable Enhanced Beacon Table option to allow adopted Access Port or Access Point radios to scan for potentially unauthorized APs across all bands This option utilizes radio bandwidth but is an exhaustive means of scanning across all available chann...

Page 201: ...r Desired Channel Sec respectively The selection of a channel determines the available power levels The range of legally approved communication channels varies depending on the installation location and country The selected channel can be a specific channel Random or ACS Random assigns each radio a random channel ACS Automatic Channel Selection allows the switch to systematically assign channels D...

Page 202: ...t To Send RTS threshold in bytes for use by the WLAN s adopted Access Ports RTS is a transmitting station s signal that requests a Clear To Send CTS response from a receiving station This RTS CTS procedure clears the air where many MUs are contending for transmission time Benefits include fewer data collisions and better communication with nodes that are hard to find or hidden because of other act...

Page 203: ...liseconds for example 10 100 See Beacon Interval above A DTIM is periodically included in the beacon frame transmitted from adopted Access Ports The DTIM period determines how often the beacon contains a DTIM for example 1 DTIM for every 10 beacons The DTIM indicates broadcast and multicast frames buffered at the Access Port are soon to arrive These are simple data frames that require no acknowled...

Page 204: ...te Settings button within the radio edit screen to launch a new screen with rate setting information 2 Check the boxes next to all the Basic Rates you want supported Basic Rates are used for management frames broadcast traffic and multicast frames If a rate is selected as a basic rate it is automatically selected as a supported rate 3 Check the boxes next to all the Supported Rates you want suppor...

Page 205: ...ose the dialog 7 Click Cancel to close the dialog without committing updates to the running configuration 4 7 1 4 Adding APs The Add Radio screen provides a facility for creating a new unique radio index for inclusion within the Configuration screen Use the Add screen to add the new radio s MAC address and define its radio type To add a Radio to the switch 1 Select Network Access Port Radios from ...

Page 206: ... 3 The index is helpful for differentiating radios of similar type and configuration 8 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 9 If clustering is configured and the Cluster GUI feature is enabled the Apply to Cluster feature will be available Clic...

Page 207: ... this name along with the radio index to differentiate the radio from other device radios Type Identifies whether the radio is an 802 11b 802 11bg and 802 11bgn or 802 11a and 802 11an radio MUs Displays the number of MUs currently associated with the Access Port Throughput Mbps Displays the average throughput in Mbps for the selected radio The Rx column displays the average throughput in Mbps for...

Page 208: ...d radio Description Displays a brief description of the radio to help differentiate the radio from similar models MAC Address Displays the Hardware or Media Access Control MAC address for the Access Port Access Ports with dual radios will have a unique hardware address for each radio Num Associated Stations Displays the number of MUs currently associated with the radio Radio Type Displays the Acce...

Page 209: ...n black represents this statistics for the last 30 seconds and the number in blue represents this statistics for the last hour Avg Station Signal Displays the average RF signal strength in dBm for all MUs associated with the selected radio The number in black represents this statistics for the last 30 seconds and the number in blue represents this statistics for the last hour Avg Station Noise Dis...

Page 210: ...applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 6 Click Close to exit the Graph and return to the parent Access Port Radios Statistics screen 4 7 3 Configuring WLAN Assignment The WLAN Assignment tab displays a high level description of the radio It also displays the radios WLAN and BSSID assignments on a panel on the right han...

Page 211: ...vailable for WLAN assignment select the WLAN and click the Delete button 4 7 3 1 Editing a WLAN Assignment The properties of an existing WLAN assignment can be modified to meet the changing needs of your network To edit an exiting WLAN assignment 1 Select Network Access Port Radios from the main menu tree 2 Click the WLAN Assignment tab Index Displays the numerical index device identifier used wit...

Page 212: ...of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 6 Click the Apply button to save the modified WLAN assignment 7 Click Close to exit the screen without committing updates to the running configuration 4 7 4 Configuring WMM Use the WMM tab to review each radio s current index numerical identifier the Acce...

Page 213: ...ndex The Access Port name comes from the description field in the Radio Configuration screen Access Category Displays the Access Category currently in use There are four categories Video Voice Best Effort and Background Click the Edit button to change the current Access Category Ensure the Access Category reflects the radio s intended network traffic AIFSN Displays the current Arbitrary Inter fram...

Page 214: ...d be set higher 6 Enter a value between 0 and 15 for the Extended Contention Window minimum ECW Min value The ECW Min is combined with the ECW Max to make the Contention Window From this range a random number is selected for the back off mechanism Lower values are used for higher priority video or voice traffic 7 Enter a value between 0 and 15 for the Extended Contention Window maximum ECW Max val...

Page 215: ...other can be grouped together By default a radio is not in any group and the load balancing algorithm would not apply to it To configure a group of radios together 1 Select Network Access Port Radios from the main menu tree 2 Go to the Configuration tab Index The Index is the numerical index device identifier used with the device radio Use this index along with the radio name to differentiate the ...

Page 216: ...ing radios to groups click the Apply button on the Configuration tab to save your changes 8 To verify the radio groups click the Groups tab to view configured radio groups For more information on viewing radio groups refer to Viewing Access Point Radio Groups on page 4 112 4 7 6 1 Viewing Access Point Radio Groups Refer to the Groups tab to view the Group ID and Index associated with each radio wh...

Page 217: ...view Active Calls statistics 1 Select Network Access Port Radios from the main menu tree Group Id Displays the Group Id associated with each adopted radio Radio Configured Index The Index is the numerical index device identifier used with the device radio Use this index along with the radio name to differentiate the radio from other device radios ...

Page 218: ...e Total Voice Calls Displays the total number of voice calls attempted for each Access Port Roamed Calls Displays the total number of voice calls that were roamed from each Access Port Rejected Calls Displays the total number of voice calls rejected by each Access Port Calls may be rejected if the call does not meet the TPSEC Admission Control requirements for the AP or when an AP would not be abl...

Page 219: ...ferentiating radios of similar type and configuration Type Displays the radio type of the corresponding APs Available types are 802 11a 802 11an 802 11b 802 11bg 802 11bgn Associated WLAN Displays the WLAN that each Access Port is associated to Throughput Mbps Throughput Mbps is the average throughput in Mbps on the selected Access Port Average Mbps Average Mbps is the average throughput in Mbps o...

Page 220: ...management activities Automatically calibrates associated radio s maximum power capability Automatically assigns certain radios to be detectors Automatically assign channels to radios to avoid channel overlap and interference from external RF sources Automatically calculates the transmit power of working radios Automatically configures self healing parameters Radio assume the roles of caretaker an...

Page 221: ...pes are 802 11a 802 11an 802 11b 802 11bg 802 11bgn Antenna Gain dBi Displays the current antenna gain value in dBi for each Access Port Coverage Rate Mbps Displays the current coverage rate for each Access Port based on the Smart RF settings Is Detector Displays whether or not an Access Port is a detector or not Detector status is determined through Smart RF based on coverage and location of othe...

Page 222: ... radio by its intended coverage area or function MAC Address Displays the Media Access Control MAC Address of the selected AP AP Name Displays the name assigned to the AP The AP name can be configured on the Access Port Radios Configuration page AP Type Displays the type of Access Port detected The switches support Motorola Solutions AP 100 AP300 and AP650 model Access Ports and AP 4131 AP 5131 an...

Page 223: ...d The switches support Motorola Solutions AP 100 AP300 and AP650 model Access Ports and AP 4131 AP 5131 and AP 7131 model Access Points Radio Type Displays the radio type of the corresponding APs Available types are 802 11a 802 11an 802 11b 802 11bg 802 11bgn AP Name Displays the name assigned to the AP The AP name can be configured on the Access Port Radios Configuration page AP Location Displays...

Page 224: ... a description of the Radio Modify the description as required to name the radio by its intended coverage area or function MAC Address Displays the Media Access Control MAC Address of the selected AP AP Name Displays the name assigned to the AP The AP name can be configured on the Access Port Radios Configuration page AP Type Displays the type of Access Port detected The switches support Motorola ...

Page 225: ...n to add a selected radio or radios from the Available Radios list into the Rescuer Radios list Remove Click the Remove button to remove a selected radio or radios from the Rescuer Radios list Rescuer MAC Displays the Media Access Control MAC Address of the selected Rescuer Radio AP Name Displays the configured AP Name for the selected Rescuer Radio AP Location Displays the configured AP Location ...

Page 226: ...he Smart RF History button 4 The Smart RF History window displays the Index number and Assignment History of Smart RF activity 4 7 9 6 Configuring Smart RF Settings To configure Smart RF settings 1 Select Network Access Port Radios from the main menu tree 2 Click the Smart RF tab ...

Page 227: ...tector Check this box to enable automatic assignment of radio detectors Assign Channel Check this box to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources Assign Tx Power Check this box to enable automatic assignment of transmit power Assign Rescuers Check this box to enable automatic assignment of rescuers along with...

Page 228: ...alid minimum is 4 and maximum is 20 Default range is 4 to 16 dBm Scan Dwell Time seconds Specify the RF Scan Dwell Time in seconds The valid range is between 1 and 10 seconds Default dwell time is 1 second Interference Recovery Check this box to enable monitoring for interference and self healing it by rescuer Faulty Radio Recovery Check this box to enable monitoring for defective radio and self h...

Page 229: ...ion Start Time Displays the date and time that the last Smart RF calibration began Last Calibration End Time Displays the date and time that the last Smart RF calibration ended Next Calibration Start Time Displays the date and time scheduled for the next Smart RF calibration Current Action Displays what the Smart RF engine is currently doing If there is a scan in process it will be displayed here ...

Page 230: ...02 11bg 802 11bgn Calls per radio Current Displays the current number of active voice calls for each Access Port Calls per radio Max Displays the maximum number of concurrent voice calls that each Access Port has seen Calls per radio Avg Displays an average number of calls active on each Access Port Airtime for Voice Displays the percentage of total airtime that each Access Port has dedicated to v...

Page 231: ... rates voice quality on a scale of 0 to 120 with a higher score being better If the R Factor score is lower than 70 it is likely that users will not be satisfied with the voice quality of calls Avg Call Quality MOS CQ Displays the average call quality using the Mean Opinion Score MOS call quality scale The MOS scale rates call quality on a scale of 1 5 with higher scores being better If the MOS sc...

Page 232: ...figuring WMM 4 8 1 Configuring AP Adoption Defaults The Configuration tab displays the current radio adoption configuration including radio type placement channel setting and power settings Many of these settings can be modified as well as radio s current rate settings by selecting a radio and clicking the Edit button These settings are the default configurations when the radios are set to auto ad...

Page 233: ...BM for 802 11bg and 17 dBm for 802 11a Power mW Displays the default transmit power in mW derived from the Power dBm setting Defaults are 100 mW for 802 11bg and 50 mW for 802 11a NOTE Up to 256 Access Ports are supported by the RFS6000 and RFS7000 switches Up to 6 Access Ports and 24 Adaptive APs are supported by the RFS4000 switch The actual number of Access Ports adoptable by a switch is define...

Page 234: ...e AP to receive beacons and association information 8 Select the Enable Enhanced Probe Table checkbox to allow an AP to forward MU probe requests to the switch 9 Within the Radio Settings field configure the Placement of the radio as either Indoors or Outdoors The setting will affect the selection channel and power levels Default is Indoors 10 Select a channel for communications between the Access...

Page 235: ... menu to configure the Antenna Diversity settings for Access Ports using external antennas Options include Full Diversity Utilizes both antennas to provide antenna diversity Primary Only Enables only the primary antenna Secondary Only Enables only the secondary antenna Antenna Diversity should only be enabled if the Access Port has two matching external antennas Default value is Full Diversity Max...

Page 236: ...hreshold minimizes RTS CTS exchanges consuming less bandwidth for data transmissions A disadvantage is less help to nodes that encounter interference and collisions An advantage is faster data frame throughput Environments with less wireless traffic and contention for transmission make the best use of a higher RTS threshold Default is 2346 In 802 11b g mixed RTS CTS happens automatically There is ...

Page 237: ... cannot be maintained To configure a radio s rate settings 1 Click the Rate Settings button in the radio edit screen to launch a screen wherein rate settings can be defined for the radio 2 Check the boxes next to all Basic Rates you want supported by this radio Basic Rates are used for management frames broadcast traffic and multicast frames If a rate is selected as a basic rate it is automaticall...

Page 238: ...lick Cancel to close the dialog without committing updates to the running configuration 4 8 2 Configuring Layer 3 Access Port Adoption The configuration activity required for adopting Access Ports in a layer 3 environment is unique In a layer 3 environment switch discovery is attempted in the following ways On the local VLAN Through the DHCP Server Initially the Access Port attempts to find its wi...

Page 239: ... on the list 5 Each switch that receives such a packet responds with a Parent response 4 8 3 Configuring WLAN Assignment Use the WLAN Assignment tab to assign WLANs and security schemes To view existing WLAN Assignments 1 Select Network Access Port Adoption Defaults from the main menu tree 2 Click the WLAN Assignment tab The Assigned WLANs tab displays two fields Select Radios BSS and Select Chang...

Page 240: ... main menu tree Primary WLAN If a specific BSS was selected from the Select Radio BSS area choose one of the selected WLANs from the drop down menu as the primary WLAN for the BSS If the radio was selected the applet will automatically assign one WLAN to each BSS in order and that WLAN will be set as the Primary WLAN for the BSS If the number of WLANs selected is greater than the number of BSSIDs ...

Page 241: ...s Category Displays the Access Category currently in use There are four categories Video Voice Best Effort and Background Click the Edit button to change the current Access Category Ensure that the Access Category reflects the radios intended network traffic AIFSN Displays the current Arbitrary Inter frame Space Number AIFSN Higher priority traffic categories should have lower AIFSNs than lower pr...

Page 242: ...s value is the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set higher 6 Enter a value between 0 and 15 for the Contention Window minimum value The CW Minimum is combined with the CW Maximum to make the Contention Window From this range a random number is selected for the back off mechanism Lower values ar...

Page 243: ...P screen for the following information Switch The Switch field displays the IP address of the cluster member associated with each AP When clustering is enabled on the switch and Cluster GUI is enabled the Switch field will be available on the AP configuration screen For information on configuring enabling Cluster GUI see Managing Clustering Using the Web UI MAC Address Displays the radio s first M...

Page 244: ...ntifying a selected AP within an installation IP Address Displays the IP address of the adopted Access Port Bootloader Displays the software version the Access Port boots from This information can be helpful when troubleshooting problems Protocol Version Displays the version of the interface protocol between the Access Port and the switch This information can be helpful when troubleshooting proble...

Page 245: ...the radio Index Displays a numerical identifier used to associate a particular Access Port with a set of statistics and can help differentiate the Access Port from other Access Ports with similar attributes MAC Address Displays the unique Hardware or Media Access Control MAC address for the Access Port Access ports with dual radios will have a unique MAC address for each radio The MAC address is h...

Page 246: ...be able to find the IP addresses of the switches on the network To locate switch IP addresses on the network Configure DHCP option 189 to specify each switch IP address Configure a DNS Server to resolve an existing name into the IP of the switch The Access Port has to get DNS server information as part of its DHCP information The default DNS name requested by an AP300 is Symbol CAPWAP Address Simi...

Page 247: ...Country and VLAN Tagging for the selected AP Syslog Mode For the selected AAP this option enables or disables logging to an external Syslog server LLDP Settings Enables the Link Layer Discovery Protocol LLDP which is a protocol that enables devices to advertise their capabilities and media specific configuration information Country Select the Country that the Access Port will be configured to oper...

Page 248: ... frames with special tags as they pass between the access port and its destination These tags help distinguish data traffic Authentication servers such as RADIUS and Kerberos must be on the same Management VLAN Additionally DHCP and BOOTP servers must be on the same Management VLAN as well A B G N WLAN and Sensor Enables 802 11a 802 11b 802 11g 802 11bgn and 802 11an for the WLAN and dedicates the...

Page 249: ...physical network connections of a given network management domain 1 Check the Enable LLDP checkbox to enable or disable the transmission of LLDP advertisements 2 Enter the refresh interval value in the Refresh Interval field This parameter indicates the interval at which LLDP frames are transmitted on behalf of this LLDP agent 3 Enter the holdtime multiplier value in the Holdtime Multiplier field ...

Page 250: ...Mask of the default VLAN in the respective fields Also enter the Gateway IP Address Primary WIPS Server Address and the Secondary WIPS Server Address The Sensor Display Table displays the following information Index Displays the numerical value assigned to each sensor AP MAC Address Displays the Media Access Control MAC address for each sensor AP VLAN Displays the VLAN that each sensor AP is assoc...

Page 251: ...ansactions for this AP will be secured Switch The Switch field displays the IP address of the cluster member associated with each AP When clustering is enabled on the switch and Cluster GUI is enabled the Switch field will be available on the AP configuration screen For information on configuring enabling Cluster GUI see Managing Clustering Using the Web UI MAC Address Displays the MAC Addresses f...

Page 252: ...to select which cluster members APs are displayed To view APs from all cluster members select All from the pull down menu To view APs radios from a specific cluster member select that member s IP address from the pull down menu 4 9 6 Configuring Adaptive AP Firmware Refer to the AP Firmware tab to view the Access Port and Adaptive AP firmware image associated with each adopted Access Port or Adapt...

Page 253: ...can browse the switch file systems using the browser icon AP images must be on the flash system nvram or usb file systems in order for them to be selected AAP Automatic Update Check this box to enable automatic update of Access Port or Adaptive AP firmware when an Access Port or Adaptive AP associates with the switch The AP image file used for automatic update are specified in the AP Image Upload ...

Page 254: ...en to change the AP Image Type or AP Image File 5 Modify the AP Image Type as necessary 6 Modify the AP Image File as necessary You can browse the switch file systems using the browser icon AP images must be on the flash system nvram or usb file systems in order for them to be selected 7 Click the OK button to save the changes and return to the AP Firmware tab 4 9 6 2 Updating an existing AAP Imag...

Page 255: ... You can update an AAP image from an external SFTP server using the SFTP Image Update button To update using SFTP 1 Select Networks Access Port from the main menu tree 2 Click the AP Firmware tab 3 Click the SFTP Image Update button AP MAC Address is the device MAC address Ensure that this is the actual hard coded MAC address of the device File Name is the name of the AP image Server IP Address gi...

Page 256: ... Spanning Tree that interconnects all the bridges in a network This instance treats each region as a single bridge In all other ways it operates exactly like Rapid Spanning Tree RSTP Common and Internal Spanning Trees CIST CIST contains all of the ISTs and bridges not formally configured into a region This instance inter operates with bridges running legacy STP and RSTP implementations Multiple Sp...

Page 257: ...ng multiple regions within the network Each switch running MSTP is configured with a unique MST region name This helps when keeping track of MSTP configuration changes Increment this number with each configuration change The revision level specifies the revision level of the current configuration MST Revision Level Assign a MST revision level number to the MSTP region to which the device belongs E...

Page 258: ...nds After the defined interval all bridges in a bridged LAN exchange BPDUs The hello time is the time interval in seconds the device waits between BPDU transmissions A very low value leads to excessive traffic on the network whereas a higher value delays the detection of a topology change This value is used by all instances Bridge Hello Time Displays the configured Hello Time If this is the root b...

Page 259: ...nce tab ID Displays the ID of the MSTP instance Bridge Priority Displays the bridge priority for the associated instance The Bridge Priority is assigned to an individual bridge based on whether it is selected as the root bridge The lower the priority the greater likelihood the bridge becoming the root for this instance Bridge ID Bridge ID Displays the bridge id of the bridge for this instance Desi...

Page 260: ...om the table within the Bridge Instance tab and click the Add VLANs button 4 Enter a VLAN ID between 1 to 4094 in the VLAN ID field This VLAN ID is associated with the Instance index You can add multiple VLANs to an instance 5 Click OK to save and commit the new configuration 6 Click Cancel to disregard the changes 4 10 3 Configuring a Port Use the Port tab to view and configure MSTP port paramete...

Page 261: ...ted port Typically each guard root port is a designated port unless two or more ports within the root bridge are connected together If the bridge receives superior BPDUs on a guard root enabled port the guard root moves the port to a root inconsistent STP state This state is equivalent to a listening state No data is forwarded across the port Thus the guard root enforces the root bridge position A...

Page 262: ...st Designated Port Defines the port connection used to send and receive packets By having only one designated port per segment all looping issues should be resolved Once the designated port has been selected any other ports that connect to that segment become non designated ports and block traffic from taking the defined path Forward Transitions Forward Transitions displays the number of MSTP stat...

Page 263: ...rt as an edge port Port Guard Root Select this checkbox to enable guard root for this port Typically each guard root port is a designated port unless two or more ports within the root bridge are connected together If the bridge receives superior BPDUs on a guard root enabled port the guard root moves the port to a root inconsistent STP state This state is equivalent to a listening state No data is...

Page 264: ...c 20000 10000000000 bits sec 2000 100000000000 bits sec 200 1000000000000 bits sec 20 1000000000000 bits sec 2 Admin Point to Point status Defines the point to point status as ForceTrue or ForceFalse ForceTrue indicates this port should be treated as connected to a point to point link ForceFalse indicates this port should be treated as having a shared connection A port connected to a hub is on a s...

Page 265: ...t Cost Displays the Internal Root Cost of a path associated with an interface The lower the path cost the greater likelihood of the interface becoming the root Designated Bridge Displays the ID of the bridge that sent the best BPDU Designated Port Designated Port displays the ID of the port that is the designated port for that instance Priority Displays the port priority set for that port and inst...

Page 266: ...or other modifications Port Index Read only indicator of the port index used as a basis for other modifications Port Priority If necessary change the port priority value for the bridge The lower the priority a greater likelihood of the port becoming a designated port Admin Internal Path Cost Displays the configured Admin Internal Path Cost of a port A value of 0 indicates that the user has not con...

Page 267: ... enable IGMP Snooping on the switch If disabled snooping on a per VLAN basis is also disabled Unknown Multicast Forward Select to enable the switch to forward Multicast packets from unregistered Multicast Groups If disabled Unknown Multicast Forward on a per VLAN basis is also disabled Apply Click to Apply changes made to the running configuration Revert Revert back to previous state from the runn...

Page 268: ...eports are received from a portal that portal information is removed from the Snooping Table The switch will only forward Multicast Packets to portals that are present in the Snooping Table For IGMP reports from wired ports the switch forwards these reports to the Multicast Router Ports Version Sets the IGMP version compatibility Select from IGMP v1 v2 or v3 IP Address This address is applied as t...

Page 269: ...ier takes over the role of IGMP querier for this VLAN Max Response Time The maximum time allowed in seconds before sending a responding report for a host Operational State The current operational state of IGMP Querier for this VLAN Displays querier if IGMP Snoop Querier is enabled on this VLAN Displays disabled otherwise IP Address The IP address to be inserted in IGMP Query packets generated by t...

Page 270: ...net access until the session expires Wired hotspots can be used where wireless connections are not used or not feasible 4 12 1 Wired Hotspot Configuration Use the Network Wired Hotspot screen to configure the wired hotspot To configure the wired hotspot 1 Select Network Wired Hotspot from the main menu tree 2 Select the Configuration tab The Configuration tab displays the following information NOT...

Page 271: ...ose displayed within the Configuration tab and click the Edit button The following screen is displayed Primary RADIUS Server IP Port This is the IP address of the Primary RADIUS server and the port on which the Primary RADIUS server is listening Secondary RADIUS Server IP Port This is the IP address of the Secondary RADIUS server and the port on which the Secondary RADIUS Server is listening Edit ...

Page 272: ...cify any additional text containing instructions or information for the users who access the Login page This option is only available if Internal is chosen from the drop down menu above The default text is Please enter your username and password Title Text The Title Text specifies the HTML title text displayed on the Welcome page when using the internal Web server This option is only available if ...

Page 273: ... available if Internal is chosen from the drop down menu above Footer Text The Footer Text is the HTML footer text displayed on the Failed page when using the internal Web server This option is only available if Internal is chosen from the drop down menu above Small Logo URL The Small Logo URL is the URL for a small logo image displayed on the Failed page when using the internal Web server This op...

Page 274: ...close the dialog without committing updates to the running configuration 4 12 1 2 Configuring an External Hotspot Selecting the External option entails hosting your own external Web server using advanced Web content using XML Flash To create a hotspot maintained by an external server 1 Select Network Wired Hotspot from the main menu tree 2 Select an existing hotspot entry from those displayed with...

Page 275: ... username and password to access the Welcome page For example the Login page URL can be the following http 192 168 150 5 login html ip_address 192 168 30 1 Here 192 168 150 5 is the Web server IP address and 192 168 30 1 is the switch IP address Welcome Page URL Define the complete URL for the location of the Welcome page The Welcome page assumes that the hotspot user has logged in successfully an...

Page 276: ...e of the drop down menu 4 Once the properties of the advanced hotspot have been defined the file can be installed on the switch and used to support the hotspot The following parameters are required to upload the file a Specify a source hotspot configuration file The file used at startup automatically displays within the File parameter b Refer to the Using drop down menu to configure whether the ho...

Page 277: ...t URL to use the System Name specified on the main Switch configuration screen as part of the hotspot address 7 Specify the maximum Hotspot Simultaneous Users to set a limit on the number of concurrent unique hotspot users for the selected WLAN 8 Check the Logout on Browser Close button to log out hotspot users from the network when they close their web browsers 9 Use the Accounting drop down menu...

Page 278: ...ing as the Radius user authentication data source The default port is 1812 RADIUS Shared Secret Provide a shared secret password for user credential authentication with the primary or secondary Radius server Server Timeout Enter a value between 1 and 300 seconds to indicate the number of elapsed seconds causing the switch to time out on a request to the primary or secondary server Server Retries E...

Page 279: ...en 1 and 300 seconds to indicate the number of elapsed seconds causing the switch to time out a request to the primary or secondary accounting server Accounting Retries Enter a value between 1 and 100 to indicate the number of times the switch attempts to reach the primary or secondary Radius accounting server before giving up Accounting Mode Use the Accounting Mode drop down menu to define the ac...

Page 280: ...4 176 WiNG 4 4 Switch System Reference Guide ...

Page 281: ...information available for the following switch configuration activities Displaying the Services Interface DHCP Server Settings Configuring Secure NTP Configuring Switch Redundancy Clustering Layer 3 Mobility Configuring Self Healing Configuring Switch Discovery Locationing ...

Page 282: ...tions the transfer screen remains open during the transfer operation and remains open upon completion with status displayed within the Status field DHCP Servers Displays whether DHCP is enabled and the current configuration For information on configuring DHCP Server support see DHCP Server Settings on page 5 4 NTP Time Management Displays whether time management is currently enabled or disabled Ne...

Page 283: ...DP sessions to be maintained in spite of roaming among different IP subnets For more information on configuring Layer 3 Mobility see Layer 3 Mobility on page 5 48 Self Healing Displays whether Self Healing is currently enabled Self healing enables radios to take action when one or more radios fail To enable the feature the user must specify radio neighbors that would self heal if a neighbor goes d...

Page 284: ...following activities Configuring the Switch DHCP Server Viewing the Attributes of Existing Host Pools Configuring Excluded IP Address Information Configuring the DHCP Server Relay Viewing DDNS Bindings Viewing DHCP Bindings Reviewing DHCP Dynamic Bindings Configuring the DHCP User Class Configuring DHCP Pool Class ...

Page 285: ...eased IP address To configure DHCP 1 Select Services DHCP Server from the main menu tree 2 Select the Enable DHCP Server checkbox to enable the switch s internal DHCP Server for use with global pools 3 Select the Ignore BOOTP checkbox to bypass a BOOTP request 4 Define an interval from 1 10 seconds for the Ping timeout variable The switch uses the timeout to intermittently ping and discover whethe...

Page 286: ...tree 2 Select an existing pool from those displayed within the Network Pool field and click the Edit button 3 Modify the name of the IP pool from which IP addresses can be issued to client requests on this interface 4 Modify the Domain name as appropriate for the interface using the pool 5 Modify the NetBios Node used with this particular pool The NetBios Node could have one of the following types...

Page 287: ...e buttons as required to define the range of supported IP addresses A network pool without any include range is as good as not having a pool because it won t be useful in assigning addresses 12 Click OK to save and add the changes to the running configuration and close the dialog 13 Refer to the Status field The Status is the current state of the requests made from the applet Requests are any SET ...

Page 288: ...s to find a node and failing that queries a known p node name server for the address An h hybrid is a combination of two or all of the nodes mentioned above 6 Enter the name of the boot file used for this pool within the Boot File parameter 7 From the Network field use the Associated Interface drop down menu to define the switch interface is used for the newly created DHCP configuration Use VLAN1 ...

Page 289: ...on 5 2 1 3 Configuring DHCP Global Options The DHCP Server screen s Configuration and Host Pool tabs can be used to display an additional Global Options screen To define new global name and value and send it to other peer switches in the mobility domain 1 Select Services DHCP Server from the main menu tree 2 Highlight an existing pool name from within either the Configuration or Host Pool tab and ...

Page 290: ...e Multiple User Class checkbox if multiple user class support is needed 7 Use the DDNS Servers field to define the IP addresses of the DNS servers 8 Click OK to save and add the changes to the running configuration and close the dialog 9 Refer to the Status field The Status is the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field...

Page 291: ...al Options on page 5 9 Pool Name Displays the name of the IP pool from which IP addresses can be issued to DHCP client requests on this interface The pool is the range of IP addresses for which addresses can be assigned IP Address Displays the IP address for the client on this interface using the pool name listed Hardware Address Displays the type of interface used to pass DHCP discover and reques...

Page 292: ...lude from possible selection To view excluded IP address ranges 1 Select Services DHCP Server from the main menu tree 2 Click the Excluded tab The Excluded tab displays fixed IP addresses statically assigned and unavailable for assignment with a pool 3 Click the Edit button to modify the IP address range displayed For more information see Editing the Properties of an Existing DHCP Pool on page 5 6...

Page 293: ...et1 External DHCP Server IP subnet1 Interface Name When configuring a DHCP Relay address specify the other interface where the external DHCP Server can be reached In this example that interface is subnet1 The DHCP relay agent must listen on both subnet1 and subnet2 Consequently the DHCP Server cannot run on either subnet1 or subnet2 it must be both However you can run an onboard DHCP server on sub...

Page 294: ...twork Pool field and click the Delete button 6 Click the Add button to create a new DHCP pool a Use the Interface drop down menu to assign the interface used for the DHCP relay As VLANs are added to the switch the number of interfaces available grows b Add Servers as needed to supply DHCP relay resources c Click OK to save and add the changes to the running configuration and close the dialog d Cli...

Page 295: ... IP address for a given name To view switch DDNS binding information 1 Select Services DHCP Server from the main menu tree 2 Select the DDNS Bindings tab 3 Refer to the contents of the DDNS Bindings tab for the following information 4 Click the Export button to display a screen used to export DDNS Binding information to a secure location 5 2 6 Viewing DHCP Bindings The Bindings tab displays addres...

Page 296: ...e address to an IP address from a pool of available addresses The Dynamic Bindings tab displays only automatic bindings To view detailed Dynamic DHCP Binding Status information 1 Select Services DHCP Server from the main menu tree IP Address Displays a IP address for each client with a listed MAC address This column is read only and cannot be modified MAC Address Client ID Displays the MAC address...

Page 297: ...abled when one or more rows exist 6 Click the Export button to display a screen used to export the DHCP Binding information to a secure location IP Address Displays the IP address for each client whose MAC Address is listed in the MAC Address Client ID column This column is read only and cannot be modified MAC Address Client ID Displays the MAC address client hardware ID of the client using the sw...

Page 298: ... User Class Option Name field displays the names defined for a particular client Select the Multiple User Class Options checkbox to associate the user class option names with a multiple user class 5 Click the Add button create a new user class name client For more information see Adding a New DHCP User Class on page 5 18 6 Click the Edit button to modify the properties displayed for an existing DH...

Page 299: ...nsmit multiple option values to DHCP servers supporting multiple user class options d Click OK to save and add the new configuration e Refer to the Status field It displays the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch f C...

Page 300: ... field It displays the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch f Click Cancel to close the dialog without committing updates to the running configuration 5 2 9 Configuring DHCP Pool Class The DHCP server can associate mu...

Page 301: ...sociation of a DHCP pool name to a DHCP class name It is also used to configure a maximum of 4 pool class address range To revise an existing DHCP pool class name 1 Select Services DHCP Server from the main menu tree 2 Select the Pool Class tab 3 Click on the Edit button from the Pool Class Names section 4 Refer to the read only Pool Name to ensure modifications are made to the correct pool name 5...

Page 302: ...r the pool name created using Adding a New DHCP Pool on page 5 7 5 Use the Class Name field to associate an existing class created using Adding a New DHCP User Class on page 5 18 6 The Pool Class Address Range field is used to assign address range to the class inside the pool A maximum of 4 address ranges can be assigned to a class a Use the Insert button to enter the Start IP and End IP address r...

Page 303: ... Configuration Configuring Symmetric Key Defining a NTP Neighbor Configuration Viewing NTP Associations Viewing NTP Status 5 3 1 Defining the SNTP Configuration Symmetric keys are algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption The encryption key is related to the decryption key as they may be identical or there is a simple mechanism to ...

Page 304: ... resources Authenticate Time Sources Select this checkbox to ensure credential authentication takes place between the SNTP server and the switch When this checkbox is selected the Apply and Revert buttons become enabled to save or cancel settings Act As NTP Master Clock When this checkbox is selected the Apply and Revert buttons become enabled to save or cancel settings within the Other Settings f...

Page 305: ...isting Symmetric Key configurations and if necessary add a new one 1 Select Services Secure NTP from the main menu tree 2 Select the Symmetric Keys tab Listen to NTP Broadcasts Select this checkbox to allow the switch to listed over the network for SNTP broadcast traffic Once enabled the switch and the SNTP broadcast server must be on the same network Broadcast Delay Enter the estimated round trip...

Page 306: ...ration from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch 10 Click OK to save and add the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration Key ID Displays a Key ID between 1 65534 The Key ID is a abbreviation allowin...

Page 307: ...IP address version authentication key ID and preferred source designation 5 Select an existing entry and click the Delete button to remove it from the table IP Address Hostname Displays the numeric IP address of the resource peer or server providing switch SNTP resources Ensure the server is on the same subnet as the switch to provide SNTP support Neighbor Type Displays whether the NTP resource is...

Page 308: ...P synchronization resource addresses Use a NTP broadcast to listen for NTP synchronization packets within a network To listen to NTP broadcast traffic the broadcast server and switch must be on the same subnet NTP broadcasts reduce configuration complexity since both the switch and its NTP resources can be configured to send and receive broadcast messages 7 Enter the IP Address of the peer or serv...

Page 309: ...both the sender and the receiver must know the same key it is also referred to as shared key cryptography The key can only be known by the sender and receiver to maintain secure transmissions 13 Enter an Key ID between 1 65534 The Key ID is a Key abbreviation allowing the switch to reference multiple passwords 14 Select the Preferred Source checkbox if this NTP resource is a preferred NTP resource...

Page 310: ... address of the time source the switch is synchronized to Stratum Displays how many hops the switch is from a SNTP time source The switch automatically chooses the SNTP resource with the lowest stratum The SNTP supported switch is careful to avoid synchronizing to a server that may not be accurate Thus the NTP enabled switch never synchronizes to a machine not synchronized itself The SNTP enabled ...

Page 311: ...e round trip delay in seconds for SNTP broadcasts between the SNTP server and the switch Offset sec Displays the calculated offset between the switch and SNTP server The switch adjusts its clock to match the server s time value The offset gravitates toward zero over time but never completely reduces its offset to zero Dispersion sec Displays how scattered the time offsets are in seconds from a SNT...

Page 312: ...e with a NTP server CAUTION After an NTP synchronization using a Symmetric Key the NTP status will not automatically update Leap Indicates if a second will be added or subtracted to SNTP packet transmissions or if the transmissions are synchronized Stratum Displays how many hops the switch is from its current NTP time source Reference Displays the address of the time source the switch is synchroni...

Page 313: ...e time and frequency offsets The values that normally appear in this field range from negative values of a few milliseconds to positive values of several hundred milliseconds Root Dispersion Displays the nominal error relative to the primary time source in seconds The values that normally appear in this field range from 0 to several hundred milliseconds ...

Page 314: ...can be configured using a common file cluster config using DHCP options This functionality provides an alternative method for configuring members collectively from a centralized location instead of configuring specific redundancy parameters on individual switches Configure each switch in the cluster by logging in to one participating switch The administrator does not need to login to each redundan...

Page 315: ...nship between members Typically a switch can be considered a master for the command it originates Responding members can be considered slaves with respect to that command This virtual master slave relationship makes this design unique when compared to existing centralized management systems Having a virtual master slave relationship eliminates a single point of failure since a user can make use of...

Page 316: ...undancy group all Active members adopt Access Ports except the Standby members who adopt Access Ports only when an Active member has failed or sees an access port not adopted by a switch Redundancy ID Define an ID for the cluster group All the switches configured in the cluster should have the same Cluster ID The valid range is 1 65535 Discovery Period Use the Discovery Period to configure a clust...

Page 317: ...an administrator to have only one DHCP server running at any time in a cluster The clustering protocol enables all peers participating in DHCP redundancy to determine the active DHCP server among them The switch with lowest Redundancy IP is selected as the active DHCP server for the cluster This selected active DHCP server can be either a primary or standby switch The other switches do not provide...

Page 318: ...selected load balancing will initiate anytime a new active switch is added to the redundancy group If Schedule is selected you can configure a start date and time to execute load balancing This feature is not available when Dynamic Load Balancing is enabled Start Date If Schedule is selected as the load balancing mode enter a start date for load balancing to take place Start Time If Schedule is se...

Page 319: ...ot enabled Otherwise it remains in Startup for a period of 50 seconds the standard STP convergence time During the discover state the switch exchanges heartbeats and update messages to discover other members and define the redundancy group license After discerning memberships it moves to an Active state There is no difference in state execution for Primary and Standby modes AP Licenses in group Di...

Page 320: ...cluster can self heal if problems exist Mobile Units in group Displays the combined number of MU associations for the members of the redundancy group Compare this number with the number of MUs on this switch to determine how effectively MU associations are distributed within the cluster DHCP Server in Group Displays the total number of DHCP Servers available for DHCP resources for the combined clu...

Page 321: ...witch and thus escalates a security issue Radios on this switch Displays the number of radios used with this switch Self healing radios on this switch Displays the number of radios on this switch with self healing enabled Compare this value with the total number of radios within the group to determine how effectively radios can self heal if problems exist Mobile Units on this switch Displays the n...

Page 322: ...of this group member This status could have the following values Configured The member is configured on the current wireless service module Seen Heartbeats can be exchanged between the current switch and this member Invalid Critical redundancy configuration parameter s of the peer heartbeat time discovery time hold time Redundancy ID Redundancy Protocol version of this member do not match this swi...

Page 323: ...ls Use the Details screen in conjunction with its parent Member screen to display additional more detailed information on the group member selected within the Member screen To review the details 1 Select Services Redundancy from the main menu tree The Redundancy screen displays with the Configuration tab selected 2 Select the Member tab 3 Highlight a member of the group and select the Details butt...

Page 324: ... impacting redundancy group members see Redundancy Group License Aggregation Rules on page 5 45 Mode The Redundancy Mode could be Active or Standby depending on the mode configuration on the member Refer to the Configuration screen to change the mode License Count Displays the number of port licenses available for this switch For information on licensing rules impacting redundancy group members se...

Page 325: ...e dialog 6 Refer to the Status field The Status is the current state of the requests made from the applet Requests are any SET GET operation from the applet The Status field displays error messages if something goes wrong in the transaction between the applet and the switch 7 Click Cancel to close the dialog without committing updates to the running configuration 5 4 4 Redundancy Group License Agg...

Page 326: ...onfiguration is removed a member switch forgets the learned cluster license as well as peer information needed to compute license totals If adding a new switch with zero or non zero installed license to a group with at least one license contributing switch down the new group member will receive a different cluster license value For example for a cluster of three switches S1 6 S2 6 and S3 6 license...

Page 327: ...ring Redundancy Group Membership 4 On the Configuration tab check the Enable Redundancy checkbox and then check the Enable Cluster GUI box 5 Click the Apply button to enable the Cluster GUI feature 6 Once Cluster GUI is enabled a Switch field will be available in many of the Access Port and mobile unit related screens The Switch field is displays which cluster members the APs and MUs are associate...

Page 328: ...m Reference Guide 5 5 Layer 3 Mobility Refer to the following sections to configure Layer 3 Mobility Configuring Layer 3 Mobility Defining the Layer 3 Peer List Reviewing Layer 3 Peer List Statistics Reviewing Layer 3 MU Status ...

Page 329: ...ng between switches on different Layer 3 subnets while retaining the same IP address Static configuration of mobility peer switches Layer 3 support does not require any changes to the MU In comparison other solutions require special functionality and software on the MU This creates numerous inter working problems with working with MUs from different legacy devices which do not support Layer 2 swit...

Page 330: ... of time MUs within selected WLAN are allowed to roam amongst different subnets 5 Refer to the table of WLANs and select the checkboxes of those WLANs you wish to enable Layer 3 mobility for Once the settings are applied MUs within these WLANs can roam amongst different subnets 6 Select the Enable Mobility checkbox to enable a MU to maintain the same Layer 3 address while roaming throughout a mult...

Page 331: ...t tab 3 Refer to the contents of the Peer List for existing IP addresses and Layer 3 MU session status Use this information to determine whether a new IP address needs to be added to the list or an existing address needs to be removed 4 Select an IP address from those displayed and click the Delete button to remove the address from the list available for MU Layer 3 roaming amongst subnets 5 Click ...

Page 332: ...screen appears with the Configuration tab displayed 2 Select the Peer Statistics tab 3 Refer to the following information within the Peer Statistics tab Peer IP Displays the IP addresses of the peer switches within the mobility domain Each peer can support up to 500 MUs JOIN Events sent rcvd Displays the number of JOIN messages sent and received JOIN messages advertise the presence of MUs entering...

Page 333: ...ase is no longer present in the mobility domain The criterion to determine the MU has actually left the network is implementation specific The current switch sends the LEAVE message with the MU s MAC address information to the home switch which eventually forwards the message to each mobility peer L2 ROAMs sent rcvd Displays the number of Layer 2 ROAM messages sent and received When a MU roams to ...

Page 334: ...e The Self Healing page launches with the Configuration tab displayed 2 Select the Enable Neighbor Recovery checkbox Enabling Neighbor Recovery is required to conduct manual neighbor detection 3 Refer to the Interference Avoidance field to define the following settings 4 Click the Apply button to save the changes made within this screen Clicking Apply overwrites the previous configuration Enable I...

Page 335: ...nd corner displays whether neighbor recovery is currently enabled or disabled To change the state click the Enable Neighbor Recovery checkbox within the Configuration tab 3 Refer to the following information as displayed within the Neighbor Recovery screen Radio Index Displays a numerical identifier used in conjunction with the radio s name to differentiate the radio from its peers Description Dis...

Page 336: ...e Properties of a Neighbor Use the Edit screen to specify the neighbor of a selected radio and the action the radio performs in the event its neighbor radio fails To edit the properties of a neighbor 1 Select Services Self Healing from the main menu tree 2 Select the Neighbor Details tab Action Displays the self healing action configured for the radio Options include Raise Power The transmit power...

Page 337: ...er is lower than the maximum permissible value Both The radio will open its rates as well as raise its power 5 Click the Add button to move a radio from the Available Radios list to the Neighbor Radios list This dedicates neighbors for this radio 6 Select a radio and click Remove to move the radio from the Neighbor Radios list to the Available Radios list 7 Refer to the Status field for an update ...

Page 338: ... with the locating switch is displayed in a shaded color to distinguish it from non compatible devices 5 7 1 Configuring Discovery Profiles To configure switch discovery 1 Select Services Discovery from the main menu tree The Discovery page launches with the Discovery Profiles tab displayed 2 Refer to the following information within the Discovery Profiles tab to discern whether an existing profil...

Page 339: ...the switch displays discovered devices within the Recently Found Devices table If SNMP v2 is used with a discovering profile a Read Community String screen displays The Community String entered is required to match the name used by the remote network management software of the discovered switch If SNMP v3 is used with a discovering profile a V3 Authentication screen displays The User Name and Pass...

Page 340: ...the running configuration 5 7 2 Viewing Discovered Switches Refer to the Recently Found Devices tab to view a table of devices found by the discovery process Each discovered device compatible with the locating switch running switch software version 1 1 or higher is displayed in a shaded color to distinguish it from non compatible devices The switch Web UI enables users display the Web UI of the di...

Page 341: ...sider configuring a new discovery policy and launching a new search Redundancy Group ID If the discovered device is part of a redundancy group its cluster ID displays within this column The Redundancy ID would have been assigned using the Switch Redundancy screen Device Name Displays the device name assigned to the discovered device This name would have been assigned using the Switch Configuration...

Page 342: ...vice cannot be selected and its Web UI displayed 5 Select a discovered device from amongst those located and displayed within the Recently Found Devices screen and click the Launch button to display the Web UI for that switch CAUTION When launching the Web UI of a discovered device take care not to make configuration changes rendering the device ineffective in respect to its current configuration ...

Page 343: ...n of the client By default all clients are allowed admission in all zones and the Wireless ACLs can be configured to deny admission to a single MAC address client or a group of clients for each defined zone Switch Management CLI SNMP or Applet Switch Management plays a key role in defining and configuring the multiple Geofencing zones This includes configuration of site parameters including site d...

Page 344: ...ses the following input variables as needed for the specific tag type calculating location User configurations RSSI propagation based on facility layout and RF barriers as specified by the user Smart surroundings fixed wireless devices such as printers price verifiers near me tags as installed in the facility Runtime RF environment The previous position of the tag TDoA AoA SOLE is capable of recei...

Page 345: ...re locationing is deployed This is an optional field Length Enter the length of the site This is the X axis of your site map based on the origin point of 0 0 The size is either in feet or meters depending on which unit of measure is selected below The valid range for length is 1 1000m or 1 3000ft Width Enter the width of the site This is the Y axis of your site map based on the origin point of 0 0...

Page 346: ...ected by the switch For information on how to configure AP location information see Chapter 5 Adding AP Location Information Location Y Coordinate Displays the value of the Y Coordinate for each AP The Y coordinate is relative to the origin point of 0 0 in the upper left corner of the site map This value is user configured and not detected by the switch For information on how to configure AP locat...

Page 347: ...al value and revert back to the last saved configuration 7 The MU MAC table allows you to manually add or remove MAC Addresses which can be located by the SOLE engine This supports a maximum of 512 MUs This table is disabled when the Locate All MUs checkbox is selected a To add MUs to the MU MAC table click the Add button to open a dialogue box allowing you to add a MAC Address to the MU MAC table...

Page 348: ... switch Location X Coordinate Displays the value of the X Coordinate for each located MU The X coordinate is relative to the origin point of 0 0 in the upper left corner of the site map Location Y Coordinate Displays the value of the Y Coordinate for each located MU The Y coordinate is relative to the origin point of 0 0 in the upper left corner of the site map Timestamp Displays the last time for...

Page 349: ...s received by the switch from the external Aeroscout RTLS engine Last Msg RX Time Displays the Date and Time that the last message was received from the external Aeroscout RTLS engine No of TX Msgs Displays the number of messages transmitted by the switch to the external Aeroscout RTLS engine Last Msg TX Time Displays the Date and Time that the last message was sent to the external Aeroscout RTLS ...

Page 350: ...pply button to save the Multicast MAC Address IP Address and Port information 8 Click the Revert button to cancel any changes made within Multicast MAC Address IP Address and Port settings and revert back to the last saved configuration 9 If the Multicast MAC Address IP Address and Port values are configured and Ekahau RTLS support is enabled the following information will be displayed NOTE To use...

Page 351: ...rts Displays the number of Tag Reports received from the external Ekahau RTLS engine MAC Lists the MAC Addresses of all MUs which have been located by the switch Location X Coordinate Displays the value of the X Coordinate for each located MU The X coordinate is relative to the origin point of 0 0 in the upper left corner of the site map Location Y Coordinate Displays the value of the Y Coordinate...

Page 352: ...5 72 WiNG 4 4 Switch System Reference Guide ...

Page 353: ...onfiguration activities Displaying the Main Security Interface Access Point Detection Wireless Intrusion Detection Protection Configuring Firewalls and Access Control Lists Configuring NAT Information Configuring IKE Settings Configuring IPSec VPN Configuring the Radius Server Creating Server Certificates Configuring Enhanced Beacons and Probes ...

Page 354: ...ain menu tree NOTE When the switch s configuration is successfully updated using the Web UI the effected screen is closed without informing the user their change was successful However if an error were to occur the error displays within the effected screen s Status field remains displayed In the case of file transfer operations the transfer screen remains open during the transfer operation and rem...

Page 355: ...11 Wireless Filters Displays the state of the filters used to either allow or deny a MAC address or groups of MAC addresses from associating with the switch For more information see Configuring Firewalls and Access Control Lists on page 6 15 Certificates Displays the number of Server and CA certificates currently used by the switch For more information see Creating Server Certificates on page 6 10...

Page 356: ...figuring AP Detection Use the Configuration screen to allow the switch to detect potentially hostile Access Points set the number of detected APs allowed and define the timeout and threshold values used for detection The switch can enable both Access Ports and MUs to scan and detect Access Points within the switch managed network Continually re validating the credentials of associated devices redu...

Page 357: ...ed these devices can be added to a list of Access Points either approved or denied from interoperating within the switch managed network Refresh Time Define a value in seconds associated MUs use to scan for Access Points The range is from 300 86400 seconds with a default of 1800 seconds NOTE When using MU Assisted Scans with an AP300 Access Port the MU Assisted scan will begin as soon as the Enabl...

Page 358: ...SSID field to configure Access Point ESSID permissions 7 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 8 Click OK to use the changes to the running configuration and close the dialog 9 Click Cancel to close the dialog without committing updates to the r...

Page 359: ...Use the Unapproved APs AP Reported tab to review Access Points detected by associated switch Access Port radios and are restricted from operation within the switch managed network The criteria for restriction was defined using the Security Access Point Detection Configuration screen To view Access Port detected unapproved Access Points 1 Select Security Access Point Detection from the main menu tr...

Page 360: ...ed on the network but have yet to be added to the list of Approved APs and are therefore interpreted as a threat on the network If a MAC Address displays on the list incorrectly click the Allow button and add the MAC Address of a newly Allowed AP index Reporting AP Displays the numerical value for the radio used with the detecting AP Channel Displays the channel the Unapproved AP is currently tran...

Page 361: ... feature to provide protection from rogue Access Points by disrupting traffic to mobile units associated with the Rogue AP and prevents new mobile units from getting associated to the Rogue AP To configure Access Point Containment and view rogue APs 1 Select Security Access Port Intrusion Detection from the main menu tree BSS MAC Address Displays the MAC Address of each Unapproved AP These MAC add...

Page 362: ...al has been set click the Apply button to enable the feature and save the interval value 5 The rogue AP table displays the following information about known rogue APs 6 To manually add a rogue AP to the table click the Add button and enter the MAC address of the known rogue AP 7 To remove an AP from the rogue AP table select that AP and click the Delete button Index A unique numerical ID assigned ...

Page 363: ...d information The Wireless Intrusion Detection screen provides the following functionalities Configuring Wireless Intrusion Detection Protection Viewing Filtered MUs 6 3 1 Configuring Wireless Intrusion Detection Protection To configure Wireless Intrusion Detection 1 Select Security Wireless Intrusion Detection Protection from the main tree menu 2 Click the Configuration tab The MU Intrusion Detec...

Page 364: ... a violation is triggered by an AP type it will display with a green check box If it is not triggered on an AP type it will display with a red X Threshold Values for Mobile Unit Set the MU threshold value for each violation type If exceeded the MU will be filtered and displayed within the Filtered MUs screen Threshold Values for Radio Set the radio threshold value for each violation type If exceed...

Page 365: ...those MUs filtered using the settings defined within the Configuration tab 1 Select Security Wireless IDS IPS from the main tree menu 2 Click on the Filtered MUs tab The Filtered MUs tab displays the following read only information for detected MUs MAC Address Displays the MU s MAC address Defer to this address as the potentially hostile MU s identifier Radio Index The radio index displays the ind...

Page 366: ...ive Authentication failure Excessive Crypto replays Excessive 802 11 replays Excessive Decryption failures Excessive Unassociated Frames Excessive EAP Start Frames Null destination Same source destination MAC Source multicast MAC Weak WEP IV TKIP Countermeasures Invalid Frame Length Excessive EAP NAKS Invalid 802 1x frames Invalid Frame Type Beacon with broadcast ESSID Frames with known bad ESSIDs...

Page 367: ...e switch stops testing conditions after the first match The switch supports the following ACLs to filter traffic Router ACLs Applied to VLAN Layer 3 interfaces These ACLs filter traffic based on Layer 3 parameters like source IP destination IP protocol types and port numbers They are applied on packets routed through the switch Router ACLs can be applied to inbound traffic only not both directions...

Page 368: ...s match the packet it is matched against ACL rules to determine whether to accept or reject it If ACL rules accept the packet a new session is created and all further packets belonging to that session are allowed If ACL rules reject the packet no session is established A session is computed based on Source IP address Destination IP address Source Port Destination Port ICMP identifier Incoming inte...

Page 369: ...n MAC Ethertype VLAN ID 802 1p bits When a Port ACL is applied to a trunk port the ACL filters traffic on all VLANs present on the trunk port With Port ACLs you can filter IP traffic by using IP ACL Non IP traffic by using MAC addresses Both IP and non IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface You cannot apply more than one I...

Page 370: ... is the default offset between any two rules in an ACL However if the user specifies a precedence value with an entry that value overrides the default value The user can also add an entry in between two subsequent entries for example in between 10 and 20 If an entry with a max precedence value of 5000 exists you cannot add a new entry with a higher precedence value In such a case the system displa...

Page 371: ...ck the Add button to add an ACL to a WLAN interface For more information see Adding or Editing a New ACL WLAN Configuration on page 6 19 6 4 2 1 Adding or Editing a New ACL WLAN Configuration After creating an ACL it can be applied to one or more WLANs on the switch To attach an ACL to a WLAN 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the At...

Page 372: ...the ACL applies 9 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration 6 4 3 Attaching an ACL L...

Page 373: ... 2 Layer 3 Configuration After creating an ACL it can be applied to one or more interfaces On a Layer 3 interface Layer 2 interface ACLs can be applied only in an inbound direction To add an ACL interface to the switch 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Attach L2 L3 tab Interface The interface to which the switch is configured It...

Page 374: ...n menu to select an MAC ACL used as the MAC IP for the layer 2 interface 8 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 9 Click OK to use the changes to the running configuration and close the dialog 10 Click Cancel to close the dialog without committing updat...

Page 375: ...L interface to the switch 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Attach Role tab Role Priority Displays the priority assigned to the role as determined by the Sequence Number associated with the role Role Name Displays the role name assigned to each role Role names are assigned when they are added from the Security Wireless Firewall ...

Page 376: ...y 9 Refer to the Status field for the state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 10 Click OK to use the changes to the running configuration and close the dialog 11 Click Cancel to close the dialog without committing updates to the running configuration 6 4 5 Attaching Adaptive AP WLANs Use ...

Page 377: ...n to add an physical or VLAN interface to the switch For more information see Adding an Adaptive AP WLAN on page 6 26 6 4 5 1 Editing an Adaptive AP WLAN To Edit an AAP WLANs page 1 Select Security Wireless Firewall from the main menu tree 2 Click on the Security Policy tab 3 Click on the Wireless Filters tab WLAN Index The WLAN Index displays the list of attached WLANs with ACLs IP ACL Displays t...

Page 378: ...1 Select Security Wireless Firewall from the main menu tree 2 Click on the Security Policy tab 3 Click on the Wireless Filters tab 4 On the Attach AAP WLAN tab and click the Add button WLAN Index Enter the WLAN Index to attach the WLAN with ACLs The range is 0 2 IP ACL Select an IP ACL configured for the WLAN interface in the inbound outbound direction Inbound Outbound Select either the Inbound or...

Page 379: ...urity Policy tab 3 Click on the Wireless Filters tab 4 The Attach AAP LAN tab contains the following read only information 5 Select an interface and click on Edit to modify the LAN Index IP ACL and MAC ACL values For more information see Editing an Adaptive AP LAN on page 6 27 6 4 6 1 Editing an Adaptive AP LAN To Edit an AAP LANs page AP MAC Address Displays the MAC Address of all Adaptive APs LA...

Page 380: ...er allow or deny a MAC address or groups of MAC addresses from associating with the switch Refer to the Wireless Filters screen to review the properties of existing switch filters A filter can be selected from those available and edited or deleted Additionally a new filter can be added if an existing filter does not adequately express the MU s address range required To display the Wireless Filters...

Page 381: ...ciated with each Wireless Filter Zone ID can be between 1 and 48 Zones allows you to associate firewall policies to each zone All members of the same zone will have the same firewall policies applied to them Allow Deny States whether this particular ACL Index and MAC address range has been allowed or denied access to the switch managed network WLANs Displays the WLANs associated with each Wireless...

Page 382: ...ing and ending MAC addresses If significant changes are required to a usable filter consider creating a new one To edit an existing filter 1 Select Security Wireless Firewall from the main menu tree 2 Click on the Security Policy tab 3 Click on the Wireless Filters tab 4 Select one of the existing ACLs from the filters list 5 Click the Edit button at the bottom of the screen to launch a screen for...

Page 383: ...e created an allow or deny designation can be applied to the new filter ACL To create a new filter ACL 1 Select Security Wireless Firewall from the main menu tree 2 Click the Security Policy tab 3 Click the Wireless Filters tab 4 Click the Add button at the bottom of the screen to launch a new dialogue used for creating an ACL Define an Index numerical identifier for the ACL and the starting and e...

Page 384: ...plet and the switch 11 Click OK to use the changes to the running configuration and close the dialog 12 Click Cancel to close the dialog without committing updates to the running configuration 6 4 10 Associating an ACL with WLAN Use the Membership screen to define a name for the ACL index and map the index to WLANs 1 32 requiring membership permission restrictions To associate a filter ACL index w...

Page 385: ...3 Click the ACL tab 4 Add a new ACL entry as explained in Appendix 6 4 11 1 Adding a New ACL 5 The Configuration tab consists of the following two fields ACLs existing access lists Associated Rules allow deny rules The ACLs field displays the list of ACLs currently associated with the switch An ACL contains an ordered list of ACEs Each ACE specifies a permit or deny designation and a set of condit...

Page 386: ...witch 4 Click the Add button 5 Select an ACL Type from the drop down menu The following options are available Standard IP List Uses source IP addresses for matching operations Extended IP List Uses source and destination IP addresses and optional protocol information for matching operations MAC Extended List Uses source and destination MAC addresses VLAN ID and optional protocol information 6 Ente...

Page 387: ...om within the Filters field select a Source Mask Length from the drop down menu The Source Mask Length is the size of the network or host in mask format The mask length defines a match based on the Network Host 10 Use the Source Address field to enter the IP address where the packets are sourced 11 Refer to the Status field for the current state of the requests made from applet This field displays...

Page 388: ...ed in the access lists 9 If mark is selected from within the Operations drop down menu the Attribute to mark field becomes enabled If necessary select the 802 1p 0 7 or TOS 0 255 checkbox and define the attribute receiving priority with this ACL mark designation 10 From within the Filters field modify if necessary the Source Mask Length from the drop down menu The source is the source address of t...

Page 389: ...otocol ARP rate Rates can be between 1 and 1000000 DHCP Trust Displays the DHCP trust status for the selected L2 interface Any DHCP packets from a DHCP server connected to the selected interface is considered trusted These DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks By default all physical interfaces are DHCP trusted Onboard DHCP server is also trusted as the s...

Page 390: ...hrottled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The threshold range is 1 1000000 packets per second Unknown Unicast Storm Displays the Unknown Unicast Storm Threshold for each interface When the rate of unknown unicast packets exceeds the high threshold configured for an interface packets are throttled till the rate falls below the co...

Page 391: ...igured for an interface packets are throttled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The threshold range is 1 1000000 packets per second Multicast Storm Threshold Configure the Multicast Storm Threshold for each interface When the rate of multicast packets exceeds the high threshold configured for an interface packets are throttled ti...

Page 392: ...red in terms of packets per second The threshold range is 0 1000000 packets per second Unknown Unicast Storm Displays the Unknown Unicast Storm Threshold for each interface When the rate of unknown unicast packets exceeds the high threshold configured for an interface packets are throttled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The th...

Page 393: ...LAN tab 4 Click the Add button DHCP Trust Displays the DHCP trust status for the selected WLAN These DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks Any DHCP packets from a DHCP server connected to the selected WLAN is considered trusted By default all WLANs are not DHCP trusted When DHCP trust is enabled a green checkmark is displayed when disabled a red X is disp...

Page 394: ...d configured for an interface packets are throttled till the rate falls below the configured rate Thresholds are configured in terms of packets per second The valid threshold range is 0 1000000 packets per second Unknown Unicast Storm Enter the Unknown Unicast Storm Threshold for each interface When the rate of unknown unicast packets exceeds the high threshold configured for an interface packets ...

Page 395: ...he level of Syslog logging enabled for each DoS Attack filter The logging level uses standard Syslog levels of Emergency Alert Critical Error Warning Notice Info Debug None To change the logging level click on the specific field and choose the logging level from the pull down menu Attack Count Displays the number of times that each DoS attack have been observed by the switch firewall Clicking the ...

Page 396: ...isable all Denial of Service Attack filters click on the Disable All button When a DoS Attack filter is disabled a red X will be shown in the Check Enabled column 9 To clear statistics for Denial of Service Attacks click the Clear Stats button This will reset all Attack Counts to 0 and all Last Occurrence times to 0 00 00 00 10 Click the Apply button to save the changes made within the DoS Attach ...

Page 397: ... name of each role The role name is configured when the role is created and cannot be edited AP Location Displays the AP Location filters if any applied to each role The AP location filters can be set when the role is created or may be edited by selecting a role and clicking the Edit button ESSID Displays the ESSID filters if any applied to each role The ESSID location filters can be set when the ...

Page 398: ...figuration tab 3 Click the Role tab 4 Click the Add button 5 To create a new role configure the following information Sequence Number Enter a sequence number to be associated with each role Sequence numbers determine the order that role are applied Roles with lower sequence numbers are applied before those with higher sequence numbers Sequence numbers are assigned when a role is created and cannot...

Page 399: ...s The role will be applied when the Radius Group Name contains the string specified in the role Not Contains The role will be applied to when the Radius Group Name does not contain the string specified in the role Any The role will be applied to any Radius Group Name MU MAC Address Configure the MU MAC Address filters if any applied to each role The MU MAC Address filter can be set to apply the ro...

Page 400: ... between the applet and the switch 7 Click OK to use the changes to the running configuration and close the dialog 8 Click Cancel to close the dialog without committing updates to the running configuration 6 4 16 Configuring Firewall Logging Options To view firewall logging rules 1 Select Security Wireless Firewall from the main tree menu 2 Click the Configuration tab 3 Click the Log Options tab ...

Page 401: ...rning Notice Info Debug None To change the logging level click on the specific field and choose the logging level from the pull down menu Broadcast Log The Broadcast Log field displays the level of syslog logging enabled for excessive broadcasts on an interface The logging level uses standard Syslog levels of Emergency Alert Critical Error Warning Notice Info Debug None To change the logging level...

Page 402: ...he Statistics tab Multicast Log The Multicast Log field displays the level of syslog logging enabled for excessive multicast on an interface The logging level uses standard Syslog levels of Emergency Alert Critical Error Warning Notice Info Debug None To change the logging level click on the specific field and choose the logging level from the pull down menu Unknown Unicast Log The Unknown Unicast...

Page 403: ... to mark the packet is tagged for priority or type of service Low Source IP Displays the Low Source IP Address from where the packets are sourced High Source IP Displays the High Source highest address in available range IP Address from where the packets are sourced Low Destination IP Displays the Low Destination lowest address in available range IP Address High Destination IP Displays the High De...

Page 404: ...r the selected interface 6 Click the Export to export the selected ACL attribute to a user specified location 6 4 17 2 Viewing DHCP Snoop Entry Statistics To review DHCP Snoop Entry statistics 1 Select Security Wireless Firewall from the main menu tree 2 Click the Statistics tab 3 From the Statistics section select the DHCP Snoop Entry tab ...

Page 405: ...ics section select the Role tab Client IP Address Displays the DHCP Client IP Address for each entry VLAN ID Displays the VLAN ID number if any for each entry in the DHCP Snoop Entry table The range is 1 4094 The default value is 1 MAC Address Displays the MAC Address of each DHCP Client DHCP Server or Router in the table Type Displays the type for each DHCP Snoop Entry Available entry types are D...

Page 406: ... main menu tree 2 Click the Statistics tab Role Name Displays the Role Names for all roles that are active and have mobile units associated with them Assigned MUs Clicking on a Role Name will display all mobile units that are associated with the selected role AP MAC Address Displays the MAC Address of all Adaptive APs Inbound ACL ID Displays the Inbound ACL ID for each attached Adaptive AP ACL IDs...

Page 407: ...n as displayed within the AAP WLAN tab ACL ID Displays the ACL ID for each attached AAP WLAN ACL ACL IDs can be modified in the Security Policy Edit screen Direction Displays the direction either Inbound or Outbound for the AAP WLAN ACL Hit Count Displays the number of times each AAP WLAN ACL has been triggered ...

Page 408: ...s can be forwarded to an outside network The translation process operates in parallel with packet routing NAT enables network administrators to move a Web or FTP Server to another host without having to troubleshoot broken links Change the inbound mapping with the new inside local address to reflect the new host Configure changes to your internal network seemlessly since the only external IP addre...

Page 409: ... Direction Displays the direction as either Source The inside network is transmitting data over the network to its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Destination Packets passing through the NAT on the way back to the switch managed LAN are searched against the records kept by the NAT engine The destination IP add...

Page 410: ...s is changed in the header and replaced by the public IP address Destination Packets passing through the NAT on the way back to the switch managed LAN are searched against to the records kept by the NAT engine There the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the switch managed network 6 Use the Access List drop down m...

Page 411: ... address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Refer to the NAT screen s Static Translation tab to view existing static NAT configur...

Page 412: ... accessible network Direction Displays the Direction as either Source The inside network is transmitting data over the network its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Destination Packets passing through the NAT on the way back to the switch managed LAN are searched against to the records kept by the NAT engine The...

Page 413: ...t the local source end of the NAT configuration This address once translated will not be exposed to the outside world when the translation address is used to interact with the remote destination 7 Enter the Local Port 1 65535 used to for the translation between the switch and its NAT destination 8 Use the Protocol drop down menu to select either TCP or UDP as the protocol 9 Enter the Global Addres...

Page 414: ...ed as the communication medium between the switch managed network and its destination within the insecure outside world c Use the Type drop down menu to specific the Inside or Outside designation as follows Inside The set of switch managed networks subject to translation These are the internal addresses you are trying to prevent from being exposed to the outside world Outside All other addresses U...

Page 415: ...4 Click on the Export button to export the contents of the table to a Comma Separated Values file CSV Inside Global Displays the internal global pool of addresses allocated out of the switch s private address space but relevant to the outside you are trying to prevent from being exposed to the outside world Inside Local Displays the internal local pool of addresses addresses internal to the switch...

Page 416: ...Refer to the Configuration tab to enable or disable IKE and define the IKE identity for exchanging identities Use IKE to specify IPSec tunnel attributes for an IPSec peer and initiate an IKE negotiation with the tunnel attributes This feature is best implemented in a crypto hub scenario This scenario is scalable since the keys are kept at a central repository the Radius server and more than one sw...

Page 417: ...thin the IKE Settings field to save the configuration 5 Click the Revert within the IKE Settings field to rollback to the previous configuration 6 Refer to the Pre shared Keys field to review the following information 7 Highlight an existing set of pre shared Keys and click the Edit button to revise the existing peer IP address and key 8 Select an existing entry and click the Delete button to remo...

Page 418: ...es the first tunnel protecting later IKE negotiation messages and phase 2 creates the tunnel protecting the data To define the terms of the IKE negotiation create one or more IKE policies Include the following An authentication scheme to ensure the credentials of the peers An encryption scheme to protect the data A HMAC method to ensure the identity of the sender and validate a message has not bee...

Page 419: ...fied in transit Options include SHA The default value MD5 MD5 has a smaller digest and is somewhat faster than SHA 1 Authentication Type Displays the authentication scheme used to validate the identity of each peer Pre shared keys do not scale accurately with a growing network but are easier to maintain in a small network Options include Pre shared Key Uses pre shared keys RSA Signature Uses a dig...

Page 420: ... cannot be edited to be useful click the Add button to define a new policy a Configure a set of attributes for the new IKE policy NOTE 192 bit AES and 256 bit AES are not supported for manual IPSec sa configurations Sequence Number Define the sequence number for the IKE policy The available range is from 1 to 10 000 with 1 being the highest priority value Encryption Set the encryption method used ...

Page 421: ... used to ensure data integrity The hash value validates a packet comes from its intended source and has not been modified in transit Options include SHA The default value MD5 MD5 has a smaller digest and is somewhat faster than SHA 1 Authentication Type Set the authentication scheme used to validate the identity of each peer Pre shared keys do not scale accurately with a growing network but are ea...

Page 422: ...x used to identify individual SAs Phase 1 done Displays whether this index is completed with the phase 1 authentication credential exchanged between peers Created Date Displays the exact date the SA was configured for each index displayed Local Identity Specifies the address the local IKE peer uses to identify itself to the remote peer Remote Identity Specifies the address the remote IKE peer uses...

Page 423: ...DHCP Server needs to be configured on the interface to distribute public IP addresses to the IPSec clients Configure a Crypto policy IKE IKE automatically negotiates IPSec security associations and enables IPSec secure communications without costly manual pre configuration IKE eliminates the need to manually specify all the IPSec security parameters in the Crypto Maps at both peers allows you to s...

Page 424: ...n With the switch a Crypto Map cannot get applied to more than one interface at a time Monitor and maintain IPSec tunnels New configuration changes only take effect when negotiating subsequent security associations If you want the new settings to take immediate effect clear the existing security associations so they will be re established with the changed configuration For manually established sec...

Page 425: ... to disregard any changes you have made and revert back to the last saved configuration Name Displays a transform set identifier used to differentiate transform sets The index is helpful when transform sets with similar attributes need to be revised or discarded AH Authentication Scheme Displays the AH Transform Authentication scheme used with the index Options include None No AH authentication is...

Page 426: ...nu tree 2 Click the Configuration tab 3 Select an existing transform set and click the Edit button 4 Revise the following information as required to render the existing transform set useful ESPAuthentication Scheme Displays the ESP Authentication Transform used with the index Options include None No ESP authentication is used with the transform set MD5 HMAC AH with the MD5 HMAC variant authenticat...

Page 427: ...our network To edit the attributes of an existing transform set 1 Select Security IPSec VPN from the main menu tree 2 Click the Configuration tab 3 Click the Add button ESP Encryption Scheme Select the Use ESP checkbox if necessary to modify the ESP Encryption Scheme Options include None No ESP encryption is used with the transform set ESP DES ESP with the 56 bit DES encryption algorithm ESP 3DES ...

Page 428: ...he main menu tree Name Create a name describing this new transform set AH Authentication Scheme Select the Use AH checkbox to define the AH Transform Authentication scheme Options include None No AH authentication is used AH MD5 HMAC AH with the MD5 HMAC variant authentication algorithm AH SHA HMAC AH with the SHA HMAC variant authentication algorithm ESP Encryption Scheme Select the Use ESP check...

Page 429: ...route information to the remote destination of the IPSec VPN Apply Click Apply to save any updates made to the screen Revert Click the Revert button to disregard changes and revert back to the last saved configuration Index Enter the index assigned to the range of IP addresses displayed in the Starting and Ending IP Address ranges This index is used to differentiate the index from others with simi...

Page 430: ...nisms used with the IPSEC VPN configuration To define the IPSEc VPN authentication configuration 1 Select Security IPSec VPN from the main menu tree 2 Select the Authentication tab 3 Define whether IPSec VPN user authentication is conducted using a Radius Server by selecting the Radius radio button by a user defined set of names and password by selecting the User Table radio button or if no authen...

Page 431: ... checkboxes define the server IP address port and shared secret password Click OK when completed to save the changes 9 If the User Table checkbox was selected from within the Configuration field select the User Table tab to review the User Name and Passwords defined for use 10 Click the Add button to display a screen used to add a new User and Password Enter a User Name and Password and confirm Cl...

Page 432: ... of Crypto Maps referring to large identity sections instead of specifying a large number of Crypto Maps referring to small identity sections To define the Crypto Map configuration 1 Select Security IPSec VPN from the main menu tree 2 Click the Crypto Maps tab The Crypto Maps screen is divided into 5 tabs each serving a unique function in the overall Crypto Map configuration Refer to the following...

Page 433: ... each Crypto Map Name Displays the user assigned name for this specific Crypto Map This name can be modified using the Edit function or a new Crypto Map can be created by clicking the Add button Mode Config Displays a green checkmark for the Crypto Map used with the current interface A X is displayed next to other Crypto Maps not currently being used Number of Peers Displays the number of peers us...

Page 434: ... data flow using the permissions within the selected ACL g Use the PFS drop down menu to specify a group to require perfect forward secrecy PFS in requests received from the peer h Use the Remote Type drop down menu to specify a remote type either XAuth or L2TP i Optionally select the SA Per Host checkbox to specify that separate IPSec SAs should be requested for each source destination host pair ...

Page 435: ...se displayed and click the Edit button 5 Select an existing Crypto Map and click the Delete button to remove it from the list of those available to the switch 6 If a new peer requires creation click the Add button a Define the Seq Name for the new peer b Enter the name of the IKE Peer used with the Crypto Map to build an IPSec security association Priority Seq Displays each peer s Seq sequence num...

Page 436: ...m amongst those displayed and click the Edit button to revise its Seq IKE Peer ACL ID and security protocol 5 Select an existing table entry and click the Delete button to remove it from the list of those available to the switch Priority Seq Displays the Seq sequence number used to determine priority the lower the number the higher the priority Name Displays the name assigned to the security assoc...

Page 437: ...ypto Map s manual security association is an AH Transform Authentication scheme or an ESP Encryption Transform scheme The AH SPI or ESP SPI fields become enabled depending on the radio button selected f Define the In AH SPI and Auth Keys or In Esp and Cipher Keys depending on which option has been selected g Use the Transform Set drop down menu to select the transform set representing a combinatio...

Page 438: ...ication or a new one requires creation 4 Select an existing Crypto Map and click the Edit button to revise its Seq Name and Transform Set 5 Select an existing entry from the table and click the Delete button to remove it from the list 6 If a new Crypto Map transform set requires creation click the Add button Priority Seq Displays the Seq sequence number used to determine priority Name Displays the...

Page 439: ...n Assigning a Crypto Map to an interface also initializes run time data structures such as the SA database and the security policy database Reassigning a modified Crypto Map to the interface resynchronizes the run time data structures with the Crypto Map configuration Also adding new peers through the new sequence numbers and reassigning the Crypto Map does not break existing connections NOTE A Cr...

Page 440: ...ndex Displays the numerical if defined ID for the security association Use the index to differentiate the index from others with similar configurations Local Peer Displays the name of the local peer at the near side of the VPN connection Remote Peer Displays the name of the remote peer at the far side of the VPN connection ESP SPI In SPI specified in the Encapsulating Security Payload ESP inbound ...

Page 441: ...he View By Page option is selected 5 If necessary select a security association from those displayed and click the Stop Connection button to stop the security association View All Displays all SAs in one screen View By Page Use this option to split the list into pages and view them one page at a time Use this control to navigate to the first page Use this control to navigate to the previous page P...

Page 442: ...igured to use a remote user database A Radius server as the centralized authentication server is an excellent choice for performing accounting Radius can significantly increase security by centralizing password management The Radius server defines authentication and authorization schemes for granting the access to wireless clients Radius is also used for authenticating hotspot and remote VPN Xauth...

Page 443: ...received in the Radius access request frames If the user is authorized and authenticated the client is granted access by sending a Radius access accept frame The frame is transmitted to the client in an EAPoL frame format 6 8 1 1 User Database User group names and associated users in each group can be created in the local database The User ID in the received access request is mapped to the associa...

Page 444: ...ry authentication source default users are admin with superuser privileges and operator with monitor privileges No secondary authentication source is specified However Motorola Solutions recommends using an external Radius Server as the primary authentication source and the local switch Radius Server as the secondary user authentication source For information on configuring an external Radius Serv...

Page 445: ...al Settings field and revert back to the last saved configuration 6 8 3 1 Radius Client Configuration A Radius client implements a client server mechanism enabling the switch to communicate with a central server to authenticate users and authorize access to the switch managed network A Radius client is often an embedded device since it alleviates the need to store detailed user information locally...

Page 446: ...ute force attacks c Refer to the Status field for the current state of the requests made from applet This field displays error messages if something is wrong in the transaction between the applet and the switch d Click OK to use the changes to the running configuration and close the dialog e Click Cancel to close the dialog without committing updates to the running configuration 6 8 3 2 Radius Pro...

Page 447: ...ed secret The shared secret is a case sensitive string that can include letters numbers or symbols Make the shared secret at least 22 characters long to protect the Radius server from brute force attacks The max length of the shared secret is 31 characters f Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong i...

Page 448: ...e switch s local Radius server If LDAP is selected the switch uses the data within an LDAP server Cert Trustpoint Click the View Change button to specify the trustpoint from which the Radius server automatically grants certificate enrollment requests A trustpoint is a representation of a CA or identity pair A trustpoint contains the identity of the CA CA specific configuration parameters and an as...

Page 449: ...hat establishes the base object for the search The base object is the point in the LDAP tree at which to start searching User Login Filter Enter the login used by the LDAP server for authentication Group Filter Specify the group filters used by the LDAP server GroupMembership Attribute Specify the Group Member Attribute sent to the LDAP server when authenticating users Group Attribute Specify the ...

Page 450: ...d 4 Refer to the Available Groups field to view the memberships for existing users If the group assignment is insufficient use the Edit or Add functions to modify create users or modify their existing group assignments For guest users only the password is editable For normal non guest users the password and NOTE The same configuration is supported for the Secondary LDAP agent of the Secondary LDAP...

Page 451: ...r user temporary access to the local Radius server thus restricting their authentication period to a user defined interval Password Enter the password that adds the user to the list of approved users displayed within the Users tab Confirm Password Re enter confirm the password used to add the user to the list of approved users displayed within the Users tab Current Switch Time Displays the read on...

Page 452: ...Cancel to close the dialog without committing updates to the running configuration 6 8 6 Configuring Radius User Groups The Groups tab displays a list of all groups in the local Radius server s database The groups are listed in the order added The existing configuration for each group is displayed to provide the administrator the option of using a group as is modifying an existing group s properti...

Page 453: ...sed by each group The VLAN ID is representative of the shared SSID each group member user employs to interoperate with one another within the switch managed network once authenticated by the local Radius server Time of Access Start Displays the time each group is authenticated to interoperate within the switch managed network Each user within the group is authenticated with the local Radius server...

Page 454: ...ting group is no longer needed perhaps obsolete in function select the group and click the Delete button to permanently remove the group from the list The group can only be removed if all the users in the group are removed first 8 To create a new group click the Add button and provide the following information Name Define a unique group name that differentiates this new group from others with simi...

Page 455: ... user may still interoperate with the switch remain authenticated as part of that group Rate Limit Uplink 0 100 100000 Set the rate limit from the wireless client to the network when using Radius authentication A rate limit of 0 disables rate limiting for this direction Any rate limit obtained through radius server authentication overwrites the initial user rate limit for the given MU Rate Limit D...

Page 456: ...ccounting Logs tab Filename Displays the name of each accounting log file Use this information to differentiate files with similar attributes Type Displays the type of file each file is Size Display the size of the file NOTE An explicit purge operation is not supported the accounting logs are purged automatically once they reach their limit ...

Page 457: ... are issued to Web Servers and used to authenticate Web Servers to browsers while establishing a Secure Socket Layer SSL connection The Server Certificates screen displays two tabs supporting the following Using Trustpoints to Configure Certificates Configuring Trustpoint Associated Keys 6 9 1 Using Trustpoints to Configure Certificates Each certificate is digitally signed by a trustpoint The trus...

Page 458: ... the city wherein the server certificate request was made The city should obviously be within the State Prov stated Organization O Displays the name of the organization making the certificate request Org Unit OU Displays the name of the organizational unit making the certificate request Common Name CN If there is a common name IP address for the organizational unit making the certificate request i...

Page 459: ...ich can be sent to a Certificate Authority CA For more information see Using the Wizard to Create a New Certificate on page 6 107 5 Select the Upload an external certificate radio button to upload an existing Server Certificate or CA Root Certificate For more information see Using the Wizard Delete Operation on page 6 113 6 Select the Delete Operations radio button to delete trustpoints and all re...

Page 460: ...page to create either a self signed certificate or prepare a certificate request For certificate creation select one of the following options Generate a self signed certificate Configure the properties of a new self signed certificate Once the values of the certificate are defined the user can create and install the certificate Prepare a certificate request to send to a Certificate Authority Confi...

Page 461: ...rovide a name for the new trustpoint in the space provided To specify a key for a new certificate select one of the following Automatically generate a key Automatically generates a key for the trustpoint Use existing key Specify an existing key using the drop down menu Use a new key Select this option to create a new key for the trustpoint Define a key name and size as ...

Page 462: ...ration 5 Select the Enter certificate credentials radio button to manually enter the values of a unique certificate If you anticipate using generic default values consider using the Automatically generate certificate with default values option 6 Provide the following information for the certificate Country Define the Country used in the Self Signed Certificate By default the Country is US The fiel...

Page 463: ...l address used as the contact address for issues relating to this certificate request FQDN Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy absolutely To distinguish an FQDN from a regular domain name a trailing period is added ex somehost example com An FQDN differs from a regular domain name by its absoluteness as...

Page 464: ...the newly created self signed certificate If you selected to prepare a certificate request in the page 2 the wizard continues prompting the user for the required information to complete the certificate request Click Next to continue 9 Check the Copy the certificate request to clipboard option to add the contents of the certificate request to the clipboard which can then be copied to other location...

Page 465: ...stpoint properties To Use the To field to define whether the target certificate is to be sent to the system s local disk Local Disk or to an external server Server File Specify a filename for the certificate to be save as on the target server or local disk Using Use the Using drop down menu to configure whether the log file transfer is sent using FTP or TFTP IP Address Specify the server IP Addres...

Page 466: ... 2 Select and use the Delete trustpoint and all certificates inside it drop down menu to define the target trustpoint for removal 3 Select and use the Remove certificates from this trustpoint drop down menu define the trustpoint that will have either its Server Certificate or CA Root Certificate removed 4 Click the Next button to proceed and complete the trustpoint removal ...

Page 467: ...e list of keys available to the switch For more information see Adding a New Key on page 6 115 5 Select the Delete All Keys options to delete all of the keys displayed 6 Click on Transfer Keys to archive the keys to a user specified location For more information see Transferring Keys on page 6 116 6 9 2 1 Adding a New Key If none of the keys listed within the Keys tab are suitable for use with a c...

Page 468: ...tion is available if problems are encountered with the switch and the data needs to be retreived 1 Select Security Server Certificate from the main menu tree 2 Click the Keys Tab 3 Highlight a target file and select the Transfer Keys button 4 Use the From drop down menu to specify the location from which the log file is sent If only the applet is available as a transfer location use the default sw...

Page 469: ...ocal server 13 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 14 Click the Transfer button when ready to move the target file to the specified location Repeat the process as necessary to move each desired log file to the specified location 15 Click the A...

Page 470: ...tion is gathered to locate a particular rogue AP Refer to Editing AP Settings on page 4 95 to enable an AP to forward beacons and association information for AP radios to detect a rouge The switch is provided with a set of 802 11a and 802 11bg radio specific channels The switch radio scans scan each channel to detect the potential existence or rogues operating on the configured channel On completi...

Page 471: ...Allowed Displays the channels available to the AP The channel list is country specific and differs from country to country Add Select a channel frequency and click the Add button to include the channel to the Configured list box You can select multiple channels and add them to the Configured list box Press the Ctrl button and use the mouse to select multiple channels The switch uses an 802 11a rad...

Page 472: ...es the rogue MU and displays its location within a Motorola Solutions RFMS maintained site map To configure enhanced beacons 1 Select Security Enhanced Probe Beacon Table from the main menu tree Allowed Displays all the channels available to the AP The channel list is country specific and differs from country to country Add Select a channel frequency and click the Add button to include the channel...

Page 473: ...0 802 11a Radios Click the Disable button to stop AP s 802 11a radios from forwarding MU probe requests to the switch 11 802 11bg Radios Click the Enable button to allow the AP s 802 11bg radios to receive MU probe requests and forward them to the switch 12 802 11bg Radios Click the Disable button to stop AP s 802 11bg radios from forwarding MU probe requests to the switch 13 Click Apply to save a...

Page 474: ... channel scan The information displayed within the Probes Found tab is read only with no user configurable parameters To view the enhanced beacons table report 1 Select Security Enhanced Probe Beacon Table from the main menu tree Portal MAC Displays the MAC address of the unadopted AP detected by the enhanced beacon supported AP Rogue AP MAC Displays the MAC address of the enhanced beacon supporte...

Page 475: ...ta calculation Portal MAC Displays the MAC address of the unadopted MU picked detected by the Enhanced Probes enabled AP MU MAC Displays the MAC address of the Enhanced Probe detected MU Signal Strength dBm Displays the signal strength when the unadopted MU was detected Heard Channel Displays the channel frequency used when the unadopted MU was detected Heard Time Displays the time the unadopted M...

Page 476: ...6 124 WiNG 4 4 Switch System Reference Guide ...

Page 477: ...ing switch management activities Displaying the Management Access Interface Configuring Access Control Configuring SNMP Access Message Parameters Configuring SNMP Trap Receivers Creating and Managing Users NOTE HTTPS must be enabled to access the switch applet Ensure HTTPS access has been enabled before using the login screen to access the switch applet ...

Page 478: ... the effected screen is closed without informing the user their change was successful However if an error were to occur the error displays within the effected screen s Status field and the screen remains displayed In the case of file transfer operations the transfer screen remains open during the transfer operation and remains open upon completion with status displayed within the Status field Firm...

Page 479: ...be active at a time This option is disabled not selected by default Enable Telnet Select this checkbox to allow the switch to use a Telnet session for communicating over the network This setting is enabled by default Port Define the port number used for the Telnet session with the switch This field is enabled as long as the Enable Telnet option remains enabled The default port is port 23 Enable SN...

Page 480: ...hose credentials are used for the FTP session Password If FTP is enabled a password is required for the user specified in the Username field to use the switch with the FTP interface Root Dir Define the root directory where the FTP server is located if using FTP Click the Magnifying Glass icon to display a Select Directory File screen useful in selecting the root directory If necessary a new direct...

Page 481: ...ves the same function used in SNMPv1 but uses a different message format and is designed to replace a SNMPv1 Trap Refer to the v1 v2c screen for information on existing SNMP v1 v2 community names and their current access control settings Community names can be modified by selecting a community name and clicking the Edit button To review existing SNMP v1 v2 definitions CAUTION Your system must be r...

Page 482: ... be changed appropriately to match a new naming and user requirement used by the management software To modify an existing SNMP v1 v2 Community Name and Access Control setting 1 Select Management Access SNMP Access v1 v2 from the main menu tree 2 Select an existing Community Name from those listed and click the Edit button Community Name Displays the read only or read write name used to associate ...

Page 483: ...e transaction between the applet and the switch 7 Click Cancel to return back to the SNMP v1 v2 screen without implementing changes 7 3 2 Configuring SNMP v3 Access SNMP Version 3 SNMPv3 adds security and remote configuration capabilities to previous versions The SNMPv3 architecture introduces the User based Security Model USM for message security and the View based Access Control Model VACM for a...

Page 484: ... Protocol is the existing protocol for the User Profile The Authentication Protocol is not an editable option The Privacy Protocol is the existing protocol for the User Profile The Privacy Protocol is also not an editable option 4 Enter the Old Password used to grant Authentication Protocol and Privacy Protocol permissions for the User Profile 5 Enter the New Password then verify the new password ...

Page 485: ...del and their values To edit an SNMP v3 user profile 1 Select Management Access SNMP Access from the main menu tree 2 Select the Statistics tab from within the SNMP Access screen 3 Refer to the following read only statistics displayed within the SNMP Access Statistics screen V2 V3 Metrics Displays the individual SNMP Access events capable of having a value tracked for them The metrics range from g...

Page 486: ...odule then verifies authentication data For outgoing messages the USM module encrypts PDUs and generates authentication data The module then passes the PDUs to the message processor which then invokes the dispatcher The USM module s implementation of the SNMP USER BASED SM MIB enables SNMP to issue commands to manage users and security keys The MIB also enables the agent to ensure a requesting use...

Page 487: ...nd view a brief description that may help your decision Use Expand all items to explode each trap category and view all the traps that can be enabled Traps can either be enabled by group or as individual traps within each parent category To configure SNMP trap definitions 1 Select Management Access SNMP Trap Configuration from the main menu tree 2 Select the Allow Traps to be generated checkbox to...

Page 488: ...p options specific to the NSM configuration option Select an individual trap within this subsection and click the Enable button to enable this specific trap or highlight the NSM trap family parent item and click Enable all sub items to enable all traps within the NSM category Mobility Displays a list of sub items trap options specific to the Mobility configuration option Select an individual trap ...

Page 489: ...ion button to launch a dialogue where you can configure outgoing E mail servers and addresses for alerts 3 Check the Enable SMTP box to enable the outgoing mail server on the switch In order to use E mail notification on the switch this box must be checked Configure the SMTP mail server properties as follows Name Enter the hostname of your outgoing SMTP mail server This is the server that is used ...

Page 490: ... values and units of measurement To Address es Specify an e mail address or addresses that notifications will be sent to To add an e mail address to the list enter the email address in the To Address es field and click the Add button There is a maximum of 4 e mail addresses allowed on the list Add Click the Add button to add an e mail address that is in the To Address es field to the list below Re...

Page 491: ...ld value for associated MUs Use the Threshold Name and Threshold Conditions as input criteria to define an appropriate Threshold Value unique to the MUs within the network For information on specific values see Wireless Trap Threshold Values on page 7 16 Threshold values for AP Set a threshold value for adopted APs Use the Threshold Name and Threshold Conditions as input criteria to define an appr...

Page 492: ... decimal numberlessthan 0 00andgreater than or equal to 120 00 A decimal number less than 0 00 and greater than or equal to 120 00 A decimal numberless than 0 00andgreater than or equal to 120 00 N A dBm 5 Non Unicast Packets Greater than A decimal number greater than 0 00 and less than or equal to 100 00 A decimal number greater than 0 00 and lessthanorequal to 100 00 A decimal number greater tha...

Page 493: ... address port and v2c or v3 trap designation within the Edit screen For more information see Editing SNMP Trap Receivers on page 7 18 4 Highlight an existing Trap Receiver and click the Delete button to remove the Trap Receiver from the list of available destinations available to receive SNMP trap information Remove Trap Receivers as needed if the destination address information is no longer avail...

Page 494: ...nger a valid address If it is still a valid IP address consider clicking the Add button from within the SNMP Trap Receivers screen to add a new address without overwriting this existing one 4 Define a Port Number for the trap receiver 5 Use the Protocol Options drop down menu to specify the trap receiver as either a SNMP v2c or v3 receiver 6 Click OK to save and add the changes to the running conf...

Page 495: ...tocol Options drop down menu to specify the trap receiver as either a SNMP v2c or v3 receiver 6 Click OK to save and add the changes to the running configuration and close the dialog 7 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch 8 Click Cancel to clos...

Page 496: ... administrative privileges assigned to users create a new user and configure the associated roles and access modes assigned to each user To configure the attributes of Local User Details 1 Select Management Access Users from the main menu tree 2 Click the Local Users tab The Local User window consists of 2 fields Users Displays the users currently authorized to use the switch By default the switch...

Page 497: ...ions Monitor Select Monitor to assign regular user permissions without any administrative rights The Monitor option provides read only permissions Help Desk Manager Assign this role to someone who typically troubleshoots and debugs problems reported by the customer The Help Desk Manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboo...

Page 498: ... can perform Help Desk role operations NOTE By default the switch is HTTPS enabled with a self signed certificate This is required since the Web UI uses HTTPS for user authentication Console This option provides the new user access to the switch using the console SSH This option provides the new user access to the switch using SSH Telnet This option provides the new user access to the switch using...

Page 499: ...ator Assign Web User Administrator privileges if necessary to add users for Web authentication hotspot Super User Select Super User if necessary to assign complete administrative rights NOTE By default the switch is HTTPS enabled with a self signed certificate This is required since the applet uses HTTPS for user authentication NOTE There are some basic operations CLI commands like exit logout and...

Page 500: ... again in the Confirm Password field 5 Assign the guest admin WebUser Administrator access When the guest admin user logs in they are redirected to a Guest User Configuration screen wherein start and end user permissions can be defined in respect to specific users 6 Add guest users by name start date and time expiry date and time and user group 7 Optionally click the Generate button to automatical...

Page 501: ...nfigured for switch authentication The servers are listed in order of their priority NOTE The Radius configuration described in this section is independent of other Radius Server configuration activities performed using other parts of the switch Preferred Method Select the preferred method for authentication Options include None No authentication Local The user employs a local user authentication ...

Page 502: ...erver 1 Select Management Access Users from the main menu tree The Users screen displays 2 Click on the Authentication tab 3 Select an existing Radius Server from those listed and click the Edit button at the bottom of the screen Port Displays the TCP IP port number for the Radius Server The port range available for assignment is from 1 65535 Shared Secret Displays the shared secret used to verify...

Page 503: ...ical Index value for the Radius Server to help distinguish this server from other servers with a similar configuration if necessary The maximum number that can be assigned is 32 Radius Server IP Address Modify the IP address of the external Radius server if necessary Ensure this address is a valid IP address and not a DNS name Radius Server Port Change the TCP IP port number for the Radius Server ...

Page 504: ...ss Provide the IP address of the external Radius server Ensure this address is a valid IP address and not a DNS name Radius Server Port Enter the TCP IP port number for the Radius Server The port range available for assignment is from 1 65535 Number of retries to communicate with Radius Server Enter the maximum number of times for the switch to retransmit a Radius Server frame before it times out ...

Page 505: ...plication access Superuser Role Value is 32768 grants full read write access to the switch Note To configure multiple roles this value may configured multiple times with different values for each role Symbol Login Service 100 Integer Decimal Console Access Value is 128 user is allowed to login only from console Telnet Access Value is 64 use is allowed to login only from telnet session SSH Access V...

Page 506: ...7 30 WiNG 4 4 Switch System Reference Guide ...

Page 507: ... the Applet Configuring a Ping NOTE HTTPS must be enabled to access the switch applet Ensure HTTPS access has been enabled before using the login screen to access the switch applet NOTE The Motorola Solutions RF Management Software is a recommended utility to plan the deployment of the switch and view its configuration once operational Motorola Solutions RFMS can help optimize the positioning and ...

Page 508: ...lays the following fields Settings Temperature Sensors Fans 4 In the Settings field select the Enable Diagnostics checkbox to enable disable diagnostics and set the monitoring interval The monitoring interval is the interval the switch uses to update the information displayed within the CPU NOTE When the switch s configuration is successfully updated using the Web UI the effected screen is closed ...

Page 509: ...1 2 CPU Performance Use the CPU tab to view and define the CPU s load statistics Load limits can be assessed for the last one minute five minutes and 15 minutes to better gauge switch loads over differing periods of network activity 1 Select Diagnostics from the main tree menu 2 Select the CPU tab 3 The CPU screen consists of 2 fields Load Limits CPU Usage NOTE Enabling switch diagnostics is recom...

Page 510: ...s 7 Click the Revert button to revert back to the last saved configuration 8 1 3 Switch Memory Allocation Use the Memory tab to periodically assess the switch s memory load 1 Select Diagnostics from the main tree menu 2 Select the Memory tab The Memory tab is partitioned into the following two fields RAM Buffer 3 Refer to the RAM field to view the percentage of CPU memory in use in a pie chart for...

Page 511: ...of the switch flash nvram and system disk resources Each field displays the following Free Space Limit Free INodes Free INode Limit 4 Define the Free Space Limit variable carefully as disk space may be required during periods of high bandwidth traffic and file transfers 5 Click the Apply button to commit and apply the changes 6 Click the Revert button to revert back to the last saved configuration...

Page 512: ... periods of switch activity 5 Processes by highest memory consumption displays a graph of the top ten switch processes based on memory consumption Use this information to determine if a spike in consumption with the switch priorities in processing data traffic within the switch managed network 6 Click the Apply button to commit and apply any changes to the memory usage limit 7 Click the Revert but...

Page 513: ... switch managed network 3 Define the maximum limit for each resource accordingly as you expect these resources to be utilized within the switch managed network 4 Click the Apply button to commit and apply any changes to any of the resources maximum limit 5 Click the Revert button to revert back to the last saved configuration ...

Page 514: ...ng to Buffer checkbox to enable the switch to log system events to a buffer The log levels are categorized by their severity The default level is 3 errors detected by the switch However more granular log levels can be selected for system level information detected by the switch that may be useful in assessing overall switch performance or troubleshooting 5 Select the Enable Logging to Console chec...

Page 515: ...system events are logged 0 60 seconds The shorter the interval the sooner the event is logged 8 Click Apply to save the changes made to the screen This will overwrite the previous configuration 9 Click the Revert button to move the display back to the last saved configuration 8 2 2 File Management Use the File Mgt tab to view existing system logs Select a file to display its details in the Preview...

Page 516: ...ferring Log Files on page 8 12 8 2 2 1 Viewing the Entire Contents of Individual Log Files Motorola Solutions recommends the entire contents of a log file be viewed to make an informed decision whether to transfer the file or clear the buffer The View screen provides additional details about a target file by allowing the entire contents of a log file to be reviewed To display the entire contents o...

Page 517: ...le was initiated not the time it was modified or appended Module Displays the name of the switch logging the target event This metric is important for troubleshooting issues of a more serious priority as it helps isolate the switch resource detecting the problem Severity The Severity level coincides with the logging levels defined within the Log Options tab Use these numeric identifiers to assess ...

Page 518: ...ect a target file for transfer from the File drop down menu The drop down menu contains the log files listed within the File Mgt screen 6 Use the To drop down menu within the Target field to define whether the target log file is to be sent to the system s local disk Local Disk or to an external server Server 7 Provide the name of the file to be transferred within the File parameter Ensure the file...

Page 519: ...sfer button when ready to move the target file to the specified location Repeat the process as necessary to move each desired log file to the specified location 14 If a problem condition is discovered during the file transfer click the Abort button to terminate the transfer 15 Refer to the Status field for the current state of the requests made from applet This field displays error messages if som...

Page 520: ...everity of the core snapshot has been assessed 4 Click the Transfer Files button to open the transfer dialogue to enable a file to be copied to another location For more information on transferring core snapshots see Transferring Core Snapshots on page 8 14 8 3 1 Transferring Core Snapshots Use the Transfer screen to define a source for transferring core snapshot files to a secure location for pot...

Page 521: ...the target log file 9 If Server has been selected as the source enter the User ID credentials required to send the file to the target location Use the user ID for FTP transfers only 10 If Server has been selected as the source enter the Password required to send the file to the target location using FTP 11 Specify the appropriate Path to the target directory on the local system disk or server as c...

Page 522: ...iew of the panic 4 Select a target panic file and click the Delete button to remove the file 5 Select a target panic file and click the View button to open a separate viewing screen to display the panic information in greater detail For more information see Viewing Panic Details on page 8 17 6 Click the Transfer Files button to open the transfer dialogue to transfer the file to another location Fo...

Page 523: ...ilable and click the Transfer button 3 Use the From drop down menu to specify the location from which the file is sent If only the applet is available as a transfer location use the default switch option 4 Select a file for the file transfer from the File drop down menu The drop down menu contains the panic files listed within the File Mgmt screen 5 Use the To drop down menu within the Target fiel...

Page 524: ... the target location 11 Specify the appropriate path name to the target directory on the local system disk or server as configured using the To parameter If local server is selected use the Browse button to specify a location on your local machine 12 Refer to the Status field for the current state of the requests made from applet This field displays error messages if something goes wrong in the tr...

Page 525: ...the file location where you wish to store the log message 4 Select the Use SNMP V2 only checkbox to use SNMP v2 to debug the applet Check whether you have access to SNMP v2 by clicking on the Test SNMP V2 access button If SNMP v2 access is available the test icon will change from grey to green indicating the SNMPv2 interface is viable on the switch 5 Select the severity of the message you wish to ...

Page 526: ...e categories when bugs are raised Select the checkboxes corresponding to the message types you would like to receive Each message category is enabled by default Click the Simple button to minimize this area and hide the available message categories b Click the All Messages button to select all the message categories c Click the No Messages button if you do not want to select any of the message cat...

Page 527: ...t button For more information see Modifying the Configuration of an Existing Ping Test on page 8 22 Description Displays the user assigned description of the ping test The name is read only Use this title to determine whether this test can be used as is or if a new ping test is required Destination IP Displays the IP address of the target device This is the numeric destination for the device sent ...

Page 528: ...ade from applet This field displays error messages if something goes wrong in the transaction between the applet and the switch Description If necessary modify the description for the ping test Ensure this description is representative of the test as this is the description displaying within the Configuration tab Destination IP If necessary modify the IP address of the target device This is the nu...

Page 529: ...ll function of the test Description Ensure the description is representative of the test as this is the description displaying within the Configuration tab Destination IP Enter the IP address of the target device This is the numeric non DNS address destination for the device transmitted the ping packets No of Probes Define the number of ping packets transmitted to the target device This value repr...

Page 530: ...ection to either extend the switch s existing radio coverage area or provide support for additional MUs within an existing network segment To view ping test statistics 1 Select Diagnostics Ping from the main menu 2 Select the Statistics tab 3 Refer to the following content within the Statistics tab to assess the connection with the target device Destination IP Displays the numeric non DNS address ...

Page 531: ... its most congested for the two devices Average RTT Displays the average round trip time for ping packets transmitted between the switch and its destination IP address Use this value as a general baseline along with packets sent vs packets received for the overall connection and association potential between the switch and target device Last Response Displays the time in seconds the switch last he...

Page 532: ...8 26 WiNG 4 4 Switch System Reference Guide ...

Page 533: ...gion click on the appropriate link under Support for Business When contacting Enterprise Mobility support please provide the following information Serial number of the unit Model number or product name Software type and version number Motorola Solutions responds to calls by e mail telephone or fax within the time limits set forth in support agreements If you purchased your Enterprise Mobility busi...

Page 534: ...port Web Site Motorola Solutions Support Central Web site accessed via the Symbol branded products link under Support for Business provides information and online assistance including developer tools software downloads product manuals and online repair requests ...

Page 535: ...ed a new SKU the AP7131N USO that can be used both indoors and outdoors While operating outdoors the new SKU can only operate on channels 52 64 The SKU AP7131N US will no longer work when the selected placement is outside By default the two SKUs AP7131N US and AP7131USO will operate on the following channels 52 64 110 116 136 140 when operating indoors for the SKUs AP7131N US and AP7131N USO 52 64...

Page 536: ...A 4 WiNG 4 4 Switch System Reference Guide ...

Page 537: ... can be discovered using one of the following mechanisms DHCP Switch fully qualified domain name FQDN Static IP addresses The benefits of an AAP deployment include Centralized Configuration Management Compliance Wireless configurations across distributed sites can be centrally managed by the wireless switch or cluster WAN Survivability Local WLAN services at a remote sites are unaffected in the ca...

Page 538: ...DHCP NAT Firewall etc cannot be configured from the switch and must be defined using the Access Point s resident interfaces before its conversion to an AAP B 1 3 Types of Adaptive APs Two low priced AP 5131 SKU configurations are being introduced allowing customers to take advantage of the adaptive AP architecture and to reduce deployment costs These dependent mode AP configurations are a software...

Page 539: ...nction as an AAP regardless of mode it needs to connect to a switch to receive its configuration There are two methods of switch discovery Auto Discovery using DHCP Manual Adoption Configuration B 1 5 1 Auto Discovery using DHCP Extended Global Options 189 190 191 192 can be used or Embedded Option 43 Vendor Specific options can be embedded in Option 43 using the vendor class identifier For AAP 2 ...

Page 540: ...ecuring a Configuration Channel Between Switch and AP Once an Access Point obtains a list of available switches it begins connecting to each The switch can be either on the LAN or WAN side of the Access Point to provide flexibility in the deployment of the network If the switch is on the Access Point s LAN ensure the LAN subnet is on a secure channel The AP will connect to the switch and request a...

Page 541: ...f a switch failure an AAP s independent WLAN continues to operate without disruption The AAP attempts to connect to other switches if available in background Extended WLANs are disabled once switch adoption is lost When a new switch is discovered and a connection is secured an extended WLAN can be enabled If a new switch is located the AAP synchronizes its configuration with the located switch onc...

Page 542: ...o to Network Access Port Radios and click on the Global Settings button 2 Uncheck the Adopt Unconfigured Radios Automatically option to prevent the switch from automatically adopting new APs when they are connected to the switch 3 Configure the client bridge back haul WLAN base bridge and client bridge radios on the switch using the Command Line Interface CLI commands listed below Client Bridge Ba...

Page 543: ...e However when the Adaptive AP is adopted over a WAN link the Radius Server IP Address will be an internal address which is non routable over the Internet To access the Radius server s non routable IP address over the WAN you have the option to configure Adaptive AP Radius Proxying for the WLAN When this flag is enabled the Adaptive AP is reconfigured to send all RADIUS traffic to the switch and t...

Page 544: ...B 12 WiNG 4 4 Switch System Reference Guide ...

Page 545: ...02 1q trunk port on the wired switch Be aware IPSec Mode supports NAT Traversal NAT T B 2 2 Extended WLANs Only An extended WLAN configuration forces all MU traffic through the switch No wireless traffic is locally bridged by the AAP Each extended WLAN is mapped to the Access Point s virtual LAN2 subnet By default the Access Point s LAN2 is not enabled and the default configuration is set to stati...

Page 546: ...red network There is no special configuration required with the exception of setting the mesh and using it within one of the two extended VLAN configurations NOTE The mesh backhaul WLAN must be an independent WLAN mapped to LAN2 The switch enforces the WLAN be defined as an independent WLAN by automatically setting the WLAN to independent when backhaul is selected The AP ensures the backhaul WLAN ...

Page 547: ... connect the adaptive to the switch B 3 2 Configuring the Adaptive AP for Adoption by the Switch 1 An AAP needs to find and connect to the switch To ensure this connection Configure the switch s IP address on the AAP Provide the switch IP address using DHCP option 189 on a DHCP server The IP address is a comma delimited string of IP addresses For example 157 235 94 91 10 10 10 19 There can be a ma...

Page 548: ...ess Port Optionally configure WLANs as independent and assign to AAPs as needed 3 Configure each VPN tunnel with the VLANs to be extended to it If you do not attach the target VLAN no data will be forwarded to the AAP only control traffic required to adopt and configure the AP NOTE For additional information in greater detail on the switch configuration activities described above see Switch Config...

Page 549: ...d in the sections that follow B 4 1 1 Adopting an Adaptive AP Manually To manually enable the Access Point s switch discovery method and connection medium required for adoption 1 Select System Configuration Adaptive AP Setup from the Access Point s menu tree 2 Select the Auto Discovery Enable checkbox Enabling auto discovery will allow the AAP to be detected by a switch once its connectivity mediu...

Page 550: ...ch by providing the following options in the DHCP Offer B 4 2 Switch Configuration A Motorola Solutions RF Switch running firmware version 3 1 or later requires an explicit adaptive configuration to adopt an Access Point if IPSec is not being used for adoption The same licenses currently used for AP300 adoption can be used for an AAP Disable the switch s Adopt unconfigured radios automatically opt...

Page 551: ...P 5 Select Network Wireless LANs from the switch main menu tree 6 Select the target WLAN you would like to use for AAP support from those displayed and click the Edit button 7 Select the Independent Mode AAP Only checkbox Selecting the checkbox designates the WLAN as independent and prevents traffic from being forwarded to the switch Independent WLANs behave like WLANs as used on a a standalone Ac...

Page 552: ...ally a WLAN can be defined as independent using the wlan index independent command from the config wireless context Switch Note For AAP to work properly with RFS7000 you need to have indepen dent and extended WLANs mapped to a different VLAN than the ge port ...

Page 553: ...e WLAN used for mesh backhaul must always be an independent WLAN The switch configures an AAP If manually changing wireless settings on the AP they are not updated on the switch It s a one way configuration from the switch to the AP An AAP always requires a router between the AP and the switch An AAP can be used behind a NAT An AAP uses UDP port 24576 for control frames and UDP port 24577 for data...

Page 554: ...RFS6000 1 snmp server manager v2 snmp server manager v3 snmp server user snmptrap v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b snmp server user snmpmanager v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b snmp server user snmpoperator v3 encrypted auth md5 0x49c451c7c6893ffcede0491bbd0a12c4 To configure the passkey for a Remote VPN Peer 255 255 255 255 denotes all AAPs 12345678...

Page 555: ...s an independent WLAN wlan 5 independent wlan 5 client bridge backhaul enable wlan 6 enable wlan 6 ssid test mesh wlan 6 vlan 250 radio add 1 00 15 70 00 79 30 11bg aap5131 radio 1 bss 1 3 radio 1 bss 2 4 radio 1 bss 3 2 radio 1 channel power indoor 11 8 radio 1 rss enable radio add 2 00 15 70 00 79 30 11a aap5131 radio 2 bss 1 5 radio 2 bss 2 1 radio 2 bss 3 2 radio 2 channel power indoor 48 8 ra...

Page 556: ...form and set to the Crypto Map crypto map AAP CRYPTOMAP 10 ipsec isakmp set peer 255 255 255 255 match address AAP ACL set transform set AAP TFSET interface ge1 switchport mode trunk switchport trunk native vlan 1 switchport trunk allowed vlan none switchport trunk allowed vlan add 1 9 100 110 120 130 140 150 160 170 switchport trunk allowed vlan add 180 190 200 210 220 230 240 250 static channel ...

Page 557: ...10 120 130 140 150 160 170 switchport trunk allowed vlan add 180 190 200 210 220 230 240 250 interface vlan1 ip address dhcp To attach a Crypto Map to a VLAN Interface crypto map AAP CRYPTOMAP sole ip route 157 235 0 0 16 157 235 92 2 ip route 172 0 0 0 8 157 235 92 2 ntp server 10 10 10 100 prefer version 3 line con 0 line vty 0 24 end ...

Page 558: ...B 26 WiNG 4 4 Switch System Reference Guide ...

Page 559: ...eshooting information and workaround to known conditions the user may encounter Wherever possible it includes possible suggestions or solutions to resolve the issues It is divided into the following section General Troubleshooting Troubleshooting SNMP Issues Security Issues ...

Page 560: ...ble below provides suggestions to troubleshoot this issue C 1 1 2 Switch Does Not Obtain an IP Address through DHCP A Motorola Solutions RF Series Switch requires a routable IP address for the administrator to manage it via Telnet SSH or a Web browser The table below provides suggestions to troubleshoot this issue Possible Problem Suggestions to Correct Switch has no power Verify power cables fuse...

Page 561: ...not configured for a static IP on the port All else Contact Motorola Solutions Support Possible Problem Suggestions to Correct Telnet is not enabled and or SSH is disabled Verify that Telnet or SSH are enabled by using the CLI or Web UI By default telnet is disabled Max sessions have been reached Maximum allowed sessions is 8 concurrent users connected to a switch Verify that the threshold has not...

Page 562: ...ava Cannot access Web UI through a Firewall To successfully access the switch Web UI through a firewall UDP port 161 must be open in order for the switch s SNMP back end to function All else Contact Motorola Solutions Support Possible Problem Suggestions to Correct Cabling issue Ensure that a console cable is connected from the console port to the host computer s serial port Not using a terminal e...

Page 563: ...not allow Access Port adoption verify that Access Port adoption is not set to deny Ensure that the Access Port adoption policy is added with a WLAN Access Port is on Exclude List Verify the Motorola Solutions RF Series Switch ACL adoption list does not include the Access Ports that are not being adopted Miscellaneous other issues With a packet sniffer look for 8375 broadcast packets Reset the Moto...

Page 564: ...h the MU is trying to associate All else Contact Motorola Solutions Support Possible Problem Suggestions to Correct Preamble differences Verify that the preamble type matches between switch and MUs Try a different setting Device key issues Verify in Syslog that there is not a high rate of decryption error messages This could indicate that a device key is incorrect MU is not in Adopt List Verify th...

Page 565: ...congestion with data traffic Maintain voice and data traffic on separate WLANs Use a QoS Classifier to provide dedicated bandwidth if data and voice traffic are running on the same WLAN Long preamble not used on Spectralink phones Verify that a long preamble is used with Spectralink phones Possible Problem Suggestions to Correct Fragmentation Do not allow VoIP traffic when operating on a flat netw...

Page 566: ...Solutions RF Series Switch provides subsystem logging to a Syslog server There are two Syslog systems local and remote Local Syslog records system information locally on the switch The remote Syslog sends messages to a remote host All Syslog messages conform to the RFC 3164 message format ...

Page 567: ...ich has the MIB Browser Check if the community string is the same at the agent side and the manager MIB Browser side The community name is case sensitive C 2 3 MIB not visible in the MIB browser The filename mib file should be first compiled using a MIB compiler which creates a smidb file This file must be loaded in the MIB browser C 2 4 SNMP SETs not working Check to see if environment variables ...

Page 568: ...aultPassword User Access Verification Username restore Password restoreDefaultPassword WARNING This will wipe out the configuration except license key and user data under flash and reboot the device Do you want to continue y n 3 Press Y to delete the current configuration and reset factory defaults The switch will login into the Web UI with its reverted default configuration If you had exported th...

Page 569: ... set to use the on board local Radius server by entering the local IP address or the switch management VLAN IP address C 3 2 3 Radius Server is rejecting the user Ensure the following have been attempted Verify a SAVE was done after adding this user Is the user present in a group If yes check if the WLAN being accessed is allowed on the group Check if time of access restrictions permit the user C ...

Page 570: ...ing configuration matches that of external RADIUS Accounting Server Verify that the shared secret being configured on accounting configuration matches that of external RADIUS Accounting Server C 3 3 Troubleshooting RADIUS Accounting Issues Use the following guidelines when configuring RADIUS Accounting The RADIUS Accounting records are supported for clients performing 802 1X EAP based authenticati...

Page 571: ...Rogue AP status as enable and should also the status of the configured detection scheme Check for the Motorola AP flag in rulelist context If it is set to enable then all the detected APs will be added in approved list context Check for Rulelist entries in the rulelist context Verify it does not have an entry with MAC as FF FF FF FF FF FF and ESSID as If you have enabled AP Scan ensure that at lea...

Page 572: ... trusted side is not able to connect to a Wireless Host Host 2 or Wired Host Host 3 on the untrusted side 1 Check that IP Ping from Host1 to the Interface on the Untrusted Side of the switch works 2 If it works then there is no problem in connectivity 3 Now check whether Host 1 and Host 2 Host 3 are on the same IP subnet If not add proper NAT entries for configured LANs under FireWall context 4 On...

Page 573: ...C 15 5 Associate WLAN and Network Policy to the active Access Port Policy Any request matching the configured criteria should take the action configured in the Classification Element ...

Page 574: ...C 16 WiNG 4 4 Switch System Reference Guide ...

Page 575: ...oduct you may send a request in writing to MOTOROLA SOLUTIONS INC OSS Management 600 North US Hwy 45 Libertyville IL 60048 USA The Motorola Solutions Website http opensource motorola com also contains information regarding Motorola Solutions use of open source This document contains information regarding licenses acknowledgments and required copyright notices for open source packages used in this ...

Page 576: ...ropbear html Drop Bear License e2fsprogs 1 40 11 http e2fsprogs sourceforge net GNU General Public License 2 0 gcc 4 1 2 http gcc gnu org GNU General Public License 2 0 gdb 6 8 http www gnu org software gdb GNU General Public License 2 0 genext2fs 1 4 1 http genext2fs sourceforge net GNU General Public License 2 0 glibc 2 7 http www gnu org software libc GNU General Public License 2 0 hostapd 0 6 ...

Page 577: ... General Public License 2 0 openssl 0 9 8j http www openssl org Open SSL License openwrt truck r15025 http www openwrt org GNU General Public License 2 0 opkg truck r4564 http code google com p opkg GNU General Public License 2 0 pkg config 0 22 http pkg config freedesktop org wiki GNU General Public License 2 0 ppp 2 4 3 http ppp samba org ppp BSD Style Licenses quilt 0 47 http savannah nongnu or...

Page 578: ...p www kernel org pub linux utils kernel hotplug GNU General Public License 2 0 wireless_tool s r29 http www hpl hp com personal Jean_Tourrilhes Linux Tools html GNU General Public License 2 0 zlib 1 2 3 http www zlib net ZLIB License Name Version URL License ...

Page 579: ... fee you must give the recipients all the rights that you have You must make sure that they too receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two steps 1 copyright the software and 2 offer you this license which gives you legal permission to copy distribute and or modify the software Also for each author s protection and...

Page 580: ... that users may redistribute the program under these conditions and telling the user how to view a copy of this License Exception if the Program itself is interactive but does not normally print such an announcement your work based on the Program is not required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived f...

Page 581: ...m the original licensor to copy distribute or modify the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties to this License 7 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited ...

Page 582: ...EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 12 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT...

Page 583: ...a free program by obtaining a restrictive license from a patent holder Therefore we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the GNU Lesser General Public License applies to certain design...

Page 584: ... such a program is covered only if its contents constitute a work based on the Library independent of the use of the Library in a tool for writing it Whether that is true depends on what the Library does and what the program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously ...

Page 585: ...ne readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange If distribution of object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code even though third parties are no...

Page 586: ...red form of the work that uses the Library must include any data and utility programs needed for reproducing the executable from it However as a special exception the materials to be distributed need not include anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that c...

Page 587: ...hat is believed to be a consequence of the rest of this License 12 If the distribution and or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is permitted only in or among...

Page 588: ...UTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN...

Page 589: ...ttp www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NO...

Page 590: ...HEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms for any publicly available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution licence inclu...

Page 591: ...nland All rights reserved As far as I am concerned the code I have written for this software can be used freely for any purpose Any derived versions of this software must be clearly marked as such and if the derived work is incompatible with the protocol description in the RFC file it must be called by a name other than ssh or Secure Shell loginrec c loginrec h atomicio h atomicio c and strlcat in...

Page 592: ...NOT LIMITEDTOTHE WARRANTIESOF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSEANDNONINFRINGEMENT IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE ...

Page 593: ...se these commands to create an extended IP access list with the name BCMC CTRL VOICE From the config mode execute the following commands ip access list extended BCMC CTRL VOICE permit ip any host 224 0 0 1 rule precedence 20 permit tcp any any rule precedence 30 permit udp any eq 67 any eq bootpc rule precedence 40 deny ip any 224 0 0 0 4 rule precedence 50 deny udp any range 137 138 any range 137...

Page 594: ...ckets at a lower rate issue this command broadcast tx speed range throughput range use lowest basic rate Provides maximum range throughput use highest basic rate Provides maximum throughput default Depending on your requirement select the appropriate action to increase your performance E 4 Remove DFS channels from ACS Removing the Dynamic Frequency Selection DFS channels from your Automatic Channe...

Page 595: ...ction Engine Disable the stateful firewall inspection engine This increases the performance while there is a compromise on the level of security in the network To disable stateful packet inspection from the config context issue this command no firewall stateful packet inspection l2 E 8 Disable Cluster Master Support Disable cluster master support to stop synchronization of radio configuration amon...

Page 596: ...E 4 WiNG 4 4 Switch System Reference Guide ...

Page 597: ......

Page 598: ...U S A http www motorolasolutions com MOTOROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2012 Motorola Solutions Inc All Rights Reserved ...

Reviews:

No comments