manualshive.com logo in svg

SMC Networks ELITECONNECT SMC2504W, User Manual

The SMC Networks ELITECONNECT SMC2504W is a high-performance wireless router that offers fast and reliable connectivity. Ensure optimal use by downloading the User Manual for free from manualshive.com. This comprehensive manual will guide you through setup, usage, and troubleshooting, maximizing the potential of your device.

Share
Download
background image

3-8

SMC EliteConnect WLAN Security System User Guide

Step 2.

Click 

Yes

 button to enable IPSec.

Step 3.

Enter your shared secret.
You are defining a shared secret to give to your IPSec users so that their 
IPSec client software can prove they are authorized to use an IPSec 
connection. 

Note:

The WLAN Secure Server does not support certificate-based authentication for an IPSec 
connection. For Windows 2000 users and other clients that use certificate-based 
authentication (by default) you must enable shared-secret authentication.

Step 4.

Click the appropriate type of 

Internet Key Encryption

 (IKE).

Step 5.

Click MD5 and/or SHA for 

IKE integrity

Step 6.

Click the appropriate 

IKE Diffie-Hellman

 settings. 

Step 7.

Click the appropriate setting for

 ESP Encryption

.

Step 8.

Click the appropriate setting for

 ESP Integrity.

For those IPSec clients that define both outer- and inner-tunnel IP addresses, 
specify how the inner-tunnel address is to be assigned.

Step 9.

Click 

DHCP client 

to assign the inner-tunnel IP address via an external

 

DHCP server.

Step 10.

Click 

IP Address Range 

and type the range of IP addresses to be assigned 

by the WLAN Access Manager or WLAN Secure Server.

Step 11.

Click 

Submit Changes

 to save your settings.

Summary of Contents for ELITECONNECT SMC2504W

Page 1: ...roviding network administrators full control on users access to a network based on user identification location and time Web based configuration is easy to use convenient and provides simple configura...

Page 2: ......

Page 3: ...ELITECONNECT WLAN SECURITY SYSTEM USER MANUAL From SMC s EliteConnect line of enterprise wireless LAN solutions 38 Tesla March 2002 Irvine CA 92618 Part No 01 111343 006 Phone 949 679 8000...

Page 4: ......

Page 5: ...orporated located at 38 Tesla Irvine CA 92618 SMC is a registered trademark and EliteConnect is a trademark of SMC Networks Inc Other product and company names are trademarks or registered trademarks...

Page 6: ...to SMC pursuant to any warranty Products returned to SMC should have any customer installed accessory or add on components such as expansion modules removed prior to returning the product for replace...

Page 7: ...USE PERFORMANCE FAILURE OR INTERRUPTION OF ITS PRODUCTS EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WA...

Page 8: ...quipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient the receiving antenna Increase the separation between the equipment and...

Page 9: ...work Settings 2 6 Setting the Shared Secret 2 10 Authorizing the Shared Secret on the WLAN Secure Server 2 10 Setting the Secure Server IP Address and Shared Secret 2 11 Configuring SNMP 2 11 Specifyi...

Page 10: ...the Rights Manager 6 1 Rights Manager Terminology 6 2 About the Rights Manager 6 3 Two Simple Rights Examples 6 4 Example 1 Visiting Professor 6 4 Example 2 Contractors with Extended Hours 6 4 Getting...

Page 11: ...6 47 Changing Rights Allows in Groups 6 50 Adding Rights Allows 6 50 Modifying a Rights Allow 6 53 Deleting a Rights Allow 6 53 Redirecting Packets 6 54 Creating or Modifying a Redirect 6 54 Deleting...

Page 12: ...B 12 Rights Tutorial C 1 Starting with Locations C 2 Group Editor C 4 Logon Expire Times for Groups C 5 Default Groups C 6 Logon Rights C 6 Guest Rights C 7 User Rights C 9 Required Rights C 11 Built...

Page 13: ...SNMP D 2 Supported Management Information Base Objects D 3 MIB Objects D 3 System MIB D 4 Hardware Description MIB Object D 5 Hardware Version MIB Object D 5 Software Version MIB Object D 5 Serial Nu...

Page 14: ...xiv...

Page 15: ...iate background and knowledge to complete the procedures described in this document How To Use This Document This document contains procedural information describing all configuration and management o...

Page 16: ...eboot Chapter 5 Viewing Status Information This chapter explains how to view the status of the components of the EliteConnect WLAN Security System Chapter 6 Configuring the Rights Manager This chapter...

Page 17: ...torial Appendix This appendix explains Rights Management through examples Appendix D Simple Network Management Protocol This appendix describes the Management Information Base modules used in EliteCon...

Page 18: ...x Preface...

Page 19: ...ODUCTION This chapter gives a brief description of the SMC EliteConnect WLAN Security System Solution products It consists of the following sections 1 1 Overview 1 2 1 2 The EliteConnect WLAN Security...

Page 20: ...lly customizable Rights Manager component In addition the Airwave Security feature can encrypt all client traffic using standard encryption technology including PPTP L2TP or IPSec The WLAN Security Sy...

Page 21: ...Security System consists of three logical functions WLAN Access Manager Control Server Rights Manager There are two physical components of the EliteConnect WLAN Security System The WLAN Secure Server...

Page 22: ...through the WLAN Secure Server to the WLAN Access Manager This rights package is based on the user s identity location and the time and date In addition to filtering and redirecting packets the WLAN A...

Page 23: ...by the Rights Manager to the WLAN Access Manager limits the packets allowed into the network Additionally any HTTP requests from the end user are redirected to the Rights Manager The Rights Manager s...

Page 24: ...nection to the Access Manager When a client sends a packet through the WLAN Access Manager the WLAN Access Manager rewrites the IP address field and the port number field to a value that is unique and...

Page 25: ...irectors match packets using the powerful pattern matching language introduced by the tcpdump utility program If NAT is not enabled for a set of rights then these rights should also include a filter a...

Page 26: ...1 8 Introduction internal tables and informs the Rights Manager The Rights Manager starts the linger timer If the linger timer expires the user must re authenticate...

Page 27: ...ludes the following sections 2 1 Administrative Login 2 2 2 2 Changing Your Network Configuration 2 4 2 3 Advanced Network Settings 2 6 2 4 Setting the Shared Secret 2 10 2 5 Configuring SNMP 2 11 2 6...

Page 28: ...ce through the specially recognized URL http 42 0 0 1 Note Your browser must accept cookies to log in Figure 2 1 Administrator s Login Note The text is adjusted appropriately depending on whether the...

Page 29: ...EliteConnect WLAN Security System User Manual 2 3 Figure 2 2 Main Menu for the WLAN Secure Server Figure 2 3 Main Menu for the WLAN Access Manager...

Page 30: ...installation Refer to this section if you need to change your network configuration To change your network configuration Step 1 Click Network from the Main Menu Figure 2 4 shows the Network Configura...

Page 31: ...here on the network This applies only to clients that are not using Network Address Translation NAT since a network address translated client will have its DHCP request satisfied by the WLAN Access Ma...

Page 32: ...rom a DHCP server Step 5 Choose the Netmask address from the drop down box Step 6 Type the Default Router IP address Step 7 Type the Primary DNS server IP address and if applicable the Secondary DNS s...

Page 33: ...r Bridged traffic a Click Cisco Discovery Protocol to enable CDP packets through this WLAN Secure Server or WLAN Access Manager This Layer 2 protocol is used by Cisco network hardware and software to...

Page 34: ...mory 2 the WLAN Access Manager sends a message to the Rights Manager which tells the Rights Manager that the client is no longer connected At this point the Rights Manager starts the linger timer The...

Page 35: ...IP address which the WLAN Access Manager or WLAN Secure Server passes on to an external DHCP server This DHCP request will obtain an IP address on the WLAN Access Manager or WLAN Secure Server s subn...

Page 36: ...the WLAN Access Manager to establish this trust relationship You must set this shared secret on the WLAN Secure Server that controls one or more WLAN Access Managers 2 4 1 Authorizing the Shared Secr...

Page 37: ...ver from the Main Menu of the WLAN Access Manager The Specify the Control Server screen appears as shown in Figure 2 8 Figure 2 8 Specify the Control Server Step 2 Type the Control Server IP address S...

Page 38: ...need SNMP to work with your overall network SNMP is disabled by default Click Yes to enable SNMP Step 3 Type your Community Name which is analogous to a password The default name is public SMC recomm...

Page 39: ...anager IP addresses IP addresses such as 192 168 1 1 netmask addresses such as 192 168 1 0 24 a hostname such as snmp fiesta com or a wildcard address for example 0 0 0 0 0 Note To query the SNMP agen...

Page 40: ...xample Applied Research Lab Step 7 Click Submit Changes to save your choices 2 7 Specifying Session Logging The WLAN Security System creates logs of session information known as session logs for the W...

Page 41: ...ssary for logs and for troubleshooting Accurate and synchronized time and dates across multiple systems is especially important You use the Time and Date Configuration screen to set the System timezon...

Page 42: ...rs Step 4 To configure the time manually a Click Set time manually When you click Set time now you disconnect from the NTP server b Click Set time now to set the time with the fields below Type the da...

Page 43: ...he screen for example if you click Help on the Time and Date screen a screen appears with information on setting the time and date Step 3 Review the information in the Release Notes so that you are aw...

Page 44: ...2 18 Configuring the WLAN Security System...

Page 45: ...WLAN Secure Server This VPN or Airwave security is an integrated feature of the EliteConnect WLAN Security System that creates a secure VPN tunnel to protect your information over the airwaves It incl...

Page 46: ...AN Security System can use the PPTP user authentication for its own authentication In this case the WLAN Secure Server login page is not necessary For encryption it uses either 40 bit or 128 bit MPPE...

Page 47: ...data encryption Both the IKE and ESP phases can use Data Encryption Standard DES Triple DES Blowfish or CAST encryption The secure hash used for data integrity in both the IKE and ESP phases can be e...

Page 48: ...ive performance Availability As previously mentioned the availability of a client is an important part of the selection of an algorithm to use for VPN Security Table 3 2 shows availability of PPTP L2T...

Page 49: ...nfiguring a location to use PPTP and L2TP encryption has a non obvious effect on how IP addresses are assigned at that location Normally an WLAN Access Manager provides an IP address for clients with...

Page 50: ...Click PPTP and L2TP Configuration from the Main menu The PPTP and L2TP Configuration appears as shown in Figure 3 1 Figure 3 1 PPTP and L2TP Step 2 Click Yes for Enable PPTP if appropriate Step 3 Cli...

Page 51: ...owed encryption and secure hash algorithms There is also an enable require IPSec setting on a per location basis in the Rights Manager An IPSec client negotiates with the IPSec server to set the vario...

Page 52: ...ret authentication Step 4 Click the appropriate type of Internet Key Encryption IKE Step 5 Click MD5 and or SHA for IKE integrity Step 6 Click the appropriate IKE Diffie Hellman settings Step 7 Click...

Page 53: ...hut down the WLAN Secure Servers and WLAN Access Managers It also describes how to reset the SMC WLAN Secure Server to its factory defaults It includes the following sections 4 1 Creating and Storing...

Page 54: ...ten multiple WLAN Access Managers contain nearly identical configuration and the amount of data kept in each WLAN Access Manager is small You might consider manually re entering a WLAN Access Manager...

Page 55: ...nfirm Create Backup Step 3 Click Continue with Create Backup The Starting to backup Image screen appears as shown in Figure 4 3 Figure 4 3 Starting to Backup Image It is important that you save your b...

Page 56: ...tem You cannot restore a backed up image from the WLAN Secure Server or WLAN Access Manager 4 1 2 Saving the Backup To save the back up image to your local computer Step 1 Click Save Backup as shown i...

Page 57: ...screens Figure 4 6 Save As Screen on your local computer The default backup image file name automatically appears next to File Name You can use this default or rename it Choose the folder in which yo...

Page 58: ...s as shown in Figure 4 8 Figure 4 8 Confirm Restore From File Use the Browse feature if necessary to locate the backed up image you want to restore Enter the backup image file name in the Image file t...

Page 59: ...4 3 Updating the System Software Upgrading system software is a two step process First download a new software image This new image becomes the Alternate Version Then reboot from the Alternate Version...

Page 60: ...e box that says Immediately Reboot with update when finished downloading Step 5 Enable Proxy if appropriate An FTP proxy enables you to download the new image through an enterprise firewall Step 6 If...

Page 61: ...box that says Reboot with new version when finished downloading then the download proceeds with the new software replacing the alternate version software and without rebooting The Update Software scr...

Page 62: ...tep 3 Click Shutdown and Power Off to shut down the system The Confirm System Shutdown and Power Off screen appears Click the Continue with Shutdown and Power Off to proceed with the reboot Step 4 Cli...

Page 63: ...tory Defaults Caution If you click this option you must restore all settings from a backup image that was created before the reset Step 5 Click Main Menu if you do not want to reboot or shut down Caut...

Page 64: ...4 12 Controlling the System Functions...

Page 65: ...List 5 4 5 4 Viewing Active Session Information 5 6 5 5 Viewing Log Files 5 7 5 6 Viewing Version and License Information 5 9 Note The text and the buttons are adjusted appropriately depending on whet...

Page 66: ...Filtering Information Entry Details Lines You can specify a number of entries to be displayed The default is 25 You can choose 10 25 100 1000 or unlimited Protocol Choose the protocol from the drop d...

Page 67: ...t of WLAN Access Managers Step 1 Click View WLAN Access Manager List from the Main Menu The WLAN Access Manager list appears as shown in Figure 5 2 Figure 5 2 View WLAN Access Manager List Step 2 To v...

Page 68: ...een appears as shown in Figure 5 3 Figure 5 3 View Active Clients The screen presents user name machine name IP address port number sessions and the idle time for each active session Step 2 You can fi...

Page 69: ...Number The port number of the WLAN Access Manager to which the user is connected IP Security Displays the type of tunnelling protocol used by the client none PPTP L2TP or IPSec the type of authentica...

Page 70: ...ars as shown in Figure 5 5 Figure 5 5 Active Sessions Step 2 You can filter by MAC address protocol port number and by the number of lines to be displayed Step 3 You can sort by MAC addresses The colu...

Page 71: ...ients that are currently connected or the specific client chosen by the MAC address filter Client Source Actual Source When a client sends a packet it puts its IP address in the header of packet which...

Page 72: ...Filter to view filtered results click Reset Filter to reset to the default view Step 6 Click Export Log as plain text to save the log as a plain text file on your web browser s system You might want t...

Page 73: ...w version and license information click Version and License Information from the Main Menu Table 5 4 Session Log Parameters Entry Name Definition Start Start time of session in seconds since 1 1 2000...

Page 74: ...5 10 Viewing System Status...

Page 75: ...Associated with Locations 6 6 6 5 Changing Group Properties 6 22 6 6 Adding Modifying or Deleting a User 6 34 6 7 Enforcing Authentication 6 40 6 8 Changing Rights Allows in Groups 6 50 6 9 Redirecti...

Page 76: ...ing types Guest the rights given to someone who clicks the Guest button on the logon page Implicit users the base group in which rights are allocated to all authenticated users at the specified locati...

Page 77: ...f the WLAN Secure Server that allocates rights to devices and users in the EliteConnect WLAN Security System The Rights Manager enables you to determine site policy based on location user groups times...

Page 78: ...f his rights compared to those of usual professors at this location Figure 6 2 Example 1 Visiting Professor In Figure 6 2 Professor Lupine has access to the university network for the month of January...

Page 79: ...Step 1 Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager Step 2 Press Enter Step 3 The Main Menu appears as shown in Figure 6 4 Figure 6 4 Main Menu Where...

Page 80: ...ging Rights Associated with Locations A Location is a group of Wheres and some set of rights associated with the location itself A Where is a WLAN Access Manager or a WLAN Access Manager port or a spe...

Page 81: ...is demonstrations to defend their research In this example you might want to limit access to only graduate students so that only these students can use network resources 6 4 2 Adding a Location To add...

Page 82: ...n name Step 4 Add or change the Where a Click New under Where to add a new WLAN Access Manager See Adding a WLAN Access Manager b Click Edit under Where to change the properties of an existing WLAN Ac...

Page 83: ...d but not required b Require Encryption c Require Encryption except for choose from the list of groups You can choose one or more of these groups Step 12 Click Enable PPTP L2TP Authentication This box...

Page 84: ...to enable either MS CHAP v2 or to enable MS CHAP or MS CHAP v2 Step 17 Click Update The Locations Editor now shows Music in the Location Name textbox as shown in Figure 6 9 Figure 6 9 Location Editor...

Page 85: ...a location Step 1 In the Location Manager as shown in Figure 6 7 on page 6 7 click the location name that you want to modify The Location Editor appears as shown in Figure 6 10 Figure 6 10 Location Ed...

Page 86: ...lete a location Step 1 Click a Location that you want to delete from the Location Editor as shown in Figure 6 11 Figure 6 11 Location Manager with a Location to be Deleted Step 2 Click Delete The Dele...

Page 87: ...ager if your environment has changed For example you might want to add a WLAN Access Manager to handle increased network traffic in a meeting room You might want to modify the hours that a WLAN Access...

Page 88: ...iguring the Rights Manager Figure 6 13 Location Manager Step 2 Click New Location to add a WLAN Access Manager from the Locations Manager menu The Locations Editor appears as shown in Figure 6 14 on p...

Page 89: ...EliteConnect WLAN Security System User Manual 6 15 Figure 6 14 Location Editor Step 3 Click New under Where The Where Editor appears as shown in Figure 6 15...

Page 90: ...ess Manager The WLAN Access Manager Editor appears as shown in Figure 6 16 Figure 6 16 WLAN Access Manager Editor Step 5 Type the WLAN Access Manager Name Step 6 Type the MAC address You can find the...

Page 91: ...ager The Where Editor appears with your new WLAN Access Manager as shown in Figure 6 17 Step 9 Type a name for your Where Figure 6 17 Where Editor with the New WLAN Access Manager Step 10 Click Update...

Page 92: ...6 18 Configuring the Rights Manager Figure 6 18 Location Editor with New Where Added Step 12 Click Update New Where...

Page 93: ...9 Figure 6 19 Where Editor with Graham and Geology Step 2 Click Edit The Choose a WLAN Access Manager to Edit screen appears with the list of the WLAN Access Manager at that location as shown in Figur...

Page 94: ...5 When you are done click Update The WLAN Access Manager is modified or created if you changed the WLAN Access Manager name Changing Other Where Properties You can change other Where properties as sh...

Page 95: ...te Deleting a Where To delete a Where Step 1 Click Edit under Where to select the WLAN Access Manager from the Location Editor The Choose a Where to edit screen appears as shown in Figure 6 23 Figure...

Page 96: ...hts Manager has the following standard groups Logon users are users who have not yet logged in and have not been authenticated Guest users who have guest rights allocated Normal authenticated users wi...

Page 97: ...nnect WLAN Security System User Manual 6 23 Figure 6 26 Groups Manager Step 2 Click New Group Step 3 Type the Group Name that you want to add in this example Contractors as shown in Figure 6 27 on pag...

Page 98: ...e specific times when this group is allowed access Under Valid Times click New The When Editor appears as shown in Figure 6 31 on page 6 29 Click the appropriate times these set of rights are valid or...

Page 99: ...at you want members of this group to have Match an NT Group Name Use these rights when a user logs into a Matching NT domain NAT Whether NAT addresses are enabled Static IP allowed Whether static IP a...

Page 100: ...e times when a group can access Changing the times when the group can access Changing the Allows that appear on the Group Manager screen Note If you leave When blank it is available all of the time In...

Page 101: ...EliteConnect WLAN Security System User Manual 6 27 Figure 6 29 Group Manager The Group Editor appears as shown in Figure 6 30 on page 6 28...

Page 102: ...6 28 Configuring the Rights Manager Figure 6 30 Group Editor Step 2 Click New under Valid Times The When Editor appears as shown in Figure 6 31 on page 6 29...

Page 103: ...tes or a specific range of dates You might have a visitor for example who is with you for the month of January so you could click from January 1 through January 31 b You might want to choose specific...

Page 104: ...ons to change schedules might include a change in schedule that requires more hours for a particular group a visiting colleague who needs access to the network only for a week or month To change the t...

Page 105: ...ew valid times either a range of dates days or times Step 5 Click Update Modifying the Group Allows Column You can modify the Group Allows Column so that you see a subset of the Allows To change which...

Page 106: ...6 35 Figure 6 35 Group Allow Column Modifier Use the Group Allow Column Modifier to include or exclude any Allows in the Groups Manager To choose the columns to display choose one of the following opt...

Page 107: ...ows respectively When you are done click Update The Groups Manager appears with the columns you have selected 6 5 3 Deleting a Group To delete a group Step 1 Click Groups The Group Manager screen appe...

Page 108: ...ager It also explains how to add a specific MAC address as a user Users can belong to one or more groups or to no group User can also be a member of a group of one user which gives that user a unique...

Page 109: ...6 5 1 Adding a New Group 6 22 if you need to add a new group Step 5 If you use the Built in authentication service you might need to type a password If you use LDAP RADIUS or Kerberos authentication...

Page 110: ...click the user you want to modify The User Editor appears as shown in Figure 6 41 on page 6 36 Figure 6 41 Modifying a User s Characteristic Step 2 Make the changes that you require in the User Editor...

Page 111: ...lete Step 2 The User Editor screen appears as shown in Figure 6 43 with the name of the user you selected Figure 6 43 User Editor With User Selected Step 3 To delete this user click Delete The Delete...

Page 112: ...MAC address as a user Typical applications for this feature include an Access Point a server running without user intervention a wireless device without SSL capability or a specific user who does not...

Page 113: ...address in the User Name text box as shown in Figure 6 46 Step 3 Click the This user is a MAC address user check box Figure 6 46 User Editor with MAC Address for User Name Step 4 Click Update The User...

Page 114: ...ntication SMC uses the following authentication services Built in the default service created by SMC LDAP RADIUS Kerberos The Built in service is available if you choose not use the other authenticati...

Page 115: ...r Manager Screen If you are choosing an Authentication service for the first time you see the Built in method screen as shown in Figure 6 49 on page 6 41 If you have previously chosen an Authenticatio...

Page 116: ...Location Editor to enable watching for 802 1x logons If you enable 802 1x logons use these fields to specify the 802 1x RADIUS server Step 4 Type the port number The default port number is 1812 Step 5...

Page 117: ...r running the LDAP service Username field Field to use to retrieve the Username Port Port for LDAP typically 389 Timeout Authentication timeout period Base DN The suffix for LDAP Group Field Group fie...

Page 118: ...hentication screen appears as shown in Figure 6 52 on page 6 45 Table 6 3 RADIUS Authentication Options Entry Explanation Name User name Server FQDN of the server running RADIUS Port Port for RADIUS t...

Page 119: ...does not work properly A description of the Kerberos fields is given in Table 6 4 Note The Kerberos protocol is designed to operate across organizational boundaries Each organization wishing to run a...

Page 120: ...on screen appears as shown in Figure 6 53 Figure 6 53 Advanced Authentication Screen Use Advanced Authentication when you want multiple authentication realms or when you want default realms to support...

Page 121: ...realm for PPTP authentication if appropriate Step 5 Use the move arrows or to choose the methods you want into the Use these methods box The methods that appear are based on authentication services th...

Page 122: ...ealm you want to modify from the Realm Editor screen as shown in Figure 6 54 Figure 6 55 Choose a Realm to Modify The Realm Editor screen appears as shown in Figure 6 56 on page 6 48 Figure 6 56 Editi...

Page 123: ...ethods you want into the Use these methods box The methods that appear are based on authentication services that you previously selected Step 5 Choose Edit a method to choose another method The system...

Page 124: ...he Groups Manager screen appears as shown in Figure 6 57 Figure 6 57 Groups Manager Screen Step 2 The Groups Manager shows the Allows for each group The Groups are color coded as shown in Table 6 5 St...

Page 125: ...EliteConnect WLAN Security System User Manual 6 51 Figure 6 58 Allow Editor Step 4 Type the Allow Name as shown in Figure 6 59 Figure 6 59 Typing New Allow Name...

Page 126: ...ights Manager Step 5 Click Update The Allow Editor appears as shown in Figure 6 60 Figure 6 60 New Allow Added to Groups Manager Step 6 If you click Advanced in Figure 6 59 the Filter screen appears a...

Page 127: ...roup intersection in the Groups Manager as shown in Figure 6 57 on page 6 50 Then click Update Step 2 To modify the Protocol Port and Address click the Allow in the Groups Manager and change these par...

Page 128: ...edirected to the enterprise DNS server rather than the one that was originally specified Redirects can include Original protocol Original port Original address Redirect port Redirect IP address Redire...

Page 129: ...EliteConnect WLAN Security System User Manual 6 55 Figure 6 63 Selecting a Group from the Groups Manager Screen Select Contractors for Redirects...

Page 130: ...the group given under Group Name as shown in Figure 6 64 Figure 6 64 Group Editor Screen With Group Selected Step 2 Under Redirects click New if you want to create a redirect or Click Edit if you want...

Page 131: ...ect to edit from the drop down list The Redirect Editor appears as shown in Figure 6 66 Figure 6 66 Redirect Editor Step 4 Select the Protocol and the address to which you want packets redirected Then...

Page 132: ...as shown in Figure 6 64 on page 6 56 select the redirect you want to delete under the proper group Click Edit The Redirect Editor appears as shown in Figure 6 65 on page 6 57 Step 2 Select the Redire...

Page 133: ...ts To change Allow Rights Step 1 From the Group Editor click Edit under Allow to change the type of Allows rights for a group Figure 6 69 Allow Editor Step 2 Type the Allow Name Step 3 Choose the Prot...

Page 134: ...anager Figure 6 70 Advanced Allow Step 6 Click Update Changing a Group s Redirect Rights To change a group s Redirect rights Step 1 Click New Redirect to change Redirect rights The Redirect Editor app...

Page 135: ...ct Editor Step 2 Type the Redirect Name Step 3 Choose the Protocol Port or Address you want redirected Step 4 Choose the address or an address and port to which you want the Redirect packets sent Step...

Page 136: ...6 62 Configuring the Rights Manager Figure 6 72 Filter Redirect Editor Step 6 Click Update...

Page 137: ...any Rights Manager screen click Debug as shown in Figure 6 73 Figure 6 73 Rights Manager Screen The Rights Debugger appears as shown in Figure 6 74 Figure 6 74 Rights Debugger Step 2 Select either th...

Page 138: ...p 4 Click Done when you are finished viewing the rights When simulating the rights for an LDAP or RADIUS user use the Everyone Else user from the drop down list This is an incomplete simulation becaus...

Page 139: ...EliteConnect WLAN Security System User Manual 6 65 Figure 6 76 Selecting Guest User at Location Everywhere Else Step 6 Click Show Me and the Rights for Guests screen appears as shown in Figure 6 77...

Page 140: ...6 66 Configuring the Rights Manager Figure 6 77 Rights for Guest Step 7 When you have finished click Done...

Page 141: ...ck Logs The Rights Manager Logs Viewer appears as shown in Figure 6 78 Step 2 Click the option under Logs Configuration a Click Log failed Logon attempts to track this activity b Click Log successful...

Page 142: ...choose Alert Critical Informational Warning Error or Debug Click Within to choose the time period to display You can choose the last hour day week or unlimited Click Update Click Clear Log to empty t...

Page 143: ...ghts Step 1 Look at Export Image created month date time year If the image that was created at the time listed is suitable you can export it If you need a more recent export image create one See Creat...

Page 144: ...ding the XML Schema To download the XML schema Step 1 Click Schema to download the current XML schema The schema is a text file that you can view with any text editor Step 2 You see export xsd in the...

Page 145: ...to the appropriate node of a large network Different locations at the site might have their own authentication scheme which must be indicated on the logon screen 6 13 1 Customizing the Logon Screen T...

Page 146: ...Browse to locate the proper directory and file name c Click Update Step 6 To update the text for the logon screen a type the name of a text or HTML file that contains the text or HTML source you want...

Page 147: ...fficial signed and trusted SSL certificate users accessing the logon screen receive a message warning of an untrusted certificate Replacing the default SSL certificate with one signed by an external s...

Page 148: ...ith the information you entered and the Certificate Signing Request as shown in Figure 6 86 on page 6 74 Figure 6 86 Upload SSL Certificate You use this certificate signing request either to request a...

Page 149: ...use the CSR to generate your own self signed certificate Step 4 Type the filename of the certificate you received from the certificate authority the one you generated Step 5 Click Upload Certificate N...

Page 150: ...6 76 Configuring the Rights Manager...

Page 151: ...dst Examples are src foo dst net 128 3 src or dst port ftp data If there is no dir qualifier src or dst is assumed For null link layers i e point to point protocols such as slip the inbound and outbo...

Page 152: ...number of net net net mask mask True if the IP address matches net with the specific netmask Can be qualified with src or dst net net len True if the address matches net a netmask len bits wide Can b...

Page 153: ...onal This is shorthand for ether 0 1 0 ip multicast True if the packet is an IP multicast packet ether proto protocol True if the packet is of ether type protocol Protocol can be a number or one of th...

Page 154: ...ghest precedence Alternation and concatenation have equal precedence and associate left to right Note that explicit and tokens not juxtaposition are now required for concatenation If an identifier is...

Page 155: ...owing categories B 1 Syntax for Command Line Interface B 2 B 2 CLI Help Commands B 2 B 3 CLI Access Control Commands B 2 B 4 Diagnostic Commands B 3 B 5 System Status Commands B 4 B 6 Diagnostic Log C...

Page 156: ...e brackets that are separated by the pipe symbol You can also specify no option Parentheses indicate that you must choose one option for example show clients mac mac address sort mac ip user machine p...

Page 157: ...Translates to nslookup timeout 10 hostname ping ip address hostname Ping an IP address or a hostname Translates to ping c 3 ip address or ping c 3 hostname debug ip interface Show IP traffic on an int...

Page 158: ...ess hostname hops probes probewait Displays the traceroute for an IP address or hostname Translates to traceroute n m hops q probes w probewait ip address or traceroute n m hops q probes w probewait h...

Page 159: ...upgrade downgrade or same version of the software if one exists on the system B 6 Diagnostic Log Commands show logs severity max lines for count time units reverse Display entries in the error log cle...

Page 160: ...ess to display Format xx xx xx xx xx xx logoff client all mac mac address Log off a client or all clients mac address MAC Ethernet address to log off Format xx xx xx xx xx xx B 8 System Configuration...

Page 161: ...ternate versions is specified it must match the type of alternate version installed on the system See the show version command shutdown Shuts down the system url The URL encoded location of the softwa...

Page 162: ...ip address ip address Set the IP addresses of the DNS servers clear dns Clear the IP addresses of the DNS servers set sharedsecret secret secret Set the Access Manager or Control Server shared secret...

Page 163: ...ess and netmask for the specified port clear portip port Clear the IP address and netmask for the specified port show portip Display the current IP address and netmask settings for all ports B 8 4 Acc...

Page 164: ...Sec shared secret Prompts for the secret if not entered on the command line show ipsec This command shows PPTP and L2TP settings set ipsec on off Enable or disable IPSec clear ipsecsecret If IPSec is...

Page 165: ...ip address hostname ip address hostname Set the NTP servers IP address or hostnames Hostnames must be fully qualified if specified clear ntpserver Clear the NTP servers IP address or hostnames This c...

Page 166: ...ieved backup cancel backup Cancel a running store backup or get backup task show backup Display information about the list of local backup and the status of a running store backup or get backup task B...

Page 167: ...all of them set snmplocation location Sets the SNMP sysLocation object defined in RFC 1213 as the physical location of this node for example telephone closet 3rd floor clear snmplocation Clears the S...

Page 168: ...B 14 Command Line Interface...

Page 169: ...in Chapter 6 Please read it before reading this chapter This appendix covers the following topics C 1 Starting with Locations C 2 C 2 Group Editor C 4 C 3 Built in Users C 11 C 4 Example 1 Rights Debu...

Page 170: ...best place to start is the Location editor Step 2 Click Locations The Locations Manager appears as shown in Figure C 1 Figure C 1 Location Manager Notice there is a location called Everywhere Else Th...

Page 171: ...yet answer the When question We have not yet specified any times that groups can access the network from this location This particular location is always valid The WLAN Security System also associates...

Page 172: ...ded out to a client who appears at this location but has not yet logged on as a user or a guest Guest None or only one This group defines what rights are handed out to a client at this location who lo...

Page 173: ...st of Logon Guest User or Normal groups for use in the Location Editor See Section C 2 2 Default Groups for more information Note Normal groups are the only ones that users can join A user can not bel...

Page 174: ...s see Configuring the Rights Manager and Redirecting Packets C 2 3 Logon Rights Table C 3 describes Logon rights and Redirects Table C 3 Default Allows and Redirects Table C 2 Default Allows and Redir...

Page 175: ...address 42 0 0 1 As a new client you have Logon rights If you take a detailed look at this Redirect you will see it actually redirects to port 82 This is because our web server will internally redire...

Page 176: ...is on the INTRANET network This is defined by the settings in the Network configuration web page Logon page shortcut is a redirect that allows the client to access the web through http 1 1 1 1 and get...

Page 177: ...9 SSL Stop page and Stop page allow access to port 81 and port 446 which are used to display the stop page once a client is redirected to it See Customizing the Logon Screen for more information C 2 5...

Page 178: ...C 10 Rights Tutorial Figure C 5 User Rights shown in the Rights Debugger In this example All IP allows access to all network traffic DNS redirect and Logon page shortcut are the same as above...

Page 179: ...S Logon page See Configuring the Rights Manager for more information C 3 Built in Users Let s look at the User Editor Step 1 Click Users Step 2 Click New User The User Editor screen appears as shown i...

Page 180: ...e authentication procedure is explained in the Rights Management chapter In order for the rights to be allocated you must meet the who when and where criteria Who is the authentication via the built i...

Page 181: ...ceive rights Location There is a drop down list containing all locations that have been created and the pre existing Everywhere Else location When there is a section that allows you to specify either...

Page 182: ...C 14 Rights Tutorial Figure C 8 Rights for Guest Table C 4 explains the Rights Debugger...

Page 183: ...that based on the location the Guest group is allowed so we keep this group and its expire time Allows HTTPS Logon page DHCP Outside World SSL Stop page HTTP logon redirector tells us that given the...

Page 184: ...ort ip_redirect ip_redirect match tcp dst port 80 and not dst host 42 0 0 1 match ip 192 168 10 86 ip port 82 port ip_redirect ip_redirect match tcp dst port 443 and not dst host 42 0 0 1 match ip 192...

Page 185: ...complicated situation C 5 Example 2 Allowed User Groups Step 1 Add a group called Example group 1 Step 2 Make it as follows a Normal group NAT Linger 60 seconds Expire 10000 seconds Allow DHCP DNS re...

Page 186: ...d Example group 2 following the procedure in the Rights Management chapter Step 4 Make it as follows a Normal group Linger 0 Expire NEVER Allow All IP traffic DNS redirect HTTP logon redirect HTTPS lo...

Page 187: ...e Group 2 Step 5 Click New User in the User Manager The User Editor screen appears as shown in Figure C 11 Step 6 Add user Fred and make Fred a member of both Example Group 1 and Example Group 2 A pas...

Page 188: ...ts Tutorial Figure C 11 User Editor for Fred Step 8 After adding user Fred go back to the Rights Debugger as shown in Figure C 7 and select Fred at location Everywhere Else at time Now as shown in Fig...

Page 189: ...EliteConnect WLAN Security System User Manual C 21 Figure C 12 Rights Debugger for Fred...

Page 190: ...two example groups This happened because although Fred is a member of the two example groups the location did not allow those groups So the rest of the information corresponds to the Allows Redirects...

Page 191: ...10 Click Debug The Rights Debugger appears as shown in Figure C 14 Figure C 14 Rights Debugger after Allowing Groups The first three lines are the same as before but now Final Group Expire contains th...

Page 192: ...WLAN Access Manager receives these rights the WLAN Access Manager will request new rights from the Rights Manager If these groups location haven t changed then the same rights package will be sent to...

Page 193: ...n that Everywhere Else did not have It has a list of Wheres blank list at the moment in which you will choose a location At least one Where must be chosen from this list so that we know the Where to w...

Page 194: ...te a new WLAN Access Manager a To create a WLAN Access Manager we need to know the MAC address of the WLAN Access Manager we want to specify To find out the MAC address go to the WLAN Access Manager w...

Page 195: ...each WLAN Access Manager UI is the WLAN Access Manager s MAC address You can also create a dummy MAC address by typing in 12 hexidecimal digits in the MAC address field Step 5 Click Update to return...

Page 196: ...they will end up with Logon rights again This is an interesting concept Rather than a client receiving no rights at all the system tries to hand out logon rights again This is why you must specify a L...

Page 197: ...ng No rights at all translates at the WLAN Access Manager to NAT true and no other traffic allowed But they can t use DHCP since no traffic at all is allowed They won t be able to get a logon page or...

Page 198: ...group with the same Allows and Redirects as the User group we started editing See Figure C 20 Figure C 20 Group Editor Step 3 Now create a new location that uses this group and does not use any other...

Page 199: ...user who shows up on this WLAN Access Manager on port 1 is associated with this location Where before they associate with the other where The more specific interface always overrides the more general...

Page 200: ...c MAC address to access the net without logging on This could be because it is a server of some sort that runs without a user intervention a wireless device that does not have SSL capability or a spec...

Page 201: ...nual C 33 Figure C 23 User Editor However when we look at the rights as specified by the debugger the MAC address user will get User rights instead of Logon rights even though the MAC address has not...

Page 202: ...er for MAC User Thus for known MAC addresses you can skip the logon process completely Also if you wanted to give the MAC address user special rights that the implicit User group does not have you cou...

Page 203: ...s in question is explicitly denied Then add a group that specifically gets access to that machine and add users to that group So let s decide that the traffic we want to disallow is to the specific su...

Page 204: ...addresses except for the one specified as shown in Figure C 26 Figure C 26 Allow Editor Step 6 Click Update to add this Allow to the list of Allows Step 7 Click Cancel from the Edit Selector as shown...

Page 205: ...Getting Access to the Subnet Now let s create a group that gets access to part of this subnet Step 1 Click New Group to add a group of type Normal Step 2 Name it Allow192 168 1 Step 3 Click New under...

Page 206: ...C 38 Rights Tutorial Figure C 29 Allow Editor Step 5 Click Update to create this Allow Step 6 Return to the Groups Manager Step 7 Select this Allow in our new group as shown in Figure C 30...

Page 207: ...EliteConnect WLAN Security System User Manual C 39 Figure C 30 Group Editor with new Allows Step 8 Click Update Step 9 Create another group using the Allow 192 168 2 0 24 as shown in Figure C 31...

Page 208: ...C 40 Rights Tutorial Figure C 31 Allow Editor Step 10 Click Update The Group Editor shows this added as an Allow as shown in Figure C 32...

Page 209: ...ser Manual C 41 Figure C 32 Group Editor C 11 3 Adding Users Now let s create a couple users who take advantage of these groups Step 1 Create a new user Harry as a subnet 1 user as shown in Figure C 3...

Page 210: ...k C 11 4 Creating a Location Now let s create a location that takes advantage of this Step 1 Create a new location See this procedure the Rights Management chapter Step 2 Then in the Location Editor a...

Page 211: ...et User and the normal groups 192 168 1 and 192 168 2 and the Subnet Where location as shown in Figure C 36 Figure C 36 Location Editor Now let s see how our two users differ in the Rights Debugger St...

Page 212: ...y Notice 192 168 1 0 24 is allowed so this user gets explicit use of the 1 subnet Also anything except 192 168 0 0 16 is allowed so all other traffic will be let through Step 7 Display the rights for...

Page 213: ...xample I used all ports but you could get more restrictive and only handout specific ports if necessary Also in your particular network you might want to use group names like Accounting or Engineering...

Page 214: ...Figure C 40 shows the Locations Manager screen with the location Subnet Location and the groups that are valid at this location As expected the groups valid at this location are Logon Subnet User and...

Page 215: ...r is how to block a well known streaming port in a public Access Point Let s take Gnutella s default port 6346 as an example Step 1 Modify our default Guest group so that Guests can t use this port St...

Page 216: ...C 48 Rights Tutorial Figure C 41 Redirect Editor This closes the 6346 port to everyone who uses this group Step 4 Select this Redirect in the Guest group and click Update as shown in Figure C 42...

Page 217: ...d start by allowing nothing and then add more allows as your users demand more services This can also be achieved by setting up the Guest and User groups Start by deselecting all Allows for these grou...

Page 218: ...ault set of Redirects includes a redirect for SOCKS proxy It is not selected by default but if you have a SOCKS proxy then your users need this to access the network See the Redirect section in the Ri...

Page 219: ...ow Also you probably want to allow conference attendees to get access through their own laptops Let s say you have 50 public access kiosks and it takes 40 Access Points for you to cover the entire sho...

Page 220: ...n The problem with the Wheres we ve seen so far is they are based on WLAN Access Manager port Since there are only 40 access points and 50 public kiosks you don t have enough access points to dedicate...

Page 221: ...tor Step 3 Enter the Location Name in this case Public Kiosks Step 4 We also need a new Where so click New under the list of Wheres and enter the name Kiosk1 Step 5 Also click the Client MAC address r...

Page 222: ...his Where If this was really for a conference we would only want this kiosk to be valid during the show so let s create a When for the show Step 7 Click New under the list of Whens Step 8 Set up the w...

Page 223: ...up s users will get at this location Step 11 Name the group 20 Minute User make the group an implicit user s group only valid during show hours Step 12 Select the allows DHCP HTTPS logon page outside...

Page 224: ...ding 20 Minute User Step 14 Click Update to create this group and go back to the Location Editor Step 15 Select the Where as Kiosk 1 the When as Show hours the Logon group Logon and the User group 20...

Page 225: ...Step 16 Click Update to create this location Now you have created the Location Public Kiosks with different rights from the rest of the network based on the fact that the users are logging in at a spe...

Page 226: ...ant part of this example is that you have created a new location that is expandable on a kiosk by kiosk basis It does not cost you anymore in WLAN Access Manager ports because it uses existing coverag...

Page 227: ...SMC implementation of Simple Network Management Protocol The sections include D 1 Introduction to WLAN Security System SNMP D 2 D 2 Supported Management Information Base Objects D 3 All the MIB v2 obj...

Page 228: ...al aspects associated with the device including fan status interface status and temperature subject to hardware and operating system support Receive asynchronous notifications when important events oc...

Page 229: ...re D 2 1 MIB Objects Base MIB Module Object SMCNETWORKS BASE MIB DEFINITIONS BEGIN IMPORTS MODULE IDENTITY FROM SNMPv2 SMI enterprises FROM RFC1155 SMI smcNetworks MODULE IDENTITY LAST UPDATED 0202270...

Page 230: ...Manager smc2502w OBJECT IDENTIFIER smcNetworksProduct 2 END D 2 2 System MIB SMCNETWORKS SYSTEM MIB DEFINITIONS BEGIN IMPORTS MODULE IDENTITY OBJECT TYPE Gauge32 NOTIFICATION TYPE Unsigned32 Integer3...

Page 231: ...the HW product smcNetworksSysMib 1 D 2 4 Hardware Version MIB Object smcProductHWVersion OBJECT TYPE SYNTAX OCTET STRING MAX ACCESS read only STATUS current DESCRIPTION HW version of the product smcN...

Page 232: ...he power supply smcNetworksSysMib 7 Chassis Temperature MIB Object smcChassisTemperature OBJECT TYPE SYNTAX OCTET STRING MAX ACCESS read only STATUS current DESCRIPTION Current temperature in degrees...

Page 233: ...STATUS current DESCRIPTION Operational status of a cooling fan smcFanStatusEntry 2 Fan Speed MIB smcFanSpeed OBJECT TYPE SYNTAX INTEGER32 MAX ACCESS read only STATUS current DESCRIPTION Speed of the f...

Page 234: ...ICATION TYPE OBJECTS smcCpuTemperature STATUS current DESCRIPTION A temperatureAlarm signifies that the SNMP entity acting in an agent role has detected that the smcCpuTemperature has a value that exc...

Page 235: ...ming handoff Expire time a timer that determines how long before a a user must re authenticate Everywhere else the Rights Manager location that a client belongs to if it does not associate with any ot...

Page 236: ...nt packets Rights Manager the SMC component that allocates rights or access privileges for locations groups and users The Rights Manager also authenticates clients Roaming the act of moving from one w...

Page 237: ...face 2 1 Configuring the Date and Time 2 15 Configuring the time and date 2 15 Control Server 1 4 Creating or Modifying a Redirect 6 54 D Debug 6 63 Default Groups C 6 Delete a location 6 12 Deleting...

Page 238: ...15 C 24 Linger seconds 6 3 1 1 Location delete 6 12 modify 6 11 Location Editor 6 11 C 52 C 56 Location Expire C 15 Location Manager C 46 Locations Manager 6 10 C 52 Login Screen 2 2 Logon C 56 Logon...

Page 239: ...red Secret 6 9 Shared secret 3 8 Show Me C 13 Simple Network Management Protocol SNMP D 1 SMB C 7 SMTP C 49 SNMP objects D 1 SNMP port 2 12 SNMP traps 2 12 SOCKS C 50 C 51 Specifying location descript...

Page 240: ...X 4 Index...

Page 241: ...2 739 12 33 Fax 39 02 739 14 17 Benelux 31 33 455 72 88 Fax 31 33 455 73 30 Central Europe 49 0 89 92861 0 Fax 49 0 89 92861 230 Switzerland 41 0 1 9409971 Fax 41 0 1 9409972 Nordic 46 0 868 70700 Fax...

Page 242: ...ii...

Reviews:

No comments

Related manuals for ELITECONNECT SMC2504W

GajShield GS15nu Quick Start Manual preview
GS15nu
Brand: GajShield Pages: 12
Fortinet FortiGate FortiGate-5001SX Security System Manual preview
FortiGate FortiGate-5001SX
Brand: Fortinet Pages: 36
Silicon Graphics Gauntlet Administrator'S Manual preview
Gauntlet
Brand: Silicon Graphics Pages: 306
Nexcom vDNA 1160 User Manual preview
vDNA 1160
Brand: Nexcom Pages: 81
Nexcom NSA 5150 User Manual preview
NSA 5150
Brand: Nexcom Pages: 84
Draytek Vigor2850 Series User Manual preview
Vigor2850 Series
Brand: Draytek Pages: 387
Dell TZ 105 Specifications preview
TZ 105
Brand: Dell Pages: 8
Barracuda CloudGen F400 C Standard Model Quick Start Manual preview
CloudGen F400 C Standard Model
Brand: Barracuda Pages: 7
Blue Coat SG210 series Installation Manual preview
SG210 series
Brand: Blue Coat Pages: 54
Blue Coat SG200 200 A Installation Manual preview
SG200 200 A
Brand: Blue Coat Pages: 60
Blue Coat ProxySG SG900-10 Maintenance And Upgrade Manual preview
ProxySG SG900-10
Brand: Blue Coat Pages: 104
Blue Coat SG810 series Installation Manual preview
SG810 series
Brand: Blue Coat Pages: 110

Brands by name

Popular brands

Load more brands