Colubris Networks CN3000, Administrator'S Manual

Page 1: ...CN3000 Administrator s Guide...

Page 2: ...or other countries All other names mentioned herein are trademarks or registered trademarks of their respective owners Changes are periodically made to the information herein these changes will be inc...

Page 3: ...8 Connecting to the Internet 39 The RADIUS server 40 CN3000 authentication 40 Customer authentication 40 Administrator authentication 40 Connecting to a RADIUS server 40 More information 41 Firewall 4...

Page 4: ...rnal pages 117 Examples 119 Using a remote login page 121 Activating a remote login page 121 How it works 123 Security issues 123 Example 124 Location aware authentication 125 How it works 125 Example...

Page 5: ...5 Step 3 Converting a certificate to PKCS 12 format 206 Step 4 Installing a new SSL certificate 207 Manual installation 207 Automatic installation 207 Step 5 Installing certificates in a browser 208 I...

Page 6: ...fault user quotas 274 Default user idle timeout 275 Default user SMTP server 275 Default user session timeout 275 Default user one to one NAT 276 IPass login url 276 Internal pages 276 External pages...

Page 7: ...354 Chapter 16 Sample setup Microsoft RADIUS 355 Overview 356 Prerequisites 356 Equipment setup 357 Topology 357 About the components 357 Step 1 Install software on Server 1 358 Windows 2000 358 Inte...

Page 8: ...Table of Contents 8...

Page 9: ...Chapter 1 Introduction Chapter 1 Introduction This chapter provides an overview of this manual and other important information...

Page 10: ...chapter provides an overview of the configuration options provided by the management tool for most of the important features on the CN3000 For information on features not covered in this section cons...

Page 11: ...urope 100 meters 300 feet Power output North America 200mW Europe 100mW Compatibility Communicates with all Wi Fi certified wireless adapters Supports all operating systems Networking IEEE 802 1d comp...

Page 12: ...MSCHAP v2 MSCHAP v1 MAC level authentication for non HTTP devices Supports up to 100 concurrent users Provides accounting by time used or data transferred received by customers Traffic quotas Manageme...

Page 13: ...contact your reseller Information about Colubris Networks products and services including documentation and software updates is available on our web site at www colubris com CN3000 Wireless Access Con...

Page 14: ...ng to the management tool web interface submenus are indicated using the sign The example refers to the Ports submenu which is found under the Network menu ip_address Items in italics are parameters t...

Page 15: ...Chapter 2 How it works Chapter 2 How it works Thischaptercoversimportanttopicsthatwillhelpyoutounderstandhow to install deploy and manage a wireless public access network...

Page 16: ...on may be suitable for a simple wireless hotspot that provides access to the Internet more complex setups require more fine grained control of the protected network resources To support this the CN300...

Page 17: ...on for a small location Computers on the attached wired LAN also have access to the network No RADIUS server is required By making use of a RADIUS server in a network oprating center the same installa...

Page 18: ...ides a wireless network and is also connected to a LAN to enable a number of wired computers to act as public access stations Each CN3000 is connected to the Internet via a broadband modem The Interne...

Page 19: ...lized management accounting and customer authentication About this installation A single CN3000 is installed along with one or more CN300 CN320 satellites at areas 1 and 3 At area 2 the CN3000 provide...

Page 20: ...DAs that only support a single browser window will have difficulty using the public access interface in its standard configuration To solve this problem see Supporting PDAs on page 120 Important The t...

Page 21: ...an optional page For a complete description of the other pages that make up the public access interface see Chapter 6 Customizing the public access interface The CN3000 ships with a default set of pa...

Page 22: ...efine for each wireless profile Allow any IP address This feature enables wireless client stations that are using a static IP address to connect to the CN3000 The client station s IP address does not...

Page 23: ...on a per customer basis This enables customers to send e mail through the public access network without the restrictions imposed by most ISPs regarding the source address of outgoing mail It works by...

Page 24: ...of the e mail server to use for redirection of the customer s e mail URLs specifying the location of customized Welcome and Goodbye pages for the customer When you create a profile for each customer...

Page 25: ...ir MAC address appear on the network the CN3000 attempts to authenticate them To setup these accounts see page 160 WPA 802 1x The CN3000 provides full support for customers with 802 1x or WPA client s...

Page 26: ...ing can be either static or DHCP A unique feature of the CN3000 is its ability to support connections from client stations that have a preconfigured static IP address Set the SSID to be Colubris Netwo...

Page 27: ...st occur via a secure connection Before this connection can be established you must accept a Colubris Networks security certificate The procedure for accepting the certificate varies depending on the...

Page 28: ...word cannot be authenticated To setup RADIUS authentication do the following 1 On the main menu click Security then click RADIUS 2 Click Add a New Profile 3 Define the settings for the RADIUS profile...

Page 29: ...cure remote management Secure remote management is possible using the integrated PPTP and IPSec client software This enables the CN3000 to create a secure tunnel to a remote server using a public netw...

Page 30: ...s connectors for two external antennas Consult the specifications for the antennas you are using to determine how they affect wireless coverage Interference Interference is caused by other access poin...

Page 31: ...s that are shared by all profiles This includes radio settings operating frequency distance between access points transmit power wireless port address and mask dynamic key length and key change interv...

Page 32: ...separation as possible in their operating frequencies This reduces cross talk and enables client stations connected to each access point to transmit at the same time Choosing non overlapping channels...

Page 33: ...would create the following installation Reducing transmission delays by using different operating frequencies However It is possible to stagger your cells to reduce overlap and increase channel separ...

Page 34: ...adjustment open the Wi Fi Wireless page For most installations the large setting should be used However if you are installing multiple CN3000s and the channels available to you do not provide enough...

Page 35: ...ither use a backbone LAN to interconnect the units or daisy chain them together using cross over cables See the Administrator s Guide for the CN300 CN320 for details Configuration issues Operating fre...

Page 36: ...horized access points which you must define If the discovered access point does not appear in the list it is displayed in the Unauthorized access points list List of authorized access points The forma...

Page 37: ...work Address allocation page Internet port Addressing options for the Internet port include DHCP client PPPoE client static and none To set these options open the Network Ports Internet port page Host...

Page 38: ...the LAN port are bridged so changing the LAN port address also changes the address of the wireless network The CN3000 acts as a bridge between the wireless LAN and the wired LAN This means that if you...

Page 39: ...CN3000 Another option is to enable DHCP relay or use static IP addressing on the WLAN To configure the DHCP server 1 Click Network Address Allocation 2 Select the DHCP server and click Configure 3 Con...

Page 40: ...ation of a CN3000 configuration file The MAC addresses of devices to authenticate The default idle timeout for customer sessions The default address for the mail server used to support SMTP redirectio...

Page 41: ...how to accomplish this Note If you change a RADIUS profile to connect to a different server while customers are logged in all RADIUS traffic for active customer sessions is immediately sent to the new...

Page 42: ...rking requirements If the CN3000 is connected to a wired LAN the firewall protects the wired LAN as well Blocking unauthorized access with the firewall Firewall presets The easiest way to make use of...

Page 43: ...erver Passed NetMeeting make call Passed IPSec pass through Passed NetBIOS Blocked Incoming traffic Firewall setting Application Low Medium High FTP passive mode 1 Passed Blocked Blocked FTP active mo...

Page 44: ...s the rule the rule is triggered and the data is rejected accepted by the firewall Rules operate on IP datagrams sometimes also called packets Datagrams are the individual packages of data that travel...

Page 45: ...tside network i e the Internet or a remote site via VPN While this is great for security in some cases it is useful to make a computer on the internal network accessible externally For example if you...

Page 46: ...lows you to assign multiple IP addresses to the Internet port and use them to distinguish outgoing NAT traffic for customers making VPN connections How it works One to one NAT functions as follows Def...

Page 47: ...hese stations are still not visible externally Remote computers send their requests to 202 125 11 26 and the CN3000 routes them to the proper client To configure the CN3000 to support this example you...

Page 48: ...r 2 48 4 To support the FTP server two additional mappings need to be created with the following values Standard Services ftp data TCP 20 and IP address 192 168 1 3 Standard Services ftp control TCP 2...

Page 49: ...VPN tunnel bypasses the CN3000 s firewall Important The VPN tunnel cannot be used to transport customer traffic The tunnel should be used to carry management traffic only RADIUS SNMP management sessio...

Page 50: ...ing it or for installations with less than 50 customers and no need for accounting support For an example on how to use local mode see Scenario 1a Hotspot with Internet access local mode on page 69 En...

Page 51: ...mode it must log into a RADIUS server before it can activate the public access interface This is required so that the CN3000 can retrieve configuration settings which are used to customize the operati...

Page 52: ...longer functions as an access controller Instead it automatically forwards all wireless traffic onto the Internet port This is useful when a remote site performs all access control functions To safegu...

Page 53: ...nsive to run cabling to a wireless access point In this scenario the CN300 is used to expand the coverage of the wireless network Building to building connections The CN3000s wireless bridging feature...

Page 54: ...page for the link opens 3 In the Settings box select Enabled 4 In the Addressing box specify the Remote MAC address This is the MAC address of the other access point 5 Click Save 6 Open the Wireless W...

Page 55: ...ipped 5 Click Install Note The CN3000 will automatically restart after the firmware has been installed to activate it This will disconnect all client stations Once the CN3000 resumes operation all cli...

Page 56: ...still encrypted Note If you want to secure the connection with the CN3000 using certificates you must use the cacert option to specify where the CA certificates are located on your computer This also...

Page 57: ...s so they can be easily restored in case of failure This option is also used when you want to directly edit the configuration file See Chapter 13 for details Reset configuration Use this option to ret...

Page 58: ...on your computer This also requires that you specify the host name wireless colubris com instead of using its IP address The host name must be resolved either via a DNS server or using the hosts file...

Page 59: ...t Resetting the configuration to factory defaults 1 Prepare the CN3000 to receive the login curl s k https 24 28 15 22 home asp 2 Login to the management interface curl s k dump header cookie txt http...

Page 60: ...Chapter 2 How it works Chapter 2 60...

Page 61: ...Chapter 3 Installation Chapter 3 61 Chapter 3 Installation Chapter 3 Installation This chapter explains how to install the CN3000...

Page 62: ...address is assigned to it by the network flashing Internet port is connected to a broadband link or WAN but an IP address is not yet assigned off Internet port is not connected on The CN3000 is fully...

Page 63: ...ton quickly to restart the CN3000 This is equivalent to disconnecting and reconnecting the power The CN3000 will restart immediately Resetting to factory defaults To reset the CN3000 to its factory de...

Page 64: ...trated below Installing rubber feet The CN3000 can be used upright or lying down To prevent slipping attach the four rubber feet as shown below Do not mount the CN3000 on a wall or ceiling until after...

Page 65: ...ncluded in the package are two screws and anchors suitable for attaching the CN3000 to walls constructed out of drywall or similar material 1 Mark the anchor locations on a wall or ceiling using the n...

Page 66: ...automatically starts up when you connect the power there is no on off switch and becomes fully operational when the power light stops flashing For more information on the front panel lights refer to S...

Page 67: ...Chapter 4 Scenarios Chapter 4 Scenarios This chapter provides sample deployment strategies for common scenarios Thesescenarioswillgiveyouagoodideaonhowtoapproach your installation...

Page 68: ...apter 3 and know how to install the CN3000 Contents The following scenarios are described in this chapter Scenario See page Scenario 1a Hotspot with Internet access local mode 69 Scenario 2b Custom pu...

Page 69: ...ting The CN3000 is set to local mode which means that a RADIUS server is not required to activate the public access interface Instead the default public access interface resident on the CN3000 is used...

Page 70: ...based user logins and select Local authentication Define the local user list Security Users page 268 Add usernames and passwords for all users Test the public access interface To test your installatio...

Page 71: ...apter 4 Scenarios Chapter 4 71 3 Specify a valid customer name and password to login 4 The CN3000 session page will open 5 Next you are automatically redirected to the web site you originally requeste...

Page 72: ...ow to customize the operation of the public access interface while running in local mode How it works In this scenario a web server is used to store custom pages for the public access interface The CN...

Page 73: ...login page and logo 1 Create a folder called newpages on the web sever 2 Create a file called logo gif that contains your logo and place it in the newpages folder 3 Copy the following files from the...

Page 74: ...must be configured as the client s default gateway This is done by default if the wireless client is using DHCP 1 Start the client station s web browser and enter the IP address or domain name of a w...

Page 75: ...uthentication A local area network is connected to the CN3000 s LAN port to support wired customers There are two ways to deploy this scenario Topology 1 In this version the NOC is located on the Inte...

Page 76: ...nnect the Internet port to the broadband modem and then restart it 3 Start the management tool Configure the wireless network Wireless Neighborhood page 225 Open this page to see if there are other ac...

Page 77: ...ble the CN3000 RADIUS authentication option 2 Select the RADIUS profile you just defined 3 Specify the username and password the CN3000 will use to login to the RADIUS server 4 Click Force authenticat...

Page 78: ...Chapter 4 Scenarios Chapter 4 78 4 Next you are automatically redirected to the web site you originally requested...

Page 79: ...Define attributes on the RADIUS server On the RADIUS server add the following entries to the RADIUS profile for the CN3000 login page web_server_URL newpages login html transport page web_server_URL...

Page 80: ...rk supports a different type of customer 802 1x WPA or customers using a web browser to log in Configuration roadmap Configure the wireless profiles Wireless Wi Fi WLAN profiles page 218 219 Add the f...

Page 81: ...ting access to the Internet This scenario supports two types of customers Customers who login via an HTML session Traffic for these customers is routed through GRE tunnel 1 which is configured to hand...

Page 82: ...r details 2 Use the default settings for all other parameters Configure the Internet port Network Ports Internet port page 228 1 Select the addressing option supported by your ISP and click Configure...

Page 83: ...GRE box do the following Map Authenticated 802 1x user traffic to Tunnel 1 Map Unauthenticated user traffic to Tunnel 2 4 Disable Wireless protection 5 Click Save 6 Click Add New WLAN Profile 7 Speci...

Page 84: ...s How it works Each WISP provides their own NOC linked to the private broadband network The NOCs control customer logins to the public access network and granting access to the Internet The CN3000 is...

Page 85: ...etails 2 Use the default settings for all other parameters Configure the Internet port Network Ports Internet port page 228 1 Select the addressing option supported by your ISP and click Configure 2 D...

Page 86: ...enticated 802 1x user traffic to WISP1_8021x or WISP2_802 1x Map Unauthenticated user traffic to WISP1_HTML or WISP2_HTML WISP1_WPA and WISP2_WPA 1 Enable Wireless protection and select WPA 2 Set Key...

Page 87: ...duties In addition a web server is required to host the customized public access interface Customers can choose which WISP to use by selecting the appropriate SSID when they start their wireless clien...

Page 88: ...ISP and click Configure 2 Define all settings as required Enable the firewall Security Firewall page 253 Select the Preset firewall with Security level set to High Create a RADIUS profile Security RAD...

Page 89: ...remote NOC Name them IPSecVPN1 and IPSecVPN2 Configure them as follows In the Security policy box set Only permit outgoing traffic addressed to the IP address of the NOC subnet Configure WLAN profiles...

Page 90: ...3000 control the network resources guests can reach For example guests can use the Internet and specific servers or printers on the corporate Intranet CN300 RADIUS server VLAN 51 52 53 70 802 1Q trunk...

Page 91: ...es RADIUS account This enables employees to be assigned to VLAN 51 52 or 53 according to their needs Configuration roadmap Install the CN3000 1 Install the CN3000 as described in Chapter 3 2 Connect t...

Page 92: ...le HTML based user logins and assign them to RADIUS authentication 3 Select RADIUS Profile 1 4 Use the default settings for all other parameters Configure the shared secret Security Authentication Adv...

Page 93: ...DIUS attributes Tunnel type Set to VLAN Tunnel medium type Set to 802 Tunnel private group id Set to the VLAN number See VLAN support on page 171 for more information 3 In the CN3000 account add an ac...

Page 94: ...Chapter 4 Scenarios Chapter 4 94...

Page 95: ...Chapter 5 Activating the public access interface Chapter 5 Activating the public access interface This chapter explains how to configure and start the public access interface...

Page 96: ...public access interface will appear but customers will get an error when they try to log in This applies regardless of the method you are using to authenticate customers Until you define access lists...

Page 97: ...with any RADIUS server that supports RFC 2865 and RFC 2866 Authentication occurs via EAP MD5 CHAP MSCHAP v1 v2 or PAP Important To safeguard the integrity of the customer accounts it is important that...

Page 98: ...time out If no reply is received within this interval the CN3000 switches between the primary and secondary RADIUS servers if defined If a reply is received after the interval expires it is ignored T...

Page 99: ...ied to any previous RADIUS access request If the request times out the next request is sent to the other RADIUS server if defined For example assume that the primary RADIUS server was not reachable an...

Page 100: ...ist defining the network resources unauthenticated customers have access to URLs specifying the location of any customized Web pages and their support files a URL specifying the location of a custom s...

Page 101: ...the CN3000 it is strongly recommended that a large interval 12 hours or more be used You can override this value using the RADIUS Attribute Session timeout which enables the following effective strat...

Page 102: ...time limit for the customer s session Access list for the customer Address of the e mail server to use for redirection of the customer s e mail URLs specifying the location of customized Welcome and...

Page 103: ...d and these users will not be able to login If you enable both Local and RADIUS options the Local user list is checked first Local authentication User logins are authenticated with the list defined on...

Page 104: ...og onto a RADIUS server and retrieve certain operating settings which you must define Therefore you must create at least one RADIUS profile for use by the CN3000 If you have multiple CN3000s they can...

Page 105: ...onfigured as the client s default gateway This is done by default if the wireless client is using DHCP 1 Start the client station s web browser and enter the IP address or domain name of a web site on...

Page 106: ...Chapter 5 Activating the public access interface Chapter 5 106...

Page 107: ...Chapter 6 Customizing the public access interface Chapter 6 Customizing the public access interface This chapter provides an overview of the public access interface and explains how to customize it...

Page 108: ...d enabling you to manage multiple units effortlessly Common configuration tasks The following table lists some common configuration tasks and indicates where to find more information Task For instruct...

Page 109: ...109 Site map The public access interface is composed of seven pages and is structured as follows Note Customers using 802 1x WPA are automatically logged in and will not see the Login page The pages...

Page 110: ...s a single graphic element suitable for a logo or other identifying element and two fields username and password The default Login page is Note You can also create a remote login page that resides on...

Page 111: ...ref http CN3000_hostname port session asp Session page a Forcing a logout You can force a logout with this URL http CN3000_hostname port goform HtmlLogout For example http wireless colubris com 8080 g...

Page 112: ...n an external web server and is not downloaded to the CN3000 See Using a remote login page on page 121 for details Welcome page The Welcome page includes a link to the page that was originally request...

Page 113: ...Chapter 6 Customizing the public access interface Chapter 6 113 How it works The following diagram illustrates the sequence of events that occur when a customer attempts to browse an external web site...

Page 114: ...e the internal pages must be loaded onto the CN3000 the following restrictions apply to their construction You must specify a URL for all the internal pages even if you only want to change one page Th...

Page 115: ...s The following optional placeholders can be appended to the Colubris AVPair value strings for the internal pages These placeholders are not available in local mode Chapter 17 Internal page Colubris A...

Page 116: ...r the CN3000 login page web_server_URL newpages login html transport page web_server_URL newpages transport html session page web_server_URL newpages session html fail page web_server_URL newpages fai...

Page 117: ...ains a separate copy of the URLs for external pages for each customer This means it is possible to provide different pages on a per customer basis See Displaying custom welcome and goodbye pages on pa...

Page 118: ...URL requested by the customer i Returns the domain name assigned to the CN3000 s Internet port p Returns the IP port number on the CN3000 where customer login information should be posted for authent...

Page 119: ...remium goodbye html 5 Add the following entry to the RADIUS profile for the CN3000 This gives all unauthenticated users access to the web server hosting the goodbye page access list loginserver ACCEPT...

Page 120: ...ill not be able to log out The solution To solve the problem modify the Welcome page to include a logout button You can do this as follows 1 Create a folder called PDAcustomers on your web sever 2 Cop...

Page 121: ...with the NOC authentication feature to enable a remote web server to manage customer logins For details see Chapter 8 NOC authentication Activating a remote login page The remote login page is activat...

Page 122: ...mode o Returns the original URL requested by the customer i Returns the domain name assigned to the CN3000 s Internet port p Returns the port number on the CN3000 where customer login information sho...

Page 123: ...know CA to ensure that customer logins are secure Without SSL security logins are exposed and may be compromised enabling fraudulent use of the network CN3000 RADIUS server Customer Web server hostin...

Page 124: ...newlogin transport html session page web_server_URL newlogin session html fail page web_server_URL newlogin fail html logo web server URL newlogin logo gif access list loginserver ACCEPT tcp web_serv...

Page 125: ...Type will be set to 8744 decimal Called Station ID value By default this will be the MAC address of the wireless port the customer is associated with This is the MAC address of the wvlan0 interface i...

Page 126: ...er side code can be used to determine the access point they are associated with by inspecting the Called Station ID Then using customer s account information access can either be granted or denied Sec...

Page 127: ...ion aware feature is automatically activated Otherwise to activate location aware authentication do the following 1 Open the Security Authentication Advanced Settings page 2 Enable the Location aware...

Page 128: ...pot you must define the IPass authentication server on the Security RADIUS page You can use either Profile 1 or Profile 2 to do this You will also need to define the IPass login url See IPass login ur...

Page 129: ...when an authentication request fails The RADIUS server must be configured to support this feature The information contained in the returned string depends on the configuration of the RADIUS server Ge...

Page 130: ...the Fail page URL if a login or logout request is currently pending Returns the Transport page URL if the customer is already logged in This function is designed to be used in conjunction with IsReque...

Page 131: ...l amount of connection time configured for the current customer session in hours minutes and seconds in the format hh mm ss ConvertMaxSessionTime unit Returns the total amount of connection time confi...

Page 132: ...unit Returns session duration for the current customer in the specified unit See ConvertMaxSession time for details TruncateSessionTime unit Returns session duration for the current customer truncate...

Page 133: ...nt by the current customer session If you specify a value for the optional parameter div then the return value is the number of octets divided by div Session quotas These functions let you retrieve th...

Page 134: ...or the optional parameter div then the return value is the number of octets divided by div GetMaxSessionOutputPackets Returns the maximum number of outgoing packets the current customer session can se...

Page 135: ...port If a customer logs into the CN3000 this function returns the MAC address of the CN3000 s LAN port iPassGetLoginResponseCode Returns one of the following values when a customer attempts to login t...

Page 136: ...ged in err msg already logged in The username you specified is already logged in The customer s password is longer that the limit of 127 characters err msg password too long The password you specified...

Page 137: ...entication software is down stat nas is rebooting The network service is currently unavailable The customer has already logged out stat logged out Already logged out Pending login in request stat logg...

Page 138: ...s WISPAccessGatewayParam Redirect MessageType 100 MessageType ResponseCode iPassGetRedirectResponseCode ResponseCode AccessProcedure iPassGetAccessProcedure AccessProcedure LocationName iPassGetLocati...

Page 139: ...c logo gif alt width 219 height 51 border 0 td tr tr td align center span class labels id title GetAuthenticationErrorMessage GetRadiusReplyMessage GetMsChapV2Failed span td tr table br table border 0...

Page 140: ...rl title Transport title script type text javascript CDATA function opensessionwin whichone Define the size of your remote window in pixels with width and height remote window open sessionwin width 24...

Page 141: ...eft Max font td td font face verdana size 1 b GetSessionTime nbsp nbsp GetSessionRemainingTime nbsp nbsp GetMaxSessionTime b font td tr tr td align right font face verdana size 1 Idle time Cur Left Ma...

Page 142: ...cessGatewayParam LogoffReply MessageType 130 MessageType ResponseCode iPassGetLogoutResponseCode ResponseCode LogoffReply WISPAccessGatewayParam head meta http equiv content type content text html cha...

Page 143: ...and customer settings Chapter 7 Customizing CN3000 and customer settings This chapter presents a summary of the configuration settings you can define to customize the operation of your public access n...

Page 144: ...at you intend to install See page 149 for details Create a RADIUS profile for the CN3000 Before it can activate the public access interface the CN3000 must log into a RADIUS server and retrieve certai...

Page 145: ...Response MSCHAPv2 Response EAP Message State NAS Identifier NAS Ip Address Framed MTU Connect Info Service Type Message Authenticator Access Accept MS MPPE Recv Key MS MPPE Send Key EAP Message Class...

Page 146: ...type number 0 Attribute type string Colubris Intercept SMI network management private enterprise code 8744 Vendor specific attribute type number 1 Attribute type integer Attribute value summary The fo...

Page 147: ...ts value max output octets value tunnel type VLAN tunnel medium type 802 tunnel private group id value group value ssid value nat port range startport endport RADIUS limitations The maximum number of...

Page 148: ...st was specified 9 NAS Error Not Supported not applicable 10 NAS Request Not Supported not applicable 11 NAS Reboot Supported Customer was logged out because the CN3000 was restarted 12 Port Unneeded...

Page 149: ...ess This is the IP address assigned to the CN3000 s Internet port If the CN3000 is using a PPTP connection to communicate with the RADIUS server then this is the address assigned to the CN3000 by the...

Page 150: ...d Station Id string By default this is set to the MAC address of the CN3000 s wireless LAN port in IEEE format For example 00 02 03 5E 32 1A To use the MAC address of the Internet port you must edit t...

Page 151: ...on the Security Authentication page Class string As defined in RFC 2865 Multiple instances are supported EAP Message string Only supported when authentication is EAP MD5 Note that the content will no...

Page 152: ...URLs and supporting files Enables you to customize the public access interface See Chapter 6 for details Access list Enables you to create one or more access groups which define the set of network res...

Page 153: ...e connected to the CN3000 s Internet port How access lists work Each customer and each access point can be associated with its own access list Incoming traffic cascades through the currently active li...

Page 154: ...er s browser to verify that the certificate is valid without displaying any warning messages Customers may have configured their web browsers to check all SSL certificates against the Certificate Revo...

Page 155: ...stname OPTIONAL action protocol address port account interval use access list uselistname Where Parameter Description listname Specify a name up to 32 characters long to identify the access list this...

Page 156: ...eyword none if the protocol does not take an address range ICMP for example port Specify a specific port to check or a port range as follows none Used with ICMP since it has no ports all Check all por...

Page 157: ...nts The RADIUS profile for the faculty contains use access list faculty This definition creates three access lists everyone students and faculty Everyone This list applies to all users students teache...

Page 158: ...ulty This list applies to authenticated faculty members only It is composed of the following entries access list faculty ACCEPT tcp 192 168 50 1 80 faculty_reg 500 Enables web traffic to the registrat...

Page 159: ...y using the following placeholder you can customize the URL for each CN3000 This is useful when you need to update multiple units Example configuration file http www colubris com s_configfile Placehol...

Page 160: ...ng mac address address username password Where Example Consider the scenario where several CN300 CN320s are installed with a CN3000 If the CN300 CN320s are going to perform firmware upgrades from a re...

Page 161: ...AVPair value string default user acct interim update value Where Parameter Description seconds Specify the maximum amount of time a customer session can be connected Once this time expires the session...

Page 162: ...ustomer session is terminated based on a quota a new non standard termination cause is used The value for this termination cause is 0x8744 You can customize this by modifying the value of radius quota...

Page 163: ...is attribute let you define the location of the IPass login page The CN3000 will automatically redirect customers with IPass client software to this page Colubris AVPair value string ipass login url U...

Page 164: ...IEEE format For example 00 02 03 5E 32 1A To use the MAC address of the Internet port you must edit the config file and change the setting of radius called station id port to WAN in the ACCESS CONTROL...

Page 165: ...transmission Session Timeout 32 bit unsigned integer Maximum time a session can be active The CN3000 re authenticates itself when this timer expires Omitting this attribute or specifying 0 will disabl...

Page 166: ...CN3000 is using to communicate with the RADIUS server NAS Port 32 bit unsigned integer A virtual port number starting at 1 Assigned by the CN3000 NAS Port Type 32 bit unsigned integer Always set to 19...

Page 167: ...66 for possible values Only present when Acct Status Type is Stop Accounting response None Colubris AVPair attribute For each customer profile you can specify one or more instances of a Colubris AVPai...

Page 168: ...e range 5000 to 10000 Colubris AVPair value string nat port range startport endport Where SSID Note This feature only applies when location aware authentication is being used Security Authentication A...

Page 169: ...nd set it to the GRE tunnel you just defined One to one NAT Add this attribute if the customer requires a unique IP address when NAT is enabled on the CN3000 For more information see One to one NAT on...

Page 170: ...irecting it to an SMTP server that you configure Important For mail redirection to work the customer s email server name must be publicly known If the e mail server name cannot be resolved mail redire...

Page 171: ...umbers on a per customer basis Note The CN3000 does not directly support VLANs VLAN support is available when using CN300 CN320s as satellite stations only And only for customers using 802 1x WPA RADI...

Page 172: ...a security hole Supported RADIUS attributes Admin Access Request User Name string The name assigned to the administrator NAS Identifier string The NAS ID set on the Security RADIUS page for the profil...

Page 173: ...Chapter 8 NOC authentication Chapter 8 NOC authentication This chapter explains how to use a remote login page and NOC authentication...

Page 174: ...ogin to the public access interface without exposing their web browsers to the SSL certificate on the CN3000 This eliminates warning messages caused by having an SSL certificate on the CN3000 that is...

Page 175: ...the CN3000 for authentication NOC CA certificate ssl noc ca certificate URL_of_the_certificate Certificate of the certificate authority CA that issued the NOC certificate Custom SSL certificate ssl ce...

Page 176: ...b the customer is using to communicate with the access point G When the location aware feature is enabled returns the group name of the wireless access point the customer is associated with C When the...

Page 177: ...ng diagram shows the sequence of events for a typical customer session when using the NOC based authentication feature CN3000 RADIUS server Customer Non authenticated customer attempts to browse an ex...

Page 178: ...SSL certificate When the login application presents its SSL certificate the CN3000 retrieves ssl noc certificate and checks to make sure that they match For further authentication a second attribute s...

Page 179: ...all a certificate on CN3000 Note This step is optional but recommended Install an SSL certificate on the CN3000 to replace its default SSL certificate This certificate will be used to secure communica...

Page 180: ...192 168 4 2 8090 Parameter Description CN3000_ip Defines the IP address of the CN3000 or you could use a domain name if you have defined one using the hosts file on the web server By default the secu...

Page 181: ...r Host a p The CN3000 sends the username and password to the RADIUS server to authenticate the customer If authentication is successful the customer s IP address is used to grant wireless network acce...

Page 182: ...Colubris Internal folder on the CD and place them in the newlogin folder login html transport html session html fail html logo gif 3 Customize login html to accept username and password information fr...

Page 183: ...e CN3000 define the following login url URL_of_page_on_remote_server access list loginserver ACCEPT tcp web_server_IP_address 443 ssl noc certificate URL_of_the_certificate ssl noc ca certificate URL_...

Page 184: ...ther other application that is using the same SSL certificate The CN3000 returns a positive or negative answer for the customer logout as standard HTML The login application must parse this informatio...

Page 185: ...Chapter 9 SNMP interface Chapter 9 SNMP interface This chapter provides an overview of the SNMP interface and the MIBs supported by the CN3000...

Page 186: ...he main menu click Management then click SNMP The SNMP configuration page opens 2 Enable the options that you require The options are described in the sections that follow 3 Click Save Attributes Syst...

Page 187: ...II traps coldStart linkUp linkDown authenticationFailure In addition the CN3000 supports a number of Colubris specific traps as described in the Colubris Enterprise MIB The Colubris Enterprise MIB is...

Page 188: ...MPV2C protocol MIB II support details The CN3000 provides complete read support of MIB II objects 1 10 The following table lists all MIB II objects defined as read write and indicates the objects that...

Page 189: ...ToMediaIfIndex N ipNetToMediaNetAddress N ipNetToMediaType Can be other 1 invalid 2 dynamic 3 or static 4 N Tcp tcpConnState Can be closed 1 listen 2 synSent 3 synReceived 4 established 5 finWait1 6 f...

Page 190: ...OLUBRIS AAA CLIENT MIB my COLUBRIS CDP MIB my COLUBRIS IEEE802DOT11 my This MIB is based on the IEEE Std 802 11b D8 0 September 2001 Annex D MIB COLUBRIS MAINTENANCE MIB my COLUBRIS PRODUCTS MIB my CO...

Page 191: ...Chapter 10 SSL certificates Chapter 10 SSL certificates Thischapter explains how to create andinstallSSL certificates tosecure communications with the CN3000...

Page 192: ...tion needed to establish the SSL connection to the web browser The certificate is signed using the private key of a certificate authority CA This is usually a well known commercial entity 3 The web br...

Page 193: ...ny request that matches the certificate host name by returning the IP address assigned to the wireless port All other DNS requests are forwarded to the appropriate DNS servers as configured on the Net...

Page 194: ...y a company you have not chosen to trust This indicates that your browser has no knowledge of the certificate and treats it as if it cannot be trusted The warning is caused by not having a CA certific...

Page 195: ...Chapter 10 SSL certificates Chapter 10 195 Note Once you comply with all three criteria client stations will no longer get a certificate warning in their browser...

Page 196: ...e on page 197 2 Prepare the certificate chain For instructions see Preparing the certificate chain on page 205 3 Convert the certificate For instructions see Converting a certificate to PKCS 12 format...

Page 197: ...ws 1 Download the Backend sample archive from www colubris com support download CN3000 or retrieve it from the CD 2 Download openssl 0 9 7c win32 bin zip from http curl haxx se download html OpenSSL L...

Page 198: ...1b 0b c8 a8 48 09 db 6f 01 c2 45 41 d0 a4 eb b0 11 78 3d 55 ea 49 26 e1 dc 9a 02 79 ae fc 2c 4a 8a d7 d7 eb 50 49 ec 08 d3 7b fe 66 52 fd 74 0a 9d f4 e1 79 95 3a 7f 46 d6 79 ea 04 7c 63 1b 36 9c c2 28...

Page 199: ...random state done Generating a 1024 bit RSA private key writing new private key to CA private CAkey pem Enter PEM pass phrase CA_key_password Verifying password Enter PEM pass phrase CA_key_password...

Page 200: ...EA EkyYje3aQl U1IMUsSuKKKSQMI8JIkf1PI3iro32TukUDIkm9gqS3Fqb HfnlDPb hpOYGzQ3PV4Gnk3ZUE9XtT YBq0nJqhctzbgEK6is1rtkFqQhQ UjgFVfeVpsWAZ nGg7TBxLtwu1R52lktZF3 Rq25avWBOIwsL5ZjsyHbw END CERTIFICATE At this...

Page 201: ...3b ca bd e0 ae eb ad af 44 bf 20 a2 f8 30 cc 14 f1 0a 0e 3b b5 32 a3 c9 2a 14 05 25 BEGIN CERTIFICATE REQUEST MIIB2zCCAUQCAQAwgZoxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIEwZRdWViZWMxDjAM BgNVBAcTBUxhdmFsMRUwEwYD...

Page 202: ...domain_name C certificates newselfcert www company com You will now be prompted for a password that will protect the new private key Loading screen into random state done 0 semi random bytes loaded G...

Page 203: ...AgTBlF1ZWJlYzEOMAwGA1UEBxMFTGF2YWwxFTATBgNVBAoTDENvbXBhbnkg SW5jLjETMBEGA1UECxMKRGVwYXJ0bWVudDEYMBYGA1UEAxMPd3d3LmNvbXBhbnku Y29tMSQwIgYJKoZIhvcNAQkBFhV3ZWJtYXN0ZXJAY29tcGFueS5jb20wgZ8wDQYJ KoZIhvcNAQ...

Page 204: ...bWVudDEoMCYGA1UEAxMfVGVzdC1Pbmx5 IENlcnRpZmljYXRlIEF1dGhvcml0eTEdMBsGCSqGSIb3DQEJARYOY2FAY29tcGFu eS5jb20wHhcNMDIwMjI4MTYzMTE3WhcNMDMwMjI4MTYzMTE3WjCBmjELMAkGA1UE BhMCQ0ExDzANBgNVBAgTBlF1ZWJlYzEOMAwGA...

Page 205: ...in To resolve this problem all the public key certificates must be appended to the certificate www company com pem file for example in base64 format For example if the CN3000 certificate has been sign...

Page 206: ...r and have the same name with a different extension You will be prompted for two passwords PEM pass phrase Password used to protect the private key Export password Password that will lock the PKCS 12...

Page 207: ...restored It must contain the entire certificate chain if signed by an intermediate certificate authority It must not have a _ in its name The name in the certificate is automatically assigned as the...

Page 208: ...p of well known certificate authorities included with most browsers This means customers will get a security warning when establishing the SSL connection with the Login page To eliminate this warning...

Page 209: ...Chapter 10 SSL certificates Chapter 10 209 4 Click Import The Certificate Import Wizard starts Click Next 5 Click Browse...

Page 210: ...Chapter 10 SSL certificates Chapter 10 210 6 Specify pem in the File name box and press the Enter key then select CAcert pem and click Open 7 Click Next 8 Click Next...

Page 211: ...Chapter 10 SSL certificates Chapter 10 211...

Page 212: ...t menu click Preferences 2 Click Privacy Security 3 Click Certificates 4 Click Manage Certificates 5 Click Authorities 6 Click Import 7 Select your Public Key certificate If you are using the examples...

Page 213: ...ers Chapter 11 Configuration parameters Thischapterprovidesanoverviewoftheconfigurationoptionsprovided bythemanagementtoolformostoftheimportantfeaturesontheCN3000 Forinformationonfeaturesnotcoveredint...

Page 214: ...nt stations that can be connected to the CN3000 at the same time across all WLAN profiles is 255 Important Important Only 100 customers can be logged into the public access interface at one time Custo...

Page 215: ...ld Use this parameter to control collisions on the link that can reduce throughput If the Status Wireless page shows increasing values for Tx multiple retry frames or Tx single retry frames you should...

Page 216: ...nded that the preshared key be at least 20 characters long and be a mix of letters and numbers RADIUS profile 802 1x This option enables support for users with 802 1x client software The CN3000 suppor...

Page 217: ...refully chosen HEX keys You can include ASCII characters between 32 and 126 inclusive in the key However note that not all client stations support non alphanumeric characters such as spaces punctuatio...

Page 218: ...that enables them to automatically discover access points that broadcast their names and automatically connect to the one with the strongest signal If this option is disabled client stations will hav...

Page 219: ...urity Authentication Advanced settings Access controller mode is set to Centralized you will see Access point WLAN name SSID Specify a name to uniquely identify your wireless network Each client compu...

Page 220: ...lic access interface Login page will not be displayed and these users will not be able to login If you enable both Local and RADIUS options the Local user list is checked first Local authentication Us...

Page 221: ...or 40 bit encryption specify 5 ASCII characters or 10 HEX digits For 128 bit encryption specify 13 ASCII characters or 26 HEX digits When encryption is enabled wireless stations that do not support en...

Page 222: ...Security Authentication Advanced settings Access controller mode is set to Internal All user traffic Routes all user traffic through the specified GRE tunnel Intercepted user traffic Routes all inter...

Page 223: ...e Wireless link configuration This table shows the status of the wireless links to remote access points To configure a link click the link name Status Indicates if the link is enabled or disabled Name...

Page 224: ...d link which is enabled Link name Identifies the link Speed Sets the speed the link will operate at For load balancing you may want to limit the speed of a link when connecting to multiple destination...

Page 225: ...oes not appear in the list it is displayed in the Unauthorized access points list List of authorized access points Specify the URL of the file that contains a list of all authorized access points The...

Page 226: ...s Indicates if the unit is functioning correctly Channel Channel the access point is operating on Signal Signal strength Noise Amount of noise SNR Signal to noise ratio Info Additional information abo...

Page 227: ...t port speed based on the type of equipment it is connected to 100 Forces the port to operate at 100 mbps 10 Forces the port to operate at 10 mbps Duplex Auto Lets the CN3000 automatically set duplex...

Page 228: ...tomatically assign an address to the CN3000 which functions as a DHCP client Static This option enables you to manually assign an IP address to the CN3000 s Internet port Link settings The title bar s...

Page 229: ...se a port that is outside of the allocated port range Important If you enable this feature you should not assign static NAT mappings in the range 5000 to 10000 PPPoE client Settings Username Specify t...

Page 230: ...age indicates why IP address Identifies the IP address assigned to the CN3000 by the ISP Mask Identifies the subnet mask that corresponds to the assigned IP address Primary DNS address Identifies the...

Page 231: ...o the CN3000 by the ISP Mask Identifies the subnet mask that corresponds to the assigned IP address Primary DNS address Identifies the IP address of the main DNS server the CN3000 will use to resolve...

Page 232: ...ddress mask Select the appropriate mask for the IP address you specified Alternate IP addresses The CN3000 allows you to assign multiple IP addresses to the Internet port Each address must be valid on...

Page 233: ...ect the CN3000 to a wired LAN the CN3000 will also assign addresses to computers on the wired LAN as well However for this to function properly no other DHCP server must be operating on the wired LAN...

Page 234: ...ned on the DNS WINS page its address is provided to DHCP clients as well Start End Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client...

Page 235: ...3000 should forward DHCP requests to Secondary DHCP server address Specify the IP address of the secondary DHCP server the CN3000 should forward DHCP requests to Note DHCP relay is not supported via P...

Page 236: ...affic rate is over limit for just a short burst the data will be queued and forwarded without loss If the traffic rate is over limit for a sustained period the CN3000 will drop data to bring the rate...

Page 237: ...es the number of bits in the destination address that is checked for a match Gateway Indicates the IP address of the gateway the CN3000 will forward routed traffic to The gateway address must be on th...

Page 238: ...ciated with is closed and opened When the routes are active they will also appear in the Active routes table About PPTP client routes Internet port If you disabled the Auto route discovery option Secu...

Page 239: ...if static addressing is in use This setting does not override DNS servers assigned when the PPTP client option is enabled Server 1 Specify the IP address of the first DNS server that the CN3000 will...

Page 240: ...E settings Note If you enable one or more GRE tunnels you must make sure to restart the CN3000 any time you make a change to any parameter on any page in the management tool Name Tunnel name Local tun...

Page 241: ...sure to restart the CN3000 any time you make a change to any parameter on any page in the management tool Name Tunnel name Local tunnel IP address Specify the IP address of the CN3000 inside the tunn...

Page 242: ...on the CN3000 Static NAT mappings apply to the Internet port only and do not apply to VPN connections Server IP address Indicates the IP address of the device that traffic will be forwarded to Servic...

Page 243: ...your convenience several popular services have been predefined Custom service Use this option to forward a service that is not defined in the Standard services list Port Specify the port number the se...

Page 244: ...in one of two modes on each of the CN3000 s ports Note RIP is not supported if you are using PPPoE on the Internet port Passive mode The CN3000 listens for routing broadcasts to update the routing tab...

Page 245: ...als To avoid potential service interruptions that may occur when new operating information is activated by the CN3000 it is strongly recommended that a large interval 12 hours or more be used You can...

Page 246: ...on the public access interface Login page will not be displayed and these users will not be able to login If you enable both Local and RADIUS options the Local user list is checked first Local authent...

Page 247: ...nfigured with the address 10 10 4 99 it will still be able to connect to the CN3000 without changing its address or settings for DNS server and default gateway This feature is enabled by default Allow...

Page 248: ...re it is disconnected The initial query is always done after the client station has been idle for 60 seconds If there is no answer to this query the settings for Interval and Retries are used to contr...

Page 249: ...remote login page feature The remote login page feature enables customers to be redirected to a remote web server to login instead of using the internal login page on the CN3000 To validate customer l...

Page 250: ...he CN3000 For backup redundancy each profile supports a primary and secondary server The CN3000 will function with any RADIUS server that supports RFC 2865 and RFC 2866 Authentication occurs via EAP M...

Page 251: ...the CN3000 switches between the primary and secondary RADIUS servers if defined If a reply is received after the interval expires it is ignored This parameter applies to access and accounting requests...

Page 252: ...o any previous RADIUS access request If the request times out the next request is sent to the other RADIUS server if defined For example assume that the primary RADIUS server was not reachable and tha...

Page 253: ...Chapter 11 Configuration parameters Chapter 11 253 Firewall Preset Open the Network Firewall page Choose a preset setting and click View to see the rules that apply when it is active...

Page 254: ...ch portion of the address is used for matching Destination Specify the destination address of the traffic to apply the rule to The destination address is the IP address of the intended receiver Destin...

Page 255: ...ates New or Established A connection changes from the New to Established state after a reply packet passes through the firewall Although stateful matching options must be enabled on rule by rule basis...

Page 256: ...restarts Auto route discovery Enable this option if you want the CN3000 to automatically discover and add routes to IP addresses on the other side of the PPTP tunnel The addresses must be part of the...

Page 257: ...e NAT it effectively hides the addresses of all local computers so that they are not visible on the other side of the PPTP connection If you disable NAT then the appropriate IP routes must be added to...

Page 258: ...h the CN3000 Depending on its settings a policy may allow one or more peers to establish an SA with the CN3000 Each time an SA is established a new entry is added to the IPSec security associations ta...

Page 259: ...led by setting a number of different IKE options To simplify the configuration of IPSec the CN3000 presets some of these options while others are automatically defined based on the needs of the peer T...

Page 260: ...ection as main mode does It is helpful when setting up a LAN to LAN tunnel when the Internet IP address is dynamic The remote gateway can then use the group name to know which LAN to LAN tunnel to act...

Page 261: ...24 hours as required by the peer Peer Accept any peer only available in tunnel mode Enable this option to permit the policy to accept an IPSec security association from any peer When this option is e...

Page 262: ...ings enable you to filter incoming traffic so that only traffic addressed to a specific network or network device is permitted from the peer Note that the setting you make for this parameter must matc...

Page 263: ...pports MD5 and SHA 1 Phase 2 encryption algorithm 3DES Oakley group or Diffie Hellman Accepts the group proposed by the peer Supports groups 2 and 5 ID type and ID If you enable Preshared key for Auth...

Page 264: ...te the certificates supplied by peers during the authentication process Multiple CA certificates can be installed to support validation of peers with certificates issued by different CAs Certificate f...

Page 265: ...ificate password Install Click this button to install the certificate IPSec Manage local certificate Use this box to manage the local certificate Certificate This box displays the common name of the i...

Page 266: ...vate key The password is used to access the private key not have a name that is an IP address The name should be a domain name containing at least one dot If you try to add a certificate with an inval...

Page 267: ...arameters Chapter 11 267 SSL View Web Server Certificate The Certificate field shows the contents of the CN field in the certificate This is the domain name of the certificate Click View to see the co...

Page 268: ...US server Add new user Fill in the name password and confirm password fields then specify an idle timeout in seconds If the user s session remains idle for this length of time they are automatically l...

Page 269: ...s active To enable local mode disable the CN3000 RADIUS authentication option on the Security Authentication page Local mode lets you run the CN3000 without setting up a RADIUS server to handle authen...

Page 270: ...et of rules that governs how the CN3000 controls access to network resources You can create multiple access lists each with multiple rules to manage the traffic on your public access network Syntax ac...

Page 271: ...CCEPT Allow traffic matching this rule DENY Reject traffic matching this rule protocol Specify the protocol to check tcp udp icmp all address Specify one of the following IP address or domain name up...

Page 272: ...authentication The CN3000 can authenticate devices based on their MAC address This is useful for authenticating devices that do not have a web browser cash registers for example It can also be used to...

Page 273: ...ed to log in to the public access network By using MAC based authentication this can easily be accomplished Default user idle timeout Use this to set the default idle timeout for all customers whose R...

Page 274: ...ax input octets value Parameter Description seconds Specify the maximum amount of time a customer session can be connected Once this time expires the session is automatically terminated A value of 0 m...

Page 275: ...unsigned integer value For octets 64 bit unsigned integer value Parameter Description seconds Specify the maximum amount of time a customer session can be idle Once this time expires the session is a...

Page 276: ...ernal pages are resident on the CN3000 You have the option of using the default pages supplied with the CN3000 or replacing them with customized pages of your own design Login login page URL_of_page p...

Page 277: ...me url URL_of_page placeholder The customer is authenticated so the welcome page can be located on any URL reachable by the customer Login error login err url URL_of_page placeholder Access to the web...

Page 278: ...ure n Returns the NAS ID assigned to the CN3000 By default this is the unit s serial number Not supported in local mode s Returns the RADIUS login name assigned to the CN3000 By default this is the un...

Page 279: ...tomer login information does indeed come from a trusted application For example from a login application on the web server ssl noc certificate URL_of_the_Certificate Certificate issued to the applicat...

Page 280: ...DIUS profile on the Security RADIUS page Username Login name for the administrator The default login name is admin Current password Current administrator password New passwords must be at least six ch...

Page 281: ...t tool HTTP connections made to this port are met with a warning and the browser is redirected to the secure web server port By default this parameter is set to port 80 Security Allowed addresses Lets...

Page 282: ...act information for the CN3000 Community name This is the password that controls access to the SNMP information A network management program must supply this password when attempting to set or get SNM...

Page 283: ...on the Colubris Networks web site Community name Specify the password required by the remote host that will receive the trap Host Specify the IP address or domain name of the host that the CN3000 will...

Page 284: ...e time zone setting the new value does not take effect until you restart the CN3000 Set date and time manually Use this option to manually set the system date and time Set date and time time server Ch...

Page 285: ...ice ID Serial number of the satellite Click this number to view more information on the satellite Wireless MAC address MAC address assigned to the satellite s wireless interface Device MAC address MAC...

Page 286: ...e Management Country page Country Set the country that the CN3000 is operating in This enables the CN3000 to properly customize the list of operating frequencies that you can choose from Only frequenc...

Page 287: ...Chapter 12 Building a cross over cable Chapter 12 Building a cross over cable This chapter explains how to build a cross over cable...

Page 288: ...formation in the following diagrams to build a cross over cable Construction details for a standard category 5 cable Wiring diagram for a standard cable Wiring diagram for a cross over cable Note Some...

Page 289: ...Chapter 13 The configuration file Chapter 13 The configuration file This chapter provides an overview of the configuration file and explains how to edit it...

Page 290: ...onfig file management page on the Maintenance menu to download upload the configuration file HTTPS The configuration file can be downloaded and uploaded via HTTPS Using a tool like cURL makes this eas...

Page 291: ...b section contains parameters Sub sections start with SUB SECTION_NAME and end with another block section or sub section name Sub section names are not case sensitive Parameter A parameter takes the f...

Page 292: ...Chapter 13 The configuration file Chapter 13 292...

Page 293: ...p instructions for installing and configuring the necessary backend software to support a public access hotspot You can use this setup as a platform to experiment with the CN3000 feature set IMPORTANT...

Page 294: ...IDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION EVEN IF COLUBRIS NETWORKS INC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE COLUBRIS NETWORKS INC SP...

Page 295: ...mote login page and a RADIUS server Server 2 is used to simulate an external web server Or you can use this setup Both are functionally identical See Wiring details on page 288 for information on how...

Page 296: ...QL database Colubris Backend archive which contains configuration files for RADIUS and MySQL as well as new pages for public access interface Server 2 Server 2 is can be used to test the setup once it...

Page 297: ...and SSL support PHP v4 3 2 http www php net downloads php Filename is php 4 3 2 Win32 zip phpMyAdmin v 2 5 2 pl1 http sourceforge net projects phpmyadmin Filename is phpMyAdmin 2 5 2 pl1 php zip If th...

Page 298: ...in php and replace all instances of the address 192 168 2 99 with the IP address or domain name of Server 1 Edit c colubris web demo php noc noc php and replace all instances of the address 192 168 2...

Page 299: ...is complete open a Windows command line session 3 Run c opensa apache apache exe This starts the web server 4 Launch your web browser and point it to http localhost The following page should open 5 C...

Page 300: ...ned by a certificate authority known to your web browser Later in this example instructions are provided for eliminating this message 9 Click Yes The OpenSA test page will open again This time in an H...

Page 301: ...lled in c mysql Configure the OBDC data source The OBDC database acts as the repository for all the parameters for each user account The Steel Belted Radius server retrieves account information from t...

Page 302: ...Chapter 14 Sample setup Backend software Chapter 14 302 3 Click the System DSN tab 4 Click Add 5 Select MySQL ODBC 3 51 Driver then click Finish...

Page 303: ...phpMyAdmin 2 5 2 pl1 php zip into the directory c OpenSA Apache htdocs 2 Rename OpenSA Apache htdocs phpMyAdmin 2 5 2 pl1 to phpMyAdmin Setting the path To adjust the path do the following 1 Right cl...

Page 304: ...tabase A batch file is provided that will automatically create the database entries needed for this example This saves you the trouble of making these entries manually 1 Start a windows command line s...

Page 305: ...ius server It was automatically started after installation 3 Copy the following files from c colubris radius to c radius service Sqlacct acc Sqlacct2 acc Sqlauth aut If you are prompted to replace the...

Page 306: ...services and then reboot These services will continue to interfere with the Steel Belted Radius server until you reboot Define a RAS client for the CN3000 Any device that uses the services of a RADIUS...

Page 307: ...4 Click OK 5 Specify the address of the CN3000 s Internet port For this example specify 192 168 2 1 6 Set Make model to Colubris Wireless LAN Routers 7 Click Edit authentication shared secret 8 Specif...

Page 308: ...ot password hotspot DEMO USERS Profile used by customers of the public access network login name user password user DEMO ADMIN Profile used by administrators who want to login to the management tool o...

Page 309: ...Click Disconnect 4 Open a command line session and execute the command net stop Steel Belted Radius net start Steel Belted Radius 5 Return to the Steel Belted Radius Configurator window 6 Click Connec...

Page 310: ...ey Replace certificate with the name of the certificate file If you are using the sample provided the PEM pass phrase is www company com For example C colubris certificates decryptkey www company com...

Page 311: ...Stop the web server with the command apache k stop 5 Restart the web server in SSL mode with the command apache exe D SSL 6 Close all active web browsers 7 Open a new browser window and point it to ht...

Page 312: ...Chapter 14 Sample setup Backend software Chapter 14 312 8 Click View Certificate You should see the details of the certificate you just installed For example...

Page 313: ...L This starts Apache in secure mode Assign a static address Perform the following steps using the CN3000 Management tool 1 On the Network menu click Ports 2 Click Internet port in the table 3 Select S...

Page 314: ...settings on page 143 1 On the Security menu click RADIUS 2 Click Add New Profile The RADIUS settings page opens 3 Configure the following parameters Primary server address Specify the address of Serv...

Page 315: ...erly configured on the CN3000 and Steel Belted Radius If the number of Rejects is incriminated instead there may be a problem with a badly set username and or password Check the log file in c radius s...

Page 316: ...N3000 with your own to eliminate the warning message clients see when they try to login to the public access interface Refer to Chapter 10 SSL certificates for complete discussion of certificates and...

Page 317: ...d to test if the customer is successfully redirected to the originally requested page 1 Install Windows 2000 Professional Server or Advanced Server and then install Service Pack 3 2 Make sure that IIS...

Page 318: ...r 2 2 The CN3000 should intercept the URL and redirect the browser to the login page You should see the modified login page shown below Depending on the type of certificate you installed on the CN3000...

Page 319: ...Chapter 14 Sample setup Backend software Chapter 14 319 5 Click the link You will be redirected to the web server on Server 2...

Page 320: ...his feature enables the CN3000 to redirect customers to a remote URL to login instead of using the internal login page For more information see Using a remote login page on page 121 Enable the remote...

Page 321: ...ave 9 Open the CN3000 s management tool and go to the Security Authentication page 10 Click Force Authenticate 11 Wait about 1 minute before continuing to let the CN3000 download the change Test the r...

Page 322: ...etup Backend software Chapter 14 322 remote secure web page 3 To login specify user as both the username and password The Welcome page should open 4 Click the link You should be redirected to the web...

Page 323: ...feature allows you to validate customer logins using a remote server instead of using the CN3000 See Chapter 8 NOC authentication for a complete description of this feature and its benefits Enable NOC...

Page 324: ...Wait about 1 minute for the CN3000 to download the changes Test NOC authentication 1 Start the client station s web browser and enter the IP address or domain name of Server 2 2 The CN3000 should inte...

Page 325: ...14 Sample setup Backend software Chapter 14 325 3 To login specify user as both the username and password The Welcome page should open 4 Click the link You should be redirected to the web server on S...

Page 326: ...f you installed OpenSA in a different location than c edit the scripts and change the value of the APACHEDIR variable to your installation directory Mysql mysql start cmd mysql stop cmd mysql restart...

Page 327: ...left and then click the Browse tab By clicking Edit you can modify the information for an existing user You can add a new user by clicking Insert new row and fill in all the parameters or Edit an exis...

Page 328: ...Chapter 14 Sample setup Backend software Chapter 14 328 u_user_id since this is a primary key for the user table Duplicates are not allowed for this field...

Page 329: ...is 0 the CN3000 is not properly connected to the server either directly or through other networking devices If the number of Silent Discards is non zero it means the CN3000 and the server have a diff...

Page 330: ...g wrong with the configuration of the DNS for the entry related to the CN3000 After logout the goodbye page cannot be displayed Check that the IP address and port number for the web server hosting the...

Page 331: ...Steel Belted Radius The CN3000 is compliant with RFC 2865 and RFC 2866 and will work withavarietyofRADIUSservers Thisexampleisforillustrativepurposes only and does not imply that you need to use Stee...

Page 332: ...cking of usage and accounting information is only possible when using an OBDC database therefore this example is best suited to installations that require user authentication only Prerequisites Softwa...

Page 333: ...his setup Both are functionally identical See Wiring details on page 288 for information on how to build a x over cable To test the setup when installation and configuration is complete you will use t...

Page 334: ...ce it is complete You should install a web server on this computer This example uses IIS running on Windows 2000 professional Client station The client station is required to test the setup once it is...

Page 335: ...example use the address 192 168 2 99 4 Shut down and restart Server 1 Steel Belted Radius 1 Retrieve Funk Steel Belted Radius Server v4 Evaluation version from funk com 2 Run the executable installati...

Page 336: ...radius dct ATTRIBUTE Colubris AVPAIR 26 vid 8744 type1 0 len1 2 data string RO For more information on the format of this file see c radius service readme dct 3 Edit c radius service dictiona dcm Add...

Page 337: ...ep 2 Connect to the Steel Belted Radius server Do the following on server 1 1 On the Start menu click Steel Belted Radius then click Steel Belted Radius Administrator The following window opens 2 Clic...

Page 338: ...the Status window you must resolve them before continuing For example A common cause for these errors is to forget to terminate the IAS and IIS services and then reboot These services will continue to...

Page 339: ...n you need to know the IP address assigned to the Internet port on the CN3000 For this example use the address 192 168 2 1 Note The configuration settings you make here will match the settings you mak...

Page 340: ...00 7 Click Edit authentication shared secret 8 Specify a carefully chosen shared secret In a production environment you should use a combination of at least eight uppercase lowercase letters as well a...

Page 341: ...utes are returned once authentication is successful For this example you will create a RADIUS profile for the CN3000 Public access customers subscribing to SMTP redirection Public access customers not...

Page 342: ...for a complete list of all supported attributes To add each entry Click Ins Select Colubris AVPair and enter the appropriate string For example A colubris AVPair access list all ACCEPT tcp 192 168 2...

Page 343: ...and those without it To this end this example will create two profiles CUSTOMERS SMTP REDIRECT and CUSTOMERS NO SMTP Note This example assumes the SMTP server is located on Server 2 although no such s...

Page 344: ...efer to Creating a profile for the CN3000 on the RADIUS server on page 150 for a complete list of all supported attributes A Idle Timeout 30 This causes the CN3000 to log the customer out if the sessi...

Page 345: ...Defining an CN3000 administrator profile By defining an administrator profile you can enable multiple administrators to log in to the management tool on the CN3000 Each administrator can have their ow...

Page 346: ...dius Chapter 15 346 5 Click the Ins button The Add New Attribute dialog box opens 6 Select Service Type and set it to the value Administrative Click Add 7 Click Close Return list attributes are not su...

Page 347: ...of the profiles that were just defined For this example you will create the following RADIUS user accounts Defining user accounts Repeat the following procedure to create each user account 1 Click Use...

Page 348: ...5 Sample setup Steel Belted Radius Chapter 15 348 5 In the Profile name box select the profile which will be used as the basis for the account The settings for the profile will appear For example 6 Cl...

Page 349: ...uld be set to the address of the router providing access to the Internet Configure RADIUS settings The CN3000 must be configured to communicate with the Steel Belted Radius server For a detailed expla...

Page 350: ...ile 1 RADIUS username Set to hotspot RADIUS password Set to hotspot 7 In the HTML based User Logins box set RADIUS profile to RADIUS Profile 1 8 Click Save The CN3000 will attempt to connect to the St...

Page 351: ...month and dd the day For example 20030822 log for August 22 2003 If the number of Silent Discards is incriminated it probably means that either the IP address of the CN3000 and or the shared secret ha...

Page 352: ...IIS are installed on Server 2 You can any another operating system and web server 1 Install Windows 2000 Professional Server or Advanced Server and then install Service Pack 3 2 Make sure that IIS is...

Page 353: ...the setup of this example this is automatic If not adjust the configuration of the client accordingly 1 Start the client station s web browser and enter the IP address or domain name of Server 2 in th...

Page 354: ...r logins If you configured administrator accounts on the RADIUS server you can test them now as follows 1 Open the CN3000 management tool with your web browser 2 On the main menu click Management The...

Page 355: ...ice that comes with Windows 2000 server and Windows 2000 Advanced server The CN3000 is compliant with RFC 2865 and RFC 2866 and will work withavarietyofRADIUSservers Thisexampleisforillustrativepurpos...

Page 356: ...nded updates Internet Explorer 6 0 service pack 1 Hardware a network hub a second network hub or a cross over cable two computers capable of running Windows 2000 Professional Server or Advanced Server...

Page 357: ...rver Server 2 is used to simulate an external web server Or you can use this setup Both are functionally identical See Wiring details on page 288 for information on how to build a x over cable About t...

Page 358: ...rvice Pack 3 and all recommended updates 2 Make sure that IAS is also installed 3 Connect Server 1 to the hub and assign a static IP address to it For this example use the address 192 168 2 99 4 Shut...

Page 359: ...account each administrator must have their own account each customer must have their own account To create the accounts 1 Click Start Programs Administrative Tools Computer Management 2 Double click...

Page 360: ...dministrators Customers with SMTP redirection Customers without SMTP redirection To create the groups 1 Click Groups 2 Create the following groups by clicking New Group on the Action menu After you cr...

Page 361: ...tup Microsoft RADIUS Chapter 16 361 4 All users are automatically added to the Users group Select customer1 and customer2 and click Remove You need to remove these users so they do not have access to...

Page 362: ...ter 16 362 Step 4 Start the RADIUS server Start the RADIUS server configuration by selecting Start Menu Programs Administrative Tools Internet Authenticating Service The following window will open 1 C...

Page 363: ...Therefore each CN3000 is considered to be a RADIUS client and must have its own client account 1 Click Clients 2 On the Action menu click New client The Add Client dialog box opens 3 Specify a Friend...

Page 364: ...ress of the CN3000 s Internet port For this example specify 192 168 2 1 7 Leave Client Vendor set to RADIUS Standard 8 Leave Client must always send the signature attribute in the request checked The...

Page 365: ...tions that apply to a group of RADIUS users This section shows how to define an access policy for the Public Access Hotspots group 1 Click Remote Access Policies 2 On the Action menu click New remote...

Page 366: ...crosoft RADIUS Chapter 16 366 4 Click Next The Add Remote Access Policy dialog box opens 5 Click Add The Select Attribute dialog box opens 6 Select Service type and click Add 7 Select Administrative c...

Page 367: ...setup Microsoft RADIUS Chapter 16 367 8 You return Add Remote Access Policy dialog box 9 Click Add The Select Attribute dialog box opens 10 Select Windows Groups and click Add 11 The Groups dialog bo...

Page 368: ...S Chapter 16 368 12 The Select Groups dialog box opens Select Public Access Hotspots and then click Add and then OK 13 Return to the Add Remote Access Policy dialog box and click Next 14 Select Grant...

Page 369: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 369 15 Click Edit Profile 16 The Edit Dial in Profile window opens 17 Click the Authentication tab and enable the options as shown...

Page 370: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 370...

Page 371: ...k the Advanced tab This tab is where you specify the values that are returned to the CN3000 when it logs into the RADIUS server 19 Select Framed Protocol and click Remove 20 Select Service Type and cl...

Page 372: ...ing The location of custom HTML pages that must be downloaded by the CN3000 One or more access lists for specifying the set of network resources customers have access to For this example you should cr...

Page 373: ...r 16 Sample setup Microsoft RADIUS Chapter 16 373 To add this entry Click Add The Add Attributes dialog box opens Select Vendor Specific and click Add The Multivalued Attribute Information dialog box...

Page 374: ...s Click Configure Attribute The Configure VSA RFC compliant dialog box opens For Vendor assigned attribute number specify 0 For Attribute format select String For Attribute value specify the following...

Page 375: ...f both policies is identical expect for a few steps at the end of the procedure So repeat this procedure to create both policies 1 Click Remote Access Policies 2 On the Action menu click New remote ac...

Page 376: ...tup Microsoft RADIUS Chapter 16 376 4 Click Next The Add Remote Access Policy dialog box opens 5 Click Add The Select Attribute dialog box opens 6 Select Service Type and click Add 7 Select Framed cli...

Page 377: ...etup Microsoft RADIUS Chapter 16 377 8 Return to the Add Remote Access Policy dialog box 9 Click Add The Select Attribute dialog box opens 10 Select Windows Groups and click Add 11 The Groups dialog b...

Page 378: ...US Chapter 16 378 12 The Select Groups dialog box opens Select Customers with SMTP redirect click Add and then OK 13 Return to the Add Remote Access Policy dialog box and click Next 14 Select Grant re...

Page 379: ...e Edit Dial in Profile window opens 17 Define the maximum idle time for customer sessions by selecting Disconnect if idle for and setting an appropriate time 18 Define the maximum duration for custome...

Page 380: ...r 16 380 19 Click the Authentication tab and enable the options as shown 20 Click the Advanced tab This tab is where you specify the values that are returned to the CN3000 when a customer is authentic...

Page 381: ...fy the reporting interval in seconds that the CN3000 will use to send accounting information to the RADIUS server 25 Click OK You can now specify the attributes that will be returned after a customer...

Page 382: ...168 2 100 Add this when defining the Public Access Customers SMTP Redirect access policy use access list cust This access list was defined in the Public Hotspot Policy It is activated here to provide...

Page 383: ...ode 8744 in Enter Vendor Code Select Yes It conforms Click Configure Attribute The Configure VSA RFC compliant dialog box opens For Vendor assigned attribute number specify 0 For Attribute format sele...

Page 384: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 384 26 When done click OK on all dialog boxes to return to the Add Remote Access Policy dialog box 27 Click Finish...

Page 385: ...r instead of locally on each CN3000 Note Setting up administrator profiles is optional and is not required for proper operation of this sample 1 Click Remote Access Policies 2 On the Action menu click...

Page 386: ...er 16 386 5 Click Add The Select Attribute dialog box opens 6 Select Service Type and click Add 7 Select Administrative click Add then click OK 8 Return to the Add Remote Access Policy dialog box 9 Cl...

Page 387: ...mple setup Microsoft RADIUS Chapter 16 387 10 Select Windows Groups and click Add 11 The Groups dialog box opens Click Add 12 The Select Groups dialog box opens Select Hotspot Administrators click Add...

Page 388: ...hapter 16 Sample setup Microsoft RADIUS Chapter 16 388 13 Return to the Add Remote Access Policy dialog box and click Next 14 Select Grant remote access permission and click Next 15 Click Edit Profile...

Page 389: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 389 16 The Edit Dial in Profile window opens 17 Click the Authentication tab and enable the options as shown...

Page 390: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 390 18 Click the Advanced tab 19 Remove all entries 20 Click OK 21 Click Finish...

Page 391: ...of the router providing access to the Internet In a real setup you would also need to define DNS settings Configure RADIUS settings The CN3000 must be configured to communicate with the RADIUS server...

Page 392: ...spot RADIUS password Set to hotspot 7 In the HTML based User Logins box set RADIUS profile to RADIUS Profile 1 8 Click Save The CN3000 will attempt to connect to the Microsoft Radius server If success...

Page 393: ...IS are installed on Server 2 You can any another operating system and web server 1 Install Windows 2000 Professional Server or Advanced Server and then install Service Pack 3 2 Make sure that IIS is r...

Page 394: ...his is automatic If not adjust the configuration of the client accordingly 1 Start the client station s web browser and enter the IP address of Server 2 192 168 2 100 2 The CN3000 should intercept the...

Page 395: ...ollows To test the accounts that were setup to validate administrator logins using the RADIUS server do the following 1 Open the CN3000 management tool with your web browser 2 On the main menu click M...

Page 396: ...Chapter 16 Sample setup Microsoft RADIUS Chapter 16 396...

Page 397: ...hat you can use to become familiar with the feature Thesamplesetupinthischapterfunctionsfromthecommand lineusing VPScript The ASP version of the script can be used as a starting point for porting or i...

Page 398: ...cript application on the web server It is signed by noc ca crt noc ca crt Installed on the web server noc client pfx Installed on the web server and used by the VBScript program to secure the session...

Page 399: ...This example uses the same equipment setup presented in Chapter 14 You should follow the instructions in Chapter 14 to install this sample and get it working For your reference the topology is Or you...

Page 400: ...Certificates box click Browse 3 Select the following folder on the CN3000 CD ROM backend winhttpauth www noc cn3000 com pfx 4 In the Password field specify www noc cn3000 com 5 Click Install 6 The CN...

Page 401: ...lient crt ssl noc ca certificate https 192 168 2 99 demo php upload noc ca crt These files are included as part of the backend example Force authentication For the CN3000 to authenticate to the RADIUS...

Page 402: ...ities to prevent your computer from trusting web sites using certificates signed by the private key present in noc ca pfx As this key is provided as an part of an example it should not be considered a...

Page 403: ...hapter 17 Experimenting with NOC authentication Chapter 17 403 4 On the Console menu click Add Remove Snap in 5 Click Add 6 Click Certificates then click Add 7 Then select Computer account 8 Click Nex...

Page 404: ...erimenting with NOC authentication Chapter 17 404 9 Choose Local Computer and click Finish 10 Click Close and OK to return to the mmc console window 11 Open Certificates under Trusted Root Certificati...

Page 405: ...must be executed on a per user basis To check if winhttpcertcfg exe is installed on the server do the following 1 Open a command line session 2 Execute winhttpcrtcfg exe 3 If you get an error it means...

Page 406: ...o the private key imported from noc client pfx to the application that will send customer login information to the CN3000 In this example access needs to be granted to two accounts The VBscript applic...

Page 407: ...ame assigned to its Internet port is www noc cn3000 com In order for requests from the VBScript application to successfully reach the CN3000 this name must be added to the WINNT system32 drivers etc h...

Page 408: ...s on page 410 Examples Example 1 successful authentication In this example authentication is requested for a valid customer account that was defined during creation of the backend sample with Login na...

Page 409: ...returned so that the customer s web browser can be asked to open the session window Example 2 successful authentication already logged in This example re executes the previous command resulting in an...

Page 410: ...e program even if the possibility of such damages has been advised against The entire risk as to the quality the performance and the fitness of the program for any particular purpose lies with the par...

Page 411: ...ANNOT_GET_PEER_CERT L cannot get peer cert define NOC_MISSING_USERNAME_OR_PASSWORD L missing username or password define NOC_CERT_EXPIRED L cert expired define NOC_CERT_NOT_YET_VALID L cert not yet va...

Page 412: ...sl noc certificate in the RADIUS profile for the CN3000 However it the certificate is not signed by the CA defined by noc ca certificate in the RADIUS profile for the CN3000 HTML NOC_INFO_STATUS NOC_S...

Page 413: ...lready in use by an active session HTML status already logged in HTML Customer authentication was refused by the RADIUS server This could be due to an unknown username or invalid username or password...

Page 414: ...Chapter 17 Experimenting with NOC authentication Chapter 17 414...

Page 415: ...Chapter 18 Regulatory wireless interoperability and health information Chapter 18 Regulatory wireless interoperability and health information...

Page 416: ...ontact during normal operation When using this device in combination with Colubris Networks antenna products a certain separation distance between the antenna and nearby persons has to be kept to ensu...

Page 417: ...etween the CN3000 and the receiver Connect the CN3000 to an outlet on a circuit different from that which the receiver is connected Consult your dealer or an experienced radio TV technician for help C...

Page 418: ...consensus of the scientific community and result from deliberations of panels and committees of scientists who continually review and interpret the extensive research literature In some situations or...