manualshive.com logo in svg

Motorola WiNG 5.4.2, System Reference Manual, Page: 560 / 836

Share
Download
Motorola WiNG 5.4.2 System Reference Manual Download Page 560

10 - 12 WiNG 5.4.2 Access Point System Reference Guide 

10.6 Management Access Deployment Considerations

Before defining an access control configuration as part of a Management Access policy, refer to the following deployment 
guidelines to ensure the configuration is optimally effective:

• Unused management protocols should be disabled to reduce a potential attack.

• Use management interfaces providing encryption and authentication. Management services like HTTPS, SSH and SNMPv3 

should be used when possible, as they provide both data privacy and authentication.

• By default, SNMPv2 community strings on most devices are set to 

public

 for the read-only community string and 

private

 for 

the read-write community string. Legacy Motorola Solutions devices may use other community strings by default. 

• Motorola Solutions recommends SNMPv3 be used for device management, as it provides both encryption, and 

authentication.

• Enabling SNMP traps can provide alerts for isolated attacks at both small radio deployments or distributed attacks occurring 

across multiple sites.

Summary of Contents for WiNG 5.4.2

Page 1: ...Motorola Solutions WiNG 5 4 2 ACCESS POINT SYSTEM REFERENCE GUIDE ...

Page 2: ......

Page 3: ...MOTOROLA SOLUTIONS WING 5 4 2 ACCESS POINT SYSTEM REFERENCE GUIDE 72E 172112 01 Revision A February 2013 ...

Page 4: ...pyright law The user shall not modify merge or incorporate any form or portion of a licensed program with other program material create a derivative work from a licensed program or use a licensed program in a network without written permission from Motorola Solutions The user agrees to maintain Motorola Solution s copyright notice on the licensed programs delivered hereunder and to include the sam...

Page 5: ...n Glossary 2 4 2 2 1 Global Icons 2 4 2 2 2 Dialog Box Icons 2 5 2 2 3 Table Icons 2 5 2 2 4 Status Icons 2 6 2 2 5 Configurable Objects 2 6 2 2 6 Configuration Objects 2 9 2 2 7 Configuration Operation Icons 2 9 2 2 8 Access Type Icons 2 10 2 2 9 Administrative Role Icons 2 10 2 2 10 Device Icons 2 11 Chapter 3 Quick Start 3 1 Using the Initial Setup Wizard 3 2 3 1 1 Virtual Controller AP Mode 3 ...

Page 6: ...5 43 5 2 5 Profile Network Configuration 5 46 5 2 5 1 DNS Configuration 5 47 5 2 5 2 ARP 5 48 5 2 5 3 L2TPv3 Profile Configuration 5 50 5 2 5 4 IGMP Snooping 5 59 5 2 5 5 Quality of Service QoS 5 61 5 2 5 6 Spanning Tree Configuration 5 63 5 2 5 7 Routing 5 66 5 2 5 8 Dynamic Routing OSPF 5 68 5 2 5 9 Forwarding Database 5 75 5 2 5 10 Bridge VLAN 5 77 5 2 5 11 Cisco Discovery Protocol Configuratio...

Page 7: ...age Certificates 5 153 5 4 3 RF Domain Overrides 5 166 5 4 4 Profile Overrides 5 168 5 4 4 1 Radio Power Overrides 5 170 5 4 4 2 Adoption Overrides 5 172 5 4 4 3 Profile Interface Override Configuration 5 175 5 4 4 4 Overriding the Network Configuration 5 209 5 4 4 5 Overriding a Security Configuration 5 246 5 4 5 Overriding the Virtual Router Redundancy Protocol VRRP Configuration 5 264 5 4 5 1 O...

Page 8: ...nsiderations 6 91 6 7 MeshConnex Policy 6 92 6 8 Mesh QoS Policy 6 99 Chapter 7 Network configuration 7 1 Policy Based Routing PBR 7 2 7 2 L2TP V3 Configuration 7 8 7 3 Network Deployment Considerations 7 11 Chapter 8 Security Configuration 8 1 Wireless Firewall 8 2 8 1 1 Defining a Firewall Configuration 8 2 8 2 Configuring IP Firewall Rules 8 13 8 3 Configuring MAC Firewall Rules 8 16 8 4 Wirele...

Page 9: ...UI Logs 11 9 11 3 3 View Sessions 11 10 Chapter 12 Operations 12 1 Devices 12 2 12 1 1 Managing Firmware and Configuration Files 12 2 12 1 1 1 Managing Running Configuration 12 3 12 1 1 2 Managing Startup Configuration 12 6 12 1 1 3 Managing Crash Dump Files 12 9 12 1 2 Rebooting the Device 12 10 12 1 3 Locating the Device 12 11 12 1 4 Upgrading Device Firmware 12 12 12 1 5 Viewing Device Summary ...

Page 10: ...29 13 2 9 Mesh Point 13 30 13 2 10 SMART RF 13 41 13 2 11 WIPS 13 43 13 2 11 1 WIPS Client Blacklist 13 44 13 2 11 2 WIPS Events 13 45 13 2 12 Captive Portal 13 46 13 2 13 Historical Data 13 47 13 2 13 1 Viewing Smart RF History 13 47 13 3 Access Point Statistics 13 49 13 3 1 Health 13 49 13 3 2 Device 13 52 13 3 3 AP Upgrade 13 55 13 3 4 Adoption 13 57 13 3 4 1 Adopted APs 13 57 13 3 4 2 AP Adopt...

Page 11: ... Options 13 115 13 3 19 6 Cisco Discovery Protocol 13 116 13 3 19 7 Link Layer Discovery Protocol 13 118 13 3 20 DHCP Server 13 119 13 3 20 1 DHCP Bindings 13 121 13 3 20 2 DHCP Networks 13 123 13 3 21 Firewall 13 123 13 3 21 1 Packet Flows 13 124 13 3 21 2 Denial of Service 13 125 13 3 21 3 IP Firewall Rules 13 126 13 3 21 4 MAC Firewall Rules 13 128 13 3 21 5 NAT Translations 13 129 13 3 21 6 DH...

Page 12: ...ce Software Used B 1 B 2 1 Wireless Controller B 2 B 2 2 AP650 AP6532 B 5 B 2 3 AP51xx B 7 B 2 4 AP7131 B 8 B 3 OSS Licenses B 10 B 3 1 GNU General Public License 2 0 B 10 B 3 2 GNU Lesser General Public License 2 1 B 15 B 3 3 BSD Style Licenses B 21 B 3 4 MIT License B 22 B 3 5 WU FTPD License B 23 B 3 6 Open SSL License B 24 B 3 7 ZLIB License B 26 B 3 8 Open LDAP Public License B 27 B 3 9 Apach...

Page 13: ...ing Document Convention Notational Conventions Motorola Solutions Enterprise Mobility Support Center Motorola Solutions End User Software License Agreement NOTE In this guide AP7131 AP7161 and AP7181 are collectively represented as AP71XX NOTE ES6510 is an Ethernet Switch managed by a wireless controller such as RFS4000 RFS6000 RFS7000 NX9000 NX9500 NX9510 ES6510 does not have radios and does not ...

Page 14: ...nd related documents Bullets indicate lists of alternatives lists of required steps that are not necessarily sequential action items Sequential lists those describing step by step procedures appear as numbered lists NOTE Indicates tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING Indicates a condition or procedure that could result in pe...

Page 15: ...business partner contact that business partner for support Customer Support Web Site Motorola Solutions Support Central Web site accessed via the Symbol branded products link under Support for Business provides information and online assistance including developer tools software downloads product manuals and online repair requests Product support can be found at http www motorolasolutions com Busi...

Page 16: ...act of acceptance by the end user then that agreement supersedes this End User License Agreement as to the end use of that particular Product 2 GRANT OF LICENSE 2 1 Subject to the provisions of this End User License Agreement Motorola Solutions grants to End User Customer a personal limited non transferable except as provided in Section 4 and non exclusive license under Motorola Solutions copyrigh...

Page 17: ... at which End User Customer uses such Software End User Customer may make one additional copy for each computer owned or controlled by End User Customer at each such site End User Customer may temporarily use the Software on portable or laptop computers at other sites End User Customer must provide a written list of all sites where End User Customer uses or intends to use the Software 4 TRANSFERS ...

Page 18: ... which or for which the Software and Documentation have been provided by Motorola Solutions unless End User Customer breaches this End User License Agreement in which case this End User License Agreement and End User Customer s right to use the Software and Documentation may be terminated immediately by Motorola Solutions In addition if Motorola Solutions reasonably believes that End User Customer...

Page 19: ...ses of Action End User Customer must bring any action under this End User License Agreement within one year after the cause of action arises except that warranty claims must be brought within the applicable warranty period 11 7 Entire Agreement and Amendment This End User License Agreement contains the parties entire agreement regarding End User Customer s use of the Software and may be amended on...

Page 20: ...xvi WiNG 5 4 2 Access Point System Reference Guide ...

Page 21: ...everages the best aspects of independent and dependent architectures to create a smart network that meets the connectivity quality and security needs of each user and their applications based on the availability of network resources including wired networks By distributing intelligence and control amongst access points a WiNG 5 network can route directly via the best path as determined by factors ...

Page 22: ...escribes the installation and use of the WiNG 5 software designed specifically for AP6511 AP6521 AP6522 AP6532 AP6562 AP7131 AP7161 AP7181 AP8132 access points and ES6510 model ethernet switch It does not describe the version of the WiNG 5 software designed for use with the RFS4000 RFS6000 RFS7000 NX9000 NX9500 and NX9510 For information on using WiNG 5 in a controller managed network go to http s...

Page 23: ... backhaul Within a WiNG 5 network up to 80 of the network traffic can remain on the wireless mesh and never touch the wired network so the 802 11n load impact on the wired network is negligible In addition latency and associated costs are reduced while reliability and scalability are increased A WiNG 5 network enables the creation of dynamic wireless traffic flows so bottlenecks can be avoided and...

Page 24: ...1 4 WiNG 5 4 2 Access Point System Reference Guide ...

Page 25: ... access point can manage up to 24 other access points of the same model and share data amongst managed access points In Standalone mode an access point functions as an autonomous non adopted access point servicing wireless clients If adopted to controller an access point is reliant on its connected controller for its configuration and management For information on how to access and use the access ...

Page 26: ... with a working Web browser 2 Set the computer to use an IP address between 192 168 0 10 and 192 168 0 250 on the connected port Set a subnet network mask of 255 255 255 0 3 To derive the access point s IP address using its MAC address 4 Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows 5 With th...

Page 27: ...ect the Login button to load the management interface If this is the first time the management interface has been accessed the first screen to display will prompt for a change of the default access point password Then a dialogue displays to start the initial setup wizard For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 28: ...n lists global icons available throughout the interface Logoff Select this icon to log out of the system This icon is always available and is located at the top right hand corner of the UI Add Select this icon to add a row in a table When this icon is selected a new row is created in the table or a dialog box opens where you can enter values for that particular list Delete Select this icon to remo...

Page 29: ...and select this button Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to a device s profile configuration Mandatory Field Indicates the control s value is a mandatory configuration item You will not be allowed to proceed further without providing all mandatory values in this dialog Error in Entry Indicates t...

Page 30: ...id not stop the process from completing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has completed successfully without error Information This icon always precedes information displayed to the user This may either be a message displaying progress for a particular process or may just be a message from the sy...

Page 31: ...as been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domain States an RF Domain configuration has been impacted RF Domain implement location based security restrictions applicable to all VLANs in a particular physical location Firewall Policy Indicates a Firewall policy has been impacted Firewalls ...

Page 32: ...ates the configuration of RADIUS Group is being defined and applied A RADIUS group is a collection of RADIUS users with the same set of permissions RADIUS User Pools States a RADIUS user pool is being applied RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user RADIUS Server Policy Indicates a RADIUS server policy is being applied RADIUS server policy is...

Page 33: ...process fails Panic Snapshots Indicates a panic snapshot has been generated A panic snapshot is a file that records the status of all the processes and memory when a failure occurs UI Debugging Select this icon link to view current NETCONF messages View UI Logs Select this icon link to view the different logs generated by the user interface FLEX and the error logs Revert When selected any changes ...

Page 34: ...ess permission A user with this permission is permitted to access using the access point s serial console Superuser Indicates superuser privileges A superuser has complete access to all configuration aspects of the access point to which they are connected System States system user privileges A system user is allowed to configure some general settings like boot parameters licenses auto install imag...

Page 35: ...dicates system wide impact Cluster This icon indicates a cluster A cluster is a set of access points that work collectively to provide redundancy and load sharing RF Domain This icon indicates a RF Domain RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area such as in a floor a building or a site Each RF Domain also contains policies t...

Page 36: ...2 12 WiNG 5 4 2 Access Point System Reference Guide ...

Page 37: ...amline the process of initially accessing the wireless network The wizard defines the access point s operational mode deployment location basic security network and WLAN settings For instructions on how to use the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 38: ...ername field 3 Enter the default password motorola in the Password field 4 Select the Login button to load the management interface 5 If this is the first time the access point s management interface has been accessed an introductory screen displays that outlines the parameters that can be configured sequentially using the setup wizard NOTE When logging in for the first time you are prompted to ch...

Page 39: ...xt time the access point is rebooted by selecting Never Figure 3 3 Initial Setup Wizard Navigation Panel NOTE The Initial Setup Wizard displays the same pages and content for each access point model supported The only difference being the number of radios configurable by model as an AP7131 model can support up to three radios AP6522 AP6532 AP6562 AP8132 and AP7161 models support two radios and AP6...

Page 40: ...al Setup Wizard Introduction screen 6 Select Save Commit within each page to save the updates made to that page s configuration Select Next to proceed to the next page listed in the Navigation Panel Select Back to revert to the previous screen in the Navigation Panel without saving your updates 7 Select Next The Initial Setup Wizard displays the Access Point Type screen to define the access point ...

Page 41: ...r adopted by a RFS series wireless controller For more information see section Standalone Mode Adopted to Controller Select this option when deploying the access point as a controller managed Dependent mode access point Selecting this option closes the Initial AP Setup Wizard An adopted access point obtains its configuration from a profile stored on its managing controller Any manual configuration...

Page 42: ...ary advantage of this deployment is the cost savings in not deploying a wireless controller To designate an access point as a Virtual Controller AP 1 From the Access Point Type screen select Virtual Controller AP 2 Select Next The remainder of the configuration of the access point as a Virtual Controller AP is the same as configuring it for the Standalone mode To know more about configuring the ac...

Page 43: ... on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 4 Select Next The Initial Setup Wizard displays the LAN Configuration screen to set the access...

Page 44: ...resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the check box to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interface Range Enter a starting and ending IP Address range for client assignments on the access point s LAN interface Avoid assign...

Page 45: ...n screen to set the access point s WAN interface configuration Figure 3 8 Initial Setup Wizard WAN Configuration screen 7 Set the following DHCP and Static IP Address Subnet information for the WAN interface Use DHCP Select the checkbox to enable an automatic network address configuration using an external DHCP server on the WAN network Static IP Address Subnet Enter an IP Address Subnet and gatew...

Page 46: ...dio s functionality as a dedicated sensor Figure 3 9 Initial Setup Wizard Radio Configuration screen 9 Set the following parameters for each radio Configure as a Data Radio Select this option to dedicate this radio for WLAN client support in either the selected 2 4 GHz or 5 0 GHz radio band Radio Frequency Band Select either the 2 4 GHz or 5 0 GHz radio band to use with the radio when selected as ...

Page 47: ... of interference Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor support exclusively When functioning as a sensor the radio scans in sensor mode across all channels within the 2 4 and 5 0 GHz bands to identify potential threats within the access poin...

Page 48: ...ide no security between the access point and connected clients on this WLAN Captive Portal Authentication and No Encryption Select this option to use a Web page either internally or externally hosted to authenticate users before access is granted to the network If using this option define whether a local or external RADIUS authentication resource is used PSK Authentication and WPA2 Encryption Sele...

Page 49: ...shared secret used to authenticate the request 12 Select Next The Initial Setup Wizard displays the RADIUS Server Configuration screen if the access point s onboard RADIUS server is selected as required to validate user requests If an onboard RADIUS server is not required the Initial Setup Wizard displays the Access Point Mode screen to set how the access point works in a network Figure 3 11 Initi...

Page 50: ...ed network using the access point s onboard RADIUS server This is a required parameter Confirm Password Re enter or modify the password as a means of confirming the password This is a required parameter Description Optionally provide a description of the user account as means of further differentiating it from others 15 When completed select Add User to commit a new user Modify User to commit a mo...

Page 51: ...sage also displays stating an incorrect country setting may result in illegal radio operation Selecting the correct country is central to legal operation Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted This is a required parameter Time Zone Set the time zone where the access point is deployed This is a...

Page 52: ...ration before it is deployed However if a screen displays settings not intended as part of the initial configuration the screen can be selected from within the Navigation Panel and its settings modified accordingly Figure 3 13 Initial Setup Wizard Summary and Commit screen 20 If the configuration displays as intended select the Save Commit button to implement these settings to the access point s c...

Page 53: ...point tries to adopt to the controller defined in Controller 2 field When preferring layer 3 adoption configure how an IP will be assigned to this access point Select Use DHCP to use DHCP to assign an IP address to this access point If this access point requires a static IP to be assigned select Static IP Address Subnet and provide the appropriate IP address and net mask For your convenience the n...

Page 54: ...3 18 WiNG 5 4 2 Access Point System Reference Guide ...

Page 55: ...int managed network Use the dashboard to review the current network topology assess the network s component health and diagnose problematic device behavior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard Network View ...

Page 56: ... Expand the System menu item on the upper left hand side of the UI and select either an access point or connected client The Dashboard screen displays the Health tab by default Figure 4 1 Dashboard Health tab 4 1 1 Dashboard Conventions The Dashboard screen displays device information using the following conventions Health Displays information about the state of the access point managed network In...

Page 57: ...f the access point managed network Figure 4 2 Dashboard Health tab Information in the Health tab is classified as Device Details Radio RF Quality Index Radio Utilization Index Client RF Quality Index 4 1 1 1 1 Device Details Health The Device Details field displays model and version information ...

Page 58: ... is a percentage of the overall effectiveness of the RF environment It is a function of the data rate in both directions the retry rate and the error rate Figure 4 4 Dashboard Health tab Radio RF Quality Index field RF Quality displays as the average quality index for the single RF Domain utilized by the access point The table lists the bottom five 5 RF quality values for the RF Domain The quality...

Page 59: ...t Refer to the number or errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received Periodically select Refresh at the bottom of the screen to update the radio utilization information displayed Figure 4 5 Dashboard Health tab Radio Utilization Index field 4 1 1 1 4 Client RF Quality Index Dashboard Conventions The Client RF Quality Index ...

Page 60: ... granular data specific to a specific radio Worst 5 Lists the worst 5 performing client radios connected to the access point The RF Quality Index measures the overall effectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as the retry rate and the error rate The quality is measured as 0 20 Very poor quality 20 40 Poor quality 40 60 Average...

Page 61: ...the following fields Radio Types WLAN Utilization Wireless Clients Clients by Radio Type 4 1 1 2 5 Radio Types Inventory The Radio Types field displays the total number and types of radios managed by the selected access point Figure 4 8 Dashboard Inventory tab Radio Types field ...

Page 62: ...ent throughput relative to the maximum throughput possible The quality is measured as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and above High utilization Figure 4 9 Dashboard Inventory tab WLAN Utilization field Periodically select Refresh at the bottom of the screen to update WLAN utilization information 4 1 1 2 7 Wireless Clients Inventory The Wireless Client...

Page 63: ...o Type field For 5 0 GHz clients are displayed supporting the 802 11a and 802 11an radio bands For 2 4 GHz clients are displayed supporting the 802 11b 802 11bg and 802 11bgn radio bands Use this information to determine if all the access point s client radio bands are optimally supported for the access point s radio coverage area NOTE AP6522 AP6532 AP6562 AP8132 AP7131 AP7161 and AP7181 model acc...

Page 64: ...ptions can be utilized to review device performance and utilization as well as the RF band channel and vendor For more information see Network View Display Options on page 4 11 To review a device s Network Topology select Dashboard Network View Figure 4 12 Network View Topology The left hand side of the Network View screen contains an expandable System Browser where access points can be selected a...

Page 65: ...vailable None Select this option to keep the Network View display as it currently appears without any additional color or device interaction adjustments Utilization Select this option to filter based on the percentage of current throughput relative to maximum throughput Utilization results include Red Bad Utilization Orange Poor Utilization Yellow Fair Utilization and Green Good Utilization Qualit...

Page 66: ...riables in blue within the Network View display 3 Select the Update button to update the display with the changes made to the filter options Select Close to close the options field and remove it from the Network View 4 2 2 Device Specific Information Network View A device specific information screen is available for individual devices selected from within the Network View not the System Browser Th...

Page 67: ...e as their general client support roles are quite similar However access point configurations may need periodic refinement and overrides from their original RF Domain administered design For more information see RF Domain Overrides on page 5 165 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model Profiles can be used to ...

Page 68: ...inement from its original RF Domain designation Unlike a RFS series wireless controller an access point supports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration Thus a configuration should only be overridden when needed For more i...

Page 69: ...n This name could be as specific as the floor of a building or as generic as an entire site The location defines the physical area where a common set of access point configurations are deployed and managed by the RF Domain policy Contact Provide the name of the contact email or administrator assigned to respond to events created by or impacting the RF Domain Time Zone Set the geographic time zone ...

Page 70: ...ct RF Domains from the options on left hand side of the UI 4 Select the Sensor Configuration tab Figure 5 2 RF Domain Sensor Configuration tab 5 Either select the Add Row button to create a new WIPS server configuration or highlight an existing Sensor Server Configuration and select the Delete icon to remove it 6 Use the spinner control to assign a numerical Server ID to each WIPS server defined T...

Page 71: ...er access points but not those who have had their configuration overridden from their previous profile designation These devices require careful administration as they no longer can be tracked and as profile members Their customized configurations overwrite their profile assignments until the profile can be re applied to the access point Each access point model is automatically assigned a default ...

Page 72: ...access point to become a manager To define a profile s general configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI General configuration options display by default with the profile activated for use with this access point model Figure 5 3 General Profile screen 4 Select Add Row below the Network Time Pro...

Page 73: ... also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced ...

Page 74: ...io s 802 3at Power Mode Use the drop down menu for each power mode to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is p...

Page 75: ...its and receives multiple adoption responses from Virtual Controller APs available on the network These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption To define the access point profile s adoption configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the option...

Page 76: ...ter which the preferred controller group is considered down and unavailable to provide services Use the spinner to set a value from 2 600 seconds 8 Select the VLAN check box to define a VLAN the access point s associating Virtual Controller AP is reachable on VLANs 0 and 4 095 are reserved and cannot be used This setting is disabled by default 9 Enter Controller Hostnames as needed to define resou...

Page 77: ...guration PPPoE Configuration WAN Backhaul Configuration Additionally deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 5 45 Routing Level Use the spinner controller to set the ro...

Page 78: ...E1 POE LAN GE2 WAN To define a profile s Ethernet port configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Ethernet Ports Figure 5 6 Profile Interfaces Ethernet Ports screen 5 Refer to the following to assess port status mode and VLAN configuration Name Displays the...

Page 79: ... tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode Tag Native VLAN A green check...

Page 80: ...on a half duplex transmission can carry data in both directions just not at the same time Select Full duplex to transmit data to and from the port at the same time Using full duplex the port can send data while receiving data as well Select Automatic to enable to the access point to dynamically duplex as port performance needs dictate Automatic is the default setting Cisco Discover Protocol Receiv...

Page 81: ...ted for tagging frames and coordinating VLANs between devices IEEE 802 1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs If the upstream Ethernet device does not support IEEE 802 1Q tagging it does not interpret the tagged frames When VLAN tagging is required between devices both devices must support tagging and be configured to accept tagged VLAN...

Page 82: ...as a physical MAC and inner ARP SMAC as VRRP MAC If this configuration is enabled a packet is allowed despite a conflict existing Host Mode Configures the Port mode for 802 1x authentication Select single host to bridge traffic from a single authenticated host Select multi host to bridge traffic from any host the wired port Guest VLAN Set the Guest VLAN on which traffic is bridged from the wired p...

Page 83: ...tree works fine However if the network contains more than one VLAN the network topology defined by single STP would work but it is possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs A MSTP supported deployment uses multiple MST regions with multiple MST instances MSTI Multiple regions and other STP bridges are int...

Page 84: ...transmit or receive BPDU messages Default sets the PortFast BPDU Filter value to the bridge s BPDU filter value Select Enable to invoke a BPDU filter for this PortFast enabled port channel Enable PortFast BPDU Guard When enabled PortFast enabled ports are forced to shut down when they receive BPDU messages When set to Default sets the PortFast BPDU Guard value to the bridge s BPDU guard value Enab...

Page 85: ... the Ethernet port s security configuration Select Reset to revert to the last saved configuration Cisco MSTP Interoperability Select to enable or disable interoperability with CISCO s implementation of MSTP which is incompatible with standard MSTP Force Protocol Version Select the STP protocol to use with this port Select Not Supported to disable STP on this port Guard The Root Guard mechanism pr...

Page 86: ...create a new Virtual Interface configuration modify an existing configuration or delete an existing configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Virtual Interfaces Figure 5 10 Profile Interfaces Virtual Interfaces screen 5 Review the following parameters uniq...

Page 87: ...arameters from within the Properties field Admin Status A green check mark defines the listed Virtual Interface configuration as active and enabled with its supported profile A red X defines the Virtual Interface as currently disabled The interface status can be modified when a new Virtual Interface is created or an existing one modified VLAN Displays the numerical VLAN ID associated with each lis...

Page 88: ...lect the Security tab Enable Zero Configuration The access point can use Zero Config for IP assignments on an individual virtual interface basis Select Primary to use Zero Config as the designated means of providing an IP address this eliminates the means to assign one manually Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments Primary IP Addre...

Page 89: ... clients If a firewall rule does not exist suiting the data protection needs of this Virtual Interface select the Create icon to define a new firewall rule configuration or the Edit icon to modify an existing configuration For more information see Wireless Firewall on page 8 2 14 Select the OK button located at the bottom right of the screen to save the changes to the Security screen Select Reset ...

Page 90: ...atus 6 To edit the configuration of an existing port channel select it from amongst those displayed and select the Edit button The Port Channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name cannot be modified as part of the edit process Type Displays whether the type is port channel Descrip...

Page 91: ...transmission over the port These options are not available if Auto is selected Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex Select either Half F...

Page 92: ...native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select this option to tag the native VLAN Access points support the IEEE 802 1Q specification for tagging frames and coordinat...

Page 93: ...wall on page 8 2 13 Refer to the Trust field to define the following Trust ARP Responses Select this option to enable ARP trust on this port channel ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the managed network The default value is disabled Trust DHCP Responses Select this option to enable DHCP trust If enab...

Page 94: ...r hub or controller Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is disabled by default PortFast BPDU Filter Select Enable to invoke a BPDU filter for this PortFast enabled port channel Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs The default setting is ...

Page 95: ... connection A port connected to a hub is on a shared link while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setting is disabled by default Force Protocol Version Sets...

Page 96: ...ork Name Displays whether the reporting radio is radio 1 radio 2 or radio 3 AP7131 models can have up to 3 radios depending on the SKU AP6522 AP6532 AP6562 AP8132 and AP7161 models have 2 radios while AP6521 and AP6511 models have 1 radio Type Displays the type of radio housed by each listed access point Description Displays a brief description of the radio provided by the administrator when the r...

Page 97: ... select the channel with the lowest average power level Transmit Power Lists the transmit power for each radio The column displays smart if set for dynamic Smart RF support Description Provide or edit a description 1 64 characters in length for the radio that helps differentiate it from others with similar configurations Admin Status Either select the Disabled or Enabled radio button to define thi...

Page 98: ...he radio cannot return back to its original channel of operation ever after the mandatory thirty minute evacuation period is over Lock RF Mode Select this option to lock Smart RF operation for this radio The default setting is disabled as Smart RF utilization will impact throughput Channel Use the drop down menu to select the channel of operation for the radio Only a trained installation professio...

Page 99: ...s selected as the radio band select separate 802 11a and 802 11n rates then define how they are used together When using 802 11n in either the 2 4 or 5 0 GHz band Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guar...

Page 100: ...hold from 1 2 347 bytes for use by the WLAN s adopted access point radios RTS is a transmitting station s signal that requests a Clear To Send CTS response from a receiving client This RTS CTS procedure clears the air where clients are contending for transmission time Benefits include fewer data collisions and better communication with nodes that are hard to find or hidden because of other active ...

Page 101: ...ransmission of probe responses Options include highest basic lowest basic and follow probe request default setting Probe Response Retry Select this option to retry probe responses if they are not acknowledged by the target wireless client The default value is enabled Off Channel Scan list for 5 GHz Use the drop down list to select the channels to scan in the 5 GHz band when performing off channel ...

Page 102: ...int there are 8 BSSIDs for the 802 11b g n radio and 8 BSSIDs for the 802 11a n radio Each supported access point model can support up to 8 BSS IDs 17 Select Advanced Mapping to list all the available BSSIDs for the radio 18 Select Create New WLAN to open a dialog where a new WLAN are created 19 Select Create New MeshPoint to open a dialog where new Mesh Points are created 20 Select the OK button ...

Page 103: ...e changes to the Mesh configuration Select Reset to revert to the last saved configuration 25 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and then connect through them Portal operation begins beaconing immediately and accepts connections from other mesh supported nodes Select Portal...

Page 104: ...tting this value to None for high priority traffic to reduce packet delay A MPDU Modes Use the drop down menu to define the A MPDU mode supported Options include Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or bot...

Page 105: ...ast and multicast packets should always follow DTIM or only follow DTIM when using Power Save Aware mode The default setting is Follow DTIM Host for Redirected Packets If packets are re directed from an access point radio define an IP address of a resource additional host system used to capture the re directed packets This address is the numerical non DNS address of the host used to capture the re...

Page 106: ...PPoE client operation is enabled it discovers an available server and establishes a PPPoE link for traffic slow When a wired WAN connection failure is detected traffic flows through the WWAN interface in fail over mode if the WWAN network is configured and available When the PPPoE link becomes accessible again traffic is redirected back through the access point s wired WAN link When the access poi...

Page 107: ...The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the numerical non ho...

Page 108: ...imum password used for authentication by the PPPoE client Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmission Unit MTU from 500 1 492 The MTU i...

Page 109: ...tions PPP packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation The following 3G cards are supported Verizon V740 V...

Page 110: ...Enable WAN 3G Check this box to enable 3G WAN card support on the access point A supported 3G card must be connected to the device for this feature to work Username Provide your username for authentication support by the cellular data carrier Password Provide your password for authentication support by the cellular data carrier Access Point Name APN Enter the name of the cellular data provider if ...

Page 111: ...to ensure these configuration are optimally effective If the WAN card does not connect after a few minutes after a no shutdown check the access point s syslog for a detected ttyUSB0 No such file event If this event has occurred linux didn t detect the card Re seat the card If the WAN card has difficulty connecting to an ISP syslog shows that it retries LCP ConfReq for a long time ensure the SIM ca...

Page 112: ...guration ARP L2TPv3 Profile Configuration IGMP Snooping Quality of Service QoS Spanning Tree Configuration Routing Dynamic Routing OSPF Forwarding Database Bridge VLAN Cisco Discovery Protocol Configuration Link Layer Discovery Protocol Configuration Miscellaneous Network Configuration Before beginning any of the profile network configuration activities described in the sections above review the c...

Page 113: ...series of numbers 123 123 123 123 instead of an easy to remember domain name www domainname com To define the DNS configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select DNS Figure 5 24 Network DNS screen 5 Provide a default Domain Name used when resolving DNS names The n...

Page 114: ...s on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply so indicating ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied To define an ARP supported configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Prof...

Page 115: ...e bottom right of the screen to save the changes to the ARP configuration Select Reset to revert to the last saved configuration Device Type Specify the device type the ARP entry supports Host Router or DHCP Server Host is the default setting ...

Page 116: ...ling entities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status...

Page 117: ...P and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages AVP messages assist in the identification of a tunnelled peer UDP Listen Port Select this option to set the port used for listening to incoming traffic Select a port from 1 024 65 35...

Page 118: ...r IP address MTU Displays the maximum transmission unit MTU size for each listed tunnel The MTU is the size in bytes of the largest protocol data unit that the layer can pass between tunnel peers Use Tunnel Policy Lists the L2TPv3 tunnel policy assigned to each listed tunnel Local Hostname Lists the tunnel specific hostname used by each listed tunnel This is the host name advertised in tunnel esta...

Page 119: ...is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests MTU Set the maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tun...

Page 120: ...ed based on the role of the remote peer always The tunnel is always created irrespective of the role of the local device vrrp master The tunnel is only created when the local device is a VRRP master cluster master The tunnel is only created when the local device is a cluster master rf domain manager The tunnel is only created when the local device is a RF Domain manager In all the above cases if t...

Page 121: ...o enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the peer a hostname that can be used as matching criteria in the tunnel establishment process Router ID Specify the router ID sent in tunnel establishment messages with this specific peer Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is...

Page 122: ...ire ID for this session A pseudowire is an emulation of a layer 2 point to point connection over a packet switching network PSN A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network Traffic Source Type Lists the type of traffic tunnelled in this session Traffic Source Value Define a VLAN range to include in the tunnel session Available...

Page 123: ...hment message to the L2TP peer MTU Displays each sessions s maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers in this session A larger MTU means processing fewer packets for the same amount of data Name Lists the name assigned to each listed manual session Remote Session ID Lists the remote session ID passed in the ...

Page 124: ...as the size in bytes of the largest protocol data unit the layer can pass between tunnel peers in this session A larger MTU means processing fewer packets for the same amount of data Remote Session ID Use the spinner control to set the remote session ID passed in the establishment of the tunnel session Assign an ID from 1 4 294 967 295 Encapsulation Select either IP or UDP as the peer encapsulatio...

Page 125: ...hich do not require them To configure IGMP Snooping 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select IGMP Snooping Figure 5 32 Image Snooping Screen 5 Set the following parameters to configure general IGMP Snooping values Enable IGMP Snooping Select the box to enable IGMP Snoopi...

Page 126: ...he IGMP version compatibility to IGMP version 1 2 or 3 The default IGMP version is 3 IGMP Query Interval Sets the IGMP query interval This parameter is used only when the querier functionality is enabled Define an interval value in Seconds Minutes or Hours up to maximum of 5 hours The default value is 60 seconds IGMP Robustness Variable Sets the IGMP robustness variable The robustness variable is ...

Page 127: ...iated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP header DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence DSCP specifies a specific per hop behavior that is applied to a packet To define an QoS configuration for DSCP mappings 1 Select the Configuration t...

Page 128: ...een to save the changes Select Reset to revert to the last saved configuration 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priority The valid values for this field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Background 2 Spare 3 Excellent Effort 4 Controlled Load 5 Video 6 V...

Page 129: ...rotocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys s...

Page 130: ...ps the BPDU considers valid in the spanning tree topology The available range is from 7 127 The default setting is 20 MST Config Name Define a 64 character maximum name for the MST region to use as an identifier for the configuration MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Selec...

Page 131: ...es The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to set the maximum time in seconds to listen for the root bridge The root bridge is the spanning tree bridge with the smallest lowest bridge ID Each bridge has a unique ID and a configurable priority number the bridge ID contains both The available range ...

Page 132: ...ing clients without creating numerous host pools with manual bindings This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools To create static routes 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Routing Figure ...

Page 133: ...ect the OK button located at the bottom right of the screen to save the changes Select Reset to revert to the last saved configuration Static Default Route Priority Use the spinner control to set the priority value 1 8 000 for the default static route This is weight assigned to this route versus others that have been defined The default setting is 100 DHCP Client Default Route Priority Use the spi...

Page 134: ...ub area is an area which does not receive route advertisements external to the autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer routing decisions are need...

Page 135: ...ve to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passive Removed If enabling Passive...

Page 136: ...s VRRP State Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted before the OSPF process is shut down The...

Page 137: ...an existing configuration or Delete to remove a configuration Figure 5 38 Network OSPF Area Configuration screen Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 138: ... default summary cost advertised if creating a stub Set a value from 1 16 777 215 Translate Type Define how messages are translated Options include translate candidate translate always and translate never The default setting is translate candidate Range Specify a range of addresses for routes matching address mask for OSPF summarization Name Displays the name defined for the interface configuratio...

Page 139: ...means of providing IP addresses for the OSPF virtual route 21 Select Use DHCP to Obtain IP to use the access point s DHCP server resource as the means of providing requested IP addresses to the OSPF route s virtual interface 22 Select Use DHCP to Obtain Gateway DNS Servers to learn the default gateway name servers and domain name on just this interface Once selected specify an IP address and mask ...

Page 140: ...wall inspects OSPF route traffic flows and detects potential attacks on the dynamic route not visible to traditional wired firewall appliances Select the Create icon to define a new set of IP firewall rules that can be applied to the OSPF route configuration Selecting Edit allows for the modification of an existing IP firewall rules configuration For more information see Wireless Firewall on page ...

Page 141: ...de of the UI 4 Expand the Network menu and select Forwarding Database Figure 5 42 Network Forwarding Database screen 5 Define a Bridge Aging Time from 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before being deleted due to lack of activity If an entry replenishments a destination generating continuous traffic this timeout v...

Page 142: ...e the target VLAN ID if the destination MAC is on a different network segment 9 Provide an Interface Name used as the target destination interface for the target MAC address 10 Select OK to save the changes Select Reset to revert to the last saved configuration ...

Page 143: ...rame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Bridge VLAN forwards the data frame on the appropriate port s VLAN s are useful to set separate networks to isolate some computers from others without actually having to have separate cabling and Ethernet switches Another common use is to put specialize...

Page 144: ... mode An edge VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as edge VLAN the firewall enforces additional checks on hosts in that VLAN For example a host cannot move from an edge VLAN to a...

Page 145: ...t Automatic mode to let the access point determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel to use a shared tunnel for bridging traffic on the VLAN Tunnel must be selected to successfully create a mesh connection between two Standalone APs isolated tunnel Select isolated tunnel to use a dedicated tunnel ...

Page 146: ...Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Cisco Discovery Protocol Figure 5 45 Network Cisco Discovery Protocol CDP screen 5 Enable disable CDP and set the following settings 6 Select the OK button located at the bottom right of the screen to save the changes to the CDP configuration Select Reset to revert to t...

Page 147: ...r Discovery Protocol Data Unit LLDP PDU A single LLDP PDU is transmitted in a single 802 3 Ethernet frame To set the LLDP configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Link Layer Discovery Protocol Figure 5 46 Network Link Layer Discovery Protocol LLDP screen 5 ...

Page 148: ...tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Miscellaneous Figure 5 47 Network Miscellaneous screen 5 Select the Include Hostname in DHCP Request check box to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 6 Select the DHCP Persistent Lease check box to r...

Page 149: ... the VLAN bridge determines the associated VLAN based on the port of reception Static routes while easy can be overwhelming within a large or complicated network Each time there is a change someone must manually make changes to reflect the new route If a link goes down even if there is a second path the router would ignore it and consider the link down Static routes require extensive planning and ...

Page 150: ... firewall policy wireless client role policy WEP shared key authentication and NAT policy applied For more information refer to the following sections Defining Profile VPN Settings Defining Profile Security Settings Setting the Certificate Revocation List CRL Configuration Setting the Profile s NAT Configuration Setting the Profile s Bridge NAT Configuration ...

Page 151: ...er settings applied to IPSec protected traffic One crypto map is utilized for each IPsec peer however for remote VPN deployments one crypto map is used for all the remote IPsec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional features flexibility and configuration simplicity for the IPSec standa...

Page 152: ...ption authentication keys should last from successful key negotiation to expiration Two peers need not exactly agree on the lifetime though if they do not there is some clutter for a superseded connection on the peer defining the lifetime as longer DPD Retries Lists each policy s maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer This screen on...

Page 153: ...el connection is defined as dead The available range is from 1 100 The default setting is 5 IKE LifeTime Set the lifetime defining how long a connection encryption authentication keys should last from successful key negotiation to expiration Set this value in either Seconds 600 86 400 Minutes 10 1 440 Hours 1 24 or Days 1 This setting is required for both IKEv1 and IKEV2 Name If creating a new IKE...

Page 154: ... FQDN of the IPSec VPN peer targeted for secure tunnel connection and data transfer Authentication Type Lists whether the peer configuration has been defined to use pre shared key PSK or RSA Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s the first algorithm known to be suitable for signing as well as encryption If using IKEv2 this screen displays both local and remo...

Page 155: ...entication options as both ends of the VPN connection require authentication RSA is the default value for both local and remote authentication regardless of IKEv1 or IKEv2 Authentication Value or Local Authentication Value Define the authentication string shared secret that must be shared by both ends of the VPN tunnel connection The string must be from 8 21 characters long If using IKEv2 both a l...

Page 156: ... Policy Name Select the IKEv1 or IKE v2 policy name and settings to apply to this peer configuration If a policy requires creation select the Create icon Transform Set Lists the 32 character maximum name assigned to each listed transform set upon creation Again a transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic Authentication Alg...

Page 157: ... character maximum name to differentiate this configuration from others with similar attributes Authentication Algorithm Set the transform sets s authentication scheme used to validate identity credentials Use the drop down menu to select either HMAC SHA or HMAC MD5 The default setting is HMAC SHA Encryption Algorithm Set the transform set encryption method for protecting transmitted traffic Optio...

Page 158: ... manual site to site auto or remote VPN configuration defined for each listed cyrpto map configuration With site to site deployments an IPSEC Tunnel is deployed between two gateways each at the edge of two different remote networks With remote VPN an access point located at remote branch defines a tunnel with a security gateway This facilitates the endpoints in the branch office to communicate wit...

Page 159: ...provides the flexibility to connect to multiple peers from the same interface based on the sequence number from 1 1 000 Type Displays the site to site manual site to site auto or remote VPN configuration defined for each listed cyrpto map configuration IP Firewall Rules Lists the IP firewall rules defined for each displayed crypto map configuration Each firewall policy contains a unique set of acc...

Page 160: ...h crypto map configuration uses a list of entries based on a sequence number Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface based on this selected sequence number from 1 1 000 Type Define the site to site manual site to site auto or remote VPN configuration defined for each listed cyrpto map configuration ...

Page 161: ... must not be used to derive any additional keys Options include None 2 5 and 14 The default setting is None Lifetime kB Select this option to define a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes Lifetime seconds Se...

Page 162: ...screen differs depending on the selected IKE mode 30 Set the following IKEv1 or IKe v2 Settings Authentication Method Use the drop down menu to specify the authentication method used to validate the credentials of the remote VPN client Options include Local on board RADIUS resource if supported and RADIUS designated external RADIUS resource If selecting Local select the Add Row button and specify ...

Page 163: ... provides options for Dead Peer Detection DPD DPD represents the actions taken upon the detection of a dead peer within the IPSec VPN tunnel connection AAA Policy Select the AAA policy used with the remote VPN client AAA policies define RADIUS authentication and accounting parameters The access point can optionally use AAA server resources when using RADIUS as the authentication method to provide ...

Page 164: ...ded the association is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes The default settings is 4 608 000 kilobytes IPsec Lifetime seconds Set a lifetime in seconds for the duration of an IPSec VPN security association Once the set value is exceeded the association is timed out Options include Seconds 120 86 400 Minutes 2 1 440 Hours 1 24 or Days 1 The default s...

Page 165: ... before the tunnel connection is defined as dead The available range is from 1 100 The default number of messages is 5 NAT Keep Alive Define the interval or frequency of NAT keep alive messages for dead peer detection Options include Seconds 10 3 600 Minutes 1 60 and Hours 1 The default setting is 20 seconds Cookie Challenge Threshold Use the spinner control to define the threshold 1 100 that when...

Page 166: ...left hand side of the UI 4 Expand the Security menu and select Auto IPSec Tunnel Figure 5 59 Profile Security Auto IPSec Tunnel screen 5 Refer to the following table to configure the Auto IPSec Tunnel settings 6 Select OK to save the updates made to the Auto IPSec Tunnel screen Selecting Reset reverts the screen to its last saved configuration Group ID Configure the ID string used for IKE authenti...

Page 167: ...System Profile from the options on left hand side of the UI 4 Expand the Security menu and select Settings Figure 5 60 Profile Security Settings screen 5 Select the WEP Shared Key Authentication radio button to require profile supported devices to use a WEP key to access the network using this profile The access point other proprietary routers and Motorola Solutions clients use the key algorithm t...

Page 168: ...evocation Figure 5 61 Profile Security Certificate Revocation List CRL Update Interval screen 5 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a private key was found and nobody had access to it its...

Page 169: ...ng one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows an access point to ...

Page 170: ... to append additional rows to the IP Address Range table 8 Select OK to save the changes made to the profile s NAT Pool configuration Select Reset to revert to the last saved configuration 9 Select the Static NAT tab The Source tab displays by default Name If adding a new NAT policy provide a name to help distinguish it from others with similar configurations The length cannot exceed 64 characters...

Page 171: ...er interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Inside NAT is the default setting 12 Select ...

Page 172: ...rence Guide Figure 5 65 Profile Security Static NAT screen Destination tab 13 Select Add to create a new NAT destination configuration Edit to modify the attributes of an existing configuration or Delete to permanently remove a NAT destination ...

Page 173: ...on between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadca...

Page 174: ...twork Select Inside or Outside NAT as the network direction The default setting is Inside Source List ACL Lists the ACL defining packet selection criteria for the NAT configuration NAT is applied only on packets which match a rule defined in the access list These addresses once translated are not exposed to the outside world when the translation address is used to interact with the remote destinat...

Page 175: ...e to define the packet selection criteria for NAT NAT is applied only on packets which match a rule defined in the access list These addresses once translated are not exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside NAT as the network direction for the dynamic NAT configuration Inside is the default setting I...

Page 176: ... with the listed IP ACL rule Options include NAT Pool One Global Address and Interface IP Address Interface IP Address is the default setting If NAT Pool is selected provide the Overload IP address NAT Pool Provide the name of an existing NAT pool for use with the NAT configuration Optionally select the Create icon to define a new NAT Pool configuration Overload IP Enables the use of one global ad...

Page 177: ... is routed to the NoC and from there routed to the Internet This increases the access time for the end user on the client To resolve latency issues Bridge NAT identifies and segregates traffic heading towards the NoC and outwards towards the Internet Traffic towards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with access to the Internet T...

Page 178: ...NAT configuration Interface Lists the communication medium outgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or wwan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool...

Page 179: ...lines to ensure the profile configuration is optimally effective Ensure the contents of the certificate revocation list are periodically audited to ensure revoked certificates remained quarantined or validated certificates are reinstated NAT alone does not provide a firewall If deploying NAT on a profile add a firewall on the profile to block undesirable traffic from being routed For outbound Inte...

Page 180: ...destination link layer MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup st...

Page 181: ...entifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual router ID Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway address for the virtual route In...

Page 182: ...e information on the VRRP protocol specifications available publicly refer to http www ietf org rfc rfc3768 txt version 2 and http www ietf org rfc rfc5798 txt version 3 7 From within the VRRP tab select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selec...

Page 183: ...ral parameters Description In addition to an ID assignment a virtual router configuration can be assigned a textual description up to 64 characters to further distinguish it from others with a similar configuration Priority Use the spinner control to set a VRRP priority setting from 1 254 The access point uses the defined setting as criteria in selection of a virtual router master The higher the v...

Page 184: ... lower priority Preempt Delay If the Preempt option is selected use the spinner control to set the delay interval in seconds for preemption Interface Select this value to enable disable VRRP operation and define the AP7131 VLAN 1 4 094 interface where VRRP will be running These are the interfaces monitored to detect a link failure Sync Group Select this option to assign a VRRP sync group to this V...

Page 185: ...an event is generated stating a critical resource is unavailable By default there s no enabled critical resource policy and one needs to be created and implemented Critical resources can be monitored directly through the interfaces on which they re discovered For example a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource locate...

Page 186: ... when the state of any single critical resource changes If selecting All an event is generated when the state of all monitored critical resources change 7 Select the IP check box within the Monitor Via field at the top of the screen to monitor a critical resource directly within the same subnet using the provided critical resource IP address as a network identifier 8 Select the Interface check box...

Page 187: ... this purpose The IP address used for Port Limited Monitoring must be different from the IP address configured on the device 13 Select OK to save the changes to the critical resource configuration and monitor interval Select Reset to revert to the last saved configuration Mode Set the ping mode used when the availability of a critical resource is validated Select from arp only Use the Address Reso...

Page 188: ...en 5 Refer to the Captive Portal Hosting field to select or set a guest access configuration captive portal for use with this profile A captive portal is guest access policy for providing guests temporary and restrictive access to the access point managed network A captive portal provides secure authenticated access using a standard Web browser Captive portals provides authenticated access by capt...

Page 189: ...o ensure the profile configuration is optimally effective A profile plan should consider the number of wireless clients allowed on the profile s guest captive portal network and the services provided or if the profile should support guest access at all Profile configurations supporting a captive portal should include firewall policies to ensure logical separation is provided between guest and inte...

Page 190: ...NMP These management access configurations can be applied strategically to profiles as resource permissions dictate Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define a profile s management configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand s...

Page 191: ...pattern that may be negatively impacting performance using the configuration defined for the access point s profile Enable Message Logging Select this option to enable the profile to log system events to a user defined log file or a syslog server Selecting this radio button enables the rest of the parameters required to define the profile s logging configuration This option is disabled by default ...

Page 192: ...e console logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on c...

Page 193: ...ord for SMTP Server Specify the sender s username password on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending e mail through the server Enable Configuration Update Select this option to enable automatic configuration file updates for the profile from a location external to the access point If enabled the setting is disabled by de...

Page 194: ...up and running The Service Watchdog is enabled by default 18 Select OK to save the changes made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using its associated Virtual Controller AP s most recent firmware file for that model The only ava...

Page 195: ...ave the new password 8 To upgrade firmware using a FTP server use the upgrade command ftp username password 169 254 0 1 AP6532 5 4 0 0 047R img Alternatively a user can upgrade the AP6532 firmware using a TFTP server using the upgrade command tftp 169 254 0 1 AP6532 5 4 0 0 047R img The AP6532 downloads the firmware from FTP TFTP server This process will take a few minutes 9 When finished type rel...

Page 196: ...laneous settings NAS ID access point LEDs and RF Domain Manager To set an access point profile s advanced configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Advanced menu item The following items are available as advanced access point profile configuration options Advanced Profile Client Lo...

Page 197: ...cing from the expanded Advanced menu Figure 5 82 Advanced Profile Configuration Client Load Balancing screen 2 Use the drop down menu to define a Band Control Strategy Options include prefer 5ghz prefer 2 4 ghz and distribute by ratio The default value is prefer 5ghz 3 Set the following Neighbor Selection Strategies Use probes from common clients Select this option to use probes from shared client...

Page 198: ...el is over utilized This setting is enabled by default Selecting this feature enables parameters within the Channel Load Balancing field for assigning weightage and throughput values Max Band Load Difference Considered Equal Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing 2 4 and 5GHz radio band load balances The default setting is 1...

Page 199: ...Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing access point 2 4GHz radio load balances The default setting is 1 Thus using a default setting of 10 means 10 is considered inconsequential when comparing access point radio load balances exclusively on the 2 4GHz radio band Min Value to Trigger 2 4GHz Channel Balancing Use the spinner c...

Page 200: ...t than a high client connection count The default setting is 10 Min Value to Trigger Load Balancing Use the spinner control to set the access point radio threshold value from 0 100 used to initiate load balancing across other radios When the radio load exceeds the defined threshold load balancing is initiated The default is 5 Max AP Load Difference Considered Equal Use the spinner control to set a...

Page 201: ...e network requires users know about certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MINT are such that these scenarios continue t...

Page 202: ...ab displays the IP address routing level link cost hello packet interval and adjacency hold time settings used by managed devices to securely communicate amongst one another within the IPSec network Figure 5 84 Advanced Profile Configuration MINT Protocol screen IP tab Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting from 255 and 255 This...

Page 203: ... created by configuring a matching pair of links one on each end point However that is error prone and does not scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link as a forced link Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hell...

Page 204: ...evices use to securely communicate amongst one another Figure 5 86 Advanced Profile Configuration MINT Protocol screen VLAN tab 13 Select Add to create a new VLAN link configuration or Edit to modify an existing configuration IPSec GW Define either an IP address or hostname for the IPSec gateway NOTE If creating a mesh link between two access points in Standalone AP mode you will need to ensure a ...

Page 205: ... for interoperation when supporting the MINT protocol Routing Level If adding a new VLAN use the spinner control to define a routing level of either 1 or 2 Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default interval is 4 seconds ...

Page 206: ... to ensure this access point s LED remain continuously illuminated Deployments such as hospitals prefer to keep their wireless devices from having illuminating LEDs as they have been reported to disturb their patients this setting however is enabled by default Select the Flash Pattern radio button to enable the access point to blink in a manner that is different from its operational LED behavior E...

Page 207: ...ccess to the network the CISCO ISE RADIUS server presents the client with a URL where the device s compliance to the networks security such as validity of anti virus or anti spyware software is checked for the validity for their definition files this checking is called posture If the client device complies then it is allowed access to the network 8 Select OK to save the changes made to the profile...

Page 208: ...is a part of a meshed network Use the Mesh Point screen to configure the parameters that set how this device behaves as a part of the mesh network 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Select Mesh Point The Mesh Point screen displays Figure 5 89 Mesh Point Configuration Mesh Point Screen The Mesh Point...

Page 209: ...g a mesh connection Monitor Primary Port Link Displays if this mesh point monitors link status on the primary port Path Method Displays the path selection method used to select the path to the root node MeshConnex Policy Provide a name for the Mesh Connex Policy Use the Create icon to create a new Mesh Connex Policy To edit an existing policy select it from the drop down and click the Edit icon Fo...

Page 210: ...tion to indicate that this mesh point monitors link on the primary port If the link on the primary port becomes unavailable the mesh network is torn down Path Method From the drop down menu select the method to use for path selection in a mesh network The available options are None Select this to indicate no criteria used in root path selection uniform Select this to indicate that the path selecti...

Page 211: ...s point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile while the UI only provides one per access point model Consequently the two interfaces cannot be used collectively to manage profiles without an administrator encountering problems NOTE The ...

Page 212: ...dio button to change the selected access point s designation from Standalone to Virtual Controller AP Remember that only one Virtual Controller can manage up to 24 access points of the same model Thus an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation 7 Select the Adopt Unknown APs Automa...

Page 213: ...e number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual Controller AP mode To override a managed device s basic configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides 4 Select a target device MAC address from either the Device Browser in the lower left hand side of the UI or within the Device...

Page 214: ...ct OK to save the changes to the basic configuration Selecting Reset reverts the screen to its last saved configuration System Name Provide the selected device a system name up to 64 characters in length This is the device name that appears within the RF Domain or Profile the access point supports and is identified by Area Assign the access point an Area representative of the location the access p...

Page 215: ...rporation or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authenticati...

Page 216: ...s the screen to its last saved configuration HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop down menu where an existing certificate trustpoint can be leveraged To leverage an existing device certificate for use with this target device select the Launch Manager button For more information see Manage Certificates on page 5 152 SSH RSA Key Either...

Page 217: ...5 151 For more information on the certification activities refer to the following Manage Certificates RSA Key Management Certificate Creation Generating a Certificate Signing Request ...

Page 218: ...se with certificates 1 Select Launch Manager from either the HTTPS Trustpoint SSH RSA Key or RADIUS Server Certificate parameters Figure 5 95 Certificate Management Trustpoints screen The Certificate Management screen displays with the Trustpoints section displayed by default 2 Select a device from amongst those displayed to review its certificate information Refer to Certificate Details to review...

Page 219: ...CA certificate Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation List CRL CRLs are used to identify and remove those installed certificates that have been revoked or are no longer ...

Page 220: ...n Once a certificate has been generated on the authentication server export the self signed certificate A digital CA certificate is different from a self signed certificate The CA certificate contains the public and private key pairs The self certificate only contains a public key Export the self certificate for publication on a Web server or file server for certificate deployment or export it in ...

Page 221: ...9 Define the following configuration parameters to export a trustpoint Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address informatio...

Page 222: ... the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import export keys to and from remote locations 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select RSA Keys from the upper left hand side of the Certificate Management screen Prot...

Page 223: ...current RSA key configuration Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select the Generate Key button to create a new key ...

Page 224: ...icate select the Import button from the RSA Keys screen Figure 5 100 Certificate Management Import New RSA Key screen 8 Define the following configuration parameters required to import a RSA key Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key from 1 024 2 048 bits Motorola Solutions recommends leaving this value at th...

Page 225: ...hrase as a series of asterisks URL Provide the complete URL to the location of the RSA key Protocol If selecting Advanced select the protocol used for importing the target key Available options include tftp ftp sftp http cf usb1 usb2 Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 and usb2 IP Address If selecting Advanced enter IP address of ...

Page 226: ...the actual characters used in the passphrase Leaving the Show check box unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key Protocol If selecting Advanced select the protocol used for exporting the RSA key Available options include tftp ftp sftp http cf usb1 usb2 Port If selecting Advanced use the spinner control to set the port This ...

Page 227: ...o not use public or private CAs A self signed certificate is a certificate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create Certificate from the upper left hand side o...

Page 228: ...elect the existing key used by both the device and the server or repository of the target RSA key Create New Select this option to create a new RSA key Provide a 32 character name to identify the RSA key Use the spinner control to set the size of the key from 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting 1024 to ensure optimum functionality For more infor...

Page 229: ...sful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create CSR from the upper left hand side of the Certificate Management screen State ST Enter a State for the state or province name used in t...

Page 230: ...56 Use Existing Select this option to use an existing RSA key Use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certi...

Page 231: ...an AP6532 RF Domain override can only be applied to another AP6532 model access point To define a device s RF Domain override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the Device Browser in the lower left hand side of the UI 5 Select RF Domain Overrides Organizational Unit OU Ente...

Page 232: ...nt location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the maintenance of the access point configuration and wireless network Time Zone Use the drop down menu to select the geographic time zone supporting its deployment location Country Code Use the drop down menu to s...

Page 233: ...m their original administered design Consequently a device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particular site Use Device Overrides to define configurations overriding the parameters set by the target device s original profile configuration To define a general profile override configuration 1 Select the Configuration tab...

Page 234: ...e the override of the access point s entire profile configuration Radio Power Overrides Adoption Overrides Profile Interface Override Configuration Overriding the Network Configuration WAN Backhaul Overrides Overriding a Security Configuration Overriding a Services Configuration Overriding a Management Configuration Overriding an Advanced Configuration AutoKey Select this option to enable an autok...

Page 235: ...e sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To define an a...

Page 236: ...s 802 3af Power Mode and the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range whe...

Page 237: ... and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an existing parameter 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the Device Browser in the lower left hand side of the UI 5 Sele...

Page 238: ...group is considered down and unavailable to provide services Set a value from 2 600 seconds 10 Use the spinner control to set the Controller VLAN This is the VLAN the Virtual Controller is reachable on Select from 1 4094 There is no default value for this setting 11 Use the Add Row button to populate the Controller Hostnames table with the following host pool and routing parameters for defining th...

Page 239: ...configuration IPSec GW Use the drop down menu to specify if the IPSec Gateway resource is defined as a non DNS IP Address or a Hostname Once defined provide the numerical IP or Hostname A Hostname cannot exceed 64 characters Force Select to enable the link to the adopting controller or the controller group to be created even when not required ...

Page 240: ...ge modify parameters of an access point s Ethernet Port configuration The following ports are available on supported access point models AP6511 fe1 fe2 fe3 fe4 up1 AP6521 GE1 POE LAN AP6522 GE1 POE LAN AP6532 GE1 POE LAN AP6562 GE1 POE LAN AP7131 GE1 POE LAN GE2 WAN AP7161 GE1 POE LAN GE2 WAN AP8132 GE1 POE LAN GE2 WAN To define an Ethernet port configuration override 1 Select the Configuration ta...

Page 241: ... The interface status can be modified with the port configuration as required Mode Displays the profile s current switching mode as either Access or Trunk as defined within the Ethernet Port Basic Configuration screen If Access is selected the listed port accepts packets only from the native VLAN Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are e...

Page 242: ... to the appropriate VLAN When a frame is received with no 802 1Q header the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Allowed VLANs Displays the VLANs allowed to send packets over the listed port Allowed VLANs are only l...

Page 243: ...rtise its presence to neighbors Cisco Discover Protocol Transmit Select this option to allow the Cisco discovery protocol for transmitting data on this port If enabled the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors Link Layer Discovery Protocol Receive Select this option to allow the Link Layer discovery protocol to be received on this p...

Page 244: ...ur bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs If the upstream Ethernet device does not support IEEE 802 1Q tagging it does not interpret the tagged frames When VLAN tagging is required between devices both devices must support tagging and be configured to accept tagged VLANs When a frame is tagged the 12 bit frame VLAN ID is added to the 802 1Q header s...

Page 245: ...rt The default value is enabled Trust IP DSCP Select this option to enable IP DSCP values on this port The default value is enabled NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physical MAC and inner ARP SMAC as VRRP MAC If this configuration is enabled a packet is allowed despite a conflict existing Host Mode Select the port mode for 802 1X authentication ...

Page 246: ...k behind the port Once the STP calculation is complete the port s state is changed to Forwarding and traffic is allowed Rapid Spanning Tree Protocol RSTP IEEE 802 1w standard is a evolution over the standard STP where the primary aim was to reduce the time taken to respond to topology changes while being backward compatible with STP PortFast enables quickly changing the state of a port from Blocke...

Page 247: ... multiple devices An example for Shared connection would be when the port is connected to a hub Similarly an example for a Point to Point connection would be when the port is connected to an access point 24 Select either the Enable or Disable radio button for the CISCO MSTP Interoperability field This enables or disables inter operability with CISCO s implementation of the Multiple Spanning Tree P...

Page 248: ...er 3 IP access or provide layer 3 service on a VLAN The Virtual Interface defines which IP address is associated with each VLAN ID A Virtual Interface is created for the default VLAN VLAN 1 to enable remote administration A Virtual Interface is also used to map VLANs to IP address ranges This mapping determines the destination networks for routing To review existing Virtual Interface configuration...

Page 249: ...each listed Virtual Interface assigned when it was created The name is from 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed interface Description Displays the description defined for the Virtual Interface when it was either initially created or edited Admin Status A green check mark defines the listed Virtual Interface c...

Page 250: ...characters for the Virtual Interface that helps differentiate it from others with similar configurations Admin Status Either select the Disabled or Enabled radio button to define this interface s current status within the network When set to Enabled the Virtual Interface is operational and available The default value is disabled Enable Zero Configuration The access point can use Zero Config for IP...

Page 251: ...face select the Create icon to define a new firewall rule configuration or the Edit icon to modify or override an existing configuration For more information see Wireless Firewall on page 8 2 Use DHCP to Obtain IP Select this option to allow DHCP to provide the IP address for the Virtual Interface Selecting this option disables the Primary IP address field AP6522 AP6532 AP6562 AP8132 AP7131 and AP...

Page 252: ...nterfaces Security screen 17 Use the IP Inbound Firewall Rules drop down menu to select the firewall rule configuration to apply to this Virtual Interface 18 Use the VPN Crypto Map drop down menu to define the cryptography map to use with this virtual interface 19 Select the Dynamic Routing tab ...

Page 253: ...ges and overrides to the Security screen Select Reset to revert to the last saved configuration Priority Select this option to enable or disable OSPF priority settings Use the spinner to configure a value from 0 255 Cost Select this option to enable or disable OSPF cost settings Use the spinner to configure a cost value from 1 65535 Bandwidth Select this option to enable or disable OSPF bandwidth ...

Page 254: ...ile Overrides Port Channels screen 7 Refer to the following to review existing port channel configurations and their current status 8 To edit the configuration of an existing port channel select it from amongst those displayed and select the Edit button The Port Channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was c...

Page 255: ...ll duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex Select eit...

Page 256: ...e native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select this option to tag the native VLAN Access points support the IEEE 802 1Q specification for tagging frames and coordin...

Page 257: ...rewall rule configuration For more information see Wireless Firewall on page 8 2 15 Refer to the Trust field to define the following Trust ARP Responses Select this option to enable ARP trust on this port channel ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the managed network The default value is disabled Trus...

Page 258: ...connected to a server workstation and not another hub or controller Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is disabled by default Enable PortFast BPDU Filter Select Enable to invoke a BPDU filter for this PortFast enabled port channel Enabling the BPDU filter feature ensures this port channel does no...

Page 259: ...aving a shared connection A port connected to a hub is on a shared link while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setting is disabled by default Force Protoco...

Page 260: ...Device menu to expand it into sub menu options 5 Select Interface to expand its sub menu options 6 Select Radios Figure 5 120 Profile Overrides Access Point Radios screen 7 Review the following radio configuration data to determine whether a radio configuration requires modification or override NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied...

Page 261: ...sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be listed as a sensor to define the radio as not providing typical WLAN support The radio band is set from within the Radio Settings tab Channel Lists the channel setting for the radio Smart is the default setting If set to smart the access po...

Page 262: ... WLAN support depending on the radio s intended client support Set the mode to Sensor if using the radio for rogue device detection Lock Radio Band Select this option to lock Smart RF calibration functions for this radio The default setting is disabled DFS Revert Home Select this option to enable a radio to return back to its original channel Dynamic Frequency Selection DFS prevents a radio from o...

Page 263: ...mit chains This setting is disabled by default The radio uses a single chain antenna for frames at non 802 11n data rates Rate Once the radio band is provided the Rate drop down menu populates with rate options depending on the 2 4 or 5 0 GHz band selected If the radio band is set to Sensor or Detector the Data Rates drop down menu is not enabled as the rates are fixed and not user configurable If...

Page 264: ...beacon is information such as the WLAN service area the radio address the broadcast destination addresses a time stamp and indicators about traffic and delivery such as a DTIM Increase the DTIM beacon settings lengthening the time to let nodes sleep longer and preserve battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitt...

Page 265: ...RTS CTS exchanges before transmissions can commence A disadvantage is the reduction in data frame throughput An advantage is quicker system recovery from electromagnetic interference and data collisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS threshold minimizes RTS CTS exchanges consuming less bandwidth for da...

Page 266: ...gn WLANs and mesh points to the available BSSIDs Administrators can assign each WLAN its own BSSID If using a single radio AP6511 or AP6521 access point there are 8 BSSIDs available If using a dual radio AP6532 AP6522 AP6562 AP8132 or AP7161 model access point there are 16 BSSIDs for the 802 11b g n radio and 16 BSSIDs for the 802 11a n radio 22 Select OK to save the changes and overrides to the W...

Page 267: ...right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 28 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and connect through them Portal operation begins beaconing immediately and accepts connections from other mesh supp...

Page 268: ...e Consider setting this value to None for high priority traffic to reduce packet delay A MPDU Modes Use the drop down menu to define the A MPDU mode Options include Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or ...

Page 269: ...edia including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation To define a WAN Backhaul configuration override for a supported access point 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the...

Page 270: ...Overrides field and select Clear Overrides This will remove all overrides from the device WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card Reset WAN Card If the WAN Card becomes unresponsive or is experiencing other errors click the Reset WAN Card button to power cycle and reboot the WAN card Enable WAN 3G Check this box to enable 3G WAN card support on the device A ...

Page 271: ...s point to point connection each PPPoE session learns the Ethernet address of a remote PPPoE client and establishes a session PPPoE uses both a discover and session phase to identify a client and establish a point to point connection By using such a connection a Wireless WAN failover is available to maintain seamless network access if the access point s Wired WAN were to fail When PPPoE client ope...

Page 272: ...ide of the UI 4 Expand the Interface menu and select PPPoE Figure 5 126 Profile Interface PPPoE screen 5 Use the Basic Settings field to enable PPPoE and define a PPPoE client Enable PPPoE Select Enable to support a high speed client mode point to point connection using the PPPoE protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by ...

Page 273: ...Provide the 64 character maximum username used for authentication support by the PPPoE client Password Provide the 64 character maximum password used for authentication by the PPPoE client Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP ...

Page 274: ...ration Overriding a Miscellaneous Network Configuration 5 4 4 4 1 Overriding the DNS Configuration Overriding the Network Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP addresses If one DNS server doesn t know how to translate a particular domain name it a...

Page 275: ...rotocol ARP is a protocol for mapping an IP address to a hardware MAC address ARP provides protocol rules for making this correlation and providing address conversion in both directions This ARP assignment can be overridden NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Ove...

Page 276: ...ng as such ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied To define an ARP supported configuration 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Network to expand it...

Page 277: ...e psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is reflected by the state of the L2TP V3 session If a L2TP V3 session is down the pseudowire associated with it must be s...

Page 278: ...Name Define a 64 character maximum host name to specify the name of the host that s sent tunnel messages Tunnel establishment involves exchanging 3 message types SCCRQ SCCRP and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages AVP messag...

Page 279: ...e maximum transmission unit MTU size for each listed tunnel The MTU is the size in bytes of the largest protocol data unit that the layer can pass between tunnel peers Use Tunnel Policy Lists the L2TPv3 tunnel policy assigned to each listed tunnel Local Hostname Lists the tunnel specific hostname used by each listed tunnel This is the host name advertised in tunnel establishment messages Local Rou...

Page 280: ...ot the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests MTU Set the maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data...

Page 281: ...This is the host name advertised in tunnel establishment messages Local Router ID Specify the router ID sent in tunnel establishment messages with a potential peer device Establishment Criteria Specify the establishment criteria for creating a tunnel The tunnel is only created if this device is one of the following vrrp master cluster master rf domain manager The tunnel is always created if Always...

Page 282: ...ination peer address for tunnel establishment Host Name Assign the peer a hostname that can be used as matching criteria in the tunnel establishment process Router ID Specify the router ID sent in tunnel establishment messages with this specific peer Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmission model without impli...

Page 283: ...tomatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in a session establishment message to the L2TP peer MTU Displays each sessions s maximum transmissio...

Page 284: ...el When responding to incoming tunnel create requests it would use the IP address on which it had received the tunnel create request IP Set the IP address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message to t...

Page 285: ...MP Snooping 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select IGMP Snooping Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmission model without implicit handshakes UDP Port If UDP encapsulation is selecte...

Page 286: ...perform the IGMP querier role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports IGMP multicast packet are not flooded on the wired port IGMP membership is also learnt on it and only if present then forwarded on that port An AP71xx model access p...

Page 287: ...oS configuration for DSCP mappings 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Network to expand its sub menu options 5 Select Quality of Service Maximum Response Time Specify the maximum time from 1 25 seconds before sen...

Page 288: ...on The Multiple Spanning Tree Protocol MSTP provides an extension to RSTP to optimize the usefulness o f VLANs MSTOP allows for a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree topology DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification 802 1p Priority Assign a 8...

Page 289: ...also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region T...

Page 290: ... The default setting is 20 MST Config Name Define a 64 character maximum name for the MST region as an identifier MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the Enable or Disable radio buttons to enable disable interoperability with Cisco s version of MSTP which is in...

Page 291: ...does not immediately start to forward data It first processes BPDUs and determines the network topology When a host is attached the port always goes into the forwarding state after a delay of while it goes through the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to set the...

Page 292: ...to edit an existing policy after selecting it in the drop down list For more information on policy based routing see Policy Based Routing PBR on page 7 2 8 Select Add Row as needed to include single rows with in the static IPv4 route table 9 Add IP addresses and network masks in the Network column 10 Provide the Gateway used to route traffic 11 Refer to the Default Route Priority field and set the...

Page 293: ...nd routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes that is The only way for traffic to get routed outside of the area is A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer routing decisions are needed lowering system resource uti...

Page 294: ...tifier is not an IP address it does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by d...

Page 295: ...s and encourage aggregate routes VRRP Mode Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted before the...

Page 296: ...8 Select Add to create a new OSPF configuration Edit to modify an existing configuration or Delete to remove a configuration Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 297: ...r None simple password or message digest as credential validation scheme used with the OSPF dynamic route The default setting is None Type Set the OSPF area type as either stub totally stub nssa totally nssa or non stub Default Cost Select this option to set the default summary cost advertised if creating a stub Set a value from 1 16 777 215 Translate Type Define how messages are translated Option...

Page 298: ...d for the interface configuration Type Displays the type of interface Description Lists each interface s 32 character maximum description Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route s virtual interface connection VLAN Lists the VLAN IDs set for each listed OSPF route virtual interface IP Address Displays the IP addresses defined as virtual...

Page 299: ... set as the Primary or Secondary means of providing IP addresses for the OSPF virtual route 27 Select Use DHCP to Obtain IP to use a the access point s DHCP server resource as the means of providing requested IP addresses to the OSPF route s virtual interface 28 Select Use DHCP to Obtain Gateway DNS Servers to learn default gateway name servers and the domain name on just this interface Once selec...

Page 300: ...ine a new set of IP firewall rules that can be applied to the OSPF route configuration Selecting Edit allows for the modification of an existing IP firewall rules configuration For more information see Wireless Firewall on page 8 2 34 Select the VPN Crypto Map to use with this VLAN configuration Use the drop down menu to apply an existing crypto map configuration to this VLAN interface Use the Cre...

Page 301: ...able Priority Select to enable or disable OSPF priority settings Use the spinner to configure a value in the range 0 255 Cost Select to enable or disable OSPF cost settings Use the spinner to configure a cost value in the range 1 65535 Bandwidth Select to enable or disable OSPF bandwidth settings Use the spinner to configure a bandwidth settings in the range 1 10 000 000 KBps Key ID Set the unique...

Page 302: ...ses and their locations on the network This information is then used to decide to filter or forward the packet This forwarding database assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar device models To define or override a forwarding database configuration 1 Select Devices from the Configuration tab 2 Select ...

Page 303: ...st multicast unicast and unknown unicast within a Layer 2 device For example say several computers are used into conference room X and some into conference Y The systems in conference room X can communicate with one another but not with the systems in conference room Y The creation of a VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on sep...

Page 304: ...AN Mode Defines whether the VLAN is currently in edge VLAN mode An edge VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn t be marked as an edge VLAN When defining a VLAN as edge VLAN the firewall enforces additional checks on hosts in that ...

Page 305: ... VLAN s specific configuration to help differentiate it from other VLANs with similar configurations 10 Set or override the following general parameters Per VLAN Firewall Select to enable Firewall on each virtual interface Firewalls create huge flow tables This feature enables firewalls to be enabled or disabled on a per VLAN basis Thus the creation and storage of flow tables is controllable L2 Tu...

Page 306: ... ACL is not available click the create button to make a new one MAC Outbound Tunnel ACL Select a MAC Outbound Tunnel ACL for outbound traffic from the drop down menu If an appropriate outbound MAC ACL is not available click the create button to make a new one NOTE If creating a mesh connection between two access points in Standalone AP mode Tunnel must be selected as the Bridging Mode to successfu...

Page 307: ...d Unknown Multicast Packets Select this option to enable the access point to forward multicast packets from unregistered multicast groups If disabled the Unknown Multicast Forward feature is also disabled for the selected VLANs This is disabled by default Interface Name Select the interface on which to snoop for and forward IGMP packets Select each individual interface independently to enable IGMP...

Page 308: ...rily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present The controller can perform the IGMP querier role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports IGMP multicast p...

Page 309: ...n higher layer management and connection endpoint information from adjacent devices Using LLDP an access point is able to advertise its own identification capabilities and media specific configuration information and learn the same information from connected peer devices LLDP information is sent in an Ethernet frame at a fixed interval Each frame contains one Link Layer Discovery Protocol Data Uni...

Page 310: ...me for a device profile When numerous DHCP leases are assigned an administrator can better track the leases when hostnames are used instead of devices Enable LLDP Select this option to enable LLDP on the access point LLDP is enabled by default When enabled an access point advertises its identity capabilities and configuration information to connected peers and learns the same from them Hold Time U...

Page 311: ...d DHCP server is unavailable This feature is enabled by default 8 Select the OK button to save the changes and overrides Select Reset to revert to the last saved configuration 5 4 4 5 Overriding a Security Configuration Profile Overrides A profile can have its own firewall policy wireless client role policy WEP shared key authentication NAT policy and VPN policy applied If an existing firewall cli...

Page 312: ...on describes how to use the inbuilt wizards to override the VPN parameters WiNG provides two 2 wizards that provide different levels of configuration The following screen displays Figure 5 153 Security Configuration Wizard screen The following options are available Quick Setup Wizard Use this wizard to setup basic VPN Tunnel on the device This wizard is aimed at novice users and enables them to se...

Page 313: ... Quick Setup Wizard 1 Provide the following information to configure a VPN tunnel Tunnel Name Provide a name for the tunnel Tunnel name must be such that it easily identifies the tunnel uniquely Tunnel Type Configure the type of the tunnel Tunnel can be one of the following types Site to Site This tunnel provides a secured connection between two sites Remote Access This tunnel provides access to a...

Page 314: ...along with its mask Destination Provide the destination network along with its mask Peer Configure the Peer for this Tunnel The peer device can be specified either by its Hostname or by its IP address Authentication Configure the Authentication used to identify the peers with each other The following can be configured Certificate Use a certificate to authenticate Pre Shared Key Use a pre shared ke...

Page 315: ...mote sites as indicated in the image Remote Access is used to create a tunnel between an user device and a network as indicated in the image Interface Select the interface to use Interface can be a Virtual LAN VLAN or WWAN or PPPoE depending on the interfaces available on the device Traffic Selector This field creates the Access Control List ACL that is used to control who uses the network Provide...

Page 316: ...h each other When this option is selected provide the shared secret key Local Identity Configure the local identity for the VPN Tunnel IP Address The local identity is an IP address Provide the IP address in the text box FQDN The local identity is a Fully Qualified Domain Name FQDN Provide the FQDN in the text box Email The local identity is an E mail address Provide the e mail address in the text...

Page 317: ...licy Click this option to create a new IKE policy Transform Set Transform set is a set of configuration that is exchanged for creating the VPN tunnel and impose a security policy on the tunnel Primarily the transform set comprises the following Encryption The encryption to use for creating the tunnel Authentication The authentication used to identify tunnel peers Mode The mode of the tunnel This i...

Page 318: ...ed when Create New Policy is selected in Transform Set field This indicates how packets are transported through the tunnel Tunnel This option indicates that the mode is Tunnel Use this mode when the Tunnel is between two routers or servers Transport This option indicates that the mode is Transport Use this mode when the Tunnel is created between a client and a server Security Association Configure...

Page 319: ...unnel screen Selecting Reset reverts the screen to its last saved configuration 5 4 4 5 5 Overriding General Security Settings Overriding a Security Configuration A profile can leverage existing firewall wireless client role and WIPS policies and configurations and apply them to the configuration This affords a profile a truly unique combination of data protection policies However as deployment re...

Page 320: ...d if the certificate authority CA had improperly issued a certificate or if a private key is compromised The most common reason for revocation is the user no longer being in sole possession of the private key To define a Certificate Revocation configuration or override 1 Select Devices from the Configuration tab NOTE A blue override icon to the left of a parameter defines the parameter as having a...

Page 321: ...ess to it its status could be reinstated 8 Provide the name of the trustpoint in question within the Trustpoint Name field The name cannot exceed 32 characters 9 Enter the resource ensuring the trustpoint s legitimacy within the URL field 10 Use the spinner control to specify an interval in hours after which the access point copies a CRL file from an external server and associates it with a trustp...

Page 322: ...8 private IP addresses behind a single public IP address NAT provides outbound Internet access to wired and wireless hosts Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows the access point to translate one or more private IP addresses to a single public facing IP address assigned to a 10 100 1000 Ethernet port or 3G card To define a NAT configura...

Page 323: ...Any of these policies can be selected and applied to a profile 7 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or override the attributes of a existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile Figure 5 163 Profile Overrides Security NAT Pool screen ...

Page 324: ...de Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access b...

Page 325: ...rough the NAT on the way back to the LAN are searched against to the records kept by the NAT engine The destination IP address is changed back to the specific internal private class IP address to reach the LAN over the network Figure 5 165 Profile Overrides NAT Destination screen 12 Select Add to create a new NAT destination configuration Edit to modify or override the attributes of an existing co...

Page 326: ...s a full duplex virtual connection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communicatio...

Page 327: ...cess list These addresses once translated are not exposed to the outside world when the translation address is used to interact with the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overl...

Page 328: ...exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside NAT as the network direction for the dynamic NAT configuration Inside is the default setting Interface Select the VLAN from 1 4094 or WWAN used as the communication medium between the source and destination points within the NAT configuration Ensure the VLAN se...

Page 329: ...uter MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state they monitor the master for any failures and in case o...

Page 330: ... initially defined This ID identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual router ID Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway add...

Page 331: ...he VRRP protocol specifications available publicly refer to http www ietf org rfc rfc3768 txt version 2 and http www ietf org rfc rfc5798 txt version 3 7 From within the VRRP tab select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Delete If add...

Page 332: ...efine the following VRRP General parameters Description In addition to an ID assignment a virtual router configuration can be assigned a textual description up to 64 characters to further distinguish it from others with a similar configuration Priority Use the spinner control to set a VRRP priority setting from 1 254 The access point uses the defined setting as criteria in selection of a virtual r...

Page 333: ...Delay If the Preempt option is selected use the spinner control to set the delay interval in seconds for preemption Interface Select this value to enable disable VRRP operation and define the AP7131 VLAN 1 4 094 interface where VRRP will be running These are the interfaces monitored to detect a link failure Sync Group Select this option to assign a VRRP sync group to this VRRP ID s group of virtua...

Page 334: ...ing a critical resource is unavailable By default there s no enabled critical resource policy and one needs to be created and implemented Critical resources can be monitored directly through the interfaces on which they re discovered For example a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue ...

Page 335: ...e of any single critical resource changes If selecting All an event is generated when the state of all monitored critical resources change 7 Select the IP check box within the Monitor Via field at the top of the screen to monitor a critical resource directly within the same subnet using the provided critical resource IP address as a network identifier 8 Select the Interface check box within the Mo...

Page 336: ... IP address specifically used for this purpose The IP address used for Port Limited Monitoring must be different from the IP address configured on the device 13 Select OK to save the changes to the critical resource configuration and monitor interval Select Reset to revert to the last saved configuration Mode Set the ping mode used when the availability of a critical resource is validated Select f...

Page 337: ...h this profile A captive portal is guest access policy for providing guests temporary and restrictive access to the network The primary means of securing such guest access is a captive portal A captive portal configuration provides secure authenticated access using a standard Web browser A captive portal provides authenticated access by capturing and re directing a user s Web browser session to a ...

Page 338: ...les as resource permissions dictate for the profile Additionally overrides can be applied to customize a device s management configuration if deployment requirements change and a devices configuration must be modified from its original device profile configuration Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define or over...

Page 339: ...onfiguration This option is disabled by default Remote Logging Host Use this table to define numerical non DNS IP addresses for up to three external resources where logged system events can be sent on behalf of the profile Select Clear as needed to remove an IP address Facility to Send Log Messages Use the drop down menu to specify the local server facility if used for the profile event log transf...

Page 340: ...ng Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Time to Aggregate Repeated Messages Define the increment or interval system events are logged on behalf of this pr...

Page 341: ...ernal to the access point If enabled the setting is disabled by default provide a complete path to the target configuration file used in the update Enable Firmware Update Select this option to enable automatic firmware updates from a user defined remote location This value is disabled by default Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware v...

Page 342: ... Watchdog option to implement heartbeat messages to ensure other associated devices are up and running and capable of effectively interoperating The Service Watchdog is enabled by default 18 Select OK to save the changes and overrides made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration ...

Page 343: ...es and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MiNT are such that these scenarios continue to function as expected with minimal user inter...

Page 344: ...ure or override it Using probes from common clients Select this option to enable neighbors are selected using probe requests from common clients between the neighbor device and this device Using notifications from roamed clients Select this option to enable neighbors are selected using notifications from clients roamed from other devices Using smart rf neighbor detection Select this option to enab...

Page 345: ...dary to maintaining client association The default setting is 90 Weightage given to Throughput Use the spinner control to assign a weight between 0 100 the access point uses to prioritize 2 4 and 5 GHz radio throughput in the overall access point load calculation Assign this value higher if throughput and radio performance are considered mission critical within the access point managed network The...

Page 346: ...Difference Considered Equal Use the spinner control to set a value between 0 100 considered an adequate discrepancy when comparing 2 4 and 5GHz radio band load balances on this access point The default setting is 10 Thus using a default setting of 1 means 1 is considered inconsequential when comparing 2 4 and 5 GHz load balances on this access point Band Ratio 2 4GHz Use the spinner control to set...

Page 347: ... default setting has the check box disabled Max confirmed Neighbors Use the spinner to set the maximum number of learned neighbors stored at this device Minimum signal strength for smart rf neighbors Use the spinner to set the minimum signal strength of neighbor devices that are learnt through Smart RF before they are recognized as neighbors Level 1 Area ID Select the box to enable a spinner contr...

Page 348: ...s managed by the MINT configuration Figure 5 181 Profile Overrides Advanced Profile MINT screen IP tab The IP tab displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another 25 Select Add to create a new Link IP configuration or Edit to override an existing MINT configu...

Page 349: ...inks one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Port To specify a custom port for MiNT links check this box and use the spinner control to define or override the port number from 1 65 535 Forced Link Check this box to specify the MiNT link as a forced link This set...

Page 350: ...guration or Edit to override an existing MINT configuration Adjacency Hold Time Set or override a hold time interval in either Seconds 2 600 or Minutes 1 10 for the transmission of hello packets The default interval is 46 seconds IPSec Secure Select this option to use a secure link for IPSec traffic This setting is disabled by default When enabled both the header and the traffic payload are encryp...

Page 351: ...trollers for interoperation when supporting the MINT protocol Routing Level Use the spinner control to define or override a routing level of either 1 or 2 Link Cost Use the spinner control to define or override a link cost from 1 10 000 The default value is 10 Hello Packet Interval Set or override an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default ...

Page 352: ...d its initial configuration its LED blinks in a unique pattern to indicate that the initial configuration is complete 36 Use the drop down to configure the access point s Meshpoint Behavior This field configures the access point s mobility behavior The default is External fixed and indicates that the mesh point is fixed The value vehicle mounted indicates that the mesh point is mobile 37 Use the R...

Page 353: ...o communicate with each other either directly or through intermediate nodes Mesh Point is the name given to a device that is a part of a meshed network Use the Mesh Point screen to configure or override the parameters that set how this device behaves as a part of the mesh network To override Mesh Point configuration 1 Select Devices from the Configuration menu 2 Select a target device from the Dev...

Page 354: ...oring of primary port link is enabled for this mesh connex policy If the primary port link is not present and if the device is a mesh root it is automatically changed to a non root device When the primary port link becomes available again the non root device is changed back to a root device Path Method From the drop down menu select the method to use for path selection in a mesh network The availa...

Page 355: ...n Disable Dynamic Chain Selection radio setting The default value is enabled This setting is disabled from the Command Line Interface CLI using the dynamic chain selection command or in the UI refer Radio Override Configuration Disable A MPDU Aggregation if the intended vehicular speed is greater than 30 mph For more information see Radio Override Configuration Preferred Neighbor Enter the MAC add...

Page 356: ...olicies can have their event notification configurations modified as device profile requirements warrant To define an access point event policy 1 Select Devices from the Configuration menu 2 Select Event Policy Figure 5 188 Event Policy screen 3 Ensure the Activate Event Policy option is selected to enable the screen for configuration This option needs to remain selected to apply the event policy ...

Page 357: ...t access control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit periodic beacons for each BSS A beacon advertises the SSID security requirements supported data rates of the wireless network to enable clients to locate and connect to the WLAN WLANs are mapped to radios on each ...

Page 358: ...6 2 WiNG 5 4 2 Access Point System Reference Guide Figure 6 1 Configuration Wireless menu ...

Page 359: ...pdate the SSID designation Description Displays the brief description assigned to each listed WLAN when it was either created or modified WLAN Status Lists each WLAN s status as either Active or Shutdown A green check mark defines the WLAN as available to clients on all radios where it has been mapped A red X defines the WLAN as shutdown meaning even if the WLAN is mapped to radios it s not availa...

Page 360: ...h the WLAN or risk using this WLAN with no protection at all Encryption Type Displays the name of the encryption scheme used by each listed WLAN to secure client membership transmissions None is listed if encryption is not used within this WLAN In case of no encryption refer to the Authentication Type column to verify if there is some sort of data protection used with the WLAN or risk using this W...

Page 361: ...ties WLANs can also be removed as they become obsolete by selecting Delete Figure 6 3 WLAN Basic Configuration screen 5 Refer to the WLAN Configuration field to define the following WLAN If adding a new WLAN enter its name in the space provided Spaces between words are not permitted The name could be a logical representation of the WLAN coverage area engineering marketing etc If editing an existin...

Page 362: ...lients on the radios where it has been mapped Select the Disabled radio button to make this WLAN inactive meaning even if the WLAN is mapped to radios it is not available for clients to associate QoS Policy Use the drop down menu to assign an existing QoS policy to the WLAN If needed select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of a selected...

Page 363: ...ion Before defining a WLAN s basic configuration refer to the following deployment guideline to ensure the configuration is optimally effective NOTE Motorola Solutions recommends one VLAN be deployed for secure WLANs while separate VLANs be defined for each WLAN providing guest access ...

Page 364: ... A client must authenticate to an access point to receive resources from the network 802 1x EAP 802 1x EAP PSK MAC and PSK None authentication options are supported Refer to the following to configure a WLAN s authentication scheme 802 1x EAP EAP PSK and EAP MAC MAC Authentication PSK None Secure guest access to the network is referred to as captive portal A captive portal is guest access policy f...

Page 365: ...oadcast traffic needs to be understood by all clients the broadcast encryption type in this scenario is TKIP Refer to the following to configure a WLAN s encryption scheme WPA WPA2 TKIP WPA2 CCMP WEP 64 WEP 128 and KeyGuard 6 1 2 1 802 1x EAP EAP PSK and EAP MAC Configuring WLAN Security The Extensible Authentication Protocol EAP is the de facto standard authentication method used to provide secur...

Page 366: ...30 86 400 that once exceeded forces the EAP supported client to reauthenticate to use the resources supported by the WLAN 8 Select OK to update the WLAN s EAP configuration Select Reset to revert back to the last saved configuration EAP EAP PSK and EAP MAC Deployment Considerations 802 1x EAP EAP PSK and EAP MAC Before defining a 802 1x EAP EAP PSK or EAP MAC supported configuration on a WLAN refe...

Page 367: ...d A default AAA policy is also available if configuring a WLAN for the first time and there s no existing policies Select the Edit icon to modify the configuration of a selected AAA policy Authentication Authorization and Accounting AAA is a framework for intelligently controlling access to the wireless client managed network enforcing user authorization policies and auditing and tracking usage Th...

Page 368: ...ault 7 Select the Captive Portal Policy to use with the WLAN from the drop down menu If no relevant policies exist select the Create icon to define a new policy to use with this WLAN or the Edit icon to update the configuration of an existing captive portal policy For more information see Configuring Captive Portal Policies on page 9 2 8 Select OK when completed to update the captive portal config...

Page 369: ...rmation 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify its properties 5 Select Security 6 Refer to the External Controller field within the WLAN security screen 7 Select the Enable option to enable this WLAN to...

Page 370: ... or select an existing WLAN and select Edit to modify its properties 5 Select Security 6 Select the WPA WPA2 TKIP radio button from within the Select Encryption field The screen populates with the parameters required to define a WPA WPA2 TKIP configuration for the WLAN Figure 6 5 WLAN Security WPA WPA2 TKIP screen 7 Define the Key Settings Pre Shared Key Enter either an alphanumeric string of 8 to...

Page 371: ...the 256 bit key each time keys are generated Unicast Rotation Interval Define an interval for unicast key transmission interval from 30 86 400 seconds Some clients have issues using unicast key rotation so ensure you know which kind of clients are impacted before using unicast keys This feature is disabled by default Broadcast Rotation Interval When enabled the key indices used for encrypting decr...

Page 372: ...ve other keys Messages are encrypted using a 128 bit secret key and a 128 bit block of data The end result is an encryption scheme as secure as any for associated clients To configure WPA2 CCMP encryption on a WLAN Opportunistic Key Caching This option enables the wireless controller to use a PMK derived with a client on one access point with the same client when it roams over to another access po...

Page 373: ...ld The screen populates with the parameters required to define a WPA2 CCMP configuration for the WLAN Figure 6 6 WLAN Security WPA2 CCMP screen 7 Define Key Settings 8 Define Key Rotation values Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string a...

Page 374: ...abled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define a broadcast key transmission interval from 30 86 400 seconds Key rotation enhances the broadcast traffic security on the WLAN This value is disabled by default NOTE Fast Roaming is available only when the authentication is EAP or EAP PSK and the selected encrypt...

Page 375: ...ses a 40 bit key concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter WEP algorithm for a hacker to potentially duplicate but networks that require more security are at risk from a WEP flaw WEP is only recommended if there are client devices incapable of using higher forms of security The existin...

Page 376: ...4 Key 3 3031323334 Generate Keys Specify a 4 to 32 character Pass Key and select the Generate button The pass key can be any alphanumeric string The wireless controller other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecima...

Page 377: ... and dynamic WEP key derivation and periodic key rotation 802 1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered If 802 1X support is not available on the legacy device MAC authentication should be enabled to provide device level authentication WEP 128 and KeyGuard use a 104 bit key which is concatenated with a 24 bit initialization vector IV to f...

Page 378: ...32 character Pass Key and select the Generate button The pass key can be any alphanumeric string The access point other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 areas to specify key...

Page 379: ...rewall on page 8 2 WLANs use Firewalls like Access Control Lists ACLs to filter mark packets based on the WLAN from which they arrive as opposed to filtering packets on Layer 2 ports An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions rules a packet must satisfy to match the ACE The order of conditions in the list is critical because ...

Page 380: ...ny Limits 6 Select an existing inbound and outbound IP Firewall Rule using the drop down menu If no rules exist select the Create icon to create a new Firewall rule configuration Select the Edit icon to modify the configuration of a selected Firewall If creating a new rule provide a name up to 32 characters long 7 Select the Add Row button 8 Select the added row to expand it into configurable para...

Page 381: ...w a packet to proceed to its destination Source Select the source for creating the ACL Source options include Any Indicates any host device in any network Network Indicates all hosts in a particular network Subnet mask information has to be provided for filtering based on network Host Indicates a single host with a specific IP address Destination Select the destination for creating the ACL Destina...

Page 382: ...ode Selecting either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions are supported Log Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted Mark Modifies certain fields inside the packet and then permits them Therefore mark is an action with an implicit permit Mark Log Conducts bot...

Page 383: ...destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source and Destination MAC Enter both Source and Destination MAC addresses The access point uses the source IP address destination MAC address as basic matching criteria Provide a subnet mask if using a mask Action The following actions are supported Log Creates a log entry that a Firewall rule has allowed a ...

Page 384: ...scription Provide a description up to 64 characters for this rule to help differentiate it from others with similar configurations Precedence Enter a numerical value indicating the precedence of rule execution Starting MAC Address Enter a MAC address to define the start of range This field is mandatory Ending MAC Address Enter a MAC address to define the end of range Allow Deny Every Association A...

Page 385: ... ACL to the interface Action If enabling a wireless client threshold use the drop down menu to determine whether clients are deauthenticated when the threshold is exceeded or blacklisted from connectivity for a user defined interval Selecting None applies no consequence to an exceeded threshold Blacklist Duration Select this check box and define a setting from 0 86 400 seconds Offending clients ca...

Page 386: ...n support up to 256 clients per access point An AP6511 or AP6521 model can support up to 128 clients per access point Client load balancing can be enforced for the WLAN as more and more WLANs are deployed 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create a new WLAN or select an...

Page 387: ... radio When enabled this parameter limits the number of clients that are allowed to connect to a single radio This feature is set to 256 by default Enforce Client Load Balancing Select this check box to distribute clients evenly amongst associated access point radios This feature is enabled by default An AP6562 AP6532 AP6522 AP8132 or AP71XX model access point can support up to 256 clients per acc...

Page 388: ...yzed for network management client billing and or auditing Accounting methods must be defined through AAA Accounting can be enabled and applied to managed WLANs to uniquely log accounting events specific to the WLAN Accounting logs contain information about the use of remote access services by users This information is of great assistance in partitioning local versus remote users and how to best a...

Page 389: ...by default Syslog Host Specify the IP address or hostname of the external syslog host where accounting records are routed Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed The default port is 514 Proxy Mode Use the drop down menu to define how syslog accounting is conducted Options include None Through Wireless Contr...

Page 390: ...s recommends the WAN port round trip delay not exceed 150 ms Excessive delay over a WAN can cause authentication and roaming issues When excessive delays exist a distributed RADIUS service should be used Motorola Solutions recommends authorization policies be implemented when users need to be restricted to specific WLANs or time and date restrictions need to be applied Authorization policies can a...

Page 391: ...ancing Figure 6 14 WLAN Client Load Balancing screen 6 Set the following Load Balance Settings generic to both the 2 4 GHz and 5 0 GHz bands Enforce Client Load Balancing Select this radio button to enforce a client load balance distribution on this WLAN AP6522 AP6532 AP6562 AP8132 and AP71XX model access points can support 256 clients per access point An AP6511 or AP6521 model can support up to 1...

Page 392: ...a value from 0 10 000 for the maximum number of probe requests for client associations on the 2 4 GHz frequency The default value is 48 Probe Request Interval Enter a value in seconds from 0 10 000 to set an interval for client probe requests beyond which association is allowed for clients on the 2 4 GHz network The default setting is 24 seconds Allow Single Band Clients Select this option to enab...

Page 393: ...d be included in the RADIUS NAS Identifier field for authentication and accounting packets This is an optional setting and defaults are used if no values are provided NAS Port The profile database on the RADIUS server consists of user profiles for each connected network access server NAS port Each profile is matched to a user name representing a physical port When the access point authorizes users...

Page 394: ... rates are applicable to client traffic associated with this WLAN only If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients ...

Page 395: ...tion and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates 10 Select the Fast BSS Transition checkbox to enable 802 11...

Page 396: ...is a member in a meshed network and its connection to the mesh is lost then all WLANs on the access point that have this option enabled are shut down Shutdown on Primary Port Link Loss When there is a loss of link on the primary wired link on the access point all the WLANs on the access point that have this option enabled are shut down Shutdown on Critical Resource Down If critical resource monito...

Page 397: ...e or all of the access point s configured critical resources are not reachable or available Shutdown on Unadoption Select to enable the WLAN to shutdown if the access point is unadopted from its wireless controller Days Configure the days on which the WLAN is accessible Select from one of the following All Select this option to make the WLAN available on all days of the week Weekends Select this o...

Page 398: ...de 9 Select OK when completed to update this WLAN s Advanced settings Select Reset to revert to the last saved configuration Select Exit to exit the screen End Time Configure the time when the WLAN is unavailable End time is configured as HH MM AM PM ...

Page 399: ...e of the exiting QoS policies supports an ideal QoS configuration select the Add button to create new policy Select the radio button of an existing WLAN and select OK to map the QoS policy to the WLAN displayed in the banner of the screen Use the WLAN Quality of Service QoS screen to add a new QoS policy or edit an existing policy Each access point model supports up to 32 WLAN QoS policies with th...

Page 400: ...all traffic on this WLAN is low priority on the radio SVP Prioritization A green check mark defines the policy as having Spectralink Voice Prioritization SVP enabled to allow the access point to identify and prioritize traffic from Spectralink Polycomm phones using the SVP protocol Phones using regular WMM and SIP are not impacted by SVP prioritization A red X defines the QoS policy as not support...

Page 401: ...hen added to one of four independent transmit queues one per access category voice video best effort or background in the client The client has a collision resolution mechanism to address collision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should be granted the opportunity to tran...

Page 402: ...d on this radio This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video ...

Page 403: ... feature is enabled by default Enable QBSS Load IE Select this option to enable support for WMM QBSS load information element in beacons and probe response packets This feature is enabled by default Configure Non WMM Client Traffic Use the drop down menu to specify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include...

Page 404: ... value is 3 ECW Min The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Higher values are used for lower priority traffic The available range is from 0 15 The default value is 4 ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a n...

Page 405: ... and data transmitted from a WLAN s wireless clients back to their associated access point radios downstream AP6511 and AP6521 model access points do not support rate limiting on an individual client basis Before defining rate limit thresholds for WLAN upstream and downstream traffic Motorola Solutions recommends you define the normal number of ARP broadcast multicast and unknown unicast packets t...

Page 406: ...s point radios to associated clients on this WLAN Enabling this option does not invoke rate limiting for data traffic in the downstream direction This feature is disabled by default Rate Define an upstream rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defi...

Page 407: ...traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for WLAN video traffic in the upstream direction T...

Page 408: ...fic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the downstream direction This is a percentage of the...

Page 409: ...fic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for client video traffic in the upstream direction This is a percentage of...

Page 410: ...nistrator using a time trend analysis The default threshold is 50 Best Effort Traffic Set a percentage value for client best effort traffic in the downstream direction This is a percentage of the maximum burst size for normal traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set t...

Page 411: ...ch frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast Mask Secondary Set a secondary multicast mask for the WLAN QoS policy Normally all multicast and broadcast packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients in power save mode wake to check for frames H...

Page 412: ... administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast or specify which multicast streams are converted to unicast When the stream is converted and being queued up for transmission there are a number of classification mechanisms that can be applied to the stream and the administrator can select what type of classificat...

Page 413: ...tely dominating the wireless medium thus ensuring lower priority traffic is still supported by connected radios IEEE 802 11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery U APSD that provides a mechanism for wireless clients to retrieve packets buffered by an access point U APSD reduces the amount of signaling frames sent from a client to retrieve buf...

Page 414: ...onfigure an access point radio s QoS policy 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Radio QoS Policy to display a high level display of existing Radio QoS policies Figure 6 23 Radio Quality of Service QoS screen 4 Refer to the following information for a radio QoS policy Radio QoS Policy Displays the name of each Radio QoS policy This is the name set for each list...

Page 415: ...ffic class by looking at the amount of traffic the client is receiving and sending If a client sends more traffic than configured for an admission controlled traffic class the traffic is forwarded at the priority of the next non admission controlled traffic class This applies to clients that do not send TPSEC frames only Voice A green check mark indicates Voice prioritization QoS is enabled on the...

Page 416: ...m number is selected for the back off mechanism Lower values are used for higher priority traffic The available range is from 0 15 The default value is 3 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low number The default value is 31 AIFSN Set the current AIF...

Page 417: ... From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic like video The available range is from 0 15 The default value is 4 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low number The default va...

Page 418: ...ted to admission control for voice supported client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription This value ensures the radio s bandwidth is available for high bandwidth voice traffic if anticipated on the wireless medium or other access category traffic if voice support is not prioritized Voice traffic requires longer radio airtime...

Page 419: ...the number of normal background supported wireless clients allowed to roam to a different managed access point radio Select from a range of 0 256 clients The default value is 10 Reserved for Roam Set the roam utilization in the form of a percentage of the radio s bandwidth allotted to admission control for normal background supported clients who have roamed to a different managed radio The availab...

Page 420: ...ely enabled and configured Maximum Airtime Set the maximum airtime in the form of a percentage of the radio s bandwidth allotted to admission control for low client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription Best effort traffic only needs a short radio airtime to process so set an intermediate airtime value if the radio QoS policy...

Page 421: ... accelerated multicast exceeds the maximum number set the radio to either Reject new wireless clients or to Revert existing clients to a non accelerated state The default setting is Reject Maximum multicast streams per client Specify the maximum number of multicast streams from 1 4 wireless clients can use The default value is 2 Packets per second for multicast flow for it to be accelerated Specif...

Page 422: ...on WMM clients on the same WLAN Non WMM clients are always assigned a Best Effort access category Motorola Solutions recommends default WMM values be used for all deployments Changing these values can lead to unexpected traffic blockages and the blockages might be difficult to diagnose Overloading an access point radio with too much high priority traffic especially voice degrades the overall servi...

Page 423: ...uthorized to perform These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions The database could be located locally on the access point or be hosted remotely on a RADIUS server Remote RADIUS servers authorize users by associating attribute value AV pairs with the appropriate ...

Page 424: ... beginning of a process and a stop notice at the end of a process The start accounting record is sent in the background The requested process begins regardless of whether the start accounting notice is received by the accounting server Request Interval Lists the interval at which an access point sends a RADIUS accounting request to the RADIUS server NAC Policy Lists the Network Access Control NAC ...

Page 425: ... self or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request ...

Page 426: ... NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Using NAI each ISP need not have all the accounts for all of it...

Page 427: ... Specify the amount of time from 50 200 seconds between retry timeouts for the access points s re transmission of request packets The default is 100 DSCP Specify the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is from 0 63 with a default value of 46 NAI Routing Enable Select this check box to enable NAI routing AAA servers identif...

Page 428: ...oard self or onboard controller Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of request packets The default is 5 seconds If this time is exceeded...

Page 429: ...t be a valid e mail address or a fully qualified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Usi...

Page 430: ...tempts of request packets Specify a value from 50 200 seconds The default is 100 seconds DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is from 0 63 with a default value of 34 NAI Routing Enable Displays NAI routing status AAA servers identify clients using the NAI The NAI is a character string in the format of an e...

Page 431: ...nterval Set the periodicity of the interim accounting requests The default is 30 minutes Accounting Server Preference Select the server preference for RADIUS Accounting The options are Prefer Same Authentication Server Host Uses the authentication server host name as the host used for RADIUS accounting This is the default setting Prefer Same Authentication Server Index Uses the same index as the a...

Page 432: ...fines the amount of time after which an EAP Request to a wireless client is retried ID Request Timeout Defines the amount of time 1 60 seconds after which an EAP ID Request to a wireless client is retried The default setting is 3 seconds Retransmission Scale Factor Configures the scaling of the retransmission attempts Timeout at each attempt is a function of the request timeout factor and client a...

Page 433: ... Configuring Advanced WLAN Settings on page 6 37 Each supported access point model can support up to 32 Association ACL with the exception of AP6511 and AP6521 models that support 16 WLAN Association ACLs To define an Association ACL deployable with a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Association ACL to display a high level display of existing Associati...

Page 434: ...e the Association ACL settings Select Reset to revert to the last saved configuration Precedence The rules within a WLAN s ACL are applied to packets based on their precedence values Every rule has a unique sequential precedence value you define You cannot add two rules s with the same precedence value The default precedence is 1 so be careful to prioritize ACLs accordingly as they are added Start...

Page 435: ...e Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name ACLs after specific WLANs as individual ACL policies can be used by more than one WLAN You cannot apply more than one MAC based ACL to a Layer 2 interface If a MAC ACL is already configured on a Layer 2 interface and a new MAC ACL...

Page 436: ...ected If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Smart RF policy is mapped the radio picks a channels specified in the Smart RF policy If no SMART RF policy is mapped the radio selects a random channel If the radio is a dedicated sensor it stops termination on that channel if a neighboring Access Point detects radar The Access Poin...

Page 437: ...nce Recovery Select this radio button to enable Interference Recovery when radio interference is detected within the access point s radio coverage area When interference is detected Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio If a client s signal to noise value is above the threshold the transmit power is inc...

Page 438: ...screen to refine Smart RF power settings over both the 5 0 GHz and 2 4 GHz radio bands and select channel settings in respect to the access point s channel usage Neighbor Recovery Select this radio button to enable Neighbor Recovery when a failed radio is detected within the Smart RF supported radio coverage area Smart RF can provide automatic recovery by instructing neighboring APs to increase th...

Page 439: ...d The default setting is 4 dBm 5 GHz Maximum Power Use the spinner control to select a 1 20 dBm maximum power level Smart RF can assign a radio in the 5 0 GHz band The default setting is 17 dBm 2 4 GHz Minimum Power Use the spinner control to select a 1 20 dBm minimum power level Smart RF can assign a radio in the 2 4 GHz band The default setting is 4 dBm 2 4 GHz Maximum Power Use the spinner cont...

Page 440: ...g on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources The default setting is 40 MHz 2 4 GHz Channels Use the Select drop down menu to select the 2 4 GHz channels used in Smart RF scans 2 4 GHz Channel Width 20 and 40 MH...

Page 441: ...m is selected as the Sensitivity setting from the Basic Configuration screen Mesh Point Select to enable scanning a mesh point during off channel scans for either the 2 4 or 5 GHz bands Use the text box to provide the mesh point name Duration Set a channel scan duration from 20 150 milliseconds access point radios use to monitor devices within the network and if necessary perform self healing and ...

Page 442: ... Smart RF master The default setting is 5 for both 2 4 GHz and 5 0 GHz bands Client Aware Scanning Use the spinner control to set a client awareness count 0 255 during off channel scans for either the 2 4 or 5 0 GHz radio The default setting is 0 for both radio bands Power Save Aware Scanning Select either the Dynamic Strict or Disable radio button to define how power save scanning is set for Smar...

Page 443: ...itivity setting from the Smart RF Basic Configuration screen 5GHz Neighbor Power Threshold Use the spinner control to set a value from 85 to 55 dBm the access point s 5 0 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within the access point s radio coverage area The default value is 70 dBm 2 4 GHz Neighbo...

Page 444: ...ower change is allowed to compensate for a potential coverage hole The default setting is 3 Dynamic Sample Threshold Use the spinner control to set the number of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select this radio button to allow Smart RF to scan for excess interference from supported radio devi...

Page 445: ...io does not change its channel even though required based on the interference recovery determination made by the smart master The default setting is 50 5 GHz Channel Switch Delta Use the spinner to set a channel switch delta from 5 35 dBm for the 5 0 GHz radio This parameter is the difference between noise levels on the current channel and a prospective channel If the difference is below the confi...

Page 446: ...spinner control to set a signal to noise threshold from 1 75 dB This is the signal to noise threshold for an associated client as seen by its associated AP radio When exceeded the radio increases its transmit power to increase coverage for the associated client The default value is 20 dB Coverage Interval Define the interval when coverage hole recovery should be initiated after a coverage hole is ...

Page 447: ...asure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist Motorola Solutions recommends that if a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS it will switch channels if radar is detected If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Smart RF ...

Page 448: ...throughput of each MP to MP link MeshConnex uses this data to dynamically form and continually maintain paths for forwarding network frames In MeshConnex systems a Mesh Point MP is a virtual mesh networking instance on a device similar to a WLAN AP On each device up to 4 MPs can be created and 2 can be created per radio MPs can be configured to use one or both radios in the device If the MP is con...

Page 449: ... any descriptive text entered for each of the configured mesh points Control VLAN Displays VLAN number for the control VLAN on each of the configured mesh points Allowed VLANs Displays the list of VLANs allowed on each of the configured mesh points Security Mode Displays the security for each of the configured mesh points The field will display none for no security or psk for pre shared key authen...

Page 450: ...ct access point from the pull down menu To use Mesh Point style beacons select mesh point from the drop down menu The default value is mesh point Is Root Select this option to specify the mesh point as a root Control VLAN Use the spinner control to specify a VLAN to carry mesh point control traffic The valid range for control VLAN is from 1 4094 The default value is VLAN 1 Allowed VLAN Specify the...

Page 451: ... mesh point Select psk to set a pre shared key as the authentication for the mesh point If psk is selected enter a pre shared key in the Key Settings field Pre Shared Key When the security mode is set as psk enter a 64 character HEX or an 8 63 ASCII character passphrase used for authentication on the mesh point Unicast Rotation Interval Define an interval for unicast key transmission in seconds 30...

Page 452: ... can communicate as long as they support the same basic MCS as well as non 11n basic rates The selected rates apply to associated client traffic within this mesh point only 5 0 GHz Mesh Point Select the Select button to configure radio rates for the 5 0 GHz band Define both minimum Basic and optimal Supported rates as required for 802 11a and 802 11n rates supported by the 5 0 GHz radio band These...

Page 453: ...6 97 Figure 6 45 Advanced Rate Settings 2 4 GHz screen Figure 6 46 Advanced Rate Settings 5 GHz screen ...

Page 454: ...this Mesh Point If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well...

Page 455: ...d based on the weights defined for each Mesh Point The Quality of Service screen displays a list of Mesh QoS policies available to mesh points Each Mesh QoS policy can be selected to edit its properties If none of the exiting Mesh QoS policies supports an ideal QoS configuration for the intended data traffic of this Mesh Point select the Add button to create new policy Select an existing Mesh QoS ...

Page 456: ...dios and controller Before defining rate limit thresholds for Mesh Point transmit and receive traffic Motorola Solutions recommends you define the normal number of ARP broadcast multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category If thresholds are defined too low normal network traffic required by end user devices will be dropped result...

Page 457: ... Select this check box to enable rate limiting for all data received from any mesh point in the mesh This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received over the Mesh Point from all access categories Traffic that exceeds the defined rate is dropped and a log mess...

Page 458: ...of the maximum burst size for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general transmit rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for ...

Page 459: ... general receive rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for video traffic in the receive direction This is a percentage of the maximum burst size for video traffic Video traffic exceeding the defined threshold is dropped and a log message is generated Video traffic consumes significant bandwidth so thi...

Page 460: ...utton to enable rate limiting for data transmitted from connected wireless clients Enabling this option does not invoke rate limiting for data traffic in the transmit direction This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received by the client Traffic that exceeds...

Page 461: ...ct this option to allow the administrator to have multicast packets that are being bridged converted to unicast to provide better overall airtime utilization and performance The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast or specify which multicast streams are to be converted to unicast When the stream is con...

Page 462: ...6 106 WiNG 5 4 2 Access Point System Reference Guide ...

Page 463: ...nal route resources For more information on the network configuration options available to the access point refer to the following Policy Based Routing PBR L2TP V3 Configuration For configuration caveats specific to Configuration Network path refer to Network Deployment Considerations on page 7 11 ...

Page 464: ...n a WLAN ports or SVI mark the packet the new marked DSCP value is used for matching Incoming WLAN Packets can be filtered by the incoming WLAN There are two ways to match the WLAN If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN then this WLAN is used for selection If the device doing policy based routing does not have an onboard radio and a p...

Page 465: ... the packet Fallback Fallback to destination based routing if none of the configured next hops are reachable or not configured This is enabled by default Mark IP DSCP Set IP DSCP bits for QoS using an ACL The mark action of the route maps takes precedence over the mark action of an ACL To define a PBR configuration 1 Select Configuration tab from the web UI 2 Select Network 3 Select Policy Based R...

Page 466: ...route map consists of multiple entries each carrying a precedence value An incoming packet is matched against the route map with the highest precedence lowest numerical value DSCP Displays each policy s DSCP value used as matching criteria for the route map DSCP is the Differentiated Services Code Point field in an IP header and is for packet classification Packets are filtered based on the traffi...

Page 467: ...s defined in the IP DSCP field One DSCP value can be configured per route map entry Role Policy Use the drop down to select a Role Policy to use with this route map Click the Create icon to create a new Role Policy To view and modify an existing policy click the Edit icon User Role Use the drop down menu to select a role defined in the selected Role Policy This user role is used while deciding the...

Page 468: ...nal considerations Next Hop secondary If the primary hop request were unavailable a second resource can be defined Set either the IP address of the virtual resource or select the Interface option and define either a wwan1 pppoe1 or a VLAN interface Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination the configured default next hop is used This value is ...

Page 469: ...l PBR Select this option to implement policy based routing for this access point s packet traffic This setting is enabled by default so the match and action clauses defined within the Route Maps tab are implemented until disabled using this setting Use CRM Select the Use CRM Critical Resource Management option to monitor access point link status Selecting this option determines the disposition of ...

Page 470: ...L2TP V3 tunnel needs to be established between the tunneling entities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the pseudowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for...

Page 471: ...ello keep alive messages exchanged within the L2TP V3 control connection Reconnect Attempts Lists each policy s maximum number of reconnection attempts to reestablish a tunnel between peers Reconnect Interval Displays the duration set for each listed policy between two successive reconnection attempts Retry Count Lists the number of retransmission attempts set for each listed policy before a targe...

Page 472: ...ecovery Indicates if L2 Path Recovery is enabled When enables it enables learning servers gateways and other network devices behind a L2TPV3 tunnel Cookie size L2TP V3 data packets contain a session cookie which identifies the session pseudowire corresponding to it Use the spinner control to set the size of the cookie field present within each L2TP V3 data packet Options include 0 4 and 8 The defa...

Page 473: ...nnection attempts The default setting is 2 minutes Retry Count Use the spinner control to define how many retransmission attempts are made before determining a target tunnel peer is not reachable The available range is from 1 10 with a default value of 5 Retry Time Out Use the spinner control to define the interval in seconds before initiating a retransmission of a L2TP V3 signaling message The av...

Page 474: ...7 12 WiNG 5 4 2 Access Point System Reference Guide ...

Page 475: ...ser validation to protect and secure data at each vulnerable point in the network This security is offered at the most granular level with role and location based secure access available to users based on identity as well as the security posture of the client device There are multiple dimensions to consider when addressing the security of an access point managed wireless network including Wireless...

Page 476: ...om first to last When a rule matches the network traffic processed by an access point the Firewall uses that rule s action to determine whether traffic is allowed or denied Rules comprise of conditions and actions A condition describes a packet traffic stream A condition defines constraints on the source and destination devices the service for example protocols and ports and the incoming interface...

Page 477: ...nd so slowly the device becomes unavailable in respect to its defined data rate DoS attacks are implemented by either forcing targeted devices to reset or consuming the devices resources so it can no longer provide service 4 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to a...

Page 478: ...vices Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address echo port port 7 Each of those addresses that have port 7 open will respond to the request generating a lot of traffic on the network For those that do not have port 7 open they will send an unreachable message back to the originator further clogging the network with more t...

Page 479: ...solicitation multicasts onto the network and routers must respond as defined in RFC 1122 By sending ICMP Router Solicitation packets ICMP type 9 on the network and listening for ICMP Router Discovery replies ICMP type 10 hackers can build a list of all of the routers that exist on a network segment Hackers often use this scan to locate routers that do not reply to ICMP echo requests Smurf The Smur...

Page 480: ...tion rate and threshold of outstanding connections Optionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get established in a configurable interval the software intervenes and terminates the connection attempt TCP Null Scan Hackers use the TCP NULL scan to ...

Page 481: ...creen to enable the screen s parameters for configuration Ensure this option stays selected to apply the configuration to the access point profile Figure 8 2 Wireless Firewall screen Storm Control tab Twinge The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes This can crash some Windows systems UDP Short Header Enables the UDP Short Header denial of service c...

Page 482: ...e of the access point user interface 13 Select the Advanced Settings tab Use the Advanced Settings tab to enable disable the Firewall define application layer gateway settings flow timeout configuration and TCP protocol checks Traffic Type Use the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Broadcast Multicast and Unicast Interfac...

Page 483: ...ll as either Enabled or Disabled The Firewall is enabled by default If disabling the Firewall a confirmation prompt displays stating NAT wireless hotspot proxy ARP deny static wireless client and deny wireless client sending not permitted traffic excessively will be disabled 15 Select OK to continue disabling the captive portal ...

Page 484: ... client is sending routed packets to the correct MAC address IPMAC Routing Conflict Logging Select enable logging for IPMAC Routing Conflict detection This feature is enabled by default and set to Warning IPMAC Routing Conflict Action Use the drop down menu to set the action taken when an attack is detected Options include Log Only Drop Only or Log and Drop The default setting is Log and Drop DNS ...

Page 485: ...ple s FaceTime video calling traffic through the Firewall using its default port This feature is enabled by default Log Dropped ICMP Packets Use the drop down menu to define how dropped ICMP packets are logged Logging can be rate limited for one log instance every 20 seconds Options include Rate Limited All or None The default setting is None Log Dropped Malformed Packets Use the drop down menu to...

Page 486: ...setting is 30 seconds Check TCP states where aSYNpackettearsdown the flow Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow The default setting is enabled Check unnecessary resends of TCP packets Select the check box to enable the checking of unnecessary resends of TCP packets The default setting is enabled Check Sequen...

Page 487: ...r 2 interface can be filtered by applying an IP ACL To add or edit an IP based Firewall Rule policy 1 Select Configuration tab from the web user interface 2 Select Security 3 Select IP Firewall Rules to display existing IP Firewall Rule policies Figure 8 4 IP Firewall Rules screen 4 Select Add to create a new IP Firewall Rule Select an existing policy and select Edit to modify the attributes of th...

Page 488: ...ket to proceed to its destination Enter a valid ACL data for Source Enter a valid ACL data Destination Enter both Source and Destination IP addresses The access point uses the source IP address destination IP address and IP protocol type as basic matching criteria The access policy filter can also include other parameters specific to a protocol type like source and destination port for TCP UDP pro...

Page 489: ...ted Log Events are logged for archive and analysis Mark Modifies certain fields inside the packet and then permits them Therefore mark is an action with an implicit permit VLAN 802 1p priority DSCP bits in the IP header Mark Log Conducts both mark and log functions Precedence Use the spinner control to specify a precedence for this IP policy from 1 5000 Rules with lower precedence are always appli...

Page 490: ...e the result is a typical allow deny or mark designation to packet traffic To add or edit a MAC based Firewall Rule policy 1 Select Configuration tab from the web user interface 2 Select Security 3 Select MAC Firewall Rules to display existing MAC Firewall Rule policies Figure 8 6 MAC Firewall Rules screen 4 Select Add to create a new MAC Firewall Rule Select an existing policy and select Edit to ...

Page 491: ...ow a packet to proceed to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source MAC Destination MAC Enter both Source and Destination MAC addresses Access Points use the source IP address destination MAC address as basic matching criteria Provide a subnet mask if using a mask Action The following actions are supported Log Events are logged for archive...

Page 492: ...D representative of the shared SSID each user employs to interoperate within the network once authenticated by the RADIUS server The VLAN ID can be from 1 4094 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu to specify an Ethertype of either other ipv4 arp rarp appletalk aarp mint w...

Page 493: ...security management features Threat Detection Threat detection is central to a wireless security solution Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network Rogue Detection and Segregation A WIPS supported network distinguishes itself by both identifying and categorizing nearby Access Points WIPS identifies threatening versus non threat...

Page 494: ...Rogue AP Detection field to define the following detection settings for this WIPS policy 8 Refer to the Device Categorization field to associate a Device Categorization Policy with this Wireless IPS policy Select the Add icon to create a new Device Categorization policy or select the Edit icon to modify an existing Device Categorization policy Enable Rogue AP Detection Select the check box to enab...

Page 495: ...rmance An administrator can enable or disable event filtering and set the thresholds for the generation of the event notification and filtering action An Excessive Action Event is an event where an action is performed repetitively and continuously DoS attacks come under this category Use the Excessive Actions Events table to select and configure the action taken when events are triggered 11 Set th...

Page 496: ...less clients that can compromise the security and stability of the network Use the MU Anomaly screen to set the intervals clients can be filtered upon the generation of each event Filter Expiration Set the duration an event generating client is filtered This creates a special ACL entry and frames coming from the client are dropped The default setting is 0 seconds This value is applicable across th...

Page 497: ...ve or permitted Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against its threshold A red X defines the event as disabled and not tracked by the WIPS policy Each event is disabled by default Filter Expiration Set the duration a client is filtered This crea...

Page 498: ...less IPS Policy from the upper left hand side of the access point user interface 19 Select the WIPS Signatures tab Ensure the Activate Wireless IPS Policy option remains selected to enable the screen s configuration parameters Name Displays the name of each AP Anomaly event This column lists the event tracked against the defined thresholds set for interpreting the event as excessive or permitted E...

Page 499: ...d as part of the edit process Signature Displays whether the signature is enabled A green checkmark defines the signature as enabled A red X defines the signature as disabled Each signature is disabled by default BSSID MAC Displays each BSS ID MAC address used for matching purposes Source MAC Displays each source MAC address of the packet examined for matching purposes Destination MAC Displays eac...

Page 500: ...he profile The default signature is enabled BSSID MAC Define a BSS ID MAC address used for matching purposes Source MAC Define a source MAC address for the packet examined for matching purposes Destination MAC Set a destination MAC address for a packet examined for matching purposes Frame Type to Match Use the drop down menu to select a frame type for matching with the WIPS signature Match on SSID...

Page 501: ...ave the updates to the WIPS Signature configuration Select Reset to revert to the last saved configuration The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Wireless Client Threshold Specify the threshold limit per client that when exceeded signals the event The configura...

Page 502: ...jeopardizing the data managed by the access point and its connected clients Use the Device Categorization screen to apply neighboring and sanctioned approved filters on peer access points operating in this access point s radio coverage area Detected client MAC addresses can also be filtered based on their classification in this access point s coverage area To categorize access points and clients a...

Page 503: ... to a list of devices sanctioned for network operation 8 Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification Use the drop down menu to designate the target device as either Sanctioned or Neighboring Device Type Use the drop down menu to designate the target device as either an access point or client MAC Address Enter the fa...

Page 504: ...mally effective WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy Since an organization s security goals vary the security policy should document site specific concerns The WIPS system can then be modified to support and enforce these additional security policies WIPS reporting tools can minimize dedicated administration time Vulnerability a...

Page 505: ...questing clients and local RADIUS client authentication For more information refer to the following Configuring Captive Portal Policies Setting the DNS Whitelist Configuration Setting the DHCP Server Configuration Setting the RADIUS Configuration Refer to Services Deployment Considerations on page 9 44 for tips on how to optimize the access point s configuration ...

Page 506: ...he network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable option Captive portal authentication does not provide end user data encryption but it can be used with static WEP WPA PSK or WPA2 PSK encryption Each supported access point model can support up to 32 captive portal policies with the exception of AP6511 and AP6521 models ...

Page 507: ...Self the access point maintains the captive portal internally while External centralized means the captive portal is being supported on an external server Hosting VLAN Interface When Centralized Server is selected as the Captive Portal Server Mode a VLAN is defined where the client can reach the controller 0 is the default value Connection Mode Lists each policy s connection mode as either HTTP or...

Page 508: ...ity access and whitelist basic configuration before defining HTML pages for guest user access AAA Policy Lists each AAA policy used to authorize client guest access requests The security provisions provide a way to configure advanced AAA policies that can be applied to captive portal policies supporting authentication When a captive portal policy is created or modified a AAA policy must be defined...

Page 509: ...9 5 Figure 9 2 Captive Portal Policy screen Basic Configuration tab ...

Page 510: ...trol to set the VLAN where the client can reach the controller 0 is the default value Captive Portal Server Set a numeric IP address non DNS hostname for the server validating guest user permissions for the captive portal policy This option is only available if hosting the captive portal on an External Centralized server resource Connection Mode Select either HTTP or HTTPS to define the connection...

Page 511: ...down menu of existing DNS White List entries to select a policy to be applied to this captive portal policy a If creating a new Whitelist assign it a name up to 32 characters Use the Add Row button to populate the Whitelist table with Host and IP Index parameters that must be defined for each Whitelist entry Terms and Conditions page Select this option with any access type to include terms that mu...

Page 512: ...y server information for billing auditing and reporting user data such as captive portal start and stop times executed commands such as PPP number of packets and number of bytes Accounting enables wireless network administrators to track captive portal services users are consuming Enable RADIUS Accounting Select this option to use an external RADIUS resource for AAA accounting for the captive port...

Page 513: ... host The IP address or host name of an external server resource is required to route captive portal syslog events to that destination Syslog Port Define the numerical syslog port to route traffic with the external syslog server The default is 514 Limit Select the option to enable limiting usage Use the spinner to set a maximum usage limit in megabytes Action Use the drop down to configure the act...

Page 514: ...e captive portal policy The Welcome page asserts a user has logged in successfully and can access the captive portal The Fail page asserts the authentication attempt has failed and the user is not allowed access using this captive portal policy and must provide the correct login information again to access the Internet 17 Provide the following required information when creating Login Terms and Con...

Page 515: ... each specific page In the case of the Terms and Conditions page the message can be the conditions requiring agreement before guest access is permitted Footer Text Provide a footer message displayed on the bottom of each page The footer text should be any concluding message unique to each page before accessing the next page in the succession of captive portal Web pages Main Logo URL The Main Logo ...

Page 516: ... Login screen prompts the user for a username and password to access the Terms and Conditions or Welcome page Agreement URL Define the complete URL for the location of the Terms and Conditions page The Terms and Conditions page provides conditions that must be agreed to before wireless client access is provided Welcome URL Define the complete URL for the location of the Welcome page The Welcome pa...

Page 517: ...aptive portal creation Refer to Operations Devices File Transfers and use the Source and Target fields to move captive portal pages as needed to managed devices that may be displaying and hosting captive portal connections Select the Web Page Auto Upload check box to enable automatic upload of captive portal Web pages For more information refer to File Management on page 12 21 Fail URL Define the ...

Page 518: ...ce 2 Select Services 3 Select DNS Whitelist The DNS Whitelist screen displays those existing whitelists available to a captive portal 4 Select Add to create a Whitelist Edit to modify a selected whitelist or Delete to remove a whitelist a If creating a Whitelist assign it a name up to 32 characters Use the Add Row button to populate the Whitelist table with Host and IP Index parameters that must b...

Page 519: ... is assigned an exclusive range of IP addresses DHCP clients are compared against classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a single VLAN allow the configuration...

Page 520: ...ation is obsolete it can be deleted Subnet Displays the network address and mask used by clients requesting DHCP resources Domain Name Displays the domain name used with this network pool Host names are not case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a host name plus a domain name For example computername domain com Boot F...

Page 521: ...f the network pool configuration is obsolete it can be deleted The name cannot exceed 32 characters Subnet Define the IP address and Subnet Mask used for DHCP discovery and requests between the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Domain Name Prov...

Page 522: ...K to save the updates to the DHCP Pool Basic Settings tab Select Reset to revert to the last saved configuration 10 Select the Static Bindings tab from within the DHCP Pools screen A binding is a collection of configuration parameters including an IP address associated with or bound to a DHCP client Bindings are managed by DHCP servers DHCP bindings automatically map a device MAC address to an IP ...

Page 523: ... Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type Value Lists the hardware address or client identifier value assigned to the client when added or last modified IP Address Displays the IP address o...

Page 524: ...g this host pool Domain Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a host name plus a domain name For example computername domain com Boot File Enter the name of the boot file used with this pool Boot files Boot Protocol can be used to boot remote sys...

Page 525: ...plies to the vendor class for which it is defined 19 Within the Network field define one or group of DNS Servers to translate domain names to IP addresses Up to 8 IP addresses can be provided and translated Within the Network field define one or more Default Routers to resolve routes to other parts of the network Up to 8 IP addresses can be provided for Default Routers 20 Select OK when completed ...

Page 526: ... can be used to boot remote systems over the network BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded Each pool can use a different file as needed BOOTP Next Server Provide the numerical IP address of the server providing BOOTP resources Enable Unicast Unicast packets are sent from one location to another location there s just one sender and one receiver...

Page 527: ... revert the screen back to its last saved configuration 9 3 2 Defining DHCP Server Global Settings Setting the DHCP Server Configuration Setting a DHCP server global configuration entails defining whether BOOTP requests are ignored and setting DHCP global server options To define DHCP server global settings 1 Select the Global Settings tab and ensure the Activate DHCP Server Policy button remains ...

Page 528: ... numerical IP address or ASCII string or Hex string Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value 4 Select OK to save the updates to the DHCP server global settings Select Reset to revert to the last saved configuration Ignore BOOTP Requests Select the check box to ignore BOOTP requests BOOTP requests boot remote systems within th...

Page 529: ...HCP Class Policy screen to review existing DHCP class names and their current multiple user class designations Multiple user class options enable a user class to transmit multiple option values to DHCP servers supporting multiple user class options Either add a new class policy edit the configuration of an existing policy or permanently delete a policy as required To review DHCP class policies 1 S...

Page 530: ...d 32 characters 4 Select a row within the Value column to enter a 32 character maximum value string 5 Select the Multiple User Class radio button to enable multiple option values for the user class This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options 6 Select OK to save the updates to this DHCP class policy Select Reset to revert to t...

Page 531: ...AN assignment and access based on time of day The access point uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS RADIUS authentication configured with the RADIUS service Dynamic VLAN assignment is achieved based on the RADIUS server response A user who associates to WLAN1 mapped to VLAN1 can be assigned a different VLAN after authentication with the RADIUS server This d...

Page 532: ...edit process Guest User Group Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each group A red X designates the group as having permanent access to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions Management Group A green ...

Page 533: ...plays the VLAN ID used by the group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the access point managed network once authenticated by the local RADIUS server Time Start Specifies the time users within each listed group can access local RADIUS resources Time Stop Specifies the time users within each listed group lose access to local RADIUS...

Page 534: ...e to permanently remove a selected group Figure 9 17 RADIUS Group Policy Add screen 5 Define the following Settings to define the user group configuration RADIUS Group Policy If creating a new RADIUS group assign it a name to help differentiate it from others with similar configurations The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process Guest User Group Sele...

Page 535: ...Select this option to designate the RADIUS group as a management group If set as management group assign a role to the members of the group using the Access drop down menu allowing varying levels of administrative rights This feature is disabled by default Access If a group is listed as a management group assign how the devices can be accessed Available access types are Web Web access through brow...

Page 536: ...in a single user or group of users To configure a RADIUS user pool and unique user IDs 1 Select Configuration tab from the web user interface 2 Select Services 3 Expand the RADIUS menu option and select User Pools Figure 9 18 RADIUS User Pool screen 4 Select Add to create a new user pool Edit to modify the configuration of an existing pool or Delete to remove a selected pool 5 If creating a new po...

Page 537: ... uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group Displays the group name each configured user ID is a member Email Id Displays the configured Email ID for this user This is the address used when communicating with users in this pool Telephone Displays the configured telephone number for this user This is the number used when communicat...

Page 538: ...D cannot exceed 64 characters Password Provide a password unique to this user The password cannot exceed 32 characters Select the Show check box to expose the password s actual character string Leaving the option unselected displays the password as a string of asterisks Guest User Select the check box to designate this user as a guest with temporary access The guest user must be assigned unique ac...

Page 539: ...g with optionally other information The access point s RADIUS server policy can also be configured to refer to an external LDAP resource to verify the user s credentials The creation and utilization of a single RADIUS server policy is supported To manage the access point s RADIUS server policy 1 Select Configuration tab from the web user interface 2 Select Services 3 Expand the RADIUS menu option ...

Page 540: ...he RADIUS Server Policy screen displays with the Server Policy tab displayed by default 4 Select the Activate RADIUS Server Policy button to enable the parameters within the screen for configuration Ensure this option remains selected or this RADIUS server configuration is not applied to the access point profile ...

Page 541: ...P client that it does not have the requested information and provides the client with another LDAP server that could have the requested information It is up to the client to contact the other LDAP server for its information Local Realm Define the LDAP Realm performing authentication using information from an LDAP server User information includes user name password and the groups to which the user ...

Page 542: ...uthenticated If the client receives a verified access reject message the username and password are considered incorrect and the user is not authenticated LDAP Authentication Type Use the drop down menu to select the LDAP authentication scheme The following LDAP authentication types are supported by the external LDAP resource All Enables both TTLS and PAP and PEAP and GTC TTLS and PAP The EAP type ...

Page 543: ...tion 15 Select the Proxy tab and ensure the Activate RADIUS Server Policy button remains selected A user s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources The proxy server checks the information in the user access request and either accepts or rejects the request If the proxy server accepts the request it returns configuration information specifying...

Page 544: ...the access point s RADIUS server receives a request for a user name the server references a table of realms If the realm is known the server proxies the request to the RADIUS server 20 Enter the Proxy server s IP Address This is the address of server checking the information in the user access request The proxy server either accepts or rejects the request on behalf of the RADIUS server 21 Enter th...

Page 545: ...omplex checks and logic There s no way to perform such complex authorization checks from a LDAP user database alone Figure 9 24 RADIUS Server Policy screen LDAP tab 26 Refer to the following to determine whether an LDAP server can be used as is a server configuration requires creation or modification or a configuration requires deletion 27 Select Add to add a new LDAP server configuration Edit to ...

Page 546: ...rnal LDAP server acting as the data source for the RADIUS server Login Define a unique login name used for accessing the remote LDAP server resource Consider using a unique login name for each LDAP server to increase the security of the connection between the access point and remote LDAP resource Port Use the spinner control to set the physical port used by the RADIUS server to secure a connection...

Page 547: ... server Select the Show check box to expose the password s actual character string Leave the option unselected to display the password as a string of asterisks The password cannot 32 characters Password Attribute Enter the LDAP server password attribute The password cannot exceed 64 characters Group Attribute LDAP systems have the facility to poll dynamic groups In an LDAP dynamic group an adminis...

Page 548: ...se a different shared secret password If a shared secret is compromised only the one client poses a risk as opposed all the additional clients that potentially share that secret password Consider using an LDAP server as a database of user credentials that can be used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location Designating at leas...

Page 549: ...y reduce an attack footprint and free resources too To set Management Access administrative rights access control permissions authentication refer to the following Creating Administrators and Roles Setting the Access Control Configuration Setting the Authentication Configuration Setting the SNMP Configuration SNMP Trap Configuration Refer to Management Access Deployment Considerations on page 10 1...

Page 550: ...default Figure 10 1 Management Policy Administrators screen 3 Refer to the following to review existing administrators 4 Select Add to create a new administrator configuration Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when editing an administrator s co...

Page 551: ... assigned Web UI Select this option to enable access to the access point s Web UI Telnet Select this option to enable access to the access point using TELNET SSH Select this option to enable access to the access point using SSH Console Select this option to enable access to the access point s console Superuser Select this option to assign complete administrative rights to this user This entails al...

Page 552: ...out administrative rights The Monitor option provides read only permissions Help Desk Assign this option to someone who typically troubleshoots and debugs reported problems The Help Desk manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the access point Web User Select this option to assign privileges to add users for captive...

Page 553: ...n ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better security than others and are more desirable To set user access control configurations 1 Select Configuration 2 Select Management 3 Select Access Control from the list of Management Policy options in the upper left hand si...

Page 554: ...HTTP device access HTTP provides limited authentication and no encryption Enable HTTPS Select the check box to enable HTTPS device access HTTPS Hypertext Transfer Protocol Secure is more secure than plain HTTP HTTPS provides both authentication and data encryption as opposed to just authentication NOTE If an AP6511 or AP6521 s external RADIUS server is not reachable HTTPS or SSH management access ...

Page 555: ...access restriction Options include source address ip access list and None IP Access List Use the drop down menu to select an existing list of IP addresses used to control connection access to the access point A default list is available or a new list can be created by selecting the Create icon An existing list can also be modified by selecting the Edit icon Source Hosts Set multiple source host IP...

Page 556: ...and LDAP Server AAA Servers to provide user database information and user authentication data If there is no AAA policy suiting your RADIUS authentication requirements either select the Create icon to define a new AAA policy or select an existing policy from the drop down menu and select the Edit icon to update its configuration For more information on defining the configuration of a AAA policy se...

Page 557: ... monitor and configure supported devices The read only community string is used to gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to monitor a system s performance and other parameters To define SNMP management values 1 Select Configuration Managemen...

Page 558: ...control The architecture supports the concurrent use of different security access control and message processing techniques SNMPv3 is enabled by default Community Define a public or private community designation By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Access Control Set the access permi...

Page 559: ...t Configuration Management 2 Select SNMP Traps from the list of Management Policy options in the upper left hand side of the UI Figure 10 6 Management Policy screen SNMP Traps tab 3 Select the Enable Trap Generation check box to enable trap creation using the trap receiver configuration defined in the lower portion of the screen This feature is disabled by default 4 Refer to the Trap Receiver tabl...

Page 560: ...on Management services like HTTPS SSH and SNMPv3 should be used when possible as they provide both data privacy and authentication By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Legacy Motorola Solutions devices may use other community strings by default Motorola Solutions recommends SNMPv3 be...

Page 561: ...e Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail Numerous tools are available within the Diagnostics menu Some allow event filtering some enable log views and some allow you to manage files generated when hardware or software issues are detected Diagnostic capabilities include Fault Management Crash Files Advanced ...

Page 562: ...d By default all events are enabled and an administrator has to turn off events if they don t require tracking Figure 11 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing events Events can be filtered based on severity module received source MAC of the event device MAC of the event and MAC address of the wireless client 3 Define the following Custo...

Page 563: ...7 Refer to the following event parameters to assess nature and severity of the displayed event Module Select the module from which events are tracked When a single module is selected events from other modules are not tracked Remember this when interested in events generated by a particular module Individual modules can be selected such as TEST LOG FSM etc or all modules can be tracked by selecting...

Page 564: ...eld to filter events to display To filter messages further select a RF Domain from the Filter by RF Domain field 11 In the Access Point s tab select the RF Domain from the Select a RF Domain field to filter events to display To filter messages further select a device from the Filter by Device field Module Displays the module used to track the event Events detected by other modules are not tracked ...

Page 565: ...tracked Message Displays error or status message for each event Severity Displays event severity as defined for tracking from the Configuration screen Severity options include All Severities All events are displayed regardless of severity Critical Only critical events are display Error Only errors display Warning Only warnings display Informational Only informational events display no critical eve...

Page 566: ...from those displayed in the lower left hand side of the UI Figure 11 4 Crash Files screen The screen displays the following for each reported crash file 4 Select a listed crash file and select the Copy button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button File Name Displays ...

Page 567: ... Debugging View UI Logs View Sessions 11 3 1 UI Debugging Advanced Use the UI Debugging screen to view debugging information for a selected device To review device debugging information 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options By default NETCONF Viewer is selected Once a target ID is selected its debugging information displays within the NETCONF Viewer screen...

Page 568: ...on 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select Schema Browser from the navigation pane on the left The following screen displays Figure 11 6 UI Debugging screen Schema Browser The Scheme Browser displays the Configuration tab by default The Schema Browser displays two fields regardless of the Configuration Statistics or Actions tab selected Use the left...

Page 569: ...ages generated by the device Logs are classified as Flex Logs and Error Logs These logs provide a real time look into the state of the device and provide useful information for debugging and trouble shooting issues To display the logs 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View UI Logs menu item to display the logs By default the Flex Logs scre...

Page 570: ...screen displays a list of all sessions associated with this device A session is created when a user name password combination is used to access the device to interact with it for any purpose Use the following to view a list of sessions associated with this device 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View Sessions menu item to display the user...

Page 571: ...Delete Cookie Displays the number of cookies created by this session From Displays the IP address of the device process initiating this session Role Displays the role assigned to the user name as displayed in the User column Start Time Displays the start time of this session This is the time at which the user successfully created this session User Displays the user name of the account used to init...

Page 572: ...11 12 WiNG 5 4 2 Access Point System Reference Guide ...

Page 573: ...n to other managed devices Self Monitoring At Run Time RF Management Smart RF is a Motorola Solutions innovation designed to simplify RF configurations for new deployments while over time providing on going deployment optimization and radio performance improvements The Smart RF functionality scans the RF network to determine the best channel and transmit power for each managed access point radio F...

Page 574: ...Managing Firmware and Configuration Files Rebooting the Device Locating the Device Upgrading Device Firmware Viewing Device Summary Information AP Upgrades File Management Adopted AP Restart Captive Portal Pages These tasks can be performed on individual access points and wireless clients 12 1 1 Managing Firmware and Configuration Files Devices Firmware and configuration files are viewed and manag...

Page 575: ...tion Show Startup Config Select this option to display the startup configuration of the selected device The startup configuration is displayed in a separate window Select Execute to perform the function For more information on viewing and managing the startup configuration see Managing Startup Configuration Clear Crash Info Select this option to clear the crash dump files stored on the selected de...

Page 576: ...igure 12 3 Device Pane 2 Click the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 4 Device Pane Options for a device 3 Select Show Running Config to display the Running Configuration window ...

Page 577: ...lect the protocol used for exporting the running configuration Available options include tftp ftp sftp http cf usb1 usb2 Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting the running configuration This option is not valid for cf usb1 and usb2 Host Enter IP address or the host name of the server used to export the running configuration to...

Page 578: ... the selected device Figure 12 7 Device Pane Options for a device 3 Select Show Startup Config to display the Startup Configuration window Path File Specify the path to the folder to export the running configuration to Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server This field is only available if the selected pro...

Page 579: ...r to the following to configure the remote server parameters Protocol Select the protocol used for exporting or importing the startup configuration Available options include local tftp ftp sftp http cf usb1 usb2 local Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting or importing the startup configuration This option is not valid for cf ...

Page 580: ...ion Host can be one of Host Name or IP Address Path File Specify the path to the folder to export or import the startup configuration to Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server This field is only available if the selected protocol is ftp or sftp Password Specify the user account password to access the FTP ...

Page 581: ...rect the error condition To view and manage the crash information files 1 Select a target device from the left hand side of the UI Figure 12 9 Device Pane 2 Click the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 10 Device Pane Options for a device 3 Select Clear Crash Info to display the Clear Crash Info window Figure 12 11 Clear ...

Page 582: ... of the UI Figure 12 12 Device Pane 2 Click the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 13 Device Pane Options for a device 3 To reboot the device click the Reload item Last Modified Displays the timestamp the crash information file was modified last Action Displays icons for the actions that can be performed on the selected ...

Page 583: ...is device to reload Use this option for devices that are unresponsive and do not reload normally Delay Use the spinner to configure a delay in seconds before the device is reloaded Set this value to 0 to reload the device immediately Description Use the text box to provide a brief description detailing the reason to reload this device Current Boot Displays the current running firmware Displays eit...

Page 584: ... a value for Flash LED Duration This is the duration in minutes the device will flash its LEDs for locating it Once this duration expires the LEDs starts operating normally 5 Click Locator ON to start flashing the LEDs Click Locator OFF to stop the LEDs from flashing and resume normal operation Click Close to close this window 12 1 4 Upgrading Device Firmware Devices To update the firmware of an a...

Page 585: ...sftp http cf usb1 usb2 local Port Use the spinner control or manually enter the value to define the port used by the protocol for importing the firmware upgrade file This option is not valid for local cf usb1 and usb2 Host Enter IP address or the host name of the server used to import the firmware file This option is not valid for local cf usb1 and usb2 Use the drop down to select the type of host...

Page 586: ...configuration file requires an update to the latest feature set and functionality To view the Summary screen 1 Select Operations 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the firmware and configuration files on and select it The Device DetailsSummary screen displays by default when the Operations menu item is selected from the main menu Use this scr...

Page 587: ... firmware image was built for the selected device Install Date Displays the date the firmware was installed on the access point represented by the listed MAC address Fallback Lists whether fallback is currently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would re...

Page 588: ...gate to the device to manage the firmware and configuration files on and select it Figure 12 22 Device Summary screen 4 Click Adopted AP Upgrade The following screen displays NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode and cannot be initiated by Standalone APs Additionally upgrades can only be performed on access points of the same model as the Virtual Con...

Page 589: ... time accordingly The AP must be rebooted to implement the firmware upgrade Select No Reboot to ensure the access point remains in operation with its current firmware This option is useful to ensure the access point remains operational until ready to take it offline for the required reboot Schedule Reboot Time To reboot a target access point immediately select Now To schedule the reboot to take pl...

Page 590: ...gure 12 24 AP Upgrade screen AP Image File Staggered Reboot Select this option to do a staggered rebooting of upgraded access points When selected upgraded access points are not rebooted simultaneously bringing down the network A few access points at a time are rebooted to preserve network availability Hostname Displays the access point s host name if configured MAC Address Displays the access poi...

Page 591: ...rotocol A port IP address or hostname username and password are required A path is optional sftp Select this option to specify a file location using Secure File Transfer Protocol A port IP address or hostname username and password are required A path is optional http Select this option to specify a file location using Hypertext Transfer Protocol A hostname or IP address is required Port and path a...

Page 592: ...raded Hostname Displays the host name of the access point if configured MAC Address Displays the primary MAC or hardware identifier for each device impacted by an upgrade operation State Displays the current upgrade status for each listed access point Possible states include Waiting Downloading Updating Scheduled Reboot Rebooting Done Cancelled Done No Reboot Progress Displays the current progress...

Page 593: ...can be moved and deleted as needed To manage files stored on the device 1 Select Operations from the main menu 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Retries Displays the number of retries if any during the upgrade If this number is more than a few the upgrade configuration should be revisited Last Status Displays the t...

Page 594: ...12 22 WiNG 5 4 2 Access Point System Reference Guide Figure 12 26 Device Summary screen 4 Click File Management The following screen displays ...

Page 595: ...en 5 The pane on the left of the screen displays the directory tree for the selected device Use this tree to navigate around the device s directory structure When a directory is selected all files in that directory is listed in the pane on the right ...

Page 596: ...ton to create the new folder Click the Refresh button to refresh the view in the screen 8 To delete a folder select the folder in the directory tree on the left Click Delete Folder button The following popup displays Figure 12 29 Devices File Management Delete Confirmation screen File Name Displays the name of the file Size Kb Displays the size of the file in kilobytes Last Modified Displays the t...

Page 597: ...e location The transfer can be done as follows From remote server to the device From device to remote server From a location on the device to another location on the same device 10 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity Source Select the source of the file transfer Select Server to indicate the s...

Page 598: ... selected as the Source Hostname If needed specify a Hostname of the server transferring the file This option is not valid for cf usb1 and usb2 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file This param...

Page 599: ...points adopted by this AP To view the Adopted AP Restart screen 1 Select Operations from the main menu 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Figure 12 31 Device Summary screen 4 Select Adopted AP Restart The following screen displays ...

Page 600: ...he wireless network Once logged into the captive portal additional Terms and Conditions Welcome and Fail pages provide the administrator with a number of options on screen flow and appearance Captive portal authentication is used primarily for guest or visitor access to the network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable...

Page 601: ...Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Figure 12 33 Device Summary screen 4 Select Captive Portal Pages The following screen displays ...

Page 602: ... to immediately start the process of the update Use the date hour fields to configure a specific date and time for upload 7 The All Devices table lists the hostname and MAC address of all devices adopted by this access point Use the arrow buttons to move selected devices from the All Devices table to the Upload List table The Upload List table lists the devices to which the captive portal pages ar...

Page 603: ...or file management Available options include tftp ftp sftp http cf usb1 usb2 This parameter is required only when Server is selected as the Source and Advanced is selected Port If Advanced is selected specify the port for transferring files This option is not available for cf usb1 and usb2 Enter the port number directly or use the spinner control IP Address If Advanced is selected specify the IP a...

Page 604: ...and usb2 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file User Name If Advanced is selected provide a user name to access a FTP or SFTP server This parameter is required only when the selected protocol i...

Page 605: ...displayed in the Status tab Progress Displays the progress of the upload to the target device Retries Displays the number of retires attempted for upload to the target device Last Status Displays the last known status of the upload to the target device ...

Page 606: ...tpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication can be used by a client to ...

Page 607: ...ints screen The Trustpoints screen displays for the selected MAC address 3 Refer to the Certificate Details to review certificate properties self signed credentials validity period and CA information 4 Select the Import button to import a certificate ...

Page 608: ...12 36 WiNG 5 4 2 Access Point System Reference Guide Figure 12 38 Certificate Management Import New Trustpoint screen ...

Page 609: ...provide the following information Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation List CRL CRLs are used to identify and remove those installed certificates that have been revoke...

Page 610: ... key pairs The self certificate only contains a public key Export the self certificate for publication on a Web server or file server for certificate deployment or export it in to an Active Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS au...

Page 611: ...t keys to and from remote locations 1 Select Operations 2 Select Certificates Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address inf...

Page 612: ...ey can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select Generate Key to create a new key with a defined size Figure 12 41 Certificate Management Generate RSA Key screen ...

Page 613: ...la Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality Key Name Enter the 32 character maximum name assigned to identify the RSA key Key Passphrase Define the key used by the server or repository of the target RSA key Select the Show textbox to expose the actual characters used in the passphrase Leaving the checkbox unselected displays the passphr...

Page 614: ...es Protocol Select the protocol used for importing the target key Available options include tftp ftp sftp http cf usb1 usb2 Port Use the spinner control to set the port This option is not valid for cf usb1 and usb2 IP Address Enter IP address of the server used to import the RSA key This option is not valid for cf usb1 and usb2 Hostname Provide the hostname of the server used to import the RSA key...

Page 615: ...rovide the complete URL to the location of the key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is also dependent on the selected protocol Protocol Select the protocol used for exporting the RSA key Available options include tftp ftp sftp http cf usb1 usb2 Port If usi...

Page 616: ...ificates Self signed certificates often referred to as root certificates do not use public or private CAs A self signed certificate is a certificate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate that can be applied to a device 1 Select Operations 2 Select Certificates 3 Select Create Certificate Hostname If using Advanced ...

Page 617: ...key used by both the access point and the server or repository of the target RSA key Create New To create a new RSA key select the radio button to define 32 character name used to identify the RSA key Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more in...

Page 618: ...and the certificate authority maintains the right to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operations 2 Select Certificates 3 Select Create CSR State ST Enter a State Prov for the state or province name used in the certificate This is a required fiel...

Page 619: ... this value at the default setting of 1024 to ensure optimum functionality For more information see RSA Key Management on page 12 39 Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certificate The default setting is auto generate Country C ...

Page 620: ...for the organizational unit issuing the certificate enter it here Email Address Provide an email address used as the contact address for issues relating to this CSR Domain Name Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy absolutely To distinguish an FQDN from a regular domain name a trailing period is added ex ...

Page 621: ...urations as the basis to conduct Smart RF calibration operations 12 3 1 Managing Smart RF for a RF Domain Smart RF When calibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a RF map of the neighbo...

Page 622: ...but each listed radio index can be used in Smart RF calibration Old Channel Lists the channel originally assigned to each listed access point within the RF Domain This value may have been changed as part an Interactive Calibration process applied to the RF Domain Compare this Old Channel against the Channel value to right of it in the table to determine whether a new channel assignment was warrant...

Page 623: ...cess point within the RF Domain The power level may have been increased or decreased as part an Interactive Calibration process applied to the RF Domain Compare this Old Power level against the Power value to right of it in the table to determine whether a new power level was warranted to compensate for a coverage hole Power This column displays the transmit power level for the listed access point...

Page 624: ...sults to their respective access point radios 3 Select the Run Calibration option to initiate a calibration New channel and power values are applied to radios they are not written to the running configuration These values are dynamic and may keep changing during the course of the run time monitoring and calibration the Smart RF module keeps performing to continually maintain good coverage Unlike a...

Page 625: ...re version for full functionality and utilization An access point must be rebooted to implement a firmware upgrade Take advantage of the reboot scheduling mechanisms available to the access point to ensure its continuously available during anticipated periods of heavy wireless traffic utilization Within a well planned RF Domain any associated radio should be reachable by at least one other radio K...

Page 626: ...12 54 WiNG 5 4 2 Access Point System Reference Guide ...

Page 627: ...reless clients associations adopted AP information rogue APs and WLANs Access Point statistics can be exclusively displayed to validate connected access points their VLAN assignments and their current authentication and encryption schemes Wireless client statistics are available for an overview of client health Wireless client statistics includes RF quality traffic utilization and user details Use...

Page 628: ...ealth Inventory Adopted Devices Pending Adoptions Offline Devices Licenses 13 1 1 Health System Statistics The Health screen displays the overall performance of the managed network system This includes device availability overall RF quality resource utilization and network threat perception To display the health of the network 1 Select the Statistics menu from the Web UI 2 Select the System node f...

Page 629: ...rently online Green indicates online devices and red offline devices detected within the network The Offline Devices table displays a list of devices in the network that are currently offline The table displays the number of offline devices within each impacted RF Domain Assess whether the configuration of a particular RF Domain is contributing to an excessive number of offline devices ...

Page 630: ...5 Select Refresh at any time to update the statistics counters to their latest values Top 5 Displays the top 5 RF Domains in terms of usage index Utilization index is a measure of how efficiently the domain is utilized This value is defined as a percentage of current throughput relative to the maximum possible throughput The values are 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate...

Page 631: ... the system by its members Use this information to assess the overall performance of wireless devices To display the inventory statistics 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select Inventory from the left hand side of the UI Figure 13 2 System Inventory screen ...

Page 632: ...ounters to their latest values 13 1 3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the network entire system Use this screen to view a list of devices and their current status To view adopted AP statistics 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select Adopted Devices from the left h...

Page 633: ...management software Select the adopted device to display configuration and network address information in greater detail Type Displays the AP type AP650 AP6511 AP6521 AP6522 AP6532 AP6562 AP8132 AP7131 AP7181 etc RF Domain Name Displays the domain the adopted AP has been assigned to Select the RF Domain to display configuration and network address information in greater detail ...

Page 634: ... model number of each AP that s been adopted to the network since this screen was last refreshed Config Status Displays the configuration file version in use by each listed adopted device Use this information to determine whether an upgrade would increase the functionality of the adopted device Config Errors Lists any errors encountered when the listed device was adopted Adopter Hostname Lists the...

Page 635: ...figuration and network address information in greater detail Type Displays the AP type AP650 AP6511 AP6521 AP6522 AP6532 AP6562 AP8132 AP7131 AP7181 etc IP Address Displays the current IP Address of the device pending adoption VLAN Displays the VLAN the device pending adoption will use as a virtual interface with its adopting controller Reason Displays a status reason as to why the device is pendi...

Page 636: ... screen The Offline Devices screen provides the following Discovery Option Displays the discovery option code for each AP listed pending adoption Last Seen Displays the date and time stamp of the last time the device was seen Click the arrow next to the date and time to toggle between standard time and UTC Add to Devices Select a listed AP and select the Add to Devices button to begin the adoption...

Page 637: ...onfiguration and network address information in greater detail Reporter Displays the hostname of the device reporting the listed device as offline Select the reporting device name to display configuration and network address information in greater detail Area Lists the WiNG assigned deployment area where the offline device has been detected Floor Lists the WiNG assigned deployment floor where the ...

Page 638: ...f access point licenses installed in the cluster Cluster AP Adoptions Displays the number of access points points adopted by the cluster Cluster Maximum APs Displays the maximum number of access points that can be adopted by the controller members in a cluster Cluster AAP Licenses Displays the number of Adaptive Access Point AAP licenses installed in the cluster Cluster AAP Adoptions Displays the ...

Page 639: ...plays the hostname for each feature license installed Advanced Security Displays whether the separately licensed Advanced Security application is installed for each hostname Advanced WIPS Displays whether a separately licensed Advanced WIPS application is installed for each hostname ...

Page 640: ...es that determine Access SMART RF and WIPS configuration Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device Health Inventory Access Points AP Detection Wireless Clients Wireless LANs Radios Mesh Mesh Point SMART RF WIPS Captive Portal Historical Data 13 2 1 Health RF Domain Statistics The...

Page 641: ...he Devices field displays the total number of online versus offline devices in the RF Domain and an exploded pie chart depicts their status 6 The Radio Quality field displays information on the RF Domain s RF quality The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry and error rate This area also lists...

Page 642: ...ays the total number of WLANs managed by RF Domain member access points Top 5 Displays the five RF Domain utilized WLANs with the highest average quality indices WLAN Name Displays the WLAN Name for each of the Top 5 WLANs in the access point RF Domain Radio Type Displays the radio type as either 5 GHz or 2 4 GHz Traffic Index Displays traffic utilization efficiency This index measures how efficie...

Page 643: ... Domain RF Domain Threat Level Indicates the threat from the wireless clients trying to find network vulnerabilities within the access point RF Domain The threat level is represented by an integer Concern Describes the threat to the devices within the access point RF Domain Remedy Describes the proposed remedy for the threat within the access point RF Domain Total Bytes Displays the total bytes of...

Page 644: ...nds within the RF Domain The number of radios designated as sensors is also represented The Radios by Channel field displays the radio channels utilized by RF Domain member devices in two separate charts One chart displays for 5 GHz channels and the other for 2 4 GHz channels The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members Total W...

Page 645: ...Domain To display RF Domain access point statistics 1 Select the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select Access Points from the RF Domain menu Figure 13 9 RF Domain Access Points screen Radio Lists each radio s WiNG defined hostname and its radio designation radio 1 radio 2 etc Radio Band Lists each client s o...

Page 646: ...P6562 AP8132 and AP71xx models can support up to 256 clients per access point AP6511 and AP6521 models can support up to 128 clients per access point Radio Count Displays the number of radios on each listed access point AP7131N models can support from 1 3 radios depending on the hardware SKU AP6522 AP6532 AP6562 AP8132 and AP71xx models have two radios AP6511 and AP6521 models have one radio IP Ad...

Page 647: ...ft hand side of the screen 3 Select Wireless Clients from the RF Domain menu SSID Displays the Service Set ID SSID of the network to which the detected access point belongs RSSI Displays the Received Signal Strength Indicator RSSI of the detected access point Use this variable to help determine whether a device connection would improve network coverage or add noise Reported by Displays the MAC add...

Page 648: ...ts access point interoperation within the RF Domain Hostname Displays the unique WiNG assigned when the WLAN s configuration was defined State Displays the state of the wireless client as whether it is associating with an access point or not VLAN Displays the VLAN ID the client s connected access point has defined for use as a virtual interface IP Address Displays the current IP address for the wi...

Page 649: ...h button to update the statistics counters to their latest values WLAN Name Displays the name assigned to the WLAN upon its creation within the network SSID Displays the Service Set ID SSID assigned to the WLAN upon its creation within the network Traffic Index Displays the traffic utilization index of each listed WLAN which measures how efficiently the traffic medium is used It s defined as the p...

Page 650: ...Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Expand Radios from the RF Domain menu and select Status Rx Bytes Displays the average number of packets in bytes received on each listed RF Domain member WLAN Rx User Data Rate Displays the average data rate per user for packets received on each listed RF Domain member WLAN Dis...

Page 651: ...point to which the radio resides AP7131N models can have from 1 3 radios depending on the SKU AP6522 AP6532 AP6562 AP8132 and AP71xx models have 2 radios while AP6511 and AP6521 models have 1 radio AP Type Lists the model type of each RF Domain member access point State Displays the radio s current operational state Channel Current Config Displays the current channel each listed RF Domain member a...

Page 652: ...Lists each radio s defined transmit power to help assess if the radio is no longer transmitting using its assigned power Neighbor radios are often required to increase power to compensate for failed peer radios in the same coverage area Clients Displays the number of clients currently connected to each listed RF Domain member access point radio AP6522 AP6532 AP6562 AP8132 and AP71XX models can sup...

Page 653: ...smit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data receive rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Avg Retry Rate Displays the average number of retries for each RF Domain member radio Error Rate Displays the average number of retries per packet A high number indicates possibl...

Page 654: ... management overhead packets Rx Packets Displays the total number of packets received by each RF Domain member access point radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps user data is transmitted by each RF Domain member access point radio This rate only applies to user data and does not include any management overhead Rx Us...

Page 655: ...or each mesh client connected to a RF Domain member access point Client Radio MAC Displays the hardware encoded MAC address for each mesh client connected to a RF Domain member access point Portal Displays a numerical portal Index ID for the each mesh client connected to a RF Domain member access point Portal Radio MAC Displays the hardware encoded MAC address for each radio in the RF Domain mesh ...

Page 656: ...d non root Mesh Points in the RF Domain displays the Mesh ID and MAC Address of all configured non root Mesh Points in the RF Domain The Mesh Point Details field on the bottom portion of the screen displays tabs for General Path Root Multicast Path Neighbors Security and Proxy Refer to the following The General tab displays the following Mesh Point Name Displays the name of each configured Mesh Po...

Page 657: ... separates two overlapping mint networks and need only be configured if the administrator has two mint networks that share the same packet broadcast domain Hops Number of hops to a root and should not exceed 4 in general practice If using the same interface to both transmit and receive then you will get approximately half the performance every additional hop out Mobility Displays whether the mesh ...

Page 658: ... Group in the Mesh Point Path Timeout The timeout interval in seconds The interpretation this value will vary depending on the value of the state If the state is Init or In Progress the timeout duration has no significance If the state is Enabled the timeout duration indicates the amount of time left before the security validity check is initiated If the state is Failed the timeout duration is the...

Page 659: ...hbor and their Root Mesh Point Rank The rank is the level of importance and is used for automatic resource management 8 The current next hop to the recommended root 7 Any secondary next hop to the recommended root to has a good potential route metric 6 A next hop to an alternate root node 5 A downstream node currently hopping through to get to the root 4 A downstream node that could hop through to...

Page 660: ...lable Link Timeout Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out Keep Alive Yes indicates that the local MP will act as a supplicant to authenticate the link and not let it expire if possible No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP Mesh Point Name Displays the...

Page 661: ...nnected to the WAN and provides a wired backhaul to the network Yes No MP ID The MP identifier is used to distinguish between other Mesh Points both on the same device and on other devices This is used by a user to setup the preferred root configuration Root Hops The number of devices between the selected Mesh Point and the destination device IFID Count Displays the number of Interface IDs IFIDs a...

Page 662: ...Displays the MiNT Protocol ID for the global mint area identifier This area identifier separates two overlapping mint networks and need only be configured if the administrator has two mint networks that share the same packet broadcast domain Hops Number of hops to a root and should not exceed 4 in general practice If using the same interface to both transmit and receive then you will get approxima...

Page 663: ...gured Mesh Point in the RF Domain MP ID The MP identifier is used to distinguish between other Mesh Points both on the same device and on other devices This is used by a user to setup the preferred root configuration Member Address Displays the MAC address used for the members in the Mesh Point Group Address Displays the MAC address used for the Group in the Mesh Point Path Timeout The timeout int...

Page 664: ... This value shows the computed path metric from the device to the neighbor Mesh Point using this interface The lower the number the better the possibility that the neighbor will be chosen as the path to the Root Mesh Point Root Metric The computed path metric between the neighbor and their Root Mesh Point Age Displays the number of milli seconds since the mesh point last heard from this neighbor M...

Page 665: ...nguish between other Mesh Points both on the same device and on other devices This is used by a user to setup the preferred root configuration Proxy Address Displays the MAC Address of the proxy used in the mesh point Age Displays the age of the proxy connection for each of the mesh points in the RF Domain Proxy Owner The Owner MPID is used to distinguish the device that is the neighbor VLAN The V...

Page 666: ...all data received and received by Mesh Points in the RF Domain Packets Rate pps Total Packet Rate Displays the average data packet rate in packets per second for all data transmitted and received by Mesh Points in the RF Domain Data Packets Dropped and Errors Tx Dropped Displays the total number of transmissions that were dropped Mesh Points in the RF Domain Data Packets Dropped and Errors Rx Erro...

Page 667: ...atistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu Figure 13 20 RF Domain Smart RF screen The RF Domain SMART RF screen displays the following Data Indicators Max User Rate Displays the maximum user throughput rate for Mesh Points in the RF Domain Data Distribution Neighbor Count Displays t...

Page 668: ...ighbor count This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios MAC Address Lists the radio s MAC address Type Identifies the RF Domain member access point type State Lists the RF Domain member radio operational mode either calibrate normal sensor or offline Channel Displays the operating channel assigned to the RF Domain member access...

Page 669: ...raph 13 2 11 WIPS RF Domain Statistics Refer to the Wireless Intrusion Protection Software WIPS screens to review a client blacklist and events reported by a RF Domain member access point For more information see WIPS Client Blacklist WIPS Events ...

Page 670: ...list Figure 13 23 RF Domain WIPS Client Blacklist screen The WIPS Client Blacklist screen displays the following Event Name Displays the name of the wireless intrusion event detected by a RF Domain member access point Blacklisted Client Displays the MAC address of the unauthorized blacklisted client intruding the RF Domain Time Blacklisted Displays the time when the wireless client was blacklisted...

Page 671: ... a RF Domain member access point Reporting AP Displays the MAC address of the RF Domain member access point reporting the event Originating Device Displays the MAC address of the device generating the event Detector Radio Displays access point radio number detecting the event AP7131N models can have from 1 3 radios depending on the SKU AP6522 AP6532 AP6562 AP8132 and AP71xx models have 2 radios wh...

Page 672: ...der the System node on the top left hand side of the screen 3 Select Captive Portal from the RF Domain menu Figure 13 25 RF Domain Captive Portal The screen displays the following Captive Portal data for requesting clients Client MAC Displays the MAC address of each listed client requesting captive portal access to the network This address can be selected to display client information in greater d...

Page 673: ...xpand the Historical Data menu item and select Smart RF History Figure 13 26 RF Domain Smart RF History screen The SMART RF History screen displays the following RF Domain member historical data VLAN Displays the name of the VLAN the client would use as a virtual interface for captive portal operation with the controller Remaining Time Displays the time after which a connected client is disconnect...

Page 674: ...ect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference Time Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain Refresh Select the Refresh button to update the statistics counters to their latest values ...

Page 675: ...sed Routing Radios Mesh Mesh Point Interfaces RTLS PPPoE OSPF L2TPv3 VRRP Critical Resources Network DHCP Server Firewall VPN Certificates WIPS Sensor Servers Captive Portal Network Time Load Balancing 13 3 1 Health Access Point Statistics The Health screen displays a selected access point s hardware version and software version Use this information to fine tune the performance of an access point ...

Page 676: ...xpand a RF Domain and select one of its connected access points 3 Select Health Figure 13 27 Access Point Health screen The Device Details field displays the following information Hostname Displays the AP s unique name as assigned within the network A hostname is assigned to a device connected to a computer network Device MAC Displays the MAC address of the AP This is factory assigned and cannot b...

Page 677: ...r core RAM Displays the free memory available with the RAM System Clock Displays the system clock information RF Quality Index Displays access point radios having very low quality indices RF quality index indicates the overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Radio Id Displays a radio s hardware encoded MAC address Radio Type Identifies whether the radio...

Page 678: ...n to gather version information such as the installed firmware image version the boot image and upgrade status To view the device statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Device Figure 13 28 Access Point Device screen ...

Page 679: ...If the new version fails the user can use the old version of the software Next Boot Designates this version as the version used the next time the AP is booted Available Memory Displays the available memory in MB available on the access point Total Memory Displays the access point s total memory Currently Free RAM Displays the access point s free RAM space If its very low free up some space by clos...

Page 680: ...esources to this access point Type Displays the type of server for each server listed Primary Build Date Displays the build date when this access point firmware version was created Primary Install Date Displays the date this version was installed Primary Version Displays the primary version string Secondary Build Date Displays the build date when this version was created Secondary Install Date Dis...

Page 681: ...iew the access point upgrade statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select AP Upgrade Ethernet Power Status Displays the access point s Ethernet power status Radio Power Status Displays the power status of the access point s radios Refresh...

Page 682: ...ype Displays the model of the access point The updating access point must be of the same model as the access point receiving the update MAC Displays the MAC address of the access point receiving the update Last Update Status Displays the error status of the last upgrade operation Time Last Upgraded Displays the date and time of the last upgrade operation Retries Count Displays the number of retrie...

Page 683: ...access point their RF Domain memberships and network service information To view adopted access point statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select Adopted APs State Displays the current state of the access ...

Page 684: ...n membership with other access points of the same model Model Number Displays each listed access point s model AP6511 AP6522 AP6532 AP6562 etc Config Status Displays each listed access point s configuration status to help determine its service role Config Errors Lists any configuration errors that may be hindering a clean adoption Adopted By Lists the adopting access point Adoption time Displays e...

Page 685: ...ted to the network Use this screen to view a list of devices and their current status 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand the a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select AP Self Adoption History Event Name Displays the adoption status of each listed ac...

Page 686: ...ne on the left hand side of the screen Expand the a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select Pending Adoptions Event History Displays the self adoption status of each AP as either adopted or un adopted History ID Each listed event has a corresponding sequential Id used as numerical identifier for the listed event MAC Displays the Media Access...

Page 687: ...Type Displays the AP type AP650 AP6511 AP6521 AP6522 AP6532 AP6562 AP8132 AP7131 AP7181 etc IP Address Displays the current IP Address of the device pending adoption VLAN Displays the current VLAN used as a virtual interface by device pending adoption Reason Displays the status as to why the device is still pending adoption and has not yet successfully connected to this access point Discovery Opti...

Page 688: ... Point AP Detection The AP Detection screen displays the following Unsanctioned AP Displays the MAC address of a detected access point that is yet to be authorized Reporting AP Displays the hardware encoded MAC address of the radio used by the detecting access point Select an access point to display configuration and network address information in greater detail SSID Displays the WLAN SSID the uns...

Page 689: ...f its connected access points 3 Select Wireless Clients AP Mode Displays the operating mode of the unsanctioned access point Radio Type Displays the type of the radio on the unsanctioned access point The radio can be 802 11b 802 11bg 802 1bgn 802 11a or 802 11an Channel Displays the channel the unsanctioned access point is currently transmitting on Last Seen Displays the time in seconds the unsanc...

Page 690: ...me to display configuration and network address information in greater detail WLAN Displays the name of the WLAN the access point s using with each listed client Use this information to determine if the client s WLAN assignment best suits its intended deployment in respect to the WLAN s QoS objective Hostname Displays the unique name of the administrator or operator assigned to the client s deploy...

Page 691: ...he screen Expand a RF Domain and select one of its connected access points 3 Select Wireless LANs VLAN Displays the VLAN ID each listed client is currently mapped to as a virtual interface IP Address Displays the unique IP address of the client Use this address as necessary throughout the applet for filtering device intrusion recognition and approval Vendor Displays the name of the vendor or manuf...

Page 692: ...de Figure 13 36 Access Point Wireless LANs screen The Wireless LANs screen displays the following WLAN Name Displays the name of the WLAN the access point is currently using for client transmissions SSID Displays each listed WLAN s Service Set ID SSID ...

Page 693: ...ng Traffic Index Displays the traffic utilization index which measures how efficiently the WLAN s traffic medium is used It s defined as the percentage of current throughput relative to maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 moderate utilization 60 and above high utilization Radio Count Displays the cumulative number of peer access poi...

Page 694: ... Hop IP If the primary hop is unavailable a second resource is used This column lists the address set for the alternate route in the election process Secondary Next Hop State Displays whether the secondary hop is being applied to incoming routed packets Default Next Hop IP If a packet subjected to PBR does not have an explicit route to the destination the configured default next hop is used This i...

Page 695: ...ach of these screens provide enough statistics to troubleshoot issues related to the following three areas Status RF Statistics Traffic Statistics Individual access point radios display as selectable links within each of the three access point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Stat...

Page 696: ...the following information Radio Displays the name assigned to the radio as its unique identifier The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Radio MAC Displays the factory encoded hardware MAC address assigned to the radio Radio Type Displays the radio as either supporting the 2 4 or 5 GHZ radio band State Lists a radio ...

Page 697: ...e Radios menu item 4 Select RF Statistics Figure 13 40 Access Point Radio RF Statistics screen The RF Statistics screen lists the following Radio Displays the name assigned to the radio as its unique identifier The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Signal Displays the radio s current power level in dBm SNR Displays...

Page 698: ...er The rate is displayed in Mbps Avg Retry Number Displays the average number of retries per packet A high number indicates possible network or hardware problems Assess the error rate in respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal Error Rate Displays the total number of received packets which contained errors for the listed ra...

Page 699: ...ser data as well as any management overhead packets Rx Packets Displays the total number of packets received by each listed radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps user data is transmitted by each listed radio This rate only applies to user data and does not include management overhead Rx User Data Rate Displays the r...

Page 700: ...d select one of its connected access points 3 Select Mesh Figure 13 42 Access Point Mesh screen The Mesh screen describes the following Client Displays the system assigned name of each client in the mesh network Client Radio MAC Displays the MAC address of each client radio in the mesh network Portal Mesh points connected to an external network and forward traffic in and out are Mesh Portals Mesh ...

Page 701: ...s field on the top portion of the screen displays the Mesh ID and MAC Address of all configured non root Mesh Points and the Mesh ID and MAC Address of all configured non root Mesh Points The Mesh Point Details field on the bottom portion of the screen displays tabs for General Path Root Multicast Path Neighbors Security and Proxy Refer to the following The General tab displays the following Conne...

Page 702: ... Point ID Next Hop IFID The Interface ID of the Mesh Point that traffic is being directed to Is Root A Root Mesh Point is defined as a Mesh Point that is connected to the WAN and provides a wired backhaul to the network Yes No MiNT ID Displays the MiNT Protocol ID for the global mint area identifier This area identifier separates two overlapping mint networks and need only be configured if the adm...

Page 703: ...he name of each configured Mesh Point MP ID The MP identifier is used to distinguish between other Mesh Points both on the same device and on other devices This is used by a user to setup the preferred root configuration Member Address Displays the MAC address used for the members in the Mesh Point Group Address Displays the MAC address used for the Group in the Mesh Point Path Timeout The timeout...

Page 704: ...ality of the mesh link between the device and the neighbor The range is from 0 weakest to 100 strongest Link Metric This value shows the computed path metric from the device to the neighbor Mesh Point using this interface The lower the number the better the possibility that the neighbor will be chosen as the path to the Root Mesh Point Root Metric The computed path metric between the neighbor and ...

Page 705: ...d yet In Progress indicates the link is being established but is not yet available Link Timeout Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out Keep Alive Yes indicates that the local MP will act as a supplicant to authenticate the link and not let it expire if possible No indicates that the local MP does not need the link and will ...

Page 706: ...transmitted by Mesh Points in the mesh network DataPacketsThroughput Kbps Received Packets Displays the total amount of data in packets received by Mesh Points on the mesh network DataPacketsThroughput Kbps Total Packets Displays the total amount of data in packets transmitted and received by Mesh Points in the mesh network Data Rates bps Transmit Data Rate Displays the average data rate in kbps f...

Page 707: ...ts transmitted from Mesh Points in the mesh network Broadcast Packets Rx Bcast Mcast Pkts Displays the total number of broadcast and multicast packets received from Mesh Points in the mesh network Broadcast Packets Total Bcast Mcast Pkts Displays the total number of broadcast and multicast packets transmitted and received from Mesh Points in the mesh network Management Packets Transmitted by the n...

Page 708: ...tatistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Interfaces The General tab displays by default Figure 13 45 Access Point General Interfaces screen 4 Select an access point interface from those available for the selected access point model The subsequent display with...

Page 709: ...er Used on RJ 45 Ethernet ports Optical Used on fibre optic gigabit Ethernet ports Protocol Displays the name of the routing protocol adopted by the selected interface MTU Displays the maximum transmission unit MTU setting configured on the interface The MTU value represents the largest packet size that can be sent over a link 10 100 Ethernet ports have a maximum setting of 1500 Mode The mode can ...

Page 710: ...collisions on the interface Late Collisions A late collision is any collision that occurs after the first 64 octets of data have been sent by the sending client Late collisions are not normal and are usually the result of out of specification cabling or a malfunctioning device Excessive Collisions Displays the number of excessive collisions Excessive collisions occur when the traffic load increase...

Page 711: ...the interface Tx Aborted Errors Displays the number of packets aborted on the interface because a clear to send request was not detected Tx Carrier Errors Displays the number of carrier errors on the interface This generally indicates bad Ethernet hardware or cabling Tx FIFO Errors Displays the number of FIFO errors received at the interface First in First Out queueing is an algorithm that involve...

Page 712: ... as the Y axis and the Polling Interval as the X axis Select different parameters on the Y axis and different polling intervals as needed Figure 13 46 Access Point Interfaces Graph 13 3 13 RTLS Access Point Statistics The real time locationing system RTLS enables accurate location determination and presence detection capabilities for Wi Fi based devices Wi Fi based active RFID tags and passive RFI...

Page 713: ...mber of the Aeroscout engine Send Count Lists the number location determination packets sent by the locationing engine Recv Count Lists the number location determination packets received by the locationing engine Tag Reports Displays the number of tag reports received from locationing equipped radio devices supporting RTLS Nacks Displays the number of Nack frames received from RTLS supported radio...

Page 714: ... on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select PPPoE Lbs Displays the number of location based service LBS frames received from RTLS supported radio devices providing locationing services AP Status Provides the status of peer APs providing locationing assistance AP Notifications Displays a count of the number of notifications sent to ...

Page 715: ...ion Type Lists authentication type used by the PPPoE client whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Username Displays the 64 character maximum username used for authentication support by the PPPoE client Password Displays the 64 character maximum password used for authentication by the PPPoE client Client...

Page 716: ...F is a link state interior gateway protocol IGP OSPF routes IP packets within a single routing domain autonomous system like an enterprise LAN OSPF gathers link state information from neighbor routers and constructs a network topology The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packet...

Page 717: ...ce information and LSA data OSPF version 2 was originally defined within RFC versions 1583 and 2328 The general field displays whether compliance to these RFCs have been satisfied The OSPF Link State Advertisement LSA Throttling feature provides a dynamic mechanism to slow down link state advertisement updates in OSPF during times of network instability It also allows faster OSPF convergence by pr...

Page 718: ...ibute routes received from other external ASs throughout its own autonomous system Routers in other areas use ABR as next hop to access external addresses Then the ABR forwards packets to the ASBR announcing the external addresses SPF Refer to the SPF field to assess the status of the shortest path forwarding SFF execution last SPF execution SPF delay SPF due in SPF hold multiplier SPF hold time S...

Page 719: ...yer 2 topologies If on a point to point link OSPF knows it is sufficient and the link stays up If on a broadcast link the router waits for election before determining if the link is functional To view OSPF neighbor statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point f...

Page 720: ...Neighbor Address Lists the IP address of the neighbor sharing the router interface with each listed router ID Request Count Lists the connection request count hello packets to connect to the router interface discover neighbors and elect a designated router Retransmit Count Lists the connection retransmission count attempted in order to connect to the router interface discover neighbors and elect a...

Page 721: ...Advertisements LSAs with others in the same area Areas limit LSAs and encourage aggregate routes Areas are identified by 32 bit IDs expressed either in decimal or octet based dot decimal notation To view OSPF area statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point fo...

Page 722: ...s generated by ABR to leak area summary address info into another areas ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix ASBR Summary LSA Originated by ABRs when an ASBR is present to let other areas know where the ASBR is These are supported just like summary LSAs NSSA LSA Routers in a Not so stubby area NSSA do not receive...

Page 723: ...e backbone If OSPF virtual links are used an ABR will also be used to connect the area using the virtual link to another non backbone area Border routes use internal OSPF routing table entries to an ABR or Autonomous System Boundary Router ASBR Border routers maintain an LSDB for each area supported They also participate in the backbone 6 Refer to External Routes tab Figure 13 52 Access Point OSPF...

Page 724: ...ork routes support more than two routers with the capability of addressing a single physical message to all attached routers broadcast Neighboring routers are discovered dynamically using OSPF hello messages This use of the hello protocol takes advantage of broadcast capability An OSPF network route makes further use of multicast capabilities if they exist Each pair of routers on the network is as...

Page 725: ... referred to as a link To view OSPF interface statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select OSPF 4 Select the OSPF Interface tab Figure 13 54 Access Point OSPF Interface tab The OSPF Interface tab describes the following Inte...

Page 726: ...lays the flag used to determine the interface status and how to proceed MTU Lists the OSPF interface maximum transmission unit MTU size The MTU is the largest physical packet size in bytes a network can transmit Any packets larger than the MTU are divided into smaller packets before being sent OSPF Enabled Lists whether OSPF has been enabled for each listed interface OSPF is disabled by default UP...

Page 727: ...vigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation 3 Select OSPF 4 Select the OSPF State tab Figure 13 55 Access Point OSPF State tab The OSPF State tab describes the following OSPF state Displays the OSPF link state amongst neighbors within the OSPF topology Link state information is maintained in a link state database ...

Page 728: ... left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select L2TPv3 Tunnels OSPF ignore state count Lists the number of times state requests have been ignored between the access point and its peers within this OSPF supported broadcast domain OSPF ignore state monitor timeout Displays the timeout that when exceeded prohibits the access point from detecting...

Page 729: ...sment of the tunnel connection Each listed session name can also be selected as a link to display VLAN information specific to that session The VLAN Details screen lists those VLANs used an access point interface in L2TP tunnel establishment Local Address Lists the IP address assigned as the local tunnel end point address not the tunnel interface s IP address This IP is used as the tunnel source I...

Page 730: ...ion IDs are exchanged in session establishment messages with the L2TP peer CTRL Connection ID Displays the router ID s sent in tunnel establishment messages with a potential peer device Up Time Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection The Up Time is displayed in a Days Hours Minutes Seconds format If D 0 H 0 M 0 S 0 is...

Page 731: ...uter a packet is reporting status for Virtual IP Address Lists the virtual interface IP address used as the redundant gateway address for the virtual route Master IP Address Displays the IP address of the elected VRRP master A VRRP master once elected responds to ARP requests forwards packets with a destination link layer MAC address equal to the virtual router MAC address rejects packets addresse...

Page 732: ...eview a selected access point s critical resource statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Critical Resources State Displays the current state of each listed virtual router ID Clear Router Status Select the Clear Router Status button ...

Page 733: ...t configuration and network address information in greater detail Status Defines the operational state of each listed critical resource VLAN interface Up or Down Error Reason Provides an error status as to why the critical resource is not available over its designated VLAN Mode Defines the operational state of each listed critical resource up or down Refresh Select the Refresh button to update the...

Page 734: ...otocol Link Layer Discovery Protocol 13 3 19 1 ARP Entries Network ARP is a networking protocol for determining a network host s hardware address when its IP address or network layer address is known To view an access point s ARP statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of ...

Page 735: ...e client resolved on behalf of the access point ARP MAC Address Displays the MAC address corresponding to the IP address being resolved Type Lists the type of ARP entry VLAN Displays the system assigned VLAN ID where an IP address was found Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 736: ...e of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Route Entries Figure 13 60 Access Point Network Route Entries screen The Route Entries screen supports the following Destination Displays the IP address of a destination address FLAGS Displays the connection status false or true for this entry ...

Page 737: ...ay Server IGS which is a router connected to an access point The IGS performs the following Issues IP addresses Throttles bandwidth Permits access to other networks Times out old logins The Bridging screen also provides information about the Multicast Router MRouter which is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multi...

Page 738: ...update the counters to their latest values Bridge Name Displays the name of the network bridge MAC Address Displays the MAC address of the bridge selected Interface Displays the interface where the bridge transferred packets VLAN Displays the VLAN the bridge uses a virtual interface Forwarding Displays whether the bridge is forwarding packets A bridge can only forward packets ...

Page 739: ...he Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select IGMP Figure 13 62 Access Point Network IGMP screen The Group field displays the following VLAN Displays the group VLAN where the multicast transmiss...

Page 740: ...ticast router For example ge1 radio1 etc MiNT IDs Lists MiNT IDs for each listed VLAN MiNT provides the means to secure access point profile communications at the transport layer Using MiNT an access point can be configured to only communicate with other authorized MiNT enabled access points of the same model Query Interval Lists the IGMP query interval implemented when the querier functionality i...

Page 741: ...and its configuration To view a network s DHCP Options 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select DHCP Options Figure 13 63 Access Point Network DHCP Options screen The DHCP Options...

Page 742: ... access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Cisco Discovery Protocol Figure 13 64 Access Point Network CDP screen The Cisco Discovery Protocol screen displays the following Configuration Displays the name of the configuration file on the DHCP server Legacy Adoption Displays historical device adoption information on behalf of the access point Adoption D...

Page 743: ... Displays the model number of the CDP capable device Port ID Displays the access point identifier for the local port TTL Displays the time to live for each CDP connection Clear Neighbors Select Clear Neighbors to remove CDP neighbors from the table and begin a new data collection Refresh Select Refresh to update the statistics counters to their latest values ...

Page 744: ...m from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Link Layer Discovery Figure 13 65 Access Point Network LLDP screen The Link Layer Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device either ...

Page 745: ...HCP server to a host To view DHCP server statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select General Port ID Displays the identifier for the local port TTL Displays the time to live ...

Page 746: ... server supporting DHCP services on behalf of the access point DDNS Bindings IP Address Displays the IP address assigned to the client DDNS Bindings Name Displays the domain name mapping corresponding to the IP address listed DHCP Manual Bindings IP Address Displays the IP address for each client with a listed MAC address DHCP Manual Bindings Client ID Displays the MAC address client hardware ID o...

Page 747: ...ms 4 Select Bindings Figure 13 67 Access Point DHCP Server Bindings screen The DHCP Bindings screen displays the following Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources IP Address Displays the IP address for each DHCP resource requesting client DHCP MAC Address Displays the hardware encoded MAC address client Id of each DHCP resource requesting cli...

Page 748: ...13 122 WiNG 5 4 2 Access Point System Reference Guide Refresh Select Refresh to update the statistics counters to their latest values ...

Page 749: ...ess points 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select Networks The DHCP Networks screen displays the following 13 3 21 Firewall Access Point Statistics A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications It s a device or set of devices configured to permit or deny access to the network ba...

Page 750: ...her bar graphs display for each individual packet type To view access point packet flows statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Packet Flows 5 Periodically select Re...

Page 751: ...tively unavailable DoS attacks are implemented by either forcing the targeted computer s to reset or consume its resources so it can t provide its intended service The DoS screen displays the types of attack number of times it occurred and the time of last occurrence To view access point DoS attack information 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on...

Page 752: ...w the IP firewall rules 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select IP Firewall Rules Count Displays the number of times the access point s firewall has observed each listed DoS att...

Page 753: ...es ACL list are based on precedence values Every rule has a unique precedence value between 1 and 5000 You cannot add two rules with the same precedence Friendly String This is a string that provides information as to which firewall the rules apply Hit Count Displays the number of times each WLAN ACL has been triggered Refresh Select the Refresh button to update the screen s statistics counters to...

Page 754: ...oint s MAC Firewall Rules 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select MAC Firewall Rules Figure 13 71 Access Point Firewall MAC Firewall Rules screen The MAC Firewall Rules screen d...

Page 755: ...ations screen displays the following Friendly String This is a string that provides information as to which firewall the rules apply Hit Count Displays the number of times each WLAN ACL has been triggered Refresh Select the Refresh button to update the screen s statistics counters to their latest values Protocol Lists the NAT translation IP protocol as either TCP UDP or ICMP Forward Source IP Disp...

Page 756: ...xpand the menu to reveal its sub menu items 4 Select DHCP Snooping Figure 13 73 Access Point Firewall DHCP Snooping screen Forward Dest Port Destination port for the forward NAT flow contains ICMP ID if it is an ICMP flow Reverse Source IP Displays the source IP address for the reverse NAT flow Reverse Source Port Displays the source port for the reverse NAT flow contains ICMP ID if it is an ICMP ...

Page 757: ...dard IKE automatically negotiates IPSec SAs and enables secure communications without time consuming manual pre configuration VPN statistics are partitioned into the following IKESA IPSec MAC Address Displays the MAC address of the client requesting DHCP resources from the controller Node Type Displays the NetBios node from which IP addresses can be issued to client requests on this interface IP A...

Page 758: ...xpand the menu to reveal its sub menu items 4 Select IKESA Figure 13 74 Access Point VPN IKESA screen 5 Review the following VPN peer security association statistics Peer Lists peer IDs for peers sharing security associations SA for tunnel interoperability When a peer sees a sensitive packet it creates a secure tunnel and sends the packet through the tunnel to its destination Version Displays each...

Page 759: ...enu to reveal its sub menu items 4 Select IPSec Lifetime Displays the lifetime for the duration of each listed peer IPSec VPN security association Once the set value is exceeded the association is timed out Local IP Address Displays each listed peer s local tunnel end point IP address This address represents an alternative to an interface IP address Clear All Select the Clear All button to clear e...

Page 760: ...e VPN IPSec tunnel connection SAs are unidirectional existing in each direction and established per security protocol Options include ESP and AH State Lists the state of each listed peer s security association SPI In Lists stateful packet inspection SPI status for incoming IPSec tunnel packets SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid SPI Out Lists state...

Page 761: ...ate can be a certificate authority corporate or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connect...

Page 762: ...rnative details to the information specified under the Subject Name field Issuer Name Displays the name of the organization issuing the certificate Serial Number The unique serial number of the certificate issued RSA Key Used Displays the name of the key pair generated separately or automatically when selecting a certificate IS CA Indicates if this certificate is a authority certificate Is Self Si...

Page 763: ... 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Certificates and expand the menu to reveal its sub menu items 4 Select RSA Keys Figure 13 77 Access Point Certificate RSA Keys screen The RSA Key Details field displays the size in bits of the desired ke...

Page 764: ...lacklisted clients unauthorized access points intruded into the network Details include the name of the blacklisted client the time when the client was blacklisted the total time the client remained in the network etc The screen also provides WIPS event details For more information see WIPS Client Blacklist WIPS Events 13 3 24 1 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted...

Page 765: ...ess of the unauthorized device intruding this access point s radio coverage area Time Blacklisted Displays the time when the client was blacklisted by this access point Total Time Displays the time the unauthorized now blacklisted device remained in this access point s WLAN Time Left Displays the time the blacklisted client remains on the list Refresh Select the Refresh button to update the statis...

Page 766: ...ts screen The WIPS Events screen provides the following Event Name Displays the name of the detected wireless intrusion Reporting AP Displays the MAC address of the access point reporting the listed intrusion Originating Device Displays the MAC address of the intruding device Detector Radio Displays the number of the detecting access point radio Time Reported Displays the time when the intrusion w...

Page 767: ...ess point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Sensor Servers Figure 13 80 Access Point Sensor Servers screen The Sensor Servers screen displays the following IP Address Displays a list of sensor server IP addresses These are the server reso...

Page 768: ...the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Captive Portal Figure 13 81 Access Point Captive Portal screen The Captive Portal screen displays the following Refresh Select the Refresh button to update the screen s statistics counters to their latest values C...

Page 769: ... NTP messaging to sync system time with authenticated network traffic The Network Time screen provides detailed statistics of an associated NTP Server of an access point Use this screen to review the statistics for each access point The Network Time statistics screen consists of two tabs NTP Status NTP Association Authentication Displays the authentication status of requesting clients WLAN Display...

Page 770: ... UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network Time Figure 13 82 Access Point NTP Status screen The NTP Status tab displays by default with the following information Clock Offset Displays the time differential between the access point s time and its NTP resource s time ...

Page 771: ...t transmissions or if transmissions are synchronized Precision Displays the precision of the time clock in Hz The values that normally appear in this field range from 6 for mains frequency clocks to 20 for microsecond clocks Reference Time Displays the time stamp the access point s clock was last synchronized or corrected Reference Displays the address of the time source the access point is synchr...

Page 772: ... NTP server The access point adjusts its clock to match the server s time value The offset gravitates towards zero but never completely reduces its offset to zero Poll Displays the maximum interval between successive messages in seconds to the nearest power of two Reach Displays the status of the last eight SNTP messages If an SNTP packet is lost the lost packet is tracked over the next eight SNTP...

Page 773: ...oad Balancing State Displays the NTP association status This can be one of the following Synced Indicates the access point is synchronized to this NTP server Unsynced Indicates the access point has chosen this master for synchronization However the master itself is not yet synchronized to UTC Selected Indicates this NTP master server will be considered the next time the access point chooses a mast...

Page 774: ...he graph section displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Request Events displays the Time Client Capability State WLAN and Requested Channels for all client request events on the access point Remember AP6522 AP6532 AP6562 AP8132 and AP71xx models can support ...

Page 775: ...ired to improve client performance Wireless clients statistics can be assessed using the following criteria Health Details Traffic WMM TSPEC Association History Graph 13 4 1 Health Wireless Client Statistics The Health screen displays information on the overall performance of a selected wireless client To view the health of a wireless client 1 Select the Statistics menu from the Web UI 2 Select Sy...

Page 776: ...client Hostname Lists the hostname assigned to the client when initially managed by the controller operating system Vendor Displays the vendor name or the manufacturer of the wireless client State Displays the state of the wireless client It can be idle authenticated roaming associated or blacklisted IP Address Displays the IP address of the selected wireless client WLAN Displays the client s acce...

Page 777: ...quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems SNR Displays the signal to noise SNR ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbing influences on the signal by interference of sign...

Page 778: ... connected wireless client 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select Details Total Bytes Displays the total bytes processed by the access point s connected wireless client Total Packets Displays the total number of packets processed by the wireless cli...

Page 779: ...ly managed by the controller operating system Device Type Displays the device type providing the details to the WiNG operating system RF Domain Displays the RF Domain to which the connected client is a member via its connected access point The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail OS Lists the client s operating...

Page 780: ... this feature is enabled on the wireless client The spatial multiplexing SM power save mode allows an 802 11n client to power down all but one of its radios This power save mode has two sub modes of operation static operation and dynamic operation Power Save Mode Displays whether this feature is enabled or not To prolong battery life the 802 11 standard defines an optional Power Save Mode which is...

Page 781: ...d to be awake AID Displays the Association ID AID established by an AP 802 11 association enables the access point to allocate resources and synchronize with a client A client begins the association process by sending an association request to an access point This association request is sent as a frame This frame carries information about the client and the SSID of the network it wishes to associa...

Page 782: ...tive to the maximum possible throughput This screen also provides the following Total Bytes Displays the total bytes processed by the access point s connected client Total Packets Displays the total number of data packets processed by the access point s connected wireless client User Data Rate Displays the average user data rate Packets per Second Displays the packets processed per second Physical...

Page 783: ... the WiFi adapter to notify the access point when the radio is powered down The access point holds any network packet to be sent to this radio RF Quality Index Displays information on the RF quality of the selected wireless client The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry rate and the error ra...

Page 784: ...he navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select WMM TPSEC R Value R value is a number or score used to quantitatively express the quality of speech in communications systems This is used in digital networks that carry Voice over IP VoIP traffic The R value can range from 1 worst to 100 best and is based on the percentage of...

Page 785: ...link data stream Direction Type Displays whether the WMM TPSEC data stream is in the uplink or downlink direction Request Time Lists each sequence number s request time for WMM TPSEC traffic in the specified direction This is time allotted for a request before packets are actually sent Used Time Lists the time duration this data stream has been in use TID Displays the parameter for defining the tr...

Page 786: ...menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select Association History Figure 13 89 Wireless Client Association History screen 4 Refer to the following to discern this client s access point association history Access Point Lists the access point MAC address this client has connected t...

Page 787: ...ir performance measure To view a graph of this client s statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select Graph 4 Use the Parameters drop down menu to define from 1 3 variables assessing signal noise transmit or receive values 5 Use the Polling Inte...

Page 788: ...62 WiNG 5 4 2 Access Point System Reference Guide 6 Select an available point in the graph to list the selected performance parameter and display that parameter s value and a time stamp of when it occurred ...

Page 789: ...ftware type and version number If you have a problem with your equipment contact support for your region Support and issue resolution is provided for products under warranty or that are covered by an services agreement Contact information and Web self service is available by visiting http supportcentral motorola com Customer Support Web Site The Support Central Web site located at http supportcent...

Page 790: ...A 2 WiNG 5 4 2 Access Point System Reference Guide ...

Page 791: ...gement 1301 E Algonquin Road Schaumburg IL 60196 USA About This Document This document contains information regarding licenses acknowledgments and required copyright notices for open source packages used in this Motorola product B 2 Open Source Software Used Motorola s Support Central Web site located at http supportcentral motorola com provides information and online assistance including develope...

Page 792: ...ww gnu org lgplv2 glib2 2 7 0 http www gtk org gplv2 gdb 6 5 http www gnu org gplv2 safestr 1 0 3 http www zork org safestr bsd iproute2 50816 http developer osdl org gplv2 iptables 1 3 5 http www netfilter org gplv2 libdnet 1 1 http libdnet sourceforge net bsd libncurses 5 4 http www gnu org software ncurses ncurses html MIT libpcap 0 9 4 http www tcpdump org bsd tcpdump 3 9 7 http www tcpdump or...

Page 793: ...rceforge net projects advas gplv2 libexpat 2 0 0 http expat sourceforge net mit ppp 2 4 4 http ppp samba org bsd openldap 2 3 20 http www openldap org bsd pure ftpd 1 0 22 http www pureftpd org bsd FreeRADIUS 2 1 7 http freeradius org gplv2 rp pppoe 3 1 http www roaringpenguin com products pppo e gplv2 Stackless python 252 http www stackless com bsd xxl 1 0 1 http zork org xxl bsd libgmp 4 2 2 htt...

Page 794: ...PI MIT PyXAPI 0 8 18 http pychecker sourceforge net gplv2 Sierra wireless card drivers 1 22 http sierrawireless custhelp com app answer s detail a_id 500 Connecting_using_PPPD gplv2 m2crypto 0 20 http chandlerproject org bin view Projects M eTooCrypto bsd c ares 1 7 1 http c ares haxx se MIT ipaddr 2 1 0 http code google com p ipaddr py apache samba 3 5 1 http www samba org gplv2 rsync 3 0 6 http ...

Page 795: ...ibc 2 7 http www gnu org software libc gplv2 hostapd 0 6 9 http hostap epitest fi hostapd gplv2 hotplug2 0 9 http isteve bofh cz isteve hotplug2 gplv2 ipkg utils 1 7 http www handhelds org sources html gplv2 iproute2 2 6 25 http www linuxfoundation org collaborate workgroups networking iproute2 gplv2 iptables 1 4 1 1 http www netfilter org gplv2 libpcap 0 9 8 http www tcpdump org bsd libtool 1 5 2...

Page 796: ... 2 4 3 http ppp samba org ppp bsd pppoe 3 10 http roaringpenguin com products pppoe gplv2 Quagga 0 99 17 http www quagga net gplv2 quilt 0 47 http savannah nongnu org projects quilt gplv2 sed 4 1 2 http www gnu org software sed gplv2 squashfs 3 http squashfs sourceforge net gplv2 StrongSwan 4 50 http www strongswan org gplv2 u boot trunk 2010 03 30 http www denx de wiki U Boot gplv2 Name Version O...

Page 797: ... sun com j2se Sun Community Source Kerberos Client 5 http www mit edu kerberos bsd AES CCM encryption http www gladman me uk bsd zlib 1 1 4 http www zlib net zlib freeradius 1 0 0 pre3 http www freeradius org gplv2 net snmp 5 0 9 http net snmp sourceforge net bsd openssh 5 4p1 http www openssh com bsd openldap 2 2 http www openldap org foundation openldap wuftpd 2 6 1 http wu ftpd therockgarden ca...

Page 798: ...ius 2 0 2 http www freeradius org gplv2 gcc 4 1 2 http gcc gnu org gplv2 gdb 6 8 http www gnu org software gdb gplv2 genext2fs 1 4 1 http genext2fs sourceforge net gplv2 glibc 2 7 http www gnu org software libc gplv2 ipkg utils 1 7 http www handhelds org sources html gplv2 iptables 1 4 3 http www netfilter org projects iptables i ndex html gplv2 iproute2 2 6 25 http www linuxfoundation org collabo...

Page 799: ...9 8j http www openssl org openssl ppp 2 4 3 http ppp samba org ppp bsd pppoe 3 10 http roaringpenguin com products pppoe gplv2 Quagga 0 99 17 http www quagga net gplv2 snmpagent 5 0 9 http sourceforge net bsd strace 4 5 18 http sourceforge net projects strace bsd u boot Trunk 2010 03 3 0 http www denx de wiki U Boot gplv2 wireless_tools r29 http www hpl hp com personal Jean_Tour rilhes Linux Tools...

Page 800: ...so they know their rights We protect your rights with two steps 1 copyright the software and 2 offer you this license which gives you legal permission to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone understands that there is no warranty for this free software If the software is modified by someone else and passed on we ...

Page 801: ...do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Library the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this sec...

Page 802: ...st include the copyright notice for the Library among them as well as a reference directing the user to the copy of this License Also you must do one of these things a Accompany the work with the complete corresponding machine readable source code for the Library including whatever changes were used in the work which must be distributed under Sections 1 and 2 above and if the work is an executable...

Page 803: ...u from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Library at all For example if a patent license would not permit royalty free redistribution of the Library by all those who receive copies directly or indirectly through you then the o...

Page 804: ...RARY AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU SHOULD THE LIBRARY PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 16 IN NO EVENT UNLESS REQUIRED BY APPLICABLE...

Page 805: ...hether gratis or for a fee you must give the recipients all the rights that we gave you You must make sure that they too receive or can get the source code If you link other code with the library you must provide complete object files to the recipients so that they can relink them with the library after making changes to the library and recompiling it And you must show them these terms so they kno...

Page 806: ...is Lesser General Public License also called this License Each licensee is addressed as you A library means a collection of software functions and or data prepared so as to be conveniently linked with application programs which use some of those functions and data to form executables The Library below refers to any such software library or work which has been distributed under these terms A work b...

Page 807: ...of the ordinary GNU General Public License instead of this License to a given copy of the Library To do this you must alter all the notices that refer to this License so that they refer to the ordinary GNU General Public License version 2 instead of to this License If a newer version than version 2 of the ordinary GNU General Public License has appeared then you can specify that version instead if...

Page 808: ...itions b Use a suitable shared library mechanism for linking with the Library A suitable mechanism is one that 1 uses at run time a copy of the library already present on the user s computer system rather than copying library functions into the executable and 2 will operate properly with a modified version of the library if the user installs one as long as the modified version is interface compati...

Page 809: ...on is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many...

Page 810: ... SHOULD THE LIBRARY PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE U...

Page 811: ...NTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAM...

Page 812: ...d its documentation for any purpose is hereby granted provided that the names of M I T and the M I T S I P B not be used in advertising or publicity pertaining to distribution of the software without specific written prior permission M I T and the M I T S I P B make no representations about the suitability of this software for any purpose It is provided as is without express or implied warranty ...

Page 813: ...opyright c 1996 1998 Berkeley Software Design Inc Portions Copyright c 1998 Sendmail Inc Portions Copyright c 1983 1995 1996 1997 Eric P Allman Portions Copyright c 1989 Massachusetts Institute of Technology Portions Copyright c 1997 Stan Barber Portions Copyright c 1991 1992 1993 1994 1995 1996 1997 Free Software Foundation Inc Portions Copyright c 1997 Kent Landfield Use and distribution of this...

Page 814: ...tten permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILI...

Page 815: ...graphic can be left out if the routines from the library being used are not cryptographic related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson tjh cryptsoft com THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INC...

Page 816: ...lications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a product an acknowledgment in the product documentation would be appreciated but is not required 2 Altered source versions must be plainly marked as such and must not ...

Page 817: ...ANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF...

Page 818: ...he interfaces of the Work and Derivative Works thereof Contribution shall mean any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright ow...

Page 819: ... inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License without any additional terms or conditions Notwithstanding the above nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions 6 Trademarks This License does not grant permission to use the trade names trad...

Page 820: ...n of purpose be included on the same printed page as the copyright notice for easier identification within third party archives Copyright yyyy name of copyright owner Licensed under the Apache License Version 2 0 the License you may not use this file except in compliance with the License You may obtain a copy of the License at http www apache org licenses LICENSE 2 0 Unless required by applicable ...

Page 821: ...NTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE LibTomCrypt and LibTomMath are written by Tom St Denis and are sshpty c is taken fro...

Page 822: ...rnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT IN NO EVENT SHALL THE COPY...

Page 823: ...ee non exclusive license to the extent of Original Contributor s Intellectual Property Rights covering the Original Code Upgraded Code and Specifications to do the following a Research Use License i use reproduce and modify the Original Code Upgraded Code and Specifications to create Modifications and Reformatted Specifications for Research Use by You ii publish and display Original Code Upgraded ...

Page 824: ...icensee status required of those attempting to download from the server An example of an acceptable certification is attached as Attachment A 2 c Notices All Error Corrections and Shared Modifications You create or contribute to must include a file documenting the additions and changes You made and the date of such additions and changes You must also include the notice set forth in Attachment A 1 ...

Page 825: ... an organization that has an Internet domain name such as sun com You then reverse the name component by component to obtain in this example Com sun and use this as a prefix for Your package names using a convention developed within Your organization to further administer package names 3 2 Additional Requirements and Responsibilities Any additional requirements and responsibilities relating to the...

Page 826: ... THE AMOUNT HAVING THEN ACTUALLY BEEN PAID BY YOU TO ORIGINAL CONTRIBUTOR FOR ALL COPIES LICENSED HEREUNDER OF THE PARTICULAR ITEMS GIVING RISE TO SUCH CLAIM IF ANY IN NO EVENT WILL YOU RELATIVE TO YOUR SHARED MODIFICATIONS OR ERROR CORRECTIONS OR ORIGINAL CONTRIBUTOR BE LIABLE FOR ANY INDIRECT PUNITIVE SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THIS LICENSE I...

Page 827: ...r will order each party to produce identified documents and respond to no more than twenty five single question interrogatories 8 7 Construction Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not apply to this License 8 8 U S Government End Users The Covered Code is a commercial item as that term is defined in 48 C F R 2 101 Oct 19...

Page 828: ...r other programming code and or interfaces The foregoing shall not apply to software development by Your subcontractors to be exclusively used by You 10 Intellectual Property Rights means worldwide statutory and common law rights associated solely with i patents and patent applications ii works of authorship including copyrights copyright applications copyright registrations and moral rights iii t...

Page 829: ...tity acting by and through an individual or individuals exercising rights either under this License or under a future version of this License issued pursuant to Section 4 1 For legal entities You r includes any entity that by majority voting interest controls is controlled by or is under common control with You ATTACHMENT A REQUIRED NOTICES ATTACHMENT A 1 REQUIRED IN ALL CASES The contents of this...

Page 830: ... Original Code and Upgraded Code as part of Compliant Covered Code and Specifications for Internal Deployment Use b compile such Original Code and Upgraded Code as part of Compliant Covered Code and reproduce and distribute internally the same in Executable form for Internal Deployment Use and c reproduce and distribute internally Reformatted Specifications for use in connection with Internal Depl...

Page 831: ...ry thereof e Shared Part means those Original Code and Upgraded Code files of the Technology which are identified as shared or words of similar meaning or which are in any share directory or subdirectory thereof except those files specifically designated by Original Contributor as modifiable f User s Guide means the users guide for the TCK which Original Contributor makes available to You to provi...

Page 832: ...ro Edition Connected Limited Device Configuration iii A Profile as integrated with a Configuration must pass the applicable TCK for the Technology 2 3 Compatibility Testing Successful compatibility testing must be completed by You or at Original Contributor s option a third party designated by OriginalContributor to conduct such tests in accordance with the User s Guide A Technology must pass the ...

Page 833: ...ot give you the right to use Servicemarks sm or Trademarks tm of Zope Corporation Use of them is covered in a separate agreement see http www zope com Marks 5 If any files are modified you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change Disclaimer THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION AS IS AND ANY EXPRESSED OR IMPLIED ...

Page 834: ...rpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a product an acknowledgment in the product documentation would be appreciated but is not required 2 Altered source versions must be plainl...

Page 835: ......

Page 836: ...TOROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2013 Motorola Solutions Inc All Rights Reserved 72E 172112 01 Revision A February 2013 ...

Reviews:

No comments