manualshive.com logo in svg

Xirrus XR Series, User Manual

The Bourgault XR Series is a cutting-edge agricultural machinery that ensures superior efficiency and productivity in the field. To get started swiftly and make the most of this exceptional product, simply visit our website and download the free Quick Start Manual or user manual available.

Share
Download
background image

Wireless Access Point

597

The pci-audit command checks items such as: 

Telnet is disabled.

Admin RADIUS is enabled (admin login authentication is via RADIUS 
server).

An external Syslog server is in use. 

All SSIDs must set encryption to WPA or better (which also enforces 
802.1x authentication)

Sample output from this command is shown below. 

Figure 228. Sample output of pci-audit command

Additional Resources 

PCI Security Standards Web site: 

www.pcisecuritystandards.org

List of Qualified PCI Security Assessors: 

www.pcisecuritystandards.org/

pdfs/pci_qsa_list.pdf

SS-AP(config)# pci-audit

PCI audit failure: telnet enabled.

PCI audit failure: admin RADIUS authentication disabled.

PCI audit failure: SSID ssid2 encryption too weak.

PCI audit failure: SSID ssid3 encryption too weak.

PCI audit failure: SSID ssid4 encryption too weak.

PCI audit failure: SSID ssid5 encryption too weak.

PCI audit failure: SSID ssid6 encryption too weak.

Summary of Contents for XR Series

Page 1: ...August 11 2015 Release 7 5 Wireless Access Point User s Guide ...

Page 2: ......

Page 3: ...s reserved This document may not be reproduced or disclosed in whole or in part by any means without the written consent of Xirrus Inc Part Number 800 0022 001 Revision R Wireless Access Points XR and XD Series ...

Page 4: ...tive holders Please see Legal Notices Warnings Compliance Statements and Warranty and License Agreements in Notices XR 1000 to XR 6000 Indoor Models on page 563 Xirrus Inc 2101 Corporate Center Drive Thousand Oaks CA 91320 USA Tel 1 805 262 1600 1 800 947 7871 Toll Free in the US Fax 1 866 462 3980 www xirrus com ...

Page 5: ...ies 2 and 4 Radio High Density Access Points 10 XR 2005 Series 2 and 4 Radio Access Points 11 XR 4006 Series 4 to 8 Radio High Density Access Points 12 XR 4000 Series 4 to 8 Radio High Density Access Points not ending in 6 13 XR 6000 Series 8 to 16 Radio High Density Access Points 14 Enterprise Class Security 14 Deployment Flexibility 15 Power over Ethernet POE 16 Enterprise Class Management 16 Ke...

Page 6: ...ments 31 Planning Your Installation 32 General Deployment Considerations 32 Coverage and Capacity Planning 34 Placement 34 RF Patterns 35 Capacity and Cell Sizes 36 Fine Tuning Cell Sizes 37 Roaming Considerations 39 Allocating Channels 39 Other Factors Affecting Throughput 41 About IEEE 802 11ac 42 Up to Eight Simultaneous Data Streams Spatial Multiplexing 44 MIMO Multiple In Multiple Out 44 MU M...

Page 7: ...ing the AP 72 Dismounting the AP 72 Powering Up the Wireless AP 72 AP LED Operating Sequences 73 LED Boot Sequence 73 LED Operation when AP is Running 74 Zero Touch Provisioning and Ongoing Management 75 XMS Cloud Next Generation XMS 9500 CL x 75 XMS Enterprise 75 If you are not using XMS 76 AP Management Interfaces 77 User Interfaces 77 Using the Serial Port 78 Using the Ethernet Ports to Access ...

Page 8: ...Information 102 Access Point Configuration 103 Admin History 104 Network Status Windows 104 Network 105 Network Map 106 Content of the Network Map Window 106 Spanning Tree Status 109 Routing Table 110 ARP Table 110 DHCP Leases 111 Connection Tracking NAT 111 CDP List 112 LLDP List 113 Network Assurance 113 Undefined VLANs 114 RF Monitor Windows 115 IAP Monitoring 116 Spectrum Analyzer 117 Rogues 1...

Page 9: ...ion Statistics 149 Application Control Windows 150 About Application Control 150 Application Control 152 Stations Application Control 156 System Log Window 157 IDS Event Log Window 158 Configuring the Wireless AP 161 Express Setup 163 Network 169 Interfaces 170 Network Interface Ports 171 Bonds and Bridging 173 DNS Settings 180 Cisco Discovery Protocol CDP Settings 181 LLDP Settings 182 Services 1...

Page 10: ...curity 225 Certificates and Connecting Securely to the WMI 228 Using the AP s Default Certificate 229 Using an External Certificate Authority 230 Admin Management 230 Admin Privileges 232 Admin RADIUS 234 About Creating Admin Accounts on the RADIUS Server 234 Management Control 237 Access Control List 247 Global Settings 249 External Radius 253 About Creating User Accounts on the RADIUS Server 254...

Page 11: ...Personal Wi Fi 301 Groups 303 Understanding Groups 303 Using Groups 304 Group Management 305 Group Limits 308 IAPs 310 Understanding Fast Roaming 311 IAP Settings 312 Global Settings 318 Beacon Configuration 320 Station Management 321 Advanced Traffic Optimization 323 Global Settings 11an 334 Global Settings 11bgn 340 Global Settings 11n 346 Global Settings 11ac 349 Global Settings 11u 351 Underst...

Page 12: ...ngs 378 LED Settings 378 DSCP Mappings 379 Roaming Assist 380 WDS 383 About Configuring WDS Links 383 Long Distance Links 385 WDS Client Links 385 Filters 389 Filter Lists 390 Filter Management 393 Clusters 399 Cluster Management 399 Mobile 404 AirWatch 404 User Procedure for Wireless Access 406 Using Tools on the Wireless AP 409 System Tools 410 About Licensing and Upgrades 410 System 412 Remote ...

Page 13: ...nterface 433 Establishing a Secure Shell SSH Connection 433 Getting Started with the CLI 435 Entering Commands 435 Getting Help 435 Top Level Commands 438 Root Command Prompt 438 configure Commands 439 show Commands 443 statistics Commands 448 Configuration Commands 450 acl 450 admin 451 auth 452 cdp 452 clear 454 cluster 456 contact info 457 date time 458 dhcp server 459 dns 460 file 461 filter 4...

Page 14: ...unnel 491 uptime 492 vlan 492 wifi tag 493 Sample Configuration Tasks 495 Configuring a Simple Open Global SSID 496 Configuring a Global SSID using WPA PEAP 497 Configuring an SSID Specific SSID using WPA PEAP 498 Enabling Global IAPs 499 Disabling Global IAPs 500 Enabling a Specific IAP 501 Disabling a Specific IAP 502 Setting Cell Size Auto Configuration for All IAPs 503 Setting the Cell Size fo...

Page 15: ...tion 514 External RADIUS Global 515 Internal RADIUS 516 Administrator Account and Password 516 Management 516 Keyboard Shortcuts 517 Appendix B FAQ and Special Topics 519 General Hints and Tips 519 Frequently Asked Questions 520 Multiple SSIDs 520 Security 522 VLAN Support 525 AP Monitor and Radio Assurance Capabilities 527 Enabling Monitoring on the AP 527 How Monitoring Works 527 Radio Assurance...

Page 16: ...e Information 567 Compliance Information Non EU 574 Safety Warnings 576 Translated Safety Warnings 577 Software License and Product Warranty Agreement 578 Hardware Warranty Agreement 584 Appendix E Medical Usage Notices 587 Appendix F Auditing PCI DSS 593 Payment Card Industry Data Security Standard Overview 593 PCI DSS and Wireless 594 The Xirrus AP PCI Compliance Configuration 595 The pci audit ...

Page 17: ...Wireless Access Point xiii Glossary of Terms 607 Index 619 ...

Page 18: ...Wireless Access Point xiv ...

Page 19: ...e Options 38 Figure 16 Overlapping Cells 39 Figure 17 Allocating Channels Manually 40 Figure 18 Spatial Multiplexing 44 Figure 19 MIMO Signal Processing 45 Figure 20 MU MIMO with Four Antennas 46 Figure 21 Physical Layer Data Encoding 47 Figure 22 Channel Bonding Channels 36 64 shown 49 Figure 23 Maximum 802 11ac Data Rates 49 Figure 24 Port Failover Protection 52 Figure 25 Switch Failover Protect...

Page 20: ... AP Information 102 Figure 49 Show Configuration 103 Figure 50 Admin Login History 104 Figure 51 Network Settings 105 Figure 52 Network Map 106 Figure 53 Spanning Tree Status 109 Figure 54 Routing Table 110 Figure 55 ARP Table 110 Figure 56 DHCP Leases 111 Figure 57 Connection Tracking 111 Figure 58 CDP List 112 Figure 59 LLDP List 113 Figure 60 Network Assurance 113 Figure 61 Undefined VLANs 114 ...

Page 21: ...s 144 Figure 86 IDS Statistics Page 145 Figure 87 Filtered IDS Statistics 146 Figure 88 Filter Statistics 147 Figure 89 Station Statistics 147 Figure 90 Individual Station Statistics Page 149 Figure 91 Application Control 152 Figure 92 Application Control Pie Charts 154 Figure 93 Application Control Station Traffic 155 Figure 94 Stations Application Control 156 Figure 95 System Log Alert Level Hig...

Page 22: ... Figure 124 Proxy Client for Management Traffic 211 Figure 125 VLANs 213 Figure 126 VLAN Management 216 Figure 127 Tunnel Summary 220 Figure 128 Tunnel Management 221 Figure 129 Tunnel SSID Assignments 223 Figure 130 Security 224 Figure 131 Import Xirrus Certificate Authority 229 Figure 132 Admin Management 230 Figure 133 Admin Privileges 232 Figure 134 Admin RADIUS 235 Figure 135 Management Contr...

Page 23: ... 293 Figure 159 Setting Active IAPs per SSID 297 Figure 160 Per SSID Access Control List 298 Figure 161 Honeypot Whitelist 300 Figure 162 Personal Wi Fi 301 Figure 163 Groups 303 Figure 164 Group Management 305 Figure 165 IAPs 310 Figure 166 Source of Channel Setting 310 Figure 167 IAP Settings 312 Figure 168 Global Settings IAPs 318 Figure 169 Multicast Processing 323 Figure 170 Additional Optimi...

Page 24: ...nostic Log 419 Figure 200 Managing Application Control Signature files 420 Figure 201 Managing WPR Splash Login page files 421 Figure 202 System Command Ping 422 Figure 203 Radius Ping Output 423 Figure 204 CLI Window 424 Figure 205 API Documentation 426 Figure 206 API GET Request Details 427 Figure 207 API GET Request Response 429 Figure 208 API Documentation Toolbar 430 Figure 209 WMI Display Op...

Page 25: ...ell Size for All IAPs 504 Figure 225 Setting the Cell Size for a Specific IAP 505 Figure 226 Configuring VLANs on an Open SSID 506 Figure 227 Configuring Radio Assurance Mode Loopback Testing 508 Figure 228 Sample output of pci audit command 597 Figure 229 Tamper Evident Seal Application for Indoor Enclosure 600 Figure 230 Tamper Evident Seal Application Close up 601 Figure 231 AP Information 602 ...

Page 26: ...Wireless Access Point xxii List of Figures ...

Page 27: ...f Products Figure 1 Xirrus AP The Xirrus family of products includes the following Xirrus High Density Wireless Access Points Xirrus APs are designed to provide distributed intelligence integrated switching capacity application level intelligence increased bandwidth and smaller size The radios support IEEE802 11 ac a b g and n clients and feature the capacity and performance needed to replace swit...

Page 28: ...and stacking One two and eight port POE injectors are also available for a range of AP power requirements Nomenclature Throughout this User s Guide Xirrus Wireless Access Points are referred to as simply APs or APs In some instances the terms product and unit are also used When discussing specific products from the Xirrus family the product name is used for example XR 4830 The Wireless AP s operat...

Page 29: ...se customers have come to expect from their networks The technology is being driven by these major IEEE standards 802 11ac Operates in the 5 GHz range using a number of advanced techniques to achieve a maximum speed of 1 3 Gbps These techniques include improvements on the methods used for 802 11n below 802 11n Uses multiple antennas per radio to boost transmission speed as high as 450Mbps increasi...

Page 30: ...n achieve up to 1 3 Gbps throughput Figure 2 Wireless AP XR Series The Wireless AP regardless of the product model is Wi Fi compliant and simultaneously supports 802 11ac on 11ac models 802 11a 802 11b 802 11g and 802 11n clients The multi state design allows you to assign radios to 2 4 GHz and 5 GHz bands or both in any desired arrangement Integrated switching and active enterprise class features...

Page 31: ... similar locations Using existing in wall cabling the XR 320 can deliver Wi Fi access connectivity to multiple wired devices and pass through access for legacy devices like POTS These models have omni directional antennas rather than directional antennas The XR 320 runs a different operating system than ArrayOS and the WMI and CLI described in this book do not apply to the XR 320 This model should...

Page 32: ...ios in challenging deployments in areas with high RF attenuation and in isolated or physically separated locations These models have an integrated controller firewall threat sensor and spectrum analyzer Indoor units have omni directional antennas rather than directional antennas Feature XR 520 No radios 802 11 a b g n monitor 2 Radio type 2x2 Integrated omni directional antennas 4 Integrated wirel...

Page 33: ...ectional antennas The XR 630 supports a unique feature that optimizes wireless performance by automatically segmenting faster 802 11ac clients from slower Wi Fi clients Since Wi Fi is a shared medium this separation ensures slower 802 11a b g n clients do not slow down 802 11ac clients and prevent them from achieving high performance Note that the XH2 120 is an outdoor AP that is similar to the XR...

Page 34: ...ation and in isolated or physically separated locations The elliptical shaped coverage pattern produced by its directional antennas is ideal for covering facilities with central hallways and adjacent rooms commonly found in office buildings hotels and dormitories Like larger APs these models integrate multi state radios with high gain directional antennas an onboard multi gigabit switch controller...

Page 35: ...gain directional antennas an onboard multi gigabit switch controller firewall threat sensor and spectrum analyzer A unique feature optimizes wireless performance by automatically segmenting faster 802 11ac clients from slower Wi Fi clients Since Wi Fi is a shared medium this separation ensures slower 802 11a b g n clients do not slow down 802 11ac clients and prevent them from achieving high perfo...

Page 36: ...te radios with high gain directional antennas an onboard multi gigabit switch controller firewall threat sensor and spectrum analyzer on a modular chassis designed for extensibility A unique feature optimizes wireless performance by automatically segmenting faster 802 11ac clients from slower Wi Fi clients Since Wi Fi is a shared medium this separation ensures slower 802 11a b g n clients do not s...

Page 37: ...i state radios with high gain directional antennas an onboard multi gigabit switch controller firewall threat sensor and spectrum analyzer on a modular chassis designed for extensibility XR 2005 Series APs have no console port but have two Gigabit ports one of which accepts POE power supplied by a Xirrus supplied power injector or an IEEE802 3at powered switch Note that older XR 2000 Series APs en...

Page 38: ...s with high gain directional antennas an onboard multi gigabit switch controller firewall threat sensor and spectrum analyzer on a modular chassis designed for extensibility A unique feature optimizes wireless performance by automatically segmenting faster 802 11ac clients from slower Wi Fi clients Since Wi Fi is a shared medium this separation ensures slower 802 11a b g n clients do not slow down...

Page 39: ...f 3 6 Gbps up to 450 Mbps per radio Smaller models may be upgraded to eight radios later when your needs change Feature XR 4420 XR 4430 XR 4820 XR 4830 Number of radios 802 11a b g n monitor 4 4 8 8 Radio type 2x2 3x3 2x2 3x3 Integrated antennas 8 12 16 24 Integrated wireless switch ports 8 8 8 8 Integrated RF spectrum analyzer threat sensors Yes Yes Yes Yes 1 Gigabit Uplink Ports 2 2 2 2 Wireless...

Page 40: ... security standards including Wireless Protected Access WPA and WPA2 with 802 11i Advanced Encryption Standard AES are available on the Wireless AP In addition the use of an embedded RADIUS server or 802 1x with an external RADIUS server ensures user authentication multiple APs can authenticate to the XMS ensuring only authorized APs become part of the wireless network With the Xirrus Advanced Fea...

Page 41: ...l customer needs For example Figure 3 Wireless Coverage Patterns Figure 3 depicts the following two scenarios Full pattern coverage All radios are activated with coverage spanning 360 degrees If within range clients will always receive coverage regardless of their geographic position relative to the AP Radios may be assigned to 2 4 GHz and or 5 0 GHz bands in any desired pattern Partial pattern co...

Page 42: ...e for the AP for compatible injectors or powered switches POE modules provide power to APs over the same Cat 5e or Cat 6 cable used for data Managed modules provide the ability to control power using XMS Figure 4 XP8 Power over Ethernet Usage Specific models of the AP are compatible with specific POE modules Enterprise Class Management The Wireless AP can be used with its default settings or it ca...

Page 43: ...Line Interface CLI offers IT professionals a familiar management and control environment Simple Network Management Protocol SNMP is also supported to allow management from an SNMP compliant management tool such as the optional XMS For deployments of more than five APs we recommend that you use the cloud based or enterprise version of XMS XMS offers a rich set of features for fine control over larg...

Page 44: ...ts sixteen IAPs radios provide a maximum wireless capacity of 7 2 Gbps which offers ample reserves for the high demands of current and future applications Of the sixteen IAPs fifteen operate as radios which may be set up to serve your choice of client types any or all of 802 11a b g n 5 GHz or 2 4 GHz bands providing backwards compatibility with 802 11b and 802 11g In the recommended configuration...

Page 45: ... AP deployment ensures Continuous connectivity if an IAP radio fails Continuous connectivity if an AP fails Continuous connectivity if a WDS link or switch fails Continuous connectivity if a Gigabit uplink or switch fails Flexible Coverage Schemes Figure 7 Coverage Schemes XR 7230 shown 802 11a n Delivers 60 wireless coverage per IAP with 6 dBi of gain 802 11b g n Delivers 180 wireless coverage wi...

Page 46: ... 3 Ease of Deployment The Xirrus XMS and Mobilize services simplify and speed deployment of the wireless network by automatically setting up each AP s license software image and initial configuration When the AP is installed and has Internet connectivity it contacts Xirrus which performs these initialization tasks Powerful Management The XMS offers real time monitoring and management capabilities ...

Page 47: ...Xirrus RPM optimizes the bandwidth usage and station performance of wireless networks Leveraging the multiple integrated access point multi radio design of the Xirrus Wireless AP RPM manages the allocation of wireless bandwidth to wireless stations across multiple RF channels The result maximizes overall network performance with superior flexibility and capacity Today s wireless infrastructure is ...

Page 48: ...s Leveraging an integrated 24 7 threat sensor and hardware based encryption decryption in each AP RSM secures the wireless network from multiple types of threats The result delivers uncompromised overall network security with superior flexibility and performance Wireless networks face a number of potential security threats in the form of rogue access points ad hoc clients unauthorized clients wire...

Page 49: ...e IT administrators the ability to troubleshoot issues that may occur within the wireless environment 802 11ac deployment will continue to evolve over the next several years with additional performance and optional functions along with an ongoing stream of IEEE 802 11 amendments This changing wireless landscape mandates that appropriate tools are available to the user to analyze optimize and troub...

Page 50: ...sibility of application usage by users across the wireless network Network usage has changed enormously in the last few years with the increase in smart phone and tablet usage stressing networks The AP uses Deep Packet Inspection DPI to determine what applications are being used and by whom and how much bandwidth they are consuming These applications are rated by their degree of risk and productiv...

Page 51: ... installing the AP and provides instructions to help you plan and complete a successful installation The Web Management Interface Offers an overview of the product s embedded Web Management Interface including its content and structure It emphasizes what you need to do to ensure that any configuration changes you make are applied and provides a list of restricted characters It also includes instru...

Page 52: ... and a procedure for isolating problems within an AP enabled wireless network Also includes Frequently Asked Questions FAQs and Xirrus contact information Appendix D Notices XR 1000 to XR 6000 Indoor Models Contains the legal notices licensing and compliance statements for the AP Please read this section carefully Appendix C Notices XD4 and XR500 600 Series Only Contains the legal notices licensin...

Page 53: ...ls are used throughout this User s Guide Screen Images Some screen images of the Web Management Interface have been modified for clarity For example an image may have been cropped to highlight a specific area of the screen and or sample data may be included in some fields Product Specifications Please refer to the Xirrus web site for the latest specifications for these APs www xirrus com This symb...

Page 54: ...Wireless Access Point 28 Introduction ...

Page 55: ...ncluding Power Source Xirrus APs are powered via Xirrus supplied Power over Ethernet POE supplies power over the same Cat 5e or Cat 6 cable used for data thus reducing cabling and installation effort POE power injector modules are available in 1 2 and 8 port configurations and are typically placed near your Gigabit Ethernet switch An AC outlet is required for each injector module Some smaller APs ...

Page 56: ...c route for management as described in the warning above Serial connection capability A serial port console is present on most XR 2000 models and all larger XR series models The Xircon utility can be used in place of a console port see the Xircon User s Guide To connect directly to the console port on the AP your computer must be equipped with a male 9 pin serial port and terminal emulation softwa...

Page 57: ...are optional Xirrus Management System XMS The optional XMS offers powerful management features for small or large Wireless AP deployments Client Requirements The Wireless AP should only be used with Wi Fi certified client devices See Also Coverage and Capacity Planning Failover Planning Planning Your Installation ...

Page 58: ...ations The Array s unique multi radio architecture generates 360 degrees of sectored high gain 802 11a b g n ac coverage that provides extended range Note that XR 500 600 Series radios are omni directional rather than sectored The number thickness and location of walls ceilings or other objects that the wireless signals must pass through may affect the range Typical ranges vary depending on the ty...

Page 59: ...hick For best reception try to ensure that your wireless devices are positioned so that signals will travel straight through a wall or ceiling Figure 8 Wall Thickness Considerations 3 Try to position wireless client devices so that the signal passes through drywall between studs or open doorways and not other materials that can adversely affect the wireless signal See Also Coverage and Capacity Pl...

Page 60: ...ectrical devices or appliances that generate RF noise Because the AP is generally mounted on ceilings be aware of its position relative to lighting especially fluorescent lighting we recommend maintaining a distance of at least 3 to 6 feet 1 to 2 meters Figure 9 Unit Placement 3 If using multiple APs in the same area maintain a distance of at least 100ft 30m between APs if there is direct line of ...

Page 61: ... or disabling individual sectors Full Normal Coverage In normal operation the AP provides a full 360 degrees of coverage Figure 10 Full Normal Coverage Half Coverage Figure 11 Adjusting RF Patterns If installing a unit close to an exterior wall you can deactivate half of the radios to prevent redundant signals from bleeding beyond the wall and extending service into public areas The same principle...

Page 62: ...the number of APs available at the location The capacity of a cell is defined as the minimum data rate desired for each sector multiplied by the total number of sectors being used Figure 13 Connection Rate vs Distance Figure 13 shows relative connection rates for 802 11n vs 802 11a g and 802 11b and the effect of distance on the connection rates 802 11ac rates behave like 802 11n over distance see...

Page 63: ...wer so that complete coverage is provided to all areas yet at the minimum power level required This helps to minimize potential interference with neighboring networks Additionally APs running Auto Cell automatically detect and compensate for coverage gaps caused by system interruptions To enable the Auto Cell Size feature go to RF Power and Sensitivity on page 360 There are two ways of performing ...

Page 64: ...ld be run once for each of these pages APs must be at least 15 feet apart for Auto Cell to work properly If you are installing many units in proximity to each other we recommend that you use Auto Cell Size otherwise reduce the transmit power using manual settings to avoid excessive interference with other APs or installed APs See also Coverage and Capacity Planning on page 34 Sharp Cell This paten...

Page 65: ...by scanning the surrounding area for RF activity on all channels then automatically selecting and setting channels on the AP to the best channels available This function is typically executed when initially installing APs in a new location and may optionally be configured to execute periodically to account for changes in the RF environment over time Auto Channel selection has significant advantage...

Page 66: ...os themselves are scanning the environment from their physical location May be configured to run periodically To set up the automatic channel selection feature go to Advanced RF Settings on page 357 Manual Channel Selection You can manually assign channels on a per radio basis though manual selection is not recommended and not necessary Figure 17 Allocating Channels Manually To avoid co channel in...

Page 67: ...rials used at the site etc In addition features applied to traffic may have an effect Performance may decrease as you add increasing numbers of SSIDs VLANs and features such as Application Control encryption management via XMS Cloud etc XR 500 1000 Series models are more prone to performance degradation since they have less memory than other models See Also Failover Planning Installation Prerequis...

Page 68: ...802 11ac performance with ACExpress an innovation that intelligently separates fast and slow devices on separate IAPs to maximize system performance The major advantages of 802 11ac are Faster speeds than 802 11n over the same coverage area operating at up to 1 3 Gbps in Wave 1 implementations While the maximum distance that a Wi Fi signal can reach is unchanged with 802 11ac multiple antennas inc...

Page 69: ...lanning your deployment since it contributes greatly to 802 11ac s speed improvements and because it is configured separately for each IAP Your selection of channel width in IAP Settings 40 MHz or 80 MHz or 20 MHz if bonding is turned off has a major effect on your channel planning A global setting is provided to enable or disable 802 11ac mode See Global Settings 11ac on page 349 to configure ope...

Page 70: ...ltiplexing The date rate increases directly with the number of transmit antennas used Note that mobile devices in the near future will support up to three or four streams at most with many supporting less MIMO Multiple In Multiple Out MIMO Multiple In Multiple Out signal processing is one of the core technologies of 802 11n and 802 11ac It mitigates interference and maintains broadband performance...

Page 71: ...g on the same channel With spatial multiplexing in 802 11ac up to 8 data streams may be concurrently transmitted MU MIMO s innovation allows the streams to be split between multiple devices at once With 802 11n whenever the IAP transmitted data all of the traffic at any instant of time was directed to a single client As a consequence if a set of devices included a mix of fast and slow client clien...

Page 72: ...s 2 1 station w 2 antennas or 2 stations w 1 antenna 3 1 station w 3 antennas or 1 station w 2 antennas 1 station w 1 antenna or 3 stations w 1 antenna 4 1 station w 4 antennas or 2 stations w 2 antennas or 1 station w 2 antennas 2 stations w 1 antenna or 4 stations w 1 antenna 8 1 station w 8 antennas or 2 stations w 4 antennas or 1 station w 4 antennas 2 stations w 2 antennas or 2 stations w 2 a...

Page 73: ...ol and 64 QAM which conveys 6 bits per symbol 802 11ac adds 256 QAM which conveys 8 bits per symbol for a 33 increase in throughput vs the highest 802 11n data rate You may select the highest Modulation and Coding Scheme MCS level allowed with 1 2 or 3 Spatial Streams see the Max MCS setting in Procedure for Configuring Global 802 11ac IAP Settings on page 350 You may limit the highest level of mo...

Page 74: ...he IAP Settings page for each IAP in terms of the primary channel and the width of the bond Be aware that Channel Bonding impacts channel planning since you are using multiple channels per IAP 802 11ac allows creation of 20 40 80 or 160 MHz wide channels The 160MHz channel can also be a combination of two non contiguous 80MHz channels 80 80 Although channel bonding increases bandwidth wider channe...

Page 75: ...ncy Channel Number 36 5150MHz Channel Bandwidth 5250MHz 5350MHz 40 44 48 52 60 56 64 20MHz 40MHz 80MHz 160MHz 2 20MHz bonded channels 2 40MHz bonded channels 2 80MHz bonded channels UNII 1 UNII 2 Phase 1 Phase 2 Maximum Transmit Bandwidth Data Rate Antennas MHz Streams Modulation 293Mbps 1 40 1 64QAM 433Mbps 1 80 1 256QAM 867Mbps 2 80 2 256QAM 1 299Gbps 3 80 3 256QAM 1 730Gbps 4 80 4 256QAM 3 470G...

Page 76: ... slower 802 11a b g n clients do not starve the performance of 802 11ac clients For example the data rate of an 802 11n client is less than 25 of the rate of an 802 11ac client and thus will take four times as much air time for a given amount of data This takes available bandwidth away from faster clients reducing their performance significantly ACExpress intelligently separates clients by type on...

Page 77: ... avoiding single points of failure More power Multi antenna APs handling 802 11ac speeds will likely require more power Power planning for your access switches should be carefully considered A new site survey may be needed Wireless networks established as recently as a few years ago were probably designed for coverage and not capacity APs were placed so that there were no dead zones without consid...

Page 78: ...es failover protection at the unit and port levels To ensure that service is continued in the event of a port failure you can utilize two Gigabit Ethernet ports simultaneously as a bonded pair on APs with two or more Gigabit ports Figure 24 Port Failover Protection Xirrus highly recommends that the upgraded Array have a radio count that matches one of our standard Arrays e g XR 4000 with 4 or 8 ra...

Page 79: ...net ports actually support a number of modes 802 3ad Link Aggregation Load Balancing Broadcast Link Backup Mirrored For more details on Gigabit port modes and their configuration please see Bonds and Bridging on page 173 Interface Bridges Data Bridges Management Traffic Fails Over To IP address Gigabit port Yes Yes Bonded port DHCP or static Bonded Gigabit port Yes Yes Bonded port Same ...

Page 80: ...aving multiple Gigabit ports to more than one Ethernet switch not a hub Figure 25 Switch Failover Protection See Also Coverage and Capacity Planning Installation Prerequisites Network Management Planning Planning Your Installation Power Planning Security Planning Gigabit Ethernet connections must be on the same subnet Ethernet switch Backup switch Ethernet connections ...

Page 81: ...or Cat 6 cables to the AP without running power cables see Figure 4 on page 16 Specific models of the AP are compatible with specific PoGE modules For details please see the Power over Gigabit Ethernet Installation and User Guide See Also Coverage and Capacity Planning Failover Planning Network Management Planning Security Planning When using Cat 5e or Cat 6 cable power can be provided up to a dis...

Page 82: ...re secure than WEP and uses TKIP for encryption Wi Fi Protected Access WPA2 with AES This is government grade encryption available on most new client adapters and uses the AES CCM encryption mode Advanced Encryption Standard Counter Mode Authentication Authentication ensures users are who they say they are Users are authenticated when they attempt to connect to the wireless network and periodicall...

Page 83: ...SS Standards The Payment Card Industry PCI Data Security Standard DSS was developed by major credit card companies It lays out a set of requirements that must be met in order to provide adequate security for sensitive data The AP may be configured to assist in satisfying PCI DSS standards For details please see Auditing PCI DSS on page 593 Note that the license installed on the AP must include the...

Page 84: ...S port requirements are illustrated in Figure 26 XMS requires ports 161 162 and 443 to be passed between APs and the XMS server Similarly port 9443 is required for communication between the XMS server and XMS clients and port 25 is typically used by the XMS server to access an SMTP server to send email notifications Figure 26 Port Requirements for XMS Firewall XMS Server XMS Client L2 Switching In...

Page 85: ...p TFTP TFTP Server No 123 udp NTP NTP Server No 161 udp SNMP XMS Server No 162 udp SNMP Traphost Note Up to four Traphosts may be configured XMS Server Yes but required by XMS 443 tcp HTTPS WMI WPR Client Yes 514 udp Syslog Syslog Server No 1812 1645 udp RADIUS some servers use 1645 RADIUS Server Yes 1813 1646 udp RADIUS Accounting some servers still use 1646 RADIUS Accounting Server Yes 2055 udp ...

Page 86: ...tcp XMS Back end Server Internal No 3306 tcp MySQL Database Internal No 8001 tcp Status Viewer Internal No 8007 tcp Tomcat Shutdown Internal During installation 8009 tcp Web Container Internal During installation 9090 tcp XMS Webserver XMS client During installation 9091 tcp XMS Client Server XMS client Via XMS config file 9092 tcp XMS Client Server XMS client Via XMS config file 9443 tcp XMS WMI ...

Page 87: ...Wireless Access Point Installing the Wireless AP 61 See Also Management Control External Radius Services VLAN Management ...

Page 88: ...g features Globally manage large numbers of APs Seamless view of the entire wireless network Easily configure large numbers of APs Rogue AP monitoring Easily manage system wide firmware updates Monitor performance and trends Aggregation of alerts and alarms The AP s Command Line Interface using an SSH Secure Shell utility like PuTTY The utility must be set up to use SSH 2 since the AP will only al...

Page 89: ...m see Figure 27 WDS features include One to three IAPs may be used to form a single WDS link yielding up to 1350 Mbps bandwidth per link Up to three different WDS links may be created on a single AP Automatic IAP load balancing If desired you may allow clients to associate to a BSS on the same radio interface used for a WDS Host Link This will take bandwidth from the WDS link Figure 27 WDS Link Mu...

Page 90: ...ess AP Figure 28 A Multiple Hop WDS Connection Multiple WDS links can provide link redundancy failover capability see Figure 29 A network protocol Spanning Tree Protocol STP prevents APs from forming network loops Figure 29 WDS Failover Protection ...

Page 91: ...in the same way that stations associate to IAPs The client side of the link must be configured with the root MAC address of the target host AP A WDS Host Link acts like an IAP by allowing one WDS Client Link to associate to it An AP may have both client and host links WDS configuration is performed only on the client side AP See WDS on page 383 Note that both APs must be configured with the same S...

Page 92: ...Planning Function Number of Wireless APs One or Two Three or More Power Power over Ethernet Power over Ethernet UPS backup recommended Failover Recommended Highly recommended VLANs Optional Optional use Can be used to put all APs on one VLAN or map to existing VLAN scheme Encryption WPA2 with AES recommended PSK or 802 1x WPA2 with AES recommended 802 1x keying Authentication Internal RADIUS serve...

Page 93: ... customers will skip the last two steps Figure 30 Installation Workflow See Also Coverage and Capacity Planning Common Deployment Options Determine the number of Arrays needed Choose the location s for your Wireless Arrays Install the mounting plate Connect the cables and turn on the power Verify that the Ethernet link and radio LEDs are functioning correctly Review the Array Configuration Run Eth...

Page 94: ...Wireless Access Point 68 Installing the Wireless AP Failover Planning Installation Prerequisites Planning Your Installation Power Planning Wireless Access Point Product Overview Security Planning ...

Page 95: ...ly discussed choose a location for the AP that will provide the best results for your needs The Wireless AP was designed to be mounted on a ceiling where the unit is unobtrusive and wireless transmissions can travel unimpeded throughout open plan areas Choose a location that is central to your users see the following diagram for correct placement Figure 31 AP Placement Wiring Considerations Before...

Page 96: ... crossover Network APs have at least one POE port to supply power and data over the same cable Many models have additional Gigabit ports or even additional POE ports Please see the Installation Guide for your AP model for detailed information about running cables to the AP and connecting it Some models also have a serial console port The Serial cable may be up to 25 feet long per the RS 232 specif...

Page 97: ...ons See Also Failover Planning Installation Prerequisites Installation Workflow Mounting and Connecting the AP Power over Ethernet POE The AP s Ethernet ports should be plugged into an Ethernet switch not an Ethernet hub if a hub is used we recommend that you connect only one Ethernet port ...

Page 98: ... on the AP i e push it against the mounting plate Then turn the AP to the left to remove it This is similar to dismounting a smoke detector Powering Up the Wireless AP When powering up the AP follows a specific sequence of LED patterns showing the boot progress and following a successful boot will provide extensive status information Figure 32 LED Locations AP LED settings may be altered or disabl...

Page 99: ...ON Blinking GREEN All OFF Boot loader power ON self test Blinking GREEN All ON Image load from compact FLASH Blinking GREEN Spinning pattern rotate all to ON then all to OFF Image load failure Blinking ORANGE All OFF Hand off to ArrayOS Solid GREEN All OFF System software initialization Solid GREEN Walking pattern LED rotating one position per second Up and running Solid GREEN ON for IAPs that are...

Page 100: ... Hz IAP is up passing traffic Traffic 1500 packets sec Traffic 150 packets sec Traffic 1 packet sec IAP LED is GREEN IAP is operating in the 2 4 GHz band IAP LED is ORANGE IAP is operating in the 5 GHz band IAP LED flashing ORANGE to GREEN at 1 Hz The radio is in monitor mode standard intrude detect STATUS LED is GREEN AP is operational GIG Ethernet LEDs are dual color Ethernet LED is ORANGE Ether...

Page 101: ...se XMS Cloud to specify the initial settings for your APs A Guided Tour will walk you through the basic steps of creating a profile containing configuration settings including creating SSIDs and firewall application control rules Once a new unlicensed AP is connected to a network with DHCP and Internet connectivity it will automatically contact Xirrus for cloud based zero touch provisioning per yo...

Page 102: ...iguration sets items such as SSIDs encryption and authentication and SNMP settings Use the Mobilize service to specify these settings for each AP before deployment Settings may be duplicated from one AP to the next or entered in bulk Your Xirrus wireless equipment will continue to be able to fetch and activate license updates to which you are entitled See Remote Boot Services on page 414 If you ar...

Page 103: ...hrough the Command Line Interface CLI using SSH or on a browser with the Web Management Interface WMI You may use the CLI via the serial management port console on all APs except the XR 500 600 1000 Series and some XR 2000 models or any of the Gigabit Ethernet ports You can use the WMI via any of the AP s Ethernet ports Figure 33 Network Interface Ports XR 520 left XR 1000 Series right Figure 34 N...

Page 104: ...erial port to change settings on the AP even if the AP s Gigabit interfaces are in XMS managed mode i e read only mode see Managing APs Locally or Using XMS on page 85 The Xircon utility may also be used to communicate with APs locally as an alternative to using a serial connection to the console This is especially useful for the XR 500 600 1000 Series and some XR 2000 models which do not have a c...

Page 105: ...00 0F 7D or 50 60 28 and are found on the AP label and shipping container 3 Alternatively you may query the AP using the CLI via the console port on all models except the XR 500 600 1000 and some XR 2000 models Log in using the default user name admin and password admin Use the show ethernet command to view the IP addresses assigned to each port 4 If the AP cannot obtain an IP address via DHCP the...

Page 106: ... AP boots up it automatically contacts Xirrus with its serial number and MAC address and obtains its license key software image and initial configuration from XMS or Mobilize Any unlicensed AP running ArrayOS release 6 5 or above will update in this way after it boots up if it has Internet connectivity A license is needed to enable the full functionality of the AP Without a license the AP can be p...

Page 107: ...l as an attachment in the form of an Excel file xls Enter the key exactly as it appears in the file Click the Apply button to apply the key 4 Now you may verify the features provided by the key In the Status section of the left hand frame click AP and then click Information Check the items listed in the License Features row Performing the Express Setup Procedure The Express Setup procedure establi...

Page 108: ...ce an AP is discovered Xircon can establish an encrypted console session to the AP via the network even if the AP IP configuration is incorrect Xircon allows you to manage the AP using CLI just as you would if connected to the console port Xircon also has an option for easily accessing XBL In normal circumstances Xirrus APs should be configured and managed through SSH or via the WMI A connection i...

Page 109: ...onnection on page 433 Then proceed to the next step 2 At the login as prompt log in to CLI using the username and password that you set in Step 5 on page 167 or the default value of admin admin if you have not changed them login as jsmith jsmith xr4012802207c s password Xirrus Wi Fi AP ArrayOS Version 6 1 2 3299 Copyright c 2005 2012 Xirrus Inc http www xirrus com AP42 3 Type configure to enter th...

Page 110: ...ving boot environment OK AP42 config boot exit 5 Enter the following commands if you wish to change Xircon access permission AP42 config management AP42 config mgmt xircon management status AP42 config mgmt save AP42 config mgmt exit AP42 config management status may be one of on enables both CLI and XBL access off disables both CLI and XBL access aos only enables only CLI i e ArrayOS access boot ...

Page 111: ...n directly managing each AP individually You may change settings directly on the AP but be aware that XMS may not sync up with these changes for up to 24 hours All XMS versions automatically rediscover the wireless network once a day by default and XMS will fetch updated settings into its database at that time If you are an XMS Cloud customer XMS 9500 CL x you may wish to use WMI or CLI directly o...

Page 112: ...e An Overview The WMI is an easy to use graphical interface to your Wireless AP It allows you to configure the product to suit your individual requirements and ensure that the unit functions efficiently and effectively Figure 38 Web Management Interface ...

Page 113: ... Network Map Spanning Tree Status Routing Table ARP Table DHCP Leases Connection Tracking NAT CDP List Network Assurance RF Monitor Windows IAP Monitoring Spectrum Analyzer Rogues Channel History Radio Assurance Station Status Windows Stations Location Map RSSI Signal to Noise Ratio SNR Noise Floor Max by IAP Station Assurance Statistics Windows IAP Statistics Summary Per IAP Statistics Network St...

Page 114: ... Settings External Radius Internal Radius Active Directory Rogue Control List OAuth 2 0 Management SSIDs SSID Management Active IAPs Per SSID Access Control List Honeypots Configuration Windows cont d Groups Group Management IAPs IAP Settings Global Settings Global Settings 11an Global Settings 11bgn Global Settings 11n Global Settings 11u Global Settings 11ac Advanced RF Settings Hotspot 2 0 NAI ...

Page 115: ...le you ll see that windows are divided into left and right frames Figure 39 The left frame contains two main elements The menu is organized into three major sections Status Configuration Tools Each has headings for major functions such as Network SSIDs Security etc Click a heading such as Network to display a page Left frame Right frame Utilities Log Message counters Help Command log Utilities ...

Page 116: ...ght corner along with the hostname this defaults to the unit s serial number and IP address The Uptime shows the time since the AP was last rebooted Below this is the page title and the user name you used to log in On the right click the Utilities button for a drop down menu that allows you to Refresh Page Save your changes open the Help system or Logout If you have any unsaved changes the Save bu...

Page 117: ...you to submit your comments to Xirrus Inc Click the Print button to open a print dialog to send a copy of the active window to your local printer Click the Help button to access the AP s online help system Submitting Your Comments When submitting comments via the Feedback button ensure that you provide as much detail as possible including your contact information the product model number that the ...

Page 118: ... default host name in the browser s URL The default host name is simply the AP s serial number for example XR0823091CACD Otherwise enter the AP s IP address This may be determined as described in Using the Ethernet Ports to Access the AP on page 79 3 The default login to the AP s Web Management Interface is admin for both the user name and password Figure 43 Logging In to the Wireless AP Some page...

Page 119: ...bed above the changes that you have made are not saved to the latest configuration file in the AP s flash memory so they will not be restored after a reboot Click the Save button located on the upper right of each page in order to make sure that these changes will be applied after rebooting This will save the entire current configuration not only the changes on current WMI page Character Restricti...

Page 120: ...Wireless Access Point 94 The Web Management Interface ...

Page 121: ...I Access Point Status Windows on page 96 Network Status Windows on page 104 RF Monitor Windows on page 115 Station Status Windows on page 126 Statistics Windows on page 139 Application Control Windows on page 150 System Log Window on page 157 IDS Event Log Window on page 158 Configuration and Tools windows are not discussed here For information on these windows please see Configuring the Wireless ...

Page 122: ...onfiguration information for the AP in text format Admin History shows all current and past logins since the last reboot Access Point Summary This is a status only window that provides a snapshot of the global configuration settings for all Wireless AP network interfaces and IAPs You must go to the appropriate configuration window to make changes to any of the settings displayed here configuration...

Page 123: ... Auto Neg Shows whether auto negotiation is in use on this interface to determine settings for speed parity bits etc LED Shows whether LED display of interface status is enabled Link Shows whether the link on this interface is up or down Duplex Shows whether full duplex mode is in use Speed Shows the speed of this interface in Mbps MTU Size Shows the Maximum Transmission Unit size that has been co...

Page 124: ...d Mirror Shows whether mirroring is enabled on this bond IAP Section This section provides information about the Integrated Access Points IAPs that are contained within the AP How many IAPs are listed depends on which product model you are using To make configuration changes to these IAPs go to IAP Settings on page 312 IAP Lists the IAPs that are available on the AP State Shows the current state o...

Page 125: ...red to support Antenna Shows which antenna is being used by each IAP Cell Size Indicates which cell size setting is currently active for each IAP small medium large max automatic or manually defined by you Figure 46 IAP Cells The cell size of an IAP is a function of its transmit power and determines the IAP s overall coverage To define cell sizes go to IAP Settings on page 312 For additional infor...

Page 126: ...ion shows the results of ongoing network assurance testing This is the same as information shown in Network Assurance on page 113 Figure 47 Network Assurance and Operating Status The AP checks connectivity to network servers that you have configured for example DNS and NTP servers on an ongoing basis For each Setting this list shows the server s Host Name if any IP Address and Status Network assur...

Page 127: ... value if the AP model is one that includes a built in compass In order for this reading to be correct the AP must be mounted with iap1 facing north If the AP does not have an integrated compass this field will just show a dash See Also Management Control Interfaces Bonds and Bridging IAP Settings Network Assurance ...

Page 128: ...current internal temperatures fan speed and compass heading if the AP model supports these features Notice that the License Features row lists the features that are supported by your AP s license See About Licensing and Upgrades on page 410 and Advanced Feature Sets on page 21 for more information Figure 48 AP Information You cannot make configuration changes in this window but if you are experien...

Page 129: ... last reboot Factory displays the configuration established at the factory Figure 49 Show Configuration If you want to see just the differences between the Running Saved Lastboot and Factory configurations you can do this by choosing a configuration option from the Select Config pull down menu then selecting an alternative configuration option from the Select Diff pull down menu To include the def...

Page 130: ...k displays a summary of network interface settings Network Map displays information about this AP and neighboring APs that have been detected Spanning Tree Status displays the spanning tree status of network links on this AP Routing Table displays information about routing on this AP ARP Table displays information about Address Resolution Protocol on this AP DHCP Leases displays information about ...

Page 131: ...currently established for AP s wired interfaces This includes the Gigabit interfaces and their bonding settings DNS Settings are summarized as well You can click on any item in the Interface or Bond columns to go to the associated configuration window Figure 51 Network Settings WMI windows that allow you to change or view configuration settings associated with the network interfaces include Interf...

Page 132: ...ct the AP to refresh this window automatically Content of the Network Map Window By default the network map shows the following status information for each AP Access Point Name The host name assigned to the AP To establish the host name go to Express Setup on page 163 You may click the host name to access WMI for this AP IP Address The AP s IP address You may click the address to access WMI for th...

Page 133: ...his feature utilizes the Xirrus Roaming Protocol XRP ensuring fast and seamless roaming capabilities between IAPs or APs at both Layer 2 and Layer 3 To enable or disable fast roaming go to Global Settings on page 318 Uptime D H M Informs you how long the AP has been up and running in Days Hours and Minutes To see additional information select from the following checkboxes at the bottom of the page...

Page 134: ...tions Stations Tells you how many stations are currently associated to each AP To de authenticate a station go to Stations on page 127 The columns to the right H D W and M show the highest number of stations that have been associated over various periods of time the previous hour day week and month Default Sets the columns displayed to the default settings By default only Software and IAP Info are...

Page 135: ...etwork and forces certain redundant data paths into a standby blocked state If one segment in the spanning tree becomes unreachable the spanning tree algorithm reconfigures the network topology and reestablishes the link by activating the standby path The spanning tree function is transparent to client stations Figure 53 Spanning Tree Status This window shows the spanning tree status forwarding or...

Page 136: ...work Figure 54 Routing Table See Also VLANs Configuring VLANs on an Open SSID ARP Table This status only window lists the entries in the AP s ARP table For a device with a given IP address this table lists the device s MAC address It also shows the AP interface through which this device may be reached The table typically includes devices that are on the same local area network segment as the AP Fi...

Page 137: ... is valid The same IP address is normally renewed at the expiration of the current lease Figure 56 DHCP Leases See Also DHCP Server Connection Tracking NAT This status only window lists the session connections that have been created on behalf of clients This table may also be used to view information about current NAT sessions Figure 57 Connection Tracking Click the Show Hostnames checkbox at the ...

Page 138: ...very Protocol CDP Figure 58 CDP List The AP performs discovery on the network on an ongoing basis This list shows the devices that have been discovered Cisco devices and other devices on the network that have CDP running For each it shows the device s host name IP address manufacturer and model name the device interface that is connected to the network i e the port that was discovered and the netw...

Page 139: ...vice interface that is connected to the network i e the port that was discovered and the network capabilities of the device switch router supported protocols etc LLDP must be enabled on the AP in order to gather and display this information For details and some restrictions see LLDP Settings on page 182 Network Assurance This status only window shows the results of ongoing network assurance testin...

Page 140: ...been configured on the AP See VLANs on page 213 Figure 61 Undefined VLANs This feature alerts you to the fact that an 802 1Q trunk to the AP has VLANs that are not being properly handled on the AP To reduce unnecessary traffic only VLANs that are actually needed on the AP should normally be on the trunk e g the management VLAN and SSID VLANs In some cases such as multicast forwarding for Apple Bon...

Page 141: ...signed threat sensor monitor radio The associated software is part of the ArrayOS The following RF Status windows are available IAP Monitoring displays current statistics and RF measurements for each of the AP s IAPs Spectrum Analyzer displays current statistics and RF measurements for each of the AP s channels Rogues displays rogue APs that have been detected by the AP Channel History charts ongo...

Page 142: ...ed information on the measurements displayed please see Spectrum Analyzer Measurements on page 119 Figure 62 RF Monitor IAPs Figure 62 presents the data as a graphical display enabled by selecting the Graph checkbox on the upper left If this option is not selected data is presented as a numerical table Figure 63 RF Monitor IAPs You may sort the rows based on any column that has an active column he...

Page 143: ...io is in a listen only mode scanning across all wireless channels Each channel is scanned in sequence for a 250 millisecond interval per channel The spectrum analyzer window presents the data as a graphical display of vertical bar graphs for each statistic as shown in Figure 64 the default presentation or horizontally as bar graphs or numerical RF measurements The measurements displayed are explai...

Page 144: ...Click again to return to a graphical display The text option is only available in the rotated view When viewing a graphical display click Bars to have the bar graphs displayed against a gray background you may find this easier on the eyes This operation is not available when Text is selected You may sort the rows based on any column that has an active column header indicated when the mouse pointer...

Page 145: ...ing time 100 minus total busy time is quiet time the time that no activity was seen on the channel Signal to Noise Average SNR signal to noise ratio seen on the channel calculated from the signal seen on valid 802 11 packets less the noise floor level A dash value means no SNR data was available for the interval Noise Floor Average noise floor reading seen on the channel ambient noise A dash value...

Page 146: ... connections For more information about intrusion detection rogue APs and blocking please see About Blocking Rogue APs on page 375 Figure 65 Intrusion Detection Rogue AP List The Intrusion Detection window provides the easiest method for classifying rogue APs as Blocked Known Approved or Unknown Choose one or more APs using the checkbox in the Select column then use the buttons on the upper left t...

Page 147: ...he Wireless AP 121 You can refresh the list at any time by clicking on the Refresh button or click in the Auto Refresh check box to instruct the AP to refresh the list automatically See Also Network Map Rogue Control List SSIDs SSID Management ...

Page 148: ...ase see Spectrum Analyzer Measurements on page 119 Figure 66 RF Monitor Channel History Figure 66 presents the data in graphical form New data appears at the left with older readings shifting to the right To make the data appear as a bar chart click the Bar checkbox which will shade the background You also have the option of clicking the Rotate checkbox to give each statistic its own column In oth...

Page 149: ...ireless AP 123 Figure 67 RF Monitor Channel History Rotated If you select Rotate and Text together data is presented as a numerical table Figure 68 Click Pause to stop collecting data or Resume to continue Figure 68 RF Monitor Channel History Text ...

Page 150: ...en the AP can take corrective action if a problem is detected Note that radio assurance requires RF Monitor Mode to be enabled in Advanced RF Settings to turn on self monitoring functions It also requires a radio to be set to monitoring mode For a detailed discussion of the operation of this feature and the types of resets performed see Radio Assurance on page 528 Figure 69 Radio Assurance For eac...

Page 151: ...Wireless Access Point Viewing Status on the Wireless AP 125 See Also IAPs Xirrus Advanced RF Analysis Manager RAM RF Resilience Radio Assurance ...

Page 152: ...ciated station this displays the Received Signal Strength Indicator at each of the AP s IAPs Signal to Noise Ratio SNR for each associated station this displays the SNR at each of the AP s IAPs Noise Floor for each associated station this displays the ambient noise silence value at each of the AP s IAPs Max by IAP for each IAP this shows the historical maximum number of stations that have been ass...

Page 153: ...active up time In the Link column click the details button to jump to a detailed statistics page for this station Click to see Application Control information You may click other buttons above the list to show a number of additional columns Identification shows more identifying information for the station its User Name Host Name Manufacturer Device Type and Device Class for example notebook iPad e...

Page 154: ...cted station and explicitly denies it access by adding its MAC address to the Deny List in the Access Control List window To permit access again go to Access Control List on page 247 and delete the station from the Deny list Deauthenticate Sends a de authentication frame to the selected station The station may re authenticate Click on the Refresh button to refresh the station list or click in the ...

Page 155: ... GHz stations shown in orange or 2 4 GHz stations shown in green or both Figure 71 Location Map The map and AP are shown as if you were looking down on the AP from above say from a skylight on the roof Thus the positions of the radios are a mirror image of the way they are typically drawn when looking at the face of the AP Radios are marked on the map to show the orientation of the AP A station is...

Page 156: ...Netbios name of the station The TX Rate and RX Rate of this connection The approximate Distance of this station from the AP The distance is estimated using the received signal strength and your environment setting The environment determines the typical signal attenuation due to walls and other construction that affect signal reception Controls and items displayed on the Location Map window Figure ...

Page 157: ...should be 100 feet per inch Then click Upload see below For more information on using the custom image see Working with the Custom Image on page 132 Upload After browsing to the desired custom image click the Upload button to install it The map is redisplayed with your new background No hash marks for the map scale are added to the image display Reset Click this button to restore the map display t...

Page 158: ...the AP on the map simply click it then drag and drop it to the desired location The AP will continue to follow the mouse pointer to allow you to make further changes to its location When you are satisfied with its location click the AP again to return to normal operation RSSI For each station that is associated to the AP the RSSI Received Signal Strength Indicator window shows the station s RSSI v...

Page 159: ...SI values on the AP Figure 74 Station RSSI Values Colorized Graphical View In either graphical or tabular view you may sort the rows based on any column that has an active column header indicated when the mouse pointer changes to the hand icon Click on the Refresh button to refresh the station list or click in the Auto Refresh check box to instruct the AP to refresh this window automatically See A...

Page 160: ...ignal to Noise Ratio Values You may choose to display Unassociated Stations as well with a checkbox at the bottom of the window By default the SNR is displayed numerically Figure 75 You may display the relative value using color if you select Colorize Intensity with the highest SNR indicated by the most intense color Figure 76 If you select Graph then the SNR is shown on a representation of the AP...

Page 161: ...P The noise floor value can be very useful for characterizing the environment of a station to determine the cause of poor performance A relatively high value means that action may need to be taken to reduce sources of noise in the environment Figure 77 Station Noise Floor Values You may choose to display Unassociated Stations as well with a checkbox at the bottom of the window By default the noise...

Page 162: ...tabular view you may sort the rows based on any column that has an active column header indicated when the mouse pointer changes to the hand icon Click on the Refresh button to refresh the station list or click in the Auto Refresh check box to instruct the AP to refresh this window automatically See Also Station Status Windows RF Monitor Windows ...

Page 163: ...e hour day week month and year In other words the Max Station Count shows the high water mark over the selected period of time the maximum count of stations for the selected period rather than a cumulative count of all stations that have associated This information aids in network administration and in planning for additional capacity Figure 79 Max by IAP You may click an IAP to go to the IAP Sett...

Page 164: ...event is triggered a trap is generated and a Syslog message is logged For each station this list shows the MAC address its IP address its host name its device type device class and manufacturer It also shows the values of the various statistics that were monitored for problems as described in Station Assurance on page 364 associated time authentication failures packet error rate packet retry rate ...

Page 165: ...host links IDS Statistics provides statistical data for intrusion detection Filter Statistics provides statistical data for all configured filters Station Statistics provides statistical data associated with each station IAP Statistics Summary This is a status only window that provides an overview of the statistical data associated with all IAPs It also shows the channel used by each IAP For detai...

Page 166: ...ave it blank to display raw numbers Receive Error statistics include Total Retries the count of packets that were sent more than once before being received correctly CRC error the count of packets that were corrupted on the air and were dropped Some level of CRC errors are expected in wireless networks Note that all IAPs operate in a mode where they are listening to everything all the time which m...

Page 167: ...w with the latest information or Clear the data reset all content to zero and begin counting again at any time by clicking on the appropriate button You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically See Also System Log Window Global Settings Global Settings 11an Global Settings 11bgn IAPs ...

Page 168: ...te the window with the latest information or Clear the data reset all content to zero and begin counting again at any time by clicking on the appropriate button You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically If you are experiencing problems on the AP you may also want to print this window for your records Figure 83 Network Statistics See Al...

Page 169: ...ted with your assigned VLANs You can refresh the information that is displayed on this page at any time by clicking on the Refresh button or select the Auto Refresh option for this window to refresh automatically The Clear All button at the lower left allows you to clear zero out all VLAN statistics Figure 84 VLAN Statistics See Also VLAN Management VLANs ...

Page 170: ... client and host links To access data about a specific WDS client or host link simply click on the desired link in the left frame to access the appropriate window You may also choose to view a sum of the statistics for all client links all host links or all links both client and host links Figure 85 WDS Statistics See Also SSID Management WDS ...

Page 171: ...ion Detection on page 372 Information about IDS events is discussed in the IDS Event Log Window on page 158 Figure 86 IDS Statistics Page Use the filter feature to show only information for a selected IAP or for selected event types Select the type of Filter IAP to select IAPs or Packet Event to select particular attack types Select the type of string matching for example Begins with or Contains T...

Page 172: ...ics Many of the column headers may be clicked to sort the entries in ascending or descending order based on that column You can Refresh the data update the window with the latest information at any time by clicking the Refresh button on the upper right You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically See Also Intrusion Detection IDS Event Log...

Page 173: ...e rows based on that column Click on a filter name to edit the filter settings Figure 88 Filter Statistics See Also Filters Application Control Windows Station Statistics This status only window provides an overview of statistical data for all stations Stations are listed by MAC address and Receive and Transmit statistics are summarized for each For detailed statistics for a specific station click...

Page 174: ...rt the rows based on that column You can Refresh the data update the window with the latest information at any time by clicking the refresh button You can also click in the Auto Refresh check box to instruct the AP to refresh this window automatically See Also Per Station Statistics Stations ...

Page 175: ...Per Station Statistics window Receive and Transmit statistics are listed by Rate this is the data rate in Mbps For a summary of statistics for all stations see Station Statistics on page 147 You can Refresh the data update the window with the latest information at any time by clicking on the appropriate button You can also click in the Auto Refresh check box to instruct the AP to refresh this wind...

Page 176: ...f stations Click one to analyze application control information for only that station About Application Control The AP uses Deep Packet Inspection DPI to determine what applications are being used and by whom and how much bandwidth they are consuming These applications are rated by their degree of risk and productiveness Filters can be used to implement per application policies that keep network u...

Page 177: ...gher the rating number the more business oriented an application is 1 Primarily recreational 2 Mostly recreational 3 Combination of business and recreational purposes 4 Mainly used for business 5 Primarily used for business Risk indicates how likely an application is to pose a threat to the security of your network The higher the rating number the more risky an application is 1 No threat 2 Minimal...

Page 178: ...dow provides a snapshot of the application usage on your AP In order to view the Application Control window the AP must have a license that supports this feature and you must have enabled the Application Control option on the Filter Lists page see Filter Lists on page 390 Figure 91 Application Control ...

Page 179: ...lt value of all to see data from all VLANs Display for Station Use the drop down list if you wish to select just one station to analyze stations are listed by their MAC address or leave the default value of all to see data from all stations You may also use the Stations window to select a station to display See Stations Application Control on page 156 Station Traffic Check this box if you wish to ...

Page 180: ...e the Refresh button to refresh the window right now Pie Charts Figure 92 Application Control Pie Charts These charts provide a quick way to determine how your wireless bandwidth is being used There are charts for Station Traffic and or AP Management Traffic depending on which checkboxes you selected Similarly there are charts for By Application and or By Category depending on your selections The ...

Page 181: ...an application causing problems for your business such as a file sharing utility introducing viruses or exposing you to legal problems Risk is rated from 1 low risk for example Google to 5 high risk for example BitTorrent Risky applications rated at 4 or 5 are flagged for your attention by highlighting the entry in pale red Productivity estimates the value of an activity to your business from 1 un...

Page 182: ...ty of less productive traffic use filters to decrease the QoS assigned to traffic for applications like YouTube and Facebook Stations Application Control This status only window shows client stations currently visible to the AP The MAC address in the first column is a link Click on a selected station and the Application Control window opens with the Display for Station field set to that station to...

Page 183: ...the message Message sorts the list based on the message category The displayed messages may be filtered by using the Filter Priority option which allows control of the minimum priority level displayed For example you may choose under Services System Log to log messages at or above Debug level but use Filter Priority to display only those at Information level and above Figure 95 System Log Alert Le...

Page 184: ...6 IDS Event Log Use the Highlight Event field if you wish to highlight all events of one particular type in the list Click on a column header to sort the rows based on that column Click on the Refresh button to refresh the message list or click the Auto Refresh check box to instruct the AP to refresh this window automatically Although there are no configuration options available in this window you...

Page 185: ...h of the window used to determine whether the count of this type of event exceeded the threshold Current the count of this type of event for the current period Average the average count per period of this type of event Maximum the maximum count per period of this type of event ...

Page 186: ...Wireless Access Point 160 Viewing Status on the Wireless AP ...

Page 187: ...4 SSIDs on page 267 Groups on page 303 IAPs on page 310 WDS on page 383 Filters on page 389 Clusters on page 399 Mobile on page 404 After making changes to the configuration settings of an AP you must click the Save button at the top of the configuration window otherwise the changes you make will not be applied the next time the AP is rebooted If you are a customer using XMS 9000 CL x then APs are...

Page 188: ...tus or use system tools on the AP please see Viewing Status on the Wireless AP on page 95 Using Tools on the Wireless AP on page 409 If you have added modular IAPs to your AP note that its model number will be automatically adjusted to reflect the count and types of IAPs currently installed See Upgrading with 802 11ac radio modules ...

Page 189: ...xpress Setup Initial AP configuration via XMS sets items such as SSIDs and security as described in Zero Touch Provisioning and Ongoing Management on page 75 This page allows you to see many of these values or change them locally Figure 97 WMI Express Setup ...

Page 190: ... specific unit b Contact Name Enter the name and contact information of the person who is responsible for administering the AP at the designated location c Contact Email Enter the email address of the admin contact you entered in Step 3 d Contact Phone Enter the telephone number of the admin contact you entered in Step 3 3 Configure the Network settings Please see Interfaces on page 170 for more i...

Page 191: ...ne making IP changes 4 SSID Settings This section specifies the wireless network name and security settings a SSID Name is a unique name that identifies a wireless network The default SSID is xirrus Entering a value in this field will replace the this default SSID with the new name For additional information about SSIDs go to the Multiple SSIDs section of Frequently Asked Questions on page 520 b W...

Page 192: ...rprise and consumer Wi Fi users with a high level of assurance that only authorized users can access their wireless networks Like WPA WPA2 is designed to secure all versions of 802 11 devices including 802 11a 802 11b 802 11g and 802 11n multi band and multi mode WPA Both WPA and WPA2 This option makes use of both WPA and WPA2 For more information about security including a full review of all secu...

Page 193: ... have different privileges select the desired level from the drop down list For more information about user privileges please see Admin Privileges on page 232 Take care to make sure to leave yourself enough read write privileges on at least one account to be able to administer the AP c New Admin Password Enter a new administration password for managing this AP If you forget this password you must ...

Page 194: ...ion centers stadiums etc 8 IAP Settings Figure 98 LEDs are Switched On Enable Configure All IAPs Click on the Execute button to enable and auto configure all IAPs a message displays the countdown time in seconds to complete the auto configuration task When enabled the IAP s LED is switched on 9 Click the Save button at the upper right to make your changes permanent i e these settings will still be...

Page 195: ...to any of the settings displayed here configuration changes cannot be made from this window You can click on any item in the Interface column to jump to the associated configuration window Figure 99 Network Interfaces WMI windows that allow you to change or view configuration settings associated with the network interfaces include Interfaces on page 170 Bonds and Bridging on page 173 DNS Settings ...

Page 196: ...ernet interface while XR 600 XR 4000 and some XR 2000 Series APs have two and XR 6000 Series models have four This window allows you to establish configuration settings for these interfaces Figure 100 Network Settings When finished making changes click the Save button if you wish to make your changes permanent When the status of a port changes a Syslog entry is created describing the change ...

Page 197: ... the selected network interface or choose No to deny all management privileges for this interface 4 Auto Negotiate This feature allows the AP to negotiate the best transmission rates automatically Choose Yes to enable this feature or choose No to disable this feature the default is enabled If you disable the Auto Negotiate feature you must define the Duplex and Speed options manually otherwise the...

Page 198: ...ou must specify the IP address IP subnet mask and default gateway a Address If you selected the Static IP option enter a valid IP address for the AP To use any of the remote connections Web SNMP or SSH a valid IP address must be established b Subnet Mask If you selected the Static IP option enter a valid IP address for the subnet mask the default for Class C is 255 255 255 0 The subnet mask define...

Page 199: ... ports and you may specify which ports are bonded to work together as a pair You may also select more than two ports to work together in one group A special option lets you configure bridging between the Gigabit ports on an AP that has two of these ports Figure 101 Network Bonds and Bridging You may use the mirror option to have all the traffic that is ingressing and egressing one bond be transmit...

Page 200: ...ach of these bonds are the same and include 1 Bridge Traffic Across All Ports Click this for Layer 2 bridging between all Gigabit ports Figure 102 Figure 102 Bridging Traffic If a set of Gigabit ports have been bonded the IP address IP mask IP gateway IP DHCP and Management settings are shared between bonded ports Any changes you make to these settings on one member will be reflected in the settin...

Page 201: ...n only Gig1 Bond2 contains only Gig2 If you are bridging a chain of more than two APs the endpoint AP is not actually bridging It can be left with the default settings Bond1 is set to Active Backup and will contain Gig1 and Gig2 Skip to Step 7 on page 179 2 If you are not enabling bridging configure the bonding behavior of the Gigabit network interfaces as described in the following steps The fiel...

Page 202: ...fault mode Gigx acts as the primary link Gigy is the backup link and is passive Gigy assumes the IP properties of Gigx If Gigx fails the AP automatically fails over to Gigy When a failover occurs in this mode Gigy issues gratuitous ARPs to allow it to substitute for Gigx at Layer 3 as well as Layer 2 See Figure 103 a You may include more than two ports in the bond with Active Backup to provide add...

Page 203: ...UDP the source and destination IP addresses are used to do the calculation If the packet is TCP or UDP over IP then the source IP address destination IP address source port number and destination port number are all used to do the calculation The network switch must also support 802 3ad If a port fails the connection degrades gracefully the other port still transmits See Figure 103 b c Transmit Tr...

Page 204: ...her bonds that contain it 5 Active VLANs Active VLANs shows the VLANs that you have selected to be passed through this port Create and manage the list of VLANs that are allowed to be passed through this port Traffic will be dropped for VLANs that are not in this list The default setting is to pass All VLANs a To add a VLAN to the list of allowed VLANs click this field and select the desired VLAN f...

Page 205: ...lugged into Bondy to capture traffic for troubleshooting while the bonded ports provide network connectivity for data traffic If each bond contains just one port then you have the simple case of one port mirroring another Figure 105 Mirroring Traffic 7 When done configuring bonds and bridging as desired click the Save button if you wish to make your changes permanent See Also Interfaces DNS Settin...

Page 206: ...th DHCP pools See DHCP Server on page 200 At least one DNS server must be set up if you want to offer clients associating with the AP the ability to use meaningful host names instead of numerical IP addresses When finished click the Save button if you wish to make your changes permanent Figure 106 DNS Settings Procedure for Configuring DNS Servers 1 DNS Host Name Enter a valid DNS host name 2 DNS ...

Page 207: ...on such as the device manufacturer and model network capabilities and IP address with other directly connected network devices Wireless APs can both advertise their presence by sending CDP announcements and gather and display information sent by neighbors see CDP List on page 112 This window allows you to establish your CDP settings When finished use the Save button if you wish to make your change...

Page 208: ...its last announcement The default is 180 seconds See Also CDP List Network Interfaces Network Statistics LLDP Settings Link Layer Discovery Protocol LLDP is a Layer 2 network protocol used to share information such as the device manufacturer and model network capabilities and IP address with other directly connected network devices APs can both advertise their presence by sending LLDP announcement...

Page 209: ...e the AP checks that the port is able to supply the peak power that is required by this AP model The Request Power feature does this by requesting this peak power in watts from the PoE source and it expects the PoE source to reply with the amount of power allocated If the AP does not receive a response confirming that the power allocated by the PoE source is equal to or greater than the power requ...

Page 210: ... 2236 two 3x3 radios 26 1W XR 2425 2426 four 2x2 radios 30W Note that Request Power is not available on the XR 2435 2436 Additionally it is not available on certain other APs including these XR Series models XR 1000 XR 4000 XR 6000 XR 7000 See Also LLDP List Network Interfaces Network Statistics ...

Page 211: ...ows each DHCP pool name whether the pool is enabled the IP address range the gateway address lease times and the DNS domain being used There are no configuration options available in this window but if you are experiencing issues with network services you may want to print this window for your records Figure 109 Services The following sections discuss configuring services on the AP Time Settings N...

Page 212: ... s clock with an NTP server also ensures that Syslog time stamping is maintained across all units It is possible to use authentication with NTP to ensure that you are receiving synchronization from a known source For example the instructions for requesting a key for the NIST Authenticated NTP server are available at http www nist gov pml div688 grp00 upload ntp_instructions pdf The AP allows you t...

Page 213: ...ng NTP use this field if you want to adjust the current system time Enter a revised time hours minutes seconds am pm in the corresponding fields Click Set Time to apply the changes b Adjust Date month day year If you are not using NTP use this field if you want to adjust the current system date Enter a revised date month day and year in the corresponding fields Click Set Date to apply the changes ...

Page 214: ...ion Key ID Enter the key ID which is a decimal integer d NTP Primary Authentication Key Enter your key which is a string of characters e NTP Secondary Server Enter the IP address or domain name of an optional secondary NTP server to be used in case the AP is unable to contact the primary server You may use the authentication fields as described above if you wish to set up authentication for the se...

Page 215: ...m certain IP addresses or across specific network interfaces allows administrators to track usage by various areas Traffic flow information may be used to engineer networks for better performance Procedure for Configuring NetFlow 1 Enable NetFlow Select one of the Netflow versions to enable NetFlow functionality v5 v9 or IPFIX Internet Protocol Flow Information Export IPFIX is an IETF protocol www...

Page 216: ... disable this feature 2 Wi Fi Tag UDP Port If Wi Fi tagging is enabled enter the UDP port that the Wi Fi tagging server will use to query the AP for data When queried the AP will send back information on tags it has observed For each the AP sends information such as the MAC address of the tag transmitting device and the RSSI and noise floor observed 3 Wi Fi Tag Channel BG If you enabled Wi Fi tagg...

Page 217: ...rmation that is broadcast by Wi Fi enabled devices Devices that are only detected are included as well as those that actually connect to the AP Multiple data points may be sent for a station data is sent for each IAP that sees a probe request from the station The AP sending the data also sends its own ID so that the server knows where the visitors were detected Data messages are uploaded via HTTPS...

Page 218: ...signed to you as a customer by Euclid The AP will send JSON formatted messages in the form required by Euclid via HTTPS For any other location analytics server enter its URL The AP will send JSON formatted messages in the form described in Location Service Data Formats on page 531 4 Location Customer Key optional If a Location Customer Key has been entered data is sent encrypted using AES with tha...

Page 219: ...il notification the Syslog service will send Syslog messages at the selected severity or above to the defined Syslog servers and email address An option allows you to use a Splunk application to analyze AP events by sending data in key value pairs as described in About Using Splunk for Xirrus APs on page 196 Figure 115 System Log Procedure for Configuring Syslog 1 Enable Syslog Server Choose Yes t...

Page 220: ...nt You may also change the port used on each server if you do not wish to use 514 the default port You may set one of the server addresses to the address of a server for Splunk see About Using Splunk for Xirrus APs on page 196 6 Email Notification Optional The following parameters allow you to send an email to a designated address each time a Syslog message is generated The email will include the ...

Page 221: ... generates requests to 57 other URLs all are logged Furthermore each visit to the same URL generates an additional log message No deep packet inspection is performed by the URL logging so no Application Control information is included in the Syslog message The following information is included in the syslog message Date Time Source Device MAC and IP address Destination Port Destination Site addres...

Page 222: ...your mailbox from being filled up with a large number of less severe messages such as informational messages 10 Click the Save button if you wish to make your changes permanent About Using Splunk for Xirrus APs Splunk may be used to provide visibility into client experience and analyze usage on APs A Splunk application has been developed to present this operational intelligence at a glance The app...

Page 223: ...TP SNMP This window allows you to enable or disable SNMP v2 and SNMP v3 and define the SNMP parameters SNMP allows remote management of the AP by the XMS and other SNMP management tools SNMP v3 was designed to offer much stronger security You may enable either SNMP version neither or both Figure 116 SNMP ...

Page 224: ...ctionality When used in conjunction with the Xirrus Management System SNMP v2 not SNMP v3 must be enabled on each AP to be managed with XMS The default for this feature is Enabled 2 SNMP Read Write Community String Enter the read write community string The default is xirrus 3 SNMP Read Only Community String Enter the read only community string The default is xirrus_read_only SNMPv3 Settings 4 Enab...

Page 225: ...e This username and password do not allow configuration changes to be made on the AP The default is xirrus ro 12 SNMP Read Only Authentication Password Enter the read only password for authentication i e logging in The default is xirrus ro 13 SNMP Read Only Privacy Password Enter the read only password for privacy i e a key for encryption The default is xirrus ro SNMP Trap Settings 14 SNMP Trap Ho...

Page 226: ...Settings NTP DHCP Server This window allows you to create enable modify and delete DHCP Dynamic Host Configuration Protocol address pools DHCP allows the AP to provide wireless clients with IP addresses and other networking information The DHCP server will not provide DHCP services to the wired side of the network If you do not use the DHCP server on the AP then your wired network must be configur...

Page 227: ...e in seconds to define the maximum allowable DHCP lease time The default is 300 seconds 5 Network Address Translation NAT Check this box to enable the Network Address Translation feature The NATed address uses the IP address of the AP s outbound gigabit Ethernet interface 6 Lease IP Range Start Enter an IP address to define the start of the IP range that will be used by the DHCP server The default...

Page 228: ...s Blue Coat or Netbox Blue to control Internet access use this page to configure proxy forwarding on the AP Options are provided for proxying user traffic and AP management traffic Proxy services for user traffic are discussed in the following topics About Proxy Forwarding on page 203 Proxy Forwarding for HTTPS on page 204 Summary of Proxy Forwarding Behavior on the AP on page 205 Configuring Prox...

Page 229: ...ing a prefix with the user s ID and the SSID the SSID serves as a user group for unauthenticated clients the MAC address serves as the user name The proxy server checks whether its configured policies permit this access for this user and SSID If so the frame is forwarded to the desired web site Proxy forwarding on the AP is designed for proxy servers such as Blue Coat and Netbox Blue whose purpose...

Page 230: ... AP Each client must also download and install the SSL certificate from the Blue Coat or Netbox Blue proxy server Follow the procedure below to perform these steps on each client Note that when a proxy is set up and used for HTTPS HTTP traffic will also use the proxy server so configure both as instructed in Configuring Proxy Forwarding on Clients for HTTPS on page 206 Blue Coat policy configurati...

Page 231: ...ptured and proxied by the AP The browser still uses HTTPS port 443 and this traffic is passed transparently through the AP If proxy forwarding is not working correctly HTTP traffic port 80 is blocked If proxy forwarding is enabled for Blue Coat or Netbox Blue and the client browser is configured to use a proxy The browser is configured to proxy HTTPS to www xirrus com port 4388 The browser automat...

Page 232: ...Internet Properties dialog is displayed Figure 119 Click the LAN Settings button The Local Area Network dialog displays Figure 119 Set up a Proxy Server on each Client Windows 2 In the Proxy Server section click the Advanced button The Proxy Settings dialog displays Figure 120 For HTTPS Enter any valid address such as your company s web site in the Proxy address to use field For example www xyzcor...

Page 233: ...hat should receive all HTTPS traffic if you are using a proxy server For HTTP HTTP traffic will automatically use the same port that you have configured for HTTPS 4388 We suggest that you enter your company s web site Port 4388 here to make it obvious that HTTP traffic is being proxied in this way Continue to Step 5 Figure 120 Specify Proxy Servers Windows ...

Page 234: ...r on each Client Apple 4 Select the Proxies tab Figure 122 Check Secure Web Proxy HTTPS Under Secure Web Proxy Server you can enter any valid address We suggest that you enter www xirrus com This field is not actually used but it must be a valid address or domain name You must set the Port to 4388 This is very important This is the AP port that must receive all HTTPS traffic if you are using a pro...

Page 235: ...t you enter www xirrus com Port 4388 to make it obvious that HTTP traffic is being proxied in this way Figure 122 Specify Proxy Servers Apple 5 SSL Certificate you must download and install the security certificate from your proxy server Blue Coat or Netbox Blue It must be installed on each of your client devices ...

Page 236: ... Management Traffic Some deployments require that all Internet traffic including management traffic use proxy services For instance some school systems require all traffic to use a proxy server The AP generates management traffic to implement essential functions such as licensing activation XMS Cloud configuration and XMS Guest Access authentication The AP allows you to configure clients that are ...

Page 237: ...to Version 5 if no version is declared The SOCKS proxy client requires a whitelist of networks that will not be proxied At the least this must include the loopback address and the subnet where the proxy server lives Additional defined subnets should include DNS servers and authentication servers Procedure for Configuring Proxy Client for Management Traffic 1 Enable For each proxy client you must E...

Page 238: ...name and Password here 4 SOCKS 4 SOCKS 5 Select the version of SOCKS in use on your proxy server The default is SOCKS 5 5 Socks Network Whitelist Enter a whitelist of subnetworks that must not be proxied Specify each subnet by entering its Network address and its subnet Mask then click Add At the least create entries for the loopback address and the subnet where the proxy server lives You should a...

Page 239: ...on page 215 In addition to listing all VLANs this window shows your settings for the Default Route VLAN and the Native Untagged VLAN Step 1 page 217 Figure 125 VLANs You should create VLAN entries on the AP for all of the VLANs in your wired network if you wish to make traffic from those VLANs available on the wireless network Each tagged VLAN should be associated with a wireless SSID see VLAN Man...

Page 240: ...gured for a number of different tunnel types protocols and encryption types For use with APs we recommend the following configuration choices Tunnel Type Ether Ethernet tunnel Protocol UDP Encryption Type select one of the encryption types supported by VTun AES and Blowfish options are available Keepalive yes VTS Client Server Interaction The AP is a client of the Virtual Tunnel Server When you sp...

Page 241: ...their loads Each client device is assigned to a pool VLAN with a computation based on the lower digits of its MAC address so that the device will always be assigned to the same VLAN This ensures that a client roaming from one AP to the next will be handled properly Note that the VLAN assigned is also based on the VLANs in the pool so that if changes are made to the pool the client device may be as...

Page 242: ... you to set up VLANs and VLAN Pools After creating a new VLAN added to the list of VLANs you can modify the configuration parameters of an existing VLAN or delete a selected VLAN For ArrayOS 6 6 and later releases you may create up to 64 VLANs up to 32 on XR 520 Figure 126 VLAN Management ...

Page 243: ... management is tagged or untagged If you select a Native VLAN then that VLAN will use an untagged Native link Otherwise the AP will use 802 1Q tagging and a specific VLAN ID with management enabled for management of the AP VLAN Pools 3 See VLAN Pools on page 215 for a discussion of VLAN pools To add a new pool type its name in Create New Pool and click ENTER The new VLAN pool entry is added to the...

Page 244: ...emove to delete this pool You may use Reset All Pools on the bottom to delete all pools VLANs 5 Create New VLAN Enter a name for the new VLAN in this field ID Enter a number for this VLAN 0 4094 Click the Create VLAN button The new VLAN appears in the list Entries are sorted alphabetically by VLAN name Select the new entry to modify any of the settings below 6 Management Move the slider if you wan...

Page 245: ... tunneling For more information on virtual tunnels please see Understanding Virtual Tunnels on page 214 13 Tunnel Server Port If this VLAN is to be tunneled enter the port number of the tunnel server 14 New Secret Enter the password expected by the tunnel server 15 Delete VLAN To delete the selected VLAN simply click the Delete button to remove the VLAN from the list 16 Click the Save button if yo...

Page 246: ...nel to give guests direct access to the Internet without allowing access to the local network In a small office you may define a tunnel to connect users to the corporate office network Tunnels may also used when providing cellular offload capability Tunnels may be implemented with The Xirrus Tunnel Server XTS see the Xirrus Tunnel Server User s Guide For an additional discussion see the Xirrus Tun...

Page 247: ...ed The new tunnel is created in the disabled state Click this checkbox to enable it 3 Type Enter the type of tunnel none or gre 4 Local Endpoint Enter the IP address of the AP Gigabit or 10 Gigabit port where the tunnel is to begin 5 Primary Remote Endpoint Enter the IP address of the remote endpoint of the tunnel 6 Secondary Remote Endpoint This provides a failover capability If the primary tunne...

Page 248: ... Option 82 with SSIDs 8 MTU Set maximum transmission unit MTU size 9 Interval The tunnel mechanism will ping the current remote endpoint periodically to ensure that it is still reachable Enter the ping interval in seconds 10 Failures Enter the number of consecutive ping failures that will cause the AP to consider the tunnel to be down tunnel to failover to the other remote endpoint 11 Click the Sa...

Page 249: ...tation traffic bridged through that tunnel will be tagged accordingly Figure 129 Tunnel SSID Assignments Procedure for Assigning SSIDs This window lists the tunnels and SSIDs that you have defined SSIDs to be tunneled do not need to be associated with a VLAN see SSID Management on page 276 1 For each tunnel select the SSIDs that are to be bridged to the remote endpoint Clear the checkbox for any S...

Page 250: ...but if you are experiencing issues with security you may want to print this window for your records Figure 130 Security For additional information about wireless network security refer to Security Planning on page 56 Understanding Security on page 225 The Security section of Frequently Asked Questions on page 520 For information about secure use of the WMI refer to Certificates and Connecting Secu...

Page 251: ...fault administrator password the default is admin and choose a strong replacement password containing letters numbers and special characters When appropriate issue read only administrator accounts Other security considerations include SSH versus Telnet Be aware that Telnet is not secure over network connections and should be used only with a direct serial port connection When connecting to the uni...

Page 252: ... modes than WEP using Temporal Key Integrity Protocol TKIP or Advanced Encryption Standard AES to encrypt data WPA solves security issues with WEP It also allows you to establish encryption keys on a per user basis with key rotation for added security In addition TKIP provides Message Integrity Check MIC functionality and prevents active attacks on the wireless network AES is the strongest encrypt...

Page 253: ... and 63 characters 20 is preferred Always use a combination of letters numbers and special characters Never use English words separated by spaces RADIUS 802 1x with EAP 802 1x uses a RADIUS server to authenticate large numbers of clients and can handle different Extensible Authentication Protocol EAP authentication methods including EAP TLS EAP TTLS EAP PEAP and LEAP Passthrough The RADIUS server ...

Page 254: ...is connecting to that host Certificate Authorities CAs are entities that digitally sign certificates using their own certificates for example VeriSign is a well known CA When the AP presents its certificate to the client s browser the browser looks up the CA that signed the certificate to decide whether to trust it Browsers ship with a small set of trusted CAs already installed If the browser trus...

Page 255: ...s CA into your CA cache see HTTPS X 509 Certificate on page 244 for more information This instructs your browser to trust any of the certificates signed by the Xirrus CA so that when you connect to any of our APs you should no longer see the warning about an untrusted site Note however that this only works if you use the host name when connecting to the AP If you use the IP address to connect you ...

Page 256: ...urity error if the AP s certificate was obtained from an external CA that is already trusted by the user s browser WMI provides options for creating a Certificate Signing Request that you can send to an external CA and for uploading the signed certificate to the AP after you obtain it from the CA This certificate will be tied to the AP s host name and private key See External Certificate Authority...

Page 257: ...rators cannot save changes to configurations Or you may select one of your custom defined privilege levels see Admin Privileges on page 232 3 New Password Enter a password for this ID The length of the password must be between 5 and 50 characters inclusive 4 Verify Re enter the password in this field to verify that you typed the password correctly If you do not re enter the correct password an err...

Page 258: ...le say that you set the privilege level to 4 for Reboot AP Security Radius Server and SNMP and you leave all other configuration sections at the default privilege level of 1 In this case any administrator with a privilege level of 4 or higher may perform any operation on the AP while an administrator with a privilege level lower than 4 but at least 1 may perform any operation except those whose le...

Page 259: ...l The name may be used to describe the access granted by this level By default levels 0 and 1 are named read only and read write respectively and levels 2 through 7 have the same name as their level number 2 Privilege Levels Use this section to assign a Minimum Privilege Level to selected Configuration Sections as desired By default all sections are assigned level 1 When you select a higher privil...

Page 260: ... the Console port using CLI If you are using the Console port the AP will authenticate administrators using accounts configured on the Admin Management window first and then use the RADIUS servers This provides a safety net to be ensure that you are not completely locked out of an AP if the RADIUS server is down About Creating Admin Accounts on the RADIUS Server Permissions for RADIUS administrato...

Page 261: ...US Click Yes to enable the use of RADIUS to authenticate administrators logging in to the AP You will need to specify the RADIUS server s to be used b Authentication Type Select the protocol used for authentication of administrators CHAP or PAP the default Password Authentication Protocol PAP is a simple protocol PAP transmits ASCII passwords over the network in the clear unencrypted and is theref...

Page 262: ...this RADIUS server will be using then re enter the shared secret to verify that you typed it correctly 3 Admin RADIUS Secondary Server optional If desired enter an alternative external RADIUS server If the primary RADIUS server becomes unreachable the AP will failover to the secondary RADIUS server defined here a Host Name IP Address Enter the IP address or domain name of this RADIUS server b Port...

Page 263: ...empts via ssh or telnet the Failed login retry period is enforced The default is 3 b Failed login retry period 0 65535 seconds After the maximum number defined above of consecutive failing administrator login attempts via ssh or telnet the administrator s IP address is denied access to the AP for the specified period of time in seconds The default is 0 c Pre login Banner Text that you enter here w...

Page 264: ... the file Click Upload when done Figure 136 Pre login Banner d Post login Banner Text that you enter here will be displayed in a message box after a user logs in to the WMI If you wish to display more than 256 characters of text upload a text file Click Choose File and browse to the file then click Upload ...

Page 265: ... Enter a value in this field to define the timeout in seconds before your SSH connection is disconnected The value you enter here must be between 30 seconds and 100 000 seconds c Port Enter a value in this field to define the port used by SSH The default port is 22 3 Telnet a On Off Choose On to enable AP management over a Telnet connection or Off to disable this feature SSH offers a more secure c...

Page 266: ...rrayOS only Choose this radio button to enable Xircon access at the ArrayOS level only i e Xircon can access CLI only Access to the AP at the Xirrus Boot Loader XBL level is disabled c Boot only Choose this radio button to enable Xircon access at the Xirrus Boot Loader XBL level only ArrayOS level CLI access to the AP is disabled d Connection Timeout 30 100000 Seconds Enter a value in this field t...

Page 267: ...tween 30 seconds and 100 000 seconds 6 HTTPS a Connection Timeout 30 100000 Seconds Enter a value in this field to define the timeout in seconds before your HTTPS connection is disconnected The value you enter here must be between 30 seconds and 100 000 seconds Management via HTTPS i e the Web Management Interface cannot be disabled on this window To disable management over HTTPS you must use the ...

Page 268: ...resses or host names If a server becomes unreachable a Syslog message is generated When the server again becomes reachable another Syslog message is generated To view the status of all configured servers checked by this feature please see Network Assurance on page 113 b PCI Audit Mode Click the On button to enable this mode which is provided as an aid to setting up APs to pass PCI DSS audit requir...

Page 269: ...s displayed showing the changes that were performed The AP continues to enforce FIPS requirements by preventing you from making non compliant configuration changes Click the Off button to stop enforcing FIPS requirements Note that when you enable FIPS the AP does not save your previous settings and it will not restore them if you click the Off button If you think you may wish to disable FIPS and r...

Page 270: ...you assign a Host Name to your AP using the Express Setup window then the next time you reboot the AP or restart the HTTPS ArrayOS releases 6 5 and above only support 2048 bit certificates while previous releases only support 1024 bit certificates When ArrayOS is upgraded to 6 5 or above a new self signed certificate will be automatically generated If you have imported a previous pre Release 6 5 v...

Page 271: ... avoid having certificate errors on your browser when using WMI You must have assigned a host name to the AP and rebooted at some time after that Use Import Xirrus Authority into Browser Access WMI by using the host name of the AP rather than its IP address b HTTPS X 509 Certificate Signed By This read only field shows the signing authority for the current certificate 9 External Certificate Author...

Page 272: ... certificate signing request csr file Step 10 click the View button to review it If it is satisfactory click the name of the csr file to display the text of the request You can then copy this text and use it as required by the CA You may also click on the filename of the csr file to download it to your local computer b Upload Signed Certificate To use a custom certificate signed by an authority ot...

Page 273: ...Admin Management External Radius Global Settings Internal Radius Access Control List Security Access Control List This window allows you to enable or disable the use of the global Access Control List ACL which controls whether a station with a particular MAC address may associate to the AP You may create station access control list entries and delete existing entries and control the type of list T...

Page 274: ...ist Denies the listed MAC addresses permission to associate to the AP All others are allowed 2 MAC Address If you want to add a MAC address to the ACL enter the new MAC address here then click on the Add button The MAC address is added to the ACL You may use a wildcard for one or more digits to match a range of addresses You may create up to 1000 entries 3 Delete You can delete selected MAC addres...

Page 275: ... wireless network security refer to Security Planning on page 56 and Understanding Security on page 225 Figure 142 Global Settings Security Procedure for Configuring Network Security 1 Authentication Server Mode Choose the type of Authentication Server that you will use for authenticating wireless users Internal RADIUS defines wireless user accounts locally on the AP See Internal Radius on page 25...

Page 276: ...o enable TKIP Temporal Key Integrity Protocol or choose No to disable TKIP 3 AES Enabled Choose Yes to enable AES Advanced Encryption Standard or choose No to disable AES If both AES and TKIP are enabled the station determines which will be used 4 WPA Group Rekey Time seconds Enter a value to specify the group rekey time in seconds The default is Never 5 WPA Preshared Key Verify Key If you enabled...

Page 277: ...ed hexadecimal values will appear to the right if you selected the Show Cleartext button Re enter the key to verify that you typed it correctly You may include special ASCII characters except for the double quote symbol 7 Encryption Key 2 to 4 Verify Key 2 to 4 Key Mode Length optional If desired enter up to four encryption keys in the same way that you entered the first key 8 Default Key Choose w...

Page 278: ...Wireless Access Point 252 Configuring the Wireless AP See Also Admin Management External Radius Internal Radius Access Control List Management Control Security Security Planning SSID Management ...

Page 279: ...o set up an external RADIUS server you must choose External Radius as the Authentication Server Mode in Global Settings on page 249 Figure 143 External RADIUS Server If you want to include user group membership in the RADIUS account information for users see Understanding Groups on page 303 User groups allow you to easily apply a uniform configuration to a user on the AP ...

Page 280: ...Number Enter the port number of this external RADIUS server The default is 1812 c Shared Secret Verify Secret Enter the shared secret that this external RADIUS server will be using then re enter the shared secret to verify that you typed it correctly 2 Secondary Server optional If desired enter an alternative external RADIUS server If the primary RADIUS server becomes unreachable the AP will failo...

Page 281: ...thin the DAS Time Window If the Event Timestamp is not current then the DM or CoA Message will be silently discarded d DAS Time Window This is the time window used with the DAS Event Timestamp above e NAS Identifier From the point of view of a RADIUS server the AP is a client also called a Network Access Server NAS Enter the NAS Identifier IP address that the RADIUS servers expect the AP to use no...

Page 282: ... to facilitate functions such as onboarding and guest access when stations are roaming between APs a Accounting Interval seconds Specify how often Interim records are to be sent to the server The default is 300 seconds b Primary Server Host Name IP Address Enter the IP address or domain name of the primary RADIUS accounting server that you intend to use c Primary Port Number Enter the port number ...

Page 283: ...ings Internal Radius Access Control List Management Control Security Understanding Groups Internal Radius This window allows you to define the parameters for the AP s internal RADIUS server for user authentication However the internal RADIUS server will only authenticate wireless clients that want to associate to the AP This can be useful if an external RADIUS server is not available To set up the...

Page 284: ...on to add the new user to the list Procedure for Managing Existing Users 1 SSID Restriction Optional If you want to restrict a user to associating to a particular SSID choose an SSID from its pull down list 2 User Group Optional If you want to change the user s group choose a group from the pull down list This will apply all of the user group s settings to the user See Understanding Groups on page...

Page 285: ...needing to set up and use an External Radius server The AP performs authentication by utilizing an Active Directory server that you have deployed within your network domain This window configures the settings required to connect to the Active Directory server Additionally Active Directory Test Tools are provided to ease the process of validating proper communication between the Active Directory se...

Page 286: ...ill use this together with the password to create a machine account on the domain for the AP This can be the name of any account that can join a machine to the domain 3 Domain Password The password for the Domain Administrator entered above 4 Domain Controller Enter the hostname to access the domain controller This cannot be entered as an IP address The AP will check that it is able to access the ...

Page 287: ...hand window and select Properties This will display the Domain name that should be entered Figure 146 Finding the Domain Name from Active Directory 6 Realm Realm name may be the same as the domain name Workgroup and Realm are both required To find the Realm open a command window on the server and type echo userdnsdomain This will display the Realm 7 Click Apply Active Directory Settings to use the...

Page 288: ...ys detailed status information for the Active Directory 11 List Groups Shows the groups defined in the Active Directory for this Workgroup 12 List Users Shows the users defined in the Active Directory for this Workgroup 13 Check Secret The continued validity of the secret granted by Join Domain may be checked with this test tool 14 Check Authentication Enter a User name and Password Select the Typ...

Page 289: ...fy what to match e g the MAC address SSID or manufacturer You may use the character as a wildcard to match any string at this position For example 00 0f 7d matches any string that starts with 00 0f 7d Xirrus APs start with 00 0f 7d or 50 60 28 00 0f 7d By default the Rogue Control List contains two entries that match 00 0f 7d and 50 60 28 and apply the classification Known to all Xirrus APs 2 Rogu...

Page 290: ... 0 Management This window displays a list of tokens granted by the AP for access to its RESTful API see API Documentation on page 426 for a description of the features available in the API OAuth 2 0 is used to provide the tokens The list will be blank until tokens have been issued as described below You may revoke delete existing tokens from the list if desired Xirrus APs use the OAuth 2 0 standar...

Page 291: ...me and client_id must match password password for the same administrator account on the AP The OAuth Authorization API provides a permanent token that the application may use to access the RESTful API This token remains valid until the administrator revokes the token on the OAuth 2 0 Management page unless the token file somehow becomes corrupted or is removed from the AP s file system The token w...

Page 292: ...Wireless Access Point 266 Configuring the Wireless AP Please see API Documentation on page 426 for a description of the features available in the API ...

Page 293: ...ssociated VLAN IDs radio availability and DHCP pools defined per SSID Click on an SSID s name to jump to the edit page for the SSID There are no configuration options available on this page but if you are experiencing problems or reviewing SSID management parameters you may want to print this page for your records Figure 149 SSIDs For a complete discussion of implementing Voice over Wi Fi on the A...

Page 294: ... SSIDs are managed with the following windows SSID Management on page 276 Active IAPs on page 297 Per SSID Access Control List on page 298 Honeypots on page 299 Personal Wi Fi on page 301 SSIDs are discussed in the following topics Understanding SSIDs on page 268 Understanding QoS Priority on the Wireless AP on page 270 High Density 2 4G Enhancement Honeypot SSID on page 274 Understanding SSIDs Th...

Page 295: ...Ps support the ability to define and use multiple SSIDs simultaneously Using SSIDs The creation of different wireless network names allows system administrators to separate types of users with different requirements The following policies can be tied to an SSID The wireless security mode needed to join this SSID The wireless Quality of Service QoS desired for this SSID The wired VLAN associated wi...

Page 296: ...to your requirements For example you typically assign the highest priority to voice traffic since this type of traffic requires delay to be under 10 ms The AP has four separate queues for handling wireless traffic at different priorities and thus it supports four traffic classes QoS levels For a complete discussion of implementing Voice over Wi Fi on the AP see the Voice over Wireless Application ...

Page 297: ...riority levels and the AP implements four wireless QoS levels user priorities are mapped to QoS as described below Figure 152 Priority Level DSCP DiffServ Layer 3 Differentiated Services Code Point or DiffServ DSCP uses 6 bits in the IPv4 or IPv6 packet header defined in RFC2474 and RFC2475 The DSCP value classifies a Layer 3 packet to determine the Quality of Service QoS required DSCP replaces th...

Page 298: ...y based on their SSID and 802 1p tag if any as shown in the table below This table follows the mapping recommended by IEEE802 11e FROM AP QoS Wireless TO Priority Tag 802 1p Wired 1 Lowest priority 1 0 0 2 Default 5 3 Highest priority 6 FROM Priority Tag 802 1p Wired TO AP QoS Wireless Typical Use 0 0 Best Effort 1 1 Lowest priority Background explicitly designated as low priority and non delay se...

Page 299: ...and an incoming wired packet s user priority tag is mapped to a higher QoS value then the higher QoS value is used b If a group or filter has a QoS setting this overrides the QoS value above See Groups on page 303 and Filters on page 389 c Voice packets have the highest priority see Voice Support below d If DSCP to QoS Mapping Mode is enabled the IP packet is mapped to QoS level 0 to 3 as specifie...

Page 300: ...reless bandwidth The AP honeypot SSID targets this problem Simply create an SSID named honeypot lower case on the AP with no encryption or authentication select None Open Once this SSID is created and enabled it will respond to any station probe looking for a named open SSID unencrypted and unauthenticated that is not configured on the AP It will make the station go through its natural authenticat...

Page 301: ...ANs on page 213 Use the honeypot feature carefully as it could interfere with legitimate SSIDs and prevent clients from associating to another available network You may define a whitelist of allowed SSIDs which are not to be honeypotted See Honeypots on page 299 Th Honey pots page also allows you to change the SSID name that is broadcast for the honeypot SSID ...

Page 302: ... edit schedule rename and delete assign security parameters and VLANs on a per SSID basis and configure the Web Page Redirect WPR captive portal functionality Figure 153 SSID Management Create new SSID Configure parameters Configure WPR Configure WPA Set traffic limits usage schedule Configure authentication server ...

Page 303: ...gned SSIDs When you create a new SSID the SSID name appears in this table Click any SSID in this list to select it 3 Enabled Check this box to activate this SSID or clear it to deactivate it Once the SSID is enabled its availability is also controlled by settings in SSID Limits and Scheduling on page 283 4 Brdcast Check this box to make the selected SSID visible to all clients on the network Altho...

Page 304: ...ing QoS Priority on the Wireless AP on page 270 The default value for this field is 2 8 DHCP Pool If you want to associate an internal DHCP pool to this SSID choose the pool from the pull down list An internal DHCP pool must be created before it can be assigned To create an internal DHCP pool go to DHCP Server on page 200 9 DHCP Option When this option is enabled the AP snoops station DHCP request...

Page 305: ... Wireless AP or external 12 Encryption Choose the encryption that will be required specific to this SSID either None WEP WPA WPA2 or WPA Both The None option provides no security and is not recommended WPA2 provides the best Wi Fi security Each SSID supports only one encryption type at a time except that WPA and WPA2 are both supported on an SSID if you select WPA Both If you need to support other...

Page 306: ...ameters as those described in Procedure for Configuring Network Security on page 249 The U PSK User PSK Authentication settings are only used in conjunction with XMS Cloud s EasyPass Onboarding Portals XMS Cloud automatically configures this setting for an SSID when you create an Onboarding portal and you assign that SSID to the portal Thus you should not normally change this setting manually Note...

Page 307: ...me the next time that the station associates to the AP since there is no need to query the U PSK cloud server again U PSK Cache Timeout specifies how long the cached entry is used before it must be re validated U PSK Server Error specifies what to do if the U PSK server in the cloud cannot be accessed to check station authentication status You may Allow station traffic if the server is unavailable...

Page 308: ...fy Whitelist entries a list of web sites to which users have unrestricted access without needing to be redirected to the WPR page first See Whitelist Configuration for Web Page Redirect on page 292 for details 16 Fallback Network Assurance checks network connectivity for the AP When Network Assurance detects a failure perhaps due to a bad link or WDS failure if Fallback is set to Disable the AP wi...

Page 309: ...ons allowed on this SSID This step is optional Note that the IAPs Global Settings window also has a station limit option Max Station Association per IAP and the windows for Global Settings 11an and Global Settings 11bgn also have Max Stations settings If multiple station limits are set all will be enforced As soon as any limit is reached no new stations can associate until some other station has t...

Page 310: ...rvice For example a convention center might wish to set up SSIDs ahead of time for exhibitions that are scheduled for the next six months and have each SSID be used only for the specified period The SSID must be Enabled see Step 1 on page 277 or the scheduling settings will be ignored Note that once the SSID has reached its scheduled time and is in service it will then obey the settings for Days A...

Page 311: ... optional 26 Use Expiration to specify a date to delete this SSID when it is taken out of service at the specified date i e this option cleans up after itself when it reaches the expiration time Leave Expiration and Date off set to none the default if you want this SSID to remain in service indefinitely after its scheduled start Use Specific Date Time to delete the SSID at the specified date and t...

Page 312: ...nagement HTTPS port WPR uses that port too See HTTPS on page 241 Figure 155 WPR Internal Splash Page Fields SSID Management Note that when clients roam between APs their WPR Authentication will follow them so that re authentication is not required You may select among several different modes for use of the Web Page Redirect feature each displaying a different set of parameters that must be entered...

Page 313: ...URL If you want the user redirected to a specific landing page instead enter its address in Landing Page URL Internal Splash page This option displays a splash page instead of the first user requested URL The splash page files reside on the AP Note that there is an upload function that allows you to replace the default splash page if you wish Please see Web Page Redirect Captive Portal on page 421...

Page 314: ...ing Page URL To set up external login page usage set Server to External Login Enter the URL of the external web server in Redirect URL and enter that server s shared secret in Redirect Secret Select the RADIUS Authentication Type This is the protocol used for authentication of users CHAP or PAP the default Password Authentication Protocol PAP is a simple protocol PAP transmits ASCII passwords over...

Page 315: ... AP are entirely managed automatically by XMS Cloud based on the configuration that the network administrator has selected there You should not make any changes to the following settings configured by XMS XMS will set Server to Cloud Login and set the values of Redirect URL and Redirect Secret Landing Page Only This option redirects the user to a specific landing page If you select this option ent...

Page 316: ...ly For example if a hotel offers Xirrus Personal Wi Fi guests will be able to set up SSIDs that mimic their home networks Their devices will automatically connect securely for the duration of the guest s stay until the personal SSID expires See Personal Wi Fi on page 301 for more details The personal SSID is created with the default values shown below Encryption Authentication 8WPA2 PSK 02 1x Broa...

Page 317: ...n optional jpg gif or png file to display in the background of the page Other customizations logo header footer will overlay the background so that it will not be visible in those areas Logo Image specify an optional jpg gif or png file to display at the top of the page Header Text File specify an optional txt file to display at the top of the page beneath the logo if any Footer Text File specify ...

Page 318: ...omain name Up to 32 entries may be created Example whitelist entries Hostname www yahoo com but not www yahoo com abc def html Wildcards are supported yahoo com IP address 121 122 123 124 Some typical applications for this feature are to add allowed links to the WPR page to add a link to terms of use that may be hosted on another site to allow embedded video on WPR page Note the following details ...

Page 319: ...otspot in a business or venue It offers a number of features such as user analytics filtering of inappropriate content marketing and social media options Once you have signed up with Purple WiFi set up APs as described below For more details of operation see Purple WiFi Client Login Process Details on page 295 To deploy APs in a venue that uses Purple WiFi to provide guest access use the following...

Page 320: ...rather than the server used globally on the AP In the section labeled Authentication Service Configuration enter the following Set the Authentication Server type to External RADIUS Enter the Host or IP Address Port and the Shared Secret password of the Primary Server provided by Purple WiFi If you did select Global in Step 13 on page 279 then the SSID uses the Authentication Server that you define...

Page 321: ... As soon as the client opens a browser it is redirected to the configured Purple WiFi portal page that was configured in the AP External Login page via the Redirect URL 3 The AP contacts the Redirect URL along with the AP s MAC address Ethernet MAC This is used to match the Purple WiFi customer site against a database of AP MAC addresses managed by Purple WiFi which delivers a customized splash pa...

Page 322: ...entication Step 11 on page 279 to anything but OPEN and you set Encryption Step 12 to anything but WEP and you did not check the Global checkbox Step 13 This means that you wish to set up a RADIUS server or Active Directory server to be used for this particular SSID If Global is checked then the security settings including the RADIUS server if any established at the global level are used instead s...

Page 323: ...re active on them Figure 159 Setting Active IAPs per SSID Procedure for Specifying Active IAPs 1 SSID For a given SSID row check the IAPs that should offer that SSID to clients Uncheck any IAPs which should not offer that SSID 2 All IAPs This button in the last column may be used to allow or deny this SSID on all IAPs i e switch all IAPs between allow or deny 3 All SSIDs This button in the bottom ...

Page 324: ... per SSID There is also a global ACL see Access Control List on page 247 If the same MAC address is listed in both the global ACL and in an SSID s ACL and if either ACL would deny that station access to that SSID then access will be denied Figure 160 Per SSID Access Control List Procedure for Configuring Access Control Lists 1 SSID Select the line for the SSID whose ACL you wish to manage Click th...

Page 325: ... you wish to make your changes permanent Honeypots The honeypot SSID feature prevents the airwaves from being crowded with probes for named SSIDs These probes are automatically generated by some popular wireless devices When you create and enable a honeypot SSID on an AP it responds to any station probe looking for a named open SSID unencrypted and unauthenticated that is not configured on the AP ...

Page 326: ...igh Density 2 4G Enhancement Honeypot SSID on page 274 Type in each SSID name and click Create to add it to the whitelist Up to 50 SSIDs may be listed The SSID names entered in this list are not case sensitive You may use the character as a wildcard to match any string at this position For example xir matches any string that starts with XIR or xir You may use a as a wildcard to match a single char...

Page 327: ...een selected there You should not make any changes to the settings configured by XMS Figure 162 Personal Wi Fi Settings for Personal Wi Fi 1 Limit All Stations 0 12 the maximum number of personal SSIDs that may exist on this AP at one time The default value is 4 2 Limit Per Station 0 4 the maximum simultaneous number of personal SSIDs that can be created by a single station The default value is 1 ...

Page 328: ...fter Duration to specify the length of time before the SSID expires in days hours and minutes Use the format DD HH MM where hours and minutes are optional For example to have the SSID expire after one day one hour and 30 minutes have passed enter 1 01 30 Set Expiration to Never the default if you want this SSID to remain in service indefinitely after its scheduled start ...

Page 329: ...or your defined groups For example this window shows the current state of a group enabled or disabled how much group and per station traffic is allowed time on and time off and days on and off For information to help you understand groups see Understanding Groups below For an in depth discussion please see the User Groups Application Note in the Xirrus Resource Center Figure 163 Groups Understandi...

Page 330: ...her than for an entire SSID If you set parameter values for an SSID and then enter different values for the same parameters for a user group the user group values have priority i e group settings will override SSID settings Group names are case sensitive and can contain up to 32 alphanumeric characters do not include spaces when defining Groups Using Groups User accounts are used to authenticate w...

Page 331: ...oup basis and configure the Web Page Redirect captive portal functionality Figure 164 Group Management Procedure for Managing Groups 1 New Group Name To create a new group enter a new group name next to the Create button then click Create You may create up to 16 groups up to 8 on the XR 500 Series To configure and enable this group proceed with the following steps 2 Group This column lists current...

Page 332: ...l Radius server When adding a user account to the external server this Radius ID value should be entered for the user When the user is authenticated Radius sends this value to the AP This tells the AP that the user is a member of the group having this Radius ID 6 Device ID You may select a device type from this drop down list for example Notebook phone iPhone or Android This allows you to apply th...

Page 333: ...o DHCP Server on page 200 10 Filter List Optional If you wish to apply a set of filters to this user group s traffic select the desired Filter List See Filters on page 389 11 Xirrus Roaming Optional For this group select roaming behavior Select L2 L3 to enable fast roaming between IAPs or APs at Layer 2 and Layer 3 If you select L2 then roaming uses Layer 2 only You may only select fast roaming at...

Page 334: ...l be enforced As soon as any station limit is reached no new stations can associate until some other station has terminated its association As soon as any traffic limit is reached it is enforced If any connection date time restriction applies it is enforced You can picture this as a logical AND of all restrictions For example suppose that a station s SSID is available Monday Friday between 8 00am ...

Page 335: ... want this group to be active every day of the week or select only the specific days that you want this group to be active Days that are not checked are considered to be the inactive days 17 Time Active Choose Always if you want this group active without interruption or enter values in the Time On and Time Off fields to limit the time that group members may associate 18 To delete an entry click it...

Page 336: ...ting Figure 166 If you set a channel manually via IAP Settings it will be listed as manual If an autochannel operation changed a channel then it is labeled as auto If the channel is set to the current factory default setting the source will be default This column also shows whether the channel selection is locked or whether the IAP was automatically switched to this channel because the AP detected...

Page 337: ...51 Global Settings 11ac on page 349 Advanced RF Settings on page 357 Hotspot 2 0 on page 366 NAI Realms on page 369 NAI EAP on page 370 Intrusion Detection on page 372 LED Settings on page 378 DSCP Mappings on page 379 Roaming Assist on page 380See Also IAP Statistics Summary Understanding Fast Roaming To maintain sessions for real time data traffic such as voice and video users must be able to ma...

Page 338: ... on two pages To enable the fast roaming options that you want to make available on your AP see Step 29 to Step 31 in Global Settings on page 318 To choose which of the enabled options are used by an SSID or Group see Procedure for Managing SSIDs on page 277 Step 14 or Procedure for Managing Groups on page 305 IAP Settings This window allows you to enable disable IAPs define the wireless mode for ...

Page 339: ... 802 11ac settings go to Global Settings 11ac on page 349 Procedure for Manually Configuring IAPs 1 The row for each IAP summarizes its settings Click to expand it and display the settings Click again to collapse the entry 2 In the Enable field select enabled or select disabled if you want to turn off the IAP The state of the channel is displayed with a green dot if enabled and a red dot if disabl...

Page 340: ... that it is a valid choice for that WiFi Mode By selecting appropriate WiFi Modes for the radios on your APs you can greatly improve wireless network performance For example if you have 802 11n and 802 11ac stations using the same IAP throughput on that radio is reduced greatly for the 802 11ac stations By supporting 802 11n stations only on selected radios in your network the rest of your 802 11a...

Page 341: ...o the listed channel Off Do not bond his channel to another channel 40 MHz Bond this channel to an adjacent channel The bonded channel is selected automatically by the AP based on the Channel Step 5 The choice of banded channel is static fixed once the selection is made 80 MHz Bond this channel to three adjacent channels The bonded channels are selected automatically by the AP based on the Channel...

Page 342: ... the AP to change cell sizes so that coverage between cells is maintained Each cell size is optimized to limit interference between sectors of other APs on the same channel This eliminates the need for a network administrator to manually tune the size of each cell when installing multiple APs In the event that an AP or a radio goes offline an adjacent AP can increase its cell size to help compensa...

Page 343: ...Channels button at the top of the list A message will inform you that all enabled radios have been taken down and brought back up 13 Buttons at the top of the list allow you to Enable All IAPs or Disable All IAPs 14 Click the Save button if you wish to make your changes permanent See Also Coverage and Capacity Planning Global Settings Global Settings 11an Global Settings 11bgn Global Settings 11n ...

Page 344: ...lish global IAP settings Global IAP settings include enabling or disabling all IAPs regardless of their operating mode and changing settings for beacons station management and advanced traffic optimization including multicast processing load balancing and roaming Changes you make on this page are applied to all IAPs without exception ...

Page 345: ...click on the Disable All IAPs button to disable all IAPs 3 Short Retries This sets the maximum number of transmission attempts for a frame the length of which is less than or equal to the RTS Threshold before a failure condition is indicated The default value is 7 Enter a new value 1 to 128 in the Short Retry Limit field if you want to increase or decrease this attribute 4 Long Retries This sets t...

Page 346: ...e value you enter here is applied to all IAPs 8 802 11h Beacon Support This option enables beacons on all of the AP s radios to conform to 802 11h requirements supporting dynamic frequency selection DFS and transmit power control TPC to satisfy regulatory requirements for operation in Europe 9 802 11k Beacon Support 802 11k offers faster and more efficient roaming When enabled each beacon lists th...

Page 347: ...tablish a best effort traffic stream outside the operation of WMM Admission Control The default setting is Off Note that the QoS priority of traffic queues is voice video best effort background this gives the highest priority to voice transmissions 13 WMM ACM Voice Click On to enable Wireless Multimedia Admission Control for voice calls As for WMM ACM Video above when admission control for voice i...

Page 348: ... Max Station Association per IAP This defines how many station associations are allowed per IAP Note that the SSIDs SSID Management window also has a station limit option Station Limit and the windows for Global Settings 11an and Global Settings 11bgn also have Max Stations settings If multiple station limits are set all will be enforced As soon as any limit is reached no new stations can associat...

Page 349: ...ooping to determine the stations that are subscribed to the multicast traffic IGMP Internet Group Management Protocol is used to establish and manage the membership of multicast groups Multicast handling options are only applicable to traffic transmitted from the AP to wireless stations Select one of the following options Send multicasts unmodified This is useful when multicast is not needed becau...

Page 350: ...end unicast packets to all stations This may be useful in link local multicast situations Convert to unicast snoop IGMP and only send to stations subscribed send as multicast if no subscription This option is useful when you need to stream voice or video multicast traffic to all stations but some stations are capable of subscribing to multicast groups while other stations are not The stations that...

Page 351: ...multicast traffic between wired VLANs and wireless SSIDs For example Apple devices use mDNS to advertise and find services using local network multicasts that are not routed This creates an issue when you are using Apple devices on the Wireless LAN and have other devices that provide services connected on the wired infrastructure in a different VLAN for example printers and AppleTV devices One way...

Page 352: ... any VLAN specified in Multicast VLAN Forwarding they are forwarded to the corresponding wireless SSID for that VLAN Multicast packets coming in from the wireless network on an SSID tied to one of the specified VLANs and matching one of the Multicast Forwarding Addresses are forwarded to the specified VLANs on the wired network No modifications are made to the forwarded packets they are just forwa...

Page 353: ...s all VLANs If you enter VLANs then this acts as an allow filter and Multicast Forwarding traffic is passed only to the listed VLANS To add a new VLAN to the list enter its number or name in the top field and click the Add button to its right You may enter multiple VLANs at once separated by a space To remove an entry select it in the list and click Delete To remove all entries from the list click...

Page 354: ...ts right The drop down list offers packet types such as AirTunes Note that Multicast Forwarding and mDNS Filtering capabilities also work if both devices are wireless For example let s say that AppleTV is using wireless to connect to an SSID that is associated with VLAN 56 and the wireless client is on an SSID that is associated with VLAN 58 Normally the wireless client would not be able to use Bo...

Page 355: ... select it in the list and click Delete To remove all entries from the list click Reset Figure 170 Additional Optimization Settings 25 Broadcast Rates This changes the rates of broadcast traffic sent by the AP including beacons When set to Optimized each broadcast or multicast packet that is transmitted on each radio is sent at the lowest transmit rate used by any client associated to that radio a...

Page 356: ... amount of data This starves the available bandwidth from faster clients reducing performance significantly Xirrus solves this issue with ACExpress that automatically separates devices onto different IAPs by their speeds and capability ACExpress identifies station capabilities based on fingerprinting and automatically groups devices by performance It works on all modes 802 11a b g n ac and bands 2...

Page 357: ...l are already exceeded If a station has already been turned down a number of times when attempting to associate i e the station will eventually be allowed onto the IAP after a number of attempts have failed Choose Off to disable load balancing 27 ARP Filtering Address Resolution Protocol finds the MAC address of a device with a given IP address by sending out a broadcast message requesting this in...

Page 358: ...ly Depending on your wired network you may wish to allow fast roaming at Layer 3 This may result in delayed traffic 30 Xirrus Roaming Mode This feature utilizes the Xirrus Roaming Protocol RP ensuring fast and seamless roaming capabilities between IAPs or APs at Layer 2 and Layer 3 as specified in Step 31 while maintaining security Fast roaming eliminates long delays for re authentication thus sup...

Page 359: ...g Targets If you chose Target Only use this option to add target MAC addresses Enter the MAC address of each target AP then click on Add add as many targets as you like To find a target s MAC address open the AP Info window on the target AP and look for IAP MAC Range then use the starting address of this range To delete a target select it from the list then click Delete See Also Coverage and Capac...

Page 360: ...nd specifying the fragmentation and RTS thresholds for all 802 11an IAPs Figure 171 Global Settings 11an Procedure for Configuring Global 802 11an IAP Settings 1 802 11a Data Rates The AP allows you to define which data rates are supported for all 802 11an radios Select or deselect data rates by clicking in the corresponding Supported and Basic data rate check boxes Basic Rate a wireless station c...

Page 361: ... on page 361 Click Factory Defaults if you wish to instruct the AP to return all IAPs to their factory preset channels As of release 6 3 APs no longer all use the same factory preset values for channel assignments Instead if the AP has been deployed for a while and already has data from the spectrum analyzer and Xirrus Roaming Protocol about channel usage on neighboring APs it performs a quick aut...

Page 362: ... 116 DFS required 44 48 Non radar 132 136 DFS required 52 56 DFS required 140 144 DFS required 60 64 DFS required 149 153 Non radar 100 104 DFS required 157 161 Non radar 108 112 DFS required 165 Non radar Channels Required to Use DFS Radar Avoidance in Europe 36 40 Non radar 116 120 DFS required 44 48 Non radar 124 128 DFS required 52 56 DFS required 132 136 DFS required 60 64 DFS required 140 14...

Page 363: ...en if they are using different channels called Auto Cell by Band or Multichannel Auto Cell This will result in smaller cell sizes See Fine Tuning Cell Sizes on page 37 7 Auto Cell Period seconds You may set up auto configuration to run periodically readjusting optimal cell sizes for the current conditions Enter a number of seconds to specify how often auto configuration will run If you select None...

Page 364: ...o determine and set the best cell size for each 802 11an IAP whose Cell Size is auto on the IAP Settings window based on changes in the environment This is the recommended method for setting cell size You may look at the Tx and Rx values on the IAP Settings window to view the cell size settings that were applied 13 Fragmentation Threshold This is the maximum size for directed data packets transmit...

Page 365: ...tion Limit page 283 respectively If multiple station limits are set all will be enforced As soon as any limit is reached no new stations can associate until some other station has terminated its association See Also Coverage and Capacity Planning Global Settings Global Settings 11bgn Global Settings 11n IAPs IAP Statistics Summary Advanced RF Settings IAP Settings ...

Page 366: ... global 802 11b g IAP settings These settings include defining which 802 11b and 802 11g data rates are supported enabling or disabling all 802 11b g IAPs auto configuring 802 11b g IAP channel allocations and specifying the fragmentation and RTS thresholds for all 802 11b g IAPs Figure 172 Global Settings 11bgn ...

Page 367: ...ettings 4 802 11b g IAP Control Click Enable All 802 11b g IAPs to enable all 802 11b g IAPs for this AP or click Disable All 802 11b g IAPs to disable them 5 Channel Configuration Click Auto Configure to instruct the AP to determine the best channel allocation settings for each 802 11b g IAP and select the channel automatically based on changes in the environment This is the recommended method fo...

Page 368: ...an overview of RF power and cell size settings please see RF Power and Sensitivity on page 360 Capacity and Cell Sizes on page 36 and Fine Tuning Cell Sizes on page 37 7 Auto Cell By Channel By default this feature is On and auto cell will adjust the cell size for a radio when nearby APs have radios on the same channel within earshot of each other so that the two radios minimize interference with ...

Page 369: ...ing APs that hear each other best will hear each other at 70dB For 0 overlap that number is 90dB The default value is 50 10 Auto Cell Min Cell Size Use this setting if you wish to set the minimum cell size that Auto Cell may assign The values are Default Large Medium or Small 11 Auto Cell Min Tx Power dBm Enter the minimum transmit power that the AP can assign to a radio when adjusting automatic c...

Page 370: ...by preventing 802 11b and 802 11g stations from transmitting simultaneously When Auto CTS or Auto RTS is enabled and any 802 11b station is associated to the IAP additional frames are sent to gain access to the wireless network Auto CTS requires 802 11g stations to send a slow Clear To Send frame that locks out other stations Automatic protection reduces 802 11g throughput when 802 11b stations ar...

Page 371: ...tation Threshold value between 256 and 2346 19 RTS Threshold The RTS Request To Send Threshold specifies the packet size Packets larger than the RTS threshold will use CTS RTS prior to transmitting the packet useful for larger packets to help ensure the success of their transmission Enter a value between 1 and 2347 20 Max Stations This defines how many station associations are allowed per 802 11bg...

Page 372: ... the entire AP specifying the number of transmit and receive chains data stream used for spatial multiplexing setting a short or standard guard interval auto configuring channel bonding and specifying whether auto configured channel bonding will be static or dynamic Before changing your settings for 802 11n please read the discussion in About IEEE 802 11ac on page 42 Figure 173 Global Settings 11n...

Page 373: ...hether the AP has 2x2 or 3x3 radios The default value is always the maximum supported by the radio type See Up to Eight Simultaneous Data Streams Spatial Multiplexing on page 44 4 RX Chains Select the number of separate data streams received by the antennas of each IAP This number should be greater than or equal to TX Chains The maximum number of chains is determined by whether the AP has 2x2 or 3...

Page 374: ...nnels be automatically updated as conditions change Select Static to have the bonded channels remain the same once they are selected The default is Dynamic See 80 MHz and 160 MHz Channel Widths Bonding on page 48 9 Global channel bonding These buttons allow you to turn channel bonding on or off for all IAPs in one step The effect of using one of these buttons will be shown if you go to the IAP Set...

Page 375: ... settings These settings include enabling or disabling 802 11ac mode for the entire AP specifying the number of data streams used in spatial multiplexing and setting a short or long guard interval Before changing your settings for 802 11ac please read the discussion in About IEEE 802 11ac on page 42 Figure 174 Global Settings 11ac ...

Page 376: ...AM or allow 256 QAM with its higher data rate It also determines the coding scheme used for error correction Higher MCS levels allocate fewer bits to error correction and thus a higher proportion is used for data transfer The default Max MCS value is MCS9 The higher the MCS values the higher the data rate as shown in 802 11ac Supported Rates below Higher MCS levels require higher signal to noise r...

Page 377: ...tc Internet Connectivity Indicates whether the network provides Internet connectivity Authentication Indicates whether additional authentication steps will be required to use the network as well as the network authentication types that are in use Venue Information The type and name of the location where the access point is found Identification A globally unique identification for the access point ...

Page 378: ...nfiguring the Wireless AP Cellular Networks The service network may have arrangements with one or more cellular service providers who can transparently provide wireless and Internet connectivity Figure 175 802 11u Global Settings ...

Page 379: ...ck Unspecified otherwise for example depending on the SLAs service level agreements of the mobile user Internet access may or may not be provided 4 Additional Step Required for Access Click Disabled if no additional authentication steps will be required to complete the connection and Enabled otherwise The available authentication techniques are described in the Network Authentication Types field S...

Page 380: ...through two levels of NATing Port restricted IPv4 addresses refer to specific UDP and TCP port numbers associated with standard Internet services for example port 80 for web pages The choices for this field are a Double NATed private IPv4 address available b IPv4 address not available c IPv4 address availability not known d Port restricted IPv4 address available e Port restricted IPv4 address and ...

Page 381: ...work code MNC Use this control to build up a list of cell networks Enter the MCC as a three digit number and the MNC as a two or three digit number and click Add The cell network will appear in the list A cell network may be deleted by selecting it in the list and clicking Delete All networks may be deleted by clicking Reset 13 Network Authentication Types Each network authentication that is in us...

Page 382: ...clicking Delete All authentication types may be deleted by clicking Reset 14 Venue Names The list of names associated with the venue are specified here A venue name may be added to the list in English or Chinese Enter the name in the appropriate field and click Add The name will appear in the list A name may be deleted by selecting it in the list and clicking Delete All names may be deleted by cli...

Page 383: ...by modes Changes you make on this page are applied to all IAPs without exception Figure 176 Advanced RF Settings About Standby Mode Standby Mode supports the AP to AP fail over capability When you enable Standby Mode the AP functions as a backup unit and it enables its radios if it detects that its designated target AP has failed The use of redundant APs to provide this fail over capability allows...

Page 384: ...o divide its time between monitoring and acting as a standard radio that allows stations to associate to it Timeshare mode is especially useful for small APs with two IAPs such as the XR 500 600 and XR 1000 Series allowing one IAP to be shared between monitoring the airwaves for problems and providing services to stations Settings allow you to give priority to monitoring or wireless services depen...

Page 385: ...Radio Assurance mode will take action according to the preference that you have specified Failure alerts only The AP will issue alerts in the Syslog but will not initiate repairs or reboots Failure alerts repairs but no reboots The AP will issue alerts and perform resets of one or all of the radios if needed Failure alerts repairs reboots if needed The AP will issue alerts perform resets and sched...

Page 386: ...seconds should be sufficient The default value is None 7 Auto Cell Size Overlap Enter the percentage of cell overlap that will be allowed when the AP is determining automatic cell sizes For 100 overlap the power is adjusted such that neighboring APs that hear each other best will hear each other at 70dB For 0 overlap that number is 90dB The default value is 50 8 Auto Cell Min Cell Size Use this se...

Page 387: ... or Auto but not Max If IAP cell size is set to Max the Sharp Cell feature will be disabled for that radio RF Spectrum Management 12 Configuration Status Shows the status of auto channel configuration If an operation is in progress the approximate time remaining until completion is displayed otherwise Idle is displayed 13 Band Configuration Automatic band configuration is the recommended method fo...

Page 388: ...is AP or not Click Auto Configure to instruct the AP to determine the best channel allocation settings for each enabled IAP and select the channel automatically based on changes in the environment This is the recommended method for channel allocation see RF Spectrum Management on page 361 The following options may be selected for auto configuration Negotiate negotiate air time with other APs befor...

Page 389: ...ion or is just being deployed for the first time it has no prior data about its RF environment In this case it will pick a set of compatible channel assignments at random 15 Auto Channel Configuration Mode This option allows you to instruct the AP to auto configure channel selection for each enabled IAP when the AP is powered up Choose On AP PowerUp to enable this feature or choose Disabled to dis...

Page 390: ...monitors the quality of the connections that users are experiencing on the wireless network You can quickly detect stations that are having problems and take steps to correct them Use these settings to establish threshold values for errors and other problems Station assurance is enabled by default with a set of useful default thresholds that you may adjust as desired When a connection is experienc...

Page 391: ...he AP will check whether Max Authentication Failures has been reached in this number of seconds 21 Min Average Associated Time seconds Station assurance detects whether the average length of station associations falls below this threshold during a period 22 Max Authentication Failures Station assurance detects whether the number of failed login attempts reaches this threshold during a period 23 Ma...

Page 392: ...ng Global Settings 11an Global Settings 11bgn Global Settings 11n IAPs IAP Settings Radio Assurance Hotspot 2 0 Understanding Hotspot 2 0 Hotspot 2 0 is a part of the Wi Fi Alliance s Passpoint certification program It specifies additional information above and beyond that found in 802 11u which allows mobile clients to automatically discover select and connect to networks based on preferences and...

Page 393: ...ion 2 Downstream Group addressed Forwarding Click Enabled to allow the access point to forward group addressed traffic broadcast and multicast to all connected devices Click Disabled to cause the access point to convert group addressed traffic to unicast messages 3 WAN Downlink Speed Enter the WAN downlink speed in kbps into the field 4 WAN Uplink Speed Enter the WAN uplink speed in kbps into the ...

Page 394: ...inese name into one of the fields An incorrectly entered name can be deleted by clicking the corresponding Delete 6 Connection Capabilities A Hotspot 2 0 access point limits the particular protocols that clients may use The set of default protocols is shown initially This table specifies the protocols in terms of a A common Name such as FTP or HTTP ...

Page 395: ...ocol fields and unknown for the status Enter the appropriate Protocol and Port values before setting the Status field to open NAI Realms Understanding NAI Realm Authentication A network access identifier NAI is a specification of a particular user A NAI takes the general form of an e mail address Examples of NAIs are joe example com fred foo 9 example com jack 3rd depts example com fred smith exam...

Page 396: ... button 2 Enter Authentication Information The NAI EAP page is used to specify authentication for a realm Click on the name of a realm to go to the NAI EAP page for that realm See NAI EAP on page 370 NAI EAP This window allows specification of the authentication techniques for a realm Figure 180 NAI EAP Procedure for NAI Realms Settings 1 Select the realm to be configured in the NAI Realm drop dow...

Page 397: ...on the number corresponding to the authentication method i e 1 2 3 4 or 5 This displays the EAP n Auth Parameter Configuration below the list of EAP Methods For up to five of the parameters select the Type and Value or Vendor ID Type The choices for the Type are Credential Type Expanded EAP Method Expanded Inner EAP Method Inner Authentication EAP Method Type Non EAP Inner Authentication Type None...

Page 398: ...tion The Xirrus AP employs a number of IDS IPS Intrusion Detection System Intrusion Prevention System strategies to detect and prevent malicious attacks on the wireless network Use this window to adjust intrusion detection settings Figure 181 Intrusion Detection Settings ...

Page 399: ...the table below When an attack is detected the AP logs a Syslog message at the Alert level Impersonation Detection These malicious attacks use various techniques to impersonate a legitimate AP or station often in order to eavesdrop on wireless communications The AP detects a number of types of impersonation attacks as described in the table below When an attack is detected the AP logs a Syslog mes...

Page 400: ... all stations on a channel in response to data frames Duration Attack Duration Field Spoofing Injecting packets into the WLAN with huge duration values This forces the other nodes in the WLAN to keep quiet since they cannot send any packet until this value counts down to zero If the attacker sends such frames continuously it silences other nodes in the WLAN for long periods thereby disrupting the ...

Page 401: ...ers for qualifying blocking so that APs must meet certain criteria before being blocked This keeps the AP from blocking every AP that it detects You may Set a minimum RSSI value for the AP for example if an AP has an RSSI value of 90 it is probably a harmless AP belonging to a neighbor and not in your building Block based on encryption level Block based on whether the AP is part of an ad hoc netwo...

Page 402: ...e remaining Auto Block fields will be active 3 Auto Block RSSI Set the minimum RSSI for rogue APs to be blocked APs with lower RSSI values will not be blocked They are assumed to be farther away and probably belonging to neighbors and posing a minimal threat 4 Auto Block Level Select rogue APs to block based on the level of encryption that they are using The choices are Automatically block unknown...

Page 403: ...pe may be separately enabled or disabled For each attack a default Threshold and Period seconds are specified If the number of occurrences of the type of packet being detected exceeds the threshold in the specified number of seconds then the AP declares that an attack has been detected You may modify the Threshold and Period For the Flood attack settings you also have a choice of Auto or Manual Ma...

Page 404: ...ff separately For AP or Station Impersonation attacks a default Threshold and Period seconds are specified If the number of occurrences of the type of packet being detected exceeds the threshold in the specified number of seconds then the AP declares that an attack has been detected You may modify the Threshold and Period 10 Sequence number anomaly You may specify whether to detect this type of at...

Page 405: ...ct one or more activities to trigger when the LEDs blink For default behavior see AP LED Operating Sequences on page 73 3 Click the Save button if you wish to make your changes permanent See Also Global Settings Global Settings 11an Global Settings 11bgn IAPs LED Boot Sequence DSCP Mappings DSCP is the 6 bit Differentiated Services Code Point DiffServ field in the IPv4 or IPv6 packet header define...

Page 406: ...sist Roaming assist is a Xirrus feature that helps clients roam to APs that will give them high quality connections Some smart phones and tablets will stay connected to a radio with poor signal quality even when there s a radio with better signal strength within range When roaming assist is triggered the AP assists the device by deauthenticating it when certain parameters are met This encourages a...

Page 407: ...ssist Procedure for Configuring Roaming Assist 1 Enable Roaming Assist Use the Yes and No buttons to enable or disable this feature 2 Backoff Period After deauthenticating a station it may re associate to the same radio To prevent the AP from repeatedly deauthenticating the station when it comes back there is a backoff period This is the number of seconds the station is allowed to stay connected b...

Page 408: ...ayers are sticky they have high roaming thresholds that tend to keep them attached to the same radio despite the presence of radios with better signal strength You may check off one or more entries but use care since roaming assist may cause poor results in some cases If no Device Classes or Device Types are selected then all devices are included in roaming assist If you select entries in both Dev...

Page 409: ...Ps have this AP as their target The summary identifies the source client AP for each link Both summaries identify the IAPs that are part of the link and whether the connection for each is up or down See WDS Planning on page 63 for an overview Figure 185 WDS About Configuring WDS Links A WDS link connects a client AP and a host AP see Figure 186 on page 384 The host must be the AP that has a wired ...

Page 410: ...ell must extend all the way to the other AP When configuring WDS if you use WPA PSK Pre Shared Key as a security mechanism ensure that EAP is disabled Communication between two APs in WDS mode will not succeed if the client AP has both PSK and EAP enabled on the SSID used by WDS See SSID Management TKIP encryption does not support high throughput rates per IEEE 802 11n TKIP should never be used fo...

Page 411: ...with long transmission times See IAP Settings on page 312 Set the approximate distance in miles between this IAP and the connected AP in the WDS Dist Miles column This will increase the wait time for frame transmission accordingly See Also SSID Management Active IAPs WDS Client Links WDS Statistics WDS Client Links This window allows you to set up a maximum of four WDS client links Figure 187 WDS ...

Page 412: ...e cumulative weighted RSSI value utilized in checking the threshold above to make a roaming decision The higher the weight the lower the influence of a new RSSI reading This is not exactly a percentage but a factor in the formula for computing the current RSSI value based on new readings Once some IAP has been selected to act as a WDS client link no other association will be allowed on that IAP Ho...

Page 413: ...e enable Reset All Links this command tears down all links configured on the AP and sets them back to their factory defaults effective immediately 6 Client Link Shows the ID 1 to 4 of each of the four possible WDS links 7 Enabled Check this box if you want to enable this WDS link or uncheck the box to disable the link 8 Max IAPs Allowed 1 3 Enter the maximum number of IAPs for this link between 1 ...

Page 414: ...the fields on this line WDS Client Link IAP Assignments 14 For each desired client link select the IAPs that are part of that link The IAP channel assignments are shown in the column headers 15 IAP Channel Assignment Click Auto Configure to instruct the AP to automatically determine the best channel allocation settings for each IAP that participates in a WDS link based on changes in the environmen...

Page 415: ... application of all defined filtering rules Stateful inspection runs automatically on the AP The rest of this section describes how to view and manage filters Filters are organized in groups called Filter Lists A filter list allows you to apply a uniform set of filters to SSIDs or Groups very easily Similarly you can use a custom Application Control list to create a set of applications that are ha...

Page 416: ...redefined filter list named Global which cannot be deleted Filter lists including Global may be applied to SSIDs or to Groups Only one filter list at a time may be applied to a group or SSID although the filter list may contain a number of filters All filters are created within filter lists Use a custom Application Control list to create a set of applications that may then be handled as a group wh...

Page 417: ...filter list name and you will be taken to the Filter Management window for that filter list You may create up to 16 filter lists up to 8 on the XR 500 Series 4 On Check this box to enable this filter list or leave it blank to disable the list If the list is disabled you may still add filters to it or modify it but none of the filters will be applied to data traffic 5 Filters This read only field d...

Page 418: ...the desired applications to this list one at a time Up to 250 applications may be added This field also provides a search feature type in a string and the list will display only the choices whose names contain that string in any position Click the Apply button on the right when done adding applications to this list Click Reset if you want to remove all of the entries from this field i e to empty i...

Page 419: ...ce provided by the Application Control Windows on page 150 Figure 190 Filter Management Based on Application Control s analysis of your wireless traffic you can create filters to enhance wireless usage for your business needs Usage of non productive and risky applications like BitTorrent can be restricted Traffic for mission critical applications like VoIP and WebEx may be given higher priority Qo...

Page 420: ... in improved performance Web Access Only may be selected to allow only web access protocols to be used For more information please see Air Cleaner on page 466 When you select one of the filter presets the appropriate filters will be added to the list so that you can see exactly what settings have been used 2 Filter List Select the filter list to display and manage on this window All of the filters...

Page 421: ... an application to filter based on settings from Step 22 and Step 23 If an application has been selected you should not enter Protocol or Port application filters have intelligence built into them and perform filtering that you cannot accomplish with just port and protocol See Application Control Windows on page 150 11 Port Number This is a match criterion From the pull down list choose the target...

Page 422: ...tal or per station Then enter the numeric limit in the field to the left 16 Scheduled Time shows the times at which this filter is active if you have established a schedule in Step 19 17 Move Up Down The filters are applied in the order in which they are displayed in the list with filters on the top applied first To change an entry s position in the list just click its Up or Down button 18 To dele...

Page 423: ... address to match as a filter criterion Click the radio button for the desired type of address or other attribute to match Then specify the value to match in the field to the right of the button Choose any to use any destination address Check Not to match any address except for the specified address Below the Source and Destination Addresses you may enter a Category or an Application or an Applica...

Page 424: ...to a previously configured Custom Application Control List select the desired list You may not select a Category or an Application in addition to the list 25 Click the Save button if you wish to make your changes permanent See Also Filters Filter Statistics Understanding QoS Priority on the Wireless AP VLANs ...

Page 425: ...ed in the following topics Cluster Management Cluster Management Clusters are displayed and managed in the single Cluster Management window This window allows new clusters to be created and APs to be added or removed from clusters The Clusters window provides you with an overview of all clusters that have been defined for this AP and the APs that have been added to each Clusters are listed and clu...

Page 426: ...r Definition 1 New Cluster Name Enter a name for the new cluster in the field to the left of the Create button then click Create to add this entry The new cluster is added to the list in the window 2 Delete To delete a cluster expand the entry for the cluster and click its Remove Cluster button 3 Click the Save button if you wish to make your changes permanent 4 Expand the entry for a cluster to a...

Page 427: ...e an AP click its button 6 Click the Save button if you wish to make your changes permanent In Cluster Mode all configuration operations that you execute in WMI or CLI are performed on the members of the cluster They are not performed on the AP where you are running WMI unless it is a member of the cluster You must use the Save button at the top of configuration windows to permanently save your ch...

Page 428: ...aging only the AP to which it is connected Status and Statistics Windows in Cluster Mode In Cluster Mode many of the Status and Statistics windows will display information for all of the members of the cluster You can tell whether a window displays cluster information if so it will display the Cluster Name near the top as shown in Figure 194 Figure 194 Viewing Statistics in Cluster Mode You have t...

Page 429: ...Wireless Access Point Configuring the Wireless AP 403 You may terminate cluster mode operation by clicking the button to the right of the row ...

Page 430: ...ne the status of a user s device and allow access to the wireless network only if the device is enrolled and compliant with the policies of the service AirWatch Individual SSIDs may be configured to require AirWatch enrollment and compliance before a mobile device such as a smartphone or tablet is admitted to the wireless network The AP uses the AirWatch API with the settings below to request that...

Page 431: ...all to determine the enrollment and compliance status of a mobile device attempting to connect to the AP The steps that the user will need to take are described in User Procedure for Wireless Access on page 406 2 API Key Obtain this from your AirWatch server Go to the System Advanced API REST page General tab and copy the API Key string into this field The key is required for access to the API 3 A...

Page 432: ...re for Managing SSIDs see Step 17 on page 282 User Procedure for Wireless Access 1 A user attempts to connect a mobile device to an SSID that uses AirWatch 2 The device will authenticate according to the SSID s authentication settings Open Radius MAC 802 1x 3 The user browses to any destination on the Internet The AP asks the user to wait while it checks device enrollment and compliance status by ...

Page 433: ...s AirWatch to again check device compliance The user s browser is redirected to a wait page until the AP has confirmed compliance with AirWatch The user s browser is then redirected to a page announcing that the device is now allowed network access If the AP is unable to access AirWatch to obtain enrollment and compliance status for example due to bad credentials timeout etc device access to the n...

Page 434: ...Wireless Access Point 408 Configuring the Wireless AP ...

Page 435: ...ns System Tools on page 410 CLI on page 424 API Documentation on page 426 Options on page 431 Logout on page 432 This section does not discuss using status or configuration windows For information on those windows please see Viewing Status on the Wireless AP on page 95 Configuring the Wireless AP on page 161 If you have added modular IAPs to your AP note that its model number will be automatically...

Page 436: ...e page contains a number of sections that you may expand About Licensing and Upgrades If you are a customer using XMS when you upgrade an AP using XMS your license will automatically be updated for you first The AP s license determines some of the features that are available on the AP For example the Application Control feature is an option that must be separately licensed To check the features su...

Page 437: ...ew license key To upgrade from ArrayOS Release 7 0 1 to Release 7 0 3 use your existing license key If you are not using XMS to perform a software upgrade you may use the Auto provisioning Start button to get an updated license from Xirrus before performing an upgrade If you will be entering license keys and performing upgrades on many APs the effort will be streamlined by using the Xirrus Managem...

Page 438: ...s A license update will automatically save a copy of the current configuration of the AP See Step 3 on page 416 If you attempt to enter an invalid key you will receive an error message and the current key will not be replaced Operating System Software Upload This feature upgrades the ArrayOS to a newer version provided by Xirrus Please note that you typically will need an updated license key to co...

Page 439: ...Image drop down list to display all of the software versions that are on your AP Select the version from the list that you would like to become the active version the next time that you reboot 3 Save Reboot or Reboot Use Save Reboot to save the current configuration and then reboot the AP The AP will reboot using the software version that you have selected in Active Software Image above The LEDs o...

Page 440: ...APs are rebooted they will automatically download the new configuration file from a single location on the specified TFTP server 1 Remote TFTP Server This field defines the path to a TFTP server to be used for automated remote update of software image and configuration files when rebooting You may specify the server using an IP address or host name 2 Remote Boot Image When the AP boots up it fetch...

Page 441: ...from the file You can then load the file on each AP and the local IP addresses will not change A remote configuration is never saved to the compact flash unless you issue a Save command Configuration Management Figure 198 Configuration Management 1 If you need an updated license for example if you are upgrading an AP to a new major release say from 7 0 to 7 1 and you are not using XMS to The Remot...

Page 442: ... field updates AP settings from a local configuration file on the AP Select one of the following files from the drop down list factory conf The factory default settings lastboot conf The setting values from just before the last reboot saved conf The last settings that were explicitly saved using the Save button at the top of each window history saved yyyymmdd pre update conf history saved yyyymmdd...

Page 443: ...ion under an existing file name select the file then click Save Note that you cannot save to the file names factory conf lastboot conf and saved conf these files are write protected You may enter the desired file name then click Save Click Set Restore Point to save a copy of the current configuration basing the file name on the current date and time For example history saved 20100318 1842 conf Not...

Page 444: ... s current configuration settings to the factory default values except for the AP s management IP address which is left unchanged This function allows you to maintain management connectivity to the AP even after the reset This will retain the Gigabit Ethernet port s IP address see Interfaces on page 170 or if you have configured management over a VLAN it will maintain the management VLAN s IP addr...

Page 445: ... Customer Support will instruct you to save two diagnostic logs about ten minutes apart so that they can examine the difference in statistics between the two snapshots for example to see traffic and error statistics for the interval Thus you must rename the first diagnostic log file 9 Health Log This file is created automatically but only if the AP encounters unexpected and serious problems Normal...

Page 446: ...the current file before it gets overwritten You may use the Clear button to remove the tar file and all temporary data from the AP s memory This feature should only used at the request of Customer Support Application Control Signature File Management Application Control recognizes applications using a file containing the signatures of hundreds of applications This file may be updated regularly to ...

Page 447: ...t Captive Portal The AP uses a Perl script and a cascading style sheet to define the default splash login Web page that the AP delivers for WPR You may replace these files with files for one or more custom pages of your own See Step 14 below to view the default files See Step 15 page 282 for more information about WPR and how the splash login page is used Each SSID that has WPR enabled may have it...

Page 448: ...13 Remove File Enter the name of the WPR file you want to remove then click on the Delete button You can use the List Files button to show you a list of files that have been saved on the AP for WPR The list is displayed in the Status section at the bottom of the WMI window You must reboot to make your changes take effect 14 Download Sample Files Click on a link to access the corresponding sample W...

Page 449: ... contact the server In Figure 203 B RADIUS Ping verifies that the host information and secret for a RADIUS server are correct but that the user account information is not Select RADIUS allows you to select a RADIUS server that you have already configured When you make a choice in this field additional fields will be displayed Set Select RADIUS to External Radius Internal Radius or a server specifi...

Page 450: ...are displayed in the Status frame Progress Bar and Status Frame The Progress bar is displayed for commands such as Software Upgrade and Ping The Status frame presents the output from system commands Ping and Trace Route as well as other information such as the results of software upgrade CLI The WMI provides this window to allow you to use the AP s Command Line Interface CLI You can enter commands...

Page 451: ... the mode to config iap The prompt will indicate the current command mode for example My AP config iap You can abbreviate a command and it will be executed if you have typed enough of the command to be unambiguous The command will not auto complete however Only the abbreviated command that you actually typed will be shown You can type a partial command and press Tab to have the command auto comple...

Page 452: ... cumbersome for polling large amounts of data Results are returned in JavaScript Object Notation JSON format a text based open standard designed for human readable data interchange The API documentation is tightly integrated with the server code The API Documentation page allows you to interact with the API in a sandbox UI that gives clear insight into how the API responds to parameters and option...

Page 453: ... Since this is a read only API the list consists exclusively of GET operations The figure below shows part of the list displayed by clicking settings Click again to collapse hide the list Status requests include GET requests for many of the status and statistics items described in the chapter titled Viewing Status on the Wireless AP on page 95 Settings requests include GET requests for many of the...

Page 454: ...onse Developers can use this feature to design and implement applications that use this response Enter any necessary Parameters and click the Try it out button Most GET requests do not use any parameters If they are required their names will be listed and there will be a field or a drop down list to specify each one An example is shown in Figure 206 In some cases there may be two versions of a req...

Page 455: ...s the response for ethernet stats name The response is produced in the human readable JSON format The status and statistics data shown are as described in Viewing Status on the Wireless AP on page 95 Click Hide Response if you wish to hide the output The Response Code and the Response Header are standard for HTTP S ...

Page 456: ...uests Hiding and then showing again displays the requests as they were before i e expanded GET requests will still be expanded when displayed again List Operations expands this list of GET requests Each individual entry is collapsed Expand Operations shows all of the GET requests in this list Each individual entry is expanded Raw shows the source XML code for this list of GET requests Click the li...

Page 457: ...dure for Configuring Options 1 Refresh Interval in Seconds Many of the windows in the Status section of the WMI have an Auto Refresh option You may use this setting to change how often a status or statistics window is refreshed if its auto refresh option is enabled Enter the desired number of seconds between refreshes The default refresh interval is 30 seconds ...

Page 458: ...ess Access Point 432 Using Tools on the Wireless AP Logout Click on the Logout button to terminate your session When the session is terminated you are presented with the login window Figure 210 Login Window ...

Page 459: ...hing a Secure Shell SSH Connection Use this procedure to initialize the system and log in to the Command Line Interface CLI via a Secure Shell SSH utility such as PuTTY When connecting to the unit s Command Line Interface over a network connection you must use a Secure SHell version 2 SSH 2 utility Make sure that your SSH utility is set up to use SSH 2 1 Start your SSH session and communicate with...

Page 460: ...e Gigabit 1 or Gigabit 2 Ethernet port You may need to change the IP address of the port on your computer that is connected to the AP change that port s IP address so that it is on the same 10 0 2 xx subnet as the AP port 2 At the login prompt enter your user name and password the default for both is admin Login names and passwords are case sensitive You are now logged in to the AP s Command Line ...

Page 461: ... in the CLI window is determined by the host name you assigned to your AP The prompt Xirrus_Wi Fi_AP is displayed throughout this document simply as a sample host name assigned to the AP To terminate your session at any time use the quit command Entering Commands When typing commands you need only type enough characters to uniquely specify the command For example you can type the abbreviated term ...

Page 462: ... that are available with the CLI Figure 212 Help Window Command This command is available at any prompt and provides either FULL or PARTIAL help Using the question mark command when you are ready to enter an argument will display all the possible arguments full help Partial help is provided when you enter an abbreviated argument and you want to know what arguments will match your input Figure 213 ...

Page 463: ...ccess Point The Command Line Interface 437 Figure 214 shows an example of how the Help system can provide the argument and format when specifying the time zone under the date time command Figure 214 Partial Help ...

Page 464: ...d formats and structure go to Configuration Commands on page 450 Root Command Prompt The following table shows the top level commands that are available from the root command prompt MyAP Command Description Type n to execute command n as shown by the history command configure Enter the configuration mode See Configuration Commands on page 450 exit Exit the CLI and terminate your session if this co...

Page 465: ...verride XMS managed mode and allow local configuration changes according to your user privileges See Managing APs Locally or Using XMS on page 85 Command Description Type n to execute command n as shown by the history command acl Configure the Access Control List activation Start or stop activation server polling admin Define administrator access parameters auth Configure Oauth tokens authenticati...

Page 466: ...protocol filter parameters group Define user groups with parameter settings help Description of the interactive Help system history List history of commands that have been executed hostname Host name for this AP interface Select the interface to configure lldp Configure LLDP settings load Load running configuration from flash location Location name for this AP location reporting Configure location...

Page 467: ...all settings to their factory default values and reboot revert Revert to saved configuration after specified delay in seconds if configuration not saved roaming assist Set parameters for roaming assistance run tests Run selective tests save Save the running configuration to FLASH search Search for pattern in show command output security Set the security parameters for the AP show Display current i...

Page 468: ...unnel Configure tunnels uptime Display time since the last boot vlan Configure VLAN parameters wifi tag Configure VLAN parameters xms override Override XMS managed mode and allow local configuration changes according to your user privileges See Managing APs Locally or Using XMS on page 85 Command Description ...

Page 469: ...ociated stations Display stations that have associated to the AP auth Show Open Authentication tokens authentication server Authentication server settings summary bond Bond information boot env Display Boot loader environment variables capabilities Display detailed station capabilities cdp Display Cisco Discovery Protocol settings channel list Display list of AP s 802 11an and bgn channels cluster...

Page 470: ...ntroller status for the outdoor enclosure error numbers Display the detailed error number in error messages ethernet Display Ethernet interface summary information external radius Display summary information for the external RADIUS server settings factory config Display the AP factory configuration information filter Display filter information filter list Filter list information group User Group s...

Page 471: ...etwork assurance Network Assurance status network map Display network map information proxy fwd Display Proxy Forwarding summary radio assurance Radio Assurance status realtime monitor Display realtime statistics for all IAPs roaming assist Roaming assist settings roaming stations Roaming station information rogue ap Display rogue AP information route Display the routing table rssi map Display RSS...

Page 472: ...rmation statistics Display statistics syslog Display the system log syslog settings Display the system log Syslog settings system info System information temperature Display the current board temperatures tunnel Tunnel information unassociated stations Display unassociated station information undefined vlan Undefined VLANs detected uptime Display time since last boot vlan Display VLAN information ...

Page 473: ...Wireless Access Point The Command Line Interface 447 cr Display configuration or status information IAP NAME iap1 iap2 IAP interface information Command Description ...

Page 474: ...filter list Display statistics for defined filter list if any FORMAT statistics filter filter list iap Display statistical data for the defined IAP FORMAT statistics iap iap2 station Display statistical data about associated stations FORMAT statistics station billw vlan Display statistical data for the defined VLAN You must use the VLAN number not its name when defining a VLAN FORMAT statistics vl...

Page 475: ...Command Line Interface 449 Ethernet Name eth0 gig1 gig2 Display statistical data for the defined Ethernet interface either eth0 gig1 or gig2 FORMAT statistics gig1 IAP NAME iap1 iap2 IAP interface information Command Description ...

Page 476: ...commands are case sensitive To see examples of some of the key configuration tasks and their associated commands go to Sample Configuration Tasks on page 495 acl The acl command MyAP config acl is used to configure the Access Control List Command Description add Add a MAC address to the list FORMAT acl add AA BB CC DD EE FF del Delete a MAC address from the list FORMAT acl del AA BB CC DD EE FF di...

Page 477: ...y user in the Administrator List FORMAT admin edit userID privilege name Define administrator privilege level names privilege section Define administrator privilege level required by config section radius Define a RADIUS server to be used for authenticating administrators FORMAT admin radius disable enable off on timeout seconds auth type PAP CHAP admin radius primary secondary port portid server ...

Page 478: ...nfigure the Cisco Discovery Protocol Command Description del Delete an Oauth token FORMAT auth del Oauth token reset Delete all Oauth tokens FORMAT auth reset Command Description disable Disable the Cisco Discovery Protocol FORMAT cdp disable enable Enable the Cisco Discovery Protocol FORMAT cdp enable hold time Select CDP message hold time before messages received from neighbors expire FORMAT cdp...

Page 479: ...Line Interface 453 interval The AP sends out CDP announcements at this interval FORMAT cdp interval seconds off Disable the Cisco Discovery Protocol FORMAT cdp off on Enable the Cisco Discovery Protocol FORMAT cdp on Command Description ...

Page 480: ...fy the permanent option then the station is deauthenticated and put on the access control list FORMAT clear authentication permanent authenticated station history Clear the history of CLI commands executed FORMAT clear history screen Clear the screen where you re viewing CLI output FORMAT clear screen station assurance Clear all station assurance data but continue to collect new data FORMAT clear ...

Page 481: ...Point The Command Line Interface 455 syslog Clear all Syslog messages but continue to log new messages FORMAT clear syslog undefined vlan Clear undefined VLAN information FORMAT clear undefined vlan Command Description ...

Page 482: ...only to the AP to which you are connected For more information see Clusters on page 399 Command Description add Create a new AP cluster Enters edit mode for that cluster to allow you to specify the APs that belong to the cluster FORMAT cluster add cluster name del Delete an AP cluster Type del to list the existing clusters FORMAT cluster del cluster name edit Enter edit mode for selected cluster t...

Page 483: ... contact information Command Description email Add an email address for the contact must be in quotation marks FORMAT contact info email contact mail com name Add a contact name must be in quotation marks FORMAT contact info name Contact Name phone Add a telephone number for the contact must be in quotation marks FORMAT contact info phone 8185550101 ...

Page 484: ... defining an offset from the UTC value For example Pacific Standard Time is 8 hours behind UTC time so the offset from UTC time would be 8 Command Description dst_adjust Enable adjustment for daylight savings FORMAT date time dst_adjust no Disable daylight savings adjustment FORMAT date time no dst_adjust ntp Enable the NTP server FORMAT date time ntp on or off to disable offset Set an offset from...

Page 485: ...nfig dhcp server is used to add delete and modify DHCP pools Command Description add Add a DHCP pool FORMAT dhcp server add dhcp pool del Delete a DHCP pool FORMAT dhcp server del dhcp pool edit Edit a DHCP pool FORMAT dhcp server edit dhcp pool reset Delete all DHCP pools FORMAT dhcp server reset ...

Page 486: ... name FORMAT dns domain www mydomain com server1 Enter the IP address of the primary DNS server FORMAT dns server1 1 2 3 4 server2 Enter the IP address of the secondary DNS server FORMAT dns server1 2 3 4 5 server3 Enter the IP address of the tertiary DNS server FORMAT dns server1 3 4 5 6 use dhcp Enable or disable updates to DNS settings via DHCP FORMAT dns use dhcp off on ...

Page 487: ... destinationfile create text Create a text file on the flash file system EOF to finish dir List the contents of a directory FORMAT file dir directory erase Delete a file from the FLASH file system FORMAT file erase filename format Format flash file system ftp Open an FTP connection with a remote server Files will be transferred in binary mode FORMAT file ftp host hostname ip port port_ user anonym...

Page 488: ... https file example com 8080 mydir myfile ext http or https may be omitted in which case HTTP is assumed local_file is an optional parameter that describes the path and name where the file should be saved if no local_file is specified the file will be saved in the root of the flash storage the local_file does support specifying a directory which will be created if it doesn t already exist list Lis...

Page 489: ... you enter file remote config the help response suggests possibilities by listing all of the configuration files that are currently in the AP s flash remote image When the AP boots up it fetches the named image file from the TFTP server defined in the file remote server command and upgrades to this file before booting This must be an AP image file with a bin extension FORMAT file remote image imag...

Page 490: ...fy the port to use tftp Open a TFTP connection with a remote server FORMAT file tftp host hostname ip port port_ user anonymous username password passwd put source_file dest_file get source_file dest_file Note Any time you transfer any kind of software image file for the AP it must be transferred in binary mode or the file may be corrupted Command Description ...

Page 491: ... the end of this table FORMAT filter add air cleaner name add list Add a filter list FORMAT filter add list name del Delete a filter FORMAT filter del name del list Delete a filter list FORMAT filter del list name edit Edit a filter FORMAT filter edit name type edit list Edit a filter list FORMAT filter edit list name type enable Enable a filter list FORMAT filter enable move Change a filter prior...

Page 492: ...aner all All air cleaner filters arp Eliminate station to station ARPs over the air broadcast Eliminate broadcast traffic from the air dhcp Eliminate stations serving DHCP addresses from the air multicast Eliminate chatty multicast traffic from the air netbios Eliminate NetBIOS traffic from the air off Disable a filter list FORMAT filter off on Enable a filter list FORMAT filter on reset Delete al...

Page 493: ...essary for a specific site Remember that the order of the rules is important Figure 215 Air Cleaner Filter Rules Explanations of some sample rules are below Air cleaner Arp 1 blocks ARPs from one client from being transmitted to clients via all of the radios The station to station block setting doesn t block this traffic so this filter eliminates this unnecessary traffic Air cleaner Dhcp 1 drops a...

Page 494: ... cleaner Mcast 3 drops all multicast traffic with a destination MAC address starting with 09 A lot of Appletalk traffic and other multicast traffic is blocked by this filter Note that for OSX 10 6 Snow Leopard no longer supports Appletalk Air cleaner Bcast 1 allows all ARP traffic other than the traffic that was denied by Air cleaner Arp 1 This is needed because Air cleaner Bcast 5 would drop this...

Page 495: ... over user privileges without the need to create large numbers of SSIDs For more information see Groups on page 303 hostname The hostname command MyAP config hostname is used to change the hostname used by the AP Command Description add Create a new user group FORMAT group add group name del Delete a user group FORMAT group del group name edit Set parameters values for a group FORMAT group edit gr...

Page 496: ... For example using the command at the MyAP config gig1 prompt displays a listing of all commands for the gig1 interface Command Description bond1 Bond 1 bond2 Bond 2 console Select the console interface The console interface is used for management purposes only FORMAT interface console gig1 Select the Gigabit 1 interface FORMAT interface gig1 gig2 Select the Gigabit 2 interface FORMAT interface gi...

Page 497: ...ption factory conf Load the factory settings configuration file FORMAT load factory conf lastboot conf Load the configuration file from the last boot up FORMAT load lastboot conf myfile conf If you have saved a configuration enter its name to load it FORMAT load myfile conf saved conf Load the configuration file with the last saved settings FORMAT load saved conf Command Description cr Set the loc...

Page 498: ...ription cust key Set Location Server customer key FORMAT location reporting cust key enc loc server customer key disable off Disable location reporting FORMAT location reporting disable enable on Enable location reporting FORMAT location reporting enable period Set Location Server reporting period seconds FORMAT location reporting period seconds url Set URL of Location Server FORMAT location repor...

Page 499: ...anner Configure login banner messages clear Remove clear requested elements cloud Enable disable Cloud access console Configure console management parameters fips Enable disable FIPS 140 2 Level 2 Security See Implementing FIPS Security on page 599 help Description of the interactive help system history Display history of commands executed https Enable disable HTTPS access license Set access point...

Page 500: ...delay if configuration not saved save Save running configuration to flash search Search show command output for pattern show Display current information about the selected item spanning tree Enable disable Spanning Tree Protocol ssh Enable disable SSH access standby Configure standby parameters statistics Display statistics telnet Enable disable telnet access top Return to top level of configurati...

Page 501: ...atch api Set Location Server customer key FORMAT mdm airwatch api The following types of settings may be configured in management mode access error Set AirWatch API access error action key Set AirWatch API key password Set AirWatch API password poll period Set AirWatch API poll period timeout Set AirWatch API timeout url Set AirWatch API URL username Set AirWatch API username redirect url Set URL ...

Page 502: ...mand Line Interface more The more command MyAP config more is used to turn terminal pagination ON or OFF Command Description disable off Turn OFF terminal pagination FORMAT more off enable on Turn ON terminal pagination FORMAT more on ...

Page 503: ...y Command Description collector Set the Netflow collector IP address or fully qualified domain name host domain Only one collector may be set If port is not specified the default is 2055 FORMAT netflow collector host ip addr domain port port disable off Disable netflow FORMAT netflow disable ipfix Enable NetFlow IPFIX probe off Disable netflow FORMAT netflow off v5 Enable NetFlow v5 probe v9 Enabl...

Page 504: ...Ps acl Disable the Access Control List FORMAT no acl clear text Disable entry and display of passwords and secrets in the clear gig1 Disable gig1 gig2 Disable gig2 https Disable https access FORMAT no https intrude detect Disable intrusion detection FORMAT no intrude detect management Disable management on all Ethernet interfaces FORMAT no management more Disable terminal pagination FORMAT no more...

Page 505: ... ssh syslog Disable the Syslog services FORMAT no syslog telnet Disable Telnet access FORMAT no telnet Command Description Classroom Configure AP for classroom deployment FORMAT quick config Classroom Configures the AP for use in classroom settings K 12 schools Higher education etc High density Configure AP for high density deployment FORMAT quick config High density Configures the AP for use in h...

Page 506: ...r changes have not been saved you are prompted to save your changes to Flash At the prompt answer Yes to save your changes or answer No to discard your changes Command Description active directory Configure Active Directory parameters external radius Configure an external RADIUS server FORMAT authentication server external radius To configure a RADIUS server primary secondary or accounting server ...

Page 507: ...Wireless Access Point The Command Line Interface 481 use Choose the active RADIUS server either external or internal FORMAT authentication server use external or internal Command Description ...

Page 508: ...r default values then reboot the AP Command Description cr Reboot the AP FORMAT reboot delay Reboot the AP after a delay of 1 to 60 seconds FORMAT reboot delay n Command Description cr Reset all configuration parameters to their factory default values FORMAT reset The AP is rebooted automatically preserve ip settings Preserve all ethernet and VLAN settings and reset all other configuration paramet...

Page 509: ... config restore is used to restore configuration to a version that was previously saved locally Command Description Use this to display the list of available config files FORMAT restore filename Enter the name of the locally saved configuration to restore FORMAT restore config filename ...

Page 510: ...T roaming assist data rate 1 99 devices Set device types or classes to assist FORMAT roaming assist devices all unidentified DEVICE CLASS ID string DEVICE TYPE ID string disable off Disable roaming assist FORMAT roaming assist disable enable on Enable roaming assist FORMAT roaming assist enable period Set roaming assist backoff period seconds FORMAT roaming assist period seconds threshold Set roam...

Page 511: ...ay detailed Active Directory information ad list groups List all domain groups ad status Display Active Directory status capture Execute a packet capture clear Remove clear requested elements diagnostic log Generate diagnostic log file end Exit configuration mode help Description of the interactive help system history Display history of commands executed iperf Execute iperf utility FORMAT run test...

Page 512: ...ing internal server radserver port radport secret radsecret user raduser password radpasswd auth type CHAP PAP You may select a RADIUS server that you have already configured ssid or external or internal or specify another server restore Restore to previous saved configuration revert Revert to saved configuration after delay if configuration is not saved save Save running configuration to flash se...

Page 513: ...tility to dump traffic for selected interface or VLAN Supports 802 11 headers FORMAT run tests tcpdump telnet Execute telnet utility FORMAT run tests telnet hostname ip addr command line switches optional traceroute Execute traceroute utility FORMAT run tests traceroute host name ip addr uptime Display time since last boot Command Description wep Set the WEP encryption parameters FORMAT security w...

Page 514: ... is used to enable disable or configure SNMP Command Description trap Configure traps for SNMP Up to four trap destinations may be configured and you may specify whether to send traps for authentication failure FORMAT snmp trap v2 Enable SNMP v2 FORMAT snmp v2 v3 Enable SNMP v3 FORMAT snmp v3 ...

Page 515: ... parameters Command Description add Add an SSID FORMAT ssid add newssid del Delete an SSID FORMAT ssid del oldssid edit Edit an existing SSID FORMAT ssid edit existingssid reset Delete all SSIDs and restore the default SSID FORMAT ssid reset stations Set station limit for this SSID traffic Set traffic limits for this SSID ...

Page 516: ...og console on off level 0 7 disable off Disable the Syslog server FORMAT syslog disable email Disable the Syslog server FORMAT syslog email from email from address level 0 7 password email acct password server email server IPaddr test test msg text to list recipient email addresses user email acct username enable on Enable the Syslog server FORMAT syslog enable local file Set the size and or sever...

Page 517: ... address of the secondary backup Syslog server and or the severity level of messages to be logged FORMAT syslog primary 1 2 3 4 level 0 7 sta format Select format of station information in Syslog messages sta url log Enable or disable station URL logging tertiary Set Tertiary Syslog Server parameters time format Select format of date time information in Syslog messages Command Description add Add ...

Page 518: ...an command MyAP config vlan is used to establish your VLAN parameters edit Modify an existing tunnel FORMAT tunnel edit existingtunnel reset Delete all existing tunnels FORMAT tunnel reset Command Description continuous Continuously update information cr Display time since last reboot FORMAT uptime Command Description add Add a VLAN FORMAT vlan add newvlan Command Description ...

Page 519: ... Assign a VLAN for the default route for outbound management traffic FORMAT vlan default route defaultroute delete Delete a VLAN FORMAT vlan delete oldvlan edit Modify an existing VLAN FORMAT vlan edit existingvlan native vlan Assign a native VLAN traffic is untagged FORMAT vlan native vlan nativevlan no Disable the selected feature FORMAT vlan no feature reset Delete all existing VLANs FORMAT vla...

Page 520: ...AT wifi tag disable enable on Enable wifi tag FORMAT wifi tag enable refresh Disable and enable WiFi tag server Set hostname or IP address of the tag server tag channel bg Set an 802 11b or g channel for listening for tags FORMAT wifi tag tag channel bg 1 255 udp port Set the UDP port which a tagging server will use to query the AP for tagging information FORMAT wifi tag udp port 1025 65535 ...

Page 521: ... Loopback Tests on page 507 To facilitate the accurate and timely management of revisions to this section the examples shown here are presented as screen images taken from a Secure Shell SSH session in this case PuTTY Depending on the application you are using to access the Command Line Interface and how your session is set up for example font and screen size the images presented on your screen ma...

Page 522: ...reless Access Point 496 The Command Line Interface Configuring a Simple Open Global SSID This example shows you how to configure a simple open global SSID Figure 216 Configuring a Simple Open Global SSID ...

Page 523: ... Interface 497 Configuring a Global SSID using WPA PEAP This example shows you how to configure a global SSID using WPA PEAP encryption in conjunction with the AP s Internal RADIUS server Figure 217 Configuring a Global SSID using WPA PEAP ...

Page 524: ...ce Configuring an SSID Specific SSID using WPA PEAP This example shows you how to configure an SSID specific SSID using WPA PEAP encryption in conjunction with the AP s Internal RADIUS server Figure 218 Configuring an SSID Specific SSID using WPA PEAP ...

Page 525: ...reless Access Point The Command Line Interface 499 Enabling Global IAPs This example shows you how to enable all IAPs radios regardless of the wireless technology they use Figure 219 Enabling Global IAPs ...

Page 526: ...eless Access Point 500 The Command Line Interface Disabling Global IAPs This example shows you how to disable all IAPs radios regardless of the wireless technology they use Figure 220 Disabling Global IAPs ...

Page 527: ...ommand Line Interface 501 Enabling a Specific IAP This example shows you how to enable a specific IAP radio In this example the IAP that is being enabled is a1 the first IAP in the summary list Figure 221 Enabling a Specific IAP ...

Page 528: ... Command Line Interface Disabling a Specific IAP This example shows you how to disable a specific IAP radio In this example the IAP that is being disabled is a2 the second IAP in the summary list Figure 222 Disabling a Specific IAP ...

Page 529: ...to configuration to adjust the sizes Be aware that if the intrude detect feature is enabled on the monitor radio its cell size is unaffected by this command Also any IAPs used in WDS links are unaffected Auto configuration may be set to run periodically at intervals specified by auto_cell period in seconds if period is non zero The percentage of overlap allowed between cells in the cell size compu...

Page 530: ...e aware that if the intrude detect feature is enabled on the monitor radio the cell size cannot be set globally you must first disable the intrude detect feature on the monitor radio In this example the cell size is being set to small for all IAPs You have the option of setting IAP cell sizes to small medium large or max See also Fine Tuning Cell Sizes on page 37 Figure 224 Setting the Cell Size f...

Page 531: ...ws you how to establish the cell size for a specific IAP radio In this example the cell size for a2 is being set to medium You have the option of setting IAP cell sizes to small medium large or max the default is max See also Fine Tuning Cell Sizes on page 37 Figure 225 Setting the Cell Size for a Specific IAP ...

Page 532: ...s on an Open SSID This example shows you how to configure VLANs on an Open SSID Figure 226 Configuring VLANs on an Open SSID Setting the default route enables the AP to send management traffic such as Syslog messages and SNMP information to a destination behind a router ...

Page 533: ...air without reboot the AP will issue an alert and reset radios at the Physical Layer Layer 1 and possibly at the MAC layer The reset should not be noticed by users and they will not need to reassociate reboot allowed the AP will issue an alert reset the radios and schedule the AP to reboot at midnight per local AP time if necessary All stations will need to reassociate to the AP off Disable IAP lo...

Page 534: ...Wireless Access Point 508 The Command Line Interface Figure 227 Configuring Radio Assurance Mode Loopback Testing ...

Page 535: ...Wireless Access Point Appendices 509 Appendices ...

Page 536: ...Wireless Access Point 510 Appendices Page is intentionally blank ...

Page 537: ...tly Topics include Factory Default Settings on page 511 Keyboard Shortcuts on page 517 Factory Default Settings The following tables show the Wireless AP s factory default settings Host Name Network Interfaces Serial Setting Default Value Host name Serial Number e g XR4012802207C Setting Default Value Baud Rate 115200 Word Size 8 bits Stop Bits 1 Parity No parity Time Out 10 seconds ...

Page 538: ...ue Enabled Yes DHCP Yes Default IP Address 10 0 2 1 Default IP Mask 255 255 255 0 Default Gateway None Auto Negotiate On Duplex Full Speed 1000 Mbps MTU Size 1500 Management Enabled Yes Setting Default Value Enabled No Primary time nist gov Secondary pool ntp org Setting Default Value Enabled Yes ...

Page 539: ...Information Setting Default Value Enabled Yes Read Only Community String v2 xirrus_read_only Read Write Community String v2 xirrus Read Only Community String v3 xirrus ro Read Write Community String v3 xirrus rw Trap Host null no setting Trap Port 162 Authorization Fail Port On Setting Default Value Enabled No Maximum Lease Time 300 minutes Default Lease Time 300 minutes Setting Default Value ...

Page 540: ...2 168 1 4 IP End Range 192 168 1 254 NAT Disabled IP Gateway None DNS Domain None DNS Server 1 to 3 None Setting Default Value ID xirrus VLAN None Encryption Off Encryption Type None QoS 2 Enabled Yes Broadcast On Setting Default Value Enabled Yes WEP Keys null all 4 keys Setting Default Value ...

Page 541: ...s PSK Enabled No Pass Phrase null Group Rekey Disabled Setting Default Value Enabled Yes Primary Server None Primary Port 1812 Primary Secret null no secret Secondary Server null no IP address Secondary Port 1812 Secondary Secret null no secret Time Out before primary server is retired 600 seconds Accounting Disabled Interval 300 seconds Setting Default Value ...

Page 542: ...Secondary Server None Secondary Port 1813 Secondary Secret null no secret Setting Default Value Enabled No The user database is cleared upon reset to the factory defaults For the Internal RADIUS Server you have a maximum of 1 000 entries Setting Default Value ID admin Password admin Setting Default Value SSH On SSH timeout 300 seconds Setting Default Value ...

Page 543: ...300 seconds Action Shortcut Cut selected data and place it on the clipboard Ctrl X Copy selected data to the clipboard Ctrl C Paste data from the clipboard into a document at the insertion point Ctrl V Go to top of screen Ctrl Z Copy the active window to the clipboard Alt Print Screen Copy the entire desktop image to the clipboard Print Screen Abort an action at any time Esc Go back to the previou...

Page 544: ...Wireless Access Point 518 ...

Page 545: ...ormance of your Wireless APs The Wireless AP requires careful handling For best performance units should be mounted in a dust free and temperature controlled environment If using multiple APs in the same area maintain a distance of at least 100 feet 30m between APs if there is direct line of sight between the units or at least 50 feet 15 m if a wall or other barrier exists between the units Keep t...

Page 546: ...access point The Extended Service Set ESS refers to the group of BSSIDs that are grouped together to form one ESS The ESSID often referred to as SSID or wireless network name identifies the Extended Service Set Clients must associate to a single ESS at any given time Clients ignore traffic from other Extended Service Sets that do not have the same SSID Legacy access points typically support one SS...

Page 547: ... Management Interface go to the SSID Management page 2 Select Yes to make the SSID visible to all clients on the network Although the Wireless AP will not broadcast SSIDs that are hidden clients can still associate to a hidden SSID if they know the SSID name to connect to it 3 Select the minimum security that will be required by users for this SSID 4 If desired optional select a Quality of Service...

Page 548: ...ng PCI DSS on page 593 Q How do I know my management session is secure A Follow these guidelines Administrator passwords Always change the default administrator password the default is admin and choose a strong replacement password When appropriate issue read only administrator accounts SSH versus Telnet Be aware that Telnet is not secure over network connections and should be used only with a dir...

Page 549: ...lity like PuTTy Wired Equivalent Privacy WEP This option provides minimal protection though much better than using an open network An early standard for wireless data encryption and supported by all Wi Fi certified equipment WEP is vulnerable to hacking and is therefore not recommended for use by Enterprise networks Wi Fi Protected Access WPA This is a much stronger encryption model than WEP and u...

Page 550: ...hes the key stored by the administrator in your Wireless APs RADIUS 802 1x with EAP 802 1x uses a RADIUS server to authenticate large numbers of clients and can handle different EAP Extensible Authentication Protocol authentication methods including EAP TLS EAP TTLS and EAP PEAP The RADIUS server can be internal provided by the Wireless AP or external An external RADIUS server offers more function...

Page 551: ...e Wireless AP has integrated monitor capabilities which can constantly scan the local wireless environment for rogue APs non Xirrus devices that are not part of your wireless network unencrypted transmissions and other security issues Administrators can then classify each rogue AP and ensure that these devices do not interrupt or interfere with the network See Also General Hints and Tips Multiple ...

Page 552: ... extend the operation of wired VLANs to the wireless side of the network Wireless VLANs can be mapped to wireless SSIDs so that traffic from wired VLANs can be sent to wireless users of a particular SSID The reverse is also true where wireless traffic originating from a particular SSID can be tagged for transmission on a particular wired VLAN Sixteen SSIDs can be defined on your AP allowing a tota...

Page 553: ...lly set the Antenna selection to Internal Omni also required for monitoring See the IAP Settings on page 312 for more details The values above are the factory default settings for the AP You must also enable RF Monitor Mode on the AP either Timeshare or Dedicated See Advanced RF Settings on page 357 How Monitoring Works When the monitor radio has been configured as just described it performs these...

Page 554: ...dios it issues an alert in the Syslog If repair is allowed see Radio Assurance Options on page 529 the AP will reset and reprogram that particular radio at the Physical Layer PHY Layer 1 This action takes under 100ms and stations are not deauthenticated thus users should not be impacted 3 After another 10 minutes roughly another 60 passes if the monitor still has not heard beacons or probe respons...

Page 555: ...nced RF Settings window see Step 2 Failure alerts only The AP will issue alerts in the Syslog but will not initiate repairs or reboots Failure alerts repairs but no reboots The AP will issue alerts and perform resets of the PHY and MAC as described above Failure alerts repairs reboots if needed The AP will issue alerts perform resets of the PHY and MAC and schedule reboots as described above Disab...

Page 556: ...he RADIUS VSA is used by APs to define the following attribute for administrator accounts AP administrators the Xirrus Admin Role attribute sets the privilege level for this account Set the value to the string defined in Privilege Level Name as described in About Creating Admin Accounts on the RADIUS Server on page 234 Note that the VSA key VENDOR value for Xirrus is 21013 1 ...

Page 557: ...cation Server If the Location Server URL contains the string euclid then it specifies a Euclid server Data is sent at the specified intervals in the proprietary format expected by the Euclid location server Non Euclid Location Server If the Location Server URL doesn t contain the string euclid then data is sent as a JSON object at the specified intervals with the following fields Field Name Descri...

Page 558: ...rame in this window Unix time in seconds ct Current Time Timestamp of last frame in this window Unix time in seconds cf Current Frequency Frequency MHz last frame was heard on il Interval Low Minimum interval between frames within 24 hr period ih Interval High Maximum interval between frames within 24 hr period sl Signal Low Minimum signal strength within 24 hr period sh Signal High Maximum signal...

Page 559: ...ks well http www solarwinds com The TFTP install process creates the TFTP Root directory on your C drive which is the default target for sending and receiving files This may be changed if desired Place the extracted Xirrus software update file s on this directory You must make the following change to the default configuration of the Solar Winds TFTP server In the File menu select Configure then se...

Page 560: ... in the bootloader environment 6 Type dir and hit return to see what s currently in the compact flash 7 Type update server TFTP server ip addr XS 7 x x xxxx bin the actual file name will vary depending on AP model and software version use the file name from your software update and hit return The software update will be transferred to the AP s memory and will be written to the compact flash card S...

Page 561: ... is being rebooted Sending trap done Rebooting Xirrus Boot Loader 6 3 0 6171 Dec 11 2014 15 41 48 Board Xirrus CN5020 CP CPU Board Clocks CPU 300 MHz DDR 666 MHz I2C Bus 384 KHz sampling at 11 MHz Reset Reset requested Watchdog Enabled 5 secs System DDR 512 MB DDR2 Unbuffered non ECC FLASH 2 MB CRC OK RTC Fri 2014 Dec 12 19 40 11 GMT CPU BIST pass PCI PCI 32 bit BAR 0 0x08000000 Radios 0 1 Network...

Page 562: ...11 23 57 16 ssl 2014 Dec 11 23 57 16 wmi 2014 Dec 12 19 35 18 history 2014 Dec 12 18 49 12 storage 2014 Dec 12 18 46 28 wpr 2014 Dec 12 19 39 20 tmp 2014 Dec 12 18 41 28 77993740 XS 7 1 2 5152 bin 2014 Dec 12 19 38 14 29 lastboot old 2014 Dec 12 19 38 58 29 lastboot 2014 Dec 12 18 47 26 proxy client 6 file s 7 dir s XBL update server 10 100 44 44 XS 7 2 3 5452 bin TFTP Device eth0 1000 Mbps Full D...

Page 563: ...File or Directory name 2014 Dec 12 18 47 16 17776 factory conf 2014 Dec 12 19 39 42 17810 lastboot conf 2014 Dec 12 19 37 56 17810 saved conf 2014 Dec 11 23 57 16 ssl 2014 Dec 11 23 57 16 wmi 2014 Dec 12 19 35 18 history 2014 Dec 12 18 49 12 storage 2014 Dec 12 18 46 28 wpr 2014 Dec 12 19 39 20 tmp 2014 Dec 12 18 41 28 77993740 XS 7 1 2 5152 bin 2014 Dec 12 19 38 14 29 lastboot old 2014 Dec 12 19 ...

Page 564: ...7 52 39 UTC Image Type MIPS Linux Multi File Image uncompressed Image Size 78027552 Bytes 74 4 MB Image Contents File 0 17248885 Bytes 16 4 MB Image Contents File 1 49149529 Bytes 46 9 MB Image Contents File 2 11629116 Bytes 11 1 MB Boot Image Verifying image OK Boot Loading Multi File Image OK Boot Watchdog Disabling OK Boot Execute Transferring control to OS Initializing hardware OK Xirrus Wi Fi...

Page 565: ...w wi fi org FCC Notice This device complies with Part 15 of the FCC Rules with operation subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause unwanted operation This Appendix contains Notices Warnings and Compliance information for the XD4 and XR500 600 Series only For ...

Page 566: ... the equipment and the receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced wireless technician for help Use of a shielded twisted pair STP cable must be used for all Ethernet connections in order to comply with EMC requirements This transmitter must not be co located or operating in conjunction with ...

Page 567: ...se with this product is not allowed The device shall not be co located with another transmitter Installez l appareil en veillant à conserver une distance d au moins 30 cm entre les éléments rayonnants et les personnes Cet avertissement de sécurité est conforme aux limites d exposition définies par la norme CNR 102 at relative aux fréquences radio Industry Canada Statement This device complies with...

Page 568: ... When operating the XR 600 Series in the band 5250 5350 MHz with a maximum e i r p greater than 200 mW in Canada please adjust antenna EUT to comply with the following e i r p elevation mask where θ is the angle above the local horizontal plane of the Earth as shown below i 13 dB W MHz for 0 θ 8 ii 13 0 716 θ 8 dB W MHz for 8 θ 40 iii 35 9 1 22 θ 40 dB W MHz for 40 θ 45 iv 42 dB W MHz for θ 45 Ave...

Page 569: ...statnimi odpovidajcimi ustano veni mi Směrnice 1999 5 EC Dansk Danish Dette udstyr er i overensstemmelse med de væsentlige krav og andre relevante bestemmelser i Direktiv 1999 5 EF Deutsch German Dieses Gerat entspricht den grundlegenden Anforderungen und den weiteren entsprechenden Vorgaben der Richtinie 1999 5 EU Eesti Estonian See seande vastab direktiivi 1999 5 EU olulistele nöuetele ja teiste...

Page 570: ...irektyvos nuostatas Nederlands Dutch Dit apparant voldoet aan de essentiele eisen en andere van toepassing zijnde bepalingen van de Richtlijn 1995 5 EC Malti Maltese Dan l apparant huwa konformi mal htigiet essenzjali u l provedimenti l ohra rilevanti tad Direttiva 1999 5 EC Margyar Hungarian Ez a készülék teljesiti az alapvetö követelményeket és más 1999 5 EK irányelvben meghatározott vonatkozó r...

Page 571: ... Marking For the Xirrus XR 500 XR 520H XR 2000 and XR 4000 Series Wireless APs the approval mark is affixed to the equipment Slovensko Slovenian Ta naprava je skladna z bistvenimi zahtevami in ostalimi relevantnimi popoji Direktive 1999 5 EC Slovensky Slovak Toto zariadenie je v zhode so základnými požadavkami a inými prislušnými nariadeniami direktiv 1999 5 EC Suomi Finnish Tämä laite täyttää dir...

Page 572: ...he appropriate take back systems will reuse or recycle most of the materials of this equipment in a way that will not harm the environment The crossed out wheeled bin symbol in accordance with European Standard EN 50419 invites you to use those take back systems and advises you not to combine the material with refuse destined for a land fill If you need more information on collection re use and re...

Page 573: ... authorities for the current status of their national regulations for both 2 4 GHz and 5 GHz wireless LANs The following countries have additional requirements or restrictions than those listed in the above table Belgium The Belgian Institute for Postal Services and Telecommunications BIPT must be notified of any outdoor wireless link having a range exceeding 300 meters Xirrus recommends checking ...

Page 574: ...product is operating within the boundaries of the owner s property its use requires a general authorization Please check with www communicazioni it it for more details Questo prodotto é conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia Se non viene installato all interno del proprio fondo l utilizzo di prodotti wireless ...

Page 575: ... Management Interface WMI or Command Line Interface CLI Operating Frequency The operating frequency in a wireless LAN is determined by the access point As such it is important that the access point is correctly configured to meet the local regulations See National Restrictions in this section for more information If you still have questions regarding the compliance of Xirrus products or you cannot...

Page 576: ...in this section is relevant to the listed countries outside of the European Union and other countries that have implemented the EU Directive 1999 5 EC Declaration of Conformity Brazil This Appendix contains Notices Warnings and Compliance information for the XD4 and XR500 600 Series only For other models see the notes under Notices XR 1000 to XR 6000 Indoor Models on page 563 XR 500 ...

Page 577: ...ss Point 551 Declaration of Conformity Mexico XR 520 Dictamen 1402D00742 XR 600 Dictamen 1402CE08098 XR 520 Cofetel Cert RCPXIXR13 1003 Thailand This telecommunication equipment conforms to NTC technical requirement ...

Page 578: ...stalling Xirrus equipment Additionally verify that the ambient operating temperature does not exceed 50 C 40 C for the XR500 600 Series Explosive Device Proximity Warning Do not operate the XR Series Wireless AP near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use Lightning Activity Warning Do not work on the XR Se...

Page 579: ...ème avant d installer des équipements Xirrus Vérifiez également que la température de fonctionnement ambiante n excède pas 50 C 40 C pour XR 520 Proximité d appareils explosifs N utilisez pas l unité XR Wireless AP à proximité d amorces non blindées ou dans un environnement explosif à moins que l appareil n ait été spécifiquement modifié pour un tel usage Foudre N utilisez pas l unité XR Wireless ...

Page 580: ...ion means the user manuals and all other all documentation instructions or other similar materials accompanying the Software covering the installation application and use thereof 1 2 Licensor means Xirrus and its suppliers 1 3 Product means a multi radio access point containing four or more distinct radios capable of simultaneous operation on four or more non overlapping channels 1 4 Software mean...

Page 581: ... not itself or through any parent subsidiary affiliate agent or other third party i sell rent lease license or sublicense assign or otherwise transfer the Software or any of Customer s rights and obligations under this Agreement except as expressly permitted herein ii decompile disassemble or reverse engineer the Software in whole or in part provided that in those jurisdictions in which a total pr...

Page 582: ... on which the Software is installed has not been subject to any unusual electrical charge 3 2 DISCLAIMER EXCEPT AS EXPRESSLY STATED IN THIS SECTION 3 ALL ADDITIONAL CONDITIONS REPRESENTATIONS AND WARRANTIES WHETHER IMPLIED STATUTORY OR OTHERWISE INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE SATISFACTORY QUALITY ACCURACY AGAINS...

Page 583: ...LIMITED WARRANTIES SET FORTH UNDER THIS AGREEMENT IN THE EVENT YOU ARE LOCATED IN ANY SUCH JURISDICTION THE FOREGOING LIMITATIONS SHALL APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED IN SUCH JURISDICTIONS IN NO EVENT SHALL THE FOREGOING EXCLUSIONS AND LIMITATIONS ON DAMAGES BE DEEMED TO APPLY TO ANY LIABILITY BASED ON FRAUD WILLFUL MISCONDUCT GROSS NEGLIGENCE OR PERSONAL INJURY OR DEATH 4 0 CONFIDENTI...

Page 584: ...he other party or b Either party ceases to carry on business as a going concern either party becomes the object of the institution of voluntary or involuntary proceedings in bankruptcy or liquidation which proceeding is not dismissed within ninety 90 days or a receiver is appointed with respect to a substantial part of its assets 5 3 Effect of Termination a Upon termination of this Agreement in wh...

Page 585: ...l and international laws governing the Software This Agreement will be governed by and construed under the laws of the State of California and the United States as applied to agreements entered into and to be performed entirely within California without regard to conflicts of laws provisions thereof and the parties expressly exclude the application of the United Nations Convention on Contracts for...

Page 586: ...supplying the Equipment to Customer In no event does Xirrus warrant that the Equipment is error free or that Customer will be able to operate the Equipment without problems or interruptions This warranty does not apply if the Equipment a has been altered except by Xirrus b has not been installed operated repaired or maintained in accordance with instructions supplied by Xirrus c has been subjected...

Page 587: ...ustomer to Xirrus with respect to the Product shall be Xirrus property and deemed confidential information of Xirrus Equipment including technical data is subject to U S export control laws including the U S Export Administration Act and its associated regulations and may be subject to export or import regulations in other countries Customer agrees to comply strictly with all such regulations and ...

Page 588: ...Wireless Access Point 562 ...

Page 589: ...he FCC Rules with operation subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may cause unwanted operation This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC rules These limits are designed to This App...

Page 590: ...ienced wireless technician for help Use of a shielded twisted pair STP cable must be used for all Ethernet connections in order to comply with EMC requirements High Power Radars High power radars are allocated as primary users meaning they have priority in the 5250MHz to 5350MHz and 5650MHz to 5850MHz bands These radars could cause interference and or damage to LE LAN devices Non Modification Stat...

Page 591: ... Notice and Marking This Class A digital apparatus complies with Canadian ICES 003 Cet appareil numérique de la classe A est conforme à la norme NMB 003 du Canada The term IC before the radio certification number only signifies that Industry Canada technical specifications were met Under Industry Canada regulations this radio transmitter may only operate using an antenna of a type and maximum or l...

Page 592: ...aux CNR d Industrie Canada applicables aux appareils radio exempts de licence L exploitation est autorisée aux deux conditions suivantes 1 l appareil ne doit pas produire de brouillage et 2 l utilisateur de l appareil doit accepter tout brouillage radioélectrique subi même si le brouillage est susceptible d en compromettre le fonctionnement This equipment should be installed and operated with a mi...

Page 593: ...e v souladu se základnimi požadavky a ostatnimi odpovidajcimi ustano veni mi Směrnice 1999 5 EC Dansk Danish Dette udstyr er i overensstemmelse med de væsentlige krav og andre relevante bestemmelser i Direktiv 1999 5 EF Deutsch German Dieses Gerat entspricht den grundlegenden Anforderungen und den weiteren entsprechenden Vorgaben der Richtinie 1999 5 EU Eesti Estonian See seande vastab direktiivi ...

Page 594: ...irektyvos nuostatas Nederlands Dutch Dit apparant voldoet aan de essentiele eisen en andere van toepassing zijnde bepalingen van de Richtlijn 1995 5 EC Malti Maltese Dan l apparant huwa konformi mal htigiet essenzjali u l provedimenti l ohra rilevanti tad Direttiva 1999 5 EC Margyar Hungarian Ez a készülék teljesiti az alapvetö követelményeket és más 1999 5 EK irányelvben meghatározott vonatkozó r...

Page 595: ... Marking For the Xirrus XR 500 XR 520H XR 2000 and XR 4000 Series Wireless Arrays the approval mark is affixed to the equipment Slovensko Slovenian Ta naprava je skladna z bistvenimi zahtevami in ostalimi relevantnimi popoji Direktive 1999 5 EC Slovensky Slovak Toto zariadenie je v zhode so základnými požadavkami a inými prislušnými nariadeniami direktiv 1999 5 EC Suomi Finnish Tämä laite täyttää ...

Page 596: ...he appropriate take back systems will reuse or recycle most of the materials of this equipment in a way that will not harm the environment The crossed out wheeled bin symbol in accordance with European Standard EN 50419 invites you to use those take back systems and advises you not to combine the material with refuse destined for a land fill If you need more information on collection re use and re...

Page 597: ... authorities for the current status of their national regulations for both 2 4 GHz and 5 GHz wireless LANs The following countries have additional requirements or restrictions than those listed in the above table Belgium The Belgian Institute for Postal Services and Telecommunications BIPT must be notified of any outdoor wireless link having a range exceeding 300 meters Xirrus recommends checking ...

Page 598: ...product is operating within the boundaries of the owner s property its use requires a general authorization Please check with www communicazioni it it for more details Questo prodotto é conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il Piano Nazionale di ripartizione delle frequenze in Italia Se non viene installato all interno del proprio fondo l utilizzo di prodotti wireless ...

Page 599: ...ace WMI or Command Line Interface CLI Operating Frequency The operating frequency in a wireless LAN is determined by the access point As such it is important that the access point is correctly configured to meet the local regulations See National Restrictions in this section for more information Russia CU Approval XR 2000 4000 Series If you still have questions regarding the compliance of Xirrus p...

Page 600: ...999 5 EC Declaration of Conformity Mexico Thailand This Appendix contains Notices Warnings and Compliance information for all Array models except for the XR 500 600 XD Series and models including the letter H For information for those models see the notes at the start of this chapter Mexico XR 1000 XR 2000 XR 4000 XR 6000 7000 Dictamen 1402D00741 Models with 2x2 radios Cofetel Cert RCPXIXI13 0807 ...

Page 601: ...Wireless Access Point 575 Declaration of Conformity Brazil XR 1000 XR 2000 XR 4000 ...

Page 602: ...he system ground prior to installing Xirrus equipment Additionally verify that the ambient operating temperature does not exceed 50 C 40 C for the XR500 Series Explosive Device Proximity Warning Do not operate the XR Series Wireless Array near unshielded blasting caps or in an explosive environment unless the device has been modified to be especially qualified for such use Lightning Activity Warni...

Page 603: ...r l intégrité de la terre du système avant d installer des équipements Xirrus Vérifiez également que la température de fonctionnement ambiante n excède pas 50 C 40 C pour XR 520 Proximité d appareils explosifs N utilisez pas l unité XR Wireless Array à proximité d amorces non blindées ou dans un environnement explosif à moins que l appareil n ait été spécifiquement modifié pour un tel usage Foudre...

Page 604: ...ion means the user manuals and all other all documentation instructions or other similar materials accompanying the Software covering the installation application and use thereof 1 2 Licensor means XIRRUS and its suppliers 1 3 Product means a multi radio access point containing four or more distinct radios capable of simultaneous operation on four or more non overlapping channels 1 4 Software mean...

Page 605: ... not itself or through any parent subsidiary affiliate agent or other third party i sell rent lease license or sublicense assign or otherwise transfer the Software or any of Customer s rights and obligations under this Agreement except as expressly permitted herein ii decompile disassemble or reverse engineer the Software in whole or in part provided that in those jurisdictions in which a total pr...

Page 606: ... on which the Software is installed has not been subject to any unusual electrical charge 3 2 DISCLAIMER EXCEPT AS EXPRESSLY STATED IN THIS SECTION 3 ALL ADDITIONAL CONDITIONS REPRESENTATIONS AND WARRANTIES WHETHER IMPLIED STATUTORY OR OTHERWISE INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE SATISFACTORY QUALITY ACCURACY AGAINS...

Page 607: ...LIMITED WARRANTIES SET FORTH UNDER THIS AGREEMENT IN THE EVENT YOU ARE LOCATED IN ANY SUCH JURISDICTION THE FOREGOING LIMITATIONS SHALL APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED IN SUCH JURISDICTIONS IN NO EVENT SHALL THE FOREGOING EXCLUSIONS AND LIMITATIONS ON DAMAGES BE DEEMED TO APPLY TO ANY LIABILITY BASED ON FRAUD WILLFUL MISCONDUCT GROSS NEGLIGENCE OR PERSONAL INJURY OR DEATH 4 0 CONFIDENTI...

Page 608: ...he other party or b Either party ceases to carry on business as a going concern either party becomes the object of the institution of voluntary or involuntary proceedings in bankruptcy or liquidation which proceeding is not dismissed within ninety 90 days or a receiver is appointed with respect to a substantial part of its assets 5 3 Effect of Termination a Upon termination of this Agreement in wh...

Page 609: ...l and international laws governing the Software This Agreement will be governed by and construed under the laws of the State of California and the United States as applied to agreements entered into and to be performed entirely within California without regard to conflicts of laws provisions thereof and the parties expressly exclude the application of the United Nations Convention on Contracts for...

Page 610: ...supplying the Equipment to Customer In no event does Xirrus warrant that the Equipment is error free or that Customer will be able to operate the Equipment without problems or interruptions This warranty does not apply if the Equipment a has been altered except by Xirrus b has not been installed operated repaired or maintained in accordance with instructions supplied by Xirrus c has been subjected...

Page 611: ...ustomer to Xirrus with respect to the Product shall be Xirrus property and deemed confidential information of Xirrus Equipment including technical data is subject to U S export control laws including the U S Export Administration Act and its associated regulations and may be subject to export or import regulations in other countries Customer agrees to comply strictly with all such regulations and ...

Page 612: ...Wireless Access Point 586 ...

Page 613: ...ation in the configuration in which it will be used Guidance and manufacturer s declaration electromagnetic emissions The Xirrus wireless device is intended for use in the electromagnetic environment specified below The customer or the user of the Xirrus device should assure that it is used in such an environment Emissions test Compliance Electromagnetic environment guidance RF emissions CISPR 11 ...

Page 614: ...y should be at least 30 Electrical fast transient burst IEC 61000 4 4 2 kV for power supply lines 1 kV for input output lines Not applicable for power supply lines 1 kV for input output lines Surge IEC 61000 4 5 1 kV line s to line s 2 kV line s to earth Not applicable Not applicable Voltage dips short interruptions and voltage variations on power supply input lines IEC 61000 4 11 5 Ut 95 dip in U...

Page 615: ... 150 kHz to 80 MHz 3 V m 80 MHz to 2 5 GHz 3 V 3 V m Portable and mobile RF communication equipment should be no closer to any part of the Xirrus wireless device including cables than the recommended separation distance calculated from the equation applicable to the frequency of the transmitter Recommended separation distance d 1 17 P d 1 17 P 80 MHz to 800 MHz d 2 33 P 800 MHz to 2 5 GHz Where P ...

Page 616: ...ical Equipment and Xirrus Wireless Devices Xirrus wireless devices are intended for use in an electromagnetic environment in which radiated RF disturbances are controlled The customer or the user of the Xirrus wireless device can help prevent electromagnetic interference by maintaining a minimum distance between portable and mobile RF communication equipment transmitters and the Xirrus wireless de...

Page 617: ... operation 1 2 3 4 5 6 7 8 9 10 11 5GHz Exact channels available will be based on country of operation UNII I Non DFS Channels 36 40 44 48 UNII 2A DFS channel 52 56 60 64 UNII 2C DFS channels 100 104 108 112 116 132 136 140 144 UNI III Non DFS Channels 149 153 157 161 165 RF Channels Supported in Europe 2 4GHz Exact channels available will be based on country of operation 1 2 3 4 5 6 7 8 9 10 11 1...

Page 618: ...Wireless Access Point 592 Maximum EIRP 2 4GHz 36dBm 5150 5250MHz 23dBm 5250 5350MHz 30dBm 5470 5725MHz 30dBm 5725 5850MHz 36dBm ...

Page 619: ...ssessor PCI DSS lays out a set of requirements that must be met in order to provide adequate security for sensitive data Payment Card Industry Data Security Standard Overview The PCI Data Security Standard PCI DSS has 12 main requirements that are grouped into six control objectives The following table lists each control objective and the specific requirements for each objective For the latest upd...

Page 620: ...applications Objective Implement Strong Access Control Measures Requirement 7 Restrict access to cardholder data by business need to know Requirement 8 Assign a unique ID to each person with computer access Requirement 9 Restrict physical access to cardholder data Objective Regularly Monitor and Test Networks Requirement 10 Track and monitor all access to network resources and cardholder data Requ...

Page 621: ...ld invalidate a PCI compliant configuration This item is covered on the following pages The pci audit Command p 596 Allow only necessary protocols and networks to be accessed by configuring your corporate firewall or using the internal AP firewall Filters p 389 Change the default Admin account password Remove any unnecessary admin or user accounts Change the SNMP community string from the default ...

Page 622: ...ance Configuration above to ensure that you are using the AP in accordance with the PCI DSS requirements Check that external RADIUS servers have been configured for use with 802 1x and WPA WPA2 wireless security Ensure that AP Administration Accounts are being validated by External RADIUS servers SSIDs p 267 and Global Settings p 249 Admin RADIUS p 234 Ensure that each AP is physically inaccessibl...

Page 623: ...put of pci audit command Additional Resources PCI Security Standards Web site www pcisecuritystandards org List of Qualified PCI Security Assessors www pcisecuritystandards org pdfs pci_qsa_list pdf SS AP config pci audit PCI audit failure telnet enabled PCI audit failure admin RADIUS authentication disabled PCI audit failure SSID ssid2 encryption too weak PCI audit failure SSID ssid3 encryption t...

Page 624: ...Wireless Access Point 598 ...

Page 625: ...vel 2 using CLI on page 604 To check if AP is in FIPS mode on page 604 The settings that are required for FIPS Level 2 are discussed in About FIPS Configuration on page 605 Securing the AP Physically Operator Required Actions The Cryptographic Officer is responsible for the following Applying tamper evident seals to the cryptographic module Controlling any unused tamper evident seals Configuring c...

Page 626: ... Tamper Evident Seals This section describes applying seals for indoor APs For outdoor deployments special outdoor AP models for FIPS must be ordered these are modified at the factory for FIPS Level 2 compliance Figure 229 Tamper Evident Seal Application for Indoor Enclosure 1 For Indoor APs Install the AP in a properly mounted locking Indoor Enclosure per the instructions in its Quick Install Gui...

Page 627: ...anagement Interface WMI follow the steps below after the AP has Internet connectivity To do this using the CLI please see To implement FIPS 140 2 Level 2 using CLI on page 604 1 Open a web browser and enter the hostname of the AP By default this is its serial number which may be found on the back of the AP and on the label of the box that it came in For example enter the URL https XR4012807707A Lo...

Page 628: ...gure 231 AP Information 3 If you need to run a different software release first log in to your account at support xirrus com Download the desired FIPS certified software image see the Note on page 599 Click Tools System Tools in the menu on the left of the WMI window Follow the directions in Step System Upgrade under System on page 412 4 Click Configuration Security in the menu on the left of the ...

Page 629: ...Wireless Access Point 603 Figure 232 Security Management Control Window 5 You may now proceed to define SSIDs as described in SSIDs on page 227 ...

Page 630: ... settings required to put the AP in FIPS mode AP config AP config management AP config mgmt fips on 3 You may now proceed to define SSIDs as described in SSIDs on page 227 4 Use the fips off command if you wish to stop enforcing FIPS security requirements on the AP AP config mgmt fips off To check if AP is in FIPS mode You may determine whether or not the AP is running in FIPS mode In the WMI open...

Page 631: ...led See management on page 473 6 Management over IAP is disabled See Global Settings on page 318 7 Fast roaming is disabled See Global Settings on page 318 8 RADIUS administrator authentication is disabled See Admin RADIUS on page 234 9 Global security settings AES is enabled TKIP is disabled PSK is enabled EAP is disabled WPA Pre Shared Key is set to the FIPS default hex value 0123456789abcdef012...

Page 632: ...re not allowed in FIPS mode FTP TFTP and zero touch activation Only FIPS approved ciphers are used for SSH HTTPS in FIPS mode 12 When FIPS mode is enabled disabled CSPs critical security parameters are zeroed configuration is saved and the system is rebooted ...

Page 633: ...ide use of 802 11 WLANs It allows Access Points to communicate information on the permissible radio channels with acceptable power levels for user devices Because the 802 11 standards cannot legally operate in some countries 802 11d adds features and restrictions to allow WLANs to operate within the rules of these countries 802 11g A supplement to the IEEE 802 11 WLAN specification that describes ...

Page 634: ...in on the medium without encountering significant attenuation loss of power beacon interval When a device in a wireless network sends a beacon it includes with it a beacon interval which specifies the period of time before it will send the beacon again The interval tells receiving devices on the network how long they can wait in low power mode before waking up to handle the beacon Network administ...

Page 635: ... of the wireless networking protocols For example 802 11ac and 802 11g use 14 channels in the 2 4 GHz band only 3 of which don t overlap 1 6 and 11 CoS Class of Service A category based on the type of user type of application or some other criteria that QoS systems can use to provide differentiated classes of service default gateway The gateway in a network that a computer will use to access anoth...

Page 636: ...e refers to the company com specifies that the domain belongs to a commercial enterprise DTIM Delivery Traffic Indication Message A DTIM is a signal sent as part of a beacon by an access point to a client device in sleep mode alerting the device to a packet awaiting delivery EAP Extensible Authentication Protocol When you log on to the Internet you re most likely establishing a PPP connection via ...

Page 637: ...r encryption Any procedure used in cryptography to translate data into a form that can be decrypted and read only by its intended receiver Fast Ethernet A version of standard Ethernet that runs at 100 Mbps rather than 10 Mbps FCC Federal Communications Commission US wireless regulatory authority The FCC was established by the Communications Act of 1934 and is charged with regulating Interstate and...

Page 638: ...ame The unique name that identifies a computer on a network On the Internet the host name is in the form comp xyz net If there is only one Internet site the host name is the same as the domain name One computer can have more than one host name if it hosts more than one Internet site for example home xyz net and comp xyz net In this case comp and home are the host names and xyz net is the domain na...

Page 639: ...c time requests to servers obtaining server time stamps and using them to adjust the client s clock packet Data sent over a network is broken down into many small pieces packets by the Transmission Control Protocol layer of TCP IP Each packet contains the address of its destination as well the data Packets may be sent on any number of routes to their destination where they are reassembled into the...

Page 640: ...equestor and never shared The requestor uses the private key to decrypt text that has been encrypted with the public key by someone else PSK Pre Shared Key A TKIP passphrase used to protect your network traffic in WPA public key In cryptography one of a pair of keys one public and one private that are created with the same algorithm for encrypting and decrypting messages and digital signatures The...

Page 641: ...another The AP only allows SSH 2 connections SSH 2 provides strong authentication and secure communications over insecure channels SSH 2 protects a network from attacks such as IP spoofing IP source routing and DNS spoofing Attackers who has managed to take over a network can only force SSH to disconnect they cannot play back the traffic or hijack the connection when encryption is enabled When usi...

Page 642: ...ch you can convert to dBm User group See Group VLAN Virtual LAN A group of devices that communicate as a single network even though they are physically located on different LAN segments Because VLANs are based on logical rather than physical connections they are extremely flexible A device that is moved to another location can remain on the same VLAN without any hardware reconfiguration VLAN taggi...

Page 643: ...ving to install data cabling to each AP WEP Wired Equivalent Privacy An optional IEEE 802 11 function that offers frame transmission privacy similar to a wired network The Wired Equivalent Privacy generates secret shared encryption keys that both source and destination stations can use to alter frame bits to avoid disclosure to eavesdroppers Wi Fi Alliance A nonprofit international association for...

Page 644: ...prise and consumer Wi Fi users with a high level of assurance that only authorized users can access their wireless networks Like WPA WPA2 is designed to secure all versions of 802 11 devices including 802 11a 802 11b 802 11g and 802 11n multi band and multi mode Xirrus Management System XMS A Xirrus product used for managing large Wireless AP deployments from a centralized Web based interface Xirr...

Page 645: ...XR 1 account user 259 ACLs 56 224 522 active directory 259 active IAPs per SSID 297 active software image 413 Address Resolution Protocol window 110 Address Resolution Protocol ARP 331 Admin 522 Admin ID 230 authentication via RADIUS 234 Admin Management 230 admin privileges setting in admin RADIUS account 234 admin RADIUS account if using Console port 234 admin RADIUS authentication 234 administr...

Page 646: ... 357 assurance station see station assurance 364 attack DoS see DoS attack 377 attack impersonation see impersonation attack 378 auth CLI command 452 authentication 20 259 of admin via RADIUS 234 authentication Oauth token CLI command auth 452 authority certificate 228 244 auto block rogue APs settings 376 Auto Cell by band for 5G 337 342 by channel for 5G 337 342 monitor mode 337 343 auto negotia...

Page 647: ...ain see bridging 173 channel auto configuration 357 configuration 357 list selection 357 channels 34 120 312 318 334 340 non overlapping 20 CHAP Challenge Handshake Au thentication Protocol Admin RADIUS settings 235 web page redirect 288 CHAP Challenge Handshake Authen tication Protocol RADIUS ping 423 character restrictions 93 Chrome 30 Cisco Discovery Protocol see cdp 452 Cisco Discovery Protoco...

Page 648: ...7 show 443 snmp 488 ssid 489 statistics 448 syslog 490 tunnel 491 vlan 492 Community String 513 compass heading 100 configuration 161 522 express setup 163 reset to factory defaults 418 configuration changes applying 93 configuration files automatic update from remote server 414 download 415 update from local file 415 update from remote file 415 connection tracking window 111 connectivity servers ...

Page 649: ...2 display WMI options 431 DNS 81 163 180 DNS domain 180 DNS server 180 Domain Name System 180 DoS attack detection settings 377 DTIM 318 DTIM period 318 duplex 170 dynamic VLAN overridden by group 306 E EAP 514 522 EAP MDS 20 EAP PEAP 522 EAP TLS 20 56 522 EAP TTLS 20 56 522 EasyPass Onboarding User PSK 280 EDCF 318 Encryption 514 522 encryption 20 encryption method recommended WPA2 with AES 226 s...

Page 650: ...rol list 390 392 stateful filtering disabling 391 statistics 147 FIPS 243 FIPS 140 2 Security 599 Firefox 30 firewall 389 and port usage 58 stateful filtering disabling 391 fragmentation threshold 334 340 frequently asked questions 520 FTP 522 G General Hints 519 getting started express setup 163 Gigabit 69 75 77 81 163 170 511 global settings 318 334 340 glossary of terms 607 Google Chrome 30 Gro...

Page 651: ...67 installation workflow 67 interfaces 163 Web 85 internal login page web page redirect 286 web page redirect customize 291 internal splash page web page redirect 287 web page redirect customize 291 Internet Explorer 30 interval automatic WMI refresh 431 intrusion detection 120 376 and auto block settings 376 configuration 357 setting as approved or known 120 intrusion detection IDS viewing event ...

Page 652: ...IDS intrusion detection viewing window 158 log system event viewing window 150 logging in 75 77 92 Login 92 login via Console port 234 login page web page redirect 286 421 web page redirect customize 291 logout 432 long retry limit 318 loopback see radio assurance 507 loopback testing radio assurance mode 357 M MAC 56 75 77 520 522 MAC Access Control Lists 56 MAC Access List 247 MAC address 247 52...

Page 653: ...ction tracking window 111 routing table window 110 viewing leases 111 Network Time Protocol 81 163 186 network tools ping traceroute RADIUS ping 422 nomenclature 2 non overlapping channels 20 north see compass heading 100 NTP 81 163 186 512 NTP Server 186 O Oauth CLI command auth 452 Onboarding EasyPass User PSK 280 Open encryption method 226 optimization VLAN 332 options WMI 431 orientation see c...

Page 654: ...D 269 278 about setting QoS 520 521 default QoS 514 user group 306 quality of user experience 364 Quality of Service 21 see QoS 278 306 quick reference guide 511 quick start express setup 163 R radio 81 163 334 340 378 assurance self test 358 359 fast roaming 311 Intrusion Detection IDS IPS 372 radio assurance loopback testing 357 radio assurance loopback mode 358 359 radio distribution 18 radio L...

Page 655: ...AM 23 RF configuration 357 RF management see channel 357 RF monitor mode for Auto Cell 337 343 RF Performance Manager see RPM 21 RF resilience 357 RF Security Manager see RSM 22 roaming 20 107 332 see fast roaming 311 Rogue AP 4 62 120 263 264 522 rogue AP blocking 375 settings for blocking 373 Rogue AP List 120 rogue APs auto block settings 376 blocking 357 Rogue Control List 263 264 rogue detect...

Page 656: ... XMS 198 software upgrade license key 80 412 software image active software image 413 Software Upgrade 409 software upgrade 412 spatial multiplexing 44 specifications 27 spectrum RF management 357 speed 3 75 77 170 11 Mbps 3 54 Mbps 3 splash page web page redirect 287 421 web page redirect customize 291 SSH 29 30 62 81 163 170 225 516 522 SSH 2 225 SSID 4 81 86 120 163 264 276 514 520 525 about us...

Page 657: ... log viewing window 150 System Reboot 409 System Tools 409 system tools 410 T tag WiFi 190 TCP port requirements 58 technical support frequently asked questions 520 Telnet 225 516 522 Temporal Key Integrity Protocol 522 TFTP server automatic update of boot image configuration 414 Time Out 512 time zone 81 163 186 timeout 318 409 Tips 519 TKIP 20 56 66 81 163 514 522 TKIP encryption and XR Arrays 2...

Page 658: ...vlan CLI command 492 VLAN ID 276 VLANs 213 and fast roaming 311 voice fast roaming 311 implementing on Array 270 Voice over IP 340 VoIP 340 VoWLAN 21 VPN 81 163 522 VTS Virtual Tunnel Server 214 219 VTun specifying tunnel server 214 219 understanding 214 W wall thickness considerations 32 warning messages 89 WDS 383 385 about 63 long distance 316 385 planning 63 statistics 144 timeouts 316 385 WDS...

Page 659: ... interval 431 vs XMS 85 workflow 67 WPA 4 66 81 163 224 276 514 522 WPA Wi Fi Protected Access and WPA2 encryption method 226 WPA2 4 WPR Cloud 289 see web page redirect 421 wpr pl 421 422 X X 509 certificate 228 244 Xirrus certificate authority 244 Xirrus Advanced RF Analysis Manag er see RAM 23 Xirrus Advanced RF Performance Manager see RPM 21 Xirrus Advanced RF Security Manager see RSM 22 Xirrus...

Page 660: ...Wireless Access Point 634 Index ...

Page 661: ......

Page 662: ...Drive Thousand Oaks CA 91320 USA To learn more visit xirrus com or email info xirrus com 201 Xirrus Inc All Rights Reserved The Xirrus logo is a registered trademark of Xirrus Inc All other trademarks are the property of their respective owners Content subject to change without notice 800 0022 001R ...

Reviews:

No comments

Related manuals for XR Series

Parrot DS3120 Quick Start Manual preview
DS3120
Brand: Parrot Pages: 32
JBL B380 Technical Manual preview
B380
Brand: JBL Pages: 2
Oklahoma Sound 711 Product Handbook preview
711
Brand: Oklahoma Sound Pages: 4
Uconnect 430 Owner'S Manual Supplement preview
430
Brand: Uconnect Pages: 153
V-Tec D250 User Manual preview
D250
Brand: V-Tec Pages: 24
Magnavox FW391C Instructions Manual preview
FW391C
Brand: Magnavox Pages: 26
Magnavox MRD130 Quick Start Manual preview
MRD130
Brand: Magnavox Pages: 4
Cambridge Audio SX-50 Manual preview
SX-50
Brand: Cambridge Audio Pages: 12
Samsung Wisenet SNK-B73040BW Quick Start Manual preview
Wisenet SNK-B73040BW
Brand: Samsung Pages: 16
C-TEC EACIE User Manual & Log Book preview
EACIE
Brand: C-TEC Pages: 10
Garmin FUSION Apollo MS-WB670 Owner'S Manual preview
FUSION Apollo MS-WB670
Brand: Garmin Pages: 44
Garmin GMA 340 Supplemental Operation Manual preview
GMA 340
Brand: Garmin Pages: 10
salmson ZOOM Installation And Operating Instructions Manual preview
ZOOM
Brand: salmson Pages: 12
Teac LP-R550USB Quick-Start Recording Manual preview
LP-R550USB
Brand: Teac Pages: 2
Teac AG-D200 Quick Start Manual preview
AG-D200
Brand: Teac Pages: 4
VeGue VS-1088 Instruction Manual preview
VS-1088
Brand: VeGue Pages: 12
Vanatoo TRANSPARENT ZERO Quick Start Manual preview
TRANSPARENT ZERO
Brand: Vanatoo Pages: 2
OWI T874 Specifications preview
T874
Brand: OWI Pages: 1

Brands by name

Popular brands

Load more brands