manualshive.com logo in svg

Extreme Networks Altitude 4000 Series, Справочное руководство, Страница: 298 / 521

Поделиться
Скачать
Extreme Networks Altitude 4000 Series Скачать руководство пользователя страница 298

 

Chapter 8: Security Configuration

Altitude

TM

 4000 Series Access Point System Reference Guide

298

TCP IP TTL Zero

The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto 
the network which have a 

Time To Live 

(TTL) of 0. This causes packets 

to loop back to the spoofed originating machine, and can cause the 
network to overload.

IP Spoof

IP Spoof is a category of Denial of Service attack that sends IP packets 
with forged source addresses. This can hide the identity of the attacker.

LAND

The LAND DoS attack sends spoofed packets containing the SYN flag to 
the target destination using the target port and IP address as both the 
source and destination. This will either crash the target system or result 
in high resource utilization slowing down all other processes.

Option Route

Enables the IP Option Route denial of service check in the firewall.

Router Advertisement

In this attack, the attacker uses ICMP to redirect the network router 
function to some other host. If that host can not provide router services, 
a DoS of network communications occurs as routing stops. This can also 
be modified to single out a specific system, so that only that system is 
subject to attack (because only that system sees the 'false' router). By 
providing router services from a compromised host, the attacker can also 
place themselves in a "man-in-the-middle' situation and take control of 
any open channel at will (as mentioned earlier, this is often used with 
TCP packet forgery and spoofing to intercept and change open TELNET 
sessions).

Router Solicit

The ICMP Router Solicitation scan is used to actively find routers on a 
network. Of course, a hacker could set up a protocol analyzer to detect 
routers as they broadcast routing information on the network. In some 
instances, however, routers may not send updates. For example, if the 
local network does not have other routers, the router may be configured 
to not send routing information packets onto the local network.

ICMP offers a method for router discovery. Clients send ICMP router 
solicitation multicasts onto the network, and routers must respond (as 
defined in RFC 1122). 

By sending ICMP Router Solicitation packets (ICMP type 9) on the 
network and listening for ICMP Router Discovery replies (ICMP type 10), 
hackers can build a list of all of the routers that exist on a network 
segment. Hackers often use this scan to locate routers that do not reply 
to ICMP echo requests

Smurf

The Smurf DoS Attack sends ICMP echo requests to a list of broadcast 
addresses in a row, and then repeats the requests, thus flooding the 
network.

Snork

The Snork DoS attack uses UDP packet broadcasts to consume network 
and system resources.

TCP Bad Sequence

Enables a TCP Bad Sequence denial of service check in the firewall.

TCP FIN Scan

Hackers use the TCP FIN scan to identify listening TCP port numbers 
based on how the target device reacts to a transaction close request for 
a TCP port (even though no connection may exist before these close 
requests are made). This type of scan can get through basic firewalls 
and boundary routers that filter on incoming TCP packets with the Finish 
(FIN) and ACK flag combination. The TCP packets used in this scan 
include only the TCP FIN flag setting.

If the target device's TCP port is closed, the target device sends a TCP 
RST packet in reply. If the target device's TCP port is open, the target 
device discards the FIN and sends no reply. 

Содержание Altitude 4000 Series

Страница 1: ...nroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com AltitudeTM 4000 Series Access Point System Reference Guide Software Version 5 2 Published November 2011...

Страница 2: ...SummitStack Triumph Unified Access Architecture Unified Access RF Manager UniStack the Extreme Networks logo the Alpine logo the BlackDiamond logo the Extreme Turbodrive logo the Summit logos and the...

Страница 3: ...figuration Operation Icons 22 Access Type Icons 23 Administrative Role Icons 23 Device Icons 24 Chapter 4 Quick Start 25 Using the Initial Setup Wizard 25 Chapter 5 Dashboard 45 Dashboard 45 Dashboard...

Страница 4: ...guration 130 Managing Virtual Controllers 132 Overriding a Device Configuration 134 Basic Configuration 135 Assigning Certificates 137 Certificate Management 139 RSA Key Management 146 Certificate Cre...

Страница 5: ...S Policy 264 Configuring a Radio s QoS Policy 265 Radio QoS Configuration and Deployment Considerations 272 AAA Policy 273 Association ACL 282 Association ACL Deployment Considerations 284 Smart RF Po...

Страница 6: ...perations 389 Managing Firmware and Config Files 390 Upgrading Device Firmware 391 Managing File Transfers 393 Using the File Browser 395 AP Upgrades 396 Certificates 400 Certificate Management 401 RS...

Страница 7: ...Viewing Interface Statistics Graph 476 Network 477 ARP Entries 477 Route Entries 478 Bridge 478 DHCP Options 481 Cisco Discovery Protocol 482 Link Layer Discovery Protocol 483 DHCP Server 484 DHCP Bi...

Страница 8: ...Table of Contents AltitudeTM 4000 Series Access Point System Reference Guide 8 Graph 517 Appendix A Customer Support 519 Registration 519 Documentation 519...

Страница 9: ...ired to transition to a more advanced configuration of the access point The installation guide is unique to the particular access point model purchased Altitude Access Point System Reference Guide thi...

Страница 10: ...hat could result in personal injury or equipment damage Notational Conventions The following additional notational conventions are used in this document Italic text is used to highlight the following...

Страница 11: ...update from the Virtual Controller AP s assigned profile configuration the administrator should apply a Device Override to change just that access point s configuration For more information on applyi...

Страница 12: ...support is significantly reduced as traffic does not require an unnecessary backhaul Within a network up to 80 of the network traffic can remain on the AP wired mesh without going back to the central...

Страница 13: ...in wired and wireless networks Thus users benefit from an extremely reliable network that adapts to meet their needs and delivers mixed media applications Firmware and configuration updates are suppo...

Страница 14: ...Chapter 2 Overview AltitudeTM 4000 Series Access Point System Reference Guide 14...

Страница 15: ...ent For information on how to access and use the Web UI see Accessing the Web UI on page 15 Glossary of Icons Used on page 17 Accessing the Web UI The access point uses a Graphical User Interface GUI...

Страница 16: ...point s IP address using its MAC address a Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows b Wi...

Страница 17: ...2 Access Type Icons on page 23 Administrative Role Icons on page 23 Device Icons on page 24 Global Icons Web UI Overview This section lists global icons available throughout the interface Logoff Selec...

Страница 18: ...To edit a policy click on the policy and select this button Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to...

Страница 19: ...ected that did not stop the process from completing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has complet...

Страница 20: ...dicates a bridging policy configuration has been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domai...

Страница 21: ...conjunction with captive portal to provide hotspot services to wireless clients DHCP Server Policy Indicates a DHCP server policy is being applied DHCP provides IP addresses to wireless clients A DHCP...

Страница 22: ...s a file that records the status of all the processes and memory when a process fails Panic Snapshots Indicates a panic snapshot has been generated A panic snapshot is a file that records the status o...

Страница 23: ...console access permission A user with this permission is permitted to access using the access point s serial console Superuser Indicates superuser privileges A superuser has complete access to all co...

Страница 24: ...nds view or retrieve logs and reboot an access point Web User Indicates a Web user privilege A Web user is allowed accessing the access point s Web user interface System This icon indicates system wid...

Страница 25: ...ons on how to use the initial setup wizard see Using the Initial Setup Wizard on page 25 Using the Initial Setup Wizard Once the access point is installed and powered on complete the following steps t...

Страница 26: ...oints management interface has been accessed an introductory screen displays that outlines the parameters that can be configured sequentially using the setup wizard NOTE The Initial Setup Wizard displ...

Страница 27: ...igation Panel and Introduction for the configuration activities comprising the access point s initial setup A green checkmark to the left of an item in the Navigation Panel defines the listed task as...

Страница 28: ...to the previous screen in the Navigation Panel without saving your updates NOTE While you can navigate to any page in the navigation panel you cannot complete the Initial AP Setup Wizard until each t...

Страница 29: ...same model Standalone AP Select this option to deploy this access point as an autonomous fat access point A standalone AP isn t managed by a Virtual Controller AP or adopted by a controller NOTE If de...

Страница 30: ...the preferred controllers If using the static method you ll also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically NOTE The best way...

Страница 31: ...t supported by just a single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas brid...

Страница 32: ...rmation for the LAN interface Use DHCP Select the checkbox to enable an automatic network address configuration using the access point s DHCP server Static IP Address Subnet Enter an IP Address and a...

Страница 33: ...ault Gateway Define a default gateway address for use with the default gateway This is a required parameter DNS Forwarding Select this option to allow a DNS server to translate domain names into IP ad...

Страница 34: ...e required fields The port connected to the WAN Select the port used as the physical access point connection to the external network This ports available differ depending on the access point model dep...

Страница 35: ...he ADSP Sensor Support field displays at the bottom of the screen only if a radio has been dedicated as a sensor 16 Set the following parameters for each radio Configure as a Date Radio Select this op...

Страница 36: ...ce Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor...

Страница 37: ...the Initial Setup Wizard AltitudeTM 4000 Series Access Point System Reference Guide 37 18 Set the following parameters for each if the WLAN configurations available as part of this Initial AP Setup W...

Страница 38: ...is used WPA Key If a WPA key is required PSK Authentication and WPA2 Encryption enter an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting a...

Страница 39: ...he Username Password Description and Actions columns to review credentials of existing RADIUS Server user accounts Add new accounts or edit the properties of existing accounts as updates are required...

Страница 40: ...Re enter or modify the password as a means of confirming the password This is a required parameter Description Optionally provide a description of the user account as means of further differentiating...

Страница 41: ...eless network Contact Specify the contact information for the administrator The credentials provided should accurately reflect the individual responding to service queries Country Select the Country w...

Страница 42: ...h the NTP resource 27 If an NTP resource is unavailable set the System Date and Time calendar date time and AM PM designation 28 Optionally enter the IP address of a server used to provide system time...

Страница 43: ...uide 43 30 If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summ...

Страница 44: ...Chapter 4 Quick Start AltitudeTM 4000 Series Access Point System Reference Guide 44...

Страница 45: ...havior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard on page 45 Netw...

Страница 46: ...splays the Health tab by default Dashboard Conventions The Dashboard displays device information using the following conventions Health Displays information about the state of the access point managed...

Страница 47: ...Health Health The Health tab displays information about the state of the access point managed network Information in this tab is classified as Device Details on page 48 Radio RF Quality Index on page...

Страница 48: ...tment Periodically select Refresh at the bottom of the screen to update the data displayed Radio RF Quality Index Health The Radio RF Quality Index field displays a RF quality table for the access poi...

Страница 49: ...t to wireless client load and radio band Periodically select Refresh at the bottom of the screen to update the RF quality data Radio Utilization Index Health The Radio Utilization Index field displays...

Страница 50: ...ent radios connected to the access point The RF Quality Index measures the overall effectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as...

Страница 51: ...ected access point The Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a spec...

Страница 52: ...update the radio information WLAN Utilization Inventory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures h...

Страница 53: ...client support requirements NOTE Altitude 4532 and Altitude 4700 series model access points can support up to 256 client connections to a single access point Altitude 4511 and Altitude 4521 4522 model...

Страница 54: ...played using a number of different color options Access points and clients can be selected and viewed using various color schemes in respect to neighboring access points connected devices and performa...

Страница 55: ...play connected clients Navigate the System Browser as required to review device connections within the access point managed network Many of these peer access points are available for connection to acc...

Страница 56: ...4 GHz radio band and Blue 5 GHz radio band Selecting Band is a good way to determine whether 2 4 and 5 GHz radios are optimally deployed in respect to the access point client loads on both bands Chann...

Страница 57: ...Access Point System Reference Guide 57 Optionally select the Statistics link at the bottom of the display a screen where Access Point device data can be reviewed on a much more granular level For mor...

Страница 58: ...Chapter 5 Dashboard AltitudeTM 4000 Series Access Point System Reference Guide 58...

Страница 59: ...dministered design For more information see RF Domain Overrides on page 153 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same...

Страница 60: ...pports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the...

Страница 61: ...by the access point alone The access point works in conjunction with a dedicated WIPS server Location Assign the physical location of the RF Domain This name could be as specific as the floor of a bui...

Страница 62: ...by the RF Domain 6 Use the spinner control to specify the Port of each WIPS server The default port is 443 7 Select OK to save the changes to the AirDefense WIPS configuration or select Reset to Rever...

Страница 63: ...ompared to the default radio configurations in previous WiNG 5 releases is that default profiles are used as pointers of an access point s configuration not just templates from which the configuration...

Страница 64: ...complex programmable logic device CPLD The CPLD determines proper supply sequencing the maximum power available and other status information One of the primary functions of the CPLD is to determine t...

Страница 65: ...ccess point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To define an access point s power configur...

Страница 66: ...elect OK to save the changes made to the access point power configuration Select Reset to revert to the last saved configuration Profile Adoption Auto Provisioning Configuration Adoption is the proces...

Страница 67: ...o save the changes made to the general profile configuration Select Reset to revert to the last saved configuration Profile Interface Configuration A access point profile can support customizable Ethe...

Страница 68: ...d significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 91 Ethernet Port Configuration Profile Interface Configuration Displays th...

Страница 69: ...n the port are expected as untagged and mapped to the native VLAN If set to Trunk the port allows packets from a list of VLANs added to the trunk A port configured as Trunk supports multiple 802 1Q ta...

Страница 70: ...ransmit the data Select either 10 Mbps 100 Mbps 1000 Mbps Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission...

Страница 71: ...you add to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default mode Native VLAN Use the spinner contro...

Страница 72: ...define the following Trust ARP Responses Select the radio button to enable ARP trust on this access point port ARP packets received on this port are considered trusted and information from these pack...

Страница 73: ...tion Profile Interface Configuration A Virtual Interface is required for layer 3 IP access to provide layer 3 service on a VLAN The Virtual Interface defines which IP address is associated with each V...

Страница 74: ...ssigned when it was created The name is between 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed access point interface Des...

Страница 75: ...he default value is disabled Enable Zero Configuration The access point can use Zero Config for IP assignments on an individual virtual interface basis Select Primary to use Zero Config as the designa...

Страница 76: ...c Configuration screen Select Reset to revert to the last saved configuration 11 Select the Security tab 12 Use the Inbound IP Firewall Rules drop down menu to select the firewall rule configuration t...

Страница 77: ...d select the Edit button The port channel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name can...

Страница 78: ...Select either of these options to establish a 10 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port These options are not available if Auto is...

Страница 79: ...the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select the checkbox to tag the native...

Страница 80: ...save the changes to the security configuration Select Reset to revert to the last saved configuration 15 Select the Spanning Tree tab Trust ARP Responses Select the check box to enable ARP trust on t...

Страница 81: ...ceiving a BPDU Thus no BPDUs are processed The default setting is None Enable as Edge Port Select the check box to define this port as an edge port Using an edge private port you can isolate devices t...

Страница 82: ...onfiguration Profile Interface Configuration An access point profile can have its radio configuration modified once its radios have successfully associated to the network To define a Access Point radi...

Страница 83: ...the radio s configuration was added or modified Admin Status A red X defines the radio s admin status as currently disabled A green checkmark designates the admin status as enabled RF Mode Displays w...

Страница 84: ...xisting Association ACL policy to apply to the access point radio An Association ACL is a policy based Access Control List ACL that either prevents or allows wireless clients from connecting to a acce...

Страница 85: ...transmissions and receipts over two antennas for dual antenna models The default setting is dynamic based on the access point model deployed and its transmit power settings Enable Antenna Diversity S...

Страница 86: ...ng the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold between 1 2 347 bytes for use by the WLAN s adop...

Страница 87: ...model can support up to 8 BSS IDs 14 Select the OK button located at the bottom right of the screen to save the changes to the WLAN Mapping Select Reset to revert to the last saved configuration 15 S...

Страница 88: ...lect the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 20 Select the Advanced Settings tab Me...

Страница 89: ...PDU Modes Use the drop down menu to define the A MPDU mode supported Options include Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the defaul...

Страница 90: ...packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twi...

Страница 91: ...the following deployment guidelines to ensure these configuration are optimally effective WAN Interface Name Displays the WAN Interface name for the WAN 3G Backhaul card Enable WAN 3G Check this box t...

Страница 92: ...onfiguration Setting an access point profile s network configuration is a large task comprised of numerous administration activities An access point profile network configuration process consists of t...

Страница 93: ...Servers field provide the IP addresses of up to three DNS server resources available to the access point 8 Select OK to save the changes made to the DNS configuration Select Reset to revert to the las...

Страница 94: ...ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address...

Страница 95: ...priority voice traffic The profile QoS screen maps the 6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP head...

Страница 96: ...s Select Reset to revert to the last saved configuration Static Routes Profile Network Configuration DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet cla...

Страница 97: ...s 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Static Routes 5 Select Add Row as needed to include single rows in the static routes table 6...

Страница 98: ...ase 5 Define a Bridge Aging Time between 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before being deleted due to lack of acti...

Страница 99: ...n though they are on separate physical subnets The systems in conference rooms X and Y are managed by the same single device but ignore the systems that aren t using same VLAN ID Administrators often...

Страница 100: ...An edge VLAN is the VLAN where hosts are connected For example if VLAN 10 is defined with wireless clients and VLAN 20 is where the default gateway resides VLAN 10 should be marked as an edge VLAN and...

Страница 101: ...utomatic Select Automatic mode to let the access point determine the best bridging mode for the VLAN Local Select Local to use local bridging mode for bridging traffic on the VLAN Tunnel Select Tunnel...

Страница 102: ...d an administrator can better track the leases when hostnames are used instead of devices To include a hostnames in DHCP request 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Selec...

Страница 103: ...ofile configuration is optimally effective Administrators often need to route traffic to interoperate between different VLANs Bridging VLANs are only for non routable traffic like tagged VLAN frames d...

Страница 104: ...verage existing firewall wireless client role and WIPS policies and configurations and apply them to the profile s configuration This affords each profile a truly unique combination of data protection...

Страница 105: ...improperly issued a certificate or if a private key is compromised The most common reason for revocation is the user no longer being in sole possession of the private key To define a CRL configuration...

Страница 106: ...querading technique to hide private IP addresses behind a single public facing IP address NAT is a process of modifying network address information in IP packet headers while in transit across a traff...

Страница 107: ...lists those NAT policies created thus far Any of these policies can be selected and applied to the access point profile 5 Select Add to create a new NAT policy that can be applied to a profile Select...

Страница 108: ...NAT type either Inside or Outside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perime...

Страница 109: ...is the default setting 12 Select the Destination tab to view destination NAT configurations and define packets passing through the NAT on the way back to the LAN are searched against to the records ke...

Страница 110: ...oth timeouts and retransmissions TCP establishes a full duplex virtual connection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP o...

Страница 111: ...fied is destination Network Select Inside or Outside NAT as the network direction Inside is the default setting Source List ACL Lists the ACL defining packet selection criteria for the NAT configurati...

Страница 112: ...ed will not be exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside NAT as the network direction for the dynamic N...

Страница 113: ...e profile to block undesirable traffic from being routed For outbound Internet access a stateful firewall can be configured to deny all traffic If port address translation is required a stateful firew...

Страница 114: ...ptive portal policy use the default captive portal policy or select the Create link to create a new captive portal configuration that can be applied to this profile For more information see Configurin...

Страница 115: ...Management Configuration The access point has mechanisms to allow deny management access to the network for separate interfaces and protocols HTTP HTTPS Telnet SSH or SNMP These management access conf...

Страница 116: ...Chapter 6 Device Configuration AltitudeTM 4000 Series Access Point System Reference Guide 116...

Страница 117: ...verity coincides with the syslog logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4...

Страница 118: ...servers require users to authenticate with a username and password before sending e mail through the server Enable Configuration Upgrade Select this option to enable automatic configuration file upda...

Страница 119: ...e maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrade to a newer firmware version using i...

Страница 120: ...ubnet mask of 255 255 0 0 3 Ping the Altitude 4532 from the computer to ensure IP connectivity 4 Open an SSH session on the computer and connect to the Altitude 4532 s IP address 5 Login with a userna...

Страница 121: ...d configuration is comprised of defining connected client load balance settings a MINT protocol configuration and miscellaneous settings NAS ID access point LEDs and RF Domain Manager To set an access...

Страница 122: ...n clients Select this option to use probes from shared clients in the neighbor selection process This feature is enabled by default to provide the best common group of available clients amongst access...

Страница 123: ...d if wishing to prioritize client traffic on the 2 4 GHz radio band The higher the value set the greater the weight assigned to radio traffic load on the 2 4 GHz radio band The default setting is 1 Th...

Страница 124: ...more important than a high client connection count The default setting is 10 Max 5GHz Load Difference Considered Equal Use the spinner control to set a value between 0 100 considered an adequate discr...

Страница 125: ...ators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network...

Страница 126: ...ile Level 1 Area ID Select the check box to enable a spinner control for setting the Level 1 Area ID between 1 4 294 967 295 The default value is disabled Designated IS Priority Adjustment Use the spi...

Страница 127: ...tab to display the link IP network address information shared by the devices managed by the access point s MINT configuration The IP tab displays the IP address routing level link cost hello packet in...

Страница 128: ...level of either 1 or 2 Listening Link Specify a listening link of either 0 or 1 UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone a...

Страница 129: ...and Adjacency Hold Time managed devices use to securely communicate amongst one another Select Add to create a new VLAN link configuration or Edit to modify an existing configuration NOTE If creating...

Страница 130: ...resenting a physical port When the wireless controller authorizes users it queries the user profile database using a username representative of the physical NAS port making the connection VLAN If addi...

Страница 131: ...managed device as being capable of being the RF Domain manager for a particular RF Domain The default value is enabled The RF Domain manager can support up to 24 access point of the same model Altitud...

Страница 132: ...not the CLI The CLI provides the ability to define more than one profile while the UI only provides one per access point model Consequently the two interfaces cannot be used collectively to manage pr...

Страница 133: ...r s radio coverage area Each listed access point is listed by its assigned System Name MAC Address and Virtual Controller designation Only Standalone APs of the same model can have their Virtual Contr...

Страница 134: ...tration and management of all the APs in the network in does introduce the risk of allowing device association to a potential rogue device That s why this setting is disabled by default 8 Select OK to...

Страница 135: ...sic configuration parameters be set and its deployment location defined Additionally the number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual...

Страница 136: ...the RF Domain or Profile the access points supports and is identified by Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exc...

Страница 137: ...the owner s public key the certificate expiration date the owner s name and other public key owner information Each certificate is digitally signed by a trustpoint The trustpoint signing the certifica...

Страница 138: ...tificate configurations Selecting Reset reverts the screen to its last saved configuration For more information on the certification activities refer to the following HTTPS Trustpoint Either use the d...

Страница 139: ...ertificate Management Assigning Certificates If not wanting to use an existing certificate or key with a selected device an existing stored certificate can be leveraged from a different device Device...

Страница 140: ...nt screen displays with the Trustpoints section displayed by default 2 Select a device from amongst those displayed to review its certificate information Refer to the Certificate Details to review the...

Страница 141: ...e key used by both the device and the server or repository of the target trustpoint Select the Show textbox to expose the actual characters used in the key Leaving the Show checkbox unselected display...

Страница 142: ...the default setting Cut and Paste Select the Cut and Paste radio button to copy an existing CA certificate into the cut and past field When pasting a valid CA certificate no additional network address...

Страница 143: ...ng the Certificate Revocation List CRL Configuration on page 105 10 Define the following configuration parameters required for the Import of the CRL Trustpoint Name Enter the 32 character maximum name...

Страница 144: ...for the Import of the CA certificate Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 and usb2 IP Address If selecting Advanced enter IP address...

Страница 145: ...ficate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certif...

Страница 146: ...RSA key is the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import export keys to and from remote locations Trustpoint Name Enter t...

Страница 147: ...an have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected de...

Страница 148: ...the server or repository of the target RSA key Select the Show textbox to expose the actual characters used in the passphrase Leaving the Show checkbox unselected displays the passphrase as a series o...

Страница 149: ...signed to the RSA key Key Passphrase Define the key passphrase used by both the access point and the server Select the Show textbox to expose the actual characters used in the passphrase Leaving the S...

Страница 150: ...er left hand side of the Certificate Management screen 3 Define the following configuration parameters required to Create New Self Signed Certificate Certificate Name Enter the 32 character maximum na...

Страница 151: ...an identity certificate digitally signed with the private key of the CA To create a CSR Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s...

Страница 152: ...Use Existing Key Select the radio button and use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Sele...

Страница 153: ...point supports a single RF domain An access point RF Domain cannot be used on a different model access point For example an Altitude 4532 RF Domain override can only be applied to another Altitude 45...

Страница 154: ...t location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the maintenance...

Страница 155: ...iodic refinement from their original administered design Consequently a device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particu...

Страница 156: ...er to the following to complete the override of the access point s entire profile configuration Radio Power Overrides Adoption Overrides Profile Interface Override Configuration AutoKey Select the rad...

Страница 157: ...PLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces...

Страница 158: ...s changed the access point requires a reset to implement the change If 802 3at is selected the access point assumes 23 26 watts are available 8 Set or override the Access Point radio s 802 3af Power M...

Страница 159: ...an access point solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an exist...

Страница 160: ...es made to the access point adoption configuration Select Reset to revert to the last saved configuration Profile Interface Override Configuration An access point requires its Virtual Interface be con...

Страница 161: ...ne an Ethernet port configuration override 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select a target device by double clinking it from amongst those...

Страница 162: ...rt Admin Status A green checkmark defines the port as active and currently enabled with the profile A red X defines the port as currently disabled and not available for use The interface status can be...

Страница 163: ...When a frame is tagged the 12 bit frame VLAN ID is added to the 802 1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to The device reads the 12 bit VLAN ID and forwards the...

Страница 164: ...face updates to a multicast address to advertise its presence to neighbors Cisco Discover Protocol Transmit Select the radio button to allow the Cisco discovery protocol for transmitting data on this...

Страница 165: ...the native VLAN The IEEE 802 1Q specification is supported for tagging frames and coordinating VLANs between devices IEEE 802 1Q adds four bytes to each frame identifying the VLAN ID for upstream dev...

Страница 166: ...tion networks for routing To review existing Virtual Interface configurations and either create a new Virtual Interface configuration modify override an existing configuration or delete an existing co...

Страница 167: ...e the configuration of an existing Virtual Interface or Delete to permanently remove a selected Virtual Interface Name Displays the name of each listed Virtual Interface assigned when it was created T...

Страница 168: ...eans of providing an IP address this eliminates the means to assign one manually Selecting Secondary is preferred when wanting the option to either use Zero Config or manual assignments None is the de...

Страница 169: ...o Setting the Profile s NAT Configuration on page 106 for instructions on creating a profile s NAT configuration 14 Select OK button to save the changes and overrides to the Basic Configuration screen...

Страница 170: ...vice menu to expand it into sub menu options 4 Select Interface to expand its sub menu options 5 Select Radios NOTE A blue override icon to the left of a parameter defines the parameter as having an o...

Страница 171: ...er enabled or disabled for client or sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be lis...

Страница 172: ...channel with the fewest access points In case of multiple access points on the same channel it will select the channel with the lowest average power level The default value is Smart Transmit Power Set...

Страница 173: ...to specify whether the radio is located Indoors or Outdoors The placement should depend on the selected country of operation and its regulatory domain requirements for radio emissions The default sett...

Страница 174: ...m recovery from electromagnetic interference and data collisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS thresho...

Страница 175: ...sign each WLAN its own BSSID If using a single radio Altitude 4511 or Altitude 4521 access point there are 8 BSSIDs available If using a dual radio Altitude 4532 or Altitude 4700 series access point t...

Страница 176: ...preference 20 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advance...

Страница 177: ...value to None for high priority traffic to reduce packet delay A MPDU Modes Use the drop down menu to define the A MPDU mode Options include Transmit Only Receive Only Transmit and Receive and None Th...

Страница 178: ...be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation To define a W...

Страница 179: ...the WAN 3G Backhaul card Reset WAN Card If the WAN Card becomes unresponsive or is experiencing other errors click the Reset WAN Card button to power cycle and reboot the WAN card Enable WAN 3G Check...

Страница 180: ...twork Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP add...

Страница 181: ...to forward DNS queries if DNS resources are unavailable The DNS name servers are used to resolve IP addresses Use the Clear link next to each DNS server to clear the DNS name server s IP address from...

Страница 182: ...packet length and format and sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine kn...

Страница 183: ...the changes and overrides to the ARP configuration Select Reset to revert to the last saved configuration Overriding a Quality of Service QoS Configuration Overriding the Network Configuration Switch...

Страница 184: ...per hop behavior that is applied to a packet This QoS assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar access...

Страница 185: ...is eliminates the need for a long configuration file and reduces the resource space required to maintain address pools To create or override a static routes 1 Select Devices from the Configuration tab...

Страница 186: ...c from a managed device to another network segment The default gateway connects the network to the outside network Internet The gateway is associated with a router which uses headers and forwarding ta...

Страница 187: ...er similar device models To define or override a forwarding database configuration 1 Select Devices from the Configuration tab 2 Select a target device from the Device Browser in the lower left hand s...

Страница 188: ...try will remain in the a bridge s forwarding table before being deleted due to lack of activity If an entry replenishments a destination generating continuous traffic this timeout value will never be...

Страница 189: ...te physical subnets The systems in conference rooms X and Y are managed by the same single entity but ignore the systems that aren t using same VLAN ID Administrators often need to route traffic to in...

Страница 190: ...ssigned when it was created or modified The description should be unique to the VLAN s specific configuration and help differentiate it from other VLANs with similar configurations Edge VLAN Mode Defi...

Страница 191: ...enabled DHCP packets from a DHCP server are considered trusted and permissible within the network DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks Bridging Mode Specify...

Страница 192: ...n tab 2 Select a target device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Network to expa...

Страница 193: ...eless client role policy WEP shared key authentication NAT policy and VPN policy applied If an existing firewall client role or NAT policy is unavailable create the required security policy configurat...

Страница 194: ...I 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Security to expand its sub menu options 5 Select General NOTE A blue override icon to the left of a parame...

Страница 195: ...arget device from the Device Browser in the lower left hand side of the UI 3 Select Profile Overrides from the Device menu to expand it into sub menu options 4 Select Security to expand its sub menu o...

Страница 196: ...NAT is a process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping one IP address to another In most deployme...

Страница 197: ...sts those NAT policies created thus far Any of these policies can be selected and applied to a profile 6 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or...

Страница 198: ...et the NAT type either Inside or Outside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a...

Страница 199: ...ult setting 10 Select the Destination tab to view destination NAT configurations and define packets passing through the NAT on the way back to the LAN are searched against to the records kept by the N...

Страница 200: ...y an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram se...

Страница 201: ...CL Lists an ACL name to define the packet selection criteria for the NAT configuration NAT is applied only on packets which match a rule defined in the access list These addresses once translated are...

Страница 202: ...n the access list These addresses once translated will not be exposed to the outside world when the translation address is used to interact with the remote destination Network Select Inside or Outside...

Страница 203: ...estrictive access to the network The primary means of securing such guest access is a hotspot A captive portal policy s hotspot configuration provides secure authenticated access using a standard Web...

Страница 204: ...ion must be modified from its original device profile configuration Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define or o...

Страница 205: ...Adoption Overrides AltitudeTM 4000 Series Access Point System Reference Guide 205...

Страница 206: ...ogging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debu...

Страница 207: ...le and firmware updates Username for SMTP Server Specify the username of the sender on the outgoing SMTP server Many SMTP servers require users to authenticate with an username and password before sen...

Страница 208: ...nges and overrides made to the profile maintenance Heartbeat tab Select Reset to revert to the last saved configuration Enable Controller Upgrade of AP Firmware Select the access point model to upgrad...

Страница 209: ...ever administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device o...

Страница 210: ...he IP tab to display the link IP network address information shared by the devices managed by the MINT configuration Level 1 Area ID Select the box to enable a spinner control for setting the Level 1...

Страница 211: ...b displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another Select A...

Страница 212: ...UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamicall...

Страница 213: ...o revert to the last saved configuration 17 Select the Advanced Miscellaneous menu item VLAN Define a VLAN ID between 1 4 094 used by peer controllers for interoperation when supporting the MINT proto...

Страница 214: ...RF Domain Managers can support up to 512 client connections An Altitude 4511 or Altitude 4521 RF Domain Manager can support up to 256 client connections 22 Select the Priority radio button within the...

Страница 215: ...point profile 4 Click the Add Row button at the bottom of the table to add a new critical resource 5 Set the following parameters to define the Critical Resource configuration Ping Interval Set the du...

Страница 216: ...ular devices By default there s no enabled event policy and one needs to be created and implemented When initially displayed the Event Policy screen lists the access point interfaces Existing policies...

Страница 217: ...of the screen and select an event module used to track the occurrence of each list event 5 Review each event and select or deselect the SNMP Syslog Forward to Switch or Email Notification option as r...

Страница 218: ...Chapter 6 Device Configuration AltitudeTM 4000 Series Access Point System Reference Guide 218...

Страница 219: ...such as guest access control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit...

Страница 220: ...on to assess the attributes of each available WLAN WLAN Displays the name of each WLAN available to the access point Each WLAN can be selected and its SSID and client management properties modified Ea...

Страница 221: ...N by means of load balance distribution The VLAN is picked from a pool assigned to the WLAN Keep in mind however typical deployments only map a single VLAN to a WLAN The use of a pool is strictly opti...

Страница 222: ...Description Provide a textual description for the WLAN to help differentiate it from others with similar configurations A description can be up to 64 characters WLAN Status Select the Enabled radio bu...

Страница 223: ...re defining a WLAN s basic configuration refer to the following deployment guidelines to ensure the configuration is optimally effective Extreme Networks recommends one VLAN be deployed for secure WLA...

Страница 224: ...tication on page 226 PSK None on page 227 Secure guest access to the network is referred to as captive portal A captive portal is guest access policy for providing guests temporary and restrictive acc...

Страница 225: ...urther protect user information forwarded over wireless controller managed WLANs The EAP process begins when an unauthenticated supplicant client device tries to connect with an authenticator in this...

Страница 226: ...eset to revert back to the last saved configuration EAP EAP PSK and EAP MAC Deployment Considerations 802 1x EAP EAP PSK and EAP MAC Before defining a 802 1x EAP EAP PSK or EAP MAC supported configura...

Страница 227: ...elect the Edit icon to modify the configuration of a selected AAA policy 6 Authentication authorization and accounting AAA is a framework for intelligently controlling access to the wireless client ma...

Страница 228: ...efault Select the Captive Portal Policy to use with the WLAN from the drop down menu If no relevant policies exist select the Create icon to define a new policy to use with this WLAN or the Edit icon...

Страница 229: ...WLAN WPA WPA2 TKIP configuration for the WLAN 5 Define the Key Settings 6 Define Key Rotation values Unicast messages are addressed to a single device on the network Broadcast messages are addressed t...

Страница 230: ...roadcast Rotation Interval When enabled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define an interval for broadcast ke...

Страница 231: ...the same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a totally differen...

Страница 232: ...ave enough data using a single key to attack the deployed encryption scheme Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string bo...

Страница 233: ...Rotation Interval When enabled the key indices used for encrypting decrypting broadcast traffic will be alternatively rotated based on the defined interval Define an interval for broadcast key transm...

Страница 234: ...bit key concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter WEP algorithm for a hacker to potent...

Страница 235: ...P 128 in key structure WEP can be used with open shared MAC and 802 1 X EAP authentications WEP is optimal for WLANs supporting legacy deployments when also used with 802 1X EAP authentication to prov...

Страница 236: ...s to display a high level display of the existing WLANs available to the wireless controller managed network 2 Select the Add button to create an additional WLAN or select Edit to modify the propertie...

Страница 237: ...cess control and is considered a first line of defense in protecting proprietary information within an access point managed WLAN The means by which this is accomplished varies but in principle a Firew...

Страница 238: ...eless LANs Wireless LANs to display a high level display of the existing WLANs 2 Select the Add button to create a new WLAN or Edit to modify the properties of an existing wireless controller WLAN 3 S...

Страница 239: ...ines what to do with the packet if it matches the specified criteria The following actions are supported Deny Instructs the Firewall to prohibit a packet from proceeding to its destination Permit Inst...

Страница 240: ...ns for ICMP type and code Selecting either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions are supported Log Creates a log e...

Страница 241: ...destination Source and Destination MAC Enter both Source and Destination MAC addresses The access point uses the source IP address destination MAC address as basic matching criteria Provide a subnet...

Страница 242: ...an Ethertype of either ipv6 arp wisp monitor 8021q An EtherType is a two octet field within an Ethernet frame It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame...

Страница 243: ...le to the wireless network 2 Select the Add button to create a new WLAN or select and existing WLAN and Edit to modify the properties of an existing WLAN 3 Select the Client Settings tab 4 Define the...

Страница 244: ...the Firewall per wireless client This feature is disabled by default Enforce Client Load Balancing Select the checkbox to distribute clients evenly amongst associated Access Point radios This feature...

Страница 245: ...ting WLAN 3 Select Accounting 4 Set the following Syslog Accounting information 5 Select Enable RADIUS Accounting to use an external RADIUS resource for AAA accounting When the radio button is selecte...

Страница 246: ...S service should be used Extreme Networks recommends authorization policies be implemented when users need to be restricted to specific WLANs or time and date restrictions need to be applied Authoriza...

Страница 247: ...ds 0 and 10 000 Minutes 0 166 or Hours 0 2 the access point uses to discover a client s band capabilities before associating The default is 24 seconds Capability Ageout Time Define a value in either S...

Страница 248: ...lable to the wireless controller managed network 2 Select the Add button to create an additional WLAN or Edit to modify the properties of an existing WLAN 3 Select Advanced Allow Single Band Clients S...

Страница 249: ...US server consists of user profiles for each connected network access server NAS port Each profile is matched to a username representing a physical port When the access point authorizes users it queri...

Страница 250: ...they support basic MCS as well as non 11n basic rates The selected rates apply to associated client traffic within this WLAN only 6 Select OK when completed to update this WLAN s Advanced settings Sel...

Страница 251: ...up to 32 WLAN QoS policies with the exception of Altitude 4511 and Altitude 4521 models which can only support 16 WLAN QoS policies NOTE WLAN QoS configurations differ significantly from QoS policies...

Страница 252: ...o Video Optimized for video traffic Implies all traffic on this WLAN is prioritized as video traffic on the radio Normal Optimized for best effort traffic Implies all traffic on this WLAN is prioritiz...

Страница 253: ...llision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should be granted the opportuni...

Страница 254: ...n this radio This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is require...

Страница 255: ...cify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include Video Voice Normal and Low Normal is the default setting Tra...

Страница 256: ...e current Arbitrary Inter frame Space Number AIFSN between 2 15 The default value is 7 ECW Min The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range...

Страница 257: ...nstream traffic Extreme Networks recommends you define the normal number of ARP broadcast multicast and unknown unicast packets that typically transmit and receive from each supported WMM access categ...

Страница 258: ...eshold for the maximum the number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defined rate is dropped and a log message is generated The default s...

Страница 259: ...ed threshold is dropped and a log message is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general upstream rate is known by the network admi...

Страница 260: ...sage is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general downstream rate is known by the network administrator using a time trend analys...

Страница 261: ...dropped and a log message is generated Video traffic consumes significant bandwidth so this value can be set to a higher value once a general upstream rate is known by the network administrator using...

Страница 262: ...t effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downst...

Страница 263: ...condary multicast mask an administrator can indicate which frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast...

Страница 264: ...ents supporting low and high priority traffic contend with one another for data resources The IEEE 802 11e amendment has defined Enhanced Distributed Channel Access EDCA mechanisms stating high priori...

Страница 265: ...sions to their clients are controlled using per radio WMM settings while parameters used by wireless clients are controlled by a WLAN s WMM settings Access points support static QoS mechanisms per WLA...

Страница 266: ...ients that do not send TPSEC frames only Implicit TPSEC A green checkmark defines the policy as requiring wireless clients to send their traffic specifications to an access point before they can trans...

Страница 267: ...ng a high level of voice quality For higher priority traffic categories like voice the Transmit Ops value should be set to a low number The default value is 47 AIFSN Set the current AIFSN value betwee...

Страница 268: ...Higher priority traffic video categories should have lower AIFSNs than lower priority traffic categories This will cause lower priority traffic to wait longer before attempting access The default valu...

Страница 269: ...ireless clients to send their traffic specifications to the access point before they can transmit or receive data This feature is enabled by default 12 Set the following Voice Access admission control...

Страница 270: ...ription This value helps ensure the radio s bandwidth is available for lower bandwidth normal traffic if anticipated to proliferate the wireless medium Normal background traffic only needs a short rad...

Страница 271: ...fault value is 10 Enable Background Select the check box to enable admission control for lower priority traffic Only low traffic admission control is enabled not any of the other access categories eac...

Страница 272: ...ult value is 25 When wireless client count exceeds the above limit When the wireless client count using accelerated multicast exceeds the maximum number set the radio to either Reject new wireless cli...

Страница 273: ...a list of authentication methods and then applying the list to various access point interfaces The list defines the authentication schemes performed and their sequence The list must be applied to an...

Страница 274: ...e Start Only Sends a start accounting notice to initiate user accounting Start Stop Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process The start ac...

Страница 275: ...lf or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Dis...

Страница 276: ...generic form The specific form which must contain the user portion and may contain the portion identifies a single user The generic form allows all users in a given or without a to be configured on a...

Страница 277: ...3 seconds If this time is exceeded the authentication session is terminated Retry Timeout Factor Specify the amount of time between 50 and 200 seconds between retry timeouts for the access points s re...

Страница 278: ...the time between 1 and 60 seconds for the access point s re transmission of request packets The default is 5 seconds If this time is exceeded the authentication session is terminated Request Attempts...

Страница 279: ...AI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user The generic form allows all users in a gi...

Страница 280: ...points re transmission of request packets The default is 100 DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is betwe...

Страница 281: ...nce Guide 281 Protocol for MAC Captive Portal Authentication The authentication protocol Password Authentication Protocol PAP or Challenge Handshake Authentication Protocol CHAP when the server is use...

Страница 282: ...thentication Server Index Uses the same index as the authentication server for RADIUS accounting Select Accounting Server Independently Allows users to specify a RADIUS accounting server separate from...

Страница 283: ...L screen displays for defining a new ACL or modifying a selected ACL 3 Select the Add Row button to add an association ACL template that requires configuration 4 If creating a new Association ACL prov...

Страница 284: ...costs by scanning the RF environment to determine the best channel and transmit power configuration for each managed radio Smart RF centralizes the decision process and makes intelligent RF configura...

Страница 285: ...RF is not a solution it s a temporary measure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist CAUTION Smart RF is not able to detect...

Страница 286: ...le radio button to enable Smart RF for immediate inclusion within a RF Domain Smart RF is enabled by default Auto Assign Sensor Select the radio button to auto assign an access point sensor radio for...

Страница 287: ...the 5 GHz band 4 dBm is the default setting 5 0 GHz Maximum Power Use the spinner control to select a 1 20 dBm maximum power level Smart RF can assign a radio in the 5 GHz band 17 dBm is the default s...

Страница 288: ...er 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to working radios to avo...

Страница 289: ...monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen 11 Enable or disabl...

Страница 290: ...either Seconds 1 120 or Minutes 0 2 The default setting is 6 seconds for both the 5 and 2 4 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency between 0 50 Thi...

Страница 291: ...ing neighbor recovery Set the time in either Seconds 0 86 400 Minutes 0 1 440 or Hours 0 24 or Days 0 1 The default setting is 1 hour 5 0 GHz Neighbor Recovery Power Threshold Use the spinner control...

Страница 292: ...of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select the radio button to allow Smart RF to scan for exces...

Страница 293: ...dio This parameter is the difference between noise levels on the current channel and a prospective channel If the difference is below the configured threshold the channel will not change The default s...

Страница 294: ...performed during scheduled maintenance intervals or non business hours For Smart RF to provide effective recovery RF planning must be performed to ensure overlapping coverage exists at the deployment...

Страница 295: ...etwork The means by which this is accomplished varies but in principle a Firewall can be thought of as mechanisms both blocking and permitting data traffic within the wireless network Firewalls implem...

Страница 296: ...strict traffic exchanged between hosts hosts residing on separate WLANs or hosts forwarding traffic to wired devices For more information refer to the following Defining a Firewall Configuration on pa...

Страница 297: ...oS packets is dropped No further action is taken Log Level Select this option to enable logging to the system log Then select a standard Syslog level from the Log Level drop down menu Ascend Ascend Do...

Страница 298: ...nd routers on a network Of course a hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network In some instances however routers may not send update...

Страница 299: ...ptionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get...

Страница 300: ...he Storm Control tab 7 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to app...

Страница 301: ...eway settings flow timeout configuration and TCP protocol checks Traffic Type Use the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Br...

Страница 302: ...his feature is enabled by default DHCP Broadcast to Unicast Select the radio button to enable the conversion of broadcast DHCP offers to unicast Converting DHCP broadcast traffic to unicast traffic ca...

Страница 303: ...ion for the maximum segment size of packets at a global level Max Fragments Datagram Set a value for the maximum number of fragments between 2 and 8 129 allowed in a datagram before it is dropped The...

Страница 304: ...tes 1 540 or Hours 1 9 The default setting is 10 seconds Stateless TCP Flow Define a flow timeout value in either Seconds 1 32 400 Minutes 1 540 or Hours 1 9 The default setting is 90 seconds Stateles...

Страница 305: ...IP ACL NOTE Once defined a set of IP Firewall rules must be applied to an interface to be a functional filtering tool To add or edit an IP based Firewall Rule policy 1 Select Configuration Security I...

Страница 306: ...he access policy filter can also include other parameters specific to a protocol type like source and destination port for TCP UDP protocol Provide a subnet mask if needed Protocol Select the protocol...

Страница 307: ...ackets based on the IP from which they arrive as opposed to filtering packets on Layer 2 ports Optionally filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses A MAC Firewall rule...

Страница 308: ...ions are supported Deny Instructs the Firewall to not to allow a packet to proceed to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination Source and Destinati...

Страница 309: ...not supported natively by an Altitude 4511 or Altitude 4521 model access point and must be deployed using an external WIPS server resource A WIPS server can be deployed as a dedicated solution within...

Страница 310: ...ult 2 Select the Activate Firewall IPS Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to apply the config...

Страница 311: ...S attacks come under this category Use the Excessive Action Events table to select and configure the action taken when events are triggered 8 Set the configurations of the following Excessive Action E...

Страница 312: ...o set the intervals clients can be filtered upon the generation of each event 11 Set the following MU Anomaly Event configurations Filter Expiration Set the duration an event generating client is filt...

Страница 313: ...r disable an event Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for...

Страница 314: ...aly event This column lists the event tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each AP Anomaly ev...

Страница 315: ...atching with the WIPS signature Match on SSID Lists each SSID used for matching purposes Enable Signature Select the radio button to enable the WIPS signature for use with the profile The default sign...

Страница 316: ...administrator to focus on alarms on devices actually behaving in a suspicious manner An intruder with a device erroneously authorized could potentially perform activities that harm your organization...

Страница 317: ...uration Security Device Categorization The Device Categorization screen lists the device authorizations defined thus far 2 Select Add to create a new Device Categorization policy Edit to modify the at...

Страница 318: ...to add a device to a list of devices sanctioned for network operation 6 Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification...

Страница 319: ...specifying a range of IP or MAC addresses to include or exclude from connectivity These MAC or IP access control mechanisms are configured as Firewall Rules to further refine client filter and matchin...

Страница 320: ...lied Roles with lower numbers are applied before those with higher numbers While there s no default precedence for a role two or more roles can share the same precedence 6 Refer to the Match Expressio...

Страница 321: ...uals The role is only applied when the authentication or encryption type does not match the exact method s specified by radio button selections Any The role is applied to any type This is the default...

Страница 322: ...nd destination IP addresses and the unique rules and precedence orders assigned Both IP and non IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC Additional...

Страница 323: ...e it from others that may have similar configurations Allow Every IP Firewall rule is made up of matching criteria rules The action defines what to do with the packet if it matches the specified crite...

Страница 324: ...set of ICMP specific options to set the ICMP Type and Code Selecting either TCP or UDP displays an additional set of specific TCP UDP source and destinations port options Action The following actions...

Страница 325: ...Instructs the Firewall to prohibit a packet from proceeding to its destination Permit Instructs the Firewall to allow a packet to proceed to its destination VLAN ID Enter a VLAN ID representative of t...

Страница 326: ...guest user traffic from being routed to trusted networks and hosts Before configuring WIPS support refer to the following deployment guidelines to ensure the configuration is optimally effective WIPS...

Страница 327: ...rained wireless network administrator can determine the criteria used to authorize or ignore devices You may want to consider your organization s overall security policy and your tolerance for risk ve...

Страница 328: ...Chapter 8 Security Configuration AltitudeTM 4000 Series Access Point System Reference Guide 328...

Страница 329: ...thenticated access using a standard Web browser Captive portals provide authenticated access by capturing and re directing a wireless user s Web browser session to a captive portal login page where th...

Страница 330: ...ame of the external centralized server validating guest user permissions for the listed captive portal policy Captive Portal Server Mode Lists each hosting mode as either Internal Self or External cen...

Страница 331: ...the policy s security access and whitelist basic configuration before HTML pages can be defined for guest user access AAA Policy Lists each AAA policy used to authorize client guest access requests T...

Страница 332: ...Chapter 9 Services Configuration AltitudeTM 4000 Series Access Point System Reference Guide 332...

Страница 333: ...r External centralized If the mode is Internal Self the access point is maintaining the captive portal internally while External centralized means the captive portal is being supported on an external...

Страница 334: ...should be in the Whitelist Refer to the drop down menu of existing DNS White List entries to select a policy to be applied to this captive portal policy a If creating a new Whitelist assign it a name...

Страница 335: ...ation screen Selecting Reset reverts the settings back to the last saved configuration 12 Select the Web Page tab to create HTML pages requesting wireless clients use to login and navigate within the...

Страница 336: ...ptive portal policy The Welcome page asserts a user has logged in successfully and can access the captive portal The Fail page asserts the authentication attempt has failed and the user is not allowed...

Страница 337: ...e Login Message Specify a message containing unique instructions or information for the users accessing each specific page In the case of the Terms and Conditions page the message can be the condition...

Страница 338: ...rtal pages as needed to managed devices that may be displaying and hosting captive portal connections For more information refer to Managing File Transfers on page 393 Login URL Define the complete UR...

Страница 339: ...tination Web server s should be in the Whitelist Each supported access point model can support up to 32 Whitelists with the exception of Altitude 4511 and Altitude 4521 models which can only support u...

Страница 340: ...ver not an administrator All Altitude 4000 independent series access points Altitude 4500 series and Altitude 4700 series access points have an internal DHCP server resource The DHCP server groups wir...

Страница 341: ...equest The name assigned cannot be modified as part of the edit process If a network pool configuration is obsolete it can be deleted Subnet Displays the network address and mask used by clients reque...

Страница 342: ...en the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Dom...

Страница 343: ...ng ranges of unavailable addresses is a good practice to ensure IP address resources are in reserve Select the Delete icon as needed to remove an excluded address range e Select OK to save the updates...

Страница 344: ...nding configuration Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client...

Страница 345: ...using this host pool Domain Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain na...

Страница 346: ...b Assign a Value to each option with codes in the range 1 through 254 A vendor specific option definition only applies to the vendor class for which it is defined 14 Within the Network field define on...

Страница 347: ...ets are sent from one location to another location there s just one sender and one receiver Select this option to forward unicast messages to just a single device within the network pool NetBIOS Node...

Страница 348: ...he list of those available b Assign a Value to each option with codes in the range 1 through 254 A vendor specific option definition only applies to the vendor class for which it s defined 20 Refer to...

Страница 349: ...able b Use the Type drop down menu to specify whether the DHCP option is being defined as a numerical IP address or ASCII string or Hex string Highlight an entry from within the Global Options screen...

Страница 350: ...IP addresses from the defined range Refer to the DHCP Class Policy screen to review existing DHCP class names and their current multiple user class designations Multiple user class options enable a us...

Страница 351: ...the RADIUS Configuration Remote Authentication Dial In User Service RADIUS is a client server protocol and software enabling remote access servers to authenticate users and authorize their access to...

Страница 352: ...elect Configuration Services Select Configuration Services The upper left hand side of the user interface displays the RADIUS option The RADIUS Group screen displays by default For information on crea...

Страница 353: ...nates the group as having permanent access to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions Management Group A green checkmark desi...

Страница 354: ...on to assign only guest access and temporary permissions to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions This setting is disabled...

Страница 355: ...designate the RADIUS group as a management group If set as management group assign a role to the members of the group using the Access drop down menu allowing varying levels of administrative rights...

Страница 356: ...e a new user pool Edit to modify the configuration of an existing pool or Delete to remove a selected pool 4 If creating a new pool assign it a name up to 32 characters and select Continue The name sh...

Страница 357: ...mporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group D...

Страница 358: ...e password s actual character string Leaving the option unselected displays the password as a string of asterisks Guest User Select the checkbox to designate this user as a guest with temporary access...

Страница 359: ...he access point s local RADIUS server has access to a database of authentication information used to validate client authentication requests The RADIUS server ensures the information is correct using...

Страница 360: ...pplied to the access point profile 4 Define the following Settings required in the creation or modification of the server policy RADIUS User Pools Select the user pools to apply to this server policy...

Страница 361: ...and PEAP TLS Uses TLS as the EAP type TLS and MD5 The EAP type is TTLS with default authentication using MD5 TTLS and PAP The EAP type is TTLS with default authentication using PAP TTLS and MSCHAPv2...

Страница 362: ...ot possess a shared secret for the client the request is dropped If the client received a verified access accept packet the username and password are considered correct and the user is authenticated I...

Страница 363: ...as a RADIUS server to the NAS whereas the proxy appears to act as a RADIUS client to the RADIUS server When the access point s RADIUS server receives a request for a user name containing a realm the s...

Страница 364: ...to expose the shared secret s actual character string Leave the option unselected to display the shared secret as a string of asterisks 23 Click the OK button to save the changes Click the Reset butt...

Страница 365: ...te to remove a LDAP server from the list of those available Redundancy Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource Designating at leas...

Страница 366: ...tion between the access point and remote LDAP resource Port Use the spinner control to set the physical port used by the RADIUS server to secure a connection with the remote LDAP server resource The d...

Страница 367: ...g at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server were to become unavailable Bind Password Enter a valid password for the LDAP serve...

Страница 368: ...Chapter 9 Services Configuration AltitudeTM 4000 Series Access Point System Reference Guide 368...

Страница 369: ...ministrative roles access control permissions authentication settings and SNMP settings are correctly set If the access point is a Virtual Controller AP these are the management settings used by adopt...

Страница 370: ...ation Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when...

Страница 371: ...SSH Console Select this option to enable access to the access point s console Superuser Select this option to assign complete administrative rights to this user This entails all the roles listed Syste...

Страница 372: ...to function as an ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better secu...

Страница 373: ...elnet access is disabled by default Telnet Port Set the port on which Telnet connections are made 1 65 535 The default port is 23 Change this value using the spinner control or by entering the port nu...

Страница 374: ...ord required when logging in to the FTP server Reconfirm the password in the field provided to ensure it has been entered correctly The password cannot exceed 63 characters FTP Root Directory Provide...

Страница 375: ...policy fro the drop down menu and select the Edit icon to update its configuration For more information on defining the configuration of a AAA policy see AAA Policy on page 273 5 Select OK to update...

Страница 376: ...gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to...

Страница 377: ...elect the checkbox to enable SNMPv3 support SNMPv3 adds security and remote configuration capabilities to previous versions The SNMPv3 architecture introduces the User based Security Model USM for mes...

Страница 378: ...Management Access Deployment Considerations Before defining an access control configuration as part of a Management Access policy refer to the following deployment guidelines to ensure the configurati...

Страница 379: ...em Reference Guide 379 Extreme Networks recommends SNMPv3 be used for device management as it provides both encryption and authentication Enabling SNMP traps can provide alerts for isolated attacks at...

Страница 380: ...Chapter 10 Management Access Policy Configuration AltitudeTM 4000 Series Access Point System Reference Guide 380...

Страница 381: ...ed when hardware or software issues are detected Diagnostic capabilities include Fault Management on page 381 Crash Files on page 384 Advanced Diagnostics on page 385 Fault Management Fault management...

Страница 382: ...e of their severity Critical Only critical events are displayed Error Only errors are displayed Warning Only warnings are displayed Informational Only informational events are displayed Module Select...

Страница 383: ...er Use the View Events screen to track and troubleshoot events using source and severity levels defined in the Configure events screen 6 Refer to the following event parameters to assess nature and se...

Страница 384: ...vice Crash Files Use the Crash Files screen to review files created when an access point encounters a critical error or malfunction Timestamp Displays the timestamp time zone specific each listed even...

Страница 385: ...button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button Advanced Diagnostics...

Страница 386: ...Real Time NETCONF Messages area lists an XML representation of any message generated by the system The main display area of the screen is updated in real time Refer to the Request Response and Time T...

Страница 387: ...Access Point System Reference Guide 387 Schema Browser Advanced Diagnostics Use the schema browser to navigate To review device debugging information 1 Select Diagnostics Advanced to display the UI De...

Страница 388: ...pdated 3 Expand a configuration parameter to review its settings The Configuration tab provides an ideal place to verify if the last saved configuration differs from default settings or has been erron...

Страница 389: ...nd transmit power for each managed access point radio For more information refer to the following Device Operations on page 389 Certificates on page 400 Smart RF on page 416 Refer to Operations Deploy...

Страница 390: ...n only be performed on access points of the same model as the Virtual Controller AP These tasks can be performed on individual access points and wireless clients Managing Firmware and Config Files Dev...

Страница 391: ...rently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render...

Страница 392: ...e Details screen By default the Firmware Upgrade screen displays a URL field to enter the URL destination location of the device s firmware file Enter the complete path to the firmware file 3 If neede...

Страница 393: ...To administrate files for managed devices Port Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates This option is not valid for cf usb1 and...

Страница 394: ...to indicate the file is on the access point itself File If the source is Access Point enter the name of the file to be transferred Protocol If advanced is selected select the protocol for file manage...

Страница 395: ...rring the file This option is not valid for cf usb1 and usb2 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If a...

Страница 396: ...nce defined select the Create Folder button to implement 4 Optionally use the Delete Folder or Delete File buttons to remove a folder or file from within a memory resource AP Upgrades Device Operation...

Страница 397: ...e to take place at a specified time enter a date and time Select whether you require an immediate reboot once the AP is updated If you would like a reboot later schedule the time accordingly The AP mu...

Страница 398: ...ame and the primary MAC Address are listed in the table Cancel Clicking the Cancel button will clear any options in this screen and cancel AP updates in progress Update Firmware Clicking the Update Fi...

Страница 399: ...include tftp Select this option to specify a file location using Trivial File Transfer Protocol A port and IP address or hostname are required A path is optional ftp Select this option to specify a f...

Страница 400: ...uration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One ke...

Страница 401: ...tes If not wanting to use an existing certificate or key with a selected device an existing stored certificate can be leveraged from a different device for use with the target device Device certificat...

Страница 402: ...de 402 1 Select Operations Certificates The Trustpoints screen displays for the selected MAC address 2 Refer to the Certificate Details to review certificate properties self signed credentials validit...

Страница 403: ...ual characters used in the key Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the trustpoint Protocol if using Advance...

Страница 404: ...radio button to provide network address information to the location of the target CA certificate The number of additional fields that populate the screen is also dependent on the selected protocol Thi...

Страница 405: ...ation with an enrolled identity certificate From Network Select the From Network radio button to provide network address information to the location of the target CRL The number of additional fields t...

Страница 406: ...of the CA certificate Hostname If using Advanced settings provide the hostname of the server used to import the CRL This option is not valid for cf usb1 and usb2 Path If using Advanced settings specif...

Страница 407: ...ey If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates 16 Define the following configuration pa...

Страница 408: ...ns generate additional keys or import export keys to and from remote locations 1 Select Operations Certificates 2 Select RSA Keys Key Passphrase Define the key used by both the access point and the se...

Страница 409: ...erate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 3 Select Generate Key to create a new key with a defined size 4 Select...

Страница 410: ...e Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key If needed select Advanced to expand the dialog to display...

Страница 411: ...rs used in the passphrase Leaving the checkbox unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key If needed select Advanced to expand t...

Страница 412: ...te the key supported Select OK to proceed with the deletion or Cancel to revert back to the last saved configuration Certificate Creation Certificates The Certificate Management screen provides the fa...

Страница 413: ...t the radio button and use the drop down menu to select the existing key used by both the access point and the server or repository of the target RSA key Create a New RSA Key To create a new RSA key s...

Страница 414: ...ht to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operat...

Страница 415: ...between 1 024 2 048 bits Extreme Networks recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more information see RSA Key Management on page 408 Certific...

Страница 416: ...alibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received fr...

Страница 417: ...ded to the network This index helps distinguish this radio from others within the RF Domain with similar configurations This value is not subject to change as a result of a calibration activity but ea...

Страница 418: ...Calibration has calculated Write Writes the new channel and power values to the radios under their respective device configurations Discard Discards the results of the Interactive Calibration without...

Страница 419: ...button Operations Deployment Considerations Before defining the access point s configuration using the Operations menu refer to the following deployment guidelines to ensure the configuration is opti...

Страница 420: ...Chapter 12 Operations AltitudeTM 4000 Series Access Point System Reference Guide 420...

Страница 421: ...ed clients Individual access point or connected clients can be reviewed in isolation as well The access point user interface allows you filter statistics by System Statistics on page 421 RF Domain on...

Страница 422: ...access point supported system and its connected clients This includes information on device availability overall RF quality resource utilization and network threat perception To display the health of...

Страница 423: ...cally select Refresh to update the statistics counters to their latest system health values Inventory System Statistics Worst 5 Displays five RF Domains with the lowest quality indices in the wireless...

Страница 424: ...d navigation pane 3 Select Inventory from the System menu 4 The Device Types table displays an exploded pie chart depicting system wide access point distribution 5 The Radios table displays radios in...

Страница 425: ...to update the inventory to its latest device membership information Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the access points in the system b...

Страница 426: ...ays the type of device adopted to an access point system member RF Domain Name Displays the adopting access point s RF Domain name Model Number Displays the model number of the access point providing...

Страница 427: ...es screen provides the following information for devices pending access point connection Adoption Time Displays the time when the listed adopted device was connected to its associated access point Upt...

Страница 428: ...as to why the device is still pending adoption Discovery Option Displays the discovery option code for each AP listed pending adoption Last Seen Displays the date and time stamp of the last time the...

Страница 429: ...is access point s RF Domain including data from all its members VLAN Displays the current VLAN number of the device pending adoption RF Domain Name Displays the name of this access point s RF Domain m...

Страница 430: ...ocal point for the radio system and acts as a central registry of applications hardware and capabilities It also serves as a mount point for all the different pieces of the hardware system file 5 The...

Страница 431: ...splays the radio MAC of the wireless client Vendor Displays the vendor name of the wireless client Total WLANs Displays the total number of WLANs managed by RF Domain member access points Top 5 Displa...

Страница 432: ...RT RF within the access point RF Domain RF Domain Threat Level Indicates the threat from the wireless clients trying to find network vulnerabilities within the access point RF Domain The threat level...

Страница 433: ...ibution of the different radio types 5 The Radios by Channel field displays the total number of radios using the 5GHz and 2 4GHz bands within the access point RF Domain 6 The Wireless Clients table di...

Страница 434: ...item from under the System node on the top left hand side of the screen 3 Select Access Points from the RF Domain menu MAC Address Displays the Media Access Control MAC address of the RF Domain member...

Страница 435: ...bership with access points of the same model Client Count Displays the number of clients connected with each listed access point Altitude 4532 and Altitude 4700 series access points can support up to...

Страница 436: ...nts connected to RF Domain member access points To review a RF Domain s access point connected wireless clients BSSID Displays the Broadcast Service Set ID SSID of the network to which the detected ac...

Страница 437: ...ss is hard coded at the factory and can not be modified WLAN Displays the name of the access point defined WLAN the wireless client is currently using for its access point interoperation Hostname Disp...

Страница 438: ...ffic medium is used It s defined as the percentage of current throughput relative to the maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 moderate...

Страница 439: ...ect Status This Radio Status screen provides the following information Radio Displays the name assigned to each listed RF Domain member access point radio Each name displays as a link that can be sele...

Страница 440: ...cess point was defined to use Compare the configured channel with the current channel to ensure the radio is supporting client traffic on the correct intended channel Configured Power Displays the pow...

Страница 441: ...mber access point radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data r...

Страница 442: ...ad packets Rx Packets Displays the total number of packets received by each RF Domain member access point radio This includes all user data as well as any management overhead packets Tx User Data Rate...

Страница 443: ...the configured hostname for each client connected to a RF Domain member access point Client Radio MAC Displays the Media Access Control for each client connected to a RF Domain member access point Po...

Страница 444: ...Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu This screen provides the following information Individual...

Страница 445: ...de 445 Select the Energy Graph tab for a RF Domain member access point radio to review the radio s operating channel and noise level and neighbor count This information helps assess whether Smart RF n...

Страница 446: ...see WIPS Client Blacklist on page 446 WIPS Events on page 447 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted clients detected by WIPS Blacklisted clients are not allowed to ass...

Страница 447: ...n 3 Expand the WIPS menu item and select WIPS Events Event Name Displays the name of the wireless intrusion event detected by a RF Domain member access point Blacklisted Client Displays the MAC addres...

Страница 448: ...tatistics menu from the Web UI 2 Select the default item from under the System node on the top left hand side of the screen 3 Select Captive Portal from the RF Domain menu Event Name Displays the name...

Страница 449: ...aptive portal access Client IP Displays the IP address of each listed client using its connected RF Domain member access point for captive portal access Captive Portal Lists the name of the captive po...

Страница 450: ...mprising the RF Domain Radio MAC Displays the radio MAC address of each access point radio comprising the RF Domain Radio Index Displays the numerical identifier assigned to each access point radio wi...

Страница 451: ...on page 477 DHCP Server on page 484 Firewall on page 487 Certificates on page 494 WIPS on page 497 Sensor Servers on page 499 Captive Portal on page 500 Network Time on page 501 Load Balancing on page...

Страница 452: ...ude 4760 Altitude 4511 or Altitude 4521 Model Number Displays the access point s model to help further differentiate the access point from its peers RF Domain Name Displays the access point s RF Domai...

Страница 453: ...e System Clock Displays the system clock information Bottom Radios Displays radios having very low quality indices RF quality index indicates the overall RF performance The RF quality indices are 0 50...

Страница 454: ...s a user to store a known legacy version and a new version in device memory The user can test the new software and use an automatic fallback which loads the old version on the access point if the new...

Страница 455: ...Displays the fan speed Number Displays the number of temperature elements used by the access point Temperature Displays the current temperature in Celsius to assess a potential access point overheat...

Страница 456: ...an access point for statistical observation 3 Select AP Upgrade Primary Build Date Displays the build date when this access point firmware version was created Primary Install Date Displays the date t...

Страница 457: ...t performed the upgrade Type Displays the model of the access point The updating access point must be of the same model as the access point receiving the update MAC Displays the MAC address of the acc...

Страница 458: ...d the Adoption menu item 4 Select Adopted APs 5 The Adopted APs screen displays the following Access Point Displays the name assigned to the access point as part of its device configuration Type Lists...

Страница 459: ...int Adoption time Displays each listed access point s time of adoption by this access point whose MAC address displays in the banner of the screen Uptime Displays each listed access point s in service...

Страница 460: ...ollowing MAC Address Displays the MAC address of the device pending adoption Type Displays the AP type AP4600 AP4700 AP4511 AP4532 etc IP Address Displays the current IP Address of the device pending...

Страница 461: ...statistical observation 3 Select AP Detection This screen provides the following information Unsanctioned Displays the MAC address of a detected unauthorized access point Reporting AP Displays the har...

Страница 462: ...observation 3 Select Wireless Clients This screen displays the following wireless client data Clear All Select the Clear All button to clear the screen of its current status and begin a new data colle...

Страница 463: ...d side of the screen expand the default node and select an access point for statistical observation 3 Select Wireless LANs This screen displays the following access point WLAN utilization information...

Страница 464: ...expand the default node and select an access point for statistical observation 3 Select Critical Resources Traffic Index Displays the traffic utilization index which measures how efficiently the WLAN...

Страница 465: ...access point placement An Altitude 4700 model access point can support from 2 3 radios IP Address Lists the IP address of the critical resource This is the address the device assigned and is used by t...

Страница 466: ...ccess point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Use the Details s...

Страница 467: ...ng information Radio Displays the name assigned to the radio as its unique identifier Radio MAC Displays the factory encoded hardware MAC address and assigned to the radio Radio Type Defines whether t...

Страница 468: ...nique identifier Signal Displays the radio s current power level in dBm SNR Displays the signal to noise ratio of the radio s associated wireless clients Tx Physical Layer Rate Displays the data trans...

Страница 469: ...int for statistical observation 3 Expand Radios 4 Select Traffic Statistics This screen provides the following information Quality Index Displays an integer that indicates overall RF performance The R...

Страница 470: ...ets Rx Packets Displays the total number of packets received by each listed radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps use...

Страница 471: ...the RF Domain mesh network Client Hostname Displays the configured hostname for each access point in the RF Domain mesh network Client Radio MAC Displays the MAC address for each access point in the R...

Страница 472: ...ormation on a selected access point interface such as its MAC address type and TX RX statistics To view the general interface statistics 1 Select the Statistics menu from the Web UI 2 Select System fr...

Страница 473: ...ce The General field describes the following Name Displays the name of the access point interface selected from the upper left hand side of the screen Altitude 4700 Altitude 4532 Altitude 4760 Altitud...

Страница 474: ...hat you can add to the trunk Metric Displays the metric value associated with the route through the selected interface Maximum Speed Displays the maximum speed at which the selected interface transmit...

Страница 475: ...eive Error Displays the number of received packets failed because of an internal MAC sublayer that is not a late collision excessive collision count or a carrier sense error Bad CRC Displays the CRC e...

Страница 476: ...d at the interface First in First Out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival FIFO entails no priority for traffic There is only one queu...

Страница 477: ...ress or network layer address is known To view an access point s ARP statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the scree...

Страница 478: ...technique used in networks Bridging makes no assumption about where a particular address is located It relies on the flooding and examination of source addresses in received packet headers to locate u...

Страница 479: ...is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet Using an appropriate algorithm a multicast router instructs...

Страница 480: ...re the multicast transmission is conducted Group Address Displays the Multicast Group ID supporting the statistics displayed This group ID is the multicast address hosts are listening to Port Members...

Страница 481: ...rovides the DHCP server name image file on the DHCP server and its configuration To view a network s DHCP Options 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane...

Страница 482: ...ork and expand the menu to reveal its sub menu items 4 Select Cisco Discovery Protocol Server Information Displays the IP address of the DHCP server used on behalf of the access point Image File Displ...

Страница 483: ...tistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation Capabilities Di...

Страница 484: ...ic configuration parameters IP address network mask gateway etc from a DHCP server to a host Capabilities Displays the capabilities code for the device either Router Trans Bridge Source Route Bridge H...

Страница 485: ...tems 4 Select General The General screen displays the following DHCP Bindings Network Interfaces Displays the interface used for the newly created DHCP configuration State Displays the current state o...

Страница 486: ...valid client request the server assigns the computer an IP address a lease the validity of time and other IP configuration parameters The Networks screen provides network pool information such as the...

Страница 487: ...ch individual packet type The Packet Flows screen displays data traffic packet flow utilization The chart represents the different protocol flows supported and displays a proportional view of the flow...

Страница 488: ...ommunications requests so it cannot respond to legitimate traffic or responds so slowly as to be rendered effectively unavailable DoS attacks are implemented by either forcing the targeted computer s...

Страница 489: ...t is secured through the use of Internet Protocol security Block a connection Rules can be created for either inbound or outbound traffic To view the IP firewall rules Attack Type Displays the Denial...

Страница 490: ...to bypass the access point s security filters Firewall rules can be created to support one of the three actions listed below that match the rule s criteria Allow a connection Allow a connection only i...

Страница 491: ...wall s NAT translations 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for...

Страница 492: ...is an ICMP flow Forward Dest IP Displays the destination IP address for the forward NAT flow Forward Dest Port Displays the destination port for the forward NAT flow contains an ICMP ID if it is an IC...

Страница 493: ...n be issued to client requests on this interface IP Address Displays the IP address used for DHCP discovery and requests between the DHCP server and DHCP clients Netmask Displays the subnet mask used...

Страница 494: ...he trustpoint signing the certificate can be a certificate authority corporate or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration para...

Страница 495: ...em Reference Guide 495 The Certificate Details field displays the following Subject Name Lists details about the entity to which the certificate is issued Alternate Subject Name Displays alternative d...

Страница 496: ...1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen expand the default node and select an access point for statistical observation...

Страница 497: ...AN is generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities Basic forms of this behavior can be monitored and reported without a dedicated WIPS When the...

Страница 498: ...s WIPS The WIPS Events screen details the wireless intrusion event by an access point To view the WIPS events statistics Event Name Displays the name of the wireless intrusion event detected by this a...

Страница 499: ...To view the network address and status information of the sensor server resources available to the access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on...

Страница 500: ...directed to a Web page To view the captive portal statistics of an access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the scree...

Страница 501: ...em time The access point can also use several forms of NTP messaging to sync system time with authenticated network traffic The Network Time screen provides detailed statistics of an associated NTP Se...

Страница 502: ...rvation 3 Select Network Time The NTP Status screen displays by default with the following information Clock Offset Displays the time differential between the access point s time and its NTP resource...

Страница 503: ...for statistical observation 3 Select Network Time and expand the menu to reveal its sub menu items 4 Select the NTP Association tab Reference Displays the address of the time source the access point...

Страница 504: ...the lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server IP Address Displays the numerical...

Страница 505: ...lso be filtered for display Each element can either be displayed individually or collectively in the graph To view the access point s load balance in a filtered graph format 1 Select the Statistics me...

Страница 506: ...graph section displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Reque...

Страница 507: ...eviewed through the following Health on page 507 Details on page 510 Traffic on page 512 WMM TSPEC on page 514 Association History on page 516 Graph on page 517 Health Wireless Client Statistics The H...

Страница 508: ...e selected wireless client WLAN Displays the client s access point WLAN membership BSS Displays the basic service station ID BSS of the network the wireless client belongs to VLAN Displays the VLAN ID...

Страница 509: ...icates possible network or hardware problems SNR Displays the signal to noise ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbing...

Страница 510: ...n access point to display its connected client MAC addresses 3 Select a client MAC address from those connected to the selected access point 4 Select Details The Wireless Client area displays the foll...

Страница 511: ...ys whether this feature is enabled or not To prolong battery life the 802 11 standard defines an optional Power Save Mode which is available on most 80211 clients End users can simply turn it on or of...

Страница 512: ...rces and synchronize with a radio NIC An NIC begins the association process by sending an association request to an access point This association request is sent as a frame This frame carries informat...

Страница 513: ...cast Mcast Packets Displays the total number of broadcast management packets processed by the client Management Packets Displays the number of management packets processed by the client Tx Dropped Pac...

Страница 514: ...e retry rate and the error rate The RF quality index value can be interpreted as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and above High utilization Retry Rate Dis...

Страница 515: ...s this feature is disabled A green check mark indicates this feature is enabled Video Displays the status of prioritization for video traffic A red X indicates this feature is disabled A green check m...

Страница 516: ...lay its connected client MAC addresses 3 Select a client MAC address from those connected to the selected access point 4 Select Association History Parameter Displays the parameter for defining the tr...

Страница 517: ...vigation pane on the left hand side of the screen expand the default node and expand an access point to display its connected client MAC addresses 3 Select a client MAC address from those connected to...

Страница 518: ...se transmit or receive values 6 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 minutes 20 minutes or 1 hour 30 seconds is the...

Страница 519: ...the Technical Assistance Center User Guide at www extremenetworks com go TACUserGuide The Extreme Networks eSupport website provides the latest information on Extreme Networks products including the l...

Страница 520: ...Appendix A Customer Support AltitudeTM 4000 Series Access Point System Reference Guide 520...

Страница 521: ......

Отзывы:

Нет отзывов