Motorola P-7131N-FGR, Product Reference Manual

Page 1: ...Motorola Solutions AP 7131N FGR Product Reference Guide M ...

Page 2: ...ons and the Stylized M logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are a properties of their owners 2014 Motorola Solutions Inc All rights reserved ...

Page 3: ...AP 7131N FGR Access Point Product Reference Guide ...

Page 4: ......

Page 5: ...port 1 6 Sensor Support 1 6 Mesh Roaming Client 1 9 Dual Mode Radio Options 1 9 Separate LAN and WAN Ports 1 9 Multiple Mounting Options 1 10 Antenna Support for 2 4 GHz and 5 GHz Radios 1 10 Sixteen Configurable WLANs 1 10 Support for 4 BSSIDs per Radio 1 10 Quality of Service QoS Support 1 11 Industry Leading Data Security 1 11 EAP Authentication 1 12 WPA2 CCMP 802 11i Encryption 1 12 Firewall S...

Page 6: ... File Import Export Functionality 1 18 Default Configuration Restoration 1 18 DHCP Support 1 18 Mesh Networking 1 19 Additional LAN Subnet 1 20 On board Radius Server Authentication 1 20 Hotspot Support 1 20 Routing Information Protocol RIP 1 21 Manual Date and Time Settings 1 21 Dynamic DNS 1 21 Auto Negotiation 1 22 Adaptive AP 1 22 Rogue AP Enhancements 1 22 Radius Time Based Authentication 1 2...

Page 7: ...D Indicators 2 18 Dual Radio 2 4 5 GHz LEDs 2 20 Rear LED 2 21 Setting Up MUs 2 21 Legacy MUs 2 21 802 11n MUs 2 22 Chapter 3 Getting Started Installing the Access Point 3 1 Configuration Options 3 2 Initially Connecting to the Access Point 3 3 Connecting to the Access Point using the WAN Port 3 3 Connecting to the Access Point using the LAN Port 3 3 Basic Configuration 3 4 Configuring Your Browse...

Page 8: ...SNMP Traps 4 34 Configuring Specific SNMP Traps 4 36 Configuring SNMP RF Trap Thresholds 4 39 Configuring Network Time Protocol NTP 4 41 Logging Configuration 4 45 Importing Exporting Configurations 4 47 Updating Device Firmware 4 51 Key Zeroisation 4 54 Key Zeroisation Process 4 55 Chapter 5 Network Management Configuring the LAN Interface 5 1 Configuring VLAN Support 5 5 Configuring LAN1 and LAN...

Page 9: ... the Access Point Password 6 4 Enabling Authentication and Encryption Schemes 6 4 Configuring 802 1x EAP Settings 6 6 Configuring WPA2 CCMP 802 11i 6 11 Configuring Firewall Settings 6 13 Configuring LAN to WAN Access 6 16 Available Protocols 6 17 Configuring Advanced Subnet Access 6 18 Configuring VPN Tunnels 6 22 Creating a VPN Tunnel between Two Access Points 6 26 Configuring Manual Key Setting...

Page 10: ... Statistics 7 12 Viewing WLAN Statistics 7 15 Viewing Radio Statistics Summary 7 18 Viewing Radio Statistics 7 20 Retry Histogram 7 24 Viewing MU Statistics Summary 7 25 Viewing MU Details 7 27 Pinging Individual MUs 7 30 MU Authentication Statistics 7 31 Viewing the Mesh Statistics Summary 7 32 Viewing Known Access Point Statistics 7 34 Chapter 8 CLI Reference Connecting to the CLI 8 2 Accessing ...

Page 11: ...all Commands 8 148 Network Router Commands 8 153 System Commands 8 159 Power Setup Commands 8 164 Adaptive AP Setup Commands 8 167 System Access Commands 8 171 System Certificate Management Commands 8 175 System SNMP Commands 8 188 System SNMP Access Commands 8 189 System SNMP Traps Commands 8 194 System User Database Commands 8 200 System Radius Commands 8 218 System Network Time Protocol NTP Com...

Page 12: ...Client Bridge 9 20 Configuring AP 1 9 21 Configuring AP 2 9 24 Configuring AP 3 9 25 Verifying Mesh Network Functionality for Scenario 1 9 27 Scenario 2 Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge 9 27 Configuring AP 1 9 28 Configuring AP 2 9 29 Configuring AP 3 9 30 Verifying Mesh Network Functionality for Scenario 2 9 32 Mesh Networking Frequently Asked Questions 9 33 Ch...

Page 13: ... Adaptive AP Manually 10 11 Adopting an Adaptive AP Using a Configuration File 10 13 Switch Configuration 10 13 Adaptive AP Deployment Considerations 10 15 Sample Switch Configuration File for IPSec and Independent WLAN 10 16 Appendix A Technical Specifications Physical Characteristics A 2 Electrical Characteristics A 2 Radio Characteristics A 3 Country Codes A 4 Appendix B Usage Scenarios Configu...

Page 14: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 10 ...

Page 15: ...l access point Document Conventions The following document conventions are used in this document NOTE Indicate tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING Indicates a condition or procedure that could result in personal injury or equipment damage ...

Page 16: ...umbered lists Service Information If a problem is encountered with the access point contact Customer Support Refer to Appendix C Customer Support for contact information Before calling have the model and serial number on hand If the problem cannot be solved over the phone you may need to return your equipment for servicing If that is necessary you will be given specific instructions Motorola Solut...

Page 17: ...in access port into a single device This mode enables the deployment of a fully featured intelligent access point that can be centrally configured and managed via a Motorola Solutions wireless switch in either corporate headquarters or a network operations center NOC In the event the connection between the access point and the wireless switch is lost a Remote Site Survivability RSS feature ensures...

Page 18: ...ts Unlike the AP 7131 and AP 7131N models however an AP 7131N FGR has specialized data protection mechanisms and prompts the user when secure information is displayed within the access point GUI applet The AP 7131N FGR enables you to configure one radio for 802 11a n support and the other for 802 11b g n support The two models available to the AP 7131N FGR series include AP 7131N 66040 FGR 802 11a...

Page 19: ...ess points supported bandwidth management on a per WLAN basis Each WLAN could be configured to receive at most a certain percentage of the total available downstream bandwidth The new rate limiting feature is a replacement of the bandwidth management feature allowing for better MU radio bandwidth allotments on a per WLAN basis To globally enable or disable the MU rate limit and assess the WLANs in...

Page 20: ... the maximum power available to the AP by a POE device Once an operational power configuration is defined the AP firmware can read the power setting and configure operating characteristics based on the AP s SKU and power configuration If the POE cannot provide sufficient power with all interfaces enabled the following interfaces could be disabled or modified Radio transmit power could be reduced d...

Page 21: ... now since 802 11i WPA2 is considered more secure For information on configuring VPN support see Configuring VPN Tunnels on page 6 22 For instructions on configuring a IPSec VPN tunnel using two access points see Creating a VPN Tunnel between Two Access Points on page 6 26 1 2 Feature Overview The following legacy features have been carried forward into the 4 x firmware baseline 802 11n Support Se...

Page 22: ...ents Radius Time Based Authentication QBSS Support 1 2 1 802 11n Support Motorola Solutions provides full life cycle support for either a new or existing 802 11n mobility deployment from network design to day to day support For information on deploying your 802 11n radio see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 1 2 2 Sensor Support The Motorola Solutions Wireless Intrusion P...

Page 23: ... is supported on the access point radio s available to each WLAN When an access point radio is functioning as a WIPS sensor it is able to scan in sensor mode across all channels within the 2 4 and 5 0 GHz bands The following is a network topology illustrating how a sensor functions within an access point supported wireless network NOTE Sensor support requires a Motorola Solutions AirDefense WIPS S...

Page 24: ... and MUs operating in a WLAN Live view support exists throughout the WIPS application wherever a device icon appears in an information panel or navigation tree Access Live View by right clicking on the device which automatically limits the data to the specific device your choose Sensor radios can be tuned to channels in both the 2 4GHz and 5 0 GHz band The channels in use by a given radio are defi...

Page 25: ...oint enables you to configure one radio for 802 11a n support and the other for 802 11b g n support The two models available to the AP 7131N FGR series include AP 7131N 66040 FGR 802 11an and 802 11bgn capable AP 7131N 44040 FGR 802 11a and 802 11bg capable For detailed information see Setting the WLAN s Radio Configuration on page 5 51 1 2 5 Separate LAN and WAN Ports The access point has one LAN...

Page 26: ...al 802 11a n and 802 11b g n radio antennas Select the antenna best suited to the radio transmission requirements of your coverage area 1 2 8 Sixteen Configurable WLANs A Wireless Local Area Network WLAN is a data communications system that flexibly extends the functionalities of a wired LAN A WLAN does not require lining up devices for line of sight transmission and are thus desirable for wireles...

Page 27: ...atency increases and throughput reductions These forms of higher priority data traffic can significantly benefit from the QoS implementation The WiFi Multimedia QOS Extensions WMM implementation used by the shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications In addition U APSD WMM Power Save is also supported WMM defines four access...

Page 28: ...if the server cannot provide proof of device identification Using EAP a user requests connection to a WLAN through the access point The access point then requests the identity of the user and transmits that identity to an authentication server The server prompts the AP for proof of identity supplied to the by the user and then transmits the user data back to the server to complete the authenticati...

Page 29: ...information on configuring the access point s firewall see Configuring Firewall Settings on page 6 13 1 2 11 4 VPN Tunnels Virtual Private Networks VPNs are IP based networks using encryption and tunneling providing users remote access to a secure LAN In essence the trust relationship is extended from one LAN across the public network to another LAN without sacrificing security A VPN behaves like ...

Page 30: ...s even when they are not members of the same network segment For detailed information on configuring VLAN support see Configuring VLAN Support on page 5 5 1 2 13 Multiple Management Accessibility Options The access point can be accessed and configured using one of the following Java Based Web UI Human readable config file imported via SFTP MIB Management Information Base Command Line Interface CLI...

Page 31: ... network growth The access point supports SNMP management functions for gathering information from its network components The MIB files are available at https portal motorolasolutions com Support US EN In the given portal the user should serach for AP7131N GR MIBS 4 0 4 0 For more information refer Appendix C Customer Support Few acronyms used in the MIB files The access point s SNMP agent functio...

Page 32: ...nt on the access point s LAN port eliminating the need for separate Ethernet and power cables For detailed information on using the Power Injector see Power Injector System on page 2 6 1 2 17 MU MU Transmission Disallow The access point s MU MU Disallow feature prohibits MUs from communicating with each other even if on the same WLAN assuming one of the WLAN s is configured to disallow MU MU commu...

Page 33: ...isplay robust transmit and receive statistics for the WAN and LAN ports WLAN stats can be displayed collectively and individually for enabled WLANs Transmit and receive statistics are available for the access point s 802 11a n and 802 11b g n radios An advanced radio statistics page is also available to display retry histograms for specific data packet retry information Associated MU stats can be ...

Page 34: ...default configuration or a partial default configuration with the exception of current WAN and SNMP settings Restoring the default configuration is a good way to create new WLANs if the MUs the access point supports have been moved to different radio coverage areas For detailed information on restoring a default or partial default configuration see Configuring System Settings on page 4 2 1 2 25 DH...

Page 35: ...ss point radio to accept client bridge connections The two bridges communicate using the Spanning Tree Protocol STP The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection Once the spanning tree converges both access points begin learning which destinations reside on which side of the network This allows them to forw...

Page 36: ...information on configuring the access point for additional LAN subnet support see Configuring the LAN Interface on page 5 1 1 2 28 On board Radius Server Authentication The access point can function as a RADIUS Server to provide user database information and user authentication Several new screens have been added to the access point s menu tree to configure RADIUS server authentication and configu...

Page 37: ...an interior gateway protocol that specifies how routers exchange routing table information The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used For detailed information on configuring RIP functionality as part of the access point s Router functionality see Setting the RIP Configuration on page 5 71 1 2 31 Manual Date and Time Sett...

Page 38: ...ncryption decryption local traffic bridging the tunneling of centralized traffic to the wireless switch For a information overview of the adaptive AP feature as well as how to configure it refer to Adaptive AP on page 10 1 1 2 35 Rogue AP Enhancements The access point can scan for rogues over all channels on both of the access point s radio bands The switching of radio bands is based on a timer wi...

Page 39: ...mit and receive electric signals without wires Users communicate with the network by establishing radio links between mobile units MUs and access points The access point uses DSSS direct sequence spread spectrum to transmit digital data from one device to another A radio signal begins with a carrier signal that provides the base or center frequency The digital data signal is encoded onto carriers ...

Page 40: ...s point with a matching ESSID and synchronizes associates to establish communications This device association allows MUs within the coverage area to move about or roam As the MU roams from cell to cell it associates with a different access point The roam occurs when the MU analyzes the reception quality at a location and determines a different provides better signal strength and lower MU load dist...

Page 41: ...ess Resolution Protocol request packet the access point forwards it over all enabled interfaces except over the interface the ARP request packet was received On receiving the ARP response packet the access point database keeps a record of the destination address along with the receiving interface With this information the access point forwards any directed packet to the correct destination Transmi...

Page 42: ...cifications The bit redundancy within the chipping sequence enables the receiving MU to recreate the original data pattern even if bits in the chipping sequence are corrupted by interference The ratio of chips per bit is called the spreading ratio A high spreading ratio increases the resistance of the signal to interference A low spreading ratio increases the bandwidth available to the user The ac...

Page 43: ...begins forwarding frames addressed to the target MU Each frame contains fields for the current direct sequence channel The MU uses these fields to resynchronize to the access point The scanning and association process continues for active MUs This process allows MUs to find new access points and discard out of range or deactivated access points By testing the airwaves MUs can choose the best netwo...

Page 44: ...transfers on the AP interfaces The access point requires one of the following connection methods to perform a custom installation and manage the network Secure Java Based WEB UI use Sun Microsystems JRE 1 6 available from Sun s Web site and be sure to disable Microsoft s Java Virtual Machine if installed Command Line Interface CLI via Serial and SSH Config file Human readable Importable Exportable...

Page 45: ...e access point chassis WAN GE2 WAN MAC address 1 LAN2 A virtual LAN not mapped to the LAN Ethernet port This address is the lowest of the two radio MAC addresses Radio1 802 11b g n Random address located on the Web UI CLI and SNMP interfaces Radio2 802 11a n Random address located on the Web UI CLI and SNMP interfaces The access point s BSS virtual AP MAC addresses are calculated as follows BSS1 T...

Page 46: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 1 30 ...

Page 47: ...ess point to the network connecting antennae and applying power Installation procedures vary for different environments See the following sections for more details Precautions Requirements Package Contents Access Point Placement Power Options Power Injector System Mounting an AP 7131N FGR LED Indicators Setting Up MUs ...

Page 48: ...No 50 14000 247R or Power Injector Part No AP PSBIAS 1P3 AFR A power outlet Dual band antennae or an antenna specifically supporting the AP s 2 4 or 5 GHz band 2 3 Package Contents Check package contents for the correct model and accessories Each available configuration at a minimum contains AP 7131N FGR access point accessories dependent on SKU ordered AP 7131N FGR Install Guide China ROHS compli...

Page 49: ...overage is analogous to lighting Users might find an area lit from far away to be not bright enough An area lit sharply might minimize coverage and create dark areas Uniform antenna placement in an area like even placement of a light bulb provides even efficient coverage Place the access point using the following guidelines NOTE The access point façade with 6 Element Antenna Part No ML 2452 PTA2M3...

Page 50: ...fferent to support the radio coverage area Motorola Solutions recommends conducting a new site survey and developing a new coverage area floor plan when switching from legacy access points to a new AP 7131N FGR model as the device placement requirements could be significantly different 2 4 2 Antenna Options Motorola Solutions supports two antenna suites for AP 7131N FGR One antenna suite supportin...

Page 51: ...i ML 2499 11PNA2 01R Wide Angle Directional 8 5 ML 2499 HPA3 01R Omni Directional Antenna 3 3 ML 2499 BYGA2 01R Yagi Antenna 13 9 ML 2452 APA2 01 Dual Band 3 4 ML 2452 PTA2M3X3 1 Facade with 6 Element Antenna Module 3 5 ML 2452 PTA3M3 036 3 Port MIMO Antenna 4 75 5 5 NOTE An additional adapter is required to use ML 2499 11PNA2 01 and ML 2499 BYGA2 01 model antennae Please contact Motorola Solution...

Page 52: ...nna 13 ML 5299 HPA1 01R Wide Band Omni Directional Antenna 5 0 ML 2452 APA2 01 Dual Band 3 4 ML 2452 PTA2M3X3 1 Facade with 6 Element Antenna Module 4 75 5 5 ML 2452 PTA3M3 036 3 Port MIMO Antenna 5 5 ML 2452 APA6J 01 Dipole 2 4GHz Peak Gain 5 76dBi 5GHz Peak Gain band 1 3 77dBi band 2 3 38dBi band 3 2 84dBi band 4 2 94dBi CAUTION An AP 7131N FGR and must use the 48 Volt Power Supply designed spec...

Page 53: ...131N can also be used with the 3af power injector AP PSBIAS 1P2 AFR However AP functionality is limited when powered by an AP PSBIAS 1P2 AFR since the AP has Ethernet connectivity limited to only the GE1 port The Motorola Solutions access point Power Supply Part No 50 14000 247R is not included with the access point and is orderable separately as an accessory If the access point is provided both P...

Page 54: ... using the unit s wall mounting key holes The following guidelines should be adhered to before cabling the Power Injector to an Ethernet source and access point Do not block or cover airflow to the Power Injector Keep the unit away from excessive heat humidity vibration and dust CAUTION The access point supports any standards based compliant power source including non Motorola Solutions power sour...

Page 55: ...On Off power switch The Power Injector receives power and is ready for access point connection and operation as soon as AC power is applied Refer to the Installation Guide shipped with the Power Injector for a description of the device s LED behavior 3 Verify all cable connections are complete before supplying power to the access point CAUTION To avoid problematic performance and restarts disable ...

Page 56: ... 2 7 1 Wall Mounted Installations Wall mounting requires hanging the access point along its width or length using the pair of slots on the bottom of the unit and using the access point mounting template for the screws The hardware and tools customer provided required to install the access point on a wall consists of Two Phillips pan head self tapping screws ANSI Standard 6 18 X 0 875in Type A or A...

Page 57: ...Hardware Installation 2 11 ...

Page 58: ...screw and stop when there is 1mm between the screw head and the wall If pre drilling a hole the recommended hole size is 2 8mm 0 11in if the screws are going directly into the wall and 6mm 0 23in if wall anchors are being used 6 If required install and attach a security cable to the access point s lock port 7 Attach the antennas to their correct connectors For more information on available antenna...

Page 59: ...or CAT6 Ethernet cable between the network data supply host and the access point s GE1 POE port b Verify the power adapter is correctly rated according the country of operation c Connect the power supply line cord to the power adapter d Attach the power adapter cable into the power connector on the access point e Plug the power adapter into an outlet 11 Verify the behavior of the access point s LE...

Page 60: ...the Ethernet source to the Power Injector and access point does not exceed 100 meters 333 ft The Power Injector has no On Off power switch The Power Injector receives power as soon as AC power is applied For more information on using the Power Injector see Power Injector System on page 2 6 For standard 48 Volt Power Adapter Part No 50 14000 247R and line cord installations a Connect a RJ 45 CAT5e ...

Page 61: ...ystem Configuration on page 4 1 2 7 3 Above the Ceiling Plenum Installations An above the ceiling installation requires placing the access point above a suspended ceiling and installing the provided light pipe under the ceiling tile for viewing the rear panel status LEDs of the unit An above the ceiling installation enables installations compliant with drop ceilings suspended ceilings and industry...

Page 62: ...6 Use a drill to make a hole in the tile the approximate size of the LED light pipe 7 Remove the light pipe s rubber stopper before installing the light pipe NOTE The AP 7131N FGR is Plenum rated to UL2043 and NEC1999 to support above the ceiling installations CAUTION Motorola Solutions does not recommend mounting the access point directly to any suspended ceiling tile with a thickness less than 1...

Page 63: ...e point or security cable if used to the access point s lock port 13 Align the ceiling tile into its former ceiling space 14 Cable the access point using either a Power Injector or approved line cord and power supply For Power Injector installations a Connect a RJ 45 CAT5e or CAT6 Ethernet cable between the network data supply host and the Power Injector Data In connector b Connect a RJ 45 CAT5e o...

Page 64: ...int is ready to configure For information on an access point default configuration see Getting Started on page 3 1 For specific details on system configurations see System Configuration on page 4 1 2 8 LED Indicators An AP 7131N FGR model access point has six LEDs on the top of the access point housing and one optional LED light pipe at the bottom of the unit However an AP 7131N FGR model access p...

Page 65: ...ble in wall and below ceiling installations The top housing LEDs have the following display and functionality NOTE Depending on how the 5 GHz and 2 4 GHz radios are configured the LEDs will blink at different intervals between amber and yellow 5 GHz radio and emerald and yellow 2 4 GHz radio ...

Page 66: ...802 11a activity A 5 second Amber and Yellow blink rate defines 802 11an activity A 2 second Amber and Yellow blink rate defines 802 11an 40 MHz activity When functioningas a sensor LED alternates between Amber and Yellow The blink interval is 0 5 seconds It s 1 second when no Server is connected Blinking Emerald indicates 802 11bg activity A 5 second Emerald and Yellow blink rate defines 802 11bg...

Page 67: ...Refer to the LA 5030 LA 5033 Wireless Networker PC Card and PCI Adapter Users Guide available from the Motorola Solutions Web site for installing drivers and client software if operating in an 802 11a g network environment Refer to the Spectrum24 LA 4121 PC Card LA 4123 PCI Adapter LA 4137 Wireless Networker User Guide available from the Motorola Solutions Web site for installing drivers and clien...

Page 68: ...hange the access point s settings to support legacy 802 11a bg operation using Windows XP 1 Select My Network Places 2 Right click and select Properties The Network Connections screen displays 3 Select right click on the adapter supporting 802 11n operation with the access point and select Properties 4 Click on the Configure button The Network Connection screen displays supporting the 802 11n adap...

Page 69: ...ick OK to save the updates to the adapter s configuration NOTE If re enabling the adapter for 802 11 support ensure additional 802 11n settings Aggregation Channel Width Guard Interval etc are also enabled to ensure optimal operation ...

Page 70: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 2 24 ...

Page 71: ...er options outlined in Hardware Installation See the following sections for more details Installing the Access Point Configuration Options Basic Configuration 3 1 Installing the Access Point Make the required cable and power connections before mounting the access point in its final operating position Test the access point with an associated MU before mounting and securing the access point Carefull...

Page 72: ...e the network Secure Java Based WEB UI use Sun Microsystems JRE 1 6 available from Sun s Web site Disable Microsoft s Java Virtual Machine if installed For information on using the Web UI to set access point default configuration see Basic Configuration on page 3 4 or chapters 4 through 7 of this guide Command Line Interface CLI via Serial and SSH The access point CLI is accessed through the RS232...

Page 73: ...nitially connect to the access point using the access point s LAN port 1 The LAN or GE1 POE port has a default static IP address of 192 168 0 1 24 2 To view the IP address connect one end of a null modem serial cable to the access point and the other end to the serial port of a computer running HyperTerminal or similar emulation program 3 Configure the following settings Baud Rate 19200 Data Bits ...

Page 74: ...itionally ensure JRE version 1 6 is installed on the computer accessing the AP 7131N FGR GUI applet The following sections describe how to change your browser settings using either Internet Explorer or Mozilla Firefox in order to correctly launch and display the AP 7131N FGR GUI applet Without these browser modifications you will not be able to access the AP 7131N FGR GUI applet 3 4 1 1 Accessing ...

Page 75: ... Firefox used 3 Within the Protocols field ensure the Use TLS 1 0 option is selected Remember the AP 7131N FGR does not support SSL 2 0 or SSL 3 0 A Website Certified by an Unknown Authority screen displays stating Firefox is unable to define a trusted site 4 Select either the Accept this certificate permanently or Accept this certificate temporarily for this session Click the OK button to continu...

Page 76: ...refox require unique settings be defined in order for the browser to access the AP 7131N FGR GUI applet For instructions on configuring these browser settings see Configuring Your Browser for AP 7131N FGR Support on page 3 4 1 Start a browser and enter the following IP address in the address field https 192 168 0 1 2 Log in using admin as the default Username and motorola as the default Password U...

Page 77: ...iguring Device Settings on page 3 8 to validate the country setting The export function will always export the encrypted Admin User password The import function will import the Admin Password only if the access point is set to factory default If the access point is not configured to factory default settings the Admin User password WILL NOT get imported NOTE Though the access point can have its bas...

Page 78: ...displayed 2 Select the System Configuration tab to define the access point s system WIPS server and radio configuration NOTE Beginning with the 4 0 release of the access point firmware a new scheme for radio configuration and WIPS server management has been implemented within the Quick Setup GUI applet These radio buttons define how WLAN and sensor functionality are supported amongst the radios av...

Page 79: ...g message also displays stating an incorrect country setting may result in illegal radio operation Selecting the correct country is central to legally operating the access point Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted To ensure compliance with national and local laws set the country accurately ...

Page 80: ...tting alternate time servers and setting a synchronization interval for the access point to adjust its displayed time WIPS Servers Define a primary and alternate WIPS server IP Address for WIPS Server 1 and 2 These are the addresses of the primary and secondary WIPS console server WIPS support requires a Motorola Solutions AirDefense WIPS Server on the network WIPS functionality is not provided by...

Page 81: ...ers for using the WAN interface a Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port Disable this Sensor only Spectrum Analysis mode no WLAN Radio 1 WIPS Radio 2 WIPS 2 4 GHz WLAN no Sensor Radio1 WLAN Radio 2 Disabled 5 0 GHz WLAN no Sensor Radio1 Disabled Radio 2 WLAN Radios Off Radios 1 and 2 Disabl...

Page 82: ...xample 255 255 255 0 is a valid subnet mask e Define a Default Gateway address for the access point s WAN connection The ISP or a network administrator provides this address f Specify the address of a Primary DNS Server The ISP or a network administrator provides this address g Optionally use the Enable PPP over Ethernet checkbox to enable Point to Point Protocol over Ethernet PPPoE for a high spe...

Page 83: ...e Bootp client option to enable a diskless system to discover its own IP address c Enter the network assigned IP Address of the access point d The Subnet Mask defines the size of the subnet The first two sets of numbers specify the network domain the next set specifies the subset of hosts within a larger network These values help divide a network into subnetworks and simplify routing and data tran...

Page 84: ...o2 and configure the Radio Settings field at a minimum If you know the radio s Properties Performance and Beacon Settings those fields can also be defined at this time Define the Channel Settings Power Level and 802 11 mode in respect to the 2 4 or 5 GHz 802 11b g n or 802 11a n radio traffic and anticipated gain of the antennas NOTE A maximum of 16 WLANs are configurable within the Wireless Confi...

Page 85: ...the Security Policy item At a minimum a basic security scheme in this case WPA2 CCMP is recommended in a network environment where sensitive data is transmitted 2 Ensure the Name of the security policy entered suits the intended configuration or function of the policy Multiple WLANs can share the same security policy so be careful not to name security policies after specific WLANs or risk defining...

Page 86: ...natively rotated on every interval specified in the Broadcast Key Rotation Interval Enabling broadcast key rotation enhances the broadcast traffic security on the WLAN This value is disabled by default Update broadcast keys every 30 604800 seconds Specify a time period in seconds to rotate the key index used for the broadcast key Set the interval to a shorter duration like 3600 seconds for tighter...

Page 87: ...ss Network Management Protocol WNMP ping packets to the associated MU Use the Echo Test screen to specify a target MU and 256 bit Key To use a hexadecimal value and not an ASCII passphrase select the checkbox and enter 16 hexadecimal characters into each of the four fields displayed Pre Authentication Selecting this option enables an associated MU to carry out an 802 1x authentication with another...

Page 88: ...urn to the MU Stats Summary screen 3 4 5 Where to Go from Here Once basic connectivity has been verified the access point can be fully configured to meet the needs of the network and the users it supports Refer to the following For detailed information on access point device access SNMP settings network time importing exporting device configurations and device firmware updates see Chapter 4 System...

Page 89: ...rk Management on page 5 1 For detailed information on configuring specific encryption and authentication security schemes for individual access point WLANs see Chapter 6 Configuring Access Point Security on page 6 1 To view detailed statistics on the access point and its associated MUs see Chapter 7 Monitoring Statistics on page 7 1 ...

Page 90: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 3 20 ...

Page 91: ...nternet Explorer 5 0 or later or Netscape Navigator 6 0 or later To connect to the access point an IP address is required If connected to the access point using the WAN port the default static IP address is 10 1 1 1 The default password is motorola If connected to the access point using the LAN port the default static IP addrees is 192 168 0 1 24 The user is required to know the IP address to conn...

Page 92: ...e the System Settings screen to specify the name and location of the access point assign an e mail address for the network administrator restore the AP s default configuration or restart the AP To configure System Settings for the access point 1 Select System Configuration System Settings from the access point menu tree CAUTION The access point s country of operation is set from within the System ...

Page 93: ...gured as a sensor and the WIPS functionality connects to the WIPS server The WIPS module only accepts names with up to 20 characters keep that if intending to use this AP as a sensor System Location Enter the location of the access point The System Location parameter acts as a reminder of where the AP can be found Use the System Name field as a specific identifier of device location Use the System...

Page 94: ... most recent firmware available from Motorola Solutions Use the Firmware Update screen to keep the AP s firmware up to date For more information see Updating Device Firmware on page 4 51 System Uptime Displays the current uptime of the access point defined in the System Name field System Uptime is the cumulative time since the access point was last rebooted or lost power Serial Number Displays the...

Page 95: ... Restore Partial Default Configuration Select the Restore Partial Default Configuration button to restore a default configuration with the exception of the current LAN WAN SNMP settings and IP address used to launch the browser If selected a message displays warning the user all current configuration settings will be lost with the exception of WAN and SNMP settings Before using this feature Motoro...

Page 96: ... available and other status information One of the primary functions of the CPLD is to determine the access point s maximum power budget When the AP is powered on or performing a cold reset the CPLD determines the maximum power provided by the POE device and the budget available to the access point The CPLD also determines the access point hardware SKU and the number of radios If the access point ...

Page 97: ...s point s radio at full power and should not be exceeded NOTE An AP 7131N FGR model uses 22 watts when its power status is 3af 23 26 watts when its power status is 3at and 27 watts when its power status is Full Power CAUTION The power modes described in the section are only obtainable using the 48 Volt Power Supply Part No 50 14000 247R designed for an AP 7131N FGR or using the single port Power I...

Page 98: ...z 20 17 MCS0 MCS8 5 HT20 40 23 20 MCS1 MCS9 10 HT20 40 23 20 MCS2 MCS10 13 HT20 40 23 20 MCS3 MCS11 16 HT20 40 23 19 MCS4 MCS12 19 HT20 40 22 19 MCS5 MCS13 22 HT20 40 22 18 MCS6 MCS14 25 HT20 40 21 17 MCS7 MCS15 28 HT20 40 20 17 CAUTION Exceeding the limits listed below can cause damage to the access point or cause the radio to operate unpredictably Thus these values should be viewed as the safe l...

Page 99: ... MCS0 MCS8 5 HT20 40 22 19 MCS1 MCS9 10 HT20 40 22 19 MCS2 MCS10 13 HT20 40 21 18 MCS3 MCS11 16 HT20 40 21 17 MCS4 MCS12 19 HT20 40 20 17 MCS5 MCS13 22 HT20 40 19 16 MCS6 MCS14 25 HT20 40 18 15 MCS7 MCS15 28 HT20 40 17 15 NOTE The access point could allow the operation of only one radio depending on the POE power level provided When only one radio is operational it is configured as either a WIPS o...

Page 100: ... tree 2 Refer to the following to assess the access point s current power state Once known determine how available power resources are applied to the access point s radios a NOTE Within the Power Settings field an installation professional selects a power mode as auto or 3af Contact Motorola Solutions Support if unsure of your access point s optimal power management settings ...

Page 101: ...he power budget available to the access point Using the Auto setting default setting the access point automatically determines the best power configuration based on the available power budget If 3af is selected the AP assumes 12 95 watts are available If the mode is changed the access point requires a reset to implement the change Power Status Refer to the read only power status field to review th...

Page 102: ...he switch FQDN to transmit and receive with the AAP The default control port is 24576 Switch FQDN Add a complete switch fully qualified domain name FQDN to add a switch to the 12 available switch IP addresses available for connection The access point resolves the name to one or more IP addresses if a DNS IP address is present This method is used when the access point fails to obtain an IP address ...

Page 103: ...he Adaptive AP Setup screen to the last saved configuration Auto Discovery Enable When the Auto Discovery Enable checkbox is selected the access point begins the switch discovery adoption process using DHCP first then a user provided domain name lastly using static IP addresses This setting is disabled by default When disabled the AP functions as a standalone access point without trying to adopt a...

Page 104: ...creen checkboxes to enable or disable LAN1 LAN2 and or WAN access using the protocols and ports listed If access is disabled this effectively locks out the administrator from configuring the access point using that interface To avoid jeopardizing the network data managed by the access point Motorola Solutions recommends enabling only those interfaces used in the routine daily management of the net...

Page 105: ...iguration applet using a Secure Sockets Layer SSL for encrypted HTTP sessions CLI SSH2 port 22 Select the LAN1 LAN2 and or WAN checkboxes to enable access to the access point CLI using the SSH Secure Shell protocol SNMP port 161 Select the LAN1 LAN2 and or WAN checkboxes to enable access to the access point configuration settings from an SNMP capable client HTTPS Timeout Disables access to the acc...

Page 106: ...H session to the access point if no data activity is detected over the session after the user defined interval The default value is 2 minutes Local The access point verifies the authentication connection Radius Designates that a RADIUS server is used in the authentication credential verification If using this option the connected PC is required to have its RADIUS credentials verified with an exter...

Page 107: ... case sensitive string using letters and numbers The default is motorola Change Admin Password Click the Change Admin Password button to display a screen for updating the AP administrator password Enter and confirm a new administrator password as required Message Settings Click the Message Settings button to display a screen used to create a banner text message The user can enter a 1024 characters...

Page 108: ... 11 Click Logout to securely exit the access point Access Point applet A prompt displays confirming the logout before the applet is closed 4 5 Managing Certificate Authority CA Certificates Certificate management includes the following sections Importing a CA Certificate Creating Self Certificates 4 5 1 Importing a CA Certificate A certificate authority CA is a network authority that issues and ma...

Page 109: ...point s firmware version using either the GUI or CLI After a certificate has been successfully loaded export it to a secure location to ensure its availability after a firmware update If restoring the access point s factory default firmware you must export the certificate file BEFORE restoring the access point s factory default configuration Import the file back after the updated firmware is insta...

Page 110: ... to import it into the CA Certificate list 4 Once in the list select the certificate ID within the View Imported root CA Certificates field to view the certificate issuer name subject and certificate expiration data 5 To delete a certificate select the ID from the drop down menu and click the Del button 4 5 2 Creating Self Certificates The access point requires two kinds of certificates CA certifi...

Page 111: ...to create the certificate request The Certificate Request screen displays 3 Complete the request form with the pertinent information Only 4 values are required the others optional CAUTION Self certificates can only be generated using the access point GUI and CLI interfaces No functionality exists for creating a self certificate using the access point s SNMP configuration option ...

Page 112: ...l name for the certificate to help distinguish between certificates The name can be up to 7 characters in length Subject The required Subject value contains important information about the certificate Contact the CA signing the certificate to determine the content of the Subject parameter Signature Algorithm Use the drop down menu to select the signature algorithm used for the certificate The opti...

Page 113: ... e mail to your CA paste the content of the request into the body of the message and send it to the CA The CA signs the certificate and will send it back Once received copy the content from the e mail into the clipboard 7 Click the Paste from clipboard button Note that this feature will work with Internet Explorer browser version 6 and above only The content of the e mail displays in the window Cl...

Page 114: ...tion Certificate Mgmt Self Certificates from the access point menu tree 2 Click on the Add button to create the certificate request The Certificate Request screen displays 3 Complete the request form with the pertinent information NOTE If the access point is restarted after a certificate request has been generated but before the signed certificate is imported the import will not execute properly D...

Page 115: ...sing the certificate resides State Optionally enter the name of the State where the access point using the certificate resides Postal Code Optionally enter the name of the Postal Zip Code where the access point using the certificate resides Country Code Optionally enter the access point s Country Code Email Enter a organizational e mail address avoid using a personal address if possible to associa...

Page 116: ...ertificate request using a base 64 encoded PKCS 10 file or a renewal request using a base64 encoded PKCS file option Click Next to continue 12 Paste the content of certificate in the Saved Request field within the Submit a Saved Request screen If you do not have administrative privileges ensure the Web Server option has been selected from the Certificate Template drop down menu Click Submit 13 Sel...

Page 117: ...tication of MUs has now been generated and loaded into the access point s flash memory 4 6 Configuring SNMP Settings Simple Network Management Protocol SNMP facilitates the exchange of management information between network devices SNMP uses Management Information Bases MIBs to manage the device configuration and monitor Internet devices in potentially remote locations MIB information accessed via...

Page 118: ...tion apWlanSecPolicyTable MU ACL Configuration apWlanMuAclPolicyTable QOS Configuration apWlanQosPolicyTable Radio Configuration apRadio Bandwidth Management apWlanRateLimit SNMP Trap Selection apTrapCtrl SNMP RF Trap Thresholds apTrapCtrlEnableTable MU Authentication Stats apnStats Feature MIB Reference Subnet Configuration ccSubnet DHCP Server Configuration ccSubnetDhcpServer WAN IP Configuratio...

Page 119: ...unctions as a command responder and is a multilingual agent responding to SNMP v3 managers command generators The factory default configuration maintains SNMP v3 support of the community names hence providing backward compatibility Firewall Configuration ccWanFirewall Router Configuration ccRouter System Settings ccAdmin NTP Server Configuration ccNtp Logging Configuration ccLogging Firmware Updat...

Page 120: ...ved security SNMP v3 encrypts transmissions and provides authentication for users generating requests To configure SNMP v3 user definitions for the access point 1 Select System Configuration SNMP Access from the access point menu tree 2 Configure the SNMP v3 User Definitions field if SNMP v3 is used to add and configure SNMP v3 user definitions SNMP v3 user definitions allow read only or read writ...

Page 121: ...u to specify SHA1 as the authentication algorithm Use the Privacy Algorithm drop down menu to define an algorithm of AES 128bit When entering the same username on the SNMP Traps and SNMP Access screens the password entered on the SNMP Traps page overwrites the password entered on the SNMP Access page To avoid this problem enter the same password on both pages Access Use the Access pull down list t...

Page 122: ...nfiguration 7 Click Logout to securely exit the access point Access Point applet A prompt displays confirming the logout before the applet is closed For additional SNMP configuration information see Configuring SNMP Access Control Enabling SNMP Traps Configuring Specific SNMP Traps Configuring SNMP RF Trap Thresholds SNMP v3 Engine ID The access point SNMP v3 Engine ID field lists the unique SNMP ...

Page 123: ...L to limit by Internet Protocol IP address who can access the access point SNMP interface To configure SNMP user access control for the access point 1 Select System Configuration SNMP Access from the access point menu tree Click on the SNMP Access Control button from within the SNMP Access screen 2 Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP acces...

Page 124: ...IP and End IP addresses numerical addresses only no DNS names supported to specify a range of user that can access the access point SNMP interface An SNMP capable client can be set up whereby only the administrator for example can use a read write community definition Use just the Starting IP Address column to specify a SNMP user Use both the Starting IP Address and Ending IP Address columns to sp...

Page 125: ...een properly configured to protect communications with the external SNMP server Changes will not be applied otherwise Add Click Add to create a new SNMP v3 Trap Configuration entry Delete Select Delete to remove an entry for an SNMP v3 user Destination IP Specify a numerical non DNS name destination IP address for receiving the traps sent by the access point SNMP agent Port Specify a destination U...

Page 126: ...urations for both SNMP v3 To configure specific SNMP traps on the access point 1 Select System Configuration SNMP Access SNMP Traps from the menu tree Username Enter a username specific to the SNMP capable client receiving the traps Security Level Use the Security Level drop down menu to specify security level as AuthPriv authorization with privacy The AuthPriv setting requires login authorization...

Page 127: ... Generates a trap when an MU becomes unassociated with or gets dropped from one of the access point s WLANs MU denied association Generates a trap when an MU is denied association to a access point WLAN Can be caused when the maximum number of MUs for a WLAN is exceeded or when an MU violates the access point s Access Control List ACL MU denied authentication Generates a trap when an MU is denied ...

Page 128: ...ata This can result from an incorrect login or missing incorrect user credentials SNMP ACL violation Generates a trap when an SNMP client cannot access SNMP management functions or data due to an Access Control List ACL violation This can result from a missing incorrect IP address entered within the SNMP Access Control screen Physical port status change Generates a trap whenever the status changes...

Page 129: ...ld of the SNMP RF Traps screen Thresholds are displayed for the access point WLAN selected radio and the associated MU To configure specific SNMP RF Traps on the access point 1 Select System Configuration SNMP Access SNMP RF Trap Thresholds from the menu tree System Cold Start Generates a trap when the access point re initializes while transmitting possibly altering the SNMP agent s configuration ...

Page 130: ...ternal SNMP server Changes will not be applied otherwise NOTE Average Bit Speed of Non Unicast Average Signal Average Retries Dropped and Undecryptable are not access point statistics Pkts s Enter a maximum threshold for the total throughput in Pps Packets per second Throughput Set a maximum threshold for the total throughput in Mbps Megabits per second Average Bit Speed Enter a minimum threshold ...

Page 131: ...ck with a master clock an NTP server For example the access point resets its clock to 07 04 59 upon reading a time of 07 04 59 from its designated NTP server Average Signal Enter a minimum threshold for the average signal strength in dBm for each device Average Retries Set a maximum threshold for the average number of retries for each device Dropped Enter a maximum threshold for the total percenta...

Page 132: ...rver is defined to provide the access point the correct time or the correct time is manually set the access point displays 1970 01 01 00 00 00 as the default time CAUTION If using the RADIUS time based authentication feature to authenticate access point user permissions ensure UTC has been selected from the Date and Time Settings screen s Time Zone field If UTC is not selected time based authentic...

Page 133: ...ng 3 Select the Set Date Time button to display the Manual Date Time Setting screen This screen enables the user to manually enter the access point s system time using a Year Month Day HH MM SS format This option is disabled when the Enable NTP checkbox has been selected and therefore should be viewed as a second means to define the access point system time 4 If using the Manual Date Time Setting ...

Page 134: ... selected time based authentication will not work properly For information on configuring RADIUS time based authentication see Defining User Access Permissions by Group on page 6 67 EnableNTPonaccess point Select the Enable NTP on access point checkbox to allow a connection between the access point and one or more specified NTP servers A preferred first alternate and second alternate NTP server ca...

Page 135: ...reen to set the desired logging level standard syslog levels and view or save the current access point system log To configure event logging for the access point 1 Select System Configuration Logging Configuration from the access point menu tree 2 Configure the Log Options field to save event logs set the log level and optionally port the access point s log to an external server CAUTION Ensure IPS...

Page 136: ...des in memory AP memory is completely cleared each time the AP reboots Logging Level Use the Logging Level drop down menu to select the desired log level for tracking system events Eight logging levels 0 to 7 are available Log Level 6 Info is the access point default log level These are the standard UNIX LINUX syslog levels The levels are as follows 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warnin...

Page 137: ...ture to speed up the setup process significantly at sites using multiple access points Another benefit is the opportunity to save the current AP configuration before making significant changes or restoring the default configuration All options on the access point are deleted and updated by the imported file Therefore the imported configuration is not a merge with the configuration of the target ac...

Page 138: ...ion Config Import Export from the access point menu tree 2 Execute the command transfer_keys_cfg from Console SSH before importing exporting the configuration Refer the command AP7131N admin system config transfer_keys_cfg on page 8 260 NOTE When modifying the text file manually and spaces are used for wireless security MU policy names etc ensure you use 20 between the spaces For example Second 20...

Page 139: ...ines the optional path name used to import export the target configuration file Username Specify a username to be used when logging in to the SFTP Server Import Configuration Click the Import Configuration button to import the configuration file from the server with the assigned filename and login information The system displays a confirmation window indicating the administrator must log out of th...

Page 140: ...formation is only exported when the This interface is a DHCP Client checkbox is not selected For more information on these settings see Configuring the LAN Interface on page 5 1 and Configuring WAN Settings on page 5 16 The system displays a confirmation window prompting the administrator to log out of the access point after the operation completes for the changes to take effect Click Yes to conti...

Page 141: ...rt their 1 0 configuration for backup purposes prior to upgrading When downloading to a lower firmware version all configuration settings are lost and the access point returns to factory default settings of the lower version If a firmware update is required use the Firmware Update screen to specify a filename and define a file location for updating the firmware CAUTION An AP 7131N FGR model access...

Page 142: ... for instructions on exporting the access point s current configuration to have it available after the firmware is updated 2 Select System Configuration Firmware Update from the access point menu tree Execute the command transfer_keys_fw from Console SSH before upgrading the image from GUI Refer AP7131N admin system fw update transfer_keys_fw on page 8 264 NOTE The firmware file must be available ...

Page 143: ...te path for the file within the Filepath optional field 5 Enter an IP address for the SFTP server used for the update Only numerical IP address names are supported no DNS can be used 6 Set the username for the SFTP server login 7 Click the Perform Update button to initiate the update Upon confirming the firmware update the AP reboots and completes the update NOTE Click Apply to save the settings b...

Page 144: ...ity Parameters CSP by overwriting the storage area three times with an alternating pattern i e three different patterns Key zeroisation can be invoked in following ways Hard reset via AP7131N s reset button When the AP7131N boots up you will be prompted with a message Press AP reset buton to perform key zeroization default the config as well Through a CLI command Through a GUI button Once Zeroisat...

Page 145: ...EAP primary password EAP secondary password RADIUS accounting password RADIUS shared password 2 Zeroise RADIUS variables using three patterns RADIUS related local and global variables 3 Zeroise DynDNS password using three patterns DynDNS password 4 Zeroise AP Firmware Image Signing Keys using three patterns AP Firmware Image Signing Keys 40 Digit Image Verification Keys 5 Zeroise VPN IPsec related...

Page 146: ... files Admin password RADIUS client configuration file EAP configuration file RADIUS CA certificate RADIUS client certificate RADIUS client password file HTTPS certificate Image Verification Keys file 8 Restore factory default configuration Restore factory default configuration 9 Reboot the AP Reboot the AP ...

Page 147: ... LANs WLANs Configuring Router Settings Configuring IP Filtering 5 1 Configuring the LAN Interface The AP 7131N FGR has one physical LAN port supporting two unique LAN interfaces The AP 7131N FGR LAN port has its own MAC address The LAN port MAC address is always the value of the access point WAN port MAC address plus 1 The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats...

Page 148: ...sign them names define which LAN is currently active on the access point Ethernet port and assign a timeout value to disable the LAN connection if no data traffic is detected within a defined interval To configure the access point LAN interface 1 Select Network Configuration LAN from the access point menu tree 2 Configure the LAN Settings field to enable the access point LAN1 and or LAN2 interface...

Page 149: ...led by default LAN Name Use the LAN Name field to modify the existing LAN name LAN1 and LAN2 are the default names assigned to the LANs until modified by the user Ethernet Port The Ethernet Port radio buttons allow you to select one of the two available LANs as the LAN actively transmitting over the access point s LAN port Both LANs can be active at any given time but only one can transmit over th...

Page 150: ...r basis Selecting Auto Negotiate disables the Mbps and duplex checkbox options 1000 Mbps Select this option to establish a 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the access point s LAN port This option is not available if Auto Negotiation is selected 100 Mbps Select this option to establish a 100 Mbps data transfer rate for the selected half dupl...

Page 151: ...point An administrator can map 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment VLANs enable organizations to share network resources in various network segments within large areas airports shopping malls etc A VLAN is a group of clients with a common set of requirements independent of their physical location VLANs have the same attributes as physical LANs but they enable system ...

Page 152: ... VLAN is assigned to it If it is not in the database it simply uses a default VLAN assignment The VLAN assignment is sent to the access point The access point then maps the target WLAN for the assigned VLAN and traffic passes normally allowing for the completion of the DHCP request and further traffic To create new VLANs or edit the properties of an existing VLAN 1 Select Network Configuration LAN...

Page 153: ...dit the properties of an existing VLAN click the Edit button 4 Assign a unique VLAN ID from 1 to 4095 to each VLAN added or modified The VLAN ID associates a frame with a specific VLAN and provides the information the access point needs to process the frame across the network Therefore it may be practical to assign a name to a VLAN representative or the area or type of network traffic it represent...

Page 154: ...stination these tags help distinguish data traffic Authentication servers such as Radius must be on the same Management VLAN Additionally DHCP and BOOTP servers must be on the same Management VLAN as well 9 Define a Native VLAN Tag for LAN1 and LAN2 A trunk port configured with 802 1Q tagging can receive both tagged and untagged traffic By default the access point forwards untagged traffic with th...

Page 155: ... settings for that LAN For more information see Configuring Advanced DHCP Server Settings on page 5 13 Additionally LAN1 and LAN2 each have separate Type Filter submenu items used to prevent specific an potentially unneccesary frames from being processed for more information see Setting the Type Filter Configuration on page 5 14 To configure unique settings for either LAN1 or LAN2 1 Select Network...

Page 156: ...a protocol that includes mechanisms for IP address allocation and delivery of host specific configuration parameters from a DHCP server to a host If DHCP Client is selected the first DHCP or BOOTP server to respond sets the IP address and network address values since DHCP and BOOTP are interoperable This interface is a BOOTP Client Select this button to enable BOOTP to set access point network add...

Page 157: ...Network Mask The first two sets of numbers specify the network domain the next set specifies the subset of hosts within a larger network These values help divide a network into subnetworks and simplify routing and data transmission The subnet mask defines the size of the subnet Default Gateway The Default Gateway parameter defines the numerical non DNS name IP address of a router the access point ...

Page 158: ...twork maintains hello forward delay and max age timers These settings can be used as is using the current default settings or be modified However if these settings are modified they need to be configured for the LAN connecting to the mesh network WLAN For information on mesh networking capabilities see Configuring Mesh Networking on page 9 1 If new to mesh networking and in need of an overview see...

Page 159: ...long as it remains in active use The lease time is the number of seconds an IP address is reserved for re connection after its last use Using very short leases DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses This is useful for example in education and customer environments where MU users change frequently Use longer leases if there are fewer ...

Page 160: ...he updated settings within the Advanced DHCP Server screen can be saved by clicking the Apply button 7 Click Cancel to undo any changes made Undo Changes reverts the settings displayed to the last saved configuration 5 1 2 2 Setting the Type Filter Configuration Each access point LAN either LAN1 or LAN2 can keep a list of frame types that it forwards or discards The Type Filtering feature prevents...

Page 161: ... designate whether the Ethernet Types defined for the LAN are allowed or denied for use by the access point 3 To add an Ethernet type click the Add button The Add Ethernet Type screen displays Use this screen to add one type filter option at a time for a list of up to 16 entries ...

Page 162: ...ply results in all changes to the screens being lost 6 Click Cancel to securely exit the LAN1 or LAN2 Ethernet Type Filter Configuration screen without saving your changes 7 Click Logout to securely exit the Access Point applet A prompt displays confirming the logout before the applet is closed 5 2 Configuring WAN Settings A Wide Area Network WAN is a widely dispersed telecommunications network Th...

Page 163: ...onfigured as DHCP clients Enable WAN Interface Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port Disable this option to effectively isolate the access point s WAN No connections to a larger network or the Internet are possible MUs cannot communicate beyond the LAN By default the WAN port is static wit...

Page 164: ...strator An IP address uses a series of four numbers expressed in dot notation for example 190 188 12 1 Subnet Mask Specify a subnet mask for the access point s WAN connection This number is available from the ISP for a DSL or cable modem connection or from an administrator if the access point connects to a larger network A subnet mask uses a series of four numbers expressed in dot notation similar...

Page 165: ...ation displayed within the WAN IP Configuration field Auto Negotiation Select the Auto Negotiation checkbox to enable the access point to automatically exchange information over its WAN port about data transmission speed and duplex capabilities Auto negotiation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis Selecti...

Page 166: ...that the access point can incorrectly carry over previously configured static IP information and maintain two connected routes once it gets an IP address from a PPPOE connection Enable Use the checkbox to enable Point to Point over Ethernet PPPoE for a high speed connection that supports this protocol Most DSL providers are currently using or deploying this protocol PPPoE is a data link protocol f...

Page 167: ...fter outbound and inbound traffic is not detected The Idle Time field is grayed out if Keep Alive is enabled Authentication Type Use the Authentication Type menu to specify the authentication protocol s for the WAN connection Choices include PAP or CHAP PAP or CHAP Password Authentication Protocol PAP and Challenge Handshake Authentication Protocol CHAP are competing identify verification methods ...

Page 168: ...ble range of private side IP addresses Ranges can be specified from each of the private side subnets To configure IP address mappings for the access point 1 Select Network Configuration WAN NAT from the access point menu tree 2 Configure the Address Mappings field to generate a WAN IP address define the NAT type and set outbound inbound NAT mappings WAN IP Address The WAN IP addresses on the NAT s...

Page 169: ...ny from the NAT Type drop down menu 3 Click on the Port Forwarding button within the Inbound Mappings area Outbound Mappings When 1 to 1 NAT is selected a single IP address can be entered in the Outbound Mappings area This address provides a 1 to 1 mapping of the WAN IP address to the specified IP address When 1 to Many is selected as the NAT Type the Outbound Mappings area displays a 1 to Many Ma...

Page 170: ...eing forwarded The name can be any alphanumeric string and is used for identification of the service Transport Use the Transport pull down menu to specify the transport protocol used in this service The choices are ALL TCP UDP ICMP AH ESP and GRE Start Port and End Port Enter the port or ports used by the port forwarding service To specify a single port enter the port number in the Start Port area...

Page 171: ...cess point 1 Select Network Configuration WAN DynDNS from the access point menu tree 2 Select the Enable checkbox to allow domain name information to be updated when the IP address associated with that domain changes A username password and hostname must be specified for domain name information to be updated IP Address Enter the numerical non DNS name IP address to which the specified service is f...

Page 172: ... displayed on the screen to the last saved configuration 5 3 Enabling Wireless LANs WLANs A Wireless Local Area Network WLAN is a data communications system that flexibly extends the functionalities of a wired LAN A WLAN does not require lining up devices for line of sight transmission and are thus desirable Within the WLAN roaming users can be handed off from one access point to another like a ce...

Page 173: ...on VLAN ID and security policy of existing WLANs WLAN Name The Name field displays the name of each WLAN that has been defined The WLAN names can be modified within individual WLAN configuration screens See Creating Editing Individual WLANs on page 5 29 to change the name of a WLAN ESSID Displays the Extended Services Set Identification ESSID associated with each WLAN The ESSID can be modified wit...

Page 174: ... 6 Click Logout to securely exit the Access Point applet A prompt displays confirming the logout before the applet is closed Radio The Radio field displays the name of the access point radio the WLAN is mapped to either the 802 11a n radio or the 802 11b g n radio To change the radio designation for a specific WLAN see Creating Editing Individual WLANs on page 5 29 VLAN The VLAN field displays the...

Page 175: ... properties of an existing WLAN 1 Select Network Configuration Wireless from the access point menu tree The Wireless Configuration screen displays 2 Click the Create button to configure a new WLAN or highlight a WLAN and click the Edit button to modify an existing WLAN Either the New WLAN or Edit WLAN screen displays NOTE Before editing the properties of an existing WLAN ensure it is not being use...

Page 176: ...arameters in the Configuration field as required for the WLAN CAUTION When using the access point s hotspot functionality ensure MUs are re authenticated when changes are made to the characteristics of a hotspot enabled WLAN as MUs within the WLAN will be dropped from device association ...

Page 177: ...o be configured as a base bridge or repeater base and client bridge on the radio If the radio for the WLAN is to be defined as a client bridge only the Available On checkbox should not be selected For more information on defining a WLAN for mesh support see Configuring a WLAN for Mesh Networking Support on page 9 9 Max MUs Use the Max MUs field to define the number of MUs permitted to interoperate...

Page 178: ... Hotspot button launches a screen wherein the parameters of the hotspot can be defined For information on configuring a target WLAN for hotspot support see Configuring WLAN Hotspot Support on page 5 45 For an overview of what a hotspot is and what it can provide your wireless network see Hotspot Support on page 1 20 CAUTION A WLAN cannot be enabled for both mesh and hotspot support at the same tim...

Page 179: ...rently using Sites with heightened security requirements may want to leave the checkbox unselected and configure each MU with an ESSID The default is selected enable Rate Limiting Select this checkbox to set MU rate limiting values for this WLAN in both the upstream and downstream direction Once selected two fields display enabling you to set MU radio bandwidth for each associated MU in both the w...

Page 180: ...o any WLAN A security policy can be used by more than one WLAN if its logical to do so For example there may be two or more WLANs within close proximity of each other requiring the same data protection scheme To create a new security policy or modify an existing policy 1 Select Network Configuration Wireless Security from the access point menu tree The Security Configuration screen appears with ex...

Page 181: ...ccess points and how to configure them see to Configuring Security Options on page 6 2 2 Click Logout to exit the Security Configuration screen 5 3 1 2 Configuring a WLAN Access Control List ACL An Access Control List ACL affords a system administrator the ability to grant or restrict MU access by specifying a MU MAC address or range of MAC addresses to either include or exclude from access NOTE W...

Page 182: ...ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name policies after specific WLANs as individual ACL policies can be used by more than one WLAN For detailed information on assigning ACL policies to specific WLANs see Creating Editing Individual WLANs on page 5 29 To create or edit ACL policies for WLANs 1 Select Network Configuration Wireless...

Page 183: ... Management 5 37 2 Click the Create button to configure a new ACL policy or select a policy and click the Edit button to modify an existing ACL policy The access point supports a maximum of 16 MU ACL policies ...

Page 184: ...within the Mobile Unit Access Control List field to allow or deny MU access to the access point The MU adoption list identifies MUs by their MAC address The MAC address is the MU s unique Media Access Control number printed on the device for example 00 09 5B 45 9B 07 by the manufacturer A maximum of 200 MU MAC addresses can be added to the New Edit MU ACL Policy screen Access for the listed Mobile...

Page 185: ...S policies for advanced network traffic management and multimedia applications support If the existing QoS policies are insufficient a new policy can be created or an existing policy can be modified using the New QoS Policy or Edit QoS Policy screens Once new policies are defined they are available for use within the New WLAN or Edit WLAN screens to assign to specific WLANs based on MU interoperab...

Page 186: ...icy or select a policy and click the Edit button to modify an existing QoS policy The access point supports a maximum of 16 QoS policies NOTE When the access point is first launched a single QoS policy default is available and mapped to WLAN 1 It is anticipated additional QoS policies will be created as the list of WLANs grows ...

Page 187: ...ertain products may not receive priority over other voice or data traffic Consequently ensure the Support Voice Prioritization checkbox is selected if using products that do not support Wi Fi Multimedia WMM to provide preferred queuing for these VOIP products If the Support Voice Prioritization checkbox is selected the access point will detect non WMM capable legacy phones that connect to the acce...

Page 188: ...cess Categories for the radio traffic within this WLAN Only advanced users should manually configure the Access Categories as setting them inappropriately could negatively impact the access point s performance 11n wifi Use this setting for high end multimedia devices that using the high rate 802 11n radio 11b wifi Use this setting for high end devices multimedia devices that use the 802 11b radio ...

Page 189: ...udes music streaming and application traffic requiring priority over all other types of network traffic Voice Voice traffic includes VoIP traffic and typically receives priority over Background and Best Effort traffic CW Min The contention window minimum value is the least amount of time the MU waits before transmitting when there is no other data traffic on the network The longer the interval the...

Page 190: ...proach when a VoIP traffic stream is detected The MU then buffers frames from the voice traffic stream and sends a VoIP frame with an implicit poll request to its associated access point The access point responds to the poll request with buffered VoIP stream frame s When a voice enabled MU wakes up at a designated VoIP frame interval it sends a VoIP frame with an implicit poll request to its assoc...

Page 191: ...pot provider User authentication Authenticates users using a Radius server Walled garden support Enables a list of IP address not domain names accessed without authentication Billing system integration Sends accounting records to a Radius accounting server To configure hotspot functionality for an access point WLAN 1 Ensure the Enable Hotspot checkbox is selected from within the target WLAN screen...

Page 192: ...er to the HTTP Redirection field to specify how the Login Welcome and Fail pages are maintained for this specific WLAN The pages can be hosted locally or remotely Use Default Files Select the Use Default Files checkbox if the login welcome and fail pages reside on the access point ...

Page 193: ...the login welcome and fail pages To create a redirected page you need to have a TCP termination locally On receiving the user credentials from the login page the access point connects to a radius server determines the identity of the connected wireless user and allows the user to access the Internet based on successful authentication NOTE If an external URL is used the external Web pages are requi...

Page 194: ...t s WAN IP address should be entered in the White List Enable Accounting Select the Enable Accounting checkbox to enable a Radius Accounting Server used for Radius authentication for a target hotspot user Server Address Specify an IP address for the external Radius Accounting server used to provide Radius accounting for the hotspot If using this option an internal Radius server cannot be used The ...

Page 195: ...e used for the primary server Pri Server IP Define the IP address of the primary Radius server This is the address of your first choice for Radius server Pri Port Enter the TCP IP port number for the server acting as the primary Radius server The default port is 1812 Pri Secret Enter the shared secret password used with the primary Radius Server Sec Server IP Define the IP address of the secondary...

Page 196: ...sure the Login page is designed so the submit action always posts the login data on the access point To define the White List for a target WLAN 1 Click the White List Entries button from within the WLAN s Hotspot Config screen 2 Click the Add button to define an IP address for an allowed destination IP address 3 Select a White List entry and click the Del button to remove the address from the Whit...

Page 197: ...nect Wireless Sniffing All received frames are reported to the WIPS server This feature provides the WIPS server with visibility into the activity on the wireless network The WIPS server processes the received traffic and provides the IT administrator with useful information about the 802 11 RF activities in the enterprise Spectrum Analysis The data needed to provide the current RF Spectrum is pro...

Page 198: ...y right clicking on the device which automatically limits the data to the specific device your choose The Radio Configuration screen displays with tabs for each access point radio Verify tabs are selected and configured separately to enable the radio s and optionally set their mesh network definitions To set the access point radio configuration 1 Select Network Configuration Wireless Radio Configu...

Page 199: ...presenting the maximum for dual radio models Once the settings within the Radio Configuration screen are applied for an initial deployment the current number of client bridge connections for this specific radio displays NOTE This section describes mesh networking setting the radio s base and client bridge configuration at a high level For a detailed overview on the theory of mesh networking see Me...

Page 200: ...isting radio within a mesh network these values update in real time 6 Click the Advanced button to define a prioritized list of access points to define Mesh Connection links For a detailed overview on mesh networking and how to configure the radio for mesh networking support see Configuring Mesh Networking Support on page 9 7 7 With dual radio model AP 7131N FGR access points refer to the Mesh Tim...

Page 201: ...oon as the first mesh connection is established However if the client bridge radio loses its uplink connection the second radio shuts down immediately Uplink detect is the recommended setting within a multi hop mesh network Enabled If the mesh connection is down on one radio radio 1 the other radio radio 2 is brought down and stops beaconing after the timeout period 45 65535 seconds This allows th...

Page 202: ... as a sub menu item under the Radio Configuration menu item Use the radio configuration screen to set the radio s placement properties define the radio s threshold and QoS settings set the radio s channel and antenna settings and define beacon and DTIM intervals To configure the access point s 802 11a n or 802 11b g n radio 1 Select Network Configuration Wireless Radio Configuration Radio1 default...

Page 203: ... hardware encoded Media Access Control MAC or IEEE address MAC addresses determine the device sending or receiving data A MAC address is a 48 bit number written as six hexadecimal bytes separated by colons For example 00 A0 F8 24 9A C8 For additional information on access point MAC address assignments see MAC Address Assignment on page 1 29 Radio Type The Radio Type parameter simply displays the r...

Page 204: ...d exclusively for 802 11b legacy clients or transmits in the 2 4 Ghz band for 802 11g n clients Selecting b and g enables the access point to transmit to both b and g clients if legacy clients 802 11b partially comprise the network Select accordingly based on the MU requirements of the network The rates for the access point s 2 4 GHz radio are as follows B G and N Allows only basic rates default s...

Page 205: ...llowing channel selection options exist User Selected This is the default setting If 20 40 MHz is selected as the Channel Width supporting 11n the Secondary Channel drop down menu becomes enabled The user must define the primary channel first Then depending on the primary channel defined the secondary channel list is filled with channels making the combination of primary and secondary channels val...

Page 206: ...tes as needed for additional supported rates Enable the Support Short Guard Interval checkbox to set a guard interval for interference protection for 20 MHz and 40 MHz channel widths When enabled the AP s radio defines values to enable a packet to be transmitted with guard interval based on the configuration and capabilities of associated clients Clients can associate to an access point regardless...

Page 207: ...Network Management 5 61 4 Configure the Performance field to set the preamble thresholds values and QoS values for the radio ...

Page 208: ... RF QOS screen to set QoS parameters for the radio Do not confuse with the QoS configuration screen used for a WLAN The Set RF QoS screen initially appears with default values displayed Select manual from the Select Parameter set drop down menu to edit the CW min and CW max contention window AIFSN Arbitrary Inter Frame Space Number and TXOPs Time for each Access Category These are the QoS policies...

Page 209: ... transmitted by the access point Select the Enable Transmit A MPDU checkbox within the A MPDU Aggregation field to allow the aggregation of MAC Protocol frames When enabled long frames can be both sent and received up to 64 KB When enabled define an A MPDU Transmit Size Limit default is 2 bytes A MPDU Receive Size Limit default is 65535 bytes and an A MPDU Minimum Spacing Time default is 0 usec Se...

Page 210: ...d increase power savings The default is 100 Avoid changing this parameter as it can adversely affect performance DTIM Interval The DTIM interval defines how often broadcast frames are delivered for each of the four access point BSSIDs If a system has an abundance of broadcast traffic and it needs to be delivered quickly Motorola recommends decreasing the DTIM interval for that specific BSSID Howev...

Page 211: ...rimary WLANs can Enable QBSS load element When enabled the access point communicates channel usage data to associated devices using an interval you define The QBSS load represents the percentage of time the channel is in use by the access point and the access point s MU count This information is helpful in assessing the access point s overall load on a channel its availability for additional devic...

Page 212: ...n changes to the screens being lost 10 Click Undo Changes if necessary to undo any changes made to the screen and its sub screens Undo Changes reverts the settings to the last saved configuration NOTE When using a AP 7131N FGR dual radio access point 4 BSSIDs for the 802 11b g n radio and 4 BSSIDs for the 802 11a n radio are available WLAN Lists the WLAN names available to the 802 11a n or 802 11b...

Page 213: ...allotted to individual WLANs MU rate limiting enables an administrator to determine how much radio bandwidth is allowed to each MU within any one of the 16 supported AP WLANs To define MU rate limits for specific WLANs on an access point radio 1 Select Network Configuration Wireless Rate Limit from the access point menu tree 2 Select the enable Rate Limiting option to globally enable MU rate limit...

Page 214: ...reverts the settings displayed on the Bandwidth Management screen to the last saved configuration 6 Click Logout to securely exit the Access Point applet A prompt displays confirming the logout before the applet is closed 5 4 Configuring Router Settings The access point router uses routing tables and protocols to forward data packets from one network to another The access point router manages traf...

Page 215: ...network mask and gateway settings are those belonging to each subnet Displayed interfaces are those associated with destination IP addresses To change any of the network address information within the WAN screen see Configuring WAN Settings on page 5 16 3 From the Use Default Gateway drop down menu select the WAN or either of the two LANs if enabled to server as the default gateway to forward data...

Page 216: ...ick the Add button to create a new table entry b Highlight an entry and click the Del delete button to remove an entry c Specify the destination IP address subnet mask and gateway information for the internal static route d Select an enabled subnet from the Interface s column s drop down menu to complete the table entry Information in the Metric column is a user defined value from 1 to 65535 used ...

Page 217: ...vate LAN RIP v1 RIP version 1 is a mature stable and widely supported protocol It is well suited for use in stub networks and in small autonomous systems that do not have enough redundant paths to warrant the overhead of a more sophisticated protocol RIP v2 v1 compat RIP version 2 compatible with version 1 is an extension of RIP v1 s capabilities but it is still compatible with RIP version 1 RIP v...

Page 218: ... of compromises to the LAN or LAN firewall Select Yes to acknowledge the risk and continue or No to return to the Router screen None This option disables the RIP authentication Simple This option enable RIP version 2 s simple authentication mechanism This setting activates the Password Simple Authentication field MD5 This option enables the MD5 algorithm for data verification MD5 takes as input a ...

Page 219: ...ring rules can be enforced on the access point s LAN1 or LAN2 interfaces and within any of the 16 access point WLANs An additional default action is also available denying traffic when filter rules fail Lastly imported and exported configurations retain their defined IP filtering configurations IP filtering is a network layer facility The IP filtering mechanism does not know anything about the app...

Page 220: ... you create a filter policy apply it to an interface in either an incoming or outgoing direction Traffic entering the access point s LAN1 LAN2 or WLAN 1 16 from a client is classified as Incoming traffic Traffic leaving the access point s LAN1 LAN2 or WLAN 1 16 in route to a client is classified as Outgoing traffic To filter packets to better segregate desired versus undesired data traffic 1 Selec...

Page 221: ...wed or denied permission to the target LAN1 LAN2 or WLAN Port End Defines the socket number or port number representing the ending protocol port range either allowed or denied permission to the target LAN1 LAN2 or WLAN Src Start Creates a range beginning source IP address to be either allowed or denied IP packet forwarding The source address is where the packet originated Setting the Src End value...

Page 222: ...om the LAN1 or LAN2 screen a Select Network Configuration LAN LAN1 or LAN2 from the access point menu tree b Select the Enable IP Filtering button in the lower right hand side of the screen c Select the IP Filtering button From the Wireless screen a Select Network Configuration Wireless from the access point menu tree b Click the Create button to apply the filter to a new WLAN or highlight an exis...

Page 223: ...recedence 2 Use the Filter name drop menu to select an existing filter 3 Set the Direction as Incoming or Outgoing as required 4 Apply an Action of Allow or Deny to permit or restrict the rules of this filter in the direction selected 5 Select Add to apply the filter s and their rules and permissions to the LAN or WLAN 6 Click Insert to insert the filter s to the LAN or WLAN 7 Click OK add the IP ...

Page 224: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 5 78 ...

Page 225: ...ccess point Sixteen separate ESSIDs WLANs can be supported on an access point and must be managed if necessary between the 802 11a n and 802 11b g n radio The user has the capability of configuring separate security policies for each WLAN Each security policy can be configured based on the authentication 802 1x EAP or encryption WPA2 CCMP scheme best suited to the coverage area that security polic...

Page 226: ...gs on page 6 13 To create VPN tunnels allowing traffic to route securely through a IPSEC tunnel to a private network see Configuring VPN Tunnels on page 6 22 To configure the access point to block transmissions with devices detected as Rogue AP s hostile devices see Configuring Rogue AP Detection on page 6 42 6 2 Setting Passwords Before setting the access point security parameters verify an admin...

Page 227: ... The user is required to know the IP address to connect to the access point using a Web browser The access point Login screen displays 4 Log in using the admin as the default Username and motorola as the default Password If the default login is successful the Change Admin Password window displays Change the default login and password to significantly decrease the likelihood of hacking NOTE For opt...

Page 228: ...AN side of the access point the WLAN side of the access point supports authentication and encryption schemes Authentication is a challenge response procedure for validating user credentials such as username password and sometimes secret key information Encryption applies a specific algorithm to alter its appearance and prevent unauthorized reading Decryption applies the algorithm in reverse to res...

Page 229: ...n type selected 4 Enable and configure an Authentication option if necessary for the target security policy 5 Enable and configure an Encryption option if necessary for the target security policy CAUTION Mesh configurations do not support mismatched security policies when operating using a mixed mode scheme Ensure the encryptions and authentication schemes used by APs in a mesh network are complim...

Page 230: ...t device tries to connect with an authenticator in this case the authentication server The access point passes EAP packets from the client to an authentication server on the wired side of the access point All other packet types are blocked until the authentication server typically a Radius server verifies the MU s identity To configure 802 1x EAP authentication on the access point 1 Select Network...

Page 231: ... Name of the security policy entered suits the intended configuration or function of the policy 5 If using the access point s Internal Radius server leave the Radius Server drop down menu in the default setting of Internal If an external Radius server is used select External from the drop down menu CAUTION When using external radius authentication with admin users when the connectivity to the Radi...

Page 232: ... Radius server is listening Optionally specify the port of a secondary failover server Older Radius servers listen on ports 1645 and 1646 Newer servers listen on ports 1812 and 1813 Port 1645 or 1812 is used for authentication Port 1646 or 1813 is used for accounting The ISP or a network administrator needs to confirm the appropriate primary and secondary port numbers for authentication This setti...

Page 233: ... the authentication session The default is 2 retries Enable Syslog Select the Enable Syslog checkbox to enable Radius accounting syslog messages relating to EAP events to be written to the specified syslog server Syslog Server IP Address Enter the IP address of the destination syslog server to be used to log EAP events Enable Reauthentication Select the Enable Reauthentication checkbox to configur...

Page 234: ...t Period 1 65535 secs Specify an idle time in seconds between MU authentication attempts as required by the authentication server The default is 10 seconds MU Timeout 1 255 secs Define the time in seconds for the access point s retransmission of EAP Request packets The default is 10 seconds MU Tx Period 1 65635 secs Specify the time period in seconds for the access point s retransmission of the EA...

Page 235: ...block of data The end result is an encryption scheme as secure as any the access point provides To configure WPA2 CCMP on the AP 7131N FGR 1 Select Network Configuration Wireless Security from the access point menu tree If security policies supporting WPA2 CCMP exist they appear within the Security Configuration screen These existing policies can be used as is or their properties edited by clickin...

Page 236: ...ternatively rotated on every interval specified in the Broadcast Key Rotation Interval Enabling broadcast key rotation enhances the broadcast traffic security on the WLAN This value is disabled by default Update broadcast keysevery 30 604800 seconds Specify a time period in seconds to rotate the key index used for the broadcast key Set the interval to a shorter duration like 3600 seconds for tight...

Page 237: ...ms located in the gateway on the WAN side of the access point The firewall uses a collection of filters to screen information packets for known types of system attacks Some of the access point s filters are continuously enabled others are configurable 256 bit Key To use a hexadecimal value and not an ASCII passphrase select the checkbox and enter 16 hexadecimal characters into each of the four fie...

Page 238: ...and data encryption parameters To configure the access point firewall settings 1 Select Network Configuration Firewall from the access point menu tree 2 Refer to the Timeout Configuration field to define a timeout interval to terminate IP address translations NAT Timeout Network Address Translation NAT converts an IP address in one network to a different IP address or set of IP addresses in a diff...

Page 239: ...loiting the use of an intermediate host to gain access to a private host Winnuke Attack Check A Win nuking attack uses the IP address of a destination host to send junk packets to its receiving port FTP Bounce Attack Check An FTP bounce attack uses the PORT command in FTP mode to gain access to arbitrary ports on machines other than the originating client IP Unaligned Timestamp Check An IP unalign...

Page 240: ...on Firewall Subnet Access from the access point menu tree 2 Refer to the Overview field to view rectangles representing subnet associations The three possible colors indicate the current access level as defined for each subnet association Color Access Type Description Green Full Access No protocol exceptions rules are specified All traffic may pass between these two areas Yellow Limited Access One...

Page 241: ...settings displayed on the Subnet Access screen to the last saved configuration 5 Click Logout to securely exit the Access Point applet A prompt displays confirming the logout before the applet is closed 6 6 1 1 Available Protocols Protocols that are not pre configured can be specified using the drop down list within the Transport column within the Subnet Access and Advanced Subnet Access screens T...

Page 242: ...etween two end points Also AH can be used in tunnel mode providing security like that of a Virtual Private Network VPN ESP Encapsulating Security Protocol is one of two key components of IP Security Protocol IPsec The other key component is Authentication Header AH ESP encrypts the packets and provides authentication services ESP can be used in transport mode providing security between two end poi...

Page 243: ...bnet access rules port forwarding and 1 to many mappings from the system Only enable advanced subnet access rules if your configuration requires rules that cannot be configured within the Subnet Access screen Import rules from Subnet Access Select this checkbox to import existing access ruls NAT packet forwarding VPN rules etc into the Firewall Rules field This rule import overrides any existing r...

Page 244: ...ton to insert a new rule at the bottom of the table Click on a row to display a new window with configuration options for that field Insert Click the Insert button to insert a new rule directly above a selected rule in the table Clicking on a field in the row displays a new window with configuration options Del Delete Click Del to remove the selected rule from the table The index numbers for all t...

Page 245: ...ress or address range for the firewall rule To configure the Source IP range click on the field A new window displays for entering the IP address and range Destination IP The Destination IP range determines the target address or address range for the firewall rule To configure the Destination IP range click on the field A new window displays for entering the IP address and range Transport Select a...

Page 246: ...rough an IPSec tunnel to a private network A VPN port is a virtual port which handles tunneled traffic When connecting to another site using a VPN the traffic is encrypted so if anyone intercepts the traffic they cannot see what it is unless they can break the encryption The traffic is encrypted from your computer through the network to the VPN At that point the traffic is decrypted Use the VPN sc...

Page 247: ...onfigure a specific tunnel select it from the list and use the parameters within the VPN Tunnel Config field to set its properties Del Click Del to delete a highlighted VPN tunnel There is no confirmation before deleting the tunnel Tunnel Name The Tunnel Name column lists the name of each VPN tunnel on the access point Remote Subnet The Remote Subnet column lists the remote subnet for each tunnel ...

Page 248: ... Type column lists the key exchange type for passing keys between both ends of a VPN tunnel If Manual Key Exchange is selected this column displays Manual If Auto IKE Key Exchange is selected the field displays Automatic NOTE When creating a tunnel the remote subnet and remote subnet mask must be that of the target device s LAN settings The remote gateway must be that of the target device s WAN IP...

Page 249: ...hange Selecting Manual Key Exchange requires you to manually enter keys for AH and or ESP encryption and authentication Click the Manual Key Settings button to configure the settings Manual Key Settings Select Manual Key Exchange and click the Manual Key Settings button to open a screen where AH authentication and ESP encryption authentication can be configured and keys entered For more informatio...

Page 250: ... describes how to define a simple configuration using two access points to create an IPSec tunnel To create a IPSec VPN tunnel between two access points 1 Ensure the WAN ports are connected via the internet 2 Select Network Configuration WAN VPN from the access point menu tree 3 Enter any tunnel name tunnel names do not need to match 4 Enter the WAN port IP address of AP 1 in the Local WAN IP fiel...

Page 251: ...red Key PSK 13 Enter the Passphrase Passphrases must match on both VPN devices 14 Select AES 128 bit 15 Select Group 2 16 Click OK This will take you back to the main VPN configuration screen 17 Click Apply to save the updates 18 Select Network Configuration WAN VPN VPN Status from the access point menu tree Check the VPN status on the access point ...

Page 252: ...protect data flow A transform set specifies one or two IPSec security protocols either AH ESP or both and specifies the algorithms to use for the selected security protocol If you specify an ESP protocol in a transform set specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform When the particular transform set is used during negotiations fo...

Page 253: ...bound encryption or authentication keys an error message could display stating the keys provided are weak Some attack tools invoke a dictionary to hack keys based on commonly used words To avoid entering a weak key try to not to produce a key using commonly used terms and attempt to mix alphabetic and numerical key attributes when possible ...

Page 254: ...y check on outbound traffic with the selected authentication algorithm The key must be 32 40 hexadecimal 0 9 A F characters in length The key value must match the corresponding inbound key on the remote security gateway Inbound SPI Hex Enter an up to six character hexadecimal value to identify the inbound security association created by the AH algorithm The value must match the corresponding outbo...

Page 255: ...s include SHA1 Enables Secure Hash Algorithm 1 which requires 160 bit 40 character hexadecimal keys Inbound ESP Authentication Key Define a key for computing the integrity check on the inbound traffic with the selected authentication algorithm The key must be 32 40 hexadecimal 0 9 A F characters in length The key must match the corresponding outbound key on the remote security gateway Outbound ESP...

Page 256: ...y Settings screen select the Manual Key Exchange radio button and set the keys within the Manual Key Setting screen To configure auto key settings for the access point 1 Select Network Configuration WAN VPN from the access point menu tree 2 Refer to the VPN Tunnel Config field select the Auto IKE Key Exchange radio button and click the Auto Key Settings button 3 Configure the Auto Key Settings scr...

Page 257: ...e the drop down menu to select the ESP type ESP Enables ESP for this tunnel ESP with Authentication Enables ESP with authentication ESP Encryption Algorithm Use this menu to select the encryption and authentication algorithms for this VPN tunnel AES 128 bit Selects the Advanced Encryption Standard algorithm with 128 bit No keys are required to be manually provided AES 192 bit Selects the Advanced ...

Page 258: ...automatic means of negotiation and authentication for communication between two or more parties In essence IKE manages IPSec keys automatically for the parties To configure IKE key settings for the access point 1 Select Network Configuration WAN VPN from the access point menu tree 2 Refer to the VPN Tunnel Config field select the Auto IKE Key Exchange radio button and click the IKE Settings button...

Page 259: ... if the remote ID type is the IP address specified as part of the tunnel FQDN Select FQDN if the remote ID type is a fully qualified domain name such as sj motorola com The setting for this field does not have to be fully qualified however it must match the setting for the Certificate Authority UFQDN Select this item if the remote ID type is a user unqualified email address such as johndoe motorol...

Page 260: ...lect the encryption and authentication algorithms for the VPN tunnel from the drop down menu AES 128 bit Uses the Advanced Encryption Standard algorithm with 128 bit No keys are required to be manually provided AES 192 bit Enables the Advanced Encryption Standard algorithm with 192 bit No keys are required to be manually provided AES 256 bit Uses the Advanced Encryption Standard algorithm with 256...

Page 261: ...he access point For information on configuring a tunnel see Configuring VPN Tunnels on page 6 22 Status The Status column lists the status of each configured tunnel When the tunnel is not in use the status reads NOT_ACTIVE When the tunnel is connected the status reads ACTIVE Outb SPI The Outb SPI column displays the outbound Security Parameter Index SPI for each tunnel The SPI is used locally by t...

Page 262: ... defined When the lifetime expires the SA can no longer be used to protect data traffic The maximum SA lifetime is 65535 seconds Tx Bytes The Tx Bytes column lists the amount of data in bytes transmitted through each configured tunnel Rx Bytes The Rx Bytes column lists the amount of data in bytes received through each configured tunnel Tunnel Name Displays the name of each of the tunnels configure...

Page 263: ...stem administrators selective control on the content proliferating the network and is a powerful data and network screening tool Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound requests To configure content filtering for the access point 1 Select Network Configuration WAN Content Filtering from the access point menu tree 2 Configur...

Page 264: ...the access point WAN port HTTP blocks commands on port 80 only The Block Outbound HTTP option allows blocking of the following user selectable outgoing HTTP requests Web Proxy Blocks the use of Web proxies by clients ActiveX Blocks all outgoing ActiveX requests by clients Selecting ActiveX only blocks traffic scripting language with an ocx extension Block Outbound URL Extensions Enter a URL extens...

Page 265: ...ntifies a recipient of mail data DATA Tells the SMTP receiver to treat the following information as mail data from the sender QUIT Tells the receiver to respond with an OK reply and terminate communication with the sender SEND Initiates a mail transaction where mail is sent to one or more remote terminals SAML Send and Mail Initiates a transaction where mail data is sent to one or more local mailb...

Page 266: ...he user defined interval the access point waits to search for rogue APs Additionally the access point does not detect rogue APs on illegal channels channels not allowed by the regulatory requirements of the country the access point is operating in Block Outbound FTP Actions File Transfer Protocol FTP is the Internet standard for host to host mail transport FTP generally operates over TCP port 20 a...

Page 267: ...rogue AP A longer interval will have less of an impact to the MU s but it will increase the amount of time used to detect rogue APs Therefore the interval should be set according to the perceived risk of rogue devices and the criticality of MU performance To configure Rogue AP detection for the access point 1 Select Network Configuration Wireless Rogue AP Detection from the access point menu tree ...

Page 268: ...U or access point and define the 802 11a n or 802 11b g n radio to conduct the rogue AP search CAUTION Users cannot define a rogue detection method when one of the access point radios is functioning as a WIPS sensor To use one of the radios as a detector you must disable WIPS sensor mode first then set a radio for the desired detection method ...

Page 269: ... If the access point is a dual radio model select the RF Scan by Detector Radio checkbox to enable the selected 11a or 11b g radio to scan for rogue APs For example if 11b g is selected the existing 11a radio would act as the detector radio scanning on all 11b g channels while the existing 11b g radio continues to service MUs The assumption is when planning to do an all channel scan on one band th...

Page 270: ...f allowed APs 1 Select Network Configuration Wireless Rogue AP Detection Active APs from the access point menu tree Del Delete Click the Delete button to remove the highlighted line from the Rule Management field The MAC and ESS address information previously defined is no longer applicable unless the previous configuration is restored Delete All Click the Delete All button to remove all entries f...

Page 271: ...he approved AP list permanently 3 Enter a value in minutes in the Rogue APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the rogue AP list and reevaluated A zero 0 for this value default value indicates an AP can remain on the rogue AP list permanently 4 Highlight an AP from within the Rogue APs table and click the Add to Allowed APs List button to...

Page 272: ...ply to save any changes to the Active APs screen Navigating away from the screen without clicking Apply results in all changes to the screen being lost 9 Click Undo Changes if necessary to undo any changes made Undo Changes reverts the settings displayed on the Active APs screen to the last saved configuration 10 Click Logout to securely exit the Access Point applet A prompt displays confirming th...

Page 273: ...d the device should be defined as an allowed AP ESSID Displays the ESSID of the rogue AP This information could be useful if the ESSID is determined to be non hostile and the device should be defined as an allowed AP RSSI Shows the Relative Signal Strength RSSI of the rogue AP Use this information to assess how close the rogue AP is The higher the RSSI the closer the rogue AP If multiple access po...

Page 274: ...rogue detection area can be significantly extended To use associated rogue AP enabled MUs to scan for rogue APs 1 Select Network Configuration Wireless Rogue AP Detection MU Scan from the access point menu tree The On Demand MU Scan screen displays with associated MUs with rogue AP detection enabled Detection Method Displays the RF Scan by MU RF On Channel Detection or RF Scan by Detector Radio me...

Page 275: ...ESSID and RSSI values to determine the device listed in the table is truly a rogue device or one inadvertently detected as a rogue AP 3 If necessary highlight an individual MU from within the Scan Result field and click the Add to Allowed AP List button to move the AP into the Allowed APs table within the Active APs screen 4 Additionally if necessary click the Add All to Allowed APs List button to...

Page 276: ...ernal LDAP Servers AAA Servers to provide user database information and user authentication 6 10 1 Configuring the Radius Server The Radius Server screen enables an administrator to define data sources and specify authentication information for the Radius Server To configure the Radius Server 1 Select System Configuration User Authentication Radius Server from the menu tree CAUTION Ensure IPSec ha...

Page 277: ...source Use the User Database screen to enter the user data For more information see Managing the Local User Database on page 6 61 LDAP If LDAP is selected the switch will use the data in an LDAP server Configure the LDAP server settings on the LDAP screen under Radius Server on the menu tree For more information see Configuring LDAP Authentication on page 6 57 NOTE When using LDAP only PEAP GTC an...

Page 278: ...AP uses a TLS layer on top of EAP as a carrier for other EAP modules PEAP is an ideal choice for networks using legacy EAP authentication methods TTLS Select the TTLS checkbox to enable all three TTLS types MD5 PAP and MSCHAP V2 available to the access point TTLS is similar to EAP TLS but the client authentication portion of the protocol is not performed until after a secure transport tunnel is es...

Page 279: ... is authorized WatchGuard products do not support the PAP protocol because the username and password are sent as clear text that a hacker can read MSCHAP V2 Microsoft CHAP MSCHAP V2 is an encrypted authentication method based on Microsoft s challenge response authentication protocol MD5 This option enables the MD5 algorithm for data verification MD5 takes as input a message of arbitrary length and...

Page 280: ...sing a server certificate signed by a CA import that CA s root certificate using the CA certificates screen for information see Importing a CA Certificate on page 4 18 After a valid CA certificate has been imported it is available from the CA Certificate drop down menu WARNING If you have imported a Server or CA certificate the certificate will not be saved when updating the access point s firmwar...

Page 281: ...ons with the external LDAP server Changes will not be applied otherwise NOTE For the onboard Radius server to work with Windows Active Directory or open LDAP as the database the user has to be present in a group within the organizational unit The same group must be present within the onboard Radius server s database The group configured within the onboard Radius server is used for group policy con...

Page 282: ... the data source for the Radius server The LDAP server must be accessible from the WAN port or from the access point s active subnet Port Enter the TCP IP port number for the LDAP server acting as a data source for the Radius The default port is 389 Login Attribute Specify the login attribute used by the LDAP server for authentication In most cases the default value should work Windows Active Dire...

Page 283: ...ed name used to bind with the LDAP server Password Enter a valid password for the LDAP server The password length must be 8 to 16 characters Base Distinguished Name Enter a name that establishes the base object for the search The base object is the point in the LDAP tree at which to start searching Group Attribute Define the group attribute used by the LDAP server Group Filter Specify the group fi...

Page 284: ...onfiguration field to define the proxy server s retry count and timeout values CAUTION When configuring the credentials of an MU ensure its login or user name is a Fully Qualified Domain Name FQDN or it cannot be authenticated by the access point s proxy server For example ap7131 2kserver FUSCIA com CAUTION Ensure IPSec has been properly configured to protect communications with the external Proxy...

Page 285: ...he Radius server The database of groups is employed if Local is selected as the Data Source from the Radius Server screen For information on selecting Local as the Data Source see Configuring the Radius Server on page 6 52 To add groups to the User database Retry Count Enter a value between 3 and 6 to indicate the number of times the access point attempts to reach a proxy server before giving up T...

Page 286: ...be added and deleted but there is no capability to edit the name of a group 4 Click the List of Groups cell A new screen displays enabling you to associate groups with the user For more information on mapping groups with a user see Mapping Users to Groups on page 6 65 5 Click Apply to save any changes to the Users screen Navigating away from the screen without clicking Apply results in all changes...

Page 287: ...unt 3 To add a new user click the Add button at the bottom of the Management Users Upto 24 users can be added for managing the AP So there can be a total of 25 management users including the default admin user NOTE The default admin user has the following special privileges compared to other management users Add Delete Edit operations are only allowed for default admin user other management users ...

Page 288: ...button A small window displays Enter a new password for the user and click Apply button to save the changes Change Login Password button is available for non default management user accounts only 6 Click Apply to save any changes to the Users screen Navigating away from the screen without clicking Apply results in all changes to the screen being lost ...

Page 289: ...red for inclusion to one some or all of the groups also created within the Users screen To map users to groups for group authentication privileges 1 If you are not already in the Users screen select System Configuration User Authentication User Database from the menu tree Existing users and groups display within their respective fields If user or group requires creation or modification make your c...

Page 290: ...e Add button Assigned users will display within the Assigned table Map one or more groups as needed for group authentication access for this particular user 4 To remove the user from a group select the group in the Assigned list on the left and click the Delete button 5 Click the OK button to save your user and group mapping assignments and return to the Users screen ...

Page 291: ...hin the Users screen displays in the Access Policy screen within the groups column Similarly existing WLANs can be individually mapped to user groups by clicking the WLANs button to the right of each group name For more information on creating groups and users see Managing the Local User Database on page 6 61 For information on creating a new WLAN or editing the properties of an existing WLAN see ...

Page 292: ...e access intervals for specific days and hours A mechanism also exists for mapping specific WLANs to these intervals For more information see Editing Group Access Permissions on page 6 69 For information on creating a new group see Managing the Local User Database on page 6 61 Time of Access The Time of Access field displays the days of the week and the hours defined for group access to access poi...

Page 293: ...for any day of the week and include any hour of the day Ten unique access intervals can be defined for each existing group To update a group s access permissions 1 Select User Authentication Radius Server Access Policy from the menu tree 2 Select an existing group from within the groups field 3 Select the Edit button The Edit Access Policy screen displays Associated WLANs The Associated WLANs fiel...

Page 294: ... the week for which each policy applies If continual access is required select the All Days option If continual access is required during Monday through Friday but not Saturday or Sunday select the Weekdays option Use the Start Time and End Time values to define the access interval in HHMM format for each access policy Each policy for a given group should have unique intervals Policies can be crea...

Page 295: ...ccess Policy screen Navigating away from the screen without clicking Apply results in all changes to the screen being lost 7 Click Cancel if necessary to undo any changes made Undo Changes reverts the settings displayed on the Edit Access Policy screen to the last saved configuration NOTE Groups have a strict start and end time as defined using the Edit Access Policy screen Only during this period...

Page 296: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 6 72 ...

Page 297: ...n and 802 11b g n radios An advanced radio statistics page is also available to display retry histograms for specific data packet retry information Associated MU stats can be displayed collectively for associated MUs and individually for specific MUs An echo ping test is also available to ping specific MUs to assess the strength of the AP association Finally the access point can detect and display...

Page 298: ...s screen to view real time statistics for monitoring the access point activity through its Wide Area Network WAN port The Information field of the WAN Stats screen displays basic WAN information generated from settings on the WAN screen The Received and Transmitted fields display statistics for the cumulative packets bytes and errors received and transmitted through the WAN interface since it was ...

Page 299: ...n displays no connection information and statistics To enable the WAN connection see Configuring WAN Settings on page 5 16 HW Address The Media Access Control MAC address of the access point WAN port The WAN port MAC address is hard coded at the factory and cannot be changed For more information on how access point MAC addresses are assigned see MAC Address Assignment on page 1 29 IP Addresses The...

Page 300: ... received over the WAN port The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted RX Bytes RX bytes are bytes of information received over the WAN port The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted To restart the access point to begin a new data collecti...

Page 301: ...llection see Configuring System Settings on page 4 2 TX Bytes TX bytes are bytes of information sent over the WAN connection The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted To begin a new data collection see Configuring System Settings on page 4 2 TX Errors TX errors include dropped data packets buffer overruns and carrier ...

Page 302: ...e Received and Transmitted fields of the screen display statistics for the cumulative packets bytes and errors received and transmitted over the LAN1 or LAN2 port since it was last enabled or the access point was last restarted The LAN Stats screen is view only with no user configurable data fields To view access point LAN connection stats 1 Select Status and Statistics LAN Stats LAN1 Stats or LAN...

Page 303: ...his information to assess the current connection status of LAN 1 or LAN2 Speed The LAN 1 or LAN 2 connection speed is displayed in Megabits per second Mbps for example 54Mbps If the throughput speed is not achieved examine the number of transmit and receive errors or consider increasing the supported data rate To change the data rate of the 802 11a n or 802 11b g n radio see Configuring the 802 11...

Page 304: ...Packets TX packets are data packets sent over the access point LAN port The displayed number is a cumulative total since the LAN connection was last enabled or the access point was last restarted To begin a new data collection see Configuring System Settings on page 4 2 TX Bytes TX bytes are bytes of information sent over the LAN port The displayed number is a cumulative total since the LAN Connec...

Page 305: ...bility to track its own unique STP statistics Refer to the LAN STP Stats page when assessing mesh networking functionality for each of the two access point LANs Access points in bridge mode exchange configuration messages at regular intervals typically 1 to 4 seconds If a bridge fails neighboring bridges detect a lack of configuration messaging and initiate a spanning tree recalculation when spann...

Page 306: ... calculation to occur when the bridge is powered up or when a topology change is detected Designated Root Displays the access point MAC address of the bridge defined as the root bridge in the Bridge STP Configuration screen For information on defining an access point as a root bridge see Setting the LAN Configuration for Mesh Networking Support on page 9 7 Bridge ID The Bridge ID identifies the pr...

Page 307: ...n tuned between 1 and 10 sec For information on setting the Bridge Hello Time see Setting the LAN Configuration for Mesh Networking Support on page 9 7 The 802 1d specification recommends the Hello Time be set to a value less than half of the Max Message age value Bridge Forward Delay The Bridge Forward Delay value is the time spent in a listening and learning state This time is equal to 15 sec by...

Page 308: ... WAN Settings on page 5 16 to enable the WLAN For information on configuring the properties of individual WLANs see Creating Editing Individual WLANs on page 5 29 To view access point WLAN Statistics 1 Select Status and Statistics Wireless Stats from the access point menu tree Designated Bridge There is only one root bridge within each mesh network All other bridges are designated bridges that loo...

Page 309: ...splays the total number of MUs currently associated with each enabled WLAN Use this information to assess if the MUs are properly grouped by function within each enabled WLAN To adjust the maximum number of MUs permissible per WLAN see Creating Editing Individual WLANs on page 5 29 T put Displays the total throughput in Megabits per second Mbps for each active WLAN ABS Displays the Average Bit Spe...

Page 310: ...a gathering activity or risk losing all data calculations to that point Total pkts per second Displays the average number of RF packets sent per second across all active WLANs on the access point The number in black represents packets for the last 30 seconds and the number in blue represents total pkts per second for the last hour Total bits per second Displays the average bits sent per second acr...

Page 311: ...n RF traffic and throughput The RF Status field displays information on RF signal averages from the associated MUs The Error field displays RF traffic errors based on retries dropped packets and undecryptable packets The WLAN Stats screen is view only with no user configurable data fields To view statistics for an individual WLAN 1 Select Status and Statistics Wireless Stats WLANx Stats x target W...

Page 312: ...number of MUs currently associated with the WLAN If this number seems excessive consider segregating MU s to other WLANs if appropriate Packets per second The Total column displays the average total packets per second crossing the selected WLAN The Rx column displays the average total packets per second received on the selected WLAN The Tx column displays the average total packets per second sent ...

Page 313: ...ackets for the last hour Avg MU Signal Displays the average RF signal strength in dBm for all MUs associated with the selected WLAN The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour If the signal is low consider mapping the MU to a different WLAN if a better functional grouping of MUs can be determined Avg MU No...

Page 314: ...ics can be displayed as well by selecting a specific radio from within the access point menu tree To view high level access point radio statistics 1 Select Status and Statistics Radio Stats from the access point menu tree Dropped Packets Displays the percentage of packets which the AP gave up on for all MUs associated with the selected WLAN The number in black represents this statistic for the las...

Page 315: ...n on page 5 51 MUs Displays the total number of MUs currently associated with each access point radio T put Displays the total throughput in Megabits per second Mbps for each access point radio listed To adjust the data rate for a specific radio see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 ABS Displays the Average Bit Speed ABS in Megabits per second Mbps for each access point r...

Page 316: ...nformation field displays device address and location information as well as channel and power information The Traffic field displays statistics for cumulative packets bytes and errors received and transmitted The Traffic field does not add retry information to the stats displayed Refer to the RF Status field for an average MU signal noise and signal to noise ratio information Finally the Errors f...

Page 317: ...the factory and can be found on the bottom of the access point For more information on how access point MAC addresses are assigned see MAC Address Assignment on page 1 29 Radio Type Displays the radio type either 802 11a n or 802 11b g n Power The power level in milliwatts mW for RF signal strength To change the power setting for the radio see Configuring the 802 11a n or 802 11b g n Radio on page...

Page 318: ...e last hour Throughput The Total column displays average throughput on the radio TheRx column displays average throughput in Mbps for packets received The Tx column displays average throughput for packets transmitted The number in black represents statistics for the last 30 seconds and the number in blue represents statistics for the last hour Use this information to assess whether the current thr...

Page 319: ... last 30 seconds and the number in blue represents MU noise for the last hour If MU noise is excessive consider moving the MU closer to the access point or in area with less conflicting network traffic Avg MU SNR Displays the average Signal to Noise Ratio SNR for all MUs associated with the access point radio The Signal to Noise Ratio is an indication of overall RF performance on your wireless net...

Page 320: ...e To display a Retry Histogram screen for an access point radio 1 Select Status and Statistics Radio Stats Radio1 802 11b g n Stats Retry Histogram from the access point menu tree A Radio Histogram screen is available for each access point radio regardless of single or dual radio model The table s first column shows 0 under Retries The value under the Packets column directly to the right shows the...

Page 321: ... confirming the logout before the applet is closed 7 5 Viewing MU Statistics Summary Use the MU Stats Summary screen to display overview statistics for mobile units MUs associated with the access point The MU List field displays basic information such as IP Address and total throughput for each associated MU The MU Stats screen is view only with no user configurable data fields However individual ...

Page 322: ...h of the associated MU WLAN Displays the WLAN name each MU is interoperating with Radio Displays the name of the 802 11a n or 802 11b g n radio each MU is associated with T put Displays the total throughput in Megabits per second Mbps for each associated MU ABS Displays the Average Bit Speed ABS in Megabits per second Mbps for each associated MU Retries Displays the average number of retries per p...

Page 323: ...o securely exit the Access Point applet A prompt displays confirming the logout before the applet is closed 7 5 1 Viewing MU Details Use the MU Details screen to display throughput signal strength and transmit error information for a specific MU associated with the access point The MU Details screen is separated into four fields MU Properties MU Traffic MU Signal and MU Errors The MU Properties fi...

Page 324: ...radio traffic Motorola recommends CAM for those MUs transmitting with the AP frequently and for periods of time of two hours HW Address Displays the Media Access Control MAC address for the MU Radio Association Displays the name of the AP MU is currently associated with If the name of the access point requires modification see Configuring System Settings on page 4 2 QoS Client Type Displays the da...

Page 325: ...a rate of the AP if the current bit speed does not meet network requirements For more information see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 The associated MU must also be set to the higher rate to interoperate with the access point at that data rate of Non unicast pkts Displays the percentage of the total packets for the selected mobile unit that are non unicast Non unicast p...

Page 326: ...t received on for the selected MU The number in black represents the percentage of packets for the last 30 seconds and the number in blue represents the percentage of packets for the last hour of Undecryptable Pkts Displays the percentage of undecryptable packets for the MU The number in black represents the percentage of undecryptable packets for the last 30 seconds and the number in blue represe...

Page 327: ...t the Echo Test screen and return to the MU Stats Summary screen 7 5 3 MU Authentication Statistics The access point can access and display authentication statistics for individual MUs To view access point authentication statistics for a specific MU 1 Select Status and Statistics MU Stats from the access point menu tree 2 Highlight a target MU from within the MU List field 3 Click the MU Authentic...

Page 328: ...information is used to create a list of known wireless bridges To view detected mesh network statistics 1 Select Status and Statistics Mesh Stats from the access point menu tree The Mesh Statistics Summary screen displays the following information Conn Type Displays whether the bridge has been defined as a base bridge or a client bridge For information on defining configuring the access point as e...

Page 329: ...station identifier This value is hard coded at the factory by the manufacturer and cannot be changed WLAN Displays the WLAN name each wireless bridge is interoperating with Radio Displays the name of the 802 11a n or 802 11b g n radio each bridge is associated with T put Displays the total throughput in Megabits per second Mbps for each associated bridge ABS Displays the Average Bit Speed ABS in M...

Page 330: ... Access Point applet A prompt displays confirming the logout before the applet is closed 7 7 Viewing Known Access Point Statistics The access point has the capability of detecting and displaying the properties of other Motorola access points located within its coverage area Detected access point s transmit a WNMP message ...

Page 331: ...nown AP Stats from the access point menu tree The Known AP Statistics screen displays the following information NOTE The Known AP Statistics screen only displays statistics for access points located on the same subnet IP Address The network assigned Internet Protocol address of the located AP MAC Address The unique 48 bit hard coded Media Access Control address known as the devices station identif...

Page 332: ... Start Flash button to flash the LEDs of other access points detected and displayed within the Known AP Statistics screen Use the Start Flash button to determine the location of the devices displayed within the Known AP Statistics screen When an access point is highlighted and the Start Flash button is selected the LEDs on the selected access point flash When the Stop Flash button is selected the ...

Page 333: ...ess point CLI follows the same conventions as the Web based user interface The CLI does however provide an escape sequence to provide diagnostics for problem identification and resolution The CLI treats the following as invalid characters In order to avoid problems when using the CLI these characters should be avoided ...

Page 334: ...untry code is set A new password will also need to be created 8 1 2 Accessing the CLI via SSH To connect to the access point CLI through a SSH connection 1 If this is your first time connecting to your access point keep in mind the access point uses a static IP WAN address 10 1 1 1 Additionally the access point s LAN port default static IP address is 192 168 0 1 24 2 Enter the default username of ...

Page 335: ...mand are shown below Syntax help Displays general user interface help passwd Changes the admin password summary Shows a system summary network Goes to the network submenu system Goes to the system submenu stats Goes to the stats submenu Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 336: ... a function argument is treated as an argument Eg admin network lan set lan enable Here is an invalid extra argument because it is after the argument enable ctrl q go backwards in command history ctrl p go forwards in command history Note 1 commands can be incomplete Eg sh sho show 2 introduces a comment and gets no resposne from CLI admin help Displays command line help using combinations of func...

Page 337: ...For information on configuring passwords using the applet GUI see Setting Passwords on page 6 2 passwd Changes the admin password for access point access This requires typing the old admin password and entering a new password and confirming it Passwords can be between 8 and19 characters The access point CLI treats the following as invalid characters In order to avoid problems when using the access...

Page 338: ...s 2 4 and 5 0 GHz VLAN VLAN1 Security Policy Default QoS Policy Default Rate Limiting disabled LAN1 Name LAN1 LAN1 Mode enable LAN1 IP 0 0 0 0 LAN1 Mask 0 0 0 0 LAN1 DHCP Mode client LAN2 Name LAN2 LAN2 Mode enable LAN2 IP 192 235 1 1 LAN2 Mask 255 255 255 0 LAN2 DHCP Mode client WAN Interface IP Address Network Mask Default Gateway DHCP Client enable 172 20 23 10 255 255 255 192 172 20 23 20 enab...

Page 339: ...scription Displays the parent menu of the current menu This command appears in all of the submenus under admin In each case it has the same function to move up one level in the directory structure Example admin network lan admin network ...

Page 340: ...de 8 8 AP7131N admin Description Displays the root menu that is the top level CLI menu This command appears in all of the submenus under admin In each case it has the same function to move up to the top level in the directory structure Example admin network lan admin ...

Page 341: ...s in all of the submenus under admin In each case it has the same function to save the current configuration Syntax Example admin save admin save Saves configuration settings The save command works at all levels of the CLI The save command must be issued before leaving the CLI for updated settings to be retained ...

Page 342: ...quit Description Exits the command line interface session and terminates the session The quit command appears in all of the submenus under admin In each case it has the same function to exit out of the CLI Once the quit command is executed the login prompt displays again Example admin quit ...

Page 343: ...oes to the LAN submenu wan Goes to the WAN submenu wireless Goes to the Wireless Configuration submenu firewall Goes to the Firewall submenu router Goes to the Router submenu ipfilter Goes to the IP Filter submenu Goes to the parent menu Goes to the root menu save Saves the current configuration to the system flash quit Quits the CLI and exits the current session ...

Page 344: ...e applet GUI see Configuring the LAN Interface on page 5 1 show Shows current access point LAN parameters set Sets LAN parameters bridge Goes to the mesh configuration submenu wlan mapping Goes to the WLAN Lan Vlan Mapping submenu dhcp Goes to the LAN DHCP submenu type filter Goes to the Ethernet Type Filter submenu ipfpolicy Goes to the LAN IP Filter Policy submenu Goes to the parent menu Goes to...

Page 345: ...M Duplex full LAN1 Information LAN Name LAN1 LAN Interface enable 802 11q Trunking disable LAN IP mode DHCP client IP Address 192 168 0 1 Network Mask 255 255 255 255 Default Gateway 192 168 0 1 Domain Name Primary DNS Server 192 168 0 1 Secondary DNS Server 192 168 0 2 WINS Server 192 168 0 254 Native VLAN Tag Mode untagged LAN2 Information LAN Name LAN2 LAN Interface disable 802 11q Trunking dis...

Page 346: ...ress 192 168 1 1 Network Mask 255 255 255 255 Default Gateway 192 168 1 1 Domain Name Primary DNS Server 192 168 0 2 Secondary DNS Server 192 168 0 3 WINS Server 192 168 0 255 admin network lan For information on displaying LAN information using the applet GUI see Configuring the LAN Interface on page 5 1 ...

Page 347: ...seconds Sets the interval in seconds the access point uses to terminate its LAN interface if no activity is detected for the specified interval trunking mode Enables or disables 802 11q Trunking over the access point LAN port native vlan tag mode Specifies 802 1q native vlan tag mode as tagged untagged auto negotiation mode Enables or disables auto negotiation for the access point LAN port speed m...

Page 348: ...Information LAN Name LAN1 LAN Interface enable 802 1q Trunking disable Native VLAN Tag Mode untagged LAN IP mode Static IP IP Address 172 16 10 22 Network Mask 255 255 255 0 Default Gateway 192 168 0 1 Domain Name Primary DNS Server 192 168 0 1 Secondary DNS Server 192 168 0 1 WINS Server 192 168 0 254 admin network lan Related Commands For information on configuring the LAN using the applet GUI s...

Page 349: ...int s mesh networking options using the applet GUI see Configuring Mesh Networking on page 9 1 show Displays the mesh configuration parameters for the access point s LANs set Sets the mesh configuration parameters for the access point s LANs Moves to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI and exits the session ...

Page 350: ...iority 65500 Hello Time seconds 2 Message Age Time seconds 20 Forward Delay Time seconds 15 Entry Ageout Time seconds 300 LAN2 Bridge Configuration Bridge Priority 65500 Hello Time seconds 2 Message Age Time seconds 20 Forward Delay Time seconds 15 Entry Ageout Time seconds 300 For an overview of the access point s mesh networking options using the applet GUI see Configuring Mesh Networking on pag...

Page 351: ...seconds 300 LAN2 Mesh Configuration Bridge Priority 63335 Hello Time seconds 2 Message Age Time seconds 20 Forward Delay Time seconds 15 Entry Ageout Time seconds 300 For an overview of the access point s mesh networking options using the applet GUI see Configuring Mesh Networking on page 9 1 set priority LAN idx seconds Sets bridge priority time in seconds 0 65535 for specified LAN hello LAN idx ...

Page 352: ...guring VLAN Support on page 5 5 show Displays the VLAN list currently defined for the access point set Sets the access point VLAN configuration create Creates a new access point VLAN edit Edits the properties of an existing access point VLAN delete Deletes a VLAN lan map Maps access point existing WLANs to an enabled LAN vlan map Maps access point existing WLANs to VLANs Moves to the parent menu G...

Page 353: ... 1 VLAN_1 2 2 VLAN_2 3 3 VLAN_3 4 4 VLAN_4 admin network lan wlan mapping show vlan cfg LAN No Management VLAN Tag Native VLAN Tag 1 1 1 2 1 1 WLAN WLAN1 mapped to VLAN none VLAN Mode static admin network lan wlan mapping show lan wlan WLANs on LAN1 WLAN1 WLAN2 WLAN3 WLANs on LAN2 show name Displays the existing list of VLAN names vlan cfg Shows WLAN VLAN mapping and VLAN configuration lan wlan Di...

Page 354: ... Warning This will display secure information Do you want to continue n y y WLAN1 WLAN Name WLAN1 ESSID 101 Radio Bands 2 4 and 5 0 GHz VLAN Security Policy Default QoS Policy Default Rate Limiting disabled For information on displaying the VLAN screens using the applet GUI see Configuring VLAN Support on page 5 5 ...

Page 355: ...ic admin network lan wlan mapping show vlan cfg LAN No Management VLAN Tag Native VLAN Tag 1 10 12 2 1 1 WLAN WLAN1 mapped to VLAN none VLAN Mode static For information on configuring VLANs using the applet GUI see Configuring VLAN Support on page 5 5 set mgmt tag id Defines the Management VLAN tag index 1 or 2 to tag number 1 4095 native tag id Sets the Native VLAN tag index 1 or 2 to tag number ...

Page 356: ...tes a VLAN for the access point Syntax Example admin network lan wlan mapping admin network lan wlan mapping create 5 vlan 5 For information on creating VLANs using the applet GUI see Configuring VLAN Support on page 5 5 create vlan id id Defines the VLAN ID 1 4095 vlan name name Specifies the name of the VLAN 1 31 characters in length ...

Page 357: ...tion Modifies a VLAN s name and ID Syntax For information on editing VLANs using the applet GUI see Configuring VLAN Support on page 5 5 edit name name Modifies an exisiting VLAN name 1 31 characters in length id id Modifies an existing VLAN ID 1 4095 characters in length ...

Page 358: ...7131N admin network lan wlan mapping delete Description Deletes a specific VLAN or all VLANs Syntax For information on deleting VLANs using the applet GUI see Configuring VLAN Support on page 5 5 delete VLANid Deletes a specific VLAN ID 1 16 all Deletes all defined VLAN entries ...

Page 359: ...Syntax admin network lan wlan mapping lan map wlan1 lan1 For information on mapping VLANs using the applet GUI see Configuring VLAN Support on page 5 5 lan map wlanname Maps an existing WLAN to an enabled LAN All names and IDs are case sensitive lanname Defines enabled LAN name All names and IDs are case sensitive ...

Page 360: ...s point VLAN to a WLAN Syntax admin network lan wlan mapping vlan map wlan1 vlan1 For information on mapping VLANs using the applet GUI see Configuring VLAN Support on page 5 5 vlan map wlanname Maps an existing WLAN to an enabled LAN All names and IDs are case sensitive vlanname Defines the existing VLAN name All names and IDs are case sensitive ...

Page 361: ...available are displayed below show Displays DHCP parameters set Sets DHCP parameters add Adds static DHCP address assignments delete Deletes static DHCP address assignments list Lists static DHCP address assignments Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI and exits the session ...

Page 362: ...ent Range Starting IP Address 192 168 0 100 Ending IP Address 192 168 0 254 Lease Time 86400 LAN2 DHCP Information DHCP Address Assignment Range Starting IP Address 192 168 0 100 Ending IP Address 192 168 0 254 Lease Time 86400 For information on configuring DHCP using the applet GUI see Configuring the LAN Interface on page 5 1 show Displays DHCP parameter settings for the access point These para...

Page 363: ...DHCP Information DHCP Address Assignment Range Starting IP Address 192 168 0 100 Ending IP Address 192 168 0 254 Lease Time 86400 For information on configuring DHCP using the applet GUI see Configuring the LAN Interface on page 5 1 set range LAN idx ip1 ip2 Sets the DHCP assignment range from IP address ip1 to IP address ip2 for the specified LAN 1 lan1 2 lan2 lease LAN idx lease Sets the DHCP le...

Page 364: ...92 160 24 6 admin network lan dhcp add 1 00A0F1112234 192 169 24 7 admin network lan dhcp list 1 Index MAC Address IP Address 1 00A0F8112233 192 160 24 6 2 00A0F8112234 192 169 24 7 For information on adding client MAC and IP address information using the applet GUI see Configuring Advanced DHCP Server Settings on page 5 13 add LAN idx mac ip Adds a reserved static IP address to a MAC address for ...

Page 365: ... 7 admin network lan dhcp delete 1 index mac address ip address 1 00A0F8102030 10 10 1 2 2 00A0F8112234 10 1 2 3 3 00A0F8112235 192 160 24 6 4 00A0F8112236 192 169 24 7 admin network lan dhcp delete 1 all index mac address ip address For information on deleting client MAC and IP address information using the applet GUI see Configuring Advanced DHCP Server Settings on page 5 13 delete LAN idx entry...

Page 366: ...MAC Address IP Address 1 00A0F8112233 10 1 2 4 2 00A0F8102030 10 10 1 2 3 00A0F8112234 10 1 2 3 4 00A0F8112235 192 160 24 6 5 00A0F8112236 192 169 24 7 admin network lan dhcp For information on listing client MAC and IP address information using the applet GUI see Configuring Advanced DHCP Server Settings on page 5 13 list LAN idx cr Lists the static DHCP address assignments for the specified LAN ...

Page 367: ...ubmenu The items available under this command include show Displays the current Ethernet Type exception list set Defines Ethernet Type Filter parameters add Adds an Ethernet Type Filter entry delete Removes an Ethernet Type Filter entry Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 368: ...nt Ethernet Type Filter configuration Syntax Example admin network lan type filter show 1 Ethernet Type Filter mode allow index ethernet type 1 8137 For information on displaying the type filter configuration using the applet see Setting the Type Filter Configuration on page 5 14 show LAN idx Displays the existing Type Filter configuration for the specified LAN ...

Page 369: ... Syntax Example admin network lan type filter set mode 1 allow For information on configuring the type filter settings using the applet GUI see Setting the Type Filter Configuration on page 5 14 set mode LAN idx mode allow or deny Allows or denies the access point from processing a specified Ethernet data type for the specified LAN ...

Page 370: ...network wireless type filter add 2 0806 admin network wireless type filter show 1 Ethernet Type Filter mode allow index ethernet type 1 8137 2 0806 3 0800 4 8782 For information on configuring the type filter settings using the applet GUI see Setting the Type Filter Configuration on page 5 14 add LAN idx type Adds entered Ethernet Type to list of data types either allowed or denied access point pr...

Page 371: ...e Filter mode allow index ethernet type 1 0806 2 0800 3 8782 admin network lan type filter delete 2 all admin network lan type filter show 2 Ethernet Type Filter mode allow index ethernet type For information on configuring the type filter settings using the applet GUI see Setting the Type Filter Configuration on page 5 14 delete LAN idx index Deletes the specified Ethernet Type index entry 1 thro...

Page 372: ...n and the access point s current PPPoE configuration set Defines the access point s WAN and PPPoE configuration nat Displays the NAT submenu wherein Network Address Translations NAT can be defined vpn Goes to the VPN submenu where the access point VPN tunnel configuration can be set content Goes to the outbound content filtering menu dyndns Displays the Dynamic DNS submenu wherein dyndns settings ...

Page 373: ...NS Server 0 0 0 0 Auto negotiation enable Speed 100M Duplex full WAN IP 2 disable WAN IP 3 disable WAN IP 4 disable WAN IP 5 disable WAN IP 6 disable WAN IP 7 disable WAN IP 8 disable PPPoE Mode enable PPPoE User Name JohnDoe PPPoE Password PPPoE keepalive mode enable PPPoE Idle Time 600 PPPoE Authentication Type pap chap PPPoE State admin network wan For an overview of the WAN configuration optio...

Page 374: ...WAN Settings on page 5 16 set wan enable disable Enables or disables the access point WAN port dhcp enable disable Enables or disables WAN DHCP Client mode ipadr idx a b c d Sets up to 8 using indx from 1 to 8 IP addresses a b c d for the access point WAN interface mask a b c d Sets the subnet mask for the access point WAN interface dgw a b c d Sets the default gateway IP address to a b c d dns id...

Page 375: ...on options available using the applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 show Displays the access point s current NAT parameters for the specified index set Defines the access point NAT settings add Adds NAT entries delete Deletes NAT entries list Lists NAT entries Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit...

Page 376: ... 2 NAT Type 1 to many Inbound Mappings Port Forwarding unspecified port forwarding mode enable unspecified port fwd ip address 111 223 222 1 one to many nat mapping LAN No WAN IP 1 157 235 91 2 2 157 235 91 2 admin network wan nat For an overview of the NAT options available using the applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 show idx cr Displays access point...

Page 377: ... mapping LAN No WAN IP 1 157 235 91 2 2 10 1 1 1 For an overview of the NAT options available using the applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 set type index type Sets the type of NAT translation for WAN address index idx 1 8 to type none 1 to 1 or 1 to many ip index ip Sets NAT IP mapping associated with WAN address idx to the specified IP address ip inb ...

Page 378: ...e applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 add idx name tran port1 port2 ip dst_port Sets an inbound network address translation NAT for WAN address idx where name is the name of the entry 1 to 7 characters tran is the transport protocol one of tcp udp icmp ah esp gre or all port1 is the starting port number in a port range port2 is the ending port number in...

Page 379: ...etwork wan nat list 1 index name Transport start port end port internal ip translation Related Commands For an overview of the NAT options available using the applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 delete idx entry Deletes a specified NAT index entry entry associated with the WAN idx all Deletes all NAT entries associated with the WAN add Adds entries to t...

Page 380: ...ex name Transport start port end port internal ip translation 1 special tcp 20 21 192 168 42 16 21 Related Commands For an overview of the NAT options available using the applet GUI see Configuring Network Address Translation NAT Settings on page 5 22 list idx Lists the inbound NAT entries associated with the WAN index 1 8 delete Deletes inbound NAT entries from the list add Adds entries to the li...

Page 381: ...et GUI see Configuring VPN Tunnels on page 6 22 add Adds VPN tunnel entries set Sets key exchange parameters delete Deletes VPN tunnel entries list Lists VPN tunnel entries reset Resets all VPN tunnels stats Lists security association status for the VPN tunnels ikestate Displays an Internet Key Exchange IKE summary Goes to the parent menu Goes to the root menu save Saves the configuration to syste...

Page 382: ... tunnel type is Manual proper SPI values and Keys must be configured after adding the tunnel admin network wan vpn For information on configuring VPN using the applet GUI see Configuring VPN Tunnels on page 6 22 add name idx LWANIP RSubnetIP RSubnetMask RGatewayIP Creates a tunnel name 1 to 13 characters to gain access through local WAN IP LWanIP from the remote subnet with address RSubnetIP and s...

Page 383: ... esp enckey name dir enckey Sets the Manual Encryption Key in ASCII for tunnel name and direction IN or OUT to the key enc key The size of the key depends on the encryption algorithm 32 hex characters for AES128 48 hex characters for AES192 64 hex characters for AES256 esp authalgo name authalgo Sets the ESP authentication algorithm Option is r SHA1 esp authkey name dir authkey Sets ESP Authentica...

Page 384: ...ion for name to idtype This value is not required when the ID type is set to IP remiddata name idtype Sets the Local ID data for IKE authentication for name to idtype This value is not required when the ID type is set to IP authtype name authtype Sets the IKE Authentication type for name to authtype PSK authalgo name authalgo Sets the IKE Authentication Algorithm for name to SHA1 phrase name phras...

Page 385: ...92 168 24 198 SJSharkey Manual 206 107 22 45 27 206 107 22 2 209 235 12 55 admin network wan vpn delete Eng2EngAnnex admin network wan vpn list Tunnel Name Type Remote IP Mask Remote Gateway Local WAN IP SJSharkey Manual 206 107 22 45 27 206 107 22 2 209 235 12 55 admin network wan vpn For information on configuring VPN using the applet GUI see Configuring VPN Tunnels on page 6 22 delete all Delet...

Page 386: ... 2 209 235 12 55 admin network wan vpn list SJSharkey Detail listing of VPN entry Name SJSharkey Local Subnet 1 Tunnel Type Manual Remote IP 206 107 22 45 Remote IP Mask 255 255 255 224 Remote Security Gateway 206 107 22 2 Local Security Gateway 209 239 160 55 AH Algorithm None Encryption Type ESP Encryption Algorithm AES ESP Inbound SPI 0x00000100 ESP Outbound SPI 0x00000100 For information on di...

Page 387: ...tion Resets all of the access point s VPN tunnels Syntax Example admin network wan vpn reset VPN tunnels reset admin network wan vpn For information on configuring VPN using the applet GUI see Configuring VPN Tunnels on page 6 22 reset Resets all VPN tunnel states ...

Page 388: ...sts statistics for all active tunnels Syntax Example admin network wan vpn stats Tunnel Name Status SPI OUT IN Life Time Bytes Tx Rx Eng2EngAnnex Not Active SJSharkey Not Active For information on displaying VPN information using the applet GUI see Viewing VPN Status on page 6 36 stats Display statistics for all VPN tunnels ...

Page 389: ...emaining Life Eng2EngAnnex Not Connected SJSharkey Not Connected admin network wan vpn For information on configuring IKE using the applet GUI see Configuring IKE Key Settings on page 6 34 ikestate Displays status about Internet Key Exchange IKE for all tunnels In particular the table indicates whether IKE is connected for any of the tunnels it provides the destination IP address and the remaining...

Page 390: ...bound Content Filtering menu The items available under this command include addcmd Adds control commands to block outbound traffic delcmd Deletes control commands to block outbound traffic list Lists application control commands Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 391: ...and activex Adds activex files file Adds Web URL extensions 10 files maximum The filename should be 1 15 characters smtp Adds SMTP commands to block outbound traffic helo helo command mail mail command rcpt rcpt command data data command quit quit command send send command saml saml command reset reset command vrfy vrfy command expn expn command ftp Adds FTP commands to block outbound traffic put ...

Page 392: ...tbound traffic proxy Deletes a Web proxy command activex Deletes activex files file Deletes Web URL extensions 10 files maximum smtp Deletes SMTP commands to block outbound traffic helo helo command mail mail command rcpt rcpt command data data command quit quit command send send command saml saml command reset reset command vrfy vrfy command expn expn command ftp Deletes FTP commands that block o...

Page 393: ...st smtp SMTP Commands HELO deny MAIL allow RCPT allow DATA deny QUIT allow SEND allow SAML allow RESET allow VRFY allow EXPN allow admin network wan content list ftp FTP Commands Storing Files deny Retreiving Files allow Directory Files allow Create Directory allow Change Directory allow Passive Operation allow list web Lists WEB application control record smtp Lists SMTP application control recor...

Page 394: ...ubmenu The items available under this command include For an overview of the Dynamic DNS options available using the applet GUI see Configuring Dynamic DNS on page 5 25 set Sets Dynamic DNS parameters update Sets key exchange parameters show Shows the Dynamic DNS configuration Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 395: ...ns set host greengiant For an overview of the Dynamic DNS options available using the applet GUI see Configuring Dynamic DNS on page 5 25 set mode enable disable Enables or disbales the Dynamic DNS service for the access point username name Enter a 1 32 character username for the account used for the access point password password Enter a 1 32 character password for the account used for the access...

Page 396: ...s point s current WAN IP address with the DynDNS service Syntax Example admin network wan dyndns update IP Address 157 235 91 231 Hostname greengiant For an overview of the Dynamic DNS options available using the applet GUI see Configuring Dynamic DNS on page 5 25 update Updates the access point s current WAN IP address with the DynDNS service ...

Page 397: ...secure information Do you want to continue n y y DynDNS Configuration Mode enable Username percival Password Hostname greengiant DynDNS Update Response IP Address 157 235 91 231 Hostname greengiant Status OK For an overview of the Dynamic DNS options available using the applet GUI see Configuring Dynamic DNS on page 5 25 show Shows the access point s current Dynamic DNS configuration ...

Page 398: ... ACL submenu to restrict or allow MU access to access point WLANs radio Displays the radio configuration submenu used to specify how the 802 11a n or 802 11b g radio is used with specific WLANs qos Displays the Quality of Service QoS submenu to prioritize specific kinds of data traffic within a WLAN rate limiting Displays the Rate Limiting submenu rogue ap Displays the Rogue AP submenu to configur...

Page 399: ...cessary to undo any changes made Undo Changes reverts the settings displayed on the screen to the last saved configuration on page 5 26 show Displays the access point s current WLAN configuration create Defines the parameters of a new WLAN edit Modifies the properties of an existing WLAN delete Deletes an existing WLAN hotspot Displays the WLAN hotspot menu ipfpolicy Goes to the WLAN IP Filter Pol...

Page 400: ... 5 0 GHz Radio available 802 11n 2 4 GHz Radio not available Client Bridge Mesh Backhaul available Hotspot not available Maximum MUs 127 MU Idle Timeout 30 Security Policy Default MU Access Control Default disallow MU to MU Communication disable Use Secure Beacon disable answer Broadcast ESSID enable QoS Policy Default per mu rate limiting disabled per mu rate limit wired to wl 1000 kb per mu rate...

Page 401: ...Enables or disables the Client Bridge Mesh Backhaul option hotspot mode Enables or disables the Hotspot mode max mu number Defines the maximum number of MU able to operate within the WLAN default 127 MUs idle timeout minutes Sets the interval the access point uses to timeout idle MUs from WLAN inclusion Set between 1 65535 minutes Default is 30 minutes security name Sets the security policy to the...

Page 402: ...t Lobby WPA Countermeasure enable admin network wireless wlan create show acl ACL Policy Name Associated WLANs 1 Default Front Lobby 2 Admin 3rd Floor 3 Demo Room 5th Floor admin network wireless wlan create show qos QOS Policy Name Associated WLANs 1 Default Front Lobby 2 Voice Audio Dept 3 Video Video Dept The CLI treats the following as invalid characters thus they should not be used in the cre...

Page 403: ... edit Description Edits the properties of an existing WLAN policy Syntax For information on editing a WLAN using the applet GUI see Creating Editing Individual WLANs on page 5 29 edit index Edits the properties of an existing and specified WLAN policy 1 16 ...

Page 404: ...n Deletes an existing WLAN Syntax Example admin network wireless wlan delete all admin network wireless wlan For information on deleting a WLAN using the applet GUI see Creating Editing Individual WLANs on page 5 29 delete wlan name Deletes a target WLAN using the name supplied all Deletes all WLANs defined except default WLAN ...

Page 405: ... the Hotspot options available to the using the applet GUI see Configuring WLAN Hotspot Support on page 5 45 show Show hotspot parameters redirection Goes to the hotspot redirection menu radius Goes to the hotspot Radius menu white list Goes to the hotspot white list menu save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 406: ...L External Fail URL Primary Server Ip adr 157 235 21 21 Primary Server Port 1812 Primary Server Secret Secondary Server Ip adr 157 235 32 12 Secondary Server Port 1812 Secondary Server Secret Accounting Mode disable Accounting Server Ip adr 0 0 0 0 Accounting Server Port 1813 Accounting Server Secret Accoutning Timeout 10 Accoutning Retry count 3 Session Timeout Mode enable Session Timeout 15 Whit...

Page 407: ...figuring the hotspot options available to the access point using the applet GUI see Configuring WLAN Hotspot Support on page 5 45 redirection set page loc Sets the hotspot http re direction by index 1 16 for the specified URL exturl Shows hotspot http redirection details for specifiec index 1 16 for specified page login welcome fail and target URL show Shows hotspot http redirection details save S...

Page 408: ...dius menu Syntax For information on configuring the Hotspot options available to the access point using the applet GUI see Configuring WLAN Hotspot Support on page 5 45 set Sets the Radius hotspot configuration show Shows Radius hotspot server details save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 409: ... Hotspot options available to the access ointusing the applet GUI see Configuring WLAN Hotspot Support on page 5 45 set server idx srvr_type ipadr Sets the Radius hotpost server IP address per wlan index 1 16 secret idx srvr_type secret Sets the Radius hotspot server shared secret password acct mode idx mode Sets the Radius hotspot server accounting mode enable disable acct server idx ipadr Sets t...

Page 410: ... 157 235 12 12 Primary Server Port 1812 Primary Server Secret Secondary Server Ip adr 0 0 0 0 Secondary Server Port 1812 Accounting Mode enable Accounting Server Ip adr 157 235 15 16 Accounting Server Port 1813 Accounting Server Secret Accounting Timeout 10 Accounting Retry count 3 Session Timeout Mode enable admin network wireless wlan hotspot radius For information on configuring the Hotspot opt...

Page 411: ...IP Address 1 157 235 21 21 For information on configuring the Hotspot options available to the access point using the applet GUI see Configuring WLAN Hotspot Support on page 5 45 white list add rule Adds hotspot whitelist rules by index 1 16 for specified IP address clear Clears hotspot whitelist rules for specified index 1 16 show Shows hotspot whitelist rules for specified index 1 16 save Saves ...

Page 412: ...de For information on the security configuration options available to the access point using the applet GUI see Configuring Security Options on page 6 2 show Displays the access point s current security configuration create Creates a security policy edit Edits the properties of an existing security policy delete Removes a specific security policy Goes to the parent menu Goes to the root menu save ...

Page 413: ...icy 1 Warning This will display secure information Do you want to continue n y y Policy Name Default Authentication type 802 1x EAP Server Settings primary radius server 0 0 0 0 secondary radius server 0 0 0 0 primary radius server port 1812 secondary radius server port 1812 primary radius shared secret secondary radius shared secret Reauthentication eap reauth mode disable Radius Accounting accou...

Page 414: ...cryption type WPA2 CCMP 802 11i ccmp broadcast key rotate mode disable 802 11i ccmp preauthentication disable WPA2 PTK timeout 2 admin network wireless security Related Commands For information displaying existing WLAN security settings using the applet GUI see Enabling Authentication and Encryption Schemes on page 6 4 create Defines security parameters for the specified WLAN ...

Page 415: ...1 primary or 2 secondary The default password is now motorola instead of symbol Be cognizant of this when importing a configuration from the 1 1 baseline as this shared secret will have to be changed to motorola after the import to avoid MU authentication failures This change can only be made using the access point CLI reauth mode mode Enables or disables EAP reauthentication period time Sets the ...

Page 416: ... retry count Sets the EAP maximum number of MU retries to count 1 10 svr timeout time Sets the server timeout time in seconds 1 255 svr retry count Sets the maximum number of server retries to count 1 255 enc idx type Sets the encryption type to type for the WLAN idx ccmp rotate mode mode Enables or disabled the broadcast key interval time Sets the broadcast key rotation interval to time in second...

Page 417: ...r information on configuring the encryption and authentication options available to the access point using the applet GUI see Configuring Security Options on page 6 2 Disregards the policy creation and exits the CLI session ...

Page 418: ...to continue n y y admin network wireless security edit 1 admin network wireless security edit For information on configuring the encryption and authentication options available to the access point using the applet GUI see Configuring Security Options on page 6 2 set index Edits security policy parameters The values subject to modification are the same ones created using the AP7131N admin network w...

Page 419: ...te that all WLANs will be assigned the default security policy admin network wireless security For information on configuring the encryption and authentication options available to the access point using the applet GUI see Configuring Security Options on page 6 2 delete sec name Removes the specified security policy from the list of supported policies all Removes all security policies except the d...

Page 420: ...Mobile Unit Access Control List ACL submenu The items available under this command include show Displays the access point s current ACL configuration create Creates an MU ACL policy edit Edits the properties of an existing MU ACL policy delete Removes an MU ACL policy Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 421: ...dmin Administration 3 Demo Room Customers admin network wireless acl show policy 1 Policy Name Default Policy Mode allow index start mac end mac 1 00A0F8348787 00A0F8348798 For information on configuring the ACL options available to the access point using the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 show summary Displays the list of existing MU ACL policies policy ind...

Page 422: ...k wireless acl create add policy For information on configuring the ACL options available to the access point using the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 create show acl name Displays the parameters of a new ACL policy set acl name index Sets the MU ACL policy name mode acl mode Sets the ACL mode for the defined index 1 16 Allowed MUs can access the access poin...

Page 423: ...sing the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 show Displays MU ACL policy and its parameters set Modifies the properties of an existing MU ACL policy add addr Adds an MU ACL table entry delete Deletes an MU ACL table entry including starting and ending MAC address ranges change Completes the changes made and exits the session Cancels the changes made and exits the...

Page 424: ...less acl delete Description Removes an MU ACL policy Syntax For information on configuring the ACL options available to the access point using the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 delete idx Deletes a partilcular MU ACL policy index all Deletes all MU ACL policies ...

Page 425: ...u The items available under this command include show Summarizes access point radio parameters at a high level set Defines the access point radio configuration radio1 Displays the 2 4 GHz radio submenu radio2 Displays the 5 0 GHz radio submenu Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 426: ...ble Max Wireless AP Clients 6 Client Bridge Mode disable Roaming Client Bridge Mode disable Client Bridge WLAN WLAN1 Mesh Connection Timeout enable Radio 2 Name Radio 2 Radio Mode enable Radio Function WIPS RF Band of Operation 802 11n 5 GHz Roaming Client Bridge Mode disabled Wireless Mesh Configuration Base Bridge Mode enable Max Wireless AP Clients 5 Client Bridge Mode disable Roaming Client Br...

Page 427: ...ground 24 25 26 27 28 29 30 31 3 best effort 32 33 34 35 36 37 38 39 4 video 40 41 42 43 44 45 46 47 5 video 48 49 50 51 52 53 54 55 6 voice 56 57 58 59 60 61 62 63 7 voice admin network wireless radio For information on configuring the Radio Configuration options available to the access point using the applet GUI see Setting the WLAN s Radio Configuration on page 5 51 ...

Page 428: ... not apply to single radio access points mesh base mode idx Enables or disables base bridge mode based on radio index mesh max clients Sets the maximum number of wireless bridge clients mesh client mode Enables or Disables client bridge mode mesh roaming client mode Enables or disables the mesh roaming client mode For information on the Mesh Roaming Client feature see Mesh Roaming Client on page 1...

Page 429: ...ork wireless radio set mesh roaming client 1 enable admin network wireless radio set mesh wlan wlan1 admin network wireless radio set dot11 auth shared key allowed Two Radio SKU For information on the options available to the access point see Setting the WLAN s Radio Configuration on page 5 51 set radio config value 1 7 1 Radio 1 WLAN Radio 2 WIPS 2 Radio 1 WIPS Radio 2 WLAN 3 Radio 1 WLAN Radio 2...

Page 430: ...n configuring Radio 1 Configuration options available to the access point using the applet GUI see Setting the WLAN s Radio Configuration on page 5 51 show Displays 802 11n 2 4 GHz radio settings set Defines specific 802 11n 2 4 GHz radio parameters advanced Displays the Adavanced radio settings submenu mesh Goes to the Wireless AP Connections submenu Goes to the parent menu Goes to the root menu ...

Page 431: ...HT Channel Setting user selection Power Level 5 dbm 4 mW 802 11 rate compatibility mode B G and N Beacon Interval 100 K usec DTIM Interval 10 beacon intvls short preamble disable RTS Threshold 2341 bytes QBSS Channel Util Beacon Intervl 10 beacon intvls QBSS Load Element Mode enable Single Anetenna disable show radio Displays specific 802 11n 2 4 GHz radio settings rates Displays specific 802 11n ...

Page 432: ...21 5 Mbps 7 Supported 65 0 Mbps 135 0 Mbps 8 Supported 13 0 Mbps 27 0 Mbps 9 Supported 26 0 Mbps 54 0 Mbps 10 Supported 39 0 Mbps 81 0 Mbps 11 Supported 52 0 Mbps 108 0 Mbps 12 Supported 78 0 Mbps 162 0 Mbps 13 Supported 104 0 Mbps 216 0 Mbps 14 Supported 117 0 Mbps 243 0 Mbps 15 Supported 130 0 Mbps 270 0 Mbps admin network wireless radio 802 11n 2 4 GHz admin network wireless radio 802 11n 2 4 G...

Page 433: ...e 3 7 1 47 1 504 For information on configuring the Radio 1 configuration options available to the access point using the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 CAUTION If you do NOT include the index number for example set dtim 50 the DTIMs for all four BSSIDs will be changed to 50 To change individual DTIMs for BSSIDs specify the BSS Index number for example set d...

Page 434: ... 2 4 GHz set qbss beacon 110 admin network wireless radio 802 11n 2 4 GHz set qbss mode enable For information on configuring the Radio 1 Configuration options available to the access point using the applet GUI see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 set placement Defines the access point radio placement as indoors or outdoors ch mode Determines how the radio channel is sel...

Page 435: ... for the 802 11n 2 4 GHz radio The items available under this command include Syntax show Displays advanced radio settings for the 802 11n 2 4 GHz radio set Defines advanced parameters for the 802 11n 2 4 GHz radio Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 436: ...uration is ok BSSID Primary WLAN 1 Lobby 2 HR 3 Office admin network wireless radio 802 11n 2 4 GHz advanced show wlan Warning This will display secure information Do you want to continue n y y WLAN 1 WLAN name WLAN1 ESS ID 101 Radio Band s 2 4 and 5 0 GHz VLAN none Security Policy Default QoS Policy Default Rate Limiting disabled For information on configuring Radio 1 Configuration options availa...

Page 437: ...advanced set wlan demoroom 1 admin network wireless radio 802 11n 2 4 GHz advanced set bss 1 demoroom For information on configuring Radio 1 Configuration options available to the access point using the applet GUI see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 set wlan wlan name bssid Defines advanced WLAN to BSSID mapping for the target radio bss bss id wlan name Sets the BSSID t...

Page 438: ... GHz radio The items available under this command include Syntax show Displays mesh settings and status for the 802 11n 2 4 GHz radio set Defines mesh parameters for the 802 11n 2 4 GHz radio add Adds a 802 11n 2 4 GHz radio mesh connection delete Deletes a 802 11n 2 4 GHz radio mesh connection Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits th...

Page 439: ...tax Example admin network wireless radio 802 11n 2 4 GHz mesh show config Mesh Connection Auto Select enable admin network wireless radio 802 11n 2 4 GHz mesh show status idx AP MAC Address Channel Signal dBm admin network wireless radio 802 11n 2 4 GHz mesh show config Displays the connection list configuration status Shows the available mesh connection status ...

Page 440: ...Hz mesh set Description Defines mesh parameters for the 802 11n 2 4 GHz radio Syntax Example admin network wireless radio 802 11n 2 4 GHz mesh set auto select enable admin network wireless radio 802 11n 2 4 GHz mesh show config Mesh Connection Auto Select enable set auto select Enables or disables auto select mesh connections ...

Page 441: ...io 802 11n 2 4 GHz mesh add Description Adds a 802 11n 2 4 GHz radio mesh connection Syntax Example admin network wireless radio 802 11n 2 4 GHz mesh add 2 AA21DCDD12DE add priority Defines the connection priority 1 16 mac Sets the access point MAC address ...

Page 442: ...radio 802 11n 2 4 GHz mesh delete Description Deletes a 802 11n 2 4 GHz radio mesh connection by specified index or by removing all entries Syntax Example admin network wireless radio 802 11n 2 4 GHz mesh delete 2 delete idx Deletes a mesh connection by specified index 1 16 all Removes all mesh connections ...

Page 443: ...available under this command include Syntax show Displays 802 11n 5 0 GHz radio settings set Defines specific 802 11n 5 0 GHz radio parameters advanced Displays the Advanced radio settings submenu mesh Goes to the Mesh Connections submenu Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 444: ... GHz HT Protection Mode Pure HT Channel Setting uniform spreading Power Level 20 dbm 100 mW 802 11 rate compatibility mode A and N Beacon Interval 100 K usec DTIM Interval 10 beacon intvls RTS Threshold 2341 bytes QBSS Channel Util Beacon Intervl 10 beacon intvls QBSS Load Element Mode enable Single Antenna disable show radio Displays specific 802 11n 5 0 GHz radio settings rates Displays specific...

Page 445: ...5 0 Mbps 8 Supported 13 0 Mbps 27 0 Mbps 9 Supported 26 0 Mbps 54 0 Mbps 10 Supported 39 0 Mbps 81 0 Mbps 11 Supported 52 0 Mbps 108 0 Mbps 12 Supported 78 0 Mbps 162 0 Mbps 13 Supported 104 0 Mbps 216 0 Mbps 14 Supported 117 0 Mbps 243 0 Mbps 15 Supported 130 0 Mbps 270 0 Mbps admin network wireless radio 802 11n 5 0 GHz admin network wireless radio 802 11n 5 0 GHz show aggr Radio Aggregation Set...

Page 446: ... Set 11n default Access Category CWMin CWMax AIFSN TXOPs 32 usec TXOPs ms Background 15 1023 7 0 0 000 Best Effort 15 63 3 31 0 992 Video 7 15 1 94 3 008 Voice 3 7 1 47 1 504 For information on configuring the Radio 2 Configuration options available to the access point using the applet GUI see Configuring a WLAN Access Control List ACL on page 5 35 ...

Page 447: ...ormation on configuring the Radio 2 Configuration options available to the access point using the applet GUI see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 set placement Defines the access point radio placement as indoors or outdoors ch mode Determines how the radio channel is selected channel Defines the actual channel used by the radio Channel allowed depends on actual country o...

Page 448: ...isplays the advanced submenu for the 802 11n 5 0 GHz radio The items available under this command include Syntax show Displays advanced radio settings for the 802 11n 5 0 GHz radio set Defines advanced parameters for the 802 11n 5 0 GHz radio Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 449: ...mary WLAN 1 Lobby 2 HR 3 Office admin network wireless radio 802 11n 5 0 GHz advanced show wlan Warning This will display secure information Do you want to continue n y y WLAN 1 WLAN name WLAN1 ESS ID 101 Radio 2 4 and 5 0 GHz VLAN none Security Policy Default QoS Policy Default Rate Limiting disable For information on configuring the Radio 2 Configuration options available to the access point usi...

Page 450: ... radio 802 11n 5 0 GHz advanced set wlan demoroom 1 admin network wireless radio 802 11n 5 0 GHz advanced set bss 1 demoroom For information on configuring Radio 2 Configuration options available to the access point using the applet GUI see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 set wlan wlan name bssid Defines advanced WLAN to BSSID mapping for the target 5 0 GHz radio bss bs...

Page 451: ...ble under this command include Syntax show Displays mesh settings and status for the 802 11n 5 0 GHz radio set Defines mesh parameters for the 802 11n 5 0 GHz radio add Adds a 802 11n 5 0 GHz radio mesh connection delete Deletes a 802 11n 5 0 GHz radio mesh connection Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 452: ...he 802 11n 5 0 GHz radio Syntax Example admin network wireless radio 802 11n 5 0 GHz mesh show config Mesh Connection Auto Select enable admin network wireless radio 802 11n 5 0 GHz mesh show status idx AP MAC Address Channel Signal dBm admin network wireless radio 802 11n 5 0 GHz mesh show config Displays the connection list configuration status Shows the available mesh connection status ...

Page 453: ...nes mesh parameters for the 802 11n 5 0 GHz radio Syntax Example admin network wireless radio 802 11n 5 0 GHz mesh set auto select enable admin network wireless radio 802 11n 5 0 GHz mesh show config Mesh Connection Auto Select enable set auto select Enables or disables auto select mesh connections ...

Page 454: ... admin network wireless radio 802 11n 5 0 GHz mesh add Description Adds a 802 11n 5 0 GHz radio mesh connection Syntax Example admin network wireless radio 802 11n 5 0 GHz mesh add 2 AA21DCDD12DE add priority Defines the connection priority 1 16 mac Sets the access point MAC address ...

Page 455: ...delete Description Deletes a 802 11n 5 0 GHz radio mesh connection by specified index or by removing all entries Syntax Example admin network wireless radio 802 11n 5 0 GHz mesh delete 2 delete idx Deletes a mesh connection by specified index 1 16 all Removes all mesh connections ...

Page 456: ...ccess point Quality of Service QoS submenu The items available under this command include show Displays access point QoS policy information create Defines the parameters of the QoS policy edit Edits the settings of an existing QoS policy delete Removes an existing QoS policy Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 457: ...wireless qos show policy 1 Policy Name Default Support Voice Prioritization disable Multicast Mask Address 1 01005E000000 Multicast Mask Address 2 09000E000000 WMM QOS Mode disable WMM QOS Parameter Set 11ag default For information on configuring the WLAN QoS options available to the access point using the applet GUI see Setting the WLAN Quality of Service QoS Policy on page 5 39 show summary Disp...

Page 458: ... mac index Defines primary and secondary Multicast MAC address Defines multicast address index between 1 2 wmm qos index Enables or disables the QoS policy index specified param set set name Defines the data type used with the qos policy and mesh network When set to a value other then manual editing the access category values is not necessary Options include 11g default 11b default 11g wifi 11b wi...

Page 459: ...by index for legacy VOIP devices mcast mac Defines primary and secondary Multicast MAC address wmm qos index Enables or disables the QoS policy index specified param set set name Defines the data type used with the qos policy and mesh network When set to a value other then manual editing the access category values is not necessary Options include 11g default 11b default 11g wifi 11b wifi 11g voice...

Page 460: ...ete Description Removes a QoS policy Syntax For information on configuring the WLAN QoS options available to the access point using the applet GUI see Setting the WLAN Quality of Service QoS Policy on page 5 39 delete qos name all Deletes the specified QoS polciy index or all of the policies except default policy ...

Page 461: ...cess point Rate Limiting submenu The items available under this command include show Displays Rate Limiting information for how data is processed by the access point set Defines Rate Limiting parameters for the access point Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 462: ...admin network wireless rate limiting show wlan Warning This will display secure information Do you want to continue n y y WLAN 1 WLAN Name WLAN1 ESSID 101 Radio Band s 2 4 and 5 0 GHz VLAN none Security Policy Default QoS Policy Default Rate Limiting disable For information on configuring the Rate Limiting options available to the access point using the applet GUI see Configuring MU Rate Limiting ...

Page 463: ... configuration Syntax Example admin network wireless rate limiting set mode enable admin network wireless rate limiting For information on configuring the Rate Limiting options available to the access point using the applet GUI see Configuring MU Rate Limiting on page 5 67 set mode mode Enables or disables Rate Limiting ...

Page 464: ...and include show Displays the current access point Rogue AP detection configuration set Defines the Rogue AP detection method mu scan Goes to the Rogue AP mu uscan submenu allowed list Goes to the Rogue AP Allowed List submenu active list Goes the Rogue AP Active List submenu rogue list Goes the Rogue AP List submenu Goes to the parent menu Goes to the root menu save Saves the configuration to sys...

Page 465: ...an disable MU Scan Interval 60 minutes On Channel disable Detector Radio Scan enable Auto Authorize Motorola APs disable Approved APs age out 0 minutes Rogue APs age out 0 minutes For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 show Displays the current access point Rogue AP detection configurati...

Page 466: ...l 10 minutes On Channel disable Detector Radio Scan disable Auto Authorize Motorola APs enable Approved AP age out 10 minutes Rogue AP age out 10 minutes For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 set mu scan mode Enables or disables to permit MUs to scan for rogue APs interval minutes Defin...

Page 467: ... the Rogue AP mu scan submenu Syntax add Add all or just one scan result to Allowed AP list show Displays all APs located by the MU scan start Initiates scan immediately by the MU Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 468: ...an from a user provided MAC address Syntax Example admin network wireless rogue ap mu scan start 00af8000001 admin network wireless rogue ap mu scan For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 start mu mac Initiates MU scan from user provided MAC address ...

Page 469: ...Syntax Example admin network wireless rogue ap mu scan show Scan Result Not Available admin network wireless rogue ap mu scan For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 show Displays all APs located by the MU scan ...

Page 470: ...ist Description Displays the Rogue AP allowed list submenu show Displays the rogue AP allowed list add Adds an AP MAC address and ESSID to the allowed list delete Deletes an entry or all entries from the allowed list Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 471: ...n network wireless rogue ap allowed list show Allowed AP List index ap mac essid 1 00 A0 F8 71 59 20 2 00 A0 F8 33 44 55 101 3 00 A0 F8 40 20 01 Marketing For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 show Displays the rogue AP allowed list ...

Page 472: ...00A0F83161BB 103 admin network wireless rogue ap allowed list show index ap essid 1 00 A0 F8 71 59 20 2 00 A0 F8 33 44 55 fffffffffff 3 00 A0 F8 40 20 01 Marketing 4 00 A0 F8 31 61 BB 103 For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 add mac addr ess id Adds an AP MAC address and ESSID to exist...

Page 473: ...e admin network wireless rogue ap allowed list delete 1 cfg read write failed admin network wireless rogue ap allowed list For information on configuring the Rogue AP options available to the access point using the applet GUI see Configuring Rogue AP Detection on page 6 42 delete idx 1 50 all Deletes an AP MAC address and ESSID or all addresses from the allowed list ...

Page 474: ...wireless wips Description Displays the WIPS submenu The items available under this command include show Displays the current WLAN Intrusion Prevention configuration set Sets WLAN Intrusion Prevention parameters Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 475: ...vention configuration Syntax Example admin network wireless wips show Warning This will display secure information Do you want to continue n y y WIPS Server 1 IP Address 192 168 0 21 WIPS Server 2 IP Address 10 1 1 1 admin network wireless wips show Displays the WLAN Intrusion Prevention configuration ...

Page 476: ...dmin network wireless wips set Description Sets the WLAN Intrusion Prevention configuration Syntax Example admin network wireless wips set server 1 192 168 0 21 admin network wireless wips set idx 1 and 2 ip Defines the WLAN Intrusion Prevention Server IP Address for server IPs 1 and 2 ...

Page 477: ...ning Description Displays the MU Locationing submenu The items available under this command include show Displays the current MU Locationing configuration set Defines MU Locationing parameters Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 478: ...in network wireless mu locationing show Description Displays the MU probe table configuration Syntax Example admin network wireless mu locationing show MU Probe Table Mode disable MU Probe Table Size 200 admin network wireless mu locationing show Displays the MU probe table configuration ...

Page 479: ...tax Example admin network wireless mu locationing set admin network wireless mu locationing set mode enable admin network wireless mu locationing set size 200 admin network wireless mu locationing set Defines the MU probe table configuration mode Enables disables a mu probe scan size Defines the number of MUs in the table the maximum allowed is 200 ...

Page 480: ...vailable under this command include show Displays the access point s current firewall configuration set Defines the access point s firewall parameters access Enables disables firewall permissions through the LAN and WAN ports advanced Displays interoperaility rules between the LAN and WAN ports Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits th...

Page 481: ...e syn flood attack filter enable unaligned ip timestamp filter enable source routing attack filter enable winnuke attack filter enable seq num prediction attack filter enable mime flood attack filter enable max mime header length 8192 bytes max mime headers 16 headers For information on configuring the Firewall options available to the access point using the applet GUI see Configuring Firewall Set...

Page 482: ...e routing attack filter enable winnuke attack filter enable seq num prediction attack filter enable mime flood attack filter enable max mime header length 8192 bytes max mime headers 16 headers set nat timeout interval Defines the NAT timeout value syn mode Enables or disables SYN flood attack check src mode Enables or disables source routing check win mode Enables or disables Winnuke attack check...

Page 483: ...321 tcp 2048 2048 5 lan wan abc ah 100 1000 For information on configuring the Firewall options available to the access point using the applet GUI see Configuring Firewall Settings on page 6 13 show Displays LAN to WAN access rules set Sets LAN to WAN access rules add Adds LAN to WAN exception rules delete Deletes LAN to WAN access exception rules list Displays LAN to WAN access exception rules fo...

Page 484: ...rewall adv lan access outb list Idx RuleId Src IP Netmask Dst IP Netmask Tp Src Ports Dst Ports NAT Action 1 10 111 110 0 15 157 235 205 30 all 1 65535 1 65535 none null 255 255 255 0 255 255 255 0 For information on configuring the Firewall options available to the access point using the applet GUI see Configuring Firewall Settings on page 6 13 show Shows advanced subnet access parameters set Set...

Page 485: ...s available under this command are show Displays the existing access point router configuration set Sets the RIP parameters add Adds user defined routes delete Deletes user defined routes list Lists user defined routes Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 486: ...0 255 255 255 0 0 0 0 0 wan 0 5 157 235 19 5 255 255 255 0 192 168 24 1 wan 1 Default gateway Interface wan admin network router show rip Warning This will display secure information Do you want to continue n y y rip type off rip direction both rip authentication type none rip simple auth password rip md5 id 1 1 rip md5 key 1 rip md5 id 2 2 rip md5 key 2 admin network router For information on con...

Page 487: ...ngs on page 5 68 set auth Sets the RIP authentication type none simple or MD5 dir Sets RIP direction rx tx or both id Sets MD5 authetication ID 1 256 for specific index 1 2 key Sets MD5 authetication key up to 16 characters for specified inded 1 2 passwd Sets the password up to 16 characters for simple authentication type Defines the RIP type off ripv1 ripv2 or ripv1v2 dgw iface Sets the default g...

Page 488: ...er list index destination netmask gateway interface metric 1 192 168 3 0 255 255 255 0 192 168 2 1 lan1 1 For information on configuring the Router options available to the access point using the applet GUI see Configuring Router Settings on page 5 68 add dest netmask gw iface metric Adds a route with destination IP address dest IP netmask netmask destination gateway IP address gw interface LAN1 L...

Page 489: ...0 0 255 255 255 0 0 0 0 0 lan2 0 admin network router delete 2 admin network router list index destination netmask gateway interface metric 1 192 168 2 0 255 255 255 0 0 0 0 0 lan1 0 2 192 168 0 0 255 255 255 0 0 0 0 0 lan1 0 admin network router For information on configuring the Router options available to the access point using the applet GUI see Configuring Router Settings on page 5 68 delete ...

Page 490: ...er list index destination netmask gateway interface metric 1 192 168 2 0 255 255 255 0 192 168 0 1 lan1 1 2 192 168 1 0 255 255 255 0 0 0 0 0 lan2 0 3 192 168 0 0 255 255 255 0 0 0 0 0 lan1 0 For information on configuring the Router options available to the access point using the applet GUI see Configuring Router Settings on page 5 68 list Displays a list of user defined routes ...

Page 491: ... Adaptive AP Settings submenu access Goes to the access point access submenu where access point access methods can be enabled cmgr Goes the Certificate Manager submenu snmp Goes to the SNMP submenu userdb Goes to the user database submenu radius Goes to the Radius submenu ntp Goes to the Network Time Protocol submenu logs Displays the log file submenu config Goes to the configuration file update s...

Page 492: ...ase be sure to save changes before resetting Are you sure you want to restart the AP 7131N yes no AP 7131N Boot Firmware Version 4 0 0 0 002GDN Copyright c Motorola 2009 All rights reserved Press escape key to run boot firmware Power On Self Test testing ram pass testing nor flash pass testing nand flash pass testing ethernet pass For information on restarting the access point using the applet GUI...

Page 493: ...location Atlanta Field Office admin email address johndoe mycompany com system uptime 0 days 4 hours 41 minutes AP 7131N firmware version 4 0 2 0 021GDN country code us ap mode independent serial number 05224520500336 model AP 7131N admin system For information on displaying System Settings using the applet GUI see Configuring System Settings on page 4 2 show Displays access point system informati...

Page 494: ...9 characters The access point does not allow intermediate space characters between characters within the system name For example AP7131N sales must be changed to AP7131Nsales to be a valid system name loc loc Sets the access point system location to loc 0 to 59 characters email email Sets the access point admin email address to email 0 to 59 characters cc code Sets the access point country code us...

Page 495: ...1 25 14 61 A8 C 157 235 92 179 ether 00 14 22 F3 D7 39 C 157 235 92 248 ether 00 11 25 B2 09 60 C 157 235 92 180 ether 00 0D 60 D0 06 90 C 157 235 92 3 ether 00 D0 2B A0 D4 FC C 157 235 92 181 ether 00 15 C5 0C 19 27 C 157 235 92 80 ether 00 11 25 B2 0D 06 C 157 235 92 95 ether 00 14 22 F9 12 AD C 157 235 92 161 ether 00 06 5B 97 BD 6D C 157 235 92 126 ether 00 11 25 B2 29 64 C admin system ...

Page 496: ... information on configuring power settings using the applet GUI see Configuring Power Settings on page 4 6 show Displays the current power setting configuration set Defines the access point s power setting configuration Goes to the parent menu Goes to the root menu save Saves the current configuration to the access point system flash quit Quits the CLI and exits the current session ...

Page 497: ...mple admin system power setup show Power Mode 3af Power Status Mid Power 3af Power Option option 3at Power Option default Default Radio Radio2 admin system power setup For information on configuring power settings using the applet GUI see Configuring Power Settings on page 4 6 show Displays the access point s current power configuration ...

Page 498: ... power setup set power option 3af option admin system power setup set def radio 1 For information on configuring power settings using the applet GUI see Configuring Power Settings on page 4 6 set mode Sets the power mode to either Auto or 3af Changing the power mode restarts the AP for the change to take effect power option Defines the power option def radio Defines the radio receiving access port...

Page 499: ...P Setup on page 4 11 For an overview of adaptive AP functionality and its implications see Adaptive AP on page 10 1 show Displays Adaptive AP information set Defines the Adaptive AP configuration delete Deletes static switch address assignments Goes to the parent menu Goes to the root menu save Saves the current configuration to the access point system flash quit Quits the CLI and exits the curren...

Page 500: ...P Address 4 0 0 0 0 IP Address 5 0 0 0 0 IP Address 6 0 0 0 0 IP Address 7 0 0 0 0 IP Address 8 0 0 0 0 IP Address 9 0 0 0 0 IP Address 10 0 0 0 0 IP Address 11 0 0 0 0 IP Address 12 0 0 0 0 Tunnel to Switch disable AC Keepalive 5 Load Balancing enable Current Switch 157 235 22 11 AP Adoption State AAP not adopted admin system aap setup For information on configuring adaptive AP using the applet G...

Page 501: ...stem aap setup For information on configuring adaptive AP using the applet GUI see Adaptive AP Setup on page 4 11 For an overview of adaptive AP functionality and its implications see Adaptive AP on page 10 1 set auto discovery Sets the switch auto discovery mode enable disable ipadr Defines the switch IP address used name Defines the switch name for DNS lookups up to 127 characters port Sets the ...

Page 502: ...ts Syntax Example admin system aap setup delete 1 admin system aap setup For information on configuring Adaptive AP using the applet GUI see Adaptive AP Setup on page 4 11 For an overview of adaptive AP functionality and its implications see Adaptive AP on page 10 1 delete idx Deletes static switch address assignments by selected index all Deletes all assignments ...

Page 503: ... access submenu show Displays access point system access capabilities set Goes to the access point system access submenu rmlock Removes AP login locks Goes to the parent menu Goes to the root menu save Saves the current configuration to the access point system flash quit Quits the CLI and exits the current session ...

Page 504: ...rs from LAN swan Enables disables applet HTTPS access parameters from WAN app timeout minutes Sets the applet timeout Default is 300 Mins ssh Sets the CLI SSH access parameters auth timout seconds Disables the radio interface if no data activity is detected after the interval defined Default is 120 seconds inactive timeout minutes Inactivity interval resulting in the AP terminating its connection ...

Page 505: ...le enable enable https timeout in mins 3 ssh server authentication timeout in secs 120 ssh server inactivity timeout in secs 500 remote login failure threshold SSH GUI 1 console inactivity timeout in secs 550 admin authentication mode local Login Message This is a User Configured Message Related Commands For information on configuring access point access settings using the applet GUI see Configuri...

Page 506: ... 8 174 AP7131N admin system access rmlock Description Removes AP login locks The lock can be removed through console management interface local RS 232 port only Syntax Example admin system access rmlock ssh admin system access rmlock Removes login locks of access point ...

Page 507: ...cate signed by CA listself Lists the self certificate loaded loadca Loads trusted certificate from CA delca Deletes the trusted certificate listca Lists the trusted certificate loaded showreq Displays a certificate request in PEM format delprivkey Deletes the private key listprivkey Lists names of private keys expcert Exports the certificaqte file impcert Imports the certificate file Goes to the p...

Page 508: ...lIo7wIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQCClQ5LHdbG C1f Bj8AszttSo bA4dcX3vHvhhJcmuuWO9LHS2imPA3xhX d6 Q1SMbs tG4RP0lRSr iWDyuvwx END CERTIFICATE REQUEST For information on configuring certificate management settings using the applet GUI see Managing Certificate Authority CA Certificates on page 4 18 genreq IDname Subject ou OrgUnit on OrgName cn City st State p PostCode cc CCode e Email d Domain i IP...

Page 509: ...iption Deletes a self certificate Syntax Example admin system cmgr delself MyCert2 For information on configuring self certificate settings using the applet GUI see Creating Self Certificates on page 4 20 delself IDname Deletes the self certificate named IDname ...

Page 510: ...ertificate Authority Syntax Example admin system cmgr loadself 1 Currently Only certificates in PEM format can be uploaded Enter Ctrl C to abort Paste the certificate For information on configuring self certificate settings using the applet GUI see Creating Self Certificates on page 4 20 loadself IDname Load the self certificate signed by the CA with name IDname ...

Page 511: ...oaded self certificates Syntax Example admin system cmgr listself Self Certificate List admin system cmgr For information on configuring self certificate settings using the applet GUI see Creating Self Certificates on page 4 20 listself Lists all self certificates that are loaded ...

Page 512: ...cate Authority Syntax Example admin system cmgr loadca Currently Only certificates in PEM format can be uploaded Enter Ctrl C to abort Paste the certificate For information on configuring certificate settings using the applet GUI see Importing a CA Certificate on page 4 18 loadca Loads the trusted certificate in PEM format only that is pasted into the command line ...

Page 513: ...min system cmgr delca Description Deletes a trusted certificate Syntax For information on configuring certificate settings using the applet GUI see Importing a CA Certificate on page 4 18 delca IDname Deletes the trusted certificate ...

Page 514: ... Guide 8 182 AP7131N admin system cmgr listca Description Lists the loaded trusted certificate Syntax For information on configuring certificate settings using the applet GUI see Importing a CA Certificate on page 4 18 listca Lists the loaded trusted certificates ...

Page 515: ...on Displays a certificate request in PEM format Syntax For information on configuring certificate settings using the applet GUI see Importing a CA Certificate on page 4 18 showreq IDname Displays a certificate request named IDname generated from the genreq command ...

Page 516: ...nce Guide 8 184 AP7131N admin system cmgr delprivkey Description Deletes a private key Syntax For information on configuring certificate settings using the applet GUI see Creating Self Certificates on page 4 20 delprivkey IDname Deletes private key named IDname ...

Page 517: ...rivkey Description Lists the names of private keys Syntax For information on configuring certificate settings using the applet GUI see Importing a CA Certificate on page 4 18 listprivkey Lists all private keys and displays their certificate associations ...

Page 518: ...nreq generate a certificate request delself deletes a signed certificate loadself loads a signed certficiate signed by the CA listself lists the loaded signed self certificate loadca loads the root CA certificate delca deletes the root CA certificate listca lists the loaded root CA certificate showreq displays certificate request in PEM format delprivkey deletes the private key listprivkey lists t...

Page 519: ... request delself deletes a signed certificate loadself loads a signed certficiate signed by the CA listself lists the loaded signed self certificate loadca loads the root CA certificate delca deletes the root CA certificate listca lists the loaded root CA certificate showreq displays certificate request in PEM format delprivkey deletes the private key listprivkey lists the names of the private key...

Page 520: ...AP7131N admin system snmp Description Displays the SNMP submenu The items available under this command are shown below access Goes to the SNMP access submenu traps Goes to the SNMP traps submenu Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 521: ... the SNMP Access menu The items available under this command are shown below show Shows SNMP v3 engine ID add Adds SNMP access entries delete Deletes SNMP access entries list Lists SNMP access entries Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 522: ...iption Shows the SNMP v3 engine ID Syntax Example admin system snmp access show eid AP 7131N snmp v3 engine id 000001846B8B4567F871AC68 admin system snmp access For information on configuring SNMP access settings using the applet GUI see Configuring SNMP Access Control on page 4 33 show eid Shows the SNMP v3 Engine ID ...

Page 523: ...sername 1 to 31 characters access read write access ro rw oid string 1 to 127 chars E g 1 3 6 1 sec security auth priv auth algorithm sha1 required only if sec is auth auth priv pass1 auth password 8 to 31 chars required only if sec is auth auth priv priv algorithm aes required only if sec is auth priv pass2 privacy password 8 to 31 chars required only if sec is auth priv The following parameters ...

Page 524: ...9 236 24 46 admin system snmp access delete acl all admin system snmp access list acl index start ip end ip For information on configuring SNMP access settings using the applet GUI see Configuring SNMP Access Control on page 4 33 delete acl idx Deletes entry idx 1 10 from the access control list all Deletes all entries from the access control list v3 idx Deletes entry idx 1 10 from the v3 user def...

Page 525: ...ant to continue n y y index 1 username user access permission read write object identifier 1 3 6 1 security level auth priv auth algorithm sha1 auth password privacy algorithm aes privacy password admin system snmp access For information on configuring SNMP access settings using the applet GUI see Configuring SNMP Access Control on page 4 33 list acl Lists SNMP access control list entries v3 idx L...

Page 526: ...ion Displays the SNMP traps submenu The items available under this command are shown below show Shows SNMP trap parameters set Sets SNMP trap parameters add Adds SNMP trap entries delete Deletes SNMP trap entries list Lists SNMP trap entries Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI ...

Page 527: ...etwork Traps physical port status change enable denial of service enable denial of service trap rate limit 10 seconds SNMP System Traps system cold start disable system config changed disable rogue ap detection disable ap radar detection disable wpa counter measure disable mu hotspot status disable vlan disable lan monitor disable DynDNS Update enable For information on configuring SNMP traps usin...

Page 528: ...e trap interval rate Sets denial of service trap interval cold enable disable Enables disables the system cold start trap cfg enable disable Enables disables a configuration changes trap rogue ap enable disable Enables disables a trap when a rogue ap is detected ap radar enable disable Enables disables the AP Radar Detection trap wpa counter enable disable Enables disables the WPA counter measure ...

Page 529: ...acy password For information on configuring SNMP traps using the applet GUI see Configuring SNMP RF Trap Thresholds on page 4 39 add v3 ip user sec auth pass1 priv pass2 Adds an entry to the SNMP v3 access list with the destination IP address set to ip the destination UDP port is set to port the username set to user 1 to 31 characters and the authentication type set to one of auth or auth priv The...

Page 530: ...Description Deletes SNMP trap entries Syntax Example admin system snmp traps delete v3 all For information on configuring SNMP traps using the applet GUI see Configuring SNMP Settings on page 4 27 delete v3 idx Deletes entry idx from the v3 access control list all Deletes all entries from the v3 access control list ...

Page 531: ...nmp traps list v3 all index 1 destination ip 201 232 24 33 destination port 555 username BigBoss security level none auth algorithm sha1 auth password privacy algorithm aes privacy password For information on configuring SNMP traps using the applet GUI see Configuring SNMP RF Trap Thresholds on page 4 39 ist v3 idx Lists SNMP v3 access entry idx 1 10 all Lists all SNMP v3 access entries ...

Page 532: ...escription Goes to the user database submenu Syntax For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 user Goes to the user submenu group Goes to the group submenu save Saves the configuration to system flash Goes to the parent menu Goes to the root menu ...

Page 533: ... Group on page 6 67 Wireless Users add Adds a new user delete Deletes a new user clearall Removes all existing user IDs from the system set Sets a password for a user show Displays the current user database configuration Goes to the parent menu Goes to the root menu save Saves the configuration to system flash Management Users mgmt user add Adds a new management user mgmt delete Deletes a manageme...

Page 534: ...w user to the user database Syntax Example admin system userdb user add george password admin system userdb user For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 add Adds a new user ID id and password pw string 8 19 characters to the user database ...

Page 535: ...er database Syntax Example admin system userdb user delete george admin system userdb user For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 delete Removes a user ID id and password pw string from the user database ...

Page 536: ...scription Removes all existing user IDs from the system Syntax Example admin system userdb user clearall admin system userdb user For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 clearall Removes all existing user IDs from the system ...

Page 537: ...ax Example admin system userdb user set george password admin system userdb user For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 set user pw Sets user id and password pw string 8 19 characters for a specific user ...

Page 538: ...06 AP7131N admin system userdb user mgmt add Description Adds a new management user Syntax Example admin system userdb user mgmt add John Motorola123 admin system userdb user mgmt add user pw Creates a user id and password pw string 8 19 characters for a new management user ...

Page 539: ...7 AP7131N admin system userdb user mgmt delete Description Deletes a management user identity Syntax Example admin system userdb user mgmt delete george admin system userdb user mgmt delete user Deletes a management user ...

Page 540: ... AP7131N admin system userdb user mgmt clearall Description Removes all the management user accounts except admin account Syntax Example admin system userdb user mgmt clearall admin system userdb user mgmt clearall Removes all the management user accounts except admin account ...

Page 541: ...r mgmt set Description Sets the password for management user Syntax Example admin system userdb user mgmt set john motorola123 admin system userdb user mgmt set user pw Sets a user id and password pw string 8 19 characters for a specific management user ...

Page 542: ...s existing user details Syntax Example admin system userdb user show mgmt users Warning This will display secure information Do you want to continue n y y List of User Ids John admin system userdb user show mgmt users Displays existing management users users Displays configured user IDs for a group groups Displays configured groups ...

Page 543: ...atabase permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 create Creates a group name delete Deletes a group name clearall Removes all existing group names from the system add Adds a user to an existing group remove Removes a user from an existing group show Displays existing groups save Saves the configuration to system flash Goes to the parent menu Moves...

Page 544: ...p name Once defined users can be added to the group Syntax Example admin system userdb group create 2 admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 create Creates a group name string Once defined users can be added to the group ...

Page 545: ...tes an existing group Syntax Example admin system userdb group delete 2 admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 delete Deletes an existing group name string ...

Page 546: ...ption Removes all existing group names from the system Syntax Example admin system userdb group clearall admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 clearall Removes all existing group names from the system ...

Page 547: ...ting group Syntax Example admin system userdb group add lucy group x admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 add userid group Adds a user userid to an existing group group ...

Page 548: ...emoves a user from an existing group Syntax Example admin system userdb group remove lucy group x admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 remove userid group Removes a user userid from an existing group group ...

Page 549: ...re information Do you want to continue n y y List of Group Names engineering marketing demo room admin system userdb group For information on configuring User Database permissions using the applet GUI see Defining User Access Permissions by Group on page 6 67 show Displays existing groups and users users Displays configured user IDs for a group groups Displays configured groups ...

Page 550: ...ing Radius using the applet GUI see Configuring User Authentication on page 6 52 eap Goes to the EAP submenu policy Goes to the access policy submenu ldap Goes to the LDAP submenu proxy Goes to the proxy submenu client Goes to the client submenu set Sets Radius parameters show Displays Radius parameters save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to...

Page 551: ...base Syntax Example admin system radius set database local admin system radius show all Database local admin system radius For information on configuring Radius using the applet GUI see Configuring User Authentication on page 6 52 set Sets the Radius user database show all Displays the Radius user database ...

Page 552: ... on configuring EAP Radius using the applet GUI see Configuring User Authentication on page 6 52 peap Goes to the Peap submenu ttls Goes to the TTLS submenu import Imports the requested EAP certificates set Defines EAP parameters show Displays the EAP configuration save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 553: ... Syntax For information on configuring PEAP Radius using the applet GUI see Configuring User Authentication on page 6 52 set Defines Peap parameters show Displays the Peap configuration save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 554: ...and displays Peap parameters Syntax Example admin system radius eap peap set auth gtc admin system radius eap peap show PEAP Auth Type gtc For information on configuring EAP PEAP Radius values using the applet GUI see Configuring User Authentication on page 6 52 set Sets the Peap authentication type show Displays the Peap authentication type ...

Page 555: ...x For information on configuring EAP TTLS Radius values using the applet GUI see Configuring User Authentication on page 6 52 set Defines TTLS parameters show Displays the TTLS configuration save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 556: ...displays TTLS parameters Syntax Example admin system radius eap ttls set auth pap admin system radius eap ttls show TTLS Auth Type pap For information on configuring EAP TTLS Radius values using the applet GUI see Configuring User Authentication on page 6 52 set Sets the default TTLS authentication type show Displays the TTLS authentication type ...

Page 557: ...nfiguring Radius access policies using the applet GUI see Configuring User Authentication on page 6 52 set Sets a group s WLAN access policy access time Goes to the time based login submenu show Displays the group s access policy save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 558: ...LAN access policy Syntax Example admin system radius policy set engineering 16 admin system radius policy For information on configuring Radius WLAN policy values using the applet GUI see Configuring User Authentication on page 6 52 set group name wlan name Defines the group s group name WLAN access policy defined as a string delimited by a space ...

Page 559: ...ime permissions Access time is in Day DDDD DDDD format show Displays the group s access time rule save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu Context Command Description system radius policy access time set start time group value group Valid group name value 4 digit value representing HHMM 0000 2359 allowed system radius policy acce...

Page 560: ...min system radius policy show Warning This will display secure information Do you want to continue n y y List of Access Policies engineering 16 marketing 10 demo room 3 test demo No Wlans admin system radius policy For information on configuring Radius WLAN policy values using the applet GUI see Configuring User Authentication on page 6 52 show Displays a group s access policy ...

Page 561: ...For information on configuring a Radius LDAP server using the applet GUI see Configuring LDAP Authentication on page 6 57 set Defines the LDAP parameters show all Displays existing LDAP parameters save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 562: ...LANgroup admin system radius ldap set filter 123 admin system radius ldap set membership radiusGroupName admin system radius ldap For information on configuring a Radius LDAP server using the applet GUI see Configuring LDAP Authentication on page 6 57 set Defines the LDAP parameters ipadr Sets LDAP IP address binddn Sets LDAP bind distinguished name basedn Sets LDAP base distinguished name passwd ...

Page 563: ...s LDAP Base DN o radius LDAP Login Attribute uid Stripped User Name User Name LDAP Password attribute userPassword LDAP Group Name Attribue Wlangroup LDAP Group Membership Filter objectClass GroupOfNames member Ldap objectClass GroupOfUniqueNames uniquemember Ldap UserDn LDAP Group Membership Attribute radiusGroupName admin system radius ldap For information on configuring a Radius LDAP server usi...

Page 564: ...nfiguring Radius proxy server values using the applet GUI see Configuring a Proxy Radius Server on page 6 59 add Adds a proxy realm delete Deletes a proxy realm clearall Removes all proxy server records set Sets proxy server parameters show Displays current Radius proxy server parameters save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 565: ...elot 157 235 241 22 1812 muddy admin system radius proxy For information on configuring Radius proxy server values using the applet GUI see Configuring a Proxy Radius Server on page 6 59 add Adds a proxy realm name name Realm name ip1 ip1 Authentication server IP address The default port is set to 1812 sec sec Shared secret password ...

Page 566: ...tem radius proxy delete Description Adds a proxy Syntax Example admin system radius proxy delete lancelot admin system radius proxy For information on configuring Radius proxy server values using the applet GUI see Configuring a Proxy Radius Server on page 6 59 delete name Deletes a realm name ...

Page 567: ...server records from the system Syntax Example admin system radius proxy clearall admin system radius proxy For information on configuring Radius proxy server values using the applet GUI see Configuring a Proxy Radius Server on page 6 59 clearall Removes all proxy server records from the system ...

Page 568: ...radius proxy set count 5 admin system radius proxy For information on configuring Radius proxy server values using the applet GUI see Configuring a Proxy Radius Server on page 6 59 set Sets Radius proxy server parameters delay Defines retry delay time in seconds for the proxy server The minimum value is 5 and maximum value is 10 count Defines retry count value for the proxy server The minimum valu...

Page 569: ...us client values using the applet GUI see Configuring the Radius Server on page 6 52 add Adds a Radius client to list of available clients delete Deletes a Radius client from list of available clients show Displays a list of configured clients save Saves the configuration to system flash quit Quits the CLI Goes to the parent menu Goes to the root menu ...

Page 570: ...tax Example admin system radius client add 157 235 132 11 255 255 255 225 muddy admin system radius client For information on configuring Radius client values using the applet GUI see Configuring the Radius Server on page 6 52 add Adds a proxy ip ip Client s IP address mask ip1 Network mask address of the client secret sec Shared secret password The password length must be 8 16 characters ...

Page 571: ...e to the Radius server Syntax Example admin system radius client delete 157 235 132 11 admin system radius client For information on configuring Radius client values using the applet GUI see Configuring the Radius Server on page 6 52 delete ipadr Removes a specified Radius client ipadr from those available to the Radius server ...

Page 572: ...stem radius client show Warning This will display secure information Do you want to continue n y y Idx Subnet Host Netmask SharedSecret 1 157 235 132 11 255 255 255 225 admin system radius client For information on configuring Radius client values using the applet GUI see Configuring the Radius Server on page 6 52 show Removes a specified Radius client from those available to the Radius server ...

Page 573: ...gured accurately on the access point Syntax For information on configuring NTP using the applet GUI see Configuring Network Time Protocol NTP on page 4 41 show Shows NTP parameters settings date zone Show date time and time zone zone list Displays list of time zones set Sets NTP parameters Goes to the parent menu Goes to the root menu save Saves the configuration to system flash quit Quits the CLI...

Page 574: ...plays the NTP server configuration Syntax Example admin system ntp show current time Tue 2011 Dec 13 16 58 59 0530 IST time zone Asia Calcutta ntp mode disable admin system ntp For information on configuring NTP using the applet GUI see Configuring Network Time Protocol NTP on page 4 41 show Shows all NTP server settings ...

Page 575: ...tp date zone Date Time Tue 2011 Jan 02 18 35 37 0000 UTC Time Zone UTC CliAuditLog User admin Command date zone Status success From Ssh 172 16 10 10 MU_Mac NULL admin system ntp For information on configuring NTP using the applet GUI see Configuring Network Time Protocol NTP on page 4 41 date zone Show date time and time zone ...

Page 576: ...tem ntp zone list Index TimeZone 1 Africa Abidjan 2 Africa Accra 3 Africa Addis_Ababa 4 Africa Algiers 5 Africa Asmera 6 Africa Bamako 7 Africa Bangui 8 Africa Banjul 9 Africa Bissau 10 Africa Blantyre Hit any key to continue admin system ntp For information on configuring NTP using the applet GUI see Configuring Network Time Protocol NTP on page 4 41 zone list Displays list of time zone indexes f...

Page 577: ...on on configuring NTP using the applet GUI see Configuring Network Time Protocol NTP on page 4 41 set mode ntp mode Enables or disables NTP server idx ip Sets the NTP sever IP address intrvl period Defines the clock synchronization interval used between the access point and the NTP server in minutes 15 65535 time time Sets the current system time yyyy year mm month dd day of the month hh hour of t...

Page 578: ...plays the access point log submenu Logging options include Syntax show Shows logging options filter show Shows all filters set Sets log options and parameters unset filter Unsets filters view Views system log delete Deletes the system log Goes to the parent menu Goes to the root menu save Saves configuration to system flash quit Quits the CLI ...

Page 579: ...ng settings Syntax Example admin system logs show log level L6 Info syslog server logging enable syslog server ip address 192 168 0 102 For information on configuring logging settings using the applet GUI see Logging Configuration on page 4 45 show Displays the current access point logging configuration ...

Page 580: ...ce console MU MAC any IP address any Filter Precedence 3 is not yet set Filter Precedence 4 is not yet set Filter Precedence 5 is not yet set Filter Precedence 6 is not yet set Filter Precedence 7 is not yet set Filter Precedence 8 is not yet set Filter Precedence 9 is not yet set Filter Precedence 10 is not yet set admin system logs admin system logs filter show 2 Filter Precedence 2 Permission l...

Page 581: ... 2 Unset Filter precedence 3 is not yet set Filter precedence 4 is not yet set Filter precedence 5 is not yet set Filter precedence 6 is not yet set Filter precedence 7 is not yet set Filter precedence 8 is not yet set Filter precedence 9 is not yet set Filter precedence 10 is not yet set admin system logs unset filter idx Unsets filters based on the specified rule precedence number all Unsets all...

Page 582: ...o the system log L0 Emergency L1 Alert L2 Critical L3 Errors L4 Warning L5 Notice L6 Info default setting L7 Debug mode mode Enables or disables syslog server logging ipadr ip Sets the external syslog server IP address to ip a b c d audit filter Sets audit filter for filtering the logs rule Sets the rule precedence value from 1 10 for filtering the logs log no log Allows or Disallows system loggin...

Page 583: ...n 7 16 16 01 none CC 4 16pm up 6 days 16 16 load average 0 00 0 01 0 00 Jan 7 16 16 01 none CC Mem 62384 32520 29864 0 0 Jan 7 16 16 01 none CC 0000077e 0012e95b 0000d843 00000000 00000003 0000121 e 00000000 00000000 0037ebf7 000034dc 00000000 00000000 00000000 Jan 7 16 16 13 none klogd ps log fc queue maintenance Jan 7 16 16 44 none klogd ps log fc queue maintenance Jan 7 16 17 15 none klogd ps l...

Page 584: ... 8 252 AP7131N admin system logs delete Description Deletes the log files Syntax Example admin system logs delete For information on configuring logging settings using the applet GUI see Logging Configuration on page 4 45 delete Deletes the access point system log file ...

Page 585: ... partial default access point configuration show Shows import export parameters set Sets import export access point configuration parameters export Exports access point configuration to a designated system import Imports configuration to the access point transfer_keys_cfg Exports SSH keys to turn off interactive mode Goes to the parent menu Goes to the root menu save Saves the configuration to acc...

Page 586: ... point factory default configuration Syntax Example admin system config default Are you sure you want to default the configuration yes no For information on importing exporting access point configurations using the applet GUI see Importing Exporting Configurations on page 4 47 default Restores the access point to the original factory configuration ...

Page 587: ... SNMP settings are uneffected by the partial restore Syntax Example admin system config partial Are you sure you want to partially default AP 7131N yes no For information on importing exporting access point configurations using the applet GUI see Importing Exporting Configurations on page 4 47 default Restores a partial access point configuration ...

Page 588: ...on file Syntax Example admin system config show Warning This will display secure information Do you want to continue n y y cfg filename cfg txt cfg filepath sftp server ip address 192 268 0 10 sftp user name For information on importing exporting access point configurations using the applet GUI see Importing Exporting Configurations on page 4 47 show Shows all import export parameters ...

Page 589: ... line such as set rf function X wips wlan where X is 1 or 2 is never generated For configuration file import the legacy command set rf function X wips wlan is processed There is no CLI menu allowing the user to enter set rf function X wips wlan where X is 1 or 2 Instead the command set radio configX where X is 1 2 3 4 5 6 7 or 8 is created in the configuration files for export For information on i...

Page 590: ... progress File transfer Done Export Operation Done For information on importing exporting access point configurations using the applet GUI see Importing Exporting Configurations on page 4 47 export sftp Exports the access point configuration to the SFTP server Use the set command to set the server user password and file name before using this command CAUTION Make sure a copy of the access point s ...

Page 591: ...ee Importing Exporting Configurations on page 4 47 import sftp Imports the access point configuration file from the SFTP server Use the set command to set the server user password and file CAUTION A single radio model access point cannot import export its configuration to a dual radio model access point In turn a dual radio model access point cannot import export its configuration to a single radi...

Page 592: ...n system config transfer_keys_cfg Description Exports SSH keys in order to turn off interactive mode Syntax Example admin system config transfer_keys_cfg Transfer of ssh public key in progress Done admin system config transfer_keys Exports SSH keys in order to turn off interactive mode xx ...

Page 593: ...rmware regardless of whether the reboot is conducted uing the GUI or CLI interfaces show Displays the current access point firmware update settings set Defines the access point firmware update parameters transfer_keys_fw Exports ssh keys to turn off interactive mode for firmware update Executes the firmware update Goes to the parent menu Goes to the root menu save Saves the current configuration t...

Page 594: ...in system fw update show Warning This will display secure information Do you want to continue n y y firmware filename apn bin firmware path sftpboot sftp server ip address 168 197 2 2 sftp user name jsmith For information on updating access point device firmware using the applet GUI see Updating Device Firmware on page 4 51 show Shows the current system firmware update settings for the access poin...

Page 595: ...235 111 22 admin system fw update set user mudskipper For information on updating access point device firmware using the applet GUI see Updating Device Firmware on page 4 51 set file name Defines the firmware file name 1 to 39 characters path path Specifies a path for the file 1 to 39 characters server ip The IP address for the SFTP server used for the firmware and or config file update user name ...

Page 596: ... firmware Syntax Example admin system fw update transfer_keys_fw ssh keygen for cli in progress Transfer of ssh public key in progress for CLI ssh keygen for applet in progress Transfer of ssh public key in progress for Applet Checking For Image Verification Keys Required for Firmware Upgrade for Applet Done admin system fw update transfer_keys_fw Exports ssh keys to turn off interactive mode on f...

Page 597: ...ss point device firmware using the applet GUI see Updating Device Firmware on page 4 51 update mode Defines the sftp mode used to conduct the firmware update Specifies whether the update is executed over the access point s WAN LAN1 or LAN2 interface NOTE The access point must complete the reboot process to successfully update the device firmware regardless of whether the reboot is conducted uing t...

Page 598: ...menu The items available under this command are shown below run self test Performs self test zeroisekeys Zeroization of critical security parameters showlog Displays the PoST Log File success or error status Goes to the parent menu Goes to the root menu save Saves the current configuration to the access point system flash quit Quits the CLI and exits the current session ...

Page 599: ...18 47 52 2012 6e HMAC SHA 224 hash successful Fri Aug 31 18 47 52 2012 6f HMAC SHA 256 hash successful Fri Aug 31 18 47 52 2012 6g HMAC SHA 384 hash successful Fri Aug 31 18 47 52 2012 6h HMAC SHA 512 hash successful Fri Aug 31 18 47 52 2012 The tests completed without errors Fri Aug 31 18 47 52 2012 openSSL power up self test successful Fri Aug 31 18 47 52 2012 FIPS power up tests for wireless cr...

Page 600: ...e concatenated into a combined key and the SHA 256 hash of this combined key is calculated This hash value is stored in a file As authorized users create custom keys to use instead of the defaults this process is repeated to generate a new hash over the modified keyset During startup the combined SHA 256 Hash of the persistent keys are calculated and compared against the stored hash value This int...

Page 601: ...quired Syntax admin system fips test zeroisekeys WARNING Zeroizing Do you want to continue n y WARNING Zeroizing Do you want to continue n y y System will now reset for restoring default configuration After the system restarts you will need to set the country code for correctc operation admin system fips test zeroisekeys Conducts a zeroization of critical security parameters The country code must ...

Page 602: ...ference Guide 8 270 AP7131N admin system fips test showlog Description Displays the PoST Logs File file success or error state Syntax admin system fips test showlog admin system fips test showlog file Displays the PoST Logs File file success or error state ...

Page 603: ...Displays access point WLAN MU LAN and WAN statistics clear Clears all statistic counters to zero flash all leds Starts and stops the flashing of all access point LEDs echo Defines the parameters for pinging a designated station ping Iniates a ping test Moves to the parent menu Goes to the root menu save Saves the current configuration to system flash quit Quits the CLI ...

Page 604: ...ewing MU Statistics Summary on page 7 25 For information on displaying Mesh statistics using the applet GUI see Viewing the Mesh Statistics Summary on page 7 32 For information on displaying Known AP statistics using the applet GUI see Viewing Known Access Point Statistics on page 7 34 show wan Displays stats for the access point WAN port lan Displays stats for the access point LAN port stp Displa...

Page 605: ...N index either clear lan 1 or clear lan 2 all rf Clears all RF data all wlan Clears all WLAN summary information wlan Clears individual WLAN statistic counters all radio Clears access point radio summary information radio1 Clears statistics counters specific to radio1 radio2 Clears statistics counters specific to radio2 all mu Clears all MU statistic counters mu Clears MU statistics counters known...

Page 606: ...int s LEDs Syntax Example admin stats admin stats flash all leds 1 start Password admin stats flash all leds 1 stop admin stats For information on flashing access point LEDs using the applet GUI see Viewing Known Access Point Statistics on page 7 34 flash all leds index Defines the Known AP index number of the target AP to flash stop start Begins or terminates the flash activity ...

Page 607: ...ntax For information on MU Echo and Ping tests using the applet GUI see Pinging Individual MUs on page 7 30 show Shows the Mobile Unit Statistics Summary list Defines echo test parameters and result set Determines echo test packet data start Begins echoing the defined station Goes to parent menu Goes to root menu quit Quits CLI session ...

Page 608: ...n Shows Mobile Unit Statistics Summary Syntax Example admin stats echo show Idx IP Address MAC Address WLAN Radio T put ABS Retries 1 192 168 2 0 00 A0F8 72 57 83 demo 11a For information on MU Echo and Ping tests using the applet GUI see Pinging Individual MUs on page 7 30 show Shows Mobile Unit Statistics Summary ...

Page 609: ...results Syntax Example admin stats echo list Station Address 00A0F8213434 Number of Pings 10 Packet Length 10 Packet Data in HEX 55 admin stats echo For information on MU Echo and Ping tests using the applet GUI see Pinging Individual MUs on page 7 30 list Lists echo test parameters and results ...

Page 610: ...ters of the echo test Syntax For information on MU Echo and Ping tests using the applet GUI see Pinging Individual MUs on page 7 30 set station mac Defines MU target MAC address request num Sets number of echo packets to transmit 1 539 length num Determines echo packet length in bytes 1 539 data hex Defines the particular packet data ...

Page 611: ...xample admin stats echo start admin stats echo list Station Address 00A0F843AABB Number of Pings 10 Packet Length 100 Packet Data in HEX 1 Number of MU Responses 2 For information on MU Echo and Ping tests using the applet GUI see Pinging Individual MUs on page 7 30 start Initiates the echo test ...

Page 612: ...a ping test to an AP with the same ESSID Syntax For information on Known AP tests using the applet GUI see Pinging Individual MUs on page 7 30 ping show Shows Known AP Summary details list Defines ping test packet length set Determines ping test packet data start Begins pinging the defined station Goes to parent menu Goes to root menu quit Quits CLI session ...

Page 613: ...dmin stats ping show Description Shows Known AP Summary Details Syntax Example admin stats ping show Idx IP Address MAC Address MUs KBIOS Unit Name 1 192 168 2 0 00 A0F8 72 57 83 3 0 access point show Shows Known AP Summary Details ...

Page 614: ...Lists ping test parameters and results Syntax Example admin stats ping list Station Address 00A0F8213434 Number of Pings 10 Packet Length 10 Packet Data in HEX 55 admin stats ping For information on Known AP tests using the applet GUI see Pinging Individual MUs on page 7 30 list Lists ping test parameters and results ...

Page 615: ...et request 10 admin stats ping set length 100 admin stats ping set data 1 admin stats ping For information on Known AP tests using the applet GUI see Pinging Individual MUs on page 7 30 set station Defines the AP target MAC address request Sets number of ping packets to transmit 1 539 length Determines ping packet length in bytes 1 539 data Defines the particular packet data ...

Page 616: ...Initiates the ping test Syntax Example admin stats ping start admin stats ping list Station Address 00A0F843AABB Number of Pings 10 Packet Length 100 Packet Data in HEX 1 Number of AP Responses 2 For information on Known AP tests using the applet GUI see Pinging Individual MUs on page 7 30 start Initiates the ping test ...

Page 617: ...locate other access points using the WLAP client s ESSID Then it is required to go through the association and authentication process to establish wireless connections with the located devices This association process is identical to the access point s current MU association process Once the association and authentication process is complete the wireless client adds the connection as a port on its...

Page 618: ... is not blocked Once the client bridge establishes at least one wireless connection it begins establishing other wireless connections as it finds them available Thus the client bridge is able to establish simultaneous redundant links A mesh network must use one of the two access point LANs If intending to use the access point for mesh networking support Motorola recommends configuring at least one...

Page 619: ...red preferred connection list The association and authentication process is identical to the MU association process The client access point sends 802 11 authentication and association frames to the base access point The base access point responds as if the client is an actual mobile unit Depending on the security policy the two access point s engage in the normal handshake mechanism to establish k...

Page 620: ...ase bridge AP 2 repeater both a base and client bridge In the case of a mesh enabled radio the client bridge configuration always takes precedence over the base bridge configuration Therefore when a radio is configured as a repeater AP 2 the base bridge configuration takes effect only after the client bridge connection to AP 1 is established Thus AP 2 keeps scanning to find the base bridge form th...

Page 621: ...assigned to one of two different subnets From a layer 2 perspective the system has two different bridge functionalities each with its own STP The WLAN assignment controls the subnet LAN1 or 2 upon which a given connection resides If WLAN2 is assigned to LAN1 and WLAN2 is used to establish a client bridge connection then the mesh network connection resides on LAN1 Therefore depending upon the WLAN ...

Page 622: ... other access points mesh network configuration parameters will get sent or saved to other access points However if using the Known AP Statistics screen s Send Cfg to APs functionality auto select and preferred list settings do not get imported CAUTION When using the Import Export screen to import a mesh supported configuration do not import a base bridge configuration into an existing client brid...

Page 623: ...he user does not necessarily have to change these settings as the default settings will work However Motorola encourages the user to define an access point as a base bridge and root using the base bridge priority settings within the Bridge STP Configuration screen Members of the mesh network can be configured as client bridges or additional base bridges with a higher priority value To define a LAN...

Page 624: ...ult bridge priority of 63335 Maximum Message age The Maximum Message age timer is used with the Message Age timer The Message Age timer is used to measure the age of the received protocol information recorded for a port and to ensure the information is discarded when it exceeds the value set for the Maximum Message age timer Hello Time The Hello Time is the time between each bridge protocol data u...

Page 625: ...mbers of the mesh network 1 Select Network Configuration Wireless from the AP 7131 menu tree The Wireless Configuration screen displays with those existing WLANs displayed within the table 2 Select the Create button to configure a new WLAN specifically to support mesh networking An existing WLAN can be modified or used as is for mesh networking support by selecting it from the list of available WL...

Page 626: ...e it from WLANs defined for non mesh support The name assigned to the WLAN is what is selected from the Radio Configuration screen for use within the mesh network NOTE It is possible to have different ESSID and WLAN assignments within a single mesh network one set between the Base Bridge and repeater and another between the repeater and Client Bridge However for ease of management and to not waste...

Page 627: ...ed 6 Select the Enable Client Bridge Backhaul checkbox to make this WLAN available in the Mesh Network Name drop down menu within the Radio Configuration screen Only WLANs defined for mesh networking support should have this checkbox selected in order to keep the list of WLANs available within the Radio Configuration screen restricted to just WLANs configured specifically with mesh attributes 7 Re...

Page 628: ...evices within the mesh network If a hacker tries to find an ESSID via an MU the access point s ESSID does not display since the ESSID is not in the beacon Motorola recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN 11 Select the Accept Broadcast ESSID checkbox to associate an MU that has a blank ESSID regardless of which ESSID the access point is currently usin...

Page 629: ... Configuration Wireless Radio Configuration from the access point menu tree NOTE The dual radio model AP 7131N FGR affords users better optimization of the mesh network feature by allowing the access point to transmit to other access points in base or client bridge mode using one independent radio and transmit with its associated devices using the second independent radio A single radio access poi...

Page 630: ... is an existing radio within a mesh network these values update in real time NOTE With this 4 0 release of the access point firmware a new scheme for radio configuration and WIPS server management has been implemented within the Quick Setup GUI applet Up to eight radio buttons are now available depending on the number radios supported by the SKU These radio buttons define how WLAN and WIPS are sup...

Page 631: ...use the Mesh Network Name drop down menu to select the WLAN ESS the client bridge uses to establish a wireless link The default setting is WLAN1 Motorola recommends creating and naming a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non Mesh supported WLANs For more information see Configuring a WLAN for Mesh Networking Support on page 9 9 Once the set...

Page 632: ...s becomes unavailable 8 Refer to the Available Base Bridge List to view devices located by the access point using the WLAN selected from the Radio Configuration screen Refer the following for information on located base bridges NOTE Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen NOTE Auto ...

Page 633: ...ck the Down button to decrease its likelihood of being selected as a member of the mesh network 13 If a device MAC address is on the Preferred Base Bridge List and constitutes a threat as a potential member of the mesh network poor RSSI etc select it and click the Remove button to exclude it from the preferred list If all of the members of the Preferred Base Bridge List constitute a risk as a memb...

Page 634: ...dio 1 does not have a mesh connection the other radio radio 2 is not affected Radio 2 continues to beacon and associate MUs but MU s can only communicate amongst themselves using the access point Disabled is the default value Uplink Detect When Uplink Detect is selected the access point only boots up the radio configured as a client bridge The access point boots up the second radio as soon as the ...

Page 635: ... from the AP 7131 menu tree For additional information on configuring the access point s radio see Configuring the 802 11a n or 802 11b g n Radio on page 5 56 For two fictional deployment scenarios see Mesh Network Deployment Quick Setup on page 9 20 CAUTION When defining a Mesh configuration and changes are saved the mesh network temporarily goes down The mesh network is unavailable because the a...

Page 636: ...mesh network with a base bridge repeater combined base bridge and client bridge mode and a client bridge 9 3 1 Scenario 1 Two Base Bridges and One Client Bridge In scenario 1 the following three access point configurations will be deployed within the mesh network AP 1 An active base bridge AP 2 A redundant base bridge AP 3 A client bridge connecting to both AP 1 and AP 2 simultaneously AP 1 and AP...

Page 637: ...rking 9 21 9 3 1 1 Configuring AP 1 1 Provide a known IP address for the LAN1 interface NOTE Enable the LAN1 Interface of AP 1 as a DHCP Server if you intend to associate MUs and require them to obtain an IP address via DHCP ...

Page 638: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide 9 22 2 Assign a Mesh STP Priority of 40000 to LAN1 Interface 3 Define a mesh supported WLAN ...

Page 639: ...Configuring Mesh Networking 9 23 4 Enable base bridge functionality on the 802 11a n radio Radio 2 ...

Page 640: ... AP 2 can be configured the same as AP 1 with the following exceptions Assign an IP Address to the LAN1 Interface different than that of AP 1 Assign a higher Mesh STP Priority 50000 to the AP 2 LAN1 Interface NOTE In a typical deployment each base bridge can be configured for a Mesh STP Priority of 50000 In this example different values are used to force AP 1 to be the forwarding link since it s a...

Page 641: ...iguration for AP 3 a client bridge connecting to both AP 1 and AP 2 simultaneously 1 Provide a known IP address for the LAN1 interface NOTE Ensure AP 1 and AP 2 use the same channel for each 802 11a n radio or the APs will not be able to hear each other over different channels ...

Page 642: ...ge checkbox to enable client bridge functionality on the 802 11a n radio Use the Mesh Network Name drop down menu to select the name of the WLAN created in step 3 NOTE This WLAN should not be mapped to any radio Therefore leave both of the Available On radio options unselected NOTE You don t need to configure channel settings on the client bridge AP 3 It automatically finds the base bridges AP 1 a...

Page 643: ...ce completed pass traffic among the three APs comprising the mesh network 9 3 2 Scenario 2 Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge By default the mesh algorithm runs an automatic link selection algorithm to determine the best possible active and redundant links If member APs are not far apart in physical distance the algorithm intelligently chooses a single hop link to...

Page 644: ...P 3 is a client b ridge 9 3 2 1 Configuring AP 1 The setup of AP 1 within this usage scenario is exactly the same as the AP 1 configuration within Scenario 1 Two Base Bridges and One Client Bridge for step by step instructions for configuring AP 1 see Configuring AP 1 on page 9 21 Once completed return to Configuring AP 2 on page 9 29 within this section ...

Page 645: ...king 9 29 9 3 2 2 Configuring AP 2 AP 2 requires the following modifications from AP 2 in the previous scenario to function in base bridge client bridge repeater mode 1 Enable client bridge backhaul on the mesh supported WLAN ...

Page 646: ...bridge functionality on the 802 11a n radio 9 3 2 3 Configuring AP 3 To define AP 3 s configuration 1 The only change needed on AP 3 with respect to the configuration used in scenario 1 is to disable the Auto Link Selection option Click the Advanced button within the Mesh Client Bridge Settings field ...

Page 647: ...02 11a n radio if each AP The Radio MAC Address the BSSID 1 MAC Address is used for the AP 2 Preferred Base Bridge List Ensure both the AP 1 and AP 2 Radio MAC Addresses are in the Available Base Bridge List Add the AP 2 MAC Address into the Preferred Base Bridge List 3 Determine the Radio MAC Address and BSSID MAC Addresses ...

Page 648: ... 9 32 9 3 2 4 Verifying Mesh Network Functionality for Scenario 2 You now have a three AP demo multi hop mesh network ready to demonstrate Associate an MU on the WLANs configured on the 802 11b g n radio for each AP and pass traffic among the members of the mesh network ...

Page 649: ...e Connectivity You have configured three access points in mesh mode one base bridge AP1 one client bridge base bridge AP2 and one client bridge AP3 However the client bridge AP3 is connecting to both AP1 and AP2 and using its link to base bridge AP1 to forward traffic Resolution This is valid behavior you see this when your mesh APs are close enough in proximity so the client bridge can see both t...

Page 650: ...a secure beacon on a mesh backhaul supported WLAN In fact it is a Motorola recommended practice Mesh Deployment Issue 6 Is my mesh topology complete How can I determine if all my mesh APs are connected and the mesh topology is complete Resolution Each mesh AP has a Known AP Table available in the applet CLI and SNMP All APs whether they are supporting mesh or not periodically exchange ID messages ...

Page 651: ...FGR support wireless firmware updates Mesh Deployment Issue 12 Can I perform firmware configuration file updates with DHCP options Can I use the AP s Automatic Firmware Configuration update functionalities with DHCP Options on the AP for mesh nodes as well Resolution Yes mesh nodes also support Automatic Firmware Configuration updates using DHCP Options Make sure you create DHCP reservations for e...

Page 652: ...tion Yes all client bridges perform periodic background scanning both passively by sniffing the air for beacons and actively by sending Probe Requests Therefore a client bridge automatically detects the presence of a new base bridge or repeater added to the mesh network topology and forms a seam less connection without affecting current operation Mesh Deployment Issue 15 Can a mesh supported AP re...

Page 653: ...e access point connects to a Motorola RFS7000 model switch and receives its AAP configuration An AAP provides local 802 11 traffic termination local encryption decryption local traffic bridging the tunneling of centralized traffic to the wireless switch The switch can be discovered using one of the following mechanisms Switch fully qualified domain name FQDN Static IP addresses ...

Page 654: ...h your existing infrastructure 10 1 1 Where to Go From Here Refer to the following for a further understanding of AAP operation Adaptive AP Management Licensing Switch Discovery Securing a Configuration Channel Between Switch and AP Adaptive AP WLAN Topology Configuration Updates Securing Data Tunnels between the Switch and AAP Adaptive AP Switch Failure Remote Site Survivability RSS Adaptive Mesh...

Page 655: ... a switch can be used for an AAP deployment Regardless of how many AP300 and or AAPs are deployed you must ensure the license used by the switch supports the number of radio ports both AP300s and AAPs you intend to adopt 10 1 4 Switch Discovery For an access point to function as an AAP regardless of mode it needs to connect to a switch to receive its configuration Manual Adoption Configuration 10 ...

Page 656: ...ndent WLANs are local to an AAP and can be configured from the switch You must specify a WLAN as independent to stop traffic from being forwarded to the switch Independent WLANs behave like WLANs on a standalone access point Both Extended and independent WLANs are configured from the switch and operate simultaneously 10 1 7 Configuration Updates An AAP receives its configuration from the switch in...

Page 657: ...pt the AAP using an IPSec tunnel To review a sample AAP configuration see Sample Switch Configuration File for IPSec and Independent WLAN on page 10 16 10 1 9 Adaptive AP Switch Failure In the event of a switch failure an AAP s independent WLAN continues to operate without disruption The AAP attempts to connect to another switch if available in background Extended WLANs are disabled once switch ad...

Page 658: ...kes less than 2 seconds forcing associated MUs to be deauthenticated and the Mesh link will go down MUs are able to quickly associate but the Mesh link will need to be re established before MUs can pass traffic This typically takes about 90 to 180 seconds depending on the size of the mesh topology For an overview of mesh networking and how to configure an access point to support mesh see Configuri...

Page 659: ...me of adoption from the wireless switch Instead the firmware is upgraded using the firmware update procedure manually An AAP can use its LAN1 interface or WAN interface for adoption The default gateway interface is set to LAN1 If the WAN Interface is used explicitly configure WAN as the default gateway interface Motorola recommends using the LAN1 interface for adoption in multi cell deployments If...

Page 660: ...lly by the AAP No wireless traffic is tunneled back to the switch Each independent WLAN is mapped to the access point s LAN1 interface The only traffic between the switch and the AAP are control messages for example heartbeats statistics and configuration updates 10 2 4 Extended WLANs with Independent WLANs An AAP can have both extended WLANs and independent WLANs operating in conjunction When use...

Page 661: ...wnloads a configuration file from the switch it obtains the version number of the image it should be running The switch does not have the capacity to hold the access point s firmware image and configuration The access point image must be downloaded using a means outside the switch If there is still an image version mismatch between what the switch expects and what the AAP is running the switch wil...

Page 662: ...able on the switch to adopt the required number of AAPs 2 As soon as the AAP displays in the adopted list Adjust each AAP s radio configuration as required This includes WLAN radio mappings and radio parameters WLAN VLAN mappings and WLAN parameters are global and cannot be defined on a per radio basis WLANs can be assigned to a radio as done today for an AP300 model access port Optionally configu...

Page 663: ...sisting of the adaptive parameters pushed to the access point Each of these adoption techniques is described in the sections that follow 10 4 1 1 Adopting an Adaptive AP Manually To manually enable the access point s switch discovery method and connection medium required for adoption 1 Select System Configuration Adaptive AP Setup from the access point s menu tree NOTE Refer to Adaptive AP Deploym...

Page 664: ...for AAP connection The AAP will begin establishing a connection with the first addresses in the list If unsuccessful the AP will continue down the list in order until a connection is established 4 If a numerical IP address is unknown but you know a switch s fully qualified domain name FQDN enter the name as the Switch FQDN value 5 Select the Enable AP Switch Tunnel option to allow AAP configuratio...

Page 665: ...are on page 4 51 10 4 2 Switch Configuration RFS7000 running firmware version 4 0 or later require an explicit adaptive configuration to adopt an access point if IPSec is not being used for adoption The same licenses currently used for AP300 adoption can be used for an AAP Disable the switch s Adopt unconfigured radios automatically option and manually add AAPs requiring adoption or leave as defau...

Page 666: ... Only checkbox Selecting the checkbox designates the WLAN as independent and prevents traffic from being forwarded to the switch Independent WLANs behave like WLANs as used on a a standalone access point Leave this option unselected as is by default to keep this WLAN an extended WLAN a typical centralized WLAN created on the switch Once an AAP is adopted by the switch it displays within the switch...

Page 667: ...ement and native VLANs are configured The WLAN used for mesh backhaul must always be an independent WLAN The switch configures an AAP If manually changing wireless settings on the AP they are not updated on the switch It s a one way configuration from the switch to the AP An AAP always requires a router between the AP and the switch An AAP can be used behind a NAT An AAP uses UDP port 24576 for co...

Page 668: ...re 3 network element id RFS7000 username admin password 1 8e67bb26b358e2ed20fe552ed6fb832f397a507d username admin privilege superuser username operator password 1 40fc8eaf6500a3e4ba113b2be120af8f93b6ae00 ip access list extended My ACL deny ip host 172 16 10 160 any log rule precedence 10 permit ip 172 16 10 160 29 host 172 19 97 167 log rule precedence 20 permit ip host 172 16 10 168 host 172 19 9...

Page 669: ... log rule precedence 10 spanning tree mst cisco interoperability enable spanning tree mst configuration name My Name crypto pki trustpoint MS CA subject name RFS7000 CC IN KAR BANGALORE MOTOROLA EWLAN crypto pki trustpoint WIN2008 CA subject name RFS7000 CC IN KAR BLR MOTO EWLAN crypto pki trustpoint Win2008 CA subject name CC RFS TLS IN KAR BANG MOTO EWLAN country code fr redundancy group id 13 r...

Page 670: ...e crypto isakmp key 2 FBZx1Kdh3F1jRcala5eptQWPgXER9 pBp 92wgv6T3IA address 255 255 255 255 crypto isakmp key 2 X11qUCSaU3ANqPhD6ZANQKYeiH9Ey0DcQ3v5MAsA cGA address 0 0 0 0 crypto isakmp key 2 eLiatzafD9AY7Mxh0iI0WwiUle1jA t4u87VBeU62pNA address 192 168 5 89 crypto isakmp key 2 gfagIEbg7lGebx2pRlFpBgx6Q9hlV5OTlqsVqRo0UUAA address 192 168 0 10 crypto isakmp key 2 YZPZWUHNyPz9ZD2v1XrTXwFM8gI Ai uqWFr...

Page 671: ...1 radius server primary 192 168 0 10 wlan 1 radius server primary radius key 2 FpIbb6rdLjRpRPpzcP ePR6wJ56t8l3pi7STrYFpbTLA wlan 1 aap proxy radius enable no wlan 1 dot11i pmk caching no wlan 1 dot11i opp pmk caching wlan 2 ssid R D U wlan 2 vlan 40 wlan 2 encryption type ccmp wlan 2 authentication type eap wlan 2 inactivity timeout 60 wlan 2 radius server primary 192 168 0 4 wlan 4 enable wlan 4 ...

Page 672: ...adio 1 description RADIO16 radio 1 radio number 1 radio add 2 00 23 AE 0E 85 D6 11an aap7131 radio 2 description RADIO18 radio 2 radio number 2 radio add 3 00 23 AE 0D 85 D8 11bgn aap7131 radio 3 radio number 1 radio add 4 00 23 AE 0D 85 D8 11an aap7131 radio 4 radio number 2 radio 4 bss 1 1 radio add 5 00 23 AE 0D 85 D8 11bgn aap7131 radio 5 radio number 3 no ap ip default ap switch ip ap 00 23 A...

Page 673: ...ent unauthorized ap using authorized ssid filter ageout 60 smart rf radio 1 radio mac 00 23 68 97 D4 10 radio 2 radio mac 00 23 68 97 D2 60 radio 3 radio mac 00 23 68 0F 46 10 radio 4 radio mac 00 23 68 0F 45 F0 radio 5 radio mac 00 23 68 0F 48 60 wireless radius server local authentication eap auth type all ca trust point Win2008 CA server trust point Win2008 CA rad user user1 password 2 SBJs6Egy...

Page 674: ...ec transform set REMOTE TFSET esp 3des esp sha hmac mode transport crypto ipsec transform set RADIUS TFS esp 3des esp sha hmac mode tunnel crypto map AAP SYSLOG MAP 13 ipsec isakmp set peer 255 255 255 255 set mode main match address AAP ACL set transform set AAP TFSET crypto map AAP SYSLOG MAP 11 ipsec isakmp set peer 192 168 0 10 match address RADIUS ACL set transform set RADIUS TFS crypto map C...

Page 675: ...rface ge3 switchport access vlan 192 ip dhcp trust interface ge4 switchport access vlan 10 ip dhcp trust interface me1 ip address 10 1 1 100 24 interface vlan1 ip address dhcp crypto map CLUSTER MOB MAP interface vlan192 ip address dhcp crypto map AAP SYSLOG MAP interface vlan222 ip address 222 222 222 222 24 ip dhcp pool Vlan222 ...

Page 676: ...lt router 222 222 222 222 network 222 222 222 0 24 address range 222 222 222 2 222 222 222 200 service dhcp rtls rfid espi sole ip route 172 20 0 0 16 192 168 0 13 line con 0 exec timeout 35791 0 line vty 0 exec timeout 2 0 line vty 1 exec timeout 1 0 line vty 2 24 auth time 1 end ...

Page 677: ...Technical Specifications This appendix provides technical specifications for the following Physical Characteristics Electrical Characteristics Radio Characteristics Country Codes ...

Page 678: ...stics Dimensions 5 50 in Depth x 7 88 in Width x 1 38 in Height 14 cm Depth x 20 32 cm Width x 3 5 cm Height Housing Metal plenum rated housing UL2043 Weight 2 7 lbs Operating Temperature 4 F to 122 F 20 C to 50 C Storage Temperature 40 F to 158 F 40 C to 70 C Altitude 8000 ft 2438 m 82 F 28 C Operating 15000 ft 4572 m 53 F 12 C Storage Humidity 5 to 95 RH non condensing Electrostatic Discharge 15...

Page 679: ...nd 54Mbps 802 11n MCS 0 15 up to 300Mbps Wireless Medium Direct Sequence Spread Spectrum DSSS Orthogonal Frequency Division Multiplexing OFDM Spatial multiplexing MIMO Network Standards 802 11a 802 11b 802 11g 802 3 802 11n Draft 2 0 Maximum Available Transmit Power Maximum available conducted transmit power per chain 2 4Ghz 23dBm Maximum available conducted transmit power all chains 2 4GHz 27 7dB...

Page 680: ... MD Austria AT Morocco MA Bahamas BS Nambia NA Bahrain BH Netherlands NL Barbados BB Netherlands Antilles AN Belarus BY New Zealand NZ Belgium BE Nicaragua NI Bermuda BM Norfolk Island NF Bolivia BO Northern Mariana Islands MP Botswana BW Norway NO Botznia Herzegovina BA Oman OM Brazil BR Pakistan PK Bulgaria BG Panama PA Canada CA Paraguay PY Cayman Islands KY Peru PE Chile CL Philippines PH Chin...

Page 681: ...ds FK Spain ES Finland FI Sri Lanka LK France FR Sweden SE French Guiana GF Switzerland CH Germany DE Taiwan TW Greece GR Thailand TH Guadeloupe GP Trinidad and Tobago TT Guam GU Tunisia TN Guyana GY Turkey TR Haiti HT Ukraine UA Honduras HN UAE AE Hong Kong HK United Kingdom GB Hungary HU USA US Iceland IS Uruguay UY India IN Venezuela VE Indonesia ID Vietnam VN Ireland IE Virgin Islands British ...

Page 682: ...ss Point Product Reference Guide A 6 Italy IT Jamaica JM Japan JP Jordan JO Kazakhstan KZ Kuwait KW Latvia LV Lebanon LB Liechtenstein LI Lithuania LT Luxembourg LU Macedonia MK Malaysia MY Malta MT Martinique MQ Country Code Country Code ...

Page 683: ...age scenarios for many of the access point s key features This information should be referenced as a supplement to the information contained within this Product Reference Guide The following scenario is described Configuring an IPSEC Tunnel and VPN FAQs ...

Page 684: ...etween Two Access Points Configuring a Cisco VPN Device Frequently Asked VPN Questions B 1 1 Configuring a VPN Tunnel Between Two Access Points The access point can connect to a non AP device supporting IPSec such as a Cisco VPN device labeled as Device 2 For this usage scenario the following components are required 2 access points 1 PC on each side of the access point s LAN To configure a VPN tun...

Page 685: ...2 7 Enter the WAN port IP address of AP 2 Device 2 for a Remote Gateway 8 Click Apply to save the changes 9 Select the Auto IKE Key Exchange radio button 10 Select the Auto Key Settings button NOTE For this example Auto IKE Key Exchange is used Any key exchange can be used depending on the security needed as long as both devices on each end of the tunnel are configured exactly the same ...

Page 686: ...roup14 as the Diffie Hellman Group Click OK This will take you back to the VPN screen 17 Click Apply to make the changes 18 Check the VPN Status screen Notice the status displays NOT_ACTIVE This screen automatically refreshes to get the current status of the VPN tunnel Once the tunnel is active the IKE_STATE changes from NOT_CONNECTED to SA_MATURE 19 On access point 2 Device 2 repeat the same proc...

Page 687: ...co PIX Below is how the access point VPN Status screen should look if the entire configuration is setup correctly once the VPN tunnel is active The status field should display ACTIVE NOTE The Cisco PIX device configuration should match the access point VPN configuration in terms of Local WAN IP PIX WAN Remote WAN Gateway access point WAN IP Remote Subnet access point LAN Subnet and the Remote Subn...

Page 688: ...3 x etc Question 2 Even if a wildcard entry of 0 0 0 0 is entered in the Remote Subnet field in the VPN configuration page can the AP access multiple subnets on the other end of a VPN concentrator for the APs LAN WAN side No Using a 0 0 0 0 wildcard is an unsupported configuration In order to access multiple subnets the steps in Question 1 must be followed Question 3 Can the AP be accessed via its...

Page 689: ...uestion 9 I have setup my tunnel and the status still says Not Connected What should I do now VPN tunnels are negotiated on an as needed basis If you have not sent any traffic between the two subnets the tunnel will not get established Once a packet is sent between the two subnets the VPN tunnel setup occurs Question 10 I still can t get my tunnel to work after attempting to initiate traffic betwe...

Page 690: ...t flow for IPSec to work properly with Advanced LAN Access These rules should be configured first before other rules are configured Question 12 Do I need to add any special routes on the access point to get my VPN tunnel to work Scr Remote Subnet IP range Dst Local Subnet IP range Transport ANY Scr port 1 65535 Dst port 1 65535 Rev NAT None Scr Local Subnet IP range Dst Remote Subnet IP range Tran...

Page 691: ...ver clients could need extra routing information Clients on the local LAN side should either use the access point as their gateway or have a route entry tell them to use the access point as the gateway to reach the remote subnet ...

Page 692: ...Motorola Solutions AP 7131N FGR Access Point Product Reference Guide B 10 ...

Page 693: ... Central provides our customers with a wealth of information and online assistance including developer tools software downloads product manuals and online repair requests When contacting the Motorola Solutions Support Center please provide the following information serial number of unit model number or product name software type and version number ...

Page 694: ...ide North America Motorola Solutions inc Symbol Place Winnersh Triangle Berkshire RG41 5TP United Kingdom 0800 328 2424 Inside UK 44 118 945 7529 Outside UK Web Support Sites Product Downloads and Manuals https portal motorolasolutions com Support US EN Additional Information Obtain additional information by contacting Motorola Solutions at 1 800 722 6234 inside North America 1 516 738 5200 in out...

Page 695: ...1 Firmware 1 14 AP 5131 management options 1 14 AP 5131 operating modes 1 27 AP 5131 placement 2 3 AP 5131 statistical displays 1 17 association process beacon 1 17 RSSI 1 27 available protocols 6 17 B Bandwidth Management 5 67 basic device configuration 3 4 beacon 1 17 CAM stations 1 17 PSP stations 1 17 BSSID 1 10 C CA certificate 4 18 CAM 1 17 certificate authority 4 18 certificate management 4...

Page 696: ...tion options 3 2 configuration restoration 1 18 Content Filtering 1 13 content filtering 6 39 country codes 4 4 A 4 customer support B 1 D data access configuring 4 14 data encryption 1 11 data security 1 11 device firmware 4 51 device settings 3 8 DHCP support 1 18 DHCP advanced settings 5 13 direct sequence spread spectrum 1 26 Document Conventions 1 vii E EAP 1 12 EAP authentication 1 12 electr...

Page 697: ...autions 2 2 programmable SNMP trap 1 9 PSP 1 17 PSP stations 1 17 beacon 1 17 MU 1 17 Q QoS support 1 11 Quality of Service QoS 1 11 R radio options 1 9 radio retry histogram 7 24 radio statistics 7 18 restore default configuration 4 5 roaming across routers TIM 1 17 rogue AP detection 6 42 rogue AP detection allowed APs 6 46 rogue AP details 6 49 Routing Information Protocol RIP 1 21 S security c...

Page 698: ...erations 1 23 transmit power control 1 17 type filter configuration 5 14 V VLAN support 1 14 VLAN configuring 5 5 VLAN management tag 5 8 VLAN name 5 3 VLAN native tag 5 8 Voice prioritization 1 16 VPN 1 13 VPN Tunnels 1 13 VPN auto key settings 6 32 VPN configuring 6 22 VPN IKE key settings 6 34 VPN manual key settings 6 28 VPN status 6 36 W wall mounting 2 10 WAN port 1 9 WAN configuring 5 16 WA...

Page 699: ......

Page 700: ...MOTOROLA Solutions INC 1301 E ALGONQUIN ROAD SCHAUMBURG IL 60196 1078 U S A http www motorolasolutions com 72E 161311 01 Revision B March 2014 ...