
Deep Packet Inspection and Application Visibility

SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02

22.5 Configuring ACL Rules for Application and Application Categories

This section describes the procedure for configuring access rules based on application and application categories. The Application and Application category rules utilize the onboard DPI engine.

 

For information on configuring access rules to control access to network services, see Configuring ACL Rules for Network Services (Page 244).

 

For information on configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service (Page 371).

In the SCALANCE W UI

To configure ACL rules for a user role:

1. Navigate to the Security > Roles tab. The Roles tab contents are displayed. You can also configure access rules for a wired or wireless client by using:
   - The WLAN wizard (Network > WLAN SSID > Edit > Edit WLAN > Access) or
   - The Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.
2. Select the role for which you want to configure the access rules.
3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.
4. Ensure that the rule type is set to Access Control.
5. To configure access to applications or an application category, select a service category from the following list:
   - Application
   - Application category

Summary of Contents for SCALANCE W1750D UI

Page 1: ...etrieval of Configuration 5 SCALANCE W User Interface 6 Initial Configuration Tasks 7 Customizing AP Settings 8 VLAN Configuration 9 IPv6 Support 10 Wireless Network Profiles 11 Wired Profiles 12 Captive Portal for Guest Access 13 Authentication and User Management 14 Roles and Policies 15 DHCP Configuration 16 Configuring Time Based Services 17 Continued on next page ...

Page 2: ...Siemens AG Division Process Industries and Drives Postfach 48 48 90026 NÜRNBERG DEUTSCHLAND C79000 G8976 C451 02 Ⓟ 02 2018 Änderungen vorbehalten Copyright Siemens AG 2018 Alle Rechte vorbehalten ...

Page 3: ...nspection and Application Visibility 22 Voice and Video 23 Services 24 AP Management and Monitoring 25 Uplink Configuration 26 Intrusion Detection 27 Mesh AP Configuration 28 Mobility and Client Management 29 Spectrum Monitor 30 AP Maintenance 31 Monitoring Devices and Logs 32 Hotspot Profiles 33 ClearPass Guest Setup 34 AP VPN Deployment Scenarios 35 Appendix A ...

Page 4: ...rated only by personnel qualified for the specific task in accordance with the relevant documentation in particular its warning notices and safety instructions Qualified personnel are those who based on their training and experience are capable of identifying risks and avoiding potential hazards when working with these products systems Proper use of Siemens products Note the following WARNING Siem...

Page 5: ...ugh Airwave 33 4 3 Logging in to the SCALANCE W UI 34 4 4 Accessing the SCALANCE W CLI 36 5 Automatic Retrieval of Configuration 41 5 1 Managed Mode Operations 41 5 2 Configuration Managed Mode Parameters 42 5 3 Verifying the Configuration 44 6 SCALANCE W User Interface 45 6 1 Login Screen 45 6 2 Main Window 47 6 2 1 Tabs 49 6 2 1 1 Network Tab 49 6 2 1 2 Access Points Tab 50 6 2 1 3 Clients Tab 5...

Page 6: ...98 8 9 Removing an AP from the Network 99 9 VLAN Configuration 101 9 1 VLAN Pooling 101 9 2 Uplink VLAN Monitoring and Detection on Upstream Devices 101 10 IPv6 Support 103 10 1 IPv6 Notation 103 10 2 Enabling IPv6 Support for AP Configuration 104 10 3 Firewall Support for IPv6 106 10 4 Debugging Commands 107 11 Wireless Network Profiles 109 11 1 Configuring Wireless Network Profiles 109 11 1 1 Co...

Page 7: ... 12 6 Understanding Hierarchical Deployment 159 13 Captive Portal for Guest Access 161 13 1 Understanding Captive Portal 161 13 1 1 Types of Captive Portal 161 13 1 2 Walled Garden 162 13 2 Configuring a WLAN SSID for Guest Access 163 13 3 Configuring Wired Profile for Guest Access 170 13 4 Configuring Internal Captive Portal for Guest Network 172 13 5 Configuring External Captive Portal for Guest...

Page 8: ...n for a Network Profile 224 14 8 Enabling 802 1X Supplicant Support 227 14 9 Configuring MAC Authentication for a Network Profile 229 14 10 Configuring MAC Authentication with Captive Portal Authentication 231 14 11 Configuring WISPr Authentication 233 14 12 Blacklisting Clients 235 14 13 Uploading Certificate 238 15 Roles and Policies 243 15 1 Firewall Policies 243 15 1 1 Access Control List Rule...

Page 9: ... 19 1 Understanding VPN Features 303 19 2 Configuring a Tunnel from an AP to a Mobility Controller 305 19 2 1 Configuring an IPsec Tunnel 305 19 2 2 Configuring an L2 GRE Tunnel 308 19 2 3 Configuring an L2TPv3 Tunnel 313 19 3 Configuring Routing Profiles 323 20 AP VPN Deployment 327 20 1 Understanding AP VPN Architecture 327 20 2 Configuring AP and Controller for AP VPN Operations 331 20 2 1 Conf...

Page 10: ...CE W 393 24 2 Configuring an AP for RTLS Support 395 24 3 Configuring an AP for Analytics and Location Engine Support 397 24 4 Managing BLE Beacons 400 24 5 Configuring OpenDNS Credentials 402 24 6 Integrating an AP with Palo Alto Networks Firewall 403 24 7 Integrating an AP with an XML API Interface 406 24 8 CALEA Integration and Lawful Intercept Compliance 409 25 AP Management and Monitoring 417...

Page 11: ...471 31 1 Upgrading an AP 471 31 2 Backing up and Restoring AP Configuration Data 473 31 3 Converting an AP to a Remote AP and Campus AP 474 31 4 Resetting a Remote AP or Campus AP to an AP 478 31 5 Rebooting the AP 479 32 Monitoring Devices and Logs 481 32 1 Configuring SNMP 481 32 2 Configuring a Syslog Server 486 32 3 Configuring TFTP Dump Server 489 32 4 Running Debug Commands 490 32 5 Uplink B...

Page 12: ...naged Mode Commands 42 Table 6 1 Types of Alerts 75 Table 6 2 Types of Alerts 76 Table 7 1 System Parameters 81 Table 13 1 External Captive Portal Redirect Parameters 181 Table 14 1 User Privileges 197 Table 14 2 WPA and WPA 2 Features 220 Table 14 3 Recommended Authentication and Encryption Combinations 221 Table 15 1 Regular Expressions 277 Table 16 1 DHCP Relay and Option 82 289 Table 19 1 VPN ...

Page 13: ...r Scenario 2 IPsec Single Datacenter with Multiple controllers for Redundancy 537 Table 35 3 AP Configuration for Scenario 3 IPsec Multiple Datacenter Deployment 543 Figures Figure 4 1 Login Screen 34 Figure 6 1 Connectivity Summary 45 Figure 6 2 SCALANCE W Main Window 47 Figure 6 3 VPN Window for IPsec Configuration 56 Figure 6 4 IDS Window Intrusion Detection 57 Figure 6 5 IDS Window Intrusion P...

Page 14: ...er 199 Figure 14 2 Configuring WISPr Authentication 233 Figure 14 3 Loading Certificate through AirWave 240 Figure 14 4 Server Certificate 240 Figure 14 5 Selecting the Group 241 Figure 15 1 Firewall Settings ALG Protocols 250 Figure 15 2 Firewall Settings Protection Against Wired Attacks 251 Figure 15 3 Inbound Firewall Rules New Rule Window 255 Figure 15 4 Firewall Settings Management Subnets 25...

Page 15: ...irGroup Enables Personal Device Sharing 384 Figure 24 2 Bonjour Services and AirGroup Architecture 385 Figure 24 3 DLNA UPnP Services and AirGroup Architecture 386 Figure 24 4 AirGroup in a Higher Education Environment 387 Figure 24 5 AirGroup Configuration 390 Figure 24 6 RTLS Window 395 Figure 24 7 Services Window ALE Integration 398 Figure 24 8 Services Window Network Integration Tab 404 Figure...

Page 16: ...ices 520 Figure 34 3 Configure AirGroup Services Controller Settings 521 Figure 34 4 Configuration Identity Local Users Selection 522 Figure 34 5 Create an AirGroup Administrator 523 Figure 34 6 Create an AirGroup Operator 524 Figure 34 7 Local Users UI Screen 524 Figure 34 8 Create a Device 525 Figure 34 9 ClearPass Guest Register Shared Device 525 Figure 35 1 Scenario 1 IPsec Single datacenter D...

Page 17: ...d only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures e g firewalls and or network segmentation are in place For additional information on industrial security measures that may be implemented please visit https www siemens com industrialsecurity Siemens products and solutions undergo continuous d...

Page 18: ...About this guide SCALANCE W1750D UI 18 Configuration Manual 02 2018 C79000 G8976 C451 02 ...

Page 19: ...important concepts Table 1 1 Typographical Conventions Style Type Description Italics This style is used to emphasize important terms and to mark the titles of books System items This fixed width font depicts the following Sample screen output System prompts Filenames software devices and specific commands when mentioned in the text Commands In the command examples this style depicts the keywords ...

Page 20: ...iemens Industry Online Support at the following Internet address https support industry siemens com cs de en Apart from news there you will also find Project information Manuals FAQs downloads application examples etc Contacts Technical Forum The option to submit a support query https support industry siemens com My ww en requests Our service offer Right across our products and systems we provide ...

Page 21: ...nctions Keep the software up to date Check regularly for security updates of the product You will find information on this on the Internet pages Industrial Security https www siemens com industrialsecurity Inform yourself regularly about security advisories and bulletins published by Siemens ProductCERT https www siemens com cert en cert security advisories htm Only activate protocols that you rea...

Page 22: ...HyperText Transfer Protocol Secured Socket Layer We strongly recommend that you create your own HTTPS certificates and make them available There are preset certificates and keys on the device The preset and automatically created HTTPS certificates are self signed We recommend that you use HTTPS certificates signed either by a reliable external or by an internal certification authority The HTTPS ce...

Page 23: ...secure Use the option of preventing write access The product provides you with suitable setting options If SNMP is enabled change the community names If no unrestricted access is necessary restrict access with SNMP Use SNMPv3 in conjunction with passwords HTTP HTTPS Telnet SSH SNTP NTP Use secure protocols when access to the device is not prevented by physical protection measures To prevent unauth...

Page 24: ...thenticated Protocol Port number Port status Factory setting of the port Authentication Air Monitor UDP 1144 Open Open Yes Airgroup UDP 53536 Open Open Yes Airgroup Master to slave UDP 53535 Open Open No Bootps UDP 67 Open Open No Captive portal TCP 8080 Open Open Yes DHCP UDP 1067 Open Open No UDP 4011 Open Open No DTLS UDP 4433 Open Open Yes HTTP TCP 80 Open Open Yes TCP 4343 Open Open Yes HTTPS...

Page 25: ...sy deployment and proactive management of networks SCALANCE W is ideal for small customers or remote locations without any on site IT administrator SCALANCE W consists of an AP and a Virtual Controller The Virtual Controller resides within one of the APs In an SCALANCE W deployment scenario only the first AP needs to be configured After the first AP is configured the other APs inherit all the requ...

Page 26: ...be launched using the following browsers Microsoft Internet Explorer 11 or earlier Apple Safari 6 0 or later Google Chrome 23 0 1271 95 or later Mozilla Firefox 17 0 or later If the SCALANCE W UI is launched through an unsupported browser a warning message is displayed along with a list of recommended browsers However the users are allowed to login using the Continue login link on the Login page N...

Page 27: ...W CLI The SCALANCE W Command Line Interface CLI is a text based interface that is accessible through a Secure Shell SSH session SSH access requires that you configure an IP address and a default gateway on the AP and connect the AP to your network This is typically performed when the SCALANCE W network on an AP is set up ...

Page 28: ...About SCALANCE W 3 3 SCALANCE W CLI SCALANCE W1750D UI 28 Configuration Manual 02 2018 C79000 G8976 C451 02 ...

Page 29: ...ent PSE switch or a midspan PSE device AP power adapter kit Perform the following procedures to set up the SCALANCE W network 1 Connecting an AP Page 29 2 Assigning an IP address to the AP Page 30 4 1 1 Connecting an AP Based on the type of the power source used perform one of the following steps to connect an AP to the power source PoE switch Connect the Ethernet 0 Enet0 port of the AP to the app...

Page 30: ...address If a static IP is not assigned the AP obtains an IP automatically within the 169 254 subnet Assigning a Static IP To assign a static IP to an AP 1 Connect a terminal PC or workstation running a terminal emulation program to the Console port on the AP 2 Turn on the AP An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed 3 Press ...

Page 31: ...ly without manual intervention Following are the zero touch provisioning methods for SCALANCE W In order for zero touch provisioning to be successful the timezone of the AP must be in synchronization with the NTP server Note To facilitate zero touch provisioning using the AirWave Management Platform AMP you must configure the firewall and wired infrastructure to either allow the NTP traffic to poo...

Page 32: ...rk 1 Ensure that the client is not connected to any wired network 2 Connect a wireless enabled client to a provisioning Wi Fi network for example scalance 3 If the Windows operating system OS is used Click the wireless network connection icon in the system tray The Wireless Network Connection window is displayed Click the SCALANCE W network and then click Connect 4 If the Mac OS system is used Cli...

Page 33: ...tion program to the Console port on the AP 2 Configure the terminal or terminal emulation program to use the following communication settings Baud Rate Data Bits Parity Stop Bits Flow Control 9600 8 None 1 None 3 Turn on the AP An autoboot countdown prompt that allows you to interrupt the normal startup process and access apboot is displayed 4 Click Enterkey before the timer expires The AP goes in...

Page 34: ...omains The IEEE 802 11 b g n Wi Fi networks operate in the 2 4 GHz spectrum and IEEE 802 11a n operates in the 5 GHz spectrum The spectrum is divided into channels The 2 4 GHz spectrum is divided into 14 overlapping staggered 20 MHz wireless carrier channels These channels are spaced 5 MHz apart The 5 GHz spectrum is divided into more channels The channels that can be used in a particular country ...

Page 35: ...sanctions on operators of wireless networks with devices set to improper country codes To view the country code information run the show country codes command Specifying Country Code Note This procedure is applicable only to the AP RW variants Skip this step if you are installing AP in the United States or Japan The Country Code window is displayed for the AP RW variants when you log in to the AP ...

Page 36: ...t a CLI session For example User admin If the login is successful the privileged command mode is enabled and a command prompt is displayed For example scalance The privileged EXEC mode provides access to show clear ping traceroute and commit commands The configuration commands are available in the config mode To move from Privileged EXEC mode to the Configuration mode enter the following command a...

Page 37: ... To apply the configuration changes to the cluster without saving the configuration execute the following command in the privileged EXEC mode scalance commit apply no save To view the changes that are yet to be applied execute the following command in the privileged EXEC mode scalance show uncommitted config To revert to the earlier configuration execute the following command in the privileged EXE...

Page 38: ...wing table lists the sequence sensitive commands and the corresponding no commands to remove the configuration Sequence Sensitive Command Corresponding no command opendns username password no opendns rule dest mask match protocol start port end port permit deny src nat dst nat IP address port port option1 option9 no rule dest mask match protocol start port end port permit deny src nat dst nat mgmt...

Page 39: ...cluding spaces To configure a banner scalance config banner motd motd_text Example of a text banner configuration scalance config banner motd welcome to login scalance scalance config banner motd please start to input admin and password scalance config banner motd Don t leak the password scalance config end scalance commit apply To display the banner scalance show banner The loginsession command c...

Page 40: ...Setting up an AP 4 4 Accessing the SCALANCE W CLI SCALANCE W1750D UI 40 Configuration Manual 02 2018 C79000 G8976 C451 02 ...

Page 41: ...e configuration can be changed at any point You can configure a polling mechanism to fetch the latest configuration by using an FTP or FTPS client periodically If the remote configuration is different from the one running on the AP and if a difference in the configuration file is detected by the AP the new configuration is applied At any given time APs can fetch only one configuration file which m...

Page 42: ...p ftps You can use either FTP or FTPS for downloading configuration files 5 Specify the name of the server or the IP address of the server from which the configura tion file must be downloaded scalance managed mode profile server server_name 6 Configure the day and time at which the APs can poll the configuration files from the server scalance managed mode profile sync time day dd hour hh min mm w...

Page 43: ...d scalance managed mode sync server Example To configure managed mode profile scalance config managed mode profile scalance managed mode profile username username scalance managed mode profile password password scalance managed mode profile config filename instant cfg scalance managed mode profile download method ftps scalance managed mode profile sync time day 00 hour 03 min 30 window 02 scalance...

Page 44: ...form the following checks 1 Verify the status of configuration by running the following commands at the command prompt scalance show managed mode config scalance show managed mode status 2 Verify the status of download by running the following command at the command prompt scalance show managed mode logs If the configuration settings retrieved in the configuration file are incomplete APs reboot wi...

Page 45: ...ellular modem and signal strength VPN and AirWave configuration details before logging in to the SCALANCE W UI The following figure shows the information displayed in the connectivity summary Figure 6 1 Connectivity Summary Language The Language drop down list contains the available languages and allows users to select their preferred language before logging in to the SCALANCE W UI A default langu...

Page 46: ...en SCALANCE W1750D UI 46 Configuration Manual 02 2018 C79000 G8976 C451 02 Logging into the SCALANCE W UI To log in to the SCALANCE W UI enter the following credentials Username admin Password admin The SCALANCE W UI main window is displayed ...

Page 47: ... SCALANCE W UI Main Window is displayed The following figure shows the SCALANCE W main window Figure 6 2 SCALANCE W Main Window The main window consists of the following elements Banner Search Text Box Tabs Links Views Banner The banner is a horizontal gray rectangle that appears on the SCALANCE W main window It displays the company name logo and the VC s name ...

Page 48: ...f the following tabs Network Tab Provides information about the network profiles configured in the SCALANCE W network Access Points Tab Provides information about the APs configured in the SCALANCE W network Clients Tab Provides information about the clients in the SCALANCE W network Each tab appears in a compressed view by default The number of networks APs or clients in the network precedes the ...

Page 49: ... 2 1 1 Network Tab This tab displays a list of Wi Fi networks that are configured in the SCALANCE W network The network names are displayed as links The expanded view displays the following information about each WLAN SSID Name Name of the network Clients Number of clients that are connected to the network Type Type of network such as Employee Guest or Voice Band Band in which the network is broad...

Page 50: ... for spectrum analysis while monitoring channels for rogue APs in the background Monitor In this mode the AP acts as a dedicated Air Monitor AM scanning all channels for rogue APs and clients Spectrum When enabled the AP functions as a dedicated full spectrum RF monitor scanning all channels to detect interference from neighboring APs or non Wi Fi devices such as microwaves and cordless phones Whe...

Page 51: ...ss IP address of the client MAC Address MAC address of the client OS Operating system that runs on the client ESSID ESSID to which the client is connected Access Point AP to which the client is connected Channel The client operating channel Type Type of the Wi Fi client Role Role assigned to the client Signal Current signal strength of the client as detected by the AP Speed mbps Current speed at w...

Page 52: ...tenance More Help Logout Monitoring Client Match AppRF Spectrum Alerts IDS AirGroup Configuration AirWave Setup Pause Resume Each of these links is explained in the subsequent sections 6 2 2 1 New Version Available This link is displayed on the SCALANCE W main window only if a new image version is available on the image server and AirWave is not configured For more information on the New version a...

Page 53: ...Enterprise Domains Allows you to view or configure the DNS domain names that are valid in the enterprise network See Configuring Enterprise Domains Page 331 for more information Monitoring Allows you to view or configure the following details Syslog Allows you to view or configure Syslog server details for sending syslog messages to the external servers See Configuring a Syslog Server Page 486 for...

Page 54: ...rt allows you to configure permissions for each role For more information see Configuring User Roles Page 266 and Configuring ACL Rules for Network Services Page 244 Blacklisting Use this tab to blacklist clients For more information see Blacklisting Clients Page 235 Firewall Settings Use this tab to enable or disable Application Layer Gateway ALG supporting address and port translation for variou...

Page 55: ...s saved in the file named instant cfg Restore Configuration Allows you to restore the backed up configuration After restoring the configuration the AP must be rebooted for the changes to take effect Certificates Displays information about the certificates installed on the AP You can also upload new certificates to the AP database For more information see Uploading Certificates Page 238 Firmware Di...

Page 56: ...lowing options VPN IDS Wired Services DHCP Server Support VPN The VPN window allows you to define communication settings with a controller or a third party VPN concentrator See VPN Configuration Page 303 for more information The following figure shows an example of the IPsec configuration options available in the VPN window Figure 6 3 VPN Window for IPsec Configuration ...

Page 57: ... window allows you to configure wireless intrusion detection and protection levels The following figures show the IDS window Figure 6 4 IDS Window Intrusion Detection Figure 6 5 IDS Window Intrusion Protection For more information on wireless intrusion detection and protection see Detecting and Classifying Rogue APs Page 441 ...

Page 58: ...ation Server with SCALANCE W For more information see Configuring an AP for RTLS Support Page 395 The RTLS tab also allows you to integrate AP with the Analytics and Location Engine ALE For more information about configuring an AP for ALE integration see Configuring an AP for Analytics and Location Engine Support Page 397 OpenDNS Allows you to configure support for OpenDNS business solutions which...

Page 59: ...re an AP for integration with Palo Alto Networks PAN Firewall and XML API server For more information on AP integration with PAN see Integrating an AP with Palo Alto Networks Firewall Page 403 and Integrating an AP with an XML API Interface Page 406 The following figure shows the default view of the Services window Figure 6 7 Services Window Default View ...

Page 60: ...on Manual 02 2018 C79000 G8976 C451 02 DHCP Server The DHCP Servers window allows you to configure various DHCP modes The following figure shows the options available in the DHCP Servers window Figure 6 8 DHCP Servers Window For more information see DHCP Configuration Page 281 ...

Page 61: ...s as an HTML or text file For more information on support commands see Running Debug Commands Page 490 6 2 2 7 Help The Help link allows you to view a short description or definition of the selected terms in the UI windows or the dialog boxes To activate the context sensitive help 1 Click the Help link available above the Search bar on the SCALANCE W main window 2 Click any text or term displayed ...

Page 62: ...ss Switch MAS integration feature Uplink type Displays the type of uplink configured on the AP for example Ethernet or 3G Uplink status Indicates the uplink status Blacklisted clients Displays the number of blacklisted clients Internal RADIUS Users Displays the number of internal RADIUS users Internal Guest Users Displays the number of internal guest users Internal User Open Slots Displays the ava...

Page 63: ...emory availability of the AP in MB Serial number Displays the serial number of the AP MAC Displays the MAC address From Port Displays the port from where the slave AP is learned in hierarchy mode Info section in the Client view The Info section in the Client view displays the following information Name Displays the name of the client IP Address Displays the IP address of the client MAC Address Dis...

Page 64: ...hanges in the following order Green Signal strength is more than 20 dB Orange Signal strength is between 15 dB and 20 dB Red Signal strength is less than 15 dB To view the signal graph for a client click the signal icon next to the client in the Signal column 2 Speed Displays the data transfer speed of the client Depending on the data transfer speed of the client the color of the Speed icon change...

Page 65: ...ween 80 dBm and 87 dBm Red Noise floor is less than 80 dBm To view the noise floor graph of an AP click the Noise icon next to the AP in the Noise column 5 Errors Displays the errors for the APs Depending on the errors color of the lines on the Errors icon changes in the following order Green Errors are less than 5000 frames per second Orange Errors are between 5000 and 10 000 frames per second Re...

Page 66: ...strength of the client for the last 15 minutes It is measured in deci bels To see an enlarged view click the graph The enlarged view provides Last Minimum Maximum and Average signal statistics of the client for the last 15 minutes To see the exact signal strength at a particular time move the cursor over the graph line To monitor the signal strength of the selected client for the last 15 minutes 1...

Page 67: ...o see an enlarged view click the graph The enlarged view shows Last Minimum Maximum and Average statistics of the client for the last 15 minutes To see the exact speed at a particular time move the cursor over the graph line To monitor the speed for the client for the last 15 minutes 1 Log in to the SCALANCE W UI The Virtual Controller view is displayed This is the default view 2 On the Clients ta...

Page 68: ...6 12 Usage Trends Graphs in the Default View The following table describes the graphs displayed in the Network view Graph Name Description Monitoring Procedure Clients The Clients graph shows the number of clients associated with the network for the last 15 minutes To see an enlarged view click the graph The enlarged view provides Last Minimum Maximum and Average statistics for the number of clien...

Page 69: ...Neighboring APs The Neighboring APs graph shows the number of APs detected by the selected AP Valid APs An AP that is part of the enter prise providing WLAN service Interfering APs An AP that is seen in the RF environment but is not connected to the network Rogue APs An unauthorized AP that is plugged into the wired side of the network To see the number of different types of neigh boring APs for t...

Page 70: ...splays the memory availability of the AP in MB To see the free memory of the AP move the cursor over the graph line To check the free memory of the AP for the last 15 minutes 1 Log in to the SCALANCE W UI The Virtual Controller view is displayed This is the default view 2 On the Access Points tab click the AP for which you want to monitor the client associ ation 3 Study the Memory free graph in th...

Page 71: ...P at a particular time move the cursor over the graph line To check the throughput of the selected AP for the last 15 minutes 1 Log in to the SCALANCE W UI The Virtual Controller view is displayed This is the default view 2 On the Access Points tab click the AP for which you want to monitor the throughput 3 Study the Throughput graph For example the graph shows 44 03 Kbps incoming traffic throughp...

Page 72: ...between 2 4 GHz and 5 GHz links in the Client Match graph area to view the data When you hover the mouse on the graph details such as RSSI Client Match status and the client distribution on channels are displayed The following figure shows the client distribution details for an AP radio Figure 6 13 Client Distribution on AP Radio On clicking a client in the Clients tab and the Client Match link a ...

Page 73: ...on and Monitoring This chart provides an overview of channel quality across the spectrum It shows channel utilization information such as channel quality availability and utilization metrics as seen by a spectrum monitor for the 2 4 GHz and 5 GHz radio bands The first bar for each channel represents the percentage of airtime used by non Wi Fi interference and Wi Fi devices The second bar indicates...

Page 74: ...ated can be categorized as follows 802 11 related association and authentication failure alerts 802 1X related mode and key mismatch server and client time out failure alerts IP address related failures Static IP address or DHCP related alerts The following figure shows the contents of details displayed on clicking the Alerts link Figure 6 15 Alerts Link The Alerts link displays the following type...

Page 75: ... the AP to which the client is connected Details Provides complete details of the alert Active Faults The Active Faults alerts occur in the event of a system fault The Active Faults alerts consists of the following information Time Displays the system time when an event occurs Number Indicates the number of sequence Description Displays the event details Fault History The Fault History alerts disp...

Page 76: ...red an internal error for this client Contact the Siemens customer support team 100102 Unknown SSID in association re quest The AP cannot allow this client to associ ate because the association request received contains an unknown SSID Identify the client and check its Wi Fi driver and manager software 100103 Mismatched authenticati on encryption setting The AP cannot allow this client to associ a...

Page 77: ...authenticate this client using 802 1X because the RADIUS serv er did not respond to the authentication request If the AP is using the internal RADIUS server it is recommend to check the related configuration as well as the in stalled certificate and passphrase If the AP is using the internal RADIUS server Siemens recommends checking the related configuration as well as the installed certifi cate a...

Page 78: ...in the network Where Provides information about the AP that detected the foreign AP Click the push pin icon to view the information Foreign Clients Detected Lists the clients that are not controlled by the VC The following information is displayed for each foreign client MAC address Displays the MAC address of the foreign client Network Displays the name of the network to which the foreign client ...

Page 79: ...through a wired or wireless interface Role Displays the user role if the server is connected through 802 1X authentication If the server is connected through Phase Shift Keying PSK or open authentication this parameter is blank Group Displays the group CPPM By clicking this you get details of the registered rules in ClearPass Policy Manager CPPM for this server MDNS Cache By clicking this you rece...

Page 80: ...ation about the VC Wi Fi networks APs or the clients in the Info section The views on the SCALANCE W main window are classified as follows Virtual Controller view The VC view is the default view This view allows you to monitor the SCALANCE W network The following SCALANCE W UI elements are available in this view Tabs Networks Access Points and Clients For detailed information on the tabs see Tabs ...

Page 81: ...e AP that takes the role of a VC When an AP becomes a VC it sends three Address Resolution Protocol ARP messages with the static IP address and its MAC address to update the network ARP cache scalance config virtual controller ip IP address Allow IPv6 Management Select the check box to enable IPv6 configuration Virtual Controller IPv6 This parameter is used to configure the IPv6 address scalance c...

Page 82: ...CACS server then the IP address of the tunnel interface will be used If a VC IP address is configured the same will be used by the VC network to communicate with the external TACACS server If a VC IP is not configured then the IP address of the bridge interface is used NOTE When dynamic tacacs proxy is enabled on the AP the TACACS server cannot identify the slave AP that generates the TACACS t...

Page 83: ... through the DHCP option 42 If the NTP server is configured it takes precedence over the DHCP option 42 provisioned value The NTP server provisioned through the DHCP option 42 is used if no server is configured The default server pool ntp org is used if no NTP server is configured or provisioned through DHCP option 42 NOTE To facilitate zero touch provisioning using the AMP you must configure the...

Page 84: ...per AP setting Edit Access Point General it takes precedence over the VC DNS IP address defined in the System General window If the APs are not explicitly assigned a DNS IP address the DNS IP address defined in System General takes precedence If the DNS IP address is not defined for APs or VC the DNS address dynamically assigned from the DHCP server is used Virtual Controller VLAN Ensure that th...

Page 85: ...d traffic management policies defined in upstream devices you can disable bridging traffic between two clients connected to the same AP on the same VLAN When inter user bridging is denied the clients can connect to the Internet but cannot communicate with each other and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision By default the Deny inte...

Page 86: ...sabled altogether the dynamic CPU management feature settings can be modified To configure dynamic CPU management select any of the following options from DYNAMIC CPU UTILIZATION Automatic When selected the CPU management is enabled or disabled automatically during runtime This decision is based on real time load calculations taking into account all different functions that the CPU needs to per...

Page 87: ...ll the management user passwords can be stored and displayed as hash instead of plain text Hashed passwords are more secure as they cannot be converted back to plain text format This setting is enabled by default on factory reset APs running Version 6 5 1 0 4 3 1 onwards and is applicable to all APs in the cluster Hashing of the management user password can be configured by using either the SCALAN...

Page 88: ...ig hash mgmt password scalance config end scalance commit apply The following example adds a management user with read only privilege scalance config hash mgmt user john password cleartext password01 usertype read only scalance config end scalance commit apply The following examples removes a management user with read only privilege scalance config no hash mgmt user read only scalance config end s...

Page 89: ...n change the host name of an AP through the SCALANCE W UI or the CLI In the SCALANCE W UI To change the host name 1 On the Access Points tab click the AP you want to rename 2 Click the edit link 3 Edit the AP name in Name You can specify a name of up to 32 ASCII characters 4 Click OK In the CLI To change the name scalance hostname name ...

Page 90: ...one all APs in this zone can broadcast this SSID If no AP belongs to the zone configured on the SSID the SSID is not broadcast If an SSID does not belong to any zone all APs can broadcast this SSID You can add an AP zone by using the UI or the CLI Note For the SSID to be assigned to an AP the same zone details must be configured on the SSID For more information on SSID configuration see Configuring...

Page 91: ...igure a static IP address 1 On the Access Points tab click the AP to modify 2 Click the edit link 3 Select Specify statically option to specify a static IP address The following text boxes are displayed Enter a new IP address for the AP in the IP address text box Enter the subnet mask of the network in the Netmask text box Enter the IP address of the default gateway in the Default gateway text box...

Page 92: ...OK Configuring Radio Profiles Manually for AP Note When radio settings are assigned manually by the administrator the ARM is disabled To manually configure radio settings 1 On the Access Points tab click the AP for which you want to enable ARM 2 Click the edit link 3 Click the Radio tab 4 Ensure that an appropriate mode is selected By default the channel and power for an AP are optimized dynamical...

Page 93: ... configure the channel and transmission power by running the following commands scalance a channel channel tx power scalance g channel channel tx power Configuring Maximum Clients on SSID Radio Profiles You can also set the maximum number of clients individually for SSID profiles operating on the 2 4 GHz and 5 GHz radios This configuration is not persistent and is lost once the AP is rebooted To c...

Page 94: ...rom the AP is tagged with the management VLAN Note Ensure that the native VLAN of the AP and uplink are not the same You can configure the uplink management VLAN on an AP by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure uplink management VLAN 1 On the Access Points tab click the AP to modify 2 Click the edit link 3 Click the Uplink tab 4 Specify the VLAN in the Uplink Manage...

Page 95: ...abled You can change the USB port status by using the SCALANCE W UI or the CLI In the SCALANCE W UI To change the USB port status 1 From the Access Points tab click the AP to modify 2 Click the edit link 3 Click the Uplink tab 4 Set the port status by selecting any of the following options Disabled To disable the port status Enabled To re enable the port status 5 Click OK 6 7 Reboot the AP In the ...

Page 96: ...a VC Preference to an AP with 3G 4G Card The Master Election Protocol prefers the AP with a 3G 4G card when electing a VC for the SCALANCE W network during the initial setup The VC is selected based on the following criteria If there is more than one AP with 3G 4G cards one of these APs is dynamically elected as the VC When an AP without 3G 4G card is elected as the VC but is up for less than 5 min...

Page 97: ...LI In the SCALANCE W UI To provision an AP as a master AP 1 On the Access Points tab click the AP to modify 2 Click the edit link 3 Select Enabled from the Preferred master drop down list This option is disabled by default Figure 8 1 AP Settings Provisioning Master AP 4 Click OK In the CLI To provision an AP as a master AP scalance iap master To verify if the AP is provisioned as master AP scalanc...

Page 98: ...an IP address to the AP Page 30 After an AP is connected to the network if the Auto Join feature is enabled the AP inherits the configuration from the VC and is listed in the Access Points tab If the auto join mode is disabled perform the following steps by using the SCALANCE W UI In the SCALANCE W UI To add an AP to the network 1 On the Access Points tab click the New link 2 In the New Access Poi...

Page 99: ...ng the SCALANCE W UI only if the Auto Join feature is disabled In the SCALANCE W UI To remove an AP from the network 1 On the Access Points tab click the AP to delete The x icon is displayed beside the AP 2 Click x to confirm the deletion Note The deleted APs cannot join the SCALANCE W network anymore and are not displayed in the SCALANCE W UI However the master AP details cannot be deleted from t...

Page 100: ...Customizing AP Settings 8 9 Removing an AP from the Network ...

Page 101: ...casts in the same subnet To manage the broadcast traffic you can partition the network into different subnets and use L3 mobility between those subnets when clients roam However if a large number of clients need to be in the same subnet you can configure VLAN pooling in which each client is randomly assigned a VLAN from a pool of VLANs on the same SSID Thus VLAN pooling allows automatic partitioni...

Page 102: ...VLAN Configuration 9 2 Uplink VLAN Monitoring and Detection on Upstream Devices ...

Page 103: ...s For example 2001 0db8 0a0b 12f0 0000 0000 0000 0001 However the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes The following examples show various representations of the address 2001 0db8 0a0b 12f0 0000 0000 0000 0001 Valid format 2001 db8 a0b 12f0 0 0 1 Invalid format 2001 db8 a0b 12f0 0 1 The sign appears only once in an addr...

Page 104: ...e IP mode is set to v4 prefer mode the AP derives a link local IPv6 address and attempts to acquire a routable IPv6 address by monitoring Router Advertisements RA packets AP assigns itself to both Stateless address autoconfiguration SLAAC and DHCPv6 client address APs also support IPv6 DNS server addresses and use these for DNS resolution In the CLI To enable IPv4 mode or dual stack mode scalance ...

Page 105: ...red To configure an IPv6 address for the RADIUS server scalance config wlan auth server radiusIPv6 scalance Auth Server radiusIPv6 ip host scalance Auth Server radiusIPv6 nas ip ip_ipv6 scalance Auth Server radiusIPv6 end scalance commit apply SNMP Over IPv6 In this release you can configure a community string to authenticate messages sent between the VC and the SNMP agent where the IPv6 address w...

Page 106: ...it in the access rule configuration will expand to two different ACL entries any any any P6 any any any P4 Similarly if any IPv6 specific rule is added For example if any DHCPv6 or FTPv6 rule is added the ACE would be expanded as follows any 2002 64 17 0 65535 546 547 6 destined to network 2002 64 DHCPv6 is denied any 2001 10 128 6 0 65535 20 21 6 destined to host 2001 10 FTP is denied For all ACL...

Page 107: ...pertaining to IPv6 configuration show ipv6 interface brief and show ipv6 interface details displays the configured IPv6 address and any duplicate addresses show ipv6 route displays the IPv6 routing information show datapath ipv6 session displays IPv6 sessions show datapath ipv6 user displays IPv6 client details show clients and show clients debug displays the details about AP clients ...

Page 108: ...IPv6 Support 10 4 Debugging Commands ...

Page 109: ...authentication The employee network is selected by default during a network profile configuration Voice network This Voice network type allows you to configure a network profile for devices that provide only voice services for example devices such as handsets or applications that require voice traffic prioritization Guest network The Guest wireless network is created for guests visitors contractor...

Page 110: ...ALANCE W UI or the CLI In the SCALANCE W UI To configure WLAN settings 1 On the Network tab of the SCALANCE W main window click the New link The New WLAN window is displayed The following figure shows the contents of the WLAN Settings tab Figure 11 1 WLAN Settings Tab 2 Enter a name that uniquely identifies a wireless network in the Name SSID text box Note The SSID name must be unique and may cont...

Page 111: ...d Unicast ARP Only When set to Unicast ARP Only the AP allows all broadcast and multicast frames as is however the ARP requests are converted to unicast frames and sent to the associated clients Disabled When set to Disabled all broadcast and multicast traffic is forwarded to the wireless interfaces Multicast transmission optimization Select Enabled if you want the AP to select the optim...

Page 112: ...interval The DTIM interval indicates the delivery traffic indication message DTIM period in beacons which can be configured for every WLAN SSID profile The DTIM interval determines how often the AP should deliver the buffered broadcast and multicast frames to associated clients in the powersave mode The default value is 1 which means the client checks for buffered data on the AP at every beacon Yo...

Page 113: ...dth for the following types of traffic specify a percentage value under Share To configure Differentiated Service Code Point DSCP mapping specify a value under DSCP Mapping Background WMM For background traffic such as file downloads or print jobs Best effort WMM For best effort traffic such as traffic from legacy devices or traffic from applications or devices that do not support QoS Video WMM For...

Page 114: ...D is enabled or disabled as per the configuration settings applied For example if you select the VPN down option from the drop down list and set the status to enabled the SSID is enabled when the VPN connection is down and is disabled when the VPN connection is restored OOS time global Configure a hold time interval in seconds within a range of 30 300 seconds after which the out of service operat...

Page 115: ...me a min tx rate rate scalance SSID Profile name g max tx rate rate scalance SSID Profile name g min tx rate rate scalance SSID Profile name zone zone scalance SSID Profile name bandwidth limit limit scalance SSID Profile name per user bandwidth limit limit scalance SSID Profile name air time limit limit scalance SSID Profile name wmm background dscp dscp scalance SSID Profile name wmm background ...

Page 116: ...ackets APs can perform two hardware retries When the hardware retry attempts fail APs can perform software retries The max retries parameter indicates the maximum number of attempts the AP performs when clients are not responding to 802 11 packets By default the AP attempts a maximum of eight retries when clients are not responding to 802 11 packets The following example shows the configuration of...

Page 117: ...ID Profile Page 110 You can configure VLAN settings for an SSID profile using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure VLAN settings for an SSID 1 On the VLAN tab of the New WLAN window perform the following steps The following figure displays the contents of the VLAN tab Figure 11 2 VLAN Tab 2 Select any for the following options for Client IP assignment Virtual Controller a...

Page 118: ...new DHCP scope by selecting New For more information on DHCP scopes see Configuring DHCP Scopes on page 209 Network assigned If Network assigned is selected you can specify any of the following options for the Client VLAN assignment Default On selecting this option the client obtains the IP address in the same subnet as the APs By default the client VLAN is assigned to the native VLAN on the wire...

Page 119: ...an value of scalance SSID Profile name end scalance commit apply Enforcing DHCP You can configure a WLAN SSID profile to enforce DHCP on AP clients When DHCP is enforced A layer 2 user entry is created when a client associates with an AP The client DHCP state and IP address are tracked When the client obtains an IP address from DHCP the DHCP state changes to complete If the DHCP state is complete ...

Page 120: ...WLAN SSID Profile Page 117 Configuring Security Settings for an Employee or Voice Network You can configure security settings for an Employee or Voice network by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure security settings for an Employee or Voice network 1 On the Security tab specify any of the following types of security levels by moving the slider to a desired level En...

Page 121: ...ng Wireless Network Profiles The following figures show the configuration options for Enterprise Personal and Open security settings Figure 11 3 Security Tab Enterprise ...

Page 122: ...Wireless Network Profiles 11 1 Configuring Wireless Network Profiles Figure 11 4 Security Tab Personal ...

Page 123: ...Wireless Network Profiles 11 1 Configuring Wireless Network Profiles Figure 11 5 Security Tab Open ...

Page 124: ...nal security levels only For the Open security level no encryption settings are required For the Personal security level select any of the following encryption keys from the Key management drop down list WPA 2 Personal WPA Personal Both TKIP and AES Encryption WPA Personal TKIP Encryption only WPA Personal AES Encryption only Both WPA 2 WPA Static WEP If a WPA 2 WPA encryption or Both WPA 2 W...

Page 125: ... If you are using LDAP for authentication ensure that AP termination is configured to support EAP Enterprise security level Authentication server 1 and Authentication server 2 Select any of the following options from the Authentication server 1 drop down list Select an authentication server from the list if an external server is already configured To modify the server parameters click Edit Selec...

Page 126: ...pre authentication role is assigned to the client When Reauth interval is configured on an SSID performing only L3 authentication captive portal authentication When reauthentication succeeds a pre authentication role is assigned to the client that is in a post authentication role Due to this the clients are required to go through captive portal to regain access Enterprise Personal and Open secu...

Page 127: ...levels set MAC authentication to Enabled For Enterprise security level the following options are available Perform MAC authentication before 802 1X Select this check box to use 802 1X authentication only when the MAC authentication is successful MAC authentication fail thru On selecting this check box the 802 1X authentication is attempted when the MAC authentication fails Enterprise Personal and ...

Page 128: ...sources When 802 11k is enabled APs and clients send neighbor reports beacon reports and link measurement reports to each other 802 11v Selecting this check box enables the 802 11v based BSS transition 802 11v standard defines mechanisms for wireless network management enhancements and BSS transition management It allows client devices to exchange information about the network topology and RF en...

Page 129: ...name dot11k scalance SSID Profile name dot11v scalance SSID Profile name exit scalance config auth survivability cache time out scalance config end scalance commit apply To configure personal security settings for the Employee and Voice users scalance config wlan ssid profile name scalance SSID Profile name opmode wpa2 psk aes wpa tkip wpa psk tkip wpa psk tkip wpa2 psk aes static wep scalance SSI...

Page 130: ...ion scalance SSID Profile name auth server server name scalance SSID Profile name external server scalance SSID Profile name server load balancing scalance SSID Profile name blacklist scalance SSID Profile name max authentication failures number scalance SSID Profile name radius accounting scalance SSID Profile name radius accounting mode user association user authentication scalance SSID Profile ...

Page 131: ...yee or Voice network 1 In the Access Rules tab set the slider to any of the following types of access control Unrestricted Select this option to set unrestricted access to the network Network based Set the slider to Network based to set common rules for all users in a network The Allow any to all destinations access rule is enabled by default This rule allows traffic to all destinations To define ...

Page 132: ...ssid scalance SSID Profile name end scalance commit apply To configure role assignment rules scalance config wlan ssid profile name scalance SSID Profile name set role attribute equals not equals starts with ends with contains matches regular expression operator role value of scalance SSID Profile name end scalance commit apply To configure a pre authentication role scalance config wlan ssid profi...

Page 133: ...le rule any any match appcategory collaboration permit scalance Access Rule WirelessRule rule any any match webcategory gambling deny scalance Access Rule WirelessRule rule any any match webcategory training and tools permit scalance Access Rule WirelessRule rule any any match webreputation well known sites permit scalance Access Rule WirelessRule rule any any match webreputation safe sites permit...

Page 134: ...vely You can configure the per ap ssid and the per ap vlan settings for the SSID and VLAN profiles respectively by using the SCALANCE W CLI In the CLI To configure the wlan ssid profile scalance config wlan ssid profile ssid_profile To configure the per ap ssid variable scalance per ap ssid text To configure the per ap vlan variable scalance per ap vlan vlan To verify the per ap ssid and per ap vl...

Page 135: ...cached PMK is used when a client roams to a new AP This allows faster roaming of clients between the APs in a cluster without requiring a complete 802 1X authentication Note OKC roaming when configured in the 802 1X Authentication profile is supported on WPA 2 clients If the wireless client the 802 1X supplicant does not support this feature a complete 802 1X authentication is required whenever a ...

Page 136: ...ayed 4 Select the WPA 2 Enterprise or Both WPA 2 WPA option from the Key management drop down list When any of these encryption types is selected Opportunistic Key Caching OKC is enabled by default 5 Click Next and then click Finish In the CLI To enable 802 11k profile scalance config wlan ssid profile name scalance SSID Profile name dot11k scalance config end scalance commit apply To view the bea...

Page 137: ...chanism reduces client roaming delay when a client transitions from one BSS to another within the same cluster This minimizes the time required to resume data connectivity when a BSS transition happens Note Fast BSS Transition is operational only if the wireless client supports 802 11r standard If the client does not support 802 11r standard it falls back to the normal WPA 2 authentication method ...

Page 138: ...nabled Power Constraint IE The power constraint element contains the information necessary to allow a client to determine the local maximum transmit power in the current channel AP Channel Report IE The AP channel report element contains a list of channels in a regulatory class where a client is likely to find an AP including the AP transmitting the AP channel report Radio Resource Management RRM ...

Page 139: ...rough the RRM enabled capabilities IE sent in the association request frames By default the beacon request frames are sent at a periodicity of 60 seconds Configuring a WLAN SSID for 802 11k Support You can enable 802 11k support on a WLAN SSID by using the SCALANCE W UI or the CLI In the SCALANCE W UI 1 Navigate to the WLAN wizard Go to Network New OR Go to Network WLAN SSID and click edit 2 Click...

Page 140: ...calance config wlan ssid profile name scalance SSID Profile name dot11k scalance config end scalance commit apply To view the beacon report details scalance show ap dot11k beacon report mac To view the neighbor details scalance show ap dot11k nbrs Example scalance config wlan ssid profile dot11k profile scalance SSID Profile dot11k profile dot11k scalance config end scalance commit apply ...

Page 141: ...lients when a suitable AP is identified for a client through Client Match Configuring a WLAN SSID for 802 11v Support You can enable 802 11v support on a WLAN SSID by using the SCALANCE W UI or the CLI In the SCALANCE W UI 1 Navigate to the WLAN wizard Go to Network New OR Go to Network WLAN SSID and click edit 2 Click the Security tab 3 Under Fast Roaming select the 802 11v check box 4 Click Next...

Page 142: ...tion rates determine the 802 11b g rates for the data that are advertised in beacon frames and probe response and 802 11g transmission rates determine the 802 11b g rates at which the AP can transmit data For 802 11n clients you can now configure an HT MCS rate set so that the SSID does not broadcast the disabled MCS rates list For 802 11ac clients only 10 MCS rates supported in the 802 11ac mode ...

Page 143: ...ile ssid_profile end scalance commit apply To re enable MU MIMO scalance config wlan ssid profile ssid_profile scalance SSID Profile ssid_profile no vht mu txbf disable scalance SSID Profile ssid_profile end scalance commit apply RTS CTS Flow Control The Request to Send RTS Clear to Send CTS mechanism allows devices to reserve the RF medium and minimize the frame collisions introduced by hidden st...

Page 144: ...ameter is enabled the SSID supports only the clients that exhibit the MFP functionality If the mfp capable parameter is enabled the SSID supports management frame protection MFP capable clients and non MFP clients Note The MFP configuration is a per SSID configuration 11 6 Disabling Short Preamble for Wireless Client To improve the network performance and communication between the AP and its clients y...

Page 145: ... box to disable or enable the SSID The SSID is enabled by default 4 Click Next or the tab name to move to the next tab 5 Click Finish to save the modifications In the CLI To disable an SSID scalance config wlan ssid profile name scalance SSID Profile name disable scalance SSID Profile name end scalance commit apply To enable an SSID scalance config wlan ssid profile name scalance SSID Profile name...

Page 146: ...Wireless Network Profiles 11 8 Deleting a WLAN SSID Profile ...

Page 147: ... UI or the CLI In the SCALANCE W UI 1 Click the Wired link under More on the SCALANCE W main window The Wired window is displayed 2 Click New under Wired Networks The New Wired Network window is displayed 3 Click the Wired Settings tab and configure the following parameters Name Specify a name for the profile Primary Usage Select Employee or Guest Speed Duplex Ensure that appropriate values are se...

Page 148: ...les Inactivity Timeout Specify the time out interval within the range of 60 86 400 seconds for inactive wired clients The default interval is 1000 seconds 5 Click Next The VLAN tab details are displayed 6 Configure VLAN for the wired profile For more information see Configuring VLAN for a Wired Profile Page 149 In the CLI To configure the settings for a wired profile scalance config wired port pro...

Page 149: ... for all client traffic that goes through this interface The VC can also assign a guest VLAN to a wired client Network Assigned Select this option to allow the clients to receive an IP address from the network to which the VC is connected On selecting this option the New button to create a VLAN is displayed Create a new VLAN if required If the Trunk mode is selected Specify the VLAN in Allowed VLA...

Page 150: ...e trunk access scalance wired ap profile name allowed vlan vlan scalance wired ap profile name native vlan guest 1 4095 scalance wired ap profile name end scalance commit apply To configure a new VLAN assignment rule scalance config wired port profile name scalance wired ap profile name set vlan attribute equals not equals starts with ends with contains matches regular expression operator VLAN ID ...

Page 151: ... ACL is applied to the trusted port in order to control the client traffic that needs to be source NATed MAC authentication To enable MAC authentication select Enabled The MAC authentication is disabled by default 802 1X authentication To enable 802 1X authentication select Enabled The 802 1X authentication is disabled by default MAC authentication fail thru To enable authentication fail thru sele...

Page 152: ...entication servers so that the load across the two RADIUS servers is balanced For more information on the dynamic load balancing mechanism see Dynamic Load Balancing between Two Authentication Servers on page 154 5 Click Next The Access tab details are displayed In the CLI To configure security settings for an employee network scalance config wired port profile name scalance wired ap profile name ...

Page 153: ...s to obtain access based on the roles assigned to them Unrestricted Allows the users to obtain unrestricted access on the port Network based Allows the users to be authenticated based on access rules specified for a network 3 If the Role based access control is selected perform the following steps Under select an existing role for which you want to apply the access rules or click New and add the r...

Page 154: ...nish.
In the CLI
To configure access rules for a wired profile:
(scalance)(config)# wired-port-profile <name>
(scalance)(wired ap profile <name>)# access-rule-name <name>
(scalance)(wired ap profile <name>)# end
(scalance)# commit apply
To configure role assignment rules:
(scalance)(config)# wired-port-profile <name>
(scalance)(wired ap profile <name>)# set-role <attribute> {{equals | not-equal | starts-with | ends-with | contains | matches-regular...

Page 155: ... 2. To assign an Ethernet downlink profile to Ethernet 0 port: Ensure that the wired bridging on the port is enabled. For more information, see Configuring Wired Bridging on Ethernet 0 for Mesh Point (Page 454). Select and assign a profile from the 0/0 drop-down list. To assign a wired profile to Ethernet 0/1 port, select the profile from the 0/1 drop-down list. If the AP supports E2, E3 and E4 ports, assign ...

Page 156: ...d on the IEEE 802.3ad standard. The 802.3ad standard for Ethernet aggregation uses LACP as a method to manage link configuration and balance traffic among aggregated ports. LACP provides a standardized means for exchanging information with partner systems to form a dynamic link aggregation group. The LACP feature is automatically enabled during AP boots and it dynamically detects the AP if connected ...

Page 157: ...channel <0-63>
(scalance)(config)# port-channel members <interface-list> {add | delete}
(scalance)(config)# gigabitethernet <slot/module/port>
(scalance)(config)# shutdown
(scalance)(config)# switching-profile <profile-name>
Verifying LACP Configuration on the AP
There is no configuration required on the AP for enabling LACP support. However, you can view the status of LACP on APs by using the following command:
(scalance)# show l...

Page 158: ...g to a peer switch. When the peer switch enables LACP configuration, the APs form the LACP. Users can enable, disable and remove the static LACP configuration in the AP. When the AP boots up, it forms the LACP according to the static configuration.
To enable the static LACP mode on APs:
(scalance)# lacp-mode enable
To disable the static LACP mode on APs:
(scalance)# lacp-mode disable
Verifying Static LACP Mode T...

Page 159: ...ect to the other APs. This AP, called the root AP, acts as the wired device for the network, provides DHCP service and an L3 connection to the ISP uplink with NAT. The root AP is always the master of the SCALANCE W network. In a single Ethernet port platform deployment, the root AP must be configured to use the 3G uplink. A typical hierarchical deployment consists of the following: A direct wired ISP conne...

Page 160: ...Wired Profiles; 12.6 Understanding Hierarchical Deployment. SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02, page 160. Figure 12.1 Hierarchical Deployment ...

Page 161: ... portal service. It supports the following types of authentication: Internal Authenticated: When Internal Authenticated is enabled, a guest user must authenticate in the captive portal page to access the Internet. The guest users who are required to authenticate must already be added to the user database. Internal Acknowledged: When Internal Acknowledged is enabled, a guest user must accept the terms and conditions to access t...

Page 162: ...external captive portal. SCALANCE W supports the captive portal authentication method, where a web page is presented to the guest users when they try to access the Internet from hotels, conference centers or Wi-Fi hotspots. The web page also prompts the guest users to authenticate or accept the usage policy and terms. Captive portals are used at many Wi-Fi hotspots and can be used to control wired acce...

Page 163: ...and IPv6 neighbor discovery protocols. ARP: When set to ARP, the AP drops all broadcast and multicast frames except DHCP and ARP, IGMP group queries, and IPv6 neighbor discovery protocols, and additionally converts ARP requests to unicast and sends frames directly to the associated client. Unicast ARP Only: When set to Unicast ARP Only, the AP allows all broadcast and multicast frames as it is; however, the...

Page 164: ...1 Mbps and maximum transmission rate is 54 Mbps. 5 GHz: If the 5 GHz band is configured on the AP, specify the minimum and maximum transmission rate. The default value for minimum transmission rate is 6 Mbps and maximum transmission rate is 54 Mbps. Band: Select a value to specify the band at which the network transmits radio signals. You can set the band to 2.4 GHz, 5 GHz or All. The All option is select...

Page 165: ...irtime that all clients in this network can use for sending and receiving data. Specify the airtime percentage. Each radio: Select this check box to specify an aggregate amount of throughput that each radio is allowed to provide for the connected clients. Downstream and Upstream: Specify the downstream and upstream rates within a range of 1 to 65,535 Kbps for the SSID users. If the assignment is speci...

Page 166: ...led to allow the AP to send a deauthentication frame to the inactive client and clear the client entry. SSID: Select the Hide check box if you do not want the SSID (network name) to be visible to users. Select the Disable check box if you want to disable the SSID. On selecting this, the SSID will be disabled but will not be removed from the network. By default, all SSIDs are enabled. Out of service (OOS): Enable o...

Page 167: ... client obtains the IP address from the VC. Network assigned: On selecting this option, the IP address is obtained from the network. 8. Based on the type of client IP assignment mode selected, you can configure the VLAN assignment for clients as described in the following table. Client IP Assignment / Client VLAN Assignment: Virtual Controller assigned: If the Virtual Controller assigned is selected for client...

Page 168: ...Select this option for configuring VLAN pooling. Dynamic: On selecting this option, you can assign the VLANs dynamically from a Dynamic Host Configuration Protocol (DHCP) server. To create VLAN assignment rules, click New to assign the user to a VLAN. In the New VLAN Assignment Rule window, enter the following information: Attribute: Select an attribute returned by the RADIUS server during authentication. Op...

Page 169: ...imit <limit>
(scalance)(SSID Profile <name>)# per-user-bandwidth-limit <limit>
(scalance)(SSID Profile <name>)# air-time-limit <limit>
(scalance)(SSID Profile <name>)# wmm-background-share <percentage-of-traffic_share>
(scalance)(SSID Profile <name>)# wmm-best-effort-share <percentage-of-traffic-share>
(scalance)(SSID Profile <name>)# wmm-video-share <percentage-of-traffic_share>
(scalance)(SSID Profile <name>)# wmm-voice-share <percentage-of-tr...

Page 170: ... uplink on this wired profile. If Uplink is set to Enabled and this network profile is assigned to a specific port, the port will be enabled as Uplink port. For more information on assigning a wired network profile to a port, see Assigning a Profile to Ethernet Ports on page 110. Spanning Tree: Select the Spanning Tree check box to enable Spanning Tree Protocol (STP) on the wired profile. STP ensures that ...

Page 171: ...k Assigned, specify a value for Access VLAN to indicate the VLAN carried by the port in the Access mode. 6. Click Next to configure internal or external captive portal authentication, roles and access rules for the guest users.
In the CLI
To configure the settings for the wired profile:
(scalance)(config)# wired-port-profile <name>
(scalance)(wired ap profile <name>)# type guest
(scalance)(wired ap profile <name>)# speed...

Page 172: ...ing profile. 2. Click the Security tab and assign values for the Internal Captive Portal Configuration Parameters. Parameter / Description: Splash page type: Select any of the following from the drop-down list: Internal Authenticated: When Internal Authenticated is enabled, the guest users are required to authenticate in the captive portal page to access the Internet. The guest users who are required to au...

Page 173: ...able load balancing if two authentication servers are used. Reauth interval: Select a value to allow the APs to periodically reauthenticate all associated and authenticated clients. Blacklisting: Applicable for WLAN SSIDs only. If you are configuring a wireless network profile, select Enabled to enable blacklisting of the clients with a specific number of authentication failures. Accounting mode: Applica...

Page 174: ... click OK. Ensure that the policy text does not exceed 255 characters. To upload a custom logo, click Upload your own custom logo Figure, browse the image file and click upload image. Ensure that the image file size does not exceed 16 KB. To redirect users to another URL, specify a URL in Redirect URL. Click Preview to preview the captive portal page. NOTE: You can customize the captive portal page using d...

Page 175: ...server <server1>
(scalance)(wired ap profile <name>)# radius-reauth-interval <Minutes>
(scalance)(wired ap profile <name>)# end
(scalance)# commit apply
To customize the internal captive portal splash page:
(scalance)(config)# wlan captive-portal
(scalance)(Captive Portal)# authenticated
(scalance)(Captive Portal)# background-color <color-indicator>
(scalance)(Captive Portal)# banner-color <color-indicator>
(scalance)(Captive Portal)# banner-te...

Page 176: ...portal profile is applied to an SSID or wired profile, the users connecting to the SSID or wired network are assigned a role with the captive portal rule. The guest user role allows only DNS and DHCP traffic between the client and the network, and directs all HTTP or HTTPS requests to the captive portal unless explicitly permitted to allow all types of traffic. 13.5.2 Creating a Captive Portal Profile...

Page 177: ...are allowed for the unauthenticated users to access are automatically whitelisted. The automatic URL whitelisting is disabled by default. Auth Text: Available only if Authentication Text is selected. If the External Authentication splash page is selected, specify the authentication text to be returned by the external server after successful authentication. Server Offload: Select Enabled to enable server ...

Page 178: ...rnal Captive Portal)# end
(scalance)# commit apply
13.5.3 Configuring an SSID or Wired Profile to Use External Captive Portal Authentication
You can configure external captive portal authentication when adding or editing a guest network profile using the SCALANCE W UI or the CLI.
In the SCALANCE W UI
1. Navigate to the WLAN wizard or Wired window. To configure external captive portal authentication for a ...

Page 179: ...tion request. For example, if you specify colon as the delimiter, MAC addresses in the xx:xx:xx:xx:xx:xx format are used. If the delimiter is not specified, the MAC address in the xxxxxxxxxxxx format is used. NOTE: This option is available only when MAC authentication is enabled. Uppercase support: Set to Enabled to allow the AP to use uppercase letters in the MAC address string for MAC authentication. NOTE: Th...

Page 180: ...plink type is: Select the type of the uplink to exclude. Encryption: Select Enabled to configure encryption settings and specify the encryption parameters. 5. Click Next to continue and then click Finish to apply the changes.
In the CLI
To configure security settings for guest users of the WLAN SSID profile:
(scalance)(config)# wlan ssid-profile <name>
(scalance)(SSID Profile <name>)# essid <ESSID-name>
(scalance)(SSID ...

Page 181: ... response with the redirect URL to display the splash page and enforce captive portal authentication by clients. The HTTP response from the AP includes the following parameters. Table 13.1 External Captive Portal Redirect Parameters (Parameter / Example Value / Description): cmd / login / Type of operation; mac / 34:02:86:c6:d2:3e / Client MAC address; essid / guest-ecp-109 / ESSID; ip / 192.0.2.0 / Client IP address; apname / ...

Page 182: ... as an external captive portal server. 1. Select the WLAN SSID for which you want to enable external captive portal authentication with ClearPass Policy Manager. You can also configure the RADIUS server when configuring a new SSID profile. 2. On the Security tab, select External from the Splash page type drop-down list. 3. Select New from the Captive portal profile drop-down list and update the following ...

Page 183: ...IUS server attribute for guest user authentication allows the administrators to balance the load on the ClearPass Policy Manager servers. When the RADIUS server IP address is configured under Extra Fields in the ClearPass Guest login page, the RADIUS server IP parameter is submitted to the server as part of the HTTP or HTTPS POST data when the guest users initiate an HTTP or HTTPS request. The AP int...

Page 184: ... Page (Page 185); Accessing the Portal Page (Page 186). 13.6.1 Setting up a Facebook Page. To enable integration with the AP, ensure that you have a Facebook page created as a local business with a valid location. For more information on creating a Facebook page, see the online help available at https://www.facebook.com/help. For more information on setting up and using Facebook Wi-Fi service, see https://www.fac...

Page 185: ...calance)# commit apply
13.6.3 Configuring the Facebook Portal Page
To bind the VC with the Facebook portal: 1. Open the SSID with the Facebook option enabled, navigate to the Security tab and click the Facebook configuration link. The Facebook page is displayed. Note: The link is displayed only if the AP is successfully registered with Facebook. 2. Log in with your Facebook credentials. The Facebook Wi-Fi Co...

Page 186: ...web browser. The browser opens the Facebook Wi-Fi page. If the Wi-Fi code based login is enabled, the users are prompted to enter the Wi-Fi code. If the Skip Check-in link is displayed, click the link to skip checking in to the Facebook business page and proceed to access the Internet. 3. If you want to check in the business page, click Check In and provide your credentials. After checking in, click Continu...

Page 187: ...set unrestricted access to the network. Network-based: Set the slider to Network-based to set common rules for all users in a network. The Allow any to all destinations access rule is enabled by default. This rule allows traffic to all destinations. To define an access rule: Click New. Select appropriate options in the New Rule window. Click OK. Role-based: Select Role-based to enable access based on user r...

Page 188: ...calance)(SSID Profile <name>)# end
(scalance)# commit apply
To configure role assignment rules:
(scalance)(config)# wlan ssid-profile <name>
(scalance)(SSID Profile <name>)# set-role <attribute> {{equals | not-equals | starts-with | ends-with | contains | matches-regular-expression} <operator> <role> | value-of}
(scalance)(SSID Profile <name>)# end
(scalance)# commit apply
To configure a pre-authentication role:
(scalance)(config)# wlan ssid-profile <nam...

Page 189: ...ssRule")# rule any any match appcategory collaboration permit
(scalance)(Access Rule "WirelessRule")# rule any any match webcategory gambling deny
(scalance)(Access Rule "WirelessRule")# rule any any match webcategory training-and-tools permit
(scalance)(Access Rule "WirelessRule")# rule any any match webreputation well-known-sites permit
(scalance)(Access Rule "WirelessRule")# rule any any match webreputation safe-sites pe...

Page 190: ...ve portal settings configured, the captive portal settings configured for an SSID are applied to the client's profile. If the SSID does not have captive portal settings configured, the captive portal settings configured for a user role are applied to the client's profile. If captive portal settings are configured for both SSID and user role, the captive portal settings configured for a user role are ap...

Page 191: ...ptive portal role configuration. Figure 13.1 Captive Portal Rule for Internal Splash Page Type. Figure 13.2 Captive Portal Rule for External Splash Page Type. Parameter / Description: Rule type: Select Captive Portal from the Rule Type drop-down list. Splash Page Type: Select any of the following attributes: Select Internal to configure a rule for internal captive portal authentication; Select External t...

Page 192: ... Select a profile from the Captive portal profile drop-down list. If you want to edit the profile, click Edit and update the following parameters: Type: Select either Radius Authentication to enable user authentication against a RADIUS server, or Authentication Text to specify the authentication text to be returned by the external server after a successful user authentication. IP or hostname: Enter th...

Page 193: ... captive portal access rule is assigned. 8. Click Finish. The client can connect to this SSID after authenticating with username and password. After a successful user login, the captive portal role is assigned to the client.
In the CLI
To create a captive portal role:
(scalance)(config)# wlan access-rule <Name>
(scalance)(Access Rule <Name>)# captive-portal {external [profile <name>] | internal}
(scalance)(Access Rule <Name>)# en...

Page 194: ...accessing some websites. You can create a walled garden access in the SCALANCE W UI or the CLI.
In the SCALANCE W UI
To create a walled garden access: 1. Click the Security link at the top of the SCALANCE W main window. The Security window is displayed. 2. Click Walled Garden. The Walled Garden tab contents are displayed. 3. To allow the users to access a specific domain, click New and enter the domain name or U...

Page 195: ...g on the network profile selected, the Edit WLAN Profile or Edit Wired Network window is displayed. Note: You can also customize splash page design on the Security tab of the New WLAN (WLAN wizard) and New Wired Network (wired profile) window when configuring a new profile. 2. Navigate to the Security tab. 3. Select None from the Splash page type drop-down list. Although the splash page is disabled, you can enable ...

Page 196: ...Captive Portal for Guest Access; 13.9 Configuring Walled Garden Access. SCALANCE W1750D UI Configuration Manual, 02/2018, C79000-G8976-C451-02, page 196 ...

Page 197: ...e displayed in the read-only mode for these users. Employee users: Employees who use the enterprise network for official tasks. Guest users: Visiting users who temporarily use the enterprise network to access the Internet. The user access privileges are determined by AP management settings in the AirWave Management client and the type of the user. The following table outlines the access privileges defin...

Page 198: ...ork to access the Internet. However, if you do not want to allow access to the internal network and the Intranet, you can segregate the guest traffic from the enterprise traffic by creating a guest WLAN and specifying the required authentication, encryption and access rules. An employee user is the employee who is using the enterprise network for official tasks. You can create Employee WLANs, specify the...

Page 199: ...nternal Server. The following figure shows the contents of the Users for Internal Server tab. Figure 14.1 Adding a User. 3. Enter the user name in the Username text box. 4. Enter the password in the Password text box and reconfirm. 5. Select the type of network from the Type drop-down list. 6. Click Add and click OK. The users are listed in the Users list. To edit user settings: 1. Select the user you want to m...

Page 200: ...igure a guest user:
(scalance)(config)# user <username> <password> portal
(scalance)(config)# end
(scalance)# commit apply
14.1.2 Configuring Authentication Parameters for Management Users
You can configure RADIUS or Terminal Access Controller Access Control System (TACACS) authentication servers to authenticate and authorize the management users of an AP. The authentication servers determine if the user has access ...

Page 201: ...led, the authentication switches to Internal if there is no response from the RADIUS server (RADIUS server timeout). To use this option, select the authentication servers and configure the user credentials for internal server based authentication. Load balancing: If two servers are configured, users can use them in the primary or backup mode or load balancing mode. To enable load balancing, select Enabl...

Page 202: ...config)# mgmt-user <username> <password> guest-mgmt
To configure a user with read-only privilege:
(scalance)(config)# mgmt-user <username> <password> read-only
To configure management authentication settings:
(scalance)(config)# mgmt-auth-server <server1>
(scalance)(config)# mgmt-auth-server <server2>
(scalance)(config)# mgmt-auth-server-load-balancing
(scalance)(config)# mgmt-auth-server-local-backup
To enable TACACS accounting:
(sca...

Page 203: ...entication. MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. For more information on configuring an AP to use MAC authenticat...

Page 204: ...ample, you can configure an 802.1X SSID and create a role for captive portal access, so that some of the clients using the SSID derive the captive portal role. You can configure rules to indicate access to external or internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X authentication, see Configuring Captive Portal Roles for an SSID. WISPr Au...

Page 205: ...ver. To use the AP's internal database for user authentication, add the usernames and passwords of the users to be authenticated. Note: Siemens does not recommend the use of LEAP authentication because it does not provide any resistance to network attacks. Authentication Termination on AP: APs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets...

Page 206: ...rver for 802.1X authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an external RADIUS server. External RADIUS Server: In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. SCALANCE W RADIUS is implemented on the VC, and this eliminates the need to configure multiple NAS clients for every AP on the RADIUS server f...

Page 207: ... 02/2018, C79000-G8976-C451-02, page 207. RADIUS Server Authentication with VSA: An external RADIUS server authenticates network users and returns to the AP the vendor-specific attribute (VSA) that contains the name of the network role for the user. The authenticated user is placed into the management role specified by the VSA ...

Page 208: ... as the authentication server and is configured only for the AP management users. Dynamic Load Balancing between Two Authentication Servers: You can configure two authentication servers to serve as a primary and backup RADIUS server and enable load balancing between these servers. Load balancing of authentication servers ensures that the authentication load is split across multiple authentication ser...

Page 209: ...number for the RadSec TLS connection. By default, the port number is set to 2083. RFC 3576: When set to Enabled, it allows the APs to process RFC 3576 compliant Change of Authorization (CoA) and disconnect messages from the RADIUS server. NAS IP address; NAS identifier. For more information on RadSec configuration, see Enabling RADIUS Communication over TLS (Page 214). Auth port: Enter the authorization port numbe...

Page 210: ...rs. DRP IP: IP address to be used as source IP for RADIUS packets. DRP Mask: Subnet mask of the DRP IP address. DRP VLAN: VLAN in which the RADIUS packets are sent. DRP Gateway: Gateway IP address of the DRP VLAN. For more information on dynamic RADIUS proxy parameters and configuration procedure, see Configuring Dynamic RADIUS Proxy Parameters (Page 216). To assign the RADIUS authentication server to a netwo...

Page 211: ...ver, select the option and configure the following parameters. Parameter / Description: Name: Enter a name for the server. IP address: Enter the IP address of the TACACS server. Auth Port: Enter a TCP/IP port used by the server. The default port number is 49. Shared Key: Enter a secret key of your choice to authenticate communication between the TACACS client and the server. Retype Key: Re-enter the shared key. Ti...

Page 212: ... asynchronously provides the AirGroup parameters for the client device, including shared user, role and location.
In the CLI
To configure a RADIUS server with DRP parameters:
(scalance)(config)# wlan auth-server <profile-name>
(scalance)(Auth Server <profile-name>)# ip <host>
(scalance)(Auth Server <profile-name>)# key <key>
(scalance)(Auth Server <profile-name>)# port <port>
(scalance)(Auth Server <profile-name>)# acctport <port>
(scalanc...

Page 213: ...meout <seconds>
(scalance)(LDAP Server <profile-name>)# retry-count <number>
(scalance)(LDAP Server <profile-name>)# deadtime <minutes>
(scalance)(LDAP Server <profile-name>)# end
(scalance)# commit apply
To configure a TACACS server:
(scalance)(config)# wlan tacacs-server <profile-name>
(scalance)(TACACS Server <profile-name>)# ip <IP-address>
(scalance)(TACACS Server <profile-name>)# port <port>
(scalance)(TACACS Server <profile-name>)# key <key>
(scala...

Page 214: ...hen the TLS tunnel is established, RADIUS packets will go through the tunnel and the server adds CoA on this tunnel. By default, the TCP port 2083 is assigned for RadSec. Separate ports are not used for authentication, accounting and dynamic authorization changes. SCALANCE W supports dynamic CoA (RFC 3576) over RadSec, and the RADIUS server uses an existing TLS connection opened by the AP to send the request. F...

Page 215: ...figure strings for RADIUS attribute 32 and to send it with RADIUS requests to the RADIUS server. 4. Click OK.
In the CLI
To configure the RadSec protocol:
(scalance)(config)# wlan auth-server <profile-name>
(scalance)(Auth Server <name>)# ip <host>
(scalance)(Auth Server <name>)# radsec [port <port>]
(scalance)(Auth Server <name>)# rfc3576
(scalance)(Auth Server <name>)# nas-id <id>
(scalance)(Auth Server <name>)# nas-ip <ip>
(scalance)(Auth Server...

Page 216: ... VLANs. In most cases, a centralized RADIUS or local server is used to authenticate users. However, some user networks can use a local RADIUS server for employee authentication and a centralized RADIUS-based captive portal server for guest authentication. To ensure that the RADIUS traffic is routed to the required RADIUS server, the dynamic RADIUS proxy feature must be enabled. Note: The dynamic RADIUS pr...

Page 217: ...ring RADIUS server attributes with dynamic RADIUS proxy enabled. For more information on configuring RADIUS server attributes, see Configuring an External Server for Authentication (Page 209). Note: In case of VPN deployments, the tunnel IP received when establishing a VPN connection is used as the NAS IP. In such cases, the VC IP need not be configured for the external RADIUS servers.
In the CLI
To enable ...

Page 218: ...ort>
(scalance)(Auth Server <profile-name>)# nas-id <NAS-ID>
(scalance)(Auth Server <profile-name>)# nas-ip <NAS-IP-address>
(scalance)(Auth Server <profile-name>)# timeout <seconds>
(scalance)(Auth Server <profile-name>)# retry-count <number>
(scalance)(Auth Server <profile-name>)# deadtime <minutes>
(scalance)(Auth Server <profile-name>)# drp-ip <IP-address> <mask> vlan <vlan> gateway <gateway-IP-address>
(scalance)(Auth Server <profile-name>)# end
(scalan...

Page 219: ...er to a network profile select the newly added server when configuring security settings for a wireless or wired network profile Note You can also add an external RADIUS server by selecting New for Authentication Server when configuring a WLAN or wired profile For more information see Configuring Security Settings for a WLAN SSID Profile Page 120 and Configuring Security Settings for a Wired Profi...

Page 220: ...ain any confidential data AES in Wi Fi leverages 802 1X or PSKs to generate per station keys for all devices AES provides a high level of security like IP Security IPsec clients Note WEP and TKIP are limited to WLAN connection speed of 54 Mbps The 802 11n connection supports only AES encryption Siemens recommends AES encryption Ensure that all devices that do not support AES are upgraded or replac...

Page 221: ...A Personal In this type every client automatically receives a unique encryption key after securely logging in to the network This key is automatically updated at regular intervals WPA uses TKIP and WPA 2 uses the AES algorithm Recommended Authentication and Encryption Combinations The following table summarizes the recommendations for authentication and encryption combinations for the Wi Fi networ...

Page 222: ...TLS 2 Upon successful authentication the associated AP caches the authentication credentials of the connected clients for the configured duration The cache expiry duration for authentication survivability can be set within the range of 1 99 hours with 24 hours being the default cache timeout duration 3 If the client roams or tries to reconnect to the AP and the remote link fails due to the unavail...

Page 223: ...learPass Policy Manager downtime Do not make any changes to the authentication survivability cache timeout duration when the authentication server is down For EAP PEAP authentication ensure that the ClearPass Policy Manager 6 0 2 or later version is used for authentication For EAP TLS authentication any external or third party server can be used For EAP TLS authentication ensure that the server an...

Page 224: ...e client is authenticated the RADIUS server forwards the encryption key to the NAS The encryption key is used for encrypting or decrypting traffic sent to and from the client Note The NAS acts as a gateway to guard access to a protected resource A client connecting to the wireless network first connects to the NAS Configuring 802 1X Authentication for Wireless Network Profiles You can configure 80...

Page 225: ...uthentication servers to function as primary and backup servers when Termination is enabled For more information on RADIUS authentication configuration parameters see Configuring an External Server for Authentication Page 209 7 Click Next to define access rules and then click Finish to apply the changes In the CLI To configure 802 1X authentication for a wireless network scalance config wlan ssid ...

Page 226: ... then click Next 4 On the Security tab select Enabled from the 802 1X authentication drop down list 5 Specify the type of authentication server to use and configure other required parameters For more information on configuration parameters see Configuring Security Settings for a Wired Profile Page 151 6 Click Next to define access rules and then click Finish to apply the changes 7 Assign the profi...

Page 227: ...the AP flash Note The 802 1X supplicant support feature is not supported with mesh and Wi Fi uplink Configuring an AP for 802 1X Supplicant Support To enable 802 1X supplicant support configure 802 1X authentication parameters on every AP using the SCALANCE W UI or the CLI In the SCALANCE W UI 1 To use PEAP protocol based 802 1X authentication method complete the following steps In the Access Poin...

Page 228: ... the PEAP protocol based 802 1X authentication scalance ap1x peap user ap1xuser password To set the PEAP 802 1X authentication type scalance config ap1x peap validate server scalance config end scalance commit apply To set TLS 802 1X authentication type scalance config ap1x tls tpm user validate server scalance config end scalance commit apply To upload user or CA certificates for PEAP or TLS auth...

Page 229: ...o enable MAC and 802 1X authentications and click edit 2 In the Edit profile name or the New WLAN window ensure that all required WLAN and VLAN attributes are defined and then click Next 3 On the Security tab ensure that the required parameters for MAC authentication and 802 1X authentication are configured 4 Select the Perform MAC authentication before 802 1X check box to use 802 1X authenticatio...

Page 230: ...urity tab perform the following steps Select Enabled from the MAC authentication drop down list Select Enabled from the 802 1X authentication drop down list Select Enabled from the MAC authentication fail thru drop down list 5 Specify the type of authentication server to use and configure other required parameters For more information on configuration parameters see Configuring Security Settings f...

Page 231: ...using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure both MAC and 802 1X authentications for a wireless network 1 Select an existing wireless or wired profile for which you want to enable MAC with captive portal authentication Depending on the network profile selected the Edit WLAN Profile or the Edit Wired Network window is displayed Note To enable MAC authentication with captive ...

Page 232: ...l type exclude-uplink-types external (Profile name)# exclude-uplink-types; scalance (SSID Profile "name")# set-role-mac-auth mac-only; scalance# commit apply. To configure MAC authentication with captive portal authentication for a wired profile: scalance (config)# wired-port-profile <name>; scalance (wired ap profile "name")# type guest; scalance (wired ap profile "name")# mac-authentication; scalance (wired ap profile "name")# cap...

Page 233: ...wn list to configure WISPr authentication for a WLAN profile. You can configure WISPr authentication using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To configure both MAC and 802.1X authentications for a wireless network: 1. Click the System link located directly above the Search bar in the SCALANCE W main window. The System window is displayed. 2. Click Show advanced options. 3. Click the WISPr tab. T...

Page 234: ...ese values. You can find a list of ISO and ITU country and area codes at the ISO and ITU websites, www.iso.org and http://www.itu.int. Note: A Boingo smart client uses a NAS identifier in the CarrierID_VenueID format for location identification. To support Boingo clients, ensure that you configure the NAS identifier parameter in the RADIUS server profile for the WISPr server. In the CLI: scalance (config)# w...

Page 235: ...LANCE W UI or the CLI. In the SCALANCE W UI: 1. Click the Security link located directly above the Search bar in the SCALANCE W main window. 2. Click the Blacklisting tab. 3. Under Manual Blacklisting, click New. 4. Enter the MAC address of the client to be blacklisted in the MAC address to add text box. Note: For the blacklisting to take effect on the MAC address, you must enable blacklisting in the SSID ...

Page 236: ... triggered, it sends out blacklist information and the client is blacklisted. Configuring Blacklist Duration: You can set the blacklist duration using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To set a blacklist duration: 1. Click the Security link located directly above the Search bar in the SCALANCE W main window. 2. Click the Blacklisting tab. 3. Under Dynamic Blacklisting: 4. For Auth failure bla...

Page 237: ...calance (config)# auth-failure-blacklist-time <seconds>; scalance (config)# blacklist-time <seconds>; scalance (config)# end; scalance# commit apply. To enable blacklisting in the SSID profile: scalance (config)# wlan ssid-profile <name>; scalance (SSID Profile "name")# blacklisting; scalance (SSID Profile "name")# end; scalance# commit apply. To view the blacklisted clients: scalance# show blacklist-client config. Blacklist Time: 60; Auth ...

Page 238: ...ading Certificates through SCALANCE W UI. To load a certificate in the SCALANCE W UI: 1. Click the Maintenance link located directly above the Search bar in the SCALANCE W main window. 2. Click the Certificates tab. The Certificates tab contents are displayed. 3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed. 4. Browse and select the file to upload. 5. Select any...

Page 239: ...ading Certificates through SCALANCE W CLI. To upload a CA server or captive portal certificate: scalance# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem} | radsec ca cert <password> format pem | system {1xca format {der|pem} | 1xcert <password> format pem}}. To download RadSec certificates: scalance# download-cert radsec ftp 192.0.2.7 format pem psk <psk>; scalance# download-cert radsecca ftp 192.0.2.7...

Page 240: ...e. The Certificate window is displayed. 2. Enter the certificate Name and click Choose File to browse and upload the certificate. Figure 14-3 Loading Certificate through AirWave. 3. Select the appropriate Format that matches the certificate filename. Select Server Cert for certificate Type and provide the passphrase if you want to upload a server certificate. Select either or certificate if you want to up...

Page 241: ... Group name is displayed only if you have entered the Organization name in the SCALANCE W UI. For more information, see Configuring Organization String. Figure 14-5 Selecting the Group. The Virtual Controller Certificate section displays the certificates (CA cert and Server). 5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the AP. 6. To...

Page 243: ...es, you can block or allow access based on the service or application, and on source or destination IP addresses. You can create access rules to allow or block data packets that match the criteria defined in an access rule. You can create rules for either inbound traffic or outbound traffic. Inbound rules explicitly allow or block the inbound network traffic that matches the criteria in the rule. Outbound rule...

Page 244: ...y Enforcement Service (Page 371). In the SCALANCE W UI: To configure ACL rules for a user role: 1. Navigate to Security > Roles. The Roles tab contents are displayed. Alternatively, you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window. To configure access rules through the Wired Profile window: Navigate to More > Wired. Click Edit and then Edit Wired Ne...

Page 245: ...signed clients is directed to the VPN tunnel. VLAN: Specify the non-default VLAN ID to which the guest traffic needs to be redirected. Destination: Select a destination option for the access rules for network services, applications and application categories. You can allow or deny access to any of the following destinations based on your requirements: to all destinations: Access is allowed or denied to al...

Page 246: ...the DSCP tag check box to specify a DSCP value to prioritize traffic when this rule is triggered. Specify a value within the range of 0-63. To assign a higher priority, specify a higher value. 802.1p priority: Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value. 6. Click OK and then click Finish. In the CLI...

Page 247: ...ce. Configuring a Source NAT Access Rule: The source NAT action in access rules allows the user to override the routing profile entries. For example, when a routing profile is configured to use 0.0.0.0/0, the client traffic in L3 mode access on an SSID destined to the corporate network is sent to the tunnel. When an access rule is configured with the Source NAT action, the users can specify the service, proto...

Page 248: ...1p priority. Click OK. 6. Click Finish. In the CLI: To configure a source NAT access rule: scalance (config)# wlan access-rule <access_rule>; scalance (Access Rule "access_rule")# rule <dest> <mask> <match> <protocol> <sport> <eport> src-nat vlan <vlan_id> tunnel; scalance (Access Rule "access_rule")# end; scalance# commit apply. Configuring Policy-Based Corporate Access: To allow different forwarding policies for different SSIDs, you can c...

Page 249: ... any of the following steps: To configure access rules for the network, move the slider to the Network-based access control type. To configure access rules for user roles, move the slider to the Role-based access control type. 3. To create a new rule for the network, click New. To create an access rule for a user role, select the user role and then click New. The New Rule window is displayed. 4. In the New Ru...

Page 250: ...tents are displayed. The following figure shows the contents of the Firewall Settings tab. Figure 15-1 Firewall Settings: ALG Protocols. 3. Select Enabled from the corresponding drop-down lists to enable the SIP, VOCERA, Alcatel NOE and Cisco Skinny protocols. 4. Click OK. Note: When the protocols for ALG are set to Disabled, the changes are not applied until the existing user sessions expire. Reboot the AP and th...

Page 251: ... UI. To configure firewall settings: 1. Click the Security link located directly above the Search bar on the SCALANCE W main window. 2. Click the Firewall Settings tab. The Firewall Settings tab contents are displayed. 3. To configure protection against security attacks, select the following check boxes: Select Drop bad ARP to enable the AP to drop the fake ARP packets. Select Fix malformed DHCP for the AP t...

Page 252: ...heck enable; scalance (ATTACK)# end; scalance# commit apply. To view the configuration status: Current Attack: Attack / Status: drop-bad-arp Enabled; fix-dhcp Enabled; poison-check Enabled. To view the attack statistics: scalance# show attack stats. attack counters: Counter / Value: arp packet counter 0; drop bad arp packet counter 0; dhcp response packet counter 0; fixed bad dhcp packet counter 0; send arp attack alert co...

Page 253: ...ed ACEs. In other words, the user-defined ACEs take higher precedence over the guest VLAN ACEs. For more information on inbound firewall settings, see Managing Inbound Traffic (Page 254). Note: The priority of a particular ACE is determined by the order in which it is programmed. Ensure that you do not accidentally override the guest VLAN ACEs. You can change the status of auto-topology rules by using the...

Page 254: ...connected to the AP. If the destination already has a user role assigned, the user role overrides the actions or options specified in the inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or a wired profile, the inbound firewall rules can be configured based on the so...

Page 255: ...d on the access rule. Select Deny to deny access to users based on the access rule. Select Destination-NAT to allow making changes to the destination IP address. Select Source-NAT to allow making changes to the source IP address. The destination NAT and source NAT actions apply only to the network services rules. Service: Select a service from the list of available services. You can allow or deny access ...

Page 256: ...ion server. except to a particular server: Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. to a network: Traffic to the specified network is allowed, denied, or the IP address is translated at the source or the destination as defined in the rule. After selecting this option, specify the IP address and net...

Page 257: ...fy a value between 0 and 7. To assign a higher priority, specify a higher value. 4. Click OK and then click Finish. In the CLI: To configure inbound firewall rules: scalance (config)# inbound-firewall; scalance (inbound-firewall)# rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat <IP-address> <port>} [<option1> ... <option9>]; scalance (inbound-firewall)# end; scalance# commit apply. Example: scalance (confi...
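The two rules of precedence stated on pages 253 and 254 (ACEs are evaluated in the order they are programmed, and an inbound deny wins over the destination's user role) are easy to get wrong when a broad user-defined ACE is added in front of the automatic guest-VLAN ACEs. The following Python model is an added example, not code from the manual or from the SCALANCE W firmware; the rule layout mirrors the `inbound-firewall rule <subnet> <smask> <dest> <mask> <protocol> <sport> <eport> <action>` syntax on page 257, and the sample rules, addresses and the `origin` tag are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class InboundRule:
    src: str        # "any" or a network such as "10.10.10.0/24" (subnet + mask)
    dst: str        # "any" or a network
    protocol: str   # "any", "tcp", "udp", "icmp"
    sport: int      # start of the matched destination-port range
    eport: int      # end of the matched destination-port range
    action: str     # "permit", "deny", "src-nat", "dst-nat"
    origin: str = "user"   # constructed tag: "user" for admin ACEs, "guest-vlan" for automatic ones


def _net(spec: str) -> ipaddress.IPv4Network:
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _matches(rule: InboundRule, src_ip: str, dst_ip: str, protocol: str, dport: int) -> bool:
    if ipaddress.ip_address(src_ip) not in _net(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in _net(rule.dst):
        return False
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    return rule.sport <= dport <= rule.eport


def first_match(rules: Sequence[InboundRule], src_ip: str, dst_ip: str,
                protocol: str, dport: int) -> Optional[Tuple[int, InboundRule]]:
    """ACEs are evaluated in programmed order; the first hit decides (page 253)."""
    for index, rule in enumerate(rules):
        if _matches(rule, src_ip, dst_ip, protocol, dport):
            return index, rule
    return None


def final_action(inbound_action: str, destination_role_action: Optional[str]) -> str:
    """Combine the inbound ACE with the destination's user role (page 254):
    an inbound deny is applied regardless of the role; otherwise a role assigned to the
    destination overrides the ACE; otherwise the ACE's own action applies."""
    if inbound_action == "deny":
        return "deny"
    if destination_role_action is not None:
        return destination_role_action
    return inbound_action


# Constructed sample rule set (not from the manual). User ACEs sit before the guest-VLAN ACE.
GUEST_VLAN_DENY = InboundRule("192.168.50.0/24", "10.0.0.0/8", "any", 0, 65535, "deny", "guest-vlan")
BROAD_PERMIT = InboundRule("any", "any", "tcp", 1, 65535, "permit")
SSH_TO_MGMT = InboundRule("10.20.0.0/16", "10.0.0.0/24", "tcp", 22, 22, "permit")


def shadow_demo() -> Tuple[str, str]:
    """A guest client (192.168.50.23) reaching a management host over SSH:
    the broad permit placed first shadows the guest-VLAN deny; the narrow rule does not."""
    guest_pkt = ("192.168.50.23", "10.0.0.5", "tcp", 22)
    shadowed = first_match([BROAD_PERMIT, GUEST_VLAN_DENY], *guest_pkt)
    intended = first_match([SSH_TO_MGMT, GUEST_VLAN_DENY], *guest_pkt)
    return shadowed[1].origin, intended[1].origin   # ("user", "guest-vlan")
```

Run `shadow_demo()` after editing a rule set: if a packet that should hit the guest-VLAN ACE is answered by a user ACE, the ordering has overridden the automatic rule that page 253 warns about.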

Page 258: ...tab contents are displayed. Figure 15-4 Firewall Settings: Management Subnets. 2. To add a new management subnet: In the Add new management subnet section, enter the subnet address in Subnet. Enter the subnet mask in Mask. Click Add. 3. To add multiple subnets, repeat step 2. 4. Click OK. In the CLI: To configure a management subnet: scalance (config)# restricted-mgmt-access <subnet-IP-address> <subnet-mask>; scalance (co...

Page 259: ... blocked from the uplink port of the master AP, including clients connected to a slave AP. You can configure restricted corporate access by using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To configure restricted corporate access: 1. Navigate to Security > Inbound Firewall. The Inbound Firewall (see Figure 43) tab contents are displayed. 2. Select Enabled from the Restrict Corporate Access drop-down list ...

Page 260: ...imiting access to certain websites. Reduce bandwidth consumption significantly. Note: Regardless of whether content filtering is disabled or enabled, the DNS requests to http direct siemens com are always resolved internally on SCALANCE W. The content filtering configuration applies to all APs in the network and the service is enabled or disabled globally across the wireless or wired network profiles. E...

Page 261: ...re valid on the enterprise network. This list is used to determine how client DNS requests must be routed. When Content Filtering is enabled, the DNS request of the clients is verified and the domain names that do not match the names in the list are sent to the OpenDNS server. You can configure an enterprise domain through the SCALANCE W UI or the CLI. In the SCALANCE W UI: To manually add a domain: 1. Na...
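The enterprise domain list on page 261 is a name-based routing decision, and the usual mistake when reimplementing or auditing such a list is a bare suffix comparison that lets `notsiemens.com` pass as part of `siemens.com`. The following Python model is an added example, not code from the manual or the SCALANCE W firmware; it assumes the page's "http direct siemens com" refers to the host name `direct.siemens.com` (page 260), and it assumes that with content filtering disabled a client query simply follows the normally configured DNS path, which the page does not state. The domain list and query names are constructed.

```python
from typing import Iterable

# Assumption: the host the page says is "always resolved internally" is direct.siemens.com.
ALWAYS_INTERNAL = ("direct.siemens.com",)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Intranet.SIEMENS.com.' compares equal."""
    return name.strip().rstrip(".").lower()


def in_enterprise_domains(qname: str, enterprise_domains: Iterable[str]) -> bool:
    """True when qname is an enterprise domain or a subdomain of one.
    The comparison is on label boundaries: 'notsiemens.com' must not match 'siemens.com'."""
    q = normalize(qname)
    for dom in enterprise_domains:
        d = normalize(dom)
        if q == d or q.endswith("." + d):
            return True
    return False


def route_dns_query(qname: str, enterprise_domains: Iterable[str],
                    content_filtering_enabled: bool = True) -> str:
    """Decide where a client query goes: 'internal' (enterprise resolver), 'opendns'
    (page 261, filtering on and no list match) or 'configured-dns' (assumed path when
    filtering is off)."""
    q = normalize(qname)
    if in_enterprise_domains(q, ALWAYS_INTERNAL):
        return "internal"
    if not content_filtering_enabled:
        return "configured-dns"   # assumption, see lead-in
    return "internal" if in_enterprise_domains(q, enterprise_domains) else "opendns"


def naive_suffix_match(qname: str, enterprise_domains: Iterable[str]) -> bool:
    """The bug this example guards against: a bare endswith() treats a look-alike
    registered by an attacker as an enterprise name and keeps it off the filtering resolver."""
    q = normalize(qname)
    return any(q.endswith(normalize(d)) for d in enterprise_domains)
```

When reviewing a list entered through the UI, feed a few look-alike names (`notsiemens.com`, `siemens.com.evil.example`) through `route_dns_query` and confirm they come back as `opendns`; only names equal to, or below, a listed domain should resolve internally.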

Page 262: ... in the Access Rules section. The New Rule window appears. 3. Select Access Control from the Rule Type drop-down list. 4. To set an access policy based on the web category: Under the Service section, select Web category and expand the Web categories drop-down list. Select the categories to which you want to deny or allow access. You can also search for a web category and select the required option. From the Act...

Page 263: ...ule end; scalance# commit apply. Example: scalance (config)# wlan access-rule URLFilter; scalance (Access Rule "URLFilter")# rule any any match webcategory gambling deny; scalance (Access Rule "URLFilter")# rule any any match webcategory training-and-tools permit; scalance (Access Rule "URLFilter")# rule any any match webreputation trustworthy-sites permit; scalance (Access Rule "URLFilter")# rule any any match webreputation su...

Page 264: ...m error page URL. In the SCALANCE W UI: 1. Navigate to Security > Roles. 2. Select any WLAN SSID or Wired profile role and click New in the Access Rules section. 3. In the New Rule window, select the rule type as Blocked Page URL. 4. Select the URLs from the existing list of custom redirect URLs. To add a new URL, click New. 5. Click OK. 6. Click OK in the Roles tab to save the changes. In the CLI: To configure an AC...

Page 265: ...ites will be redirected to the custom error page URL. To redirect blocked HTTPS websites to a custom error page URL: In the SCALANCE W UI: 1. Navigate to Security > Roles. 2. Select any WLAN SSID or Wired profile role and click New in the Access Rules section. 3. In the New Rule window, select the rule type as Redirect Blocked HTTPS. 4. Click OK. 5. Click OK in the Roles tab to save the changes. In the CLI: To con...

Page 266: ...User Role. You can create a user role by using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To create a user role: 1. Click the Security link located directly above the Search bar in the SCALANCE W main window. The Security window is displayed. 2. Click the Roles tab. The Roles tab contents are displayed. 3. Under Roles, click New. 4. Enter a name for the new role and click OK. Note: You can also create a...

Page 267: ...signed bandwidth will be served and shared among all the users. You can also assign a bandwidth rate per user to provide every user a specific bandwidth within a range of 1-65,535 Kbps. If there is no bandwidth contract specified for a traffic direction, unlimited bandwidth is allowed. In the SCALANCE W UI: To create a user role: 1. Click the Security link located directly above the Search bar in the SCALA...

Page 268: ...ndicates a Windows machine with no user logged in. The device supports machine authentication and has a valid RADIUS account, but a user has not yet logged in and authenticated. User Auth only role: This indicates a known user or a non-Windows device. The device does not support machine authentication or does not have a RADIUS account, but the user is logged in and authenticated. When a device does both ...

Page 269: ...lance (config)# wlan ssid-profile <name>; scalance (SSID Profile "name")# set-role-machine-auth <machine_only> <user_only>; scalance (SSID Profile "name")# end; scalance# commit apply. To configure machine and user authentication roles for a wired profile: scalance (config)# wired-port-profile <name>; scalance (wired ap profile "name")# set-role-machine-auth <machine_only> <user_only>; scalance (wired ap profile "name")# end; scalance# commit ap...

Page 270: ...Incorporated (IEEE) Registration Authority. This identifier uniquely identifies a vendor, manufacturer, or other organization (referred to by the IEEE as the assignee) globally and effectively reserves a block of each possible type of derivative identifier (such as MAC addresses) for the exclusive use of the assignee. APs use the OUI part of a MAC address to identify the device manufacturer and can be confi...

Page 271: ...assigned for each authenticated client. Note: When creating more than one role assignment rule, the first matching rule in the rule list is applied. You can create a role assignment rule by using the SCALANCE W UI or the CLI. In the SCALANCE W UI: 1. Navigate to the WLAN wizard or the Wired settings window. To configure access rules for a WLAN SSID, in the Network tab, click New to create a new network prof...

Page 272: ...pattern specified in Operand. This operator is available only if the mac-address-and-dhcp-options attribute is selected in the Attribute drop-down list. The mac-address-and-dhcp-options attribute and matches-regular-expression are applicable only for the WLAN clients. 6. Enter the string to match the attribute in the String text box. 7. Select the appropriate role from the Role drop-down list. Click OK. N...

Page 273: ...ile, the VLAN for the client can be derived before the authentication from the rules configured for these profiles. If a rule derives a specific VLAN, it is prioritized over the user roles that may have a VLAN configured. The user VLANs can be derived from the default roles configured for 802.1X authentication or MAC authentication. After client authentication, the VLAN can be derived from Vendor Specif...

Page 274: ... match attributes with a user pre-defined VLAN derivation rule. If the rule is matched, the VLAN value defined by the rule is assigned to the user. For a complete list of RADIUS server attributes, see RADIUS Server Authentication with VSA (Page 209). Figure 15-6 Configuring RADIUS Attributes on the RADIUS Server. User Role: If the VSA and VLAN derivation rules do not match, then the user VLAN can be der...

Page 275: ...edit. Edit WLAN profile > VLAN: Select the Dynamic option under the Client VLAN assignment. To configure a VLAN derivation rule for a wired network profile, navigate to Wired > New > New Wired or ... The tab contents are displayed. 2. Click New to create a VLAN assignment rule. The New VLAN Assignment Rule window is displayed. In this window, you can define a match method by which the string in Operand is matched with ...

Page 276: ...d in Operand. 5. Enter the string to match the attribute in the String text box. 6. Select the appropriate VLAN ID from the VLAN drop-down list. 7. Click OK. 8. Ensure that the required security and access parameters are configured. 9. Click Finish to apply the changes. In the CLI: To create a VLAN assignment rule for a WLAN SSID: scalance (config)# wlan ssid-profile <name>; scalance (SSID Profile "name")# set-vlan <attri...

Page 277: ...between the brackets. For example, [bc]lock matches block and clock. \b: Matches the words that begin and end with the given expression. For example, \bdown matches downlink, linkdown, shutdown. \B: Matches the middle of a word. For example, \Bvice matches services, devices, serviceID, deviceID and so on. ^: Matches the characters at the starting position in a string. For example, ^bcd matches bcde or bcdf but not abcd. Matches ...

Page 278: ...tion Rules. For information on how to use regular expressions in role and VLAN derivation rules, see the following topics: Creating a Role Derivation Rule (Page 271); Configuring VLAN Derivation Rules (Page 275).

Page 279: ...f the VLAN in the VLAN ID text box. 8. Click OK. In the CLI: To create a VLAN role: scalance (config)# wlan access-rule <rule-name>; scalance (Access Rule "rule-name")# vlan 200; scalance (Access Rule "rule-name")# end; scalance# commit apply. Assigning User VLAN Roles to a Network Profile: You can configure user VLAN roles for a network profile using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To assign a user VLAN role...

Page 280: ...In the CLI: To assign a VLAN role to a WLAN profile: scalance (config)# wlan ssid-profile <name>; scalance (SSID Profile "name")# set-role <attribute> {{equals|not-equals|starts-with|ends-with|contains} <operator> <role> | value-of}; scalance (SSID Profile "name")# end; scalance# commit apply.
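Pages 271 and 272 state that the first matching role assignment rule wins and list the match operators, and page 280 shows the same operators in the `set-role` CLI form. The following Python evaluator is an added example, not code from the manual or the SCALANCE W firmware: it implements those operators and the first-match rule, and demonstrates the ordering pitfall in which a broad `contains` rule placed ahead of a narrow `equals` rule silently assigns the wrong role. Assumptions: `value-of` assigns the attribute's own value as the role name (what the `| value-of` alternative on page 280 implies); the device's regular-expression dialect is modelled with Python's `re.search`, since the page documents only a few tokens of it; the attribute names, rules and client attribute sets are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# Operators the page lists for set-role / set-vlan derivation rules (page 280).
OPERATORS = ("equals", "not-equals", "starts-with", "ends-with", "contains",
             "matches-regular-expression", "value-of")


@dataclass(frozen=True)
class DerivationRule:
    attribute: str   # attribute name, e.g. a RADIUS attribute or mac-address-and-dhcp-options
    operator: str    # one of OPERATORS
    operand: str     # string (or regex) compared against the attribute; unused for value-of
    role: str        # role assigned on match; unused for value-of (attribute value becomes the role)


def operator_matches(operator: str, value: str, operand: str) -> bool:
    """Return True when VALUE satisfies OPERATOR against OPERAND."""
    if operator == "equals":
        return value == operand
    if operator == "not-equals":
        return value != operand
    if operator == "starts-with":
        return value.startswith(operand)
    if operator == "ends-with":
        return value.endswith(operand)
    if operator == "contains":
        return operand in value
    if operator == "matches-regular-expression":
        # Assumption: the device's regex dialect is approximated by Python's re.search.
        return re.search(operand, value) is not None
    if operator == "value-of":
        return True
    raise ValueError(f"unknown operator {operator!r}")


def derive_role(rules: Sequence[DerivationRule], attributes: Dict[str, str],
                default_role: str) -> str:
    """First matching rule wins (page 271); rules whose attribute the client did not
    present are skipped; the profile's default role applies when nothing matches."""
    for rule in rules:
        value = attributes.get(rule.attribute)
        if value is None:
            continue
        if operator_matches(rule.operator, value, rule.operand):
            return value if rule.operator == "value-of" else rule.role
    return default_role


# Constructed sample clients (not from the manual).
CLIENT_CONTRACTOR = {"Filter-Id": "contractor-eng",
                     "mac-address-and-dhcp-options": "00:11:22:aa:bb:cc,hostname=build-01"}
CLIENT_EMPLOYEE = {"Filter-Id": "eng"}

BROAD = DerivationRule("Filter-Id", "contains", "eng", "employee")
NARROW = DerivationRule("Filter-Id", "equals", "contractor-eng", "contractor")
MAC_REGEX = DerivationRule("mac-address-and-dhcp-options",
                           "matches-regular-expression", r"^00:11:22", "lab-device")


def ordering_demo() -> Tuple[str, str]:
    """The pitfall: with BROAD first, the contractor is promoted to 'employee';
    with NARROW first, the intended 'contractor' role is assigned."""
    shadowed = derive_role([BROAD, NARROW], CLIENT_CONTRACTOR, "guest")
    intended = derive_role([NARROW, BROAD], CLIENT_CONTRACTOR, "guest")
    return shadowed, intended   # ("employee", "contractor")
```

Because a role carries its own access rules and VLAN (pages 273 and 279), a shadowed derivation rule is a privilege-escalation path rather than a cosmetic error; the same first-match logic applies to `set-vlan` rules, so the evaluator can be reused for them with a VLAN ID in place of the role name.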

Page 281: ...ent VLAN is not added in the allowed VLAN list for the port to which the AP E0 port is connected. 16.1.1 Configuring Local DHCP Scopes: You can configure Local, Local L2 and Local L3 DHCP scopes through the SCALANCE W UI or the CLI. Local: In this mode, the VC acts as both the DHCP server and the default gateway. The configured subnet and the corresponding DHCP scope are independent of the subnets config...

Page 282: ...following parameters. Parameter / Description: Name: Enter a name for the DHCP scope. Type: Select any of the following options: Local: On selecting Local, the DHCP server for the local branch network is used for keeping the scope of the subnet local to the AP. In the NAT mode, the traffic is forwarded through the IPsec tunnel or the uplink. Local L2: On selecting Local L2, the VC acts as a DHCP server and a default...

Page 283: ...ed by the DHCP server. For example, 176, 242 and 161. To add multiple DHCP options, click the icon. 4. Click OK. In the CLI: To configure a Local DHCP scope: scalance (config)# ip dhcp <profile-name>; scalance (DHCP Profile "profile-name")# server-type local; scalance (DHCP Profile "profile-name")# server-vlan <vlan-ID>; scalance (DHCP Profile "profile-name")# subnet <IP-address>; scalance (DHCP Profile "profile-name")# subnet-mask <subnet...

Page 284: ...llows you to configure the DHCP address assignment for the branches connected to the corporate network through a Virtual Private Network (VPN). You can configure the range of DHCP IP addresses used in the branches and the number of client addresses allowed per branch. You can also specify the IP addresses that must be excluded from those assigned to clients, so that they can be assigned statically. SCALANCE ...

Page 285: ...CALANCE W UI or the CLI. In the SCALANCE W UI: To configure distributed DHCP scopes such as Distributed L2 or Distributed L3: 1. Click More > DHCP Server. The DHCP Server window is displayed. 2. To configure a distributed DHCP mode, click New under Distributed DHCP Scopes. The New DHCP Scope window is displayed. The following figure shows the contents of the New DHCP Scope window. Figure 16-1 New DHCP Scope: Di...

Page 286: ...the Dynamic DNS check box to enable dynamic DNS on the Distributed L3 client. Key: Enter the TSIG shared secret key. IP Address Range: Specify a range of IP addresses to use. To add another range, click the icon. You can specify up to four different ranges of IP addresses. For the Distributed L2 mode, ensure that all IP ranges are in the same subnet as the default router. On specifying the IP address range...

Page 287: ... profile-name")# server-vlan <vlan-ID>; scalance (DHCP Profile "profile-name")# subnet-mask <subnet-mask>; scalance (DHCP Profile "profile-name")# default-router <IP-address>; scalance (DHCP Profile "profile-name")# client-count <number>; scalance (DHCP Profile "profile-name")# dns-server <name>; scalance (DHCP Profile "profile-name")# domain-name <domain-name>; scalance (DHCP Profile "profile-name")# lease-time <seconds>; scalance (DHCP Profile "profi...

Page 288: ...For Centralized L3 clients, the VC acts as a DHCP relay agent that forwards the DHCP traffic to the DHCP server located either in the corporate or the local network. The Centralized L3 VLAN IP is used as the source IP. The IP address is obtained from the DHCP server. You can configure a centralized DHCP scope through the SCALANCE W UI or the CLI. In the SCALANCE W UI: To configure a centralized DHCP scope: 1...

Page 289: ... If the GRE tunnel is down and the corporate network is not reachable, the client traffic is dropped. DHCP relay: If you are configuring a Centralized L2 DHCP profile, you can select Enabled to allow the APs to intercept the broadcast packets and relay DHCP requests to the centralized DHCP server. NOTE: The DHCP relay option is not available for Centralized L3 profile configuration. Helper address ...

Page 290: ...type centralized; scalance (DHCP Profile "profile-name")# server-vlan <vlan-ID>; scalance (DHCP Profile "profile-name")# option82 alu; scalance (DHCP Profile "profile-name")# disable-split-tunnel; scalance (DHCP Profile "profile-name")# end; scalance# commit apply. To configure a Centralized L3 DHCP profile: scalance (config)# ip dhcp <profile-name>; scalance (DHCP Profile "profile-name")# server-type centralized; scalance (DHCP Profile pr...

Page 291: ...igns the IP addresses to the WLAN or the wired clients. By default, the AP automatically determines a suitable DHCP pool for Virtual Controller Assigned networks. APs typically select the 172.31.98.0/23 subnet. If the IP address of the AP is within the 172.31.98.0/23 subnet, the AP selects the 10.254.98.0/23 subnet. However, this mechanism does not guarantee that it would avoid all possible conflicts w...

Page 292: Figure 16-2 DHCP Servers Window

Page 293: ...is 0. 5. Enter the network range for the client IP addresses in the Network text box. The system generates a network range automatically that is sufficient for 254 addresses. If you want to provide simultaneous access to more clients, specify a larger range. 6. Specify the subnet mask details for the network range in the Mask text box. 7. Click OK to apply the changes. In the CLI: To configure a DH...

Page 295: ...NTP server on the AP. To verify the time synchronization between the NTP server and the AP, execute the show time-range command and check whether the time on the NTP server is in synchronization with the local time. For more information on NTP server configuration, see NTP Server. For a time range profile configured to enable the SSID on the AP: When the timer starts, if the current time is greater than the s...

Page 296: ...ate of the AP changes during a specific date, day and time. Period Type: For periodic time range profiles, specify a periodic interval (day, weekday, weekend, daily) at which the time range profile must be applied. Start Day and End Day: For absolute time range profiles, specify the start day and the end day to configure a specific time period during which the time range profile is applied. NOTE: The year selec...

Page 297: ...me range is disabled, the SSID becomes unavailable for the configured time range. For example, if the configured time range is 14:00-17:00, the SSID is made unavailable from 2 PM to 5 PM on a given day. 4. Click Next and then click Finish. Note: If the SSID has two time range profiles enabled with an overlapping duration, the time range profile will be executed as per the configuration conditions described...

Page 298: ... The following command creates an absolute time range profile: scalance (config)# time-range timep1 absolute start 10/20/2013 10:40 end 10/20/2015 10:50. The following command creates a periodic time range profile that executes on the specified day of the week: scalance (config)# time-range timep2 periodic monday 10:40 to tuesday 10:50. The following command creates a periodic time range profile that execut...

Page 299: ...ing a domain name, thus providing a uniform approach to access the AP or the clients. The IP address of the dynamic DNS client is mapped to the domain name, and this gets automatically updated each time the IP address is changed. You can enable Dynamic DNS using the SCALANCE W UI or the CLI. In the SCALANCE W UI: To enable dynamic DNS: 1. Navigate to Services > Dynamic DNS. Parameter / Description / Example: Key ...

Page 300: ...d maximum time interval is 100 days. 900. 2. Select the Enable Dynamic DNS check box. 3. Click OK. In the CLI: To enable dynamic DNS on an AP: scalance (config)# dynamic-dns-ap; scalance (config)# end; scalance# commit apply. To configure a TSIG key and server IP address: scalance (config)# dynamic-dns-ap key <algo-name> <keyname> <keystring>; scalance (config)# dynamic-dns-ap server <ddns_server>; scalance (config)# end; scalance# comm...

Page 301: ...dates will be dropped. The DDNS updates are secured by using TSIG shared secret keys when communicating between the client and the server. For more information, see Configuring Distributed DHCP Scopes (Page 284). In the SCALANCE W UI: To enable DDNS for clients: 1. Navigate to More > DHCP Servers, select the Distributed L3 DHCP Scope under Distributed DHCP Scopes and click Edit. 2. Select the Dynamic DNS check ...

Page 302: ...lients. DDNS Client List (Host Name | Domain Name | IP Address | DHCP profile name | Success Count | Failure Count | Last updated | Last update status): iap1-ddns-home | test.ddns | 192.192.192.17 | None | 16 | 22 | 7 seconds ago | Success; 132-13-Auto-PC | test.ddns | 192.168.99.18 | DistL3 | 9 | 3 | 7 seconds ago | Success; 132-14-Auto-PC | test.ddns | 192.168.99.4 | DistL3 | 2 | 0 | 7 seconds ago | Success. Note: DHCP profile name is None for the Master AP ...

Page 303: ...ts as a VPN concentrator. When a VPN is configured, the AP acting as the VC creates a VPN tunnel to a Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the AP with any configuration. The VPN features are recommended for the following setups: Enterprises with many branches that do not have a dedicated VPN connection to the corporate office. Branch of...

Page 304: ...n use the GRE configuration for L2 deployments when there is no encryption requirement between the AP and controller for client traffic. APs support two types of GRE configuration: Manual GRE: The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the AP, ensure that the GRE tunnel settings are enabled...

Page 305: ...e backup VPN IPsec endpoint in the Backup host text box. This entry is optional. When you specify the primary and backup host details, the other details are displayed. 5. Specify the following parameters. A sample configuration is shown in Figure IPsec Configuration. To allow the VPN tunnel to switch back to the primary host when it becomes available again, select Enabled from the Preemption drop-down list...

Page 306: ...seconds for Secs between test packets. Based on the configured frequency, the AP can verify whether an active VPN connection is available. The default value is 5 seconds, which means that the AP sends one packet to the controller every 5 seconds. Enter a value for Max allowed test packet loss to define a number of lost packets, exceeding which the AP determines that the VPN connection is unavailable. The...

Page 307: ...CP Profile "distL2")# server-vlan 2; scalance (DHCP Profile "distL2")# ip-range 10.15.205.0 10.15.205.255; scalance (DHCP Profile "distL2")# subnet-mask 255.255.255.0; scalance (DHCP Profile "distL2")# lease-time 86400; scalance (DHCP Profile "distL2")# default-router 10.15.205.254; scalance (DHCP Profile "distL2")# dns-server 10.13.6.110,10.1.1.50; scalance (DHCP Profile "distL2")# domain-name siemens.com; scalance (DHCP Profile "distL2")# c...

Page 308: ... To configure a GRE tunnel: 1. Click the More > VPN link located directly above the Search bar in the SCALANCE W UI. The Tunneling window is displayed. 2. Select Manual GRE from the Protocol drop-down list. 3. Specify the following parameters. A sample configuration is shown in Figure Manual GRE Configuration. Enter an IP address or an FQDN for the main VPN/GRE endpoint in the Host text box. Enter a value in ...

Page 309: ...d received by an AP are encapsulated but not encrypted. In the CLI: To configure a manual GRE VPN tunnel: scalance (config)# gre primary <name>; scalance (config)# gre type <type>; scalance (config)# gre per-ap-tunnel; scalance (config)# end; scalance# commit apply. To view VPN configuration details: scalance# show vpn config. To configure a GRE tunnel on the controller: scalance (config)# interface tunnel <Number>; scalance (config-t...

Page 310: ...nnels are created based on the Per-AP tunnel configuration on the AP. For GRE, no manual configuration is required on the controller to create the GRE tunnel. Note: Aruba GRE is supported only on Controllers running ArubaOS 6.4.x.x or later versions. In the SCALANCE W UI: To configure Aruba GRE: 1. Click the More > VPN link located directly above the Search bar in the SCALANCE W UI. The Tunneling window is d...

Page 311: ...connect all wired and wireless users when the system switches during a VPN tunnel transition from primary to backup and from backup to primary, set Reconnect user on failover to Enabled. To configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch, specify a value in seconds for Reconnect time on failover within the range of 30-900 seconds. By default, the reconnection ...

Page 312: ... outside; scalance (config)# vpn primary <name|IP-address>; scalance (config)# vpn backup <name|IP-address>; scalance (config)# vpn fast-failover; scalance (config)# vpn hold-time <seconds>; scalance (config)# vpn preemption; scalance (config)# vpn monitor-pkt-send-freq <frequency>; scalance (config)# vpn monitor-pkt-lost-cnt <count>; scalance (config)# vpn reconnect-user-on-failover; scalance (config)# vpn reconnect-time-on-failover <down_tim...

Page 313: ... it fails over to the backup LNS. L2TPv3 has one tunnel profile, and under this a primary peer and a backup peer are configured. If the primary tunnel creation fails or if the primary tunnel gets deleted, the backup starts. The following two failover modes are supported: Preemptive: In this mode, if the primary comes up when the backup is active, the backup tunnel is deleted and the primary tunnel resumes ...

Page 314: ...In the SCALANCE W UI: To configure an L2TPv3 tunnel and session profile: 1. Click the More > VPN link located directly above the Search bar in the SCALANCE W UI. The Tunneling window is displayed. Figure 19-4 L2TPv3 Tunneling. 2. Select L2TPv3 from the Protocol drop-down list.

Page 315: ... when a backup server is configured. Enter a port number in the Peer UDP port text box. Enter the remote end UDP port number in the Local UDP port text box. The default value is 1701. Enter the interval at which the hello packets are sent through the tunnel in the Hello interval text box. The default value is 60 seconds. Select the message digest as MD5 or SHA to be used for message authentication from th...

Page 316: ...profile name where the session will be associated. Figure 19-6 Session Configuration. Configure the tunnel IP address with the corresponding network mask and VLAN ID. This is required to reach an AP from a corporate network, for example for SNMP polling. Select the cookie length and enter a cookie value corresponding to the length. By default, the cookie length is not set. Specify the remote end ID. If require...

Page 317: ...in_sec; scalance (L2TPv3 Tunnel Profile "l2tpv3_tunnel_profile")# local-port <local_udp_port>; scalance (L2TPv3 Tunnel Profile "l2tpv3_tunnel_profile")# peer-port <peer_udp_port>; scalance (L2TPv3 Tunnel Profile "l2tpv3_tunnel_profile")# message-digest-type <digest_algo>; scalance (L2TPv3 Tunnel Profile "l2tpv3_tunnel_profile")# secret-key <key>; scalance (L2TPv3 Tunnel Profile "l2tpv3_tunnel_profile")# mtu <tunnel_MTU>; scalance (L2TPv3 ...

Page 318: ...file "test_tunnel")# secret-key test123; scalance (L2TPv3 Tunnel Profile "test_tunnel")# end; scalance# commit apply. scalance (config)# l2tpv3 session test_session; scalance (L2TPv3 Session Profile "test_session")# cookie len 4 value 12345678; scalance (L2TPv3 Session Profile "test_session")# l2tpv3 tunnel test_tunnel; scalance (L2TPv3 Session Profile "test_session")# tunnel-ip 1.1.1.1 mask 255.255.255.0 vlan 5; scalance (L2TPv3 Tu...

Page 319: ...tate ESTABLISHED, created at Jul 2 04:58:45 2013; administrative name test_session_primary; created by admin: YES; peer session id 12382; session profile name test_session_primary; data sequencing required: OFF; use data sequence numbers: OFF. Peer configuration data: data sequencing required: OFF; framing types; data rx packets 16, rx bytes 1560, rx errors 0, rx cookie error 0; data tx packets 6, tx bytes 588, tx err...

Page 320: ...CLI; peer vendor name: Katalix Systems Ltd. Linux-2.6.32-358.2.1.el6.x86_64 (x86_64); peer protocol version 1.0, firmware 0; peer rx window size 10. Transport status: ns/nr 98/97, peer 98/96; cwnd 10, ssthresh 10, congpkt_acc 9. Transport statistics: out of sequence control/data discards 0/0; ACKs tx/txfail/rx 0/0/96; retransmits 0; duplicate pkt discards 0; data pkt discards 0; hellos tx/txfail/rx 94/0/95; control rx ...

Page 321: ...ress 10 13 11 157 peer UDP port 1701 hello timeout 60 retry timeout 1 idle timeout 0 rx window size 10 tx window size 10 max retries 5 use UDP checksums OFF do pmtu discovery OFF mtu 1460 framing capability SYNC ASYNC bearer capability DIGITAL ANALOG use tiebreaker OFF peer profile NOT SET session profile NOT SET trace flags PROTOCOL FSM API AVPDATA FUNC XPRT DATA SYSTEM CLI To view L2TPv3 system ...

Page 322: ...e encode failures 0 no matching tunnel discards 0 mismatched tunnel ids 0 no matching session_discards 0 mismatched session ids 0 total control frame send failures 0 event queue fulls 0 Message counters Message RX Good RX Bad TX ILLEGAL 0 0 0 SCCRQ 0 0 1 SCCRP 1 0 0 SCCCN 0 0 1 STOPCCN 0 0 0 RESERVED1 0 0 0 OCRQ 0 0 0 OCRP 0 0 0 OCCN 0 0 0 ICRQ 0 0 1 ICRP 1 0 0 ICCN 0 0 1 HELLO 95 0 95 RESERVED2 0...

Page 323: ...unneling window The routing details are displayed 2 Click New The route parameters to configure are displayed Figure 19 7 Tunneling Routing 3 Update the following parameters Destination Specify the destination network that is reachable through the VPN tunnel This defines the IP or subnet that must reach through the IPsec tunnel Traffic to the IP or subnet defined here will be forwarded through the...

Page 324: ...utes with the same network destination are available for data forwarding the route with the least metric value takes preference 4 Repeat step 3 to create the required number of routing profiles 5 Click OK 6 Click Finish In the CLI scalance config routing profile scalance Routing profile route destination mask gateway metric scalance Routing profile end scalance commit apply Note Routing profile is...

Page 327: ...N clients The controller terminates VPN tunnels and routes or switches the VPN traffic The AP cluster creates an IPsec or GRE VPN tunnel from the VC to a Mobility Controller in a branch office The controller only acts as an IPsec or GRE VPN endpoint and it does not configure the AP AP VPN Scalability Limits The controller scalability in AP VPN architecture depends on factors such as IPsec tunnel l...

Page 328: ...ibed in the following sections Note Ensure that VLAN 1 is not configured for any of the DHCP scopes as it is reserved for a different purpose Local Mode In this mode the AP cluster at that branch has a local subnet and the master AP of the cluster acts as the DHCP server and gateway for clients The local mode provides access to the corporate network using the inner IP of the IPsec tunnel The networ...

Page 329: ...mplexity associated with the classic site to site VPN However this mode is very similar to a classic site to site IPsec VPN where two VPN endpoints connect individual networks together over a public network In Distributed L3 mode each branch location is assigned a dedicated subnet The master AP in the branch manages the dedicated subnet and acts as the DHCP server and gateway for clients Client tr...

Page 330: ... a relay agent VC VC Default Gateway for clients VC Default Gateway in the local network VC Controller or a router in the Datacenter VC Controller or a router in the Datacenter VC Corporate Traffic Source NAT is performed with inner IP of the IPsec tunnel Not applicable Source NAT is performed with inner IP of the IPsec tunnel L2 reachable Routed L2 reachable Routed Internet Traffic Source ...

Page 331: ...onfiguring an AP Network for AP VPN Operations An AP network requires the following configurations for AP VPN operations 1 Defining the VPN Host Settings 2 Configuring Routing Profiles 3 Configuring DHCP Profiles 4 Configuring an SSID or Wired Port 5 Enabling Dynamic RADIUS Proxy 6 Configuring Enterprise Domains Defining the VPN Host Settings The VPN endpoint on which a master AP terminates its VP...

Page 332: ... of AP or the VC IP address in the local subnet is not routed to tunnel but will be switched to the relevant VLAN For example when a 0 0 0 0 0 0 0 0 routing profile is defined to bypass certain IPs you can add a route to the IP by defining 0 0 0 0 as the destination thereby forcing the traffic to be routed through the default gateway of the AP You can configure routing profiles through More VPN Co...

Page 333: ...for a specific AP VPN mode the VLAN ID defined in the SSID or wired port profile must match the VLAN ID defined in the DHCP profile configuration If the VLAN assignment for an SSID or wired port profile is set to VC assigned custom or a static VLAN ID that does not match the VLAN ID configured in the DHCP profiles the AP VPN operations are affected For example if a local DHCP profile is configured...

Page 334: ...F RFC 2328 The premise of OSPF is that the shortest or fastest routing path is used The implementation of OSPFv2 allows controllers to deploy effectively in a Layer 3 topology The controllers can act as the default gateway for all clients and forward user packets to the upstream router Each AP VPN can be defined a separate subnet derived from the corporate intranet pool to allow AP VPN devices to ...

Page 335: ...43 43 32 9 9 9 9 164 0x80000007 0x2633 0 0 0 15 NSSA 54 44 44 16 9 9 9 9 164 0x80000007 0x353 N A AS EXTERNAL 12 12 2 0 9 9 9 9 29 0x80000003 0x8c06 N A AS EXTERNAL 12 12 12 0 9 9 9 9 169 0x80000001 0x25e4 N A AS EXTERNAL 12 12 12 32 9 9 9 9 169 0x80000001 0x2663 N A AS EXTERNAL 50 40 40 0 9 9 9 9 169 0x80000001 0xab80 N A AS EXTERNAL 51 41 41 128 9 9 9 9 169 0x80000001 0x85a2 N A AS EXTERNAL 53 4...

Page 336: ... controller Whitelist Database Configuration The whitelist database is a list of the MAC addresses of the APs that are allowed to establish VPN connections with the controller This list can be either stored in the controller database or on an external server You can use the following CLI command to configure the whitelist database entries if the controller is acting as the whitelist database scala...

Page 337: ... and select Properties In the Settings tab select the policy condition and click Edit Profile In the Advanced tab select Vendor Specific and click Add to add new vendor specific attributes Add new vendor specific attributes and click OK In the IP tab provide the IP address of the AP and click OK VPN Local Pool Configuration The VPN local pool is used to assign an IP address to the AP after success...

Page 338: ...res that a branch is allocated the same subnet or range of IP addresses irrespective of which AP in the branch becomes the master in the AP cluster Branch Status Verification To view the details of the branch information connected to the controller execute the show iap table command Example This example shows the details of the branches connected to the controller scalance show iap table long AP B...

Page 339: ...lan Displays the VLAN ID assigned to the branch Key Displays the key for the branch which is unique to each branch Bid Subnet Name Displays the Branch ID BID of the subnet In the example above the controller displays bid per subnet per branch i e for LA branch BID 2 for the ip range 10 15 205 0 10 15 205 250 with client count per branch 5 If a branch has multiple subnets it can have multiple BIDs ...

Page 341: ...nnel or power assignment feature automatically assigns channel and power settings for all the APs in the network according to changes in the RF environment This feature automates many setup tasks during network installation and the ongoing operations when RF conditions change Voice Aware Scanning The Voice Aware scanning feature prevents an AP supporting an active voice call from scanning for othe...

Page 342: ...ARM Metrics ARM computes coverage and interference metrics for each valid channel and chooses the best performing channel and transmit power settings for each AP RF environment Each AP gathers other metrics on its ARM assigned channel to provide a snapshot of the current RF health state ...

Page 343: ...and if the client persistently attempts for 2 4 GHz association Force 5 GHz Select this option to enforce 5 GHz band steering mode on the APs Balance Bands Select this option to allow the AP to balance the clients across the two radios to best utilize the available 2 4 GHz bandwidth This feature takes into account the fact that the 5 GHz band has more channels than the 2 4 GHz band and that the 5 ...

Page 344: ...eature continually monitors a client s RF neighborhood to provide ongoing client band steering and load balancing and enhanced AP reassignment for roaming mobile clients This feature supersedes the legacy band steering and spectrum load balancing features which unlike client match do not trigger AP changes for clients already associated to an AP In addition to this the Client Match feature provide...

Page 345: ...nd reduce performance for other clients associated with that AP Band Steering APs using the client match feature monitor the RSSI for clients that advertise a dual band capability If a client is currently associated to a 2 4 GHz radio and the AP detects that the client has a good RSSI from the 5 GHz radio the AP steers the client to the 5 GHz radio as long as the 5 GHz RSSI is not significantly wo...

Page 346: ...ou can specify a value within the range of 10 600 CM neighbor matching Specify a value for CM neighbor matching This number takes into account the least similarity percentage to be considered as in the same virtual RF neighbor hood of client match You can specify a percentage value within the range of 20 100 The default value is 75 CM threshold Specify a value for CM threshold This number takes ac...

Page 347: ... the highest supported power setting The default value for minimum transmit power is 18 dBm Maximum Transmit Power Specify the maximum transmission power The value specified for Maximum Transmit Power indicates the maximum Effective Isotropic Radiated Power EIRP that can range from 3 dBm to 33 dBm in 3 dBm increments If the maximum transmission EIRP configured on an AP is not supported by the AP...

Page 348: ... GHz radios which support a very high throughput This setting is enabled by default NOTE Only the APs that support 802 11ac can be configured with 80 MHz channels 2 Reboot the AP 3 Click OK In the CLI To configure access point control parameters scalance config arm scalance ARM a channels 5GHz channels scalance ARM min tx power power scalance ARM max tx power power scalance ARM client aware scalan...

Page 349: ...ing Mode channel based CM max client match req 5 CM max adoption 5 Custom Channels No 2 4 GHz Channels Channel Status 1 1 enable 2 2 disable 3 3 disable 4 4 disable 5 5 disable 6 6 enable 7 7 disable 8 8 disable 9 9 disable 10 10 disable 11 11 enable 12 12 disable 13 13 disable 1 enable 2 disable 3 disable 4 disable 5 disable 6 disable 7 enable 5 0 GHz Channels Channel Status 36 enable 40 enable ...

Page 350: ...44 enable 48 enable 52 enable 56 enable 60 enable 64 enable 149 enable 153 enable 157 enable 161 enable 165 enable 36 enable 44 enable 52 disable 60 disable 149 enable 157 enable 36E enable 52E enable 149E enable ...

Page 351: ... within the range of 60 500 The default value is 100 milliseconds Interference immunity level Select to increase the immunity level to improve performance in high interference environments The default immunity level is 2 Level 0 no ANI adaptation Level 1 Noise immunity only This level enables power based packet detection by controlling the amount of power increase that makes a radio aware that it ...

Page 352: ...tion Very high throughput Ensure that this check box is selected to enable very high throughput VHT on 802 11ac devices with 5 GHz radio If VHT is enabled for the 5 GHz radio profile on an AP it is automatically enabled for all SSIDs configured on an AP By default VHT is enabled on all SSIDs If you want the 802 11ac APs to function as 802 11n APs clear the check box to disable VHT on these device...

Page 353: ... tx power db scalance RF dot11a Radio Profile csa count count scalance RF dot11a Radio Profile end scalance commit apply To disable VHT on a 5 GHz radio profile scalance config rf dot11a radio profile scalance RF dot11a Radio Profile very high throughput disable scalance RF dot11a Radio Profile end scalance commit apply To view the radio configuration scalance show radio config 2 4 GHz Legacy Mode...

Page 354: ...ws the radio to retain its current default Rx sensitivity value Values from 1 dB 55 dB reduce the power level that the radio can hear by that amount If you configure this feature to use a non default value you must also reduce the radio s transmission Tx power to match its new received Rx power level Failure to match a device s Tx power level to its Rx power level can result in a configuration tha...

Page 355: ...nnel for transmission The ap frequent scan command is introduced in the CLI to enable the APs to trigger frequent scanning of transmission signals on a radio profile Note Wireless connection is affected for a few seconds when the frequent scanning of non DFS channels is ongoing The connection is re established after the ARM selects a valid channel Typically a frequent scanning session lasts for le...

Page 357: ...th DPI capability analyze data packets to identify applications in use and allow you to create access rules to determine client access to applications application categories web categories and website URLs based on web reputation You can also define traffic shaping policies such as bandwidth control and QoS per application for client roles For example you can block bandwidth monopolizing applicati...

Page 358: ... Location Engine ALE is exposed as northbound APIs which can be consumed by URL analytical engines for advanced client URL data mining and analytics You can enable AppRF visibility by using the SCALANCE W UI or the CLI In the SCALANCE W UI To enable AppRF 1 Navigate to System General 2 Select All from the AppRF visibility drop down list to view both application and web categories charts or either ...

Page 359: ... if AppRF visibility is enabled in the System window The following figure provides a view of the AppRF dashboard Figure 22 1 AppRF Dashboard The AppRF dashboard presents four different graph areas with data graphs on all client traffic and content filters based on App Category Web Category and Web Reputation Click each category to view the real time client traffic data or usage trend in the last 1...

Page 360: ...2 Application Categories Chart The application categories chart displays details on the client traffic towards the application categories By clicking the rectangle area you can view the following graphs and toggle between the chart and list views Figure 22 2 Application Categories Chart Client View Figure 22 3 Application Categories List Client View ...

Page 361: ...Figure 22 4 Application Categories Chart AP View Applications Chart The applications chart displays details on the client traffic towards the applications By clicking the rectangular area you can view the following graphs and toggle between the chart and list views Figure 22 5 Applications Chart Client View ...

Page 362: ...Figure 22 6 Applications List Client View Figure 22 7 Application Chart Access Point View ...

Page 363: ...Web Categories Charts The web categories chart displays details about the client traffic to the web categories By clicking the rectangle area you can view the following graphs and toggle between the chart and list views Figure 22 8 Web Categories Chart Client View Figure 22 9 Web Categories List Client View ...

Page 364: ...Figure 22 10 Web Categories Chart Access Point View Web Reputation Charts The web reputation chart displays details about the client traffic to the URLs that are assigned security ratings By clicking in the rectangle area you can view the following graphs and toggle between the chart and list views Figure 22 11 Web Reputation Chart Client View ...

Page 365: ...Figure 22 12 Web Reputation List Client View Figure 22 13 Web Reputation Chart AP View ...

Page 366: ...them on the ALE server Full URL visibility for HTTP sessions fed to ALE are exposed as Northbound APIs and are used by URL analytical engines for advanced client URL data mining and analysis You can enable URL visibility by using the SCALANCE W UI or the CLI In the SCALANCE W UI To enable URL visibility 1 Navigate to System General 2 Select Enabled from the URL visibility drop down list 3 Click OK...

Page 367: ...guring access rules based on web categories and web reputation see Configuring Web Policy Enforcement Service Page 371 In the SCALANCE W UI To configure ACL rules for a user role 1 Navigate to the Security Roles tab The Roles tab contents are displayed You can also configure access rules for a wired or wireless client by using The WLAN wizard Network WLAN SSID Edit Edit WLAN Access or The Wired pr...

Page 368: ...Application throttling allows you to set a bandwidth limit for an application application category web category or for sites based on their web reputation For example you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix or assign a low bandwidth to high risk sites If your AP model does not support configuring access rules based on application or applicatio...

Page 369: ... the domain name in the Domain Name text box to master IP Access is allowed or denied to the master IP address Log Select this check box to create a log entry when this rule is triggered SCALANCE W supports firewall based logging function Firewall logs on the APs are generated as security logs Blacklist Select the Blacklist check box to blacklist the client when this rule is triggered The blacklis...

Page 370: ...Example The following CLI example shows how to configure employee access rules scalance config wlan access rule employee scalance Access Rule employee rule any any match app youtube permit throttle downstream 256 throttle up 256 scalance Access Rule employee rule any any match appcategory collaboration permit scalance Access Rule employee end scalance commit apply ...

Page 371: ... UI or the CLI In the SCALANCE W UI To configure WPE service 1 Navigate to Security Roles 2 Select any WLAN SSID or wired profile role and click New in the Access Rules section 3 Select the rule type as Access Control 4 To set an access policy based on the web category Under Service select Web category and expand the Web categories drop down list Figure 22 14 Web Policy Enforcement Select the cate...

Page 372: ...links or payloads Moderate risk These are generally benign sites but may pose a security risk There is some probability that the user will be exposed to malicious links or payloads Suspicious These are suspicious sites There is a higher than average probability that the user will be exposed to malicious links or payloads High risk These are high risk sites There is a high probability that the user...

Page 373: ...Rule access rule rule dest mask match webreputation webrep permit deny option1 option9 scalance Access Rule access rule end scalance commit apply Example The following CLI example shows how to set access rules based on the web category and the web reputation scalance config wlan access rule URLFilter scalance Access Rule URLFilter rule any any match webcategory gambling deny scalance Access Rule U...

Page 375: ...er IP VoIP devices Session Initiation Protocol SIP Spectralink Voice Priority SVP H323 SCCP Vocera and Alcatel NOE phones clients running Microsoft OCS and Apple devices running the Facetime application This section includes the following topics Wi Fi Multimedia Traffic Management Page 376 Media Classification for Voice and Video Calls Page 380 Enabling Enhanced Voice Call Tracking Page 382 ...

Page 376: ...ority value is contained in a two byte QoS control field in the WMM data frame Table 23 1 WMM AC to 802 1p Priority Mapping (802 1p Priority to WMM Access Category): 1 and 2 Background; 0 and 3 Best effort; 4 and 5 Video; 6 and 7 Voice In a non WMM or hybrid environment where some clients are not WMM capable you can configure an SSID with higher values for best effort and voice ACs to allocate a higher bandwidth to client...

Page 377: ...mmunication 4 Click Next and complete the configuration as required In the CLI Configuring WMM for wireless clients scalance config wlan ssid profile name scalance SSID Profile name wmm background share share scalance SSID Profile name wmm best effort share share scalance SSID Profile name wmm video share share scalance SSID Profile name wmm voice share share scalance SSID Profile name end scalanc...

Page 378: ...cify the appropriate DSCP mapping value within a range of 0 63 for the following access categories in the DSCP mapping text box Background WMM DSCP mapping for the background traffic Best effort WMM DSCP mapping for the best effort traffic Video WMM DSCP mapping for the video traffic Voice WMM DSCP mapping for the voice traffic 4 Click Next and complete the configuration as required In the CLI Con...

Page 379: ...trieve the unicast QoS traffic buffered in the AP by sending trigger frames During the association or reassociation with the AP the station indicates the WMM Access Categories for which U APSD is enabled In the current release APs support U APSD on all WMM ACs To disable U APSD on an SSID scalance config wlan ssid profile ssid_profile scalance SSID Profile ssid_profile wmm uapsd disable scalance S...

Page 380: ...alysis of the actual traffic SCALANCE W identifies and prioritizes voice and video traffic from applications such as Skype for Business Apple Facetime and Jabber Skype for Business uses Session Initiation Protocol SIP over TLS or HTTPS to establish control and terminate voice and video calls Apple Facetime uses Extensible Messaging and Presence Protocol XMPP over TLS or HTTPS for these functions T...

Page 381: ...ion a VOIP client initiates a Session Traversal Utilities for NAT STUN connectivity check Sessions created by STUN are subjected to media classification that classifies the media as Real time Transport Protocol RTP or non RTP The firewall automatically allows the RTP session on the AP and denies the non RTP sessions The following CLI example shows the STUN based media classification for Skype for ...

Page 382: ... under the following scenarios The VoIP call is successful The VoIP client roams from one AP to another during an active call the Master AP will identify the VoIP client and send out the WLSXAPVOICECLIENTLOCATIONUPDATE trap to the emergency call server Note The trap sending feature is not supported for L3 mobility The WLSXAPVOICECLIENTLOCATIONUPDATE trap contains the following information Table 23...

Page 383: ...nother VLAN As the addresses used by the protocol are link scope multicast addresses each query or advertisement can only be forwarded on its respective VLAN but not across different VLANs Broadcast and multicast traffic are usually filtered out from a wireless LAN network to preserve the airtime and battery life This inhibits the performance of AirGroup services that rely on multicast traffic The...

Page 384: ...iPod Touch iPad Apple TV and AirPort Express Apple AirPlay and AirPrint services are based on the Bonjour protocol and are essential services in campus Wi Fi networks Bonjour can be installed on computers running Microsoft Windows and is supported by the new network capable printers Bonjour is also included with popular software programs such as Apple iTunes Safari and iPhoto Bonjour uses multicas...

Page 385: ...licies applicable to mDNS are extended to DLNA to ensure full interoperability between compliant devices In a UPnP based scenario the following types of devices are available in a network Controlled devices servers Control points clients When a controlled device joins a network and acquires IP address it multicasts a number of discovery messages for advertising itself its embedded devices and serv...

Page 386: ...strates DLNA UPnP Services and AirGroup Architecture Figure 24 3 DLNA UPnP Services and AirGroup Architecture For a list of supported DLNA services see AirGroup Services Page 386 24 1 3 AirGroup Features AirGroup supports the following features Sends unicast responses to mDNS or DLNA queries and reduces the traffic footprint Ensures cross VLAN visibility and availability of AirGroup devices and se...

Page 387: ... a user would be presented with the closest printer instead of all the printers in the building When configured AirGroup enables a client to perform a location based discovery For example when a client roams from one SCALANCE W cluster to another it can discover devices available in the new cluster to which the client is currently connected The following figure shows an example of a higher educati...

Page 388: ...ervice ChromeCast The ChromeCast service allows you to use a ChromeCast device to play audio or video content on a high definition television by streaming content through Wi Fi from the Internet or local network DLNA Media Applications such as Windows Media Player use this service to browse and play media content on a remote device DLNA Print This service is used by printers that support DLNA For ...

Page 389: ...AN based AirGroup service policy enforcement Yes Yes User role based AirGroup service policy enforcement Yes Yes Portal to self register personal devices No Yes Device owner based policy enforcement No Yes Shared user list based policy enforcement No Yes Shared role list based policy enforcement No Yes ClearPass Policy Manager and ClearPass Guest Features ClearPass Policy Manager and ClearPass Gu...

Page 390: ...lect the AirGroup services related to Bonjour as required 4 To enable DLNA support select the Enable DLNA check box and select the DLNA services 5 To allow the users to use Bonjour services enabled in a guest VLAN select Enable Guest Bonjour multicast When this check box is enabled the Bonjour devices are visible only in the guest VLAN and AirGroup will not discover or enforce policies in guest VL...

Page 391: ... the edit links for the airplay disallowed roles and airplay disallowed vlans are displayed Similarly if sharing service is selected the edit links for the sharing disallowed roles and sharing disallowed vlans are displayed To block user roles from accessing an AirGroup service click the corresponding edit link and select the user roles for which you want to restrict access By default an AirGroup ...

Page 392: ...p scalance airgroup enable dlna only scalance airgroup end scalance commit apply To configure AirGroup services scalance config airgroupservice airgroup service scalance airgroup service id airgroupservice ID scalance airgroup service description text scalance airgroup service disallow role role scalance airgroup service disallow vlan vlan ID scalance airgroup service end scalance commit apply To ...

Page 393: ...e of Authorization CoA Creating a RADIUS Server You can create a RADIUS server in the Air Group window Navigate to Services AirGroup Clear Pass Settings CPPM server 1 and select New from the drop down list You can configure an external RADIUS Security window For more information on configuring ClearPass Policy Manager server see Configuring an External Server for Authentication Page 209 Assigning ...

Page 394: ...d by Bonjour devices based on the ClearPass Policy Manager policy Configuring Change of Authorization CoA When a RADIUS server is configured with Change of Authorization CoA with the ClearPass Policy Manager server the guest users are allowed to register their devices For more information on configuring RADIUS server with CoA see Configuring an External Server for Authentication Page 209 Note You ...

Page 395: ...al Time Location Server With the help of the RTLS the devices can be monitored in real time or through history You can configure RTLS by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure RTLS 1 Click the More Services link on the SCALANCE W main window 2 In the Services section click the RTLS tab 3 Under Aruba select the RTLS check box to integrate SCALANCE W with the AMP or Eka...

Page 396: ...ons that are not associated to any AP 8 Click OK To configure third party RTLS such as Aeroscout 1 Select the Aeroscout check box to send the RFID tag information to an AeroScout RTLS 2 Specify the IP address and port number of the AeroScout server to which location reports must be sent 3 Select the Include unassociated stations check box to send reports on the stations that are not associated to ...

Page 397: ...he Northbound API Client username IP address MAC address Device type Application firewall data showing the destinations and applications used by associated devices Current location Historical location ALE requires the AP placement data to be able to calculate location for the devices in a network ALE with SCALANCE W The ALE server acts as a primary interface to all third party applications and the...

Page 398: ...he Analytics Location Engine check box Figure 24 7 Services Window ALE Integration 4 In the Server text box specify the ALE server name or IP address 5 In the Report interval text box specify the reporting interval within the range of 6 60 seconds The AP sends messages to the ALE server at the specified interval The default interval is 30 seconds 6 Click OK ...

Page 399: ... In the CLI To enable AP integration with the ALE server scalance config ale server server name IP address scalance config ale report interval seconds scalance config end scalance commit apply Verifying ALE Configuration on an AP To view the configuration details scalance show ale config To verify the configuration status scalance show ale status ...

Page 400: ...s 2 Click the RTLS tab The tab details are displayed 3 To manage the BLE devices using BMC select Manage BLE Beacons 4 Enter the authorization token The authorization token is a text string of 1 255 characters used by the BLE devices in the HTTPS header when communicating with the BMC This token is unique for each deployment 5 In Endpoint URL enter the URL of the server to which the BLE sends the ...

Page 401: ...1 02 401 In the CLI To enable BLE beacon management scalance config ble config token url scalance config end scalance commit apply To configure a BLE operation mode scalance config ble mode opmode scalance config end scalance commit apply To view the BLE configuration details scalance show ble config ...

Page 402: ...enDNS to provide enterprise level content filtering You can configure OpenDNS credentials by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure OpenDNS credentials 1 Click More Services OpenDNS 2 Enter the Username and Password to enable access to OpenDNS 3 Click OK to apply the changes In the CLI To configure OpenDNS credentials scalance config opendns username password scalance...

Page 403: ...tion for its clients in the network and can provide the required information for the user ID on PAN firewall Before sending the user ID mapping information to the PAN firewall the AP must retrieve an API key that will be used for authentication for all APIs AP provides the User ID mapping information to the PAN firewall for integration The client user id for authentication will not be sent to the ...

Page 404: ... in an AP 1 Click More Services 2 Click Network Integration The PAN firewall configuration options are displayed Figure 24 8 Services Window Network Integration Tab 3 Select the Enable check box to enable PAN firewall 4 Provide the user credentials of the PAN firewall administrator in the Username and Password text boxes 5 Enter the PAN firewall IP address 6 Enter the port number within the range ...

Page 405: ...OK In the CLI To enable PAN firewall integration with the AP scalance config firewall external enforcement pan scalance firewall external enforcement pan enable scalance firewall external enforcement pan domain name name scalance firewall external enforcement pan ip ip address scalance firewall external enforcement pan port port scalance firewall external enforcement pan user name password scalanc...

Page 406: ...communication process using the XML API Interface is as follows An API command is issued in XML format from the server to the VC The VC processes the XML request and identifies where the client is and sends the command to the correct slave AP Once the operation is completed VC sends the XML response to the XML server Users can use the response and take appropriate action to suit their requirements...

Page 407: ...t contains the XML API command The format of the XML API request is xml scalance command XML API command options Value options options Value options scalance You can specify any of the following commands in the XML request Table 24 3 XML API Command Parameter Description user_add If the user entry is already present in the user table the command will modify the entry with the values defined in the...

Page 408: ...ser 64 character string role This option is used to change the role of an existing user This option applies to user_add and user_delete commands only 64 character string password The password of the user for authentication session_timeout The role will be changed to a pre auto role after session timeout authentication Authentication method used to authenticate the message and the sender You can ...

Page 409: ...urveillance Depending on the country of operation the service providers SPs are required to support LI in their respective networks In the United States SPs are required to ensure LI compliance based on Communications Assistance for Law Enforcement Act CALEA specifications SCALANCE W supports CALEA integration in a hierarchical and flat topology mesh AP network the wired and wireless networks Note...

Page 410: ...replicate a specific or selected client traffic and send it to a remote CALEA server Traffic Flow from AP to CALEA Server You can configure an AP to send GRE encapsulated packets to the CALEA server and replicate client traffic within the GRE tunnel Each AP sends GRE encapsulated packets only for its associated or connected clients The following figure illustrates the traffic flow from the AP to t...

Page 411: ...or corporate access When CALEA server is configured with the controller the client traffic is replicated by the slave AP and client data is encapsulated by GRE on slave and routed to the master AP The master AP sends the IPsec client traffic to the controller The controller handles the IPsec client traffic while GRE data is routed to the CALEA server The following figure illustrates the traffic fl...

Page 412: ...he replication rules persist when clients roam within the cluster Configuring an AP for CALEA Integration To enable CALEA server integration perform the following steps 1 Create a CALEA profile 2 If a replication role must be assigned through the RADIUS VSA create an access rule and assign the access rule to a WLAN SSID or wired profile 3 Verify the configuration Creating a CALEA Profile You can c...

Page 413: ...ile 3 On the Access tab select the role for which you want to create the access rule 4 Under Access Rules click New 5 In the New Rule window that is displayed select CALEA 6 Click OK 7 Create a role assignment rule if required 8 Click Finish In the CLI To create a CALEA access rule scalance config wlan access rule name scalance Access Rule name calea scalance Access Rule name end scalance commit appl...

Page 414: ...scalance config wlan ssid profile Calea Test scalance SSID Profile Calea Test enable scalance SSID Profile Calea Test index 0 scalance SSID Profile Calea Test type employee scalance SSID Profile Calea Test essid QA Calea Test scalance SSID Profile Calea Test opmode wpa2 aes scalance SSID Profile Calea Test max authentication failures 0 scalance SSID Profile Calea Test auth server server1 scalance ...

Page 415: ...t end scalance SSID Profile Calea Test commit apply To verify the configuration scalance show calea config calea ip 10 0 0 5 encapsulation type gre gre type 25944 ip mtu 150 To view the tunnel encapsulation statistics scalance show calea statistics Rt resolve fail 0 Dst resolve fail 0 Alloc failure 0 Fragged packets 0 Jumbo packets 263 Total Tx fail 0 Total Tx ok 263 ...

Page 417: ...e updates on WLAN devices by defining a minimum acceptable firmware version for each make and model of a device It remotely distributes the firmware image to the WLAN devices that require updates and it schedules the firmware updates such that updating is completed without requiring you to manually monitor the devices The following models can be used to upgrade the firmware Automatic In this model...

Page 418: ...s reduced on AP and AirWave and this assists in scaling AirWave effectively Template Based Configuration AirWave automatically creates a configuration template based on any of the existing APs and it applies that template across the network as shown in the following figure It audits every device on an ongoing basis to ensure that configurations never vary from the enterprise policies It alerts you...

Page 419: ...her devices within range The WIDS report cites the number of IDS events for devices that have experienced the most instances in the prior 24 hours and provides links to support additional analysis or configuration in response RF Visualization Support for SCALANCE W AirWave supports RF visualization for SCALANCE W The VisualRF module provides a real time picture of the actual radio environment of y...

Page 420: ...cation with AMP server instead of the PSK login When the AMP domain name is used the AP performs certificate based authentication with the AMP server The AP initiates a Secure Socket Layer SSL connection with the AirWave server The AirWave server verifies the signature and public key certificate from the AP If the signature matches the AirWave responds to the AP with the login request Configurable...

Page 421: ...or an organization Any string is acceptable Configuring AirWave Information You can configure AirWave information by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure AirWave information 1 Click the AirWave Set Up Now link of the main window The System window is displayed with the AirWave parameters on the Admin tab 2 Enter the name of your organization in the Organization name ...

Page 422: ...or option 43 are organization ams ip ams key and organization ams domain If you use the organization ams ip ams key format the PSK based authentication is used to access the AMP server If you use the organization ams domain format the AP resolves the domain name into two IP addresses AirWave Primary and AirWave Backup and then the AP starts a certificate based authentication with AMP server instea...

Page 423: ...ns in the Option class drop down list and then click Add 4 Enter the following information Name Instant Data Type String Code 60 Description InstantAP 5 Navigate to Server Manager and select Server Options in the IPv4 window This sets the value globally Use options on a per scope basis to override the global options 6 Right click Server Options and select the configuration options 7 Select 060 Aru...

Page 424: ...ust be specific to SCALANCE W and the PXE devices that use options 60 and 43 must not connect to the subnet defined by this scope This is because you can specify only one option 43 for a scope and if other devices that use option 43 connect to this subnet they are presented with the information specific to the AP 1 In Windows Server 2008 navigate to Server Manager Roles DHCP Server Domain DHCP Ser...

Page 425: ...G USB modems and the Wi Fi uplink can be used to extend the connectivity to places where an Ethernet uplink cannot be configured It also provides a reliable backup link for the Ethernet based SCALANCE W network The following figure illustrates a scenario in which the APs join the VC as slave APs through a wired or mesh Wi Fi uplink Figure 26 1 Uplink Types The following types of uplinks are suppor...

Page 426: ...PoE settings are configured PPPoE has the highest priority for the uplink connections The AP can establish a PPPoE session with a PPPoE server at the ISP and get authenticated using Password Authentication Protocol PAP or the Challenge Handshake Authentication Protocol CHAP Depending upon the request from the PPPoE server either the PAP or the CHAP credentials are used for authentication After con...

Page 427: ...nd Retype text boxes 4 Select a value from the Local interface drop down list to set a local interface for the PPPoE uplink connections The selected DHCP scope will be used as a local interface on the PPPoE interface and the Local L3 DHCP gateway IP address as its local IP address When configured the local interface acts as an unnumbered PPPoE interface and allows the entire Local L3 DHCP subnet t...

Page 428: ...scalance show pppoe config PPPoE Configuration Type Value User testUser Password 3c28ec1b82d3eef0e65371da2f39c4d49803e5b2bc88be0c Service name internet03 CHAP secret 8e87644deda9364100719e017f88ebce Unnumbered dhcp profile dhcpProfile1 To view the PPPoE status scalance show pppoe status pppoe uplink state Suppressed ...

Page 429: ...k tab 4 To configure a 3G or 4G uplink select the Country and ISP 5 Click OK 6 Reboot the AP for changes to take effect In the CLI To configure 3G 4G uplink manually scalance config cellular uplink profile scalance cellular uplink profile usb type 3G usb type scalance cellular uplink profile 4g usb type 4g usb scalance cellular uplink profile modem country country scalance cellular uplink profile ...

Page 430: ...ons can be configured only through the AP CLI To prevent any fraudulent use of 3G 4G modems connected to an AP you can enable locking of the SIM PIN of the modems When enabled if an incorrect PIN code is provided in the three consecutive attempts the SIM PIN is locked To unlock the PIN the users must use the Personal Unblocking Code PUK code provided by your ISP Note After enabling SIM PIN lock reb...

Page 431: ...The two links are mutually exclusive In the SCALANCE W UI To provision an AP with the Wi Fi uplink 1 If you are configuring a Wi Fi uplink after restoring factory settings on an AP connect the AP to an Ethernet cable to allow the AP to get the IP address Otherwise go to step 2 2 Click the System link on the SCALANCE W main window 3 In the System section click the Show advanced options link The adv...

Page 432: ... parameter to Disabled 11 Reboot the AP to apply the changes After the AP reboot the Wi Fi and mesh links are automatically enabled In the CLI To configure Wi Fi uplink on an AP scalance config wlan sta profile scalance sta uplink cipher suite clear wpa tkip psk wpa2 ccmp psk scalance sta uplink essid essid scalance sta uplink uplink band band scalance sta uplink wpa passphrase key scalance sta up...

Page 433: ...1116 2000 01 01 00 00 45 625 Global control interface tmp supp_gbl ...

Page 434: ...d as the primary uplink For example if Wi Fi sta has the highest priority it is used as the primary uplink When no uplink is enforced and preemption is enabled and if the current uplink fails the AP tries to find an available uplink based on the priority configured If current uplink is active the AP periodically tries to use a higher priority uplink and switches to the higher priority uplink even ...

Page 435: ... end scalance commit apply Setting an Ethernet uplink priority scalance uplink uplink priority ethernet port 0 1 scalance uplink end scalance commit apply 26 5 3 Enabling Uplink Preemption The following configuration conditions apply to uplink preemption Preemption can be enabled only when no uplink is enforced When preemption is disabled and the current uplink goes down the AP tries to find an av...

Page 436: ...connect to VPN The retry time depends on the fast failover configuration and the primary or backup VPN tunnel If this fails the AP waits for the VPN failover timeout and selects a different uplink such as 3G 4G or Wi Fi l If the current uplink is 3G or Wi Fi and Ethernet has a physical link the AP periodically suspends user traffic to try and connect to the VPN on the Ethernet If the AP succeeds t...

Page 437: ...uplink switching based on Internet availability perform the following steps Select Enabled from the Internet failover drop down list Specify the required values for the following parameters Max allowed test packet loss The maximum number of ICMP test packets that are allowed to be lost to determine if the AP must switch to a different uplink connection You can specify a value within the range of 1...

Page 438: ...ernet pkt send freq frequency scalance uplink end scalance commit apply 26 5 5 Viewing Uplink Status and Configuration To view the uplink status scalance show uplink status Uplink preemption enable Uplink preemption interval 600 Uplink enforce none Ethernet uplink eth0 DHCP Uplink Table Type State Priority In Use eth0 UP 2 Yes Wifi sta INIT 1 No 3G 4G INIT 3 No Internet failover enable Internet fa...

Page 439: ... Validate server NONE To view the uplink configuration in the CLI scalance show uplink config Uplink preemption enable Uplink preemption interval 600 Uplink enforce none Ethernet uplink eth0 DHCP Internet failover disable Max allowed test packet loss 10 Secs between test packets 30 VPN failover timeout secs 180 Internet check timeout secs 10 Secs between test packets 30 ...

Page 441: ...ireless Intrusion Protection and Detection Levels Configuring IDS 27 1 Detecting and Classifying Rogue APs A rogue AP is an unauthorized AP plugged into the wired side of the network An interfering AP is an AP seen in the RF environment but it is not connected to the wired network While the interfering AP can potentially cause RF interference it is not considered a direct security threat because i...

Page 442: ...ntify clients that are running on forbidden operating systems Identifying outdated operating systems Helps to locate outdated and unexpected OS in the company network Locating and patching vulnerable operating systems Assists in locating and patching specific operating system versions on the network that have known vulnerabilities thereby securing the company network OS Fingerprinting is enabled i...

Page 443: ...ction Policies Specifies the policy for detecting wireless attacks on clients Infrastructure Protection Policies Specifies the policy for protecting access points from wireless attacks Client Protection Policies Specifies the policy for protecting clients from wireless attacks Containment Methods Prevents unauthorized stations from connecting to your SCALANCE W network Each of these options contai...

Page 444: ...rge Duration High Detect AP Impersonation Detect ad hoc Networks Detect Valid SSID Misuse Detect Wireless Bridge Detect 802 11 40 MHz intolerance settings Detect Active 802 11n Greenfield Mode Detect AP Flood Attack Detect Client Flood Attack Detect Bad WEP Detect CTS Rate Anomaly Detect RTS Rate Anomaly Detect Invalid Address Combination Detect Malformed Frame HT IE Detect Malformed Frame Associa...

Page 445: ...erta Attack Detect FATA Jack Attack Detect Block ACK DOS Detect Hotspotter Attack Detect unencrypted Valid Client Detect Power Save DOS Attack High Detect EAP Rate Anomaly Detect Rate Anomaly Detect Chop Chop Attack Detect TKIP Replay Attack IDS Signature Air Jack IDS Signature ASLEAP Client Detection Policies The following levels of detection can be configured in the WIP Protection page Off Low H...

Page 446: ...ID list should be auto derived from SCALANCE W configuration Rogue Containment High Protect from ad hoc Networks Protect AP Impersonation Infrastructure Protection Policies The following table describes the detection policies that are enabled in the Client Protection Custom settings text box Protection Level Protection Policy Off All protection policies are disabled Low Protect Valid Station High ...

Page 447: ...ress that the AP provides is offset by one character from its wired MAC address Note Enable the wired containment susp l3 rogue parameter only when a specific containment is required to avoid a false alarm Wireless containment When enabled the system attempts to disconnect all clients that are connected or attempting to connect to the identified Access Point None Disables all the containment mecha...

Page 448: ...DS detect windows bridge scalance IDS signature deauth broadcast scalance IDS signature deassociation broadcast scalance IDS detect adhoc using valid ssid scalance IDS detect malformed large duration scalance IDS detect ap impersonation scalance IDS detect adhoc network scalance IDS detect valid ssid misuse scalance IDS detect wireless bridge scalance IDS detect ht 40mhz intolerance scalance IDS d...

Page 449: ...attack scalance IDS detect hotspotter attack scalance IDS detect unencrypted valid scalance IDS detect power save dos attack scalance IDS detect eap rate anomaly scalance IDS detect rate anomalies scalance IDS detect chopchop attack scalance IDS detect tkip replay attack scalance IDS signature airjack scalance IDS signature asleap scalance IDS protect ssid scalance IDS rogue containment scalance I...

Page 451: ...sh through other intermediate mesh points In a SCALANCE W mesh network the maximum hop count is two nodes point point portal and the maximum number of mesh points per mesh portal is eight Mesh APs detect the environment when they boot up locate and associate with their nearest neighbor to determine the best path to the mesh portal The 2 4 GHz radio is always used for client traffic while the 5 GH...

Page 452: ...h point provides traditional WLAN services such as client connectivity intrusion detection system IDS capabilities user role association and Quality of Service QoS for LAN to mesh communication to clients and performs mesh backhaul network connectivity Note A mesh point also supports LAN bridging You can connect any wired device to the downlink port of the mesh point In the case of single Ethernet...

Page 453: ...ry code is configured 3 Ensure that a valid SSID is configured on the AP 4 If the AP has a factory default SSID SCALANCE W SSID delete the SSID 5 If an extended SSID ESSID is enabled on the VC disable it and reboot the AP cluster 6 Disconnect the APs that you want to deploy as mesh points from the switch and place the APs at a remote location The APs come up without any wired uplink connection and...

Page 454: ...d allows client access through the port Note When using 3G uplink the wired port will be used as downlink You can configure support for wired bridging on the Enet0 port of an AP by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure Ethernet bridging 1 On the Access Points tab click the AP to modify 2 Click the edit link 3 Click the Uplink tab 4 Select Enable from the Eth0 Bridgin...

Page 455: ...ALANCE W network and continue their existing sessions Clients roaming across these networks are able to continue using their IP addresses after roaming You can configure a list of VC IP addresses across which L3 mobility is supported The Layer 3 mobility solution defines a Mobility Domain as a set of SCALANCE W networks with the same WLAN access parameters across which client roaming is supported ...

Page 456: ...CE W network to avoid duplication of broadcast traffic Separate GRE tunnels are created for each foreign AP home AP pair If a peer AP is a foreign AP for one client and a home AP for another two separate GRE tunnels are used to handle L3 roaming traffic between these APs If client subnet discovery fails on association due to some reason the foreign AP identifies its subnet when it sends out the fi...

Page 457: ... as a local client When a local client starts using the IP address L3 roaming is terminated If the client is from a foreign subnet it is identified as a foreign client When a foreign client starts using the IP address L3 roaming is set up Home Agent Load Balancing Home Agent Load Balancing is required in large networks where multiple tunnels might terminate on a single border or lobby AP and overl...

Page 458: ...displayed Figure 29 2 L3 Mobility Window 4 Select Enabled from the Home agent load balancing drop down list By default home agent load balancing is disabled 5 Click New in the Virtual Controller IP Addresses section add the IP address of a VC that is part of the mobility domain and click OK 6 Repeat Steps 2 to 5 to add the IP addresses of all VC that form the L3 mobility domain ...

Page 459: ... mask text box Enter the VLAN ID of the home network in the VLAN ID text box Enter the home VC IP address for this subnet in the Virtual controller IP text box 8 Click OK In the CLI To configure a mobility domain scalance config l3 mobility scalance L3 mobility home agent load balancing scalance L3 mobility virtual controller IP address scalance L3 mobility subnet IP address subnet mask VLAN ID vi...

Page 461: ...s and analyzes the spectrum band used by the SM s radio 2 4 GHz or 5 GHz An AP radio in hybrid AP mode continues to serve clients as an access point while it analyzes spectrum analysis data for the channel the radio uses to serve clients You can record data for both types of spectrum monitor devices However the recorded spectrum is not reported to the VC A spectrum alert is sent to the VC when a n...

Page 462: ...ox NOTE For additional details about non Wi Fi device types shown in this table see Non Wi Fi Interferer Types ID ID number assigned to the device by the spectrum monitor or hybrid AP radio Spectrum monitors and hybrid APs assign a unique spectrum ID per device type Cfreq Center frequency of the signal sent from the device Bandwidth Channel bandwidth used by the device Channels affected Radio chan...

Page 463: ...d that some of these devices may be occasionally classified as Fixed Frequency Other Frequency Hopper Cordless Base Frequency hopping cordless phone base units transmit periodic beacon like frames at all times When the handsets are not transmitting that is when there are no active phone calls the cordless base is classified as Frequency Hopper Cordless Base Frequency Hopper Cordless Network When ...

Page 464: ... in the known operating frequencies used by the Microwave ovens may be classified as a Generic Interferer Similarly wide band interfering devices may be classified as Generic Interferers Channel Details When you move the mouse over a channel the channel details or the summary of the 2 4 GHz and 5 GHz channels as detected by a spectrum monitor are displayed You can view the aggregate data for each...

Page 465: ...oise floor and interference signal levels and then calculating how strong the desired signal is above this maximum Channel Metrics The channel metrics graph displays channel quality availability and utilization metrics as seen by a spectrum monitor or hybrid AP You can view the channel utilization data based on 2 GHz and 5 GHz radio channels The percentage of each channel that is currently being u...

Page 466: ...the current noise floor and the duty cycle for non Wi Fi devices on that channel Availability The percentage of the channel currently available for use Utilization The percentage of the channel being used WiFi Util The percentage of the channel currently being used by Wi Fi devices Interference Util The percentage of the channel currently being used by non Wi Fi interference plus Wi Fi adjacent c...

Page 467: ... In the hybrid mode spectrum monitoring is performed only on the home channel In other words if the AP channel width is 80 MHz spectrum monitoring is performed for 80 MHz If the channel width is 40 spectrum monitoring is performed for 40 MHz channel In a dedicated air monitor mode APs perform spectrum monitoring on all channels You can convert APs in a SCALANCE W network to hybrid mode by using t...

Page 468: ... Click the Radio tab 4 From the Access Mode drop down list select Spectrum Monitor 5 Click OK 6 Reboot the AP for the changes to take effect 7 To enable spectrum monitoring for any other band for the 5 GHz radio Click the RF link on the SCALANCE W main window In the RF section click Show advanced options to view the Radio tab For the 5 GHz radio specify the spectrum band you want that radio to moni...

Page 469: ...el Reuse Type disable Channel Reuse Threshold 0 Background Spectrum Monitor disable 5 0 GHz Legacy Mode disable Beacon Interval 100 802 11d 802 11h disable Interference Immunity Level 2 Channel Switch Announcement Count 0 Channel Reuse Type disable Channel Reuse Threshold 0 Background Spectrum Monitor disable Standalone Spectrum Band 5ghz upper ...

Page 471: ...ollowing steps Select the Figure file option This method is only available for single class APs Select the Figure URL option Select this option to obtain an image file from a TFTP FTP or HTTP URL HTTP http IP address image file TFTP tftp IP address image file FTP ftp IP address image file 3 Clear the Reboot all APs after upgrade check box if required The Reboot all APs after upgrade check box is s...

Page 472: ...RL scalance upgrade image ftp tftp http URL To upgrade an image without rebooting the AP scalance upgrade image2 no reboot ftp tftp http URL To view the upgrade information scalance show upgrade info Figure Upgrade Progress Mac IP Address AP Class Status Figure Info Error Detail d8 c7 c8 c4 42 98 10 17 101 1 Hercules image ok image file none Auto reboot enable Use external URL disable ...

Page 473: ...nfiguration data 1 Navigate to the Maintenance Configuration page 2 Click Backup Configuration 3 Click Continue to confirm the backup The instant cfg containing the AP configuration data is saved in your local file system 4 To view the configuration that is backed up by the AP enter the following command at the command prompt scalance show backup config Restoring Configuration To restore configura...

Page 474: ...converting an AP to a Remote AP the VC sends the Remote AP convert command to all the other APs The VC along with the slave APs sets a VPN tunnel to the remote controller and downloads the firmware through FTP The VC uses IPsec to communicate to the Mobility Controller over the Internet If the AP obtains AirWave information through DHCP Option 43 and Option 60 it establishes an HTTPS connection to...

Page 475: ...ab The Convert tab contents are displayed Figure 31 1 Maintenance Convert Tab 3 Select Remote APs managed by a Mobility Controller from the drop down list 4 Enter the host name fully qualified domain name or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box Contact your local network administrator to obtain the IP address Note Ensure that the Mobility C...

Page 476: ... from the drop down list 4 Enter the host name Fully Qualified Domain Name FQDN or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box Contact your local administrator to obtain these details 5 Enter the host name Fully Qualified Domain Name FQDN or the IP address of the controller in the Hostname or IP Address of Mobility Controller text box Contact your...

Page 477: ...are displayed Figure 31 3 Stand Alone AP Conversion 3 Select Standalone AP from the drop down list 4 Select the Access Point from the Access Point to Convert drop down list 5 Click Convert Now to complete the conversion The AP now operates in the stand alone mode Converting an AP using CLI To convert an AP to a remote AP or campus AP scalance convert aos ap mode controller IP address To convert an...

Page 478: ... rear of an AP can be used to reset the AP to factory default settings To reset an AP perform the following steps 1 Turn off the AP 2 Press and hold the reset knob using a small and narrow object such as a paperclip 3 Turn on the AP without releasing the reset knob The power LED flashes within 5 seconds indicating that the reset is completed 4 Release the reset knob The AP reboots with the factory...

Page 479: ...ab Figure 31 4 Rebooting the AP 3 In the AP list select the AP that you want to reboot and click Reboot selected Access Point To reboot all the APs in the network click Reboot All 4 The Confirm Reboot for AP message is displayed Click Reboot Now to proceed The Reboot in Progress message is displayed indicating that the reboot is in progress The Reboot Successful message is displayed after the proc...

Page 481: ...nt on behalf of this user can be authenticated and if so the type of authentication protocol used This can take one of the two values MD5 HMAC MD5 96 Digest Authentication Protocol SHA HMAC SHA 96 Digest Authentication Protocol Authentication protocol password If messages sent on behalf of this user can be authenticated a private authentication key is used with the authentication protocol This is...

Page 482: ...ow that is displayed click the Monitoring tab Figure 32 1 Monitoring Tab SNMP Configuration Parameters 3 Click New under the Community Strings for SNMPv1 and SNMPv2 box 4 Enter the string in the New Community String text box 5 Click OK 6 To delete a community string select the string and click Delete Creating Community Strings for SNMPv3 Using SCALANCE W UI To create community strings for SNMPv3 1...

Page 483: ...assword text box and retype the password in the Retype text box 9 Click OK 10 To edit the details for a particular user select the user and click Edit 11 To delete a particular user select the user and click Delete Configuring SNMP Community Strings in the CLI To configure an SNMP engine ID and host scalance config snmp server engine id engine ID scalance config host ipaddr version 1 name udp port...

Page 484: ... Show advanced options Monitoring 2 Under SNMP Traps enter a name in the SNMP Engine ID text box It indicates the name of the SNMP agent on the AP The SNMPv3 agent has an engine ID that uniquely identifies the agent in the device and is unique to that internal network 3 Click New and update the following information IP Address Enter the IP Address of the new SNMP Trap receiver Version Select the S...

Page 485: ... SCALANCE W1750D UI Configuration Manual 02 2018 C79000 G8976 C451 02 485 In the CLI To configure SNMP traps scalance config snmp server host IP address version 1 version 2 version 3 name udp port port inform scalance config end scalance commit apply ...

Page 486: ...essages to the external servers by using the SCALANCE W UI or the CLI In the SCALANCE W UI To configure a Syslog server and Syslog facility levels 1 In the SCALANCE W main window click the System link 2 Click Show advanced options to display the advanced options 3 Click the Monitoring tab Figure 32 3 Syslog Server 4 In the Syslog server text box enter the IP address of the server to which you want...

Page 487: ...t connects using wrong password System Log about configuration and system status User Important logs about client User Debug Detailed logs about client debugging Wireless Log about radio The following table describes the logging levels in order of severity from the most to the least severe Logging Level Description Emergency Panic conditions that occur when the system becomes unusable Alert Any co...

Page 488: ...fig syslog server IP address To configure syslog facility levels scalance config syslog level logging level ap debug network security system user user debug wireless scalance config end scalance commit apply To view syslog logging levels scalance show syslog level Logging Level Facility Level ap debug warn network warn security warn system warn user warn user debug warn wireless error ...

Page 489: ...sing the SCALANCE W UI or the CLI In the SCALANCE W UI To configure a TFTP server 1 In the SCALANCE W main window click the System link 2 Click Show advanced options to display the advanced options 3 Click the Monitoring tab 4 Enter the IP address of the TFTP server in the TFTP Dump Server text box 5 Click OK In the CLI To configure a TFTP server scalance config tftp dump server IP address scalanc...

Page 490: ... Description AP Tech Support Dump AP Tech Support Dump Supplemental AP Provisioning Status AP 3G 4G Status AP 802 1X Statistics AP Access Rule Table AP Inbound Firewall Rules AP Active AP AirGroup Cache AP AirGroup CPPM Entries AP AirGroup CPPM Servers AP AirGroup Debug Statistics AP AirGroup Servers AP AirGroup User AP ALE Configuration AP ALE Status AP Allowed Channels AP Allowed MAX EIRP AP All...

Page 491: ...P Debug AP Log Conversion AP Log Driver AP Log Kernel AP Log Network AP Log PPPd AP Log Rapper AP Log Rapper Counter AP Log Rapper Brief AP Log Sapd Command Name show ap association show ap debug auth trace buf show auth survivability cached info show auth survivability debug log show ap bss table show captive portal domains show captive portal auto white list show ap debug client match show ap cl...

Page 492: ...AP Spectrum channel summary AP Spectrum client table AP Spectrum device duty cycle Command Name show log security show log system show log apifmgr show log upgrade show log user debug show log user show log vpn tunnel show log wireless show ap debug mgmt frames show malloc state dumps show memory show ap mesh counters show ap mesh link show ap mesh neighbours show ap monitor active laser beams sho...

Page 493: ...guration VC Uplink 3G 4G Configuration VC Uplink Management Configuration VC WISPr Configuration VC XML API Server Information VC rfc3576 radius statistics Command Name show ap spectrum device history show ap spectrum device list show ap spectrum device log show ap spectrum device summary show ap spectrum interference power show ap spectrum status show 1xcert show cert all show radseccert show cap...

Page 495: ... automatically run speed tests at specific time intervals scalance config speed test scalance speed test include reverse scalance speed test server ip server scalance speed test server port port scalance speed test protocol tcp udp scalance speed test on boot scalance speed test time interval interval scalance speed test bandwidth bandwidth scalance speed test sec to measure secs scalance speed te...

Page 496: ......

Page 497: ... frames Based on the response of the advertisement server response to the GAS Action Frames the relevant hotspot is selected and the client attempts to associate with it Based on the authentication mode used for mobility clients the client authenticates to access the network Generic Advertisement Service GAS GAS is a request response protocol that provides L2 transport mechanism between a wireless...

Page 498: ...Identifier Realm 3GPP Cellular Network Data IP Address Availability Hotspot 2 0 Query Protocol H2QP The H2QP profiles provide a range of information on Hotspot 2 0 elements such as hotspot protocol and port operating class operator names WAN status and uplink and downlink metrics Information Elements IEs and Management Frames The Hotspot 2 0 configuration supports the following IEs Interworking IE...

Page 499: ...00 G8976 C451 02 499 NAI Realm List An Network Access Identifier NAI Realm profile identifies and describes a NAI realm to which the clients can connect The NAI realm settings on an AP act as an advertisement profile to determine the NAI realm elements that must be included as part of a GAS Response frame ...

Page 500: ...rofiles The following advertisement profiles can be configured through the SCALANCE W CLI ANQP advertisement profiles NAI Realm profile Venue Name Profile Network Authentication Profile Roaming Consortium Profile 3GPP Profile IP Address availability Profile Domain Name Profile H2QP advertisement profiles Operator Friendly Name Profile Connection Capability Profile Operating Class Profile WAN Metri...

Page 501: ... time password To use Authentication with a single use password The associated numeric value is 5 generic token card To use EAP Generic Token Card EAP GTC The associated numeric value is 6 eap tls To use EAP Transport Layer Security The associated numeric value is 13 eap sim To use EAP for Global System for Mobile Communication GSM Subscriber Identity Modules SIM The associated numeric value is 18 e...

Page 502: ... numeric value is 4 eap inner auth Uses EAP inner authentication type The associated numeric value is 3 The following authentication values apply reserved The associated numeric value is 0 pap The associated numeric value is 1 chap The associated numeric value is 2 mschap The associated numeric value is 3 mschapv2 The associated numeric value is 4 exp inner eap Uses the expanded inner EAP au thent...

Page 503: ...s Table 33 2 Venue Types Authentication ID Authentication Value unspecified The associated numeric value is 0 assembly The associated numeric value is 1 unspecified The associated numeric value is 0 arena The associated numeric value is 1 stadium The associated numeric value is 2 passenger terminal The associated numeric value is 3 amphitheater The associated numeric value is 4 amusement park The ...

Page 504: ...The associated numeric value is 1 institutional The associated numeric value is 5 unspecified The associated numeric value is 0 hospital The associated numeric value is 1 long term care The associated numeric value is 2 alc drug rehab The associated numeric value is 3 group home The associated numeric value is 4 prison or jail The associated numeric value is mercantile The associated numeric value ...

Page 505: ...ring a Network Authentication Profile You can configure a network authentication profile to define the authentication type used by the hotspot network To configure a network authentication profile scalance config hotspot anqp nwk auth profile name scalance network auth name nwk auth type type scalance network auth name url URL scalance network auth name enable scalance network auth name end scalan...

Page 506: ...ecify a hexadecimal string of 3 5 octets for roam cons oi roam cons oi Based on the Organization Identifier OI specified you can specify the following parameters for the length of OI in roam cons oi len roam cons oi len For 0 0 Octets in the OI Null For 3 OI length is 24 bits 3 Octets For 5 OI length is 36 bits 5 Octets Configuring a 3GPP Profile You can configure a 3rd Generation Partnership Proj...

Page 507: ...scalance operator friendly name name op fr name op fr name scalance operator friendly name name op lang code op lang code scalance operator friendly name name enable scalance operator friendly name name end scalance commit apply Configuring a Connection Capability Profile You can configure a connection capability profile to define information such as the hotspot IP protocols and associated port nu...

Page 508: ...k status and metrics To configure a WAN metrics profile scalance config hotspot h2qp wan metrics profile name scalance WAN metrics name at capacity scalance WAN metrics name downlink load load scalance WAN metrics name downlink speed speed scalance WAN metrics name load duration duration scalance WAN metrics name symm link scalance WAN metrics name uplink load load scalance WAN metrics name uplink...

Page 509: ...alance Hotspot2 0 name comeback mode scalance Hotspot2 0 name gas comeback delay interval scalance Hotspot2 0 name group frame block scalance Hotspot2 0 name hessid hotspot essid scalance Hotspot2 0 name internet scalance Hotspot2 0 name p2p cross connect scalance Hotspot2 0 name p2p dev mgmt scalance Hotspot2 0 name pame bi scalance Hotspot2 0 name query response length limit integer scalance Hot...

Page 510: ...ed with a printer for the purpose of printing The corresponding integer value for this network type is 4 emergency services This network is limited to accessing emergency services only The corresponding integer value for this network type is 5 test This network is used for test purposes only The corresponding integer value for this network type is 14 wildcard This network indicates a wildcard netw...

Page 511: ...ue group Specify one of the following venue groups unspecified assembly business educational factory and industrial institutional mercantile outdoor residential storage utility misc vehicular By default the business venue group is used venue type Specify a venue type to be advertised in the ANQP IEs from APs associated with this hotspot profile For more information about the supported venue t...

Page 512: ...ertisement protocol Specify the advertisement protocol type for example specify the Access Network Query Protocol ANQP as anqp 33 2 4 Creating a WLAN SSID and Associating Hotspot Profile To create a WLAN SSID with Enterprise Security and WPA 2 Encryption Settings scalance config wlan ssid profile name scalance SSID Profile name essid ESSID name scalance SSID Profile name type Employee Voice Guest...

Page 513: ...figuration Manual 02 2018 C79000 G8976 C451 02 513 scalance SSID Profile name radius interim accounting interval minutes scalance SSID Profile name radius reauth interval minutes scalance SSID Profile name set role by ssid scalance SSID Profile name end scalance commit apply ...

Page 514: ...ance config hotspot anqp venue name profile vn1 scalance venue name vn1 venue group business scalance venue name vn1 venue type research and dev facility scalance venue name vn1 venue lang code eng scalance venue name vn1 venue name VenueName scalance venue name vn1 exit scalance config hotspot anqp nwk auth profile na1 scalance network auth na1 nwk auth type accept term and cond scalance network ...

Page 515: ...ort scalance connection capabilities name icmp scalance connection capabilities name tcp ftp scalance connection capabilities name tcp http scalance connection capabilities name tcp pptp vpn scalance connection capabilities name tcp ssh scalance connection capabilities name tcp tls vpn scalance connection capabilities name tcp voip scalance connection capabilities name udp ike2 scalance connection...

Page 516: ...s1 comeback mode scalance Hotspot2 0 hs1 gas comeback delay 10 scalance Hotspot2 0 hs1 no asra scalance Hotspot2 0 hs1 no internet scalance Hotspot2 0 hs1 query response length limit 20 scalance Hotspot2 0 hs1 access network type chargeable public scalance Hotspot2 0 hs1 roam cons len 1 3 scalance Hotspot2 0 hs1 roam cons oi 1 123456 scalance Hotspot2 0 hs1 roam cons len 2 3 scalance Hotspot2 0 hs...

Page 517: ...conn cap cc1 scalance Hotspot2 0 hs1 advertisement profile h2qp oper class oc1 scalance Hotspot2 0 hs1 end scalance commit apply Step 4 Associating the hotspot profile with WLAN SSID scalance configure terminal scalance wlan ssid profile ssidProfile1 scalance SSID Profile ssidProfile1 essid hsProf scalance SSID Profile ssidProfile1 type employee scalance SSID Profile ssidProfile1 vlan 200 scalance...

Page 519: ... G8976 C451 02 519 ClearPass Guest Setup 34 34 1 Configuring ClearPass Guest To configure ClearPass Guest 1 From the ClearPass Guest UI navigate to Administration AirGroup Services 2 Click Configure AirGroup Services Figure 34 1 Configure AirGroup Services ...

Page 520: ...Pass Guest Setup 34 1 Configuring ClearPass Guest SCALANCE W1750D UI 520 Configuration Manual 02 2018 C79000 G8976 C451 02 3 Click Add a new controller Figure 34 2 Add a New Controller for AirGroup Services ...

Page 521: ...e the parameters with appropriate values Note Ensure that the port configured matches the CoA port RFC 3576 set on the AP configuration Figure 34 3 Configure AirGroup Services Controller Settings 5 Click Save Configuration In order to demonstrate AirGroup either an AirGroup Administrator or an AirGroup Operator account must be created ...

Page 522: ...2 Creating AirGroup Administrator and Operator Account To create a AirGroup administrator and AirGroup operator account using the ClearPass Policy Manager UI 1 Navigate to the ClearPass Policy Manager UI and navigate to Configuration Identity Local Users Figure 34 4 Configuration Identity Local Users Selection 2 Click Add User ...

Page 523: ...1 Configuring ClearPass Guest SCALANCE W1750D UI Configuration Manual 02 2018 C79000 G8976 C451 02 523 3 Create an AirGroup Administrator by entering the required values Figure 34 5 Create an AirGroup Administrator 4 Click Add ...

Page 524: ...or Figure 34 6 Create an AirGroup Operator 6 Click Add to save the user with an AirGroup Operator role The AirGroup Administrator and AirGroup Operator IDs will be displayed in the Local Users UI screen Figure 34 7 Local Users UI Screen 7 Navigate to the ClearPass Guest UI and click Logout The ClearPass Guest Login page is displayed Use the AirGroup admin credentials to log in ...

Page 525: ...9000 G8976 C451 02 525 8 After logging in click Create Device Figure 34 8 Create a Device The Register Shared Device page is displayed Figure 34 9 ClearPass Guest Register Shared Device For this test add your AppleTV device name and MAC address but leave all other boxes empty 9 Click Register Shared Device ...

Page 526: ...t access to the AppleTV access the ClearPass Guest UI using either the AirGroup admin or the AirGroup operator credentials Next navigate to List Devices Test Apple TV Edit Add a username that is not used to log in to the Apple devices in the Shared With box 3 Disconnect and remove the OSX Mountain Lion iOS 6 device from the controller s user table Reconnect the device by not using the username tha...

Page 527: ...guration Manual 02 2018 C79000 G8976 C451 02 527 34 3 Troubleshooting Table 34 1 Troubleshooting Problem Solution Limiting devices has no effect Ensure IPv6 is disabled Apple Macintosh running Mountain Lion can use AirPlay but iOS devices cannot Ensure IPv6 is disabled ...

Page 529: ...wireless SSID configuration All these are optional In most networks a single DHCP profile and wireless SSID configuration referring to a DHCP profile is sufficient The following scenarios are described in this section Scenario 1 IPsec Single Datacenter Deployment with No Redundancy Page 530 Scenario 2 IPsec Single Datacenter with Multiple Controllers for Redundancy Page 535 Scenario 3 IPsec Multip...

Page 530: ... includes the following configuration elements 1 Single VPN primary configuration using IPsec 2 Split tunneling of client traffic 3 Split tunneling of DNS traffic from clients 4 Distributed L3 and Centralized L2 mode DHCP 5 RADIUS server within corporate network and authentication survivability for branch survivability 6 Wired and wireless users in L2 and L3 modes respectively 7 Access rules defin...

Page 531: ...yment with No Redundancy SCALANCE W1750D UI Configuration Manual 02 2018 C79000 G8976 C451 02 531 Topology The following figure shows the topology and the IP addressing scheme used in this scenario Figure 35 1 Scenario 1 IPsec Single datacenter Deployment with No Redundancy ...

Page 532: ...erprise DNS for split DNS The example in the next column uses a specific enterprise domain to only tunnel all DNS queries matching that domain to corporate scalance config internal domains scalance domains domain name corpdomain com See Configuring Enterprise Domains 4 Configure Centralized L2 and Distributed L3 with VLAN 20 and VLAN 30 respectively Centralized L2 profile scalance config ip dhcp ...

Page 533: ...profile wired port scalance wired port profile wired port switchport mode access scalance wired port profile wired port allowed vlan all scalance wired port profile wired port native vlan 20 scalance wired port profile wired port no shutdown scalance wired port profile wired port access rule name wired port scalance wired port profile wired port type employee scalance wired port profile wired port...

Page 534: ...scalance Access Rule wireless ssid rule any any match any any any permit See Configuring ACL Rules for Network Services NOTE Ensure that you execute the commit apply command in the SCALANCE W CLI before saving the configuration and propagating changes across the AP cluster AP Connected Switch Configuration Client VLANs defined in this example must be opened on the upstream switches in multiple AP ...

Page 535: ...aster standby master pair which is configured as the primary VPN IP address Tunneling of all traffic to datacenter Exception route to bypass tunneling of RADIUS and AirWave traffic which are locally reachable in the branch and the Internet respectively All client DNS queries are tunneled to the controller Distributed L3 and Centralized L2 mode DHCP on all branches L3 is used by the employee networ...

Page 536: ...ntrollers for Redundancy SCALANCE W1750D UI 536 Configuration Manual 02 2018 C79000 G8976 C451 02 Topology The following figure shows the topology and the IP addressing scheme used in this scenario Figure 35 2 Scenario 2 IPsec Single Datacenter with Multiple controllers for Redundancy ...

Page 537: ...uration Steps CLI Commands UI Procedure 1 Configure the primary host for VPN with the Public VRRP IP address of the controller scalance config vpn primary public VRRP IP of controller See Configuring an IPsec Tunnel 2 Configure routing profiles to tunnel traffic through IPsec scalance config routing profile scalance routing profile route 0 0 0 0 0 0 0 0 public VRRP IP of controller See Configuring...

Page 538: ...file l3 dhcp domain namecorpdomain com scalance DHCP Profile l3 dhcp client count 200 NOTE The IP range configuration on each branch will be the same Each AP will derive a smaller subnet based on the client count scope using the Branch ID BID allocated by controller See Configuring Centralized DHCP Scopes and Configuring Distributed DHCP Scopes 6 Create authentication servers for user authentica...

Page 539: ...onfig wlan ssid profile guest scalance SSID Profile guest enable scalance SSID Profile guest type guest scalance SSID Profile guest essid guest scalance SSID Profile guest opmode opensystem scalance SSID Profile guest vlan 20 scalance SSID Profile guest auth server server1 scalance SSID Profile guest auth server server2 scalance SSID Profile guest captive portal internal NOTE This example uses in...

Page 540: ...ion Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments as client traffic from the slave to the master is tagged with the client VLAN Datacenter Configuration For information on controller configuration see Configuring a Controller for AP VPN Operations Ensure that the upstream router is configured with a static route pointing to the controller f...

Page 541: ...ith controllers in different data centers operating as primary backup VPN with Fast Failover and preemption enabled Split tunneling of traffic Split tunneling of client DNS traffic Two Distributed L3 mode DHCPs one each for employee and contractors and one Local mode DHCP server RADIUS server within corporate network and authentication survivability enabled for branch survivability Wired and wirel...

Page 542: ...owing figure shows the topology and the IP addressing scheme used in this scenario Figure 35 3 Scenario 3 IPsec Multiple Datacenter Deployment with Primary and Backup Controllers for Redundancy The IP addressing scheme used in this example is as follows 10 0 0 0 8 is the corporate network 10 30 0 0 16 subnet is reserved for L3 mode used by Employee SSID 10 40 0 0 16 subnet is reserved for L3 mode ...

Page 543: ...Public IP address of the controller Fast Failover is enabled for fast convergence scalance config vpn primary public IP of primary controller scalance config vpn backup public IP of backup controllers scalance config vpn preemption scalance config vpn fast failover See Configuring an IPsec Tunnel 2 Configure routing profiles to tunnel traffic through IPsec scalance config routing profile scalance...

Page 544: ...ient count 200 Local profile with VLAN 20 scalance config ip dhcp local scalance DHCP profile local server type Local scalance DHCP profile local server vlan 20 scalance DHCP profile local subnet 172 16 20 1 scalance DHCP profile local subnet mask 255 255 255 0 scalance DHCP profile local lease time 86400 scalance DHCP profile local dns server 10 1 1 30 10 1 1 50 scalance DHCP profile local domain...

Page 545: ...s SSID to operate in L3 mode for employee and associate Distributed L3 mode VLAN 30 to the WLAN SSID profile scalance config wlan ssid profile wireless ssid scalance SSID Profile wireless ssid enable scalance SSID Profile wireless ssid type employee scalance SSID Profile wireless ssid essid wireless ssid scalance SSID Profile wireless ssid opmode wpa2 aes scalance SSID Profile wireless ssid vlan ...

Page 546: ...le wireless ssid contractor rule 10 16 0 0 255 255 0 0 match any any any permit scalance Access Rule wireless ssid contractor rule any any match any any any src nat See Configuring ACL Rules for Network Services NOTE Ensure that you execute the commit apply command in the SCALANCE W CLI before saving the configuration and propagating changes across the AP cluster AP Connected Switch Configuration...

Page 547: ...sing GRE Aruba GRE does not require any configuration on the Aruba Mobility Controller that acts as a GRE endpoint Manual GRE which requires GRE tunnels to be explicitly configured on the GRE endpoint that can be any device that supports GRE termination Tunneling of all traffic to datacenter Centralized L2 mode DHCP profile RADIUS server within corporate network and authentication survivability fo...

Page 548: ...yment with No Redundancy SCALANCE W1750D UI 548 Configuration Manual 02 2018 C79000 G8976 C451 02 Topology The following figure shows the topology and the IP addressing scheme used in this scenario Figure 35 4 Scenario 4 GRE Single Datacenter Deployment with No Redundancy ...

Page 549: ...ich causes each AP to form an independent GRE tunnel to the GRE end point Aruba GRE requires each AP MAC to be present in the controller whitelist Manual GRE requires GRE configuration for the IP of each AP on the controller scalance config gre per ap tunnel NOTE If VC IP is configured and per AP GRE tunnel is disabled AP uses VC IP as the GRE source IP For Manual GRE this simplifies configuratio...

Page 550: ...nce config wired port profile wired port scalance wired port profile wired port switchport mode access scalance wired port profile wired port allowed vlan all scalance wired port profile wired port native vlan 20 scalance wired port profile wired port no shutdown scalance wired port profile wired port access rule name wired port scalance wired port profile wired port type employee scalance wired p...

Page 551: ... commit apply command in the SCALANCE W CLI before saving the configuration and propagating changes across the AP cluster AP Connected Switch Configuration Client VLANs defined in this example must be opened on the upstream switches in multiple AP deployments as client traffic from the slave to the master is tagged with the client VLAN Datacenter Configuration For information on controller configu...

Page 553: ...significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at a channel width of 40 MHz 802 11n operates in the 2 4 and 5 0 bands AP An access point AP connects users to other users within the network and also can serve as the point of interconnection between the WLAN and a fixed wire network The number of access points a WLAN needs is determine...

Page 554: ...hotspot A WLAN node that provides Internet connection and virtual private network VPN access from a given location A business traveler for example with a laptop equipped for Wi Fi can look up a local hot spot contact it and get connected through its network to reach the Internet and their own company remotely with a secure connection Increasingly public places such as airports hotels and coffee sh...

Page 555: ...of a wired LAN Data encryption protects the vulnerable wireless link between clients and access points once this measure has been taken other typical LAN security mechanisms such as password protection end to end encryption virtual private networks VPNs and authentication can be put in place to ensure privacy wireless Describes telecommunications in which electromagnetic waves rather than some fo...

Page 556: ...e X Data Objects ADP Aruba Discovery Protocol AES Advanced Encryption Standard AIFSN Arbitrary Inter frame Space Number ALE Analytics and Location Engine ALG Application Level Gateway AM Air Monitor AMON Advanced Monitoring AMP AirWave Management Platform A MPDU Aggregate MAC Protocol Data Unit A MSDU Aggregate MAC Service Data Unit ANQP Access Network Query Protocol ANSI American National Standar...

Page 557: ...Customer Premises Equipment CPsec Control Plane Security CPU Central Processing Unit CRC Cyclic Redundancy Check CRL Certificate Revocation List CSA Channel Switch Announcement CSMA CA Carrier Sense Multiple Access Collision Avoidance CSR Certificate Signing Request CSV Comma Separated Values CTS Clear to Send CW Contention Window DAS Distributed Antenna System dB Decibel dBm Decibel Milliwatt DCB...

Page 558: ...unnel EAP GTC EAP Generic Token Card EAP MD5 EAP Method Digest 5 EAP MSCHAP EAP MSCHAPv2 EAP Microsoft Challenge Handshake Authentication Protocol EAPoL EAP over LAN EAPoUDP EAP over UDP EAP PEAP EAP Protected EAP EAP PWD EAP Password EAP TLS EAP Transport Layer Security EAP TTLS EAP Tunneled Transport Layer Security ECC Elliptical Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorith...

Page 559: ...col HA High Availability HMD High Mobility Device HSPA High Speed Packet Access HT High Throughput HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure IAS Internet Authentication Service ICMP Internet Control Message Protocol IdP Identity Provider IDS Intrusion Detection System IE Information Element IEEE Institute of Electrical and Electronics Engineers IGMP Internet Group M...

Page 560: ...very LMS Local Management Switch LNS L2TP Network Server LTE Long Term Evolution MAB MAC Authentication Bypass MAC Media Access Control MAM Mobile Application Management MBps Megabytes per second Mbps Megabits per second MCS Modulation and Coding Scheme MD5 Message Digest 5 MDM Mobile Device Management mDNS Multicast Domain Name System MFA Multi factor Authentication MHz Megahertz MIB Management I...

Page 561: ...te Status Protocol OFA OpenFlow Agent OFDM Orthogonal Frequency Division Multiplexing OID Object Identifier OKC Opportunistic Key Caching OS Operating System OSPF Open Shortest Path First OUI Organizationally Unique Identifier OVA Open Virtual Appliance OVF Open Virtualization Format PAC Protected Access Credential PAP Password Authentication Protocol PAPI Proprietary Access Protocol Interface PCI...

Page 562: ...PIDS Rogue Access Point and Intrusion Detection System RARP Reverse ARP REGEX Regular Expression REST Representational State Transfer RF Radio Frequency RFC Request for Comments RFID Radio Frequency Identification RIP Routing Information Protocol RRD Round Robin Database RSA Rivest Shamir Adleman RSSI Received Signal Strength Indicator RSTP Rapid Spanning Tree Protocol RTCP RTP Control Protocol RT...

Page 563: ... Protocol SNIR Signal to Noise Plus Interference Ratio SNMP Simple Network Management Protocol SNR Signal to Noise Ratio SNTP Simple Network Time Protocol SOAP Simple Object Access Protocol SoC System on a Chip SoH Statement of Health SSH Secure Shell SSID Service Set Identifier SSL Secure Sockets Layer SSO Single Sign On STBC Space Time Block Coding STM Station Management STP Spanning Tree Protoc...

Page 564: ...fier URL Uniform Resource Locator USB Universal Serial Bus UTC Coordinated Universal Time VA Virtual Appliance VBN Virtual Branch Networking VBR Virtual Beacon Report VHT Very High Throughput VIA Virtual Intranet Access VIP Virtual IP Address VLAN Virtual Local Area Network VM Virtual Machine VoIP Voice over IP VoWLAN Voice over Wireless Local Area Network VPN Virtual Private Network VRD Validated...

Page 565: ...rea Network WME Wireless Multimedia Extensions WMI Windows Management Instrumentation WMM Wi Fi Multimedia WMS WLAN Management System WPA Wi Fi Protected Access WSDL Web Service Description Language WWW World Wide Web WZC Wireless Zero Configuration XAuth Extended Authentication XML Extensible Markup Language XML RPC XML Remote Procedure Call ZTP Zero Touch Provisioning ...

Page 566: ...eed Computers or terminals set up for 802 11g can fall back to speeds of 11 Mbps so that 802 11b and 802 11g devices can be compatible within a single network 802 11n Wireless networking standard to improve network throughput over the two previous standards 802 11a and 802 11g with a significant increase in the maximum raw data rate from 54 Mbps to 600 Mbps with the use of four spatial streams at ...

Page 567: ...f spring and are adjusted backward in autumn EAP Extensible authentication protocol EAP refers to the authentication protocol in wireless networks that expands on methods used by the point to point protocol PPP a protocol often used when connecting a computer to the Internet EAP can support multiple authentication mechanisms such as token cards smart cards certificates one time passwords and publ...

Page 568: ...ices TACACS uses TCP and is not compatible with TACACS Because it encrypts password username authorization and accounting it is less vulnerable than RADIUS VPN A Virtual Private Network VPN network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization s network A VPN ensures privacy through ...

Page 569: ...road band service and allows subscriber computers called stations to access the Internet and the web from anywhere within the zone of coverage provided by the server antenna usually a region with a radius of several kilometers wireless service provider A company that offers transmission services to users of wireless devices through radio frequency RF signals rather than through end to end wire ...
