
ELITECONNECT WLAN SECURITY SYSTEM

Full authentication support—supports RADIUS, LDAP, 802.1x, 
Kerberos, Windows NT/2000 domain and built-in database.

VPN support allows secure wireless communications to and from 
wireless clients.

Rights-based network access increases network security by 
giving network administrators full control over users’ access to a 
network, based on user identification, location, and time.

Web-based configuration is easy-to-use, convenient and provides 
simple configuration management.

Network access and usage policies can be set for trusted users and 
guests by user identification, location, and time.

Roaming across different subnets and persistent session roaming 
eliminate the need for re-authentication by roaming users.

User Manual

SMC2504W
SMC2502W

Contents of ELITECONNECT SMC2504W

Page 1: ...roviding network administrators full control over users' access to a network based on user identification location and time Web-based configuration is easy to use convenient and provides simple configura...


Page 3: ...ELITECONNECT WLAN SECURITY SYSTEM USER MANUAL From SMC's EliteConnect line of enterprise wireless LAN solutions 38 Tesla March 2002 Irvine CA 92618 Part No 01 111343 006 Phone 949 679 8000...


Page 5: ...orporated located at 38 Tesla Irvine CA 92618 SMC is a registered trademark and EliteConnect is a trademark of SMC Networks Inc Other product and company names are trademarks or registered trademarks...

Page 6: ...to SMC pursuant to any warranty Products returned to SMC should have any customer installed accessory or add on components such as expansion modules removed prior to returning the product for replace...

Page 7: ...USE PERFORMANCE FAILURE OR INTERRUPTION OF ITS PRODUCTS EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WA...

Page 8: ...quipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient the receiving antenna Increase the separation between the equipment and...

Page 9: ...work Settings 2 6 Setting the Shared Secret 2 10 Authorizing the Shared Secret on the WLAN Secure Server 2 10 Setting the Secure Server IP Address and Shared Secret 2 11 Configuring SNMP 2 11 Specifyi...

Page 10: ...the Rights Manager 6 1 Rights Manager Terminology 6 2 About the Rights Manager 6 3 Two Simple Rights Examples 6 4 Example 1 Visiting Professor 6 4 Example 2 Contractors with Extended Hours 6 4 Getting...

Page 11: ...6 47 Changing Rights Allows in Groups 6 50 Adding Rights Allows 6 50 Modifying a Rights Allow 6 53 Deleting a Rights Allow 6 53 Redirecting Packets 6 54 Creating or Modifying a Redirect 6 54 Deleting...

Page 12: ...B 12 Rights Tutorial C 1 Starting with Locations C 2 Group Editor C 4 Logon Expire Times for Groups C 5 Default Groups C 6 Logon Rights C 6 Guest Rights C 7 User Rights C 9 Required Rights C 11 Built...

Page 13: ...SNMP D 2 Supported Management Information Base Objects D 3 MIB Objects D 3 System MIB D 4 Hardware Description MIB Object D 5 Hardware Version MIB Object D 5 Software Version MIB Object D 5 Serial Nu...

Page 14: ...xiv...

Page 15: ...iate background and knowledge to complete the procedures described in this document How To Use This Document This document contains procedural information describing all configuration and management o...

Page 16: ...eboot Chapter 5 Viewing Status Information This chapter explains how to view the status of the components of the EliteConnect WLAN Security System Chapter 6 Configuring the Rights Manager This chapter...

Page 17: ...torial Appendix This appendix explains Rights Management through examples Appendix D Simple Network Management Protocol This appendix describes the Management Information Base modules used in EliteCon...

Page 18: ...x Preface...

Page 19: ...ODUCTION This chapter gives a brief description of the SMC EliteConnect WLAN Security System Solution products It consists of the following sections 1 1 Overview 1 2 1 2 The EliteConnect WLAN Security...

Page 20: ...lly customizable Rights Manager component In addition the Airwave Security feature can encrypt all client traffic using standard encryption technology including PPTP L2TP or IPSec The WLAN Security Sy...

Page 21: ...Security System consists of three logical functions WLAN Access Manager Control Server Rights Manager There are two physical components of the EliteConnect WLAN Security System The WLAN Secure Server...

Page 22: ...through the WLAN Secure Server to the WLAN Access Manager This rights package is based on the user's identity location and the time and date In addition to filtering and redirecting packets the WLAN A...

Page 23: ...by the Rights Manager to the WLAN Access Manager limits the packets allowed into the network Additionally any HTTP requests from the end user are redirected to the Rights Manager The Rights Manager s...

Page 24: ...nection to the Access Manager When a client sends a packet through the WLAN Access Manager the WLAN Access Manager rewrites the IP address field and the port number field to a value that is unique and...

Page 25: ...irectors match packets using the powerful pattern matching language introduced by the tcpdump utility program If NAT is not enabled for a set of rights then these rights should also include a filter a...

Page 26: ...1 8 Introduction internal tables and informs the Rights Manager The Rights Manager starts the linger timer If the linger timer expires the user must re-authenticate...

Page 27: ...ludes the following sections 2 1 Administrative Login 2 2 2 2 Changing Your Network Configuration 2 4 2 3 Advanced Network Settings 2 6 2 4 Setting the Shared Secret 2 10 2 5 Configuring SNMP 2 11 2 6...

Page 28: ...ce through the specially recognized URL http://42.0.0.1 Note Your browser must accept cookies to log in Figure 2 1 Administrator's Login Note The text is adjusted appropriately depending on whether the...

Page 29: ...EliteConnect WLAN Security System User Manual 2 3 Figure 2 2 Main Menu for the WLAN Secure Server Figure 2 3 Main Menu for the WLAN Access Manager...

Page 30: ...installation Refer to this section if you need to change your network configuration To change your network configuration Step 1 Click Network from the Main Menu Figure 2 4 shows the Network Configura...

Page 31: ...here on the network This applies only to clients that are not using Network Address Translation NAT since a network address translated client will have its DHCP request satisfied by the WLAN Access Ma...

Page 32: ...rom a DHCP server Step 5 Choose the Netmask address from the drop down box Step 6 Type the Default Router IP address Step 7 Type the Primary DNS server IP address and if applicable the Secondary DNS s...

Page 33: ...r Bridged traffic a Click Cisco Discovery Protocol to enable CDP packets through this WLAN Secure Server or WLAN Access Manager This Layer 2 protocol is used by Cisco network hardware and software to...

Page 34: ...mory 2 the WLAN Access Manager sends a message to the Rights Manager which tells the Rights Manager that the client is no longer connected At this point the Rights Manager starts the linger timer The...

Page 35: ...IP address which the WLAN Access Manager or WLAN Secure Server passes on to an external DHCP server This DHCP request will obtain an IP address on the WLAN Access Manager or WLAN Secure Server's subn...

Page 36: ...the WLAN Access Manager to establish this trust relationship You must set this shared secret on the WLAN Secure Server that controls one or more WLAN Access Managers 2 4 1 Authorizing the Shared Secr...

Page 37: ...ver from the Main Menu of the WLAN Access Manager The Specify the Control Server screen appears as shown in Figure 2 8 Figure 2 8 Specify the Control Server Step 2 Type the Control Server IP address S...

Page 38: ...need SNMP to work with your overall network SNMP is disabled by default Click Yes to enable SNMP Step 3 Type your Community Name which is analogous to a password The default name is public SMC recomm...

Page 39: ...anager IP addresses IP addresses such as 192.168.1.1 netmask addresses such as 192.168.1.0/24 a hostname such as snmp.fiesta.com or a wildcard address for example 0.0.0.0/0 Note To query the SNMP agen...

Page 40: ...xample Applied Research Lab Step 7 Click Submit Changes to save your choices 2 7 Specifying Session Logging The WLAN Security System creates logs of session information known as session logs for the W...

Page 41: ...ssary for logs and for troubleshooting Accurate and synchronized time and dates across multiple systems is especially important You use the Time and Date Configuration screen to set the System timezon...

Page 42: ...rs Step 4 To configure the time manually a Click Set time manually When you click Set time now you disconnect from the NTP server b Click Set time now to set the time with the fields below Type the da...

Page 43: ...he screen for example if you click Help on the Time and Date screen a screen appears with information on setting the time and date Step 3 Review the information in the Release Notes so that you are aw...

Page 44: ...2 18 Configuring the WLAN Security System...

Page 45: ...WLAN Secure Server This VPN or Airwave security is an integrated feature of the EliteConnect WLAN Security System that creates a secure VPN tunnel to protect your information over the airwaves It incl...

Page 46: ...AN Security System can use the PPTP user authentication for its own authentication In this case the WLAN Secure Server login page is not necessary For encryption it uses either 40-bit or 128-bit MPPE...

Page 47: ...data encryption Both the IKE and ESP phases can use Data Encryption Standard DES Triple DES Blowfish or CAST encryption The secure hash used for data integrity in both the IKE and ESP phases can be e...

Page 48: ...ive performance Availability As previously mentioned the availability of a client is an important part of the selection of an algorithm to use for VPN Security Table 3 2 shows availability of PPTP L2T...

Page 49: ...nfiguring a location to use PPTP and L2TP encryption has a non-obvious effect on how IP addresses are assigned at that location Normally a WLAN Access Manager provides an IP address for clients with...

Page 50: ...Click PPTP and L2TP Configuration from the Main menu The PPTP and L2TP Configuration appears as shown in Figure 3 1 Figure 3 1 PPTP and L2TP Step 2 Click Yes for Enable PPTP if appropriate Step 3 Cli...

Page 51: ...owed encryption and secure hash algorithms There is also an enable require IPSec setting on a per-location basis in the Rights Manager An IPSec client negotiates with the IPSec server to set the vario...

Page 52: ...ret authentication Step 4 Click the appropriate type of Internet Key Encryption IKE Step 5 Click MD5 and/or SHA for IKE integrity Step 6 Click the appropriate IKE Diffie-Hellman settings Step 7 Click...

Page 53: ...hut down the WLAN Secure Servers and WLAN Access Managers It also describes how to reset the SMC WLAN Secure Server to its factory defaults It includes the following sections 4 1 Creating and Storing...

Page 54: ...ten multiple WLAN Access Managers contain nearly identical configuration and the amount of data kept in each WLAN Access Manager is small You might consider manually re-entering a WLAN Access Manager...

Page 55: ...nfirm Create Backup Step 3 Click Continue with Create Backup The Starting to backup Image screen appears as shown in Figure 4 3 Figure 4 3 Starting to Backup Image It is important that you save your b...

Page 56: ...tem You cannot restore a backed up image from the WLAN Secure Server or WLAN Access Manager 4 1 2 Saving the Backup To save the back up image to your local computer Step 1 Click Save Backup as shown i...

Page 57: ...screens Figure 4 6 Save As Screen on your local computer The default backup image file name automatically appears next to File Name You can use this default or rename it Choose the folder in which yo...

Page 58: ...s as shown in Figure 4 8 Figure 4 8 Confirm Restore From File Use the Browse feature if necessary to locate the backed up image you want to restore Enter the backup image file name in the Image file t...

Page 59: ...4 3 Updating the System Software Upgrading system software is a two-step process First download a new software image This new image becomes the Alternate Version Then reboot from the Alternate Version...

Page 60: ...e box that says Immediately Reboot with update when finished downloading Step 5 Enable Proxy if appropriate An FTP proxy enables you to download the new image through an enterprise firewall Step 6 If...

Page 61: ...box that says Reboot with new version when finished downloading then the download proceeds with the new software replacing the alternate version software and without rebooting The Update Software scr...

Page 62: ...tep 3 Click Shutdown and Power Off to shut down the system The Confirm System Shutdown and Power Off screen appears Click the Continue with Shutdown and Power Off to proceed with the reboot Step 4 Cli...

Page 63: ...tory Defaults Caution If you click this option you must restore all settings from a backup image that was created before the reset Step 5 Click Main Menu if you do not want to reboot or shut down Caut...

Page 64: ...4 12 Controlling the System Functions...

Page 65: ...List 5 4 5 4 Viewing Active Session Information 5 6 5 5 Viewing Log Files 5 7 5 6 Viewing Version and License Information 5 9 Note The text and the buttons are adjusted appropriately depending on whet...

Page 66: ...Filtering Information Entry Details Lines You can specify a number of entries to be displayed The default is 25 You can choose 10 25 100 1000 or unlimited Protocol Choose the protocol from the drop d...

Page 67: ...t of WLAN Access Managers Step 1 Click View WLAN Access Manager List from the Main Menu The WLAN Access Manager list appears as shown in Figure 5 2 Figure 5 2 View WLAN Access Manager List Step 2 To v...

Page 68: ...een appears as shown in Figure 5 3 Figure 5 3 View Active Clients The screen presents user name machine name IP address port number sessions and the idle time for each active session Step 2 You can fi...

Page 69: ...Number The port number of the WLAN Access Manager to which the user is connected IP Security Displays the type of tunnelling protocol used by the client none PPTP L2TP or IPSec the type of authentica...

Page 70: ...ars as shown in Figure 5 5 Figure 5 5 Active Sessions Step 2 You can filter by MAC address protocol port number and by the number of lines to be displayed Step 3 You can sort by MAC addresses The colu...

Page 71: ...ients that are currently connected or the specific client chosen by the MAC address filter Client Source Actual Source When a client sends a packet it puts its IP address in the header of packet which...

Page 72: ...Filter to view filtered results click Reset Filter to reset to the default view Step 6 Click Export Log as plain text to save the log as a plain text file on your web browser's system You might want t...

Page 73: ...w version and license information click Version and License Information from the Main Menu Table 5 4 Session Log Parameters Entry Name Definition Start Start time of session in seconds since 1/1/2000...

Page 74: ...5 10 Viewing System Status...

Page 75: ...Associated with Locations 6 6 6 5 Changing Group Properties 6 22 6 6 Adding Modifying or Deleting a User 6 34 6 7 Enforcing Authentication 6 40 6 8 Changing Rights Allows in Groups 6 50 6 9 Redirecti...

Page 76: ...ing types Guest the rights given to someone who clicks the Guest button on the logon page Implicit users the base group in which rights are allocated to all authenticated users at the specified locati...

Page 77: ...f the WLAN Secure Server that allocates rights to devices and users in the EliteConnect WLAN Security System The Rights Manager enables you to determine site policy based on location user groups times...

Page 78: ...f his rights compared to those of usual professors at this location Figure 6 2 Example 1 Visiting Professor In Figure 6 2 Professor Lupine has access to the university network for the month of January...

Page 79: ...Step 1 Set your browser to the IP address or hostname of the WLAN Secure Server or WLAN Access Manager Step 2 Press Enter Step 3 The Main Menu appears as shown in Figure 6 4 Figure 6 4 Main Menu Where...

Page 80: ...ging Rights Associated with Locations A Location is a group of Wheres and some set of rights associated with the location itself A Where is a WLAN Access Manager or a WLAN Access Manager port or a spe...

Page 81: ...is demonstrations to defend their research In this example you might want to limit access to only graduate students so that only these students can use network resources 6 4 2 Adding a Location To add...

Page 82: ...n name Step 4 Add or change the Where a Click New under Where to add a new WLAN Access Manager See Adding a WLAN Access Manager b Click Edit under Where to change the properties of an existing WLAN Ac...

Page 83: ...d but not required b Require Encryption c Require Encryption except for choose from the list of groups You can choose one or more of these groups Step 12 Click Enable PPTP L2TP Authentication This box...

Page 84: ...to enable either MS-CHAP v2 or to enable MS-CHAP or MS-CHAP v2 Step 17 Click Update The Locations Editor now shows Music in the Location Name textbox as shown in Figure 6 9 Figure 6 9 Location Editor...

Page 85: ...a location Step 1 In the Location Manager as shown in Figure 6 7 on page 6 7 click the location name that you want to modify The Location Editor appears as shown in Figure 6 10 Figure 6 10 Location Ed...

Page 86: ...lete a location Step 1 Click a Location that you want to delete from the Location Editor as shown in Figure 6 11 Figure 6 11 Location Manager with a Location to be Deleted Step 2 Click Delete The Dele...

Page 87: ...ager if your environment has changed For example you might want to add a WLAN Access Manager to handle increased network traffic in a meeting room You might want to modify the hours that a WLAN Access...

Page 88: ...iguring the Rights Manager Figure 6 13 Location Manager Step 2 Click New Location to add a WLAN Access Manager from the Locations Manager menu The Locations Editor appears as shown in Figure 6 14 on p...

Page 89: ...EliteConnect WLAN Security System User Manual 6 15 Figure 6 14 Location Editor Step 3 Click New under Where The Where Editor appears as shown in Figure 6 15...

Page 90: ...ess Manager The WLAN Access Manager Editor appears as shown in Figure 6 16 Figure 6 16 WLAN Access Manager Editor Step 5 Type the WLAN Access Manager Name Step 6 Type the MAC address You can find the...

Page 91: ...ager The Where Editor appears with your new WLAN Access Manager as shown in Figure 6 17 Step 9 Type a name for your Where Figure 6 17 Where Editor with the New WLAN Access Manager Step 10 Click Update...

Page 92: ...6 18 Configuring the Rights Manager Figure 6 18 Location Editor with New Where Added Step 12 Click Update New Where...

Page 93: ...9 Figure 6 19 Where Editor with Graham and Geology Step 2 Click Edit The Choose a WLAN Access Manager to Edit screen appears with the list of the WLAN Access Manager at that location as shown in Figur...

Page 94: ...5 When you are done click Update The WLAN Access Manager is modified or created if you changed the WLAN Access Manager name Changing Other Where Properties You can change other Where properties as sh...

Page 95: ...te Deleting a Where To delete a Where Step 1 Click Edit under Where to select the WLAN Access Manager from the Location Editor The Choose a Where to edit screen appears as shown in Figure 6 23 Figure...

Page 96: ...hts Manager has the following standard groups Logon users are users who have not yet logged in and have not been authenticated Guest users who have guest rights allocated Normal authenticated users wi...

Page 97: ...nnect WLAN Security System User Manual 6 23 Figure 6 26 Groups Manager Step 2 Click New Group Step 3 Type the Group Name that you want to add in this example Contractors as shown in Figure 6 27 on pag...

Page 98: ...e specific times when this group is allowed access Under Valid Times click New The When Editor appears as shown in Figure 6 31 on page 6 29 Click the appropriate times these set of rights are valid or...

Page 99: ...at you want members of this group to have Match an NT Group Name Use these rights when a user logs into a Matching NT domain NAT Whether NAT addresses are enabled Static IP allowed Whether static IP a...

Page 100: ...e times when a group can access Changing the times when the group can access Changing the Allows that appear on the Group Manager screen Note If you leave When blank it is available all of the time In...

Page 101: ...EliteConnect WLAN Security System User Manual 6 27 Figure 6 29 Group Manager The Group Editor appears as shown in Figure 6 30 on page 6 28...

Page 102: ...6 28 Configuring the Rights Manager Figure 6 30 Group Editor Step 2 Click New under Valid Times The When Editor appears as shown in Figure 6 31 on page 6 29...

Page 103: ...tes or a specific range of dates You might have a visitor for example who is with you for the month of January so you could click from January 1 through January 31 b You might want to choose specific...

Page 104: ...ons to change schedules might include a change in schedule that requires more hours for a particular group a visiting colleague who needs access to the network only for a week or month To change the t...

Page 105: ...ew valid times either a range of dates days or times Step 5 Click Update Modifying the Group Allows Column You can modify the Group Allows Column so that you see a subset of the Allows To change which...

Page 106: ...6 35 Figure 6 35 Group Allow Column Modifier Use the Group Allow Column Modifier to include or exclude any Allows in the Groups Manager To choose the columns to display choose one of the following opt...

Page 107: ...ows respectively When you are done click Update The Groups Manager appears with the columns you have selected 6 5 3 Deleting a Group To delete a group Step 1 Click Groups The Group Manager screen appe...

Page 108: ...ager It also explains how to add a specific MAC address as a user Users can belong to one or more groups or to no group User can also be a member of a group of one user which gives that user a unique...

Page 109: ...6 5 1 Adding a New Group 6 22 if you need to add a new group Step 5 If you use the Built-in authentication service you might need to type a password If you use LDAP RADIUS or Kerberos authentication...

Page 110: ...click the user you want to modify The User Editor appears as shown in Figure 6 41 on page 6 36 Figure 6 41 Modifying a User's Characteristic Step 2 Make the changes that you require in the User Editor...

Page 111: ...lete Step 2 The User Editor screen appears as shown in Figure 6 43 with the name of the user you selected Figure 6 43 User Editor With User Selected Step 3 To delete this user click Delete The Delete...

Page 112: ...MAC address as a user Typical applications for this feature include an Access Point a server running without user intervention a wireless device without SSL capability or a specific user who does not...

Page 113: ...address in the User Name text box as shown in Figure 6 46 Step 3 Click the This user is a MAC address user check box Figure 6 46 User Editor with MAC Address for User Name Step 4 Click Update The User...

Page 114: ...ntication SMC uses the following authentication services Built-in the default service created by SMC LDAP RADIUS Kerberos The Built-in service is available if you choose not to use the other authenticati...

Page 115: ...r Manager Screen If you are choosing an Authentication service for the first time you see the Built-in method screen as shown in Figure 6 49 on page 6 41 If you have previously chosen an Authenticatio...

Page 116: ...Location Editor to enable watching for 802.1x logons If you enable 802.1x logons use these fields to specify the 802.1x RADIUS server Step 4 Type the port number The default port number is 1812 Step 5...

Page 117: ...r running the LDAP service Username field Field to use to retrieve the Username Port Port for LDAP typically 389 Timeout Authentication timeout period Base DN The suffix for LDAP Group Field Group fie...

Page 118: ...hentication screen appears as shown in Figure 6 52 on page 6 45 Table 6 3 RADIUS Authentication Options Entry Explanation Name User name Server FQDN of the server running RADIUS Port Port for RADIUS t...

Page 119: ...does not work properly A description of the Kerberos fields is given in Table 6 4 Note The Kerberos protocol is designed to operate across organizational boundaries Each organization wishing to run a...

Page 120: ...on screen appears as shown in Figure 6 53 Figure 6 53 Advanced Authentication Screen Use Advanced Authentication when you want multiple authentication realms or when you want default realms to support...

Page 121: ...realm for PPTP authentication if appropriate Step 5 Use the move arrows or to choose the methods you want into the Use these methods box The methods that appear are based on authentication services th...

Page 122: ...ealm you want to modify from the Realm Editor screen as shown in Figure 6 54 Figure 6 55 Choose a Realm to Modify The Realm Editor screen appears as shown in Figure 6 56 on page 6 48 Figure 6 56 Editi...

Page 123: ...ethods you want into the Use these methods box The methods that appear are based on authentication services that you previously selected Step 5 Choose Edit a method to choose another method The system...

Page 124: ...he Groups Manager screen appears as shown in Figure 6 57 Figure 6 57 Groups Manager Screen Step 2 The Groups Manager shows the Allows for each group The Groups are color coded as shown in Table 6 5 St...

Page 125: ...EliteConnect WLAN Security System User Manual 6 51 Figure 6 58 Allow Editor Step 4 Type the Allow Name as shown in Figure 6 59 Figure 6 59 Typing New Allow Name...

Page 126: ...ights Manager Step 5 Click Update The Allow Editor appears as shown in Figure 6 60 Figure 6 60 New Allow Added to Groups Manager Step 6 If you click Advanced in Figure 6 59 the Filter screen appears a...

Page 127: ...roup intersection in the Groups Manager as shown in Figure 6 57 on page 6 50 Then click Update Step 2 To modify the Protocol Port and Address click the Allow in the Groups Manager and change these par...

Page 128: ...edirected to the enterprise DNS server rather than the one that was originally specified Redirects can include Original protocol Original port Original address Redirect port Redirect IP address Redire...

Page 129: ...EliteConnect WLAN Security System User Manual 6 55 Figure 6 63 Selecting a Group from the Groups Manager Screen Select Contractors for Redirects...

Page 130: ...the group given under Group Name as shown in Figure 6 64 Figure 6 64 Group Editor Screen With Group Selected Step 2 Under Redirects click New if you want to create a redirect or Click Edit if you want...

Page 131: ...ect to edit from the drop down list The Redirect Editor appears as shown in Figure 6 66 Figure 6 66 Redirect Editor Step 4 Select the Protocol and the address to which you want packets redirected Then...

Page 132: ...as shown in Figure 6 64 on page 6 56 select the redirect you want to delete under the proper group Click Edit The Redirect Editor appears as shown in Figure 6 65 on page 6 57 Step 2 Select the Redire...

Page 133: ...ts To change Allow Rights Step 1 From the Group Editor click Edit under Allow to change the type of Allows rights for a group Figure 6 69 Allow Editor Step 2 Type the Allow Name Step 3 Choose the Prot...

Page 134: ...anager Figure 6 70 Advanced Allow Step 6 Click Update Changing a Group's Redirect Rights To change a group's Redirect rights Step 1 Click New Redirect to change Redirect rights The Redirect Editor app...

Page 135: ...ct Editor Step 2 Type the Redirect Name Step 3 Choose the Protocol Port or Address you want redirected Step 4 Choose the address or an address and port to which you want the Redirect packets sent Step...

Page 136: ...6 62 Configuring the Rights Manager Figure 6 72 Filter Redirect Editor Step 6 Click Update...

Page 137: ...any Rights Manager screen click Debug as shown in Figure 6 73 Figure 6 73 Rights Manager Screen The Rights Debugger appears as shown in Figure 6 74 Figure 6 74 Rights Debugger Step 2 Select either th...

Page 138: ...p 4 Click Done when you are finished viewing the rights When simulating the rights for an LDAP or RADIUS user use the Everyone Else user from the drop down list This is an incomplete simulation becaus...

Page 139: ...EliteConnect WLAN Security System User Manual 6 65 Figure 6 76 Selecting Guest User at Location Everywhere Else Step 6 Click Show Me and the Rights for Guests screen appears as shown in Figure 6 77...

Page 140: ...6 66 Configuring the Rights Manager Figure 6 77 Rights for Guest Step 7 When you have finished click Done...

Page 141: ...ck Logs The Rights Manager Logs Viewer appears as shown in Figure 6 78 Step 2 Click the option under Logs Configuration a Click Log failed Logon attempts to track this activity b Click Log successful...

Page 142: ...choose Alert Critical Informational Warning Error or Debug Click Within to choose the time period to display You can choose the last hour day week or unlimited Click Update Click Clear Log to empty t...

Page 143: ...ghts Step 1 Look at Export Image created month date time year If the image that was created at the time listed is suitable you can export it If you need a more recent export image create one See Creat...

Page 144: ...ding the XML Schema To download the XML schema Step 1 Click Schema to download the current XML schema The schema is a text file that you can view with any text editor Step 2 You see export.xsd in the...

Page 145: ...to the appropriate node of a large network Different locations at the site might have their own authentication scheme which must be indicated on the logon screen 6 13 1 Customizing the Logon Screen T...

Page 146: ...Browse to locate the proper directory and file name c Click Update Step 6 To update the text for the logon screen a type the name of a text or HTML file that contains the text or HTML source you want...

Page 147: ...fficial signed and trusted SSL certificate users accessing the logon screen receive a message warning of an untrusted certificate Replacing the default SSL certificate with one signed by an external s...

Page 148: ...ith the information you entered and the Certificate Signing Request as shown in Figure 6 86 on page 6 74 Figure 6 86 Upload SSL Certificate You use this certificate signing request either to request a...

Page 149: ...use the CSR to generate your own self-signed certificate Step 4 Type the filename of the certificate you received from the certificate authority the one you generated Step 5 Click Upload Certificate N...

Page 150: ...6 76 Configuring the Rights Manager...

Page 151: ...dst Examples are src foo dst net 128.3 src or dst port ftp-data If there is no dir qualifier src or dst is assumed For null link layers i.e. point-to-point protocols such as slip the inbound and outbo...

Page 152: ...number of net net net mask mask True if the IP address matches net with the specific netmask Can be qualified with src or dst net net/len True if the address matches net a netmask len bits wide Can b...

Page 153: ...onal This is shorthand for ether[0] & 1 != 0 ip multicast True if the packet is an IP multicast packet ether proto protocol True if the packet is of ether type protocol Protocol can be a number or one of th...

Page 154: ...ghest precedence Alternation and concatenation have equal precedence and associate left to right Note that explicit and tokens not juxtaposition are now required for concatenation If an identifier is...

Page 155: ...owing categories B 1 Syntax for Command Line Interface B 2 B 2 CLI Help Commands B 2 B 3 CLI Access Control Commands B 2 B 4 Diagnostic Commands B 3 B 5 System Status Commands B 4 B 6 Diagnostic Log C...

Page 156: ...e brackets that are separated by the pipe symbol You can also specify no option Parentheses indicate that you must choose one option for example show clients mac mac address sort mac ip user machine p...

Page 157: ...Translates to nslookup -timeout=10 hostname ping ip address hostname Ping an IP address or a hostname Translates to ping -c 3 ip address or ping -c 3 hostname debug ip interface Show IP traffic on an int...

Page 158: ...ess hostname hops probes probewait Displays the traceroute for an IP address or hostname Translates to traceroute -n -m hops -q probes -w probewait ip address or traceroute -n -m hops -q probes -w probewait h...

Page 159: ...upgrade downgrade or same version of the software if one exists on the system B 6 Diagnostic Log Commands show logs severity max lines for count time units reverse Display entries in the error log cle...

Page 160: ...ess to display Format xx:xx:xx:xx:xx:xx logoff client all mac mac address Log off a client or all clients mac address MAC Ethernet address to log off Format xx:xx:xx:xx:xx:xx B 8 System Configuration...

Page 161: ...ternate versions is specified it must match the type of alternate version installed on the system See the show version command shutdown Shuts down the system url The URL-encoded location of the softwa...

Страница 162: ...ip address ip address Set the IP addresses of the DNS servers clear dns Clear the IP addresses of the DNS servers set sharedsecret secret secret Set the Access Manager or Control Server shared secret...

Страница 163: ...ess and netmask for the specified port clear portip port Clear the IP address and netmask for the specified port show portip Display the current IP address and netmask settings for all ports B 8 4 Acc...

Страница 164: ...Sec shared secret Prompts for the secret if not entered on the command line show ipsec This command shows PPTP and L2TP settings set ipsec on off Enable or disable IPSec clear ipsecsecret If IPSec is...

Страница 165: ...ip address hostname ip address hostname Set the NTP servers IP address or hostnames Hostnames must be fully qualified if specified clear ntpserver Clear the NTP servers IP address or hostnames This c...

Страница 166: ...ieved backup cancel backup Cancel a running store backup or get backup task show backup Display information about the list of local backup and the status of a running store backup or get backup task B...

Страница 167: ...all of them set snmplocation location Sets the SNMP sysLocation object defined in RFC 1213 as the physical location of this node for example telephone closet 3rd floor clear snmplocation Clears the S...

Страница 168: ...B 14 Command Line Interface...

Страница 169: ...in Chapter 6 Please read it before reading this chapter This appendix covers the following topics C 1 Starting with Locations C 2 C 2 Group Editor C 4 C 3 Built in Users C 11 C 4 Example 1 Rights Debu...

Страница 170: ...best place to start is the Location editor Step 2 Click Locations The Locations Manager appears as shown in Figure C 1 Figure C 1 Location Manager Notice there is a location called Everywhere Else Th...

Страница 171: ...yet answer the When question We have not yet specified any times that groups can access the network from this location This particular location is always valid The WLAN Security System also associates...

Страница 172: ...ded out to a client who appears at this location but has not yet logged on as a user or a guest Guest None or only one This group defines what rights are handed out to a client at this location who lo...

Страница 173: ...st of Logon Guest User or Normal groups for use in the Location Editor See Section C 2 2 Default Groups for more information Note Normal groups are the only ones that users can join A user can not bel...

Страница 174: ...s see Configuring the Rights Manager and Redirecting Packets C 2 3 Logon Rights Table C 3 describes Logon rights and Redirects Table C 3 Default Allows and Redirects Table C 2 Default Allows and Redir...

Страница 175: ...address 42 0 0 1 As a new client you have Logon rights If you take a detailed look at this Redirect you will see it actually redirects to port 82 This is because our web server will internally redire...

Страница 176: ...is on the INTRANET network This is defined by the settings in the Network configuration web page Logon page shortcut is a redirect that allows the client to access the web through http 1 1 1 1 and get...

Страница 177: ...9 SSL Stop page and Stop page allow access to port 81 and port 446 which are used to display the stop page once a client is redirected to it See Customizing the Logon Screen for more information C 2 5...

Страница 178: ...C 10 Rights Tutorial Figure C 5 User Rights shown in the Rights Debugger In this example All IP allows access to all network traffic DNS redirect and Logon page shortcut are the same as above...

Страница 179: ...S Logon page See Configuring the Rights Manager for more information C 3 Built in Users Let s look at the User Editor Step 1 Click Users Step 2 Click New User The User Editor screen appears as shown i...

Страница 180: ...e authentication procedure is explained in the Rights Management chapter In order for the rights to be allocated you must meet the who when and where criteria Who is the authentication via the built i...

Страница 181: ...ceive rights Location There is a drop down list containing all locations that have been created and the pre existing Everywhere Else location When there is a section that allows you to specify either...

Страница 182: ...C 14 Rights Tutorial Figure C 8 Rights for Guest Table C 4 explains the Rights Debugger...

Страница 183: ...that based on the location the Guest group is allowed so we keep this group and its expire time Allows HTTPS Logon page DHCP Outside World SSL Stop page HTTP logon redirector tells us that given the...

Страница 184: ...ort ip_redirect ip_redirect match tcp dst port 80 and not dst host 42 0 0 1 match ip 192 168 10 86 ip port 82 port ip_redirect ip_redirect match tcp dst port 443 and not dst host 42 0 0 1 match ip 192...

Страница 185: ...complicated situation C 5 Example 2 Allowed User Groups Step 1 Add a group called Example group 1 Step 2 Make it as follows a Normal group NAT Linger 60 seconds Expire 10000 seconds Allow DHCP DNS re...

Страница 186: ...d Example group 2 following the procedure in the Rights Management chapter Step 4 Make it as follows a Normal group Linger 0 Expire NEVER Allow All IP traffic DNS redirect HTTP logon redirect HTTPS lo...

Страница 187: ...e Group 2 Step 5 Click New User in the User Manager The User Editor screen appears as shown in Figure C 11 Step 6 Add user Fred and make Fred a member of both Example Group 1 and Example Group 2 A pas...

Страница 188: ...ts Tutorial Figure C 11 User Editor for Fred Step 8 After adding user Fred go back to the Rights Debugger as shown in Figure C 7 and select Fred at location Everywhere Else at time Now as shown in Fig...

Страница 189: ...EliteConnect WLAN Security System User Manual C 21 Figure C 12 Rights Debugger for Fred...

Страница 190: ...two example groups This happened because although Fred is a member of the two example groups the location did not allow those groups So the rest of the information corresponds to the Allows Redirects...

Страница 191: ...10 Click Debug The Rights Debugger appears as shown in Figure C 14 Figure C 14 Rights Debugger after Allowing Groups The first three lines are the same as before but now Final Group Expire contains th...

Страница 192: ...WLAN Access Manager receives these rights the WLAN Access Manager will request new rights from the Rights Manager If these groups location haven t changed then the same rights package will be sent to...

Страница 193: ...n that Everywhere Else did not have It has a list of Wheres blank list at the moment in which you will choose a location At least one Where must be chosen from this list so that we know the Where to w...

Страница 194: ...te a new WLAN Access Manager a To create a WLAN Access Manager we need to know the MAC address of the WLAN Access Manager we want to specify To find out the MAC address go to the WLAN Access Manager w...

Страница 195: ...each WLAN Access Manager UI is the WLAN Access Manager s MAC address You can also create a dummy MAC address by typing in 12 hexidecimal digits in the MAC address field Step 5 Click Update to return...

Страница 196: ...they will end up with Logon rights again This is an interesting concept Rather than a client receiving no rights at all the system tries to hand out logon rights again This is why you must specify a L...

Страница 197: ...ng No rights at all translates at the WLAN Access Manager to NAT true and no other traffic allowed But they can t use DHCP since no traffic at all is allowed They won t be able to get a logon page or...

Страница 198: ...group with the same Allows and Redirects as the User group we started editing See Figure C 20 Figure C 20 Group Editor Step 3 Now create a new location that uses this group and does not use any other...

Страница 199: ...user who shows up on this WLAN Access Manager on port 1 is associated with this location Where before they associate with the other where The more specific interface always overrides the more general...

Страница 200: ...c MAC address to access the net without logging on This could be because it is a server of some sort that runs without a user intervention a wireless device that does not have SSL capability or a spec...

Страница 201: ...nual C 33 Figure C 23 User Editor However when we look at the rights as specified by the debugger the MAC address user will get User rights instead of Logon rights even though the MAC address has not...

Страница 202: ...er for MAC User Thus for known MAC addresses you can skip the logon process completely Also if you wanted to give the MAC address user special rights that the implicit User group does not have you cou...

Страница 203: ...s in question is explicitly denied Then add a group that specifically gets access to that machine and add users to that group So let s decide that the traffic we want to disallow is to the specific su...

Страница 204: ...addresses except for the one specified as shown in Figure C 26 Figure C 26 Allow Editor Step 6 Click Update to add this Allow to the list of Allows Step 7 Click Cancel from the Edit Selector as shown...

Страница 205: ...Getting Access to the Subnet Now let s create a group that gets access to part of this subnet Step 1 Click New Group to add a group of type Normal Step 2 Name it Allow192 168 1 Step 3 Click New under...

Страница 206: ...C 38 Rights Tutorial Figure C 29 Allow Editor Step 5 Click Update to create this Allow Step 6 Return to the Groups Manager Step 7 Select this Allow in our new group as shown in Figure C 30...

Страница 207: ...EliteConnect WLAN Security System User Manual C 39 Figure C 30 Group Editor with new Allows Step 8 Click Update Step 9 Create another group using the Allow 192 168 2 0 24 as shown in Figure C 31...

Страница 208: ...C 40 Rights Tutorial Figure C 31 Allow Editor Step 10 Click Update The Group Editor shows this added as an Allow as shown in Figure C 32...

Страница 209: ...ser Manual C 41 Figure C 32 Group Editor C 11 3 Adding Users Now let s create a couple users who take advantage of these groups Step 1 Create a new user Harry as a subnet 1 user as shown in Figure C 3...

Страница 210: ...k C 11 4 Creating a Location Now let s create a location that takes advantage of this Step 1 Create a new location See this procedure the Rights Management chapter Step 2 Then in the Location Editor a...

Страница 211: ...et User and the normal groups 192 168 1 and 192 168 2 and the Subnet Where location as shown in Figure C 36 Figure C 36 Location Editor Now let s see how our two users differ in the Rights Debugger St...

Страница 212: ...y Notice 192 168 1 0 24 is allowed so this user gets explicit use of the 1 subnet Also anything except 192 168 0 0 16 is allowed so all other traffic will be let through Step 7 Display the rights for...

Страница 213: ...xample I used all ports but you could get more restrictive and only handout specific ports if necessary Also in your particular network you might want to use group names like Accounting or Engineering...

Страница 214: ...Figure C 40 shows the Locations Manager screen with the location Subnet Location and the groups that are valid at this location As expected the groups valid at this location are Logon Subnet User and...

Страница 215: ...r is how to block a well known streaming port in a public Access Point Let s take Gnutella s default port 6346 as an example Step 1 Modify our default Guest group so that Guests can t use this port St...

Страница 216: ...C 48 Rights Tutorial Figure C 41 Redirect Editor This closes the 6346 port to everyone who uses this group Step 4 Select this Redirect in the Guest group and click Update as shown in Figure C 42...

Страница 217: ...d start by allowing nothing and then add more allows as your users demand more services This can also be achieved by setting up the Guest and User groups Start by deselecting all Allows for these grou...

Страница 218: ...ault set of Redirects includes a redirect for SOCKS proxy It is not selected by default but if you have a SOCKS proxy then your users need this to access the network See the Redirect section in the Ri...

Страница 219: ...ow Also you probably want to allow conference attendees to get access through their own laptops Let s say you have 50 public access kiosks and it takes 40 Access Points for you to cover the entire sho...

Страница 220: ...n The problem with the Wheres we ve seen so far is they are based on WLAN Access Manager port Since there are only 40 access points and 50 public kiosks you don t have enough access points to dedicate...

Страница 221: ...tor Step 3 Enter the Location Name in this case Public Kiosks Step 4 We also need a new Where so click New under the list of Wheres and enter the name Kiosk1 Step 5 Also click the Client MAC address r...

Страница 222: ...his Where If this was really for a conference we would only want this kiosk to be valid during the show so let s create a When for the show Step 7 Click New under the list of Whens Step 8 Set up the w...

Страница 223: ...up s users will get at this location Step 11 Name the group 20 Minute User make the group an implicit user s group only valid during show hours Step 12 Select the allows DHCP HTTPS logon page outside...

Страница 224: ...ding 20 Minute User Step 14 Click Update to create this group and go back to the Location Editor Step 15 Select the Where as Kiosk 1 the When as Show hours the Logon group Logon and the User group 20...

Страница 225: ...Step 16 Click Update to create this location Now you have created the Location Public Kiosks with different rights from the rest of the network based on the fact that the users are logging in at a spe...

Страница 226: ...ant part of this example is that you have created a new location that is expandable on a kiosk by kiosk basis It does not cost you anymore in WLAN Access Manager ports because it uses existing coverag...

Страница 227: ...SMC implementation of Simple Network Management Protocol The sections include D 1 Introduction to WLAN Security System SNMP D 2 D 2 Supported Management Information Base Objects D 3 All the MIB v2 obj...

Страница 228: ...al aspects associated with the device including fan status interface status and temperature subject to hardware and operating system support Receive asynchronous notifications when important events oc...

Страница 229: ...re D 2 1 MIB Objects Base MIB Module Object SMCNETWORKS BASE MIB DEFINITIONS BEGIN IMPORTS MODULE IDENTITY FROM SNMPv2 SMI enterprises FROM RFC1155 SMI smcNetworks MODULE IDENTITY LAST UPDATED 0202270...

Страница 230: ...Manager smc2502w OBJECT IDENTIFIER smcNetworksProduct 2 END D 2 2 System MIB SMCNETWORKS SYSTEM MIB DEFINITIONS BEGIN IMPORTS MODULE IDENTITY OBJECT TYPE Gauge32 NOTIFICATION TYPE Unsigned32 Integer3...

Страница 231: ...the HW product smcNetworksSysMib 1 D 2 4 Hardware Version MIB Object smcProductHWVersion OBJECT TYPE SYNTAX OCTET STRING MAX ACCESS read only STATUS current DESCRIPTION HW version of the product smcN...

Страница 232: ...he power supply smcNetworksSysMib 7 Chassis Temperature MIB Object smcChassisTemperature OBJECT TYPE SYNTAX OCTET STRING MAX ACCESS read only STATUS current DESCRIPTION Current temperature in degrees...

Страница 233: ...STATUS current DESCRIPTION Operational status of a cooling fan smcFanStatusEntry 2 Fan Speed MIB smcFanSpeed OBJECT TYPE SYNTAX INTEGER32 MAX ACCESS read only STATUS current DESCRIPTION Speed of the f...

Страница 234: ...ICATION TYPE OBJECTS smcCpuTemperature STATUS current DESCRIPTION A temperatureAlarm signifies that the SNMP entity acting in an agent role has detected that the smcCpuTemperature has a value that exc...

Страница 235: ...ming handoff Expire time a timer that determines how long before a a user must re authenticate Everywhere else the Rights Manager location that a client belongs to if it does not associate with any ot...

Страница 236: ...nt packets Rights Manager the SMC component that allocates rights or access privileges for locations groups and users The Rights Manager also authenticates clients Roaming the act of moving from one w...

Страница 237: ...face 2 1 Configuring the Date and Time 2 15 Configuring the time and date 2 15 Control Server 1 4 Creating or Modifying a Redirect 6 54 D Debug 6 63 Default Groups C 6 Delete a location 6 12 Deleting...

Страница 238: ...15 C 24 Linger seconds 6 3 1 1 Location delete 6 12 modify 6 11 Location Editor 6 11 C 52 C 56 Location Expire C 15 Location Manager C 46 Locations Manager 6 10 C 52 Login Screen 2 2 Logon C 56 Logon...

Страница 239: ...red Secret 6 9 Shared secret 3 8 Show Me C 13 Simple Network Management Protocol SNMP D 1 SMB C 7 SMTP C 49 SNMP objects D 1 SNMP port 2 12 SNMP traps 2 12 SOCKS C 50 C 51 Specifying location descript...

Страница 240: ...X 4 Index...

Страница 241: ...2 739 12 33 Fax 39 02 739 14 17 Benelux 31 33 455 72 88 Fax 31 33 455 73 30 Central Europe 49 0 89 92861 0 Fax 49 0 89 92861 230 Switzerland 41 0 1 9409971 Fax 41 0 1 9409972 Nordic 46 0 868 70700 Fax...

Страница 242: ...ii...

Отзывы: