background image

60

System configuration management

WDS settings

WDS Bridge—Up to six WDS bridge or repeater links (MAC addresses) per
radio interface can be specified for each unit in the wireless bridge network.
One unit must be configured as the root bridge in the wireless network. The
root bridge is the unit connected to the main core of the wired LAN. Other
bridges need to specify one Parent link to the root bridge or to a bridge
connected to the root bridge. The other five WDS links are available as
Child links to other bridges.

Bridge Role—Each radio interface can be set to operate in one of the
following four modes: (Default: AP)

— Access Point (AP): Operates as an access point for wireless clients,

providing connectivity to a wired LAN.

BAP120

Using the Nortel Business Access Point 120

NN47921-301

01.01

Standard

1.0

August 2006

Copyright © 2006, Nortel Networks

Nortel Networks Confidential

.

Summary of Contents for 120

Page 1: ...BAP120 Using the Nortel Business Access Point 120 NN47921 301 ...

Page 2: ...e accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Networks Nortel Nortel Logo the Globemark and This is the way This is Nortel Design mark are trademarks of Nortel Networks Microsoft MS MS DOS Windows and Windows...

Page 3: ...System defaults 18 BAP120 installation and initial configuration 23 Installing the BAP120 hardware 25 BAP120 hardware installation procedures 25 Mounting the access point on a wall or ceiling 27 Mounting the BAP120 on a horizontal surface 28 Attaching the antenna 29 Powering up the BAP120 30 Configuring the network 33 Procedure job aid 33 Configuring the BAP120 the first time it is powered up 35 T...

Page 4: ...ment 63 Administration 64 Changing the password 64 Setting the timeout interval 65 Upgrading Firmware 65 System log 68 Enabling system logging 68 Configuring SNTP 70 SNMP 70 Configuring SNMP and Trap message parameters 71 Configuring SNMPv3 users 74 Configuring SNMPv3 trap filters 75 Configuring SNMPv3 targets 77 Radio interface 78 Slot 0 Radio A 802 11a 79 Configuring VAP radio settings 79 Config...

Page 5: ... Access Point 123 Ad hoc 123 Advanced Encryption Standard AES 123 Authentication 123 Backbone 123 Basic Service Set BSS 124 Beacon 124 Broadcast key 124 CSMA CA 124 Dynamic Host Configuration Protocol DHCP 124 Encryption 124 Extended Service Set ESS 124 Extensible Authentication Protocol EAP 124 Ethernet 124 File Transfer Protocol FTP 124 Hypertext Transfer Protocol HTTP 125 Internet Control Messa...

Page 6: ...127 Simple Network Management Protocol SNMP 127 Simple Network Time Protocol SNTP 127 Temporal Key Integrity Protocol TKIP 127 Trivial File Transfer Protocol TFTP 127 Virtual Access Point VAP 127 Virtual LAN VLAN 127 Wi Fi protected access 127 Wired Equivalent Privacy WEP 128 WPA Preshared Key PSK 128 BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copy...

Page 7: ...derable cost savings over wired LANs which include long term maintenance overhead for cabling Navigation BAP120 Fundamentals page 9 BAP120 installation and initial configuration page 23 Installing the BAP120 hardware page 25 Configuring the network page 33 Configuring the BAP120 the first time it is powered up page 35 Troubleshooting page 41 System configuration management page 45 References page ...

Page 8: ...8 Introduction BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 9: ...n operate in one of four modes Access Point Providing connectivity to wireless clients in the service area Repeater Providing an extended link to a remote access point from the wired LAN In this mode the access point does not have a cable connection to the wired Ethernet LAN In this mode at least one access point must have wired connectivity to enable the signal to repeat to the next unwired acces...

Page 10: ...lf duplex connection to Ethernet networks for each active channel or up to 108 Mbps when using turbo mode on the 802 11a interface The access point also supports Super A for 108 Mb s on 802 11a mode and Super G for 108 Mb s on 802 11g mode BAP120 user interfaces You can manage the switch using one of the following Web based management You can manage the network from the World Wide Web Access the W...

Page 11: ...helping to avoid multi path fading effects When receiving the access point checks both antennas and selects the one with the strongest signal When transmitting it continues to use the antenna previously selected for receiving The access point never transmits from both antennas at the same time BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 20...

Page 12: ...en Fully functional Indicates that the system is working normally Flashing Amber Initialization phase Indicates that the system is running a self test or loading the software program PWR Flashing Prolonged Indicates system errors On Green Functional not ongoing transmission Indicates a valid 10 100 Mb s Ethernet cable link Link Flashing Green Transmitting Indicates that the access point is transmi...

Page 13: ...etwork activity 11b g Off Indicates that the 802 11b g radio is disabled Security slot The access point includes a Kensington security slot on the rear panel You can prevent unauthorized removal of the access point by wrapping the Kensington security cable not provided around an unmovable object inserting the lock into the slot and turning the key Console port The console port is only used for mai...

Page 14: ...ton as a last resort for resetting the access point Nortel recommends that you use the reset options that are available through the WebUI Power connector The access point does not have a power switch It is powered on when connected to the AC power adapter and the power adapter is connected to a power source The power adapter automatically adjusts to any voltage between 100 240 volts at 50 or 60 Hz...

Page 15: ...ture wireless LAN Infrastructure wireless LAN for roaming wireless PCs The BSS defines the communications domain for each access point and its associated wireless clients The BSS ID is a 48 bit binary number based on the wireless MAC address for the access point and is set automatically and transparently when clients associate with the access point The BSS ID is used in frames sent between the acc...

Page 16: ...n roam freely All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID Infrastructure wireless LAN for roaming wireless PCs Infrastructure wireless bridge The IEEE 802 11 standard defines a Wireless Distribution System WDS for bridge connections between BSS areas access points The access point uses WDS to forward traffic on link...

Page 17: ...wireless bridge network When using WDS on a radio band only wireless bridge units can associate with each other Wireless clients can only associate with the access point using a radio band set to access point or repeater mode Infrastructure wireless bridge Infrastructure wireless repeater The access point can also operate in a bridge repeater mode to extend the range of links to wireless clients T...

Page 18: ...channel Infrastructure wireless repeater System defaults The following table lists some of the BAP120 basic system defaults System defaults System defaults Feature Parameter Default Identification System Name Business Access Point 120 User Name nnadmin Administration Password PlsChgMe HTTP Server Enabled General HTTP Server Port 80 BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 0...

Page 19: ...ession Timeout 0 minutes disabled Local MAC System Default Allowed MAC Authentication Local MAC Permission Allowed Status Disabled Broadcast Key Refresh 0 minutes disabled Session Key Refresh 0 minutes disabled 802 1X Authentication Re authentication Refresh Rate 0 seconds disabled Management VLAN ID 1 VLAN ID VAP Interface 1 VLAN VLAN Tag Support Disabled QoS QoS Mode Off Local Bridge Disabled AP...

Page 20: ... Logging Host Disabled Logging Console Disabled IP Address Host Name 0 0 0 0 Logging Level Informational System logging Logging Facility Type 16 SNTP Server Status Disabled SNTP Server 1 IP 0 0 0 0 SNTP Server 2 IP 0 0 0 0 Date and Time 00 00 Jan 1 1970 when there is no time server Daylight Saving Time Enabled System clock Time Zone GMT 5 Eastern Time US and Canada Ethernet interface Speed and Dup...

Page 21: ...ethod Diversity Antenna ID 0x0000 Wireless interface 802 11a Antenna Location Indoor Authentication Type Open System Data Encryption Disabled WEP Key Type Alphanumeric WEP Transmit Key Number 1 WEP Keys null WPA Configuration Mode WEP Only Disabled WPA Key Management WPA Pre shared Key WPA PSK Type Alphanumeric VAP0 SSID BAP120_11A_SSID 0 VAP1 SSID BAP120_11A_SSID 1 VAP2 SSID BAP120_11A_SSID 2 Wir...

Page 22: ...0000 Wireless interface 802 11b g Antenna Location Indoor Authentication Type Open System Data Encryption Disabled WEP Key Type Alphanumeric WEP Transmit Key Number 1 WEP Keys null WPA Configuration Mode WEP Only Disabled WPA Key Management WPA Pre shared Key WPA PSK Type Alphanumeric VAP0 SSID BAP120_11G_SSID 0 VAP1 SSID BAP120_11G_SSID 1 VAP2 SSID BAP120_11G_SSID 2 Wireless security 802 11b g VA...

Page 23: ...dapter and power cord four rubber feet one mounting bracket three Philips screws three nylon anchors two antennas optional two directional antennas BAP120 Quick Installation Guide Inform your dealer if there are any incorrect missing or damaged parts If possible retain the carton including the original packing materials Use them again to repack the product in case there is a need to return it BAP1...

Page 24: ...n and initial configuration navigation Installing the BAP120 hardware page 25 Configuring the network page 33 Configuring the BAP120 the first time it is powered up page 35 BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 25: ...ea Mount away from any signal absorbing or reflecting structures such as those containing metal Mount the BAP120 on a wall or a ceiling or rest it on a high shelf If you are mounting on a horizontal surface shelf your BAP120 can use Power over Ethernet PoE and does not need to be connected to an AC power source If a PoE connection is not available connect the AC power adapter to the BAP120 and the...

Page 26: ... a wall or ceiling page 27 Mounting the BAP120 on a horizontal surface page 28 Attaching the antenna page 29 Powering up the BAP120 page 30 Configuring the BAP120 the first time it is powered up page 35 BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 27: ...120 from the mounting surface Leave enough space above wall mount or behind ceiling mount to connect the power cord and Ethernet cable 2 Use the screws provided to screw the mounting plate to the mounting surface with the tab facing up wall mount or behind ceiling mount 3 Slide the pins on the base of the BAP120 into the keyhole slots on the mounting bracket BAP120 installed on mounting bracket 4 ...

Page 28: ...er feet provided in the accessory kit to the marked circles on the bottom of the access point BAP120 rubber feet installation 2 Lock the BAP120 in place 3 Optionally protect the BAP120 from unauthorized removal with a Kensington Slim microsaver security cable optional BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel ...

Page 29: ...teps Step Action 1 Attach the antennas to the BAP120 2 Rotate each antenna so that it is perpendicular to the computers served by the BAP120 BAP120 antenna placement BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 30: ...ged BAP120 rear panel connections ATTENTION If the access point is connected to both a PoE source device and an AC power source the AC power is disabled 2 Connect the Ethernet cable to the RJ 45 port and then connect the cable to an Ethernet or PoE port on your Ethernet switch The BAP120 automatically requests an IP address from the DHCP server on your LAN by default If no response is received fro...

Page 31: ... LED Indicators page 12 During initialization the LED is amber and flashing If the PWR LED does not stop flashing the self test has not completed correctly For more information see Troubleshooting page 41 End BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 32: ...32 Installing the BAP120 hardware BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 33: ...he Infrastructure wireless LAN page 14 uses the default values that are listed in System defaults page 18 4 Delay making the changes to the default values until after you have initially installed the BAP120 For further information see Configuring the BAP120 the first time it is powered up page 35 5 Connect the BAP120 to your LAN through the RJ 45 port End Procedure job aid Wireless networks suppor...

Page 34: ... following measures Limit any possible sources of radio interference within the service area Increase the distance between neighboring access points Decrease the signal strength of neighboring access points Increase the channel separation of neighboring access points for example up to 5 channels of separation for 802 11b and 802 11g BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 ...

Page 35: ...ger must be installed Procedure steps Step Action 1 Start the Element Manager 2 Choose Network Find Network Elements Business Access Point from the Element Manager menu 3 Enter the range 192 168 1 1 to 192 168 1 255 and then click OK BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 36: ... value for Read Community is PlsChgMe RO and for Write Community it is PlsChgMe RW 5 Click the Web Page button on the Element Manager menu 6 Enter the default username nnadmin and password PlsChgMe to log on to the BAP120 BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 37: ... country code to the country in which the BAP120 is operating 8 Select Administration Quick Start from the main menu BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 38: ...hannel Radio Setting Channel and Radio Setting page 11 Enable DHCP for IP Configuration TCP IP settings 12 Set the security type if required 13 Click Submit to save your configuration BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 39: ...onfiguration System Administration and click Reboot to restart the BAP120 End BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 40: ...onfiguring the BAP120 the first time it is powered up BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 41: ...ess clients cannot access the network If wireless clients cannot access the network perform the following checks Procedure steps Step Action 1 Be sure the access point and the wireless clients are configured with the same Service Set ID SSID 2 If authentication or encryption are enabled ensure that the wireless clients are properly configured with the appropriate authentication or encryption keys ...

Page 42: ...ng checks Procedure steps Step Action 1 If you are connecting to the access point through the wired Ethernet interface check the network cabling between the management station and the access point 2 Check that you have a valid network connection to the access point and that the Ethernet port or the wireless interface that you are using is not disabled 3 If VLANs are enabled on the access point the...

Page 43: ...e log on details are lost If you forgot or lost the password perform the following steps Procedure steps Step Action 1 Use the default username nnadmin and password PlsChgMe to access the management interface 2 If you still cannot access the management interface set the access point to its default configuration by pressing the reset button on the back panel for 5 seconds or more then repeat the pr...

Page 44: ... not displaying accurate information perform the following steps Procedure steps Step Action 1 On the browser application click Shift Refresh The displayed panel data is pulled from the network to display the current information in each window panel End Troubleshooting when WebUI does not log on correctly If your WebUI session has timed out and you experience difficulty either displaying panel dat...

Page 45: ...ment JRE is installed on your computer Download the latest version from www java com Java scripting and Java applet are enabled Starting the WebUI Use the following procedure to open the BAP120 Web User Interface Procedure steps Step Action 1 Select the BAP120 device from the list of network elements on the Element Manager tree 2 Click the Web Page button on the Element Manager menu 3 Enter the us...

Page 46: ...igures the RADIUS server for wireless client authentication and accounting See RADIUS page 50 Authentication Configures MAC address authentication See Authentication page 52 Filter Control Filters communications between wireless clients access to the management interface from wireless clients and traffic matching specific Ethernet protocol types See Filter control page 55 VLAN Enables VLAN support...

Page 47: ...iguring SNMPv3 targets page 77 Country Code Sets the BAP120 to the regulations for the selected country A reset of the BAP120 is required after the country code is set See Country Code selection page 37 SLOT 0 Radio A Configures the IEEE 802 11a interface See Radio interface page 78 Radio Settings Configures common radio signal parameters and other settings for each VAP interface See Slot 0 Radio ...

Page 48: ...identification The system name for the access point can be left at its default setting However modifying this parameter can help you to more easily distinguish different devices in your network System identification System Name An alias for the access point enabling the device to be uniquely identified on the network Default Business Access Point BAP120 Range 1 32 characters TCP and IP settings Co...

Page 49: ...rk DHCP server Default Enabled DHCP Client Disable Select this option to manually configure a static address for the access point IP Address The IP address of the access point Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Subnet Mask The mask that identifies the host address bits used for routing to specific subnets Default Gateway The default gateway is the IP a...

Page 50: ...t requires access to the network A primary RADIUS server must be specified for the access point to implement IEEE 802 1X network access control and Wi Fi Protected Access WPA wireless security A secondary RADIUS server can also be specified as a backup if the primary server fails or becomes inaccessible In addition the configured RADIUS server can also act as a RADIUS Accounting server and receive...

Page 51: ... IEEE 802 1X and a central RADIUS server The user VLAN IDs must be configured on the RADIUS server for each user authorized to access the network VLAN IDs can be entered as hexadecimal numbers or as ASCII strings Primary Radius Server Setup Configure the following settings to use RADIUS authentication on the access point IP Address Specifies the IP address or host name of the RADIUS server BAP120 ...

Page 52: ... backup in case the primary server fails The access point uses the secondary server if the primary server fails or becomes inaccessible When the access point switches over to the secondary server it periodically attempts to establish communication again with primary server If communication with the primary server is reestablished the secondary server reverts to a backup role Authentication Wireles...

Page 53: ...so provides a mechanism for enhanced network security using dynamic encryption key rotation or W Fi Protected Access WPA Note If you configure RADIUS MAC authentication together with 802 1X RADIUS MAC address authentication is performed prior to 802 1X authentication If RADIUS MAC authentication succeeds then 802 1X authentication is performed If RADIUS MAC authentication fails 802 1X authenticati...

Page 54: ...tabase The MAC database provides a mechanism to take certain actions based on a wireless client s MAC address The MAC list can be configured to allow or deny network access to specific clients System Default Specifies a default action for all unknown MAC addresses that is those not listed in the local MAC database Deny Blocks access for all MAC addresses except those listed in the local database a...

Page 55: ... Intra VAP client communication When enabled clients associated with a specific VAP interface cannot establish wireless communications with each other Clients can communicate with clients associated to other VAP interfaces Prevent Inter and Intra VAP client communication When enabled clients cannot establish wireless communications with any other client either those associated to the same VAP inte...

Page 56: ...point VLAN The access point can employ VLAN tagging support to control access to network resources and increase security VLANs separate traffic passing between the access point associated clients and the wired network There can be a VLAN assigned to each associated client a default VLAN for each VAP Virtual Access Point interface and a management VLAN for the access point Note the following points...

Page 57: ...llows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface When VLAN support is enabled on the access point traffic passed to the wired network is tagged with the appropriate VLAN ID either an assigned client VLAN ID default VLAN ID or the management VLAN ID Traffic received from the wired network must also be tagged with one of these known V...

Page 58: ...igured VLAN ID on the RADIUS server the access point assigns the client to the configured default VLAN ID for the VAP interface Note When using IEEE 802 1X to dynamically assign VLAN IDs the access point must have 802 1X authentication enabled and a RADIUS server configured Wireless clients must also support 802 1X client software When setting up VLAN IDs for each user on the RADIUS server be sure...

Page 59: ...ess MAC address of all units to which you want to forward traffic Up to six WDS bridge or repeater links can be specified for each unit in the wireless bridge network The Spanning Tree Protocol STP can be used to detect and disable network loops and to provide backup links between bridges Using the STP a wireless bridge can interact with other bridging devices that is an STP compliant switch bridg...

Page 60: ... Other bridges need to specify one Parent link to the root bridge or to a bridge connected to the root bridge The other five WDS links are available as Child links to other bridges Bridge Role Each radio interface can be set to operate in one of the following four modes Default AP Access Point AP Operates as an access point for wireless clients providing connectivity to a wired LAN BAP120 Using th...

Page 61: ...port on each bridging device except for the root device which incurs the lowest path cost when forwarding a packet from that device to the root device Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determin...

Page 62: ...0 seconds Default 2 Minimum 1 Maximum The lower of 10 or Max Message Age 2 1 Bridge Forwarding Delay The maximum time in seconds this device waits before changing states that is discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting...

Page 63: ... access point specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses After you specify an IP address or range of addresses access to management interfaces is restricted to the specified addresses If anyone tries to access a management interface from an unauthorized address the access point rejects the connection AP management UI Mana...

Page 64: ...ss point and network security Note Pressing the Reset button on the back of the access point for more than five seconds resets the username and password to the factory defaults For this reason Nortel recommends that you protect the access point from physical access by unauthorized persons ATTENTION The Reset button should be used as a last resort for resetting the access point Nortel recommends th...

Page 65: ...e You can upgrade new access point software from a local file on the management workstation or from an FTP or TFTP server New software can be provided periodically from your distributor After upgrading new software you must reboot the access point to implement the new code Until a reboot occurs the access point continues to run the software it used before the upgrade started Upgrading Firmware BAP...

Page 66: ...n the server with a username and password If VLANs are configured on the access point ensure the VLAN ID with which the FTP or TFTP server is associated is the same VLAN ID that is configured for the access point and the management station If you are managing the access point from a wireless client the VLAN ID for the wireless client must be configured on a RADIUS server Perform local disk file up...

Page 67: ...P TFTP server Select Import to download a file from an FTP TFTP server Config file Specifies the name of the configuration file A path on the server can be specified using in the name providing the path already exists for example myfolder syscfg Other than to indicate a path the file name must not contain any slashes or the leading letter cannot be a period and the maximum length for file names on...

Page 68: ...he correct time and date System log Enabling system logging The access point supports a logging process that can control error messages saved to memory or sent to a Syslog server The logged messages serve as a valuable tool for isolating access point and network problems System Log Setup Enables the logging of error messages Default Disable Server 1 4 Enables the sending of log messages to a Syslo...

Page 69: ...nditions for example return false unexpected return Notice Normal but significant condition such as cold start Informational Informational messages only Debug Debugging messages Note The access point error log can be viewed using the Event Logs window in the Status section For further information see Event Logs page 108 The Event Logs window displays the last 128 messages logged in chronological o...

Page 70: ... it attempts an update from the secondary server Note Using the access point you can also disable SNTP and set the system clock manually Set Time Zone SNTP uses Coordinated Universal Time or UTC formerly Greenwich Mean Time or GMT based on the time at the Earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours your time...

Page 71: ...MP management the access point must first have an IP address and subnet mask configured either manually or dynamically Access to the onboard agent using SNMP v1 and v2c is controlled by community strings To communicate with the access point the management station must first submit a valid community string for authentication Access to the access point using SNMP v3 provides additional security feat...

Page 72: ...p to four of SNMP notifications Trap Destination IP Address Specifies the recipient of SNMP notifications Enter the IP address or the host name Host Name 1 to 63 characters case sensitive Trap Destination Community Name The community string sent with the notification operation Maximum length 23 characters case sensitive Default PlsChgMe RO Engine ID Sets the engine identifier for the SNMPv3 agent ...

Page 73: ...n changed dot11StationAssociation A client station has successfully associated with the access point dot11StationReAssociation A client station has successfully reassociated with the access point dot11StationAuthentication A client station has been successfully authenticated dot11StationRequestFail A client station has failed association reassociation or authentication dot11InterfaceBFail The 802 ...

Page 74: ...ntified by its IP address iappContextDataSent A client station s Context Data has been sent to another access point with which the station has associated sntpServerFail The access point has failed to set the time from the configured SNTP server wirelessExternalAntenna An external antenna has been enabled dot11WirelessStationDeauthenticate A client station has deauthenticated from the network dot11...

Page 75: ... a new user to the list Click the edit button to change details of an existing user Click the Del button to remove a user from the list Note Users must be assigned to groups that have the same security levels For example a user who has Auth Type and Priv Type configured to MD5 and DES respectively that is it uses both authentication and data encryption must be assigned to the RWPriv group If this ...

Page 76: ...igured Define a filter name and subtree ID to be filtered Select the filter type include or exclude from the drop down list Click Apply to create the filter Configuring the SNMP filter ID To add more subtree IDs to the filter return to the SNMP Trap Filters page and click the Edit button In the Edit page click the New button to access the Add SNMP Notification Subtree page and configure a new subt...

Page 77: ...nfiguring SNMPv3 trap filters page 75 To configure a new notification receiver target click the New button A new page opens to configure the settings see the following figure To edit an existing target select the radio button next to the entry in the table and then click the Edit button To delete targets select the radio button next to the entry in the table and then click the Delete button Config...

Page 78: ...fined notification filter that is applied to the target Radio interface The IEEE 802 11a and 802 11b g interfaces include configuration options for radio signal characteristics and wireless security features The configuration options are nearly identical and are therefore both covered in this section of the manual The access point can operate in three modes IEEE 802 11a only 802 11b g only or a mi...

Page 79: ...page 111 Slot 0 Radio A 802 11a The IEEE 802 11a interface operates within the 5 GHz band at up to 54 Mb s in normal mode or up to 108 Mb s in Turbo mode First configure the radio settings that apply to the individual VAPs Virtual Access Point and the common radio settings that apply to the overall system After you have configured the radio settings go to the Security page under the 802 a Interfac...

Page 80: ...P interface does not include its SSID in beacon messages Nor does it respond to probe requests from clients that do not include a fixed SSID Default Disable Authentication Timeout Interval The time within which the client must finish authentication before authentication times out Range 5 60 minutes Default 60 minutes BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 ...

Page 81: ...t the VAP holds in a cache When the lifetime expires the security association and keys are deleted from the cache If the client returns to an access point after the association has been deleted it requires full reauthentication Range 1 1 440 minutes Default 720 minutes Configuring common radio settings To configure common radio settings select the Radio Settings page and scroll down to below the V...

Page 82: ...ted from the access point The higher the transmission power the farther the transmission range Power selection is not just a trade off between coverage area and maximum supported clients You must also ensure that high power signals do not interfere with the operation of other radio devices in the service area Options 100 50 25 12 minimum Default 100 Note When operating the access point using 5 GHz...

Page 83: ...orrect location ensures that the access point only uses radio channels that are permitted in the country of operation Default Indoor MIC Mode The Michael Integrity Check MIC is part of the Temporal Key Integrity Protocol TKIP encryption used in Wi Fi Protected Access WPA security The MIC calculation is performed in the access point for each transmitted packet and this can impact throughput and per...

Page 84: ...ut delays the transmission of broadcast and multicast frames or both Range 1 255 beacons Default 1 beacon Fragmentation Length Configures the minimum packet size that can be fragmented when passing through the access point Fragmentation of the PDUs Package Data Unit can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame ...

Page 85: ...c and optimize performance when multiple applications compete for wireless network bandwidth at the same time WMM employs techniques that are a subset of the developing IEEE 802 11e QoS standard and it enables the access point to inter operate with both WMM enabled clients and other devices that may lack any WMM functionality Access categories WMM defines four access categories ACs voice video bes...

Page 86: ...ut a priority tag are always added to the Best Effort AC queue From the four queues an internal virtual collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium For each AC queue the collision resolution mechanism is dep...

Page 87: ...high priority traffic the AIFSN and CW values are smaller The smaller values equate to less backoff and wait time and therefore more transmit opportunities To configure WMM select the Radio Settings page and scroll down to the WMM configuration settings Configuring WMM Backoff Wait Times BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nor...

Page 88: ... initial upper limit of the random backoff wait time before wireless medium access can be attempted The initial wait time is a random value between zero and the CWMin value Specify the CWMin value in the range 0 15 Note that the CWMin value must be equal or less than the CWMax value logCWMax Maximum Contention Window The maximum upper limit of the random backoff wait time before wireless medium ac...

Page 89: ...mation see Security page 91 enable the radio service for any of the VAP interfaces and then set an SSID to identify the wireless network service provided by each VAP Remember that only clients with the same SSID can associate with a VAP Note You must first enable VAP interface 0 before the other interfaces can be enabled Most of the 802 11b g commands are identical to those used by the 802 11a int...

Page 90: ...on neighboring access points at least five channels apart to avoid interference with each other For example in the United States you can deploy up to three access points in the same area for example channels 1 6 11 Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked Auto Channel Select Enables the access point to a...

Page 91: ...t is configured by default as an open system which broadcasts a beacon signal including the configured SSID Wireless clients with an SSID setting of any can read the SSID from the beacon and automatically set their SSID to allow immediate connection to the nearest access point To improve wireless network security you have to implement two main functions Authentication It must be verified that clie...

Page 92: ...figured RADIUS server 802 1X EAP type can require management of digital certificates for clients and server MAC Address Filtering Uses the MAC address of client network card Provides only weak user authentication Management of authorized MAC addresses Can be combined with other methods for improved security Optionally configured RADIUS server WPA over 802 1X Mode Requires WPA enabled system and ne...

Page 93: ...iant Note You must enable data encryption through the Web interface to enable all types of encryption WEP TKIP or AES in the access point The access point can simultaneously support clients using various different security mechanisms The configuration for these security combinations are outlined in the following table Note that MAC address authentication can be configured independently to work wit...

Page 94: ...ed Set 802 1x key refresh and re authentication rates Local RADIUS or Disabled Yes 802 1x WPA only Interface Detail Settings Authentication WPA Encryption Enable WPA Configuration Required Cipher Suite TKIP 802 1x Required Set 802 1x key refresh and reauthentication rates Local or Disabled Yes WPA Pre Shared Key only Interface Detail Settings Authentication WPA PSK Encryption Enable WPA Configurat...

Page 95: ...802 1x key refresh and reauthentication rates Local or Disabled Yes Static and dynamic 802 1x WEP keys and 802 1x WPA Enter 1 to 4 WEP keys Select a WEP transmit key Interface Detail Settings Authentication WPA Encryption Enable WPA Configuration Supported Cipher Suite WEP 802 1x Supported Set 802 1x key refresh and reauthentication rates Local or Disabled Yes 802 1x WPA2 only Interface Detail Set...

Page 96: ...WPA WPA2 Mixed Mode Pre Shared Key Interface Detail Settings Authentication WPA WPA2 PSK mixed Encryption Enable WPA Configuration Required Cipher Suite TKIP 802 1x Disable WPA Pre shared Key Type Hexadicmal or Alphanumeric Enter a WPA Preshared key Local or Disabled No 1 The configuration summary does not include the setup for MAC authentication or RADIUS server 2 The configuration of RADIUS MAC ...

Page 97: ... the WEP WPA and 802 1X security settings described in the following sections After you have finished configuring the security settings return to the main Security page shown in the following figure start the required VAP interfaces by clicking the Enable checkbox and then click Apply Enabling the VAPs Enable Enables radio communications on the VAP interface Default Disabled Note You must first en...

Page 98: ...entication and data encryption Up to four keys can be specified These four keys are used for all VAP interfaces on the same radio To set up WEP shared keys click Radio Settings under Radio A or Radio G Setting up WEP shared keys Key Type Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys Hexadecimal Enter keys as 10 hexadecimal digits 0 9 and ...

Page 99: ...tem that accepts network access attempts from any client or with clients using preconfigured static shared keys Default Open System Open System If you do not set up any other security mechanism on the access point the network has no protection and is open to all users This is the default setting Shared Key Sets the access point to use WEP shared keys If this option is selected you must configure a...

Page 100: ...ed network card driver and 802 1X client software that supports the EAP authentication type that you want to use Windows XP provides native WPA support other systems require additional software Temporal Key Integrity Protocol TKIP WPA specifies TKIP as the data encryption method to replace WEP TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys Basically TKIP s...

Page 101: ...tion Standard AES WPA2 uses AES Counter Mode encryption with Cipher Block Chaining Message Authentication Code CBC MAC for message integrity The AES Counter Mode CBCMAC Protocol AES CCMP provides extremely robust data confidentiality using a 128 bit key The AES CCMP encryption cipher is specified as a standard requirement for WPA2 However the computational intensive operations of AES CCMP requires...

Page 102: ...nclude the client s security association information Then when the client sends an association request to the new access point the client is known to be already authenticated so it proceeds directly to key exchange and association To configure WPA click Security under Radio A or Radio G Select one of the VAP interfaces by clicking More Select one of the WPA options in the Authentication Setup tabl...

Page 103: ...with a Preshared Key are accepted for authentication WPA Configuration Each VAP interface can be configured to allow only WPA enabled clients to access the network Required or to allow access to both WPA and WEP clients Supported Default Required Cipher Suite Selects an encryption method for the global key used for multicast and broadcast traffic which is supported by all wireless clients WEP WEP ...

Page 104: ...zed access to the network by requiring an 802 1X client application to submit user credentials for authentication The 802 1X standard uses the Extensible Authentication Protocol EAP to pass user credentials either digital certificates usernames and passwords or other from the client to the RADIUS server Client authentication is then verified on the RADIUS server before the access point grants clie...

Page 105: ...he access point initiates authentication Only those clients successfully authenticated with 802 1X are allowed to access the network Note If 802 1X is enabled on the access point then RADIUS setup must be completed For further information see RADIUS page 50 When 802 1X is enabled the broadcast and session key rotation intervals can also be configured Broadcast Key Refresh Rate Sets the interval at...

Page 106: ...ystem configuration settings as well as the settings for the wireless interface Access Point Status settings AP System Configuration The AP System Configuration table displays the basic system configuration settings System Up Time Length of time the management agent has been up Ethernet MAC The physical layer address for the Ethernet port Radio A MAC The physical layer address for the 802 11a inte...

Page 107: ...lowing listed radio and VAP interface settings Note that Interface Wireless A refers to the 802 11a radio and Interface Wireless G refers the 802 11b g radio SSID The service set identifier for the VAP interface Radio Channel The radio channel through which the access point communicates with wireless clients Encryption The key size used for data encryption Authentication Type Shows the type of aut...

Page 108: ...er authentication is completed stations can associate with the current access point or reassociate with a new access point Using the association procedure the wireless system can track the location of each mobile client and ensure that frames destined for each client are forwarded to the appropriate access point Forwarding Allowed Shows if the station has passed 802 1X authentication and is now al...

Page 109: ... Access point was set to Shared Key Authentication but a client sent an authentication frame for Open System WEP keys do not match When the access point uses Shared Key Authentication but the key used by client and access point are not the same the frame is decrypted incorrectly using the wrong algorithm and sequence number STP Status The STP Status window shows the STP status for each port STP St...

Page 110: ...ation management State Display the STP state for the specified port BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 111: ...can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV te...

Page 112: ...ve priority of the 5250 5350 MHz and 5470 5725 MHz bands These radars could cause interference and or damage to the access point when used in Canada The term IC before the radio certification number only signifies that Industry Canada technical specifications were met Industry Canada Class B This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus ...

Page 113: ...ill automatically limit the allowable channels determined by the current country of operation Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems The user is obligated to ensure the device is operating according to the channel limitations indoor outdoor restrictions and license requirements for each European Community co...

Page 114: ...peration Using 5 GHz Channels in the European Community The user installer must use the provided configuration utility to check the current channel of operation and make necessary configuration changes to ensure operation occurs in conformance with European National spectrum usage laws as described below and elsewhere in this document Allowed 5GHz Channels in Each European Community Country Allowe...

Page 115: ...s 115 Declaration of Conformity in Languages of the European Community BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 116: ...sconnecting the power cord from the outlet This unit operates under SELV Safety Extra Low Voltage conditions according to IEC 60950 The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions The PoE Power over Ethernet which is to be interconnected with other equipment that must be contained within the same building including the interconnected...

Page 117: ...with NEMA 5 15P 15 A 125 V or NEMA 6 15P 15 A 250 V configuration Denmark The supply plug must comply with Section 107 2 D1 Standard DK2 1a or DK2 5a Switzerland The supply plug must comply with SEV ASE 1011 The supply plug must comply with BS1363 3 pin 13 A and be fitted with a 5 A fuse which complies with BS1362 U K The mains cord must be HAR or BASEC marked and be of type HO3VVF3GO 75 minimum T...

Page 118: ...118 References Power Cord Safety France BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 119: ...gulatory compliances 119 Power Cord Safety Germany BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 120: ...Also an RJ 45 connector must be attached to both ends of the cable CAUTION Each wire pair must be attached to the RJ 45 connectors in a specific orientation CAUTION DO NOT plug a phone jack connector into the RJ 45 port Use only twisted pair cables with RJ 45 connectors that conform with FCC standards BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copy...

Page 121: ...s 328 feet The RJ 45 port on the access point is wired with MDI pinouts This means that you must use crossover cables for connections to PCs or servers and straight through cable for connections to switches or hubs However when connecting to devices that support automatic MDI MDI X pinout configuration you can use either straight through or crossover cable 10 100BASE TX MDI port pinouts 10 100BASE...

Page 122: ... only have MDI X ports Straight through wiring configuration Wiring map for serial cable Wiring map for serial cable DB9 Male AP Console DB9 Male PC DTE Pin Function Pin Function 1 GND ground 5 GND ground 2 Unused 4 Unused 3 RXD receive data 3 TXD transmit data 4 TXD transmit data 2 RXD receive data 5 Unused 1 Unused 6 Unused 9 Unused 7 RTS request to send 8 CTS clear to send 8 CTS clear or send 7...

Page 123: ...ts wired and wireless networks Access points attached to a wired network support the creation of multiple radio cells that enable roaming throughout a facility Ad hoc A group of computers connected as an independent wireless network without an access point Advanced Encryption Standard AES An encryption algorithm that implements symmetric key cryptography AES provides very strong encryption using a...

Page 124: ... allocation of reusable network addresses and additional configuration options Encryption Data passing between the access point and clients can use encryption to protect from interception and eavesdropping Extended Service Set ESS More than one wireless cell can be configured with the same Service Set Identifier to allow mobile users can roam between different cells with the Extended Service Set E...

Page 125: ...s communications in the 2 4 GHz band using Orthogonal Frequency Division Multiplexing OFDM The standard provides for data rates of 6 9 11 12 18 24 36 48 54 Mb s IEEE 802 11g is also backward compatible with IEEE 802 11b IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication Infrastructure An integrated wireles...

Page 126: ...ng of access point s and network devices and significantly decreased installation costs RADIUS A logon authentication protocol that uses software running on a central server to control access to the network Roaming A wireless LAN mobile user moves around an ESS and maintains a continuous connection to the infrastructure network RTS threshold Transmitters contending for the medium may not be aware ...

Page 127: ...nt VAP Virtual AP technology multiplies the number of Access Points present within the RF footprint of a single physical access device With Virtual AP technology WLAN users within the device footprint can associate with what appears to be different access points and their associated network services All the services are delivered using a single radio channel enabling Virtual AP technology to optim...

Page 128: ...rk traffic WPA Preshared Key PSK PSK can be used for small office networks that do not have the resources to configure and maintain a RADIUS server WPA provides a simple operating mode that uses just a preshared password for network access BAP120 Using the Nortel Business Access Point 120 NN47921 301 01 01 Standard 1 0 August 2006 Copyright 2006 Nortel Networks Nortel Networks Confidential ...

Page 129: ......

Page 130: ...da and the United States of America The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information ...

Reviews: