Motorola WiNG 5.6, Reference Manual

Page 1: ...Motorola Solutions WiNG 5 6 ACCESS POINT SYSTEM REFERENCE GUIDE ...

Page 2: ......

Page 3: ...MOTOROLA SOLUTIONS WING 5 6 ACCESS POINT SYSTEM REFERENCE GUIDE MN000335A01 Revision A March 2014 ...

Page 4: ...yright law The user shall not modify merge or incorporate any form or portion of a licensed program with other program material create a derivative work from a licensed program or use a licensed program in a network without written permission from Motorola Solutions The user agrees to maintain Motorola Solution s copyright notice on the licensed programs delivered hereunder and to include the same...

Page 5: ...og Box Icons 2 5 2 2 3 Table Icons 2 5 2 2 4 Status Icons 2 6 2 2 5 Configurable Objects 2 6 2 2 6 Configuration Objects 2 9 2 2 7 Configuration Operation Icons 2 9 2 2 8 Access Type Icons 2 10 2 2 9 Administrative Role Icons 2 10 2 2 10 Device Icons 2 11 Chapter 3 Quick Start 3 1 Using the Initial Setup Wizard 3 2 3 1 1 Typical Setup Wizard 3 5 3 1 1 1 Virtual Controller AP Mode 3 8 3 1 1 2 Stand...

Page 6: ...hapter 5 Device Configuration 5 1 RF Domain Configuration 5 2 5 1 1 RF Domain Sensor Configuration 5 4 5 1 2 RF Client Name Configuration 5 5 5 1 3 RF Domain Alias Configuration 5 5 5 1 3 1 Network Basic Alias 5 7 5 1 3 2 Network Group Alias 5 10 5 1 3 3 Network Service Alias 5 12 5 2 System Profile Configuration 5 14 5 2 1 General Profile Configuration 5 15 5 2 2 Profile Radio Power 5 16 5 2 3 Pr...

Page 7: ...nt Considerations 5 160 5 2 8 Virtual Router Redundancy Protocol VRRP Configuration 5 161 5 2 9 Profile Critical Resources 5 165 5 2 10 Profile Services Configuration 5 168 5 2 10 1 Profile Services Configuration and Deployment Considerations 5 169 5 2 11 Profile Management Configuration 5 170 5 2 11 1 Upgrading AP6532 Firmware from 5 1 5 174 5 2 11 2 Profile Management Configuration and Deploymen...

Page 8: ...3 PSK None 6 12 6 1 2 4 Captive Portal 6 12 6 1 2 5 Passpoint Policy 6 13 6 1 2 6 MAC Registration 6 13 6 1 2 7 External Controller 6 14 6 1 2 8 WPA WPA2 TKIPTKIP CCMP 6 14 6 1 2 9 WPA2 CCMP 6 17 6 1 2 10 WEP 64 6 20 6 1 2 11 WEP 128 and KeyGuard 6 22 6 1 3 Configuring WLAN Firewall Support 6 24 6 1 4 Configuring Client Settings 6 32 6 1 5 Configuring WLAN Accounting Settings 6 34 6 1 6 Configurin...

Page 9: ...0 8 3 Device Fingerprinting 8 23 8 4 Configuring MAC Firewall Rules 8 30 8 5 Wireless IPS WIPS 8 33 8 6 Device Categorization 8 43 8 7 Security Deployment Considerations 8 45 Chapter 9 Services Configuration 9 1 Configuring Captive Portal Policies 9 2 9 1 1 Configuring a Captive Portal Policy 9 2 9 2 Setting the DNS Whitelist Configuration 9 13 9 3 Setting the DHCP Server Configuration 9 14 9 3 1 ...

Page 10: ... 1 Schema Browser 11 8 11 3 2 View UI Logs 11 9 11 3 3 View Sessions 11 10 Chapter 12 Operations 12 1 Devices 12 2 12 1 1 Managing Firmware and Configuration Files 12 2 12 1 1 1 Managing Running Configuration 12 3 12 1 1 2 Managing Startup Configuration 12 6 12 1 2 Rebooting the Device 12 8 12 1 3 Managing Crypto CMP Certificates 12 10 12 1 4 Upgrading Device Firmware 12 11 12 1 5 Troubleshooting ...

Page 11: ...ce Upgrade 13 9 13 1 7 Licenses 13 10 13 1 8 WIPS Summary 13 13 13 2 RF Domain Statistics 13 16 13 2 1 Health 13 16 13 2 2 Inventory 13 19 13 2 3 Devices 13 21 13 2 4 AP Detection 13 22 13 2 5 Wireless Clients 13 23 13 2 6 Device Upgrade 13 24 13 2 7 Wireless LANs 13 26 13 2 8 Radios 13 27 13 2 8 1 Status 13 27 13 2 8 2 RF Statistics 13 29 13 2 8 3 Traffic Statistics 13 30 13 2 9 Mesh 13 31 13 2 1...

Page 12: ...3 14 4 OSPF Route Statistics 13 90 13 3 14 5 OSPF Interface 13 93 13 3 14 6 OSPF State 13 94 13 3 15 L2TPv3 Tunnels 13 95 13 3 16 VRRP 13 97 13 3 17 Critical Resources 13 98 13 3 18 LDAP Agent Status 13 99 13 3 19 GRE Tunnels 13 100 13 3 20 Dot1x 13 101 13 3 21 Network 13 103 13 3 21 1 ARP Entries 13 103 13 3 21 2 Route Entries 13 104 13 3 21 3 Bridge 13 105 13 3 21 4 IGMP 13 106 13 3 21 5 DHCP Op...

Page 13: ...alth 13 143 13 4 2 Details 13 146 13 4 3 Traffic 13 150 13 4 4 WMM TSPEC 13 152 13 4 5 Association History 13 153 13 4 6 Graph 13 154 Chapter 14 WiNG Events 14 1 Event History Messages 14 2 Appendix A Customer Support Appendix B Publicly Available Software B 1 General Information B 1 B 2 Open Source Software Used B 2 B 3 OSS Licenses B 11 B 3 1 Apache License Version 2 0 B 11 B 3 2 The BSD License...

Page 14: ...License version 2 0 B 43 B 3 12 GNU Lesser General Public License version 2 1 B 48 B 3 13 MIT License B 53 B 3 14 Mozilla Public License version 2 B 54 B 3 15 The Open LDAP Public License B 58 B 3 16 OpenSSL License B 58 B 3 17 WU FTPD Software License B 59 B 3 18 zlib License B 60 ...

Page 15: ...e Mobility Support Center Motorola Solutions End User Software License Agreement NOTE In this guide AP7131 AP7161 and AP7181 are collectively represented as AP71XX Similarly AP8122 and AP8132 are collectively represented as AP81XX Also the APs AP8222 and AP8232 are collectively represented as AP82XX NOTE ES6510 is an Ethernet Switch managed by a wireless controller such as RFS4000 RFS6000 RFS7000 ...

Page 16: ...documents Bullets indicate lists of alternatives lists of required steps that are not necessarily sequential action items Sequential lists those describing step by step procedures appear as numbered lists NOTE Indicates tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING Indicates a condition or procedure that could result in personal inju...

Page 17: ...acting Enterprise Mobility support please provide the following information Serial number of the unit Model number or product name Software type and version number Motorola Solutions responds to calls by e mail telephone or fax within the time limits set forth in support agreements If you purchased your Enterprise Mobility business product from a Motorola Solutions business partner contact that bu...

Page 18: ...t of acceptance by the end user then that agreement supersedes this End User License Agreement as to the end use of that particular Product 2 GRANT OF LICENSE 2 1 Subject to the provisions of this End User License Agreement Motorola Solutions grants to End User Customer a personal limited non transferable except as provided in Section 4 and non exclusive license under Motorola Solutions copyrights...

Page 19: ...t which End User Customer uses such Software End User Customer may make one additional copy for each computer owned or controlled by End User Customer at each such site End User Customer may temporarily use the Software on portable or laptop computers at other sites End User Customer must provide a written list of all sites where End User Customer uses or intends to use the Software 4 TRANSFERS 4 ...

Page 20: ...hich or for which the Software and Documentation have been provided by Motorola Solutions unless End User Customer breaches this End User License Agreement in which case this End User License Agreement and End User Customer s right to use the Software and Documentation may be terminated immediately by Motorola Solutions In addition if Motorola Solutions reasonably believes that End User Customer i...

Page 21: ...es of Action End User Customer must bring any action under this End User License Agreement within one year after the cause of action arises except that warranty claims must be brought within the applicable warranty period 11 7 Entire Agreement and Amendment This End User License Agreement contains the parties entire agreement regarding End User Customer s use of the Software and may be amended onl...

Page 22: ...8 WiNG 5 6 Access Point System Reference Guide ...

Page 23: ...pects of independent and dependent architectures to create a smart network that meets the connectivity quality and security needs of each user and their applications based on the availability of network resources including wired networks By distributing intelligence and control amongst access points a WiNG 5 network can route directly via the best path as determined by factors including the user l...

Page 24: ...ation and use of the WiNG 5 software designed specifically for AP6511 AP6521 AP6522 AP6532 AP6562 AP71XX AP81XX and AP82XX access points and ES6510 model ethernet switch It does not describe the version of the WiNG 5 software designed for use with the RFS4000 RFS6000 RFS7000 NX4500 NX4524 NX6500 NX6524 NX7500 NX9000 NX9500 and NX9510 For information on using WiNG 5 in a controller managed network ...

Page 25: ...sary backhaul Within a WiNG 5 network up to 80 of the network traffic can remain on the wireless mesh and never touch the wired network so the 802 11n load impact on the wired network is negligible In addition latency and associated costs are reduced while reliability and scalability are increased A WiNG 5 network enables the creation of dynamic wireless traffic flows so bottlenecks can be avoided...

Page 26: ...1 4 WiNG 5 6 Access Point System Reference Guide ...

Page 27: ...ess point can manage up to 24 other access points of the same model and share data amongst managed access points In Standalone mode an access point functions as an autonomous non adopted access point servicing wireless clients If adopted to controller an access point is reliant on its connected controller for its configuration and management For information on how to access and use the access poin...

Page 28: ...to a computer with a working Web browser 2 Set the computer to use an IP address between 192 168 0 10 and 192 168 0 250 on the connected port Set a subnet network mask of 255 255 255 0 3 To derive the access point s IP address using its MAC address 4 Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Wind...

Page 29: ...d field 11 Select the Login button to load the management interface If this is the first time the management interface has been accessed the first screen to display will prompt for a change of the default access point password Then a dialogue displays to start the initial setup wizard For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 30: ...Icons Used This section lists global icons available throughout the interface Logout Select this icon to log out of the system This icon is always available and is located at the top right hand corner of the UI Add Select this icon to add a row in a table When this icon is selected a new row is created in the table or a dialog box opens where you can enter values for that particular list Delete Se...

Page 31: ...or policy To edit a policy select the policy and this icon Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to a device s profile configuration Mandatory Field Indicates the control s value is a mandatory configuration item You will not be allowed to proceed further without providing all mandatory values in th...

Page 32: ...om completing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has completed successfully without error Information This icon always precedes information displayed to the user This may either be a message displaying progress for a particular process or may just be a message from the system Device Configuration ...

Page 33: ...onfiguration has been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domain States an RF Domain configuration has been impacted RF Domain implement location based security restrictions applicable to all VLANs in a particular physical location Firewall Policy Indicates a Firewall policy has been impac...

Page 34: ...tates a RADIUS user pool is being applied RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user RADIUS Server Policy Indicates a RADIUS server policy is being applied RADIUS server policy is a set of configuration attributes used when a RADIUS server is configured for AAA Smart Caching Policy Smart Caching enables NX4500 and NX6500 series service platform...

Page 35: ...ile that records the status of all the processes and memory when a process fails Panic Snapshots Indicates a panic snapshot has been generated A panic snapshot is a file that records the status of all the processes and memory when a failure occurs UI Debugging Select this icon link to view current NETCONF messages View UI Logs Select this icon link to view the different logs generated by the user ...

Page 36: ... permission A user with this permission is permitted to access the access point using the device s serial console Superuser Indicates superuser privileges A superuser has complete access to all configuration aspects of the access point to which they are connected System Indicates system user privileges A system user is allowed to configure some general settings like boot parameters licenses auto i...

Page 37: ...nts that may be interacting at any one time Cluster This icon indicates a cluster A cluster is a set of access points that work collectively to provide redundancy and load sharing amongst its members Service Platform This icon indicates an NX45xx NX65xx or NX9000 series service platform that s part of the managed network RF Domain This icon indicates a RF Domain RF Domains allow administrators to ...

Page 38: ...2 12 WiNG 5 6 Access Point System Reference Guide ...

Page 39: ...amline the process of initially accessing the wireless network The wizard defines the access point s operational mode deployment location basic security network and WLAN settings For instructions on how to use the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 40: ...he default username admin in the Username field 3 Enter the default password motorola in the Password field 4 Select the Login button to load the management interface 5 If this is the first time the access point s management interface has been accessed the Initial Setup Wizard automatically displays NOTE When logging in for the first time you are prompted to change the password to enhance device s...

Page 41: ...ver the different configuration parameters A few more configuration screens are available for customization when the Advanced Setup wizard is used The first page of the Initial Setup Wizard displays the Navigation Panel and Function Highlights for the configuration activities comprising the access point s initial setup This page also displays options to select the typical or advanced mode for the ...

Page 42: ... configuration parameters set correctly A red X defines the task as still requiring at least one parameter be defined correctly Figure 3 3 displays the navigation panel for the Typical Setup Wizard Figure 3 4 Initial Setup Wizard Navigation Panel Advanced Setup Wizard Figure 3 4 displays the navigation panel for the Advanced Setup Wizard NOTE Note the difference in the number of steps between the ...

Page 43: ...ters and creates a working network with the fewest steps The Typical Setup wizard consists of the following Network Topology Selection LAN Configuration WAN Configuration Wireless LAN Setup Summary And Commit Screen To configure the access point using the Typical Setup Wizard 1 Select Typical Setup from the Choose One type to Setup the Access Point field 2 Select Next The Initial Setup Wizard disp...

Page 44: ...r more information see Virtual Controller AP Mode on page 3 8 Standalone AP Select this option to deploy this access point as an autonomous access point A standalone AP is not managed by a Virtual Controller AP or adopted by a RFS series wireless controller For more information see Standalone Mode on page 3 9 NOTE If designating the access point as a Standalone AP Motorola Solutions recommends the...

Page 45: ...nfiguring the access point in the Adopted to Controller mode see Adopt to a controller on page 3 35 4 Select the Country Code where the access point is deployed Selecting a proper country of operation is a very critical task while configuring the access point as it defines the correct channels of operations and ensures compliance to the regulations for the selected country This field is only avail...

Page 46: ... access points can be connected to and managed by a single Virtual Controller AP of the same access point model These connected access points must be of the same model as the Virtual Controller AP To designate an access point as a Virtual Controller AP 1 From the Access Point Settings screen select Virtual Controller AP 2 Select Next The remainder of a Virtual Controller AP configuration is the sa...

Page 47: ... screen select Standalone AP 2 Select Next The remainder of a Standalone AP configuration is the same as a Virtual Controller Access Point CAUTION If designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile and the UI does no...

Page 48: ...cess point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Typical Setup ...

Page 49: ...owing DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the check box to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interface Range Enter a starting and ending IP Address range for client assignments on ...

Page 50: ...ain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s Wireless LAN interface configuration For more information see Wireless LAN Setup on page 3 1...

Page 51: ...configured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define Default Gateway information as the field will become enabled on the bottom portion of the screen The provided IP addres...

Page 52: ...rface Select the option to enable Network Address Translation on the selected GE interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s wireless LAN configuration For more information see Wireless LAN Setup on page 3 15 ...

Page 53: ...r phone system WLANs can therefore be configured around the needs of specific user groups even when they are not in physical proximity Up to two 2 WLANs can be configured for the access point using the wizard Figure 3 9 Initial Setup Wizard Wireless LAN Setup screen for Typical Setup Wizard 1 Set the following WLAN1 configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure ...

Page 54: ...played where additional updates can be made For more information on configuring the onboard RADIUS server see RADIUS Server Configuration on page 3 17 PSK authentication WPA2 encryption Configures a network that uses PSK authentication and WPA2 encryption Select this option to implement a pre shared key that must be correctly shared between the access point and requesting clients using this WLAN W...

Page 55: ...screen to configure the users for the onboard RADIUS server Use the screen to add modify and remove RADIUS users Figure 3 10 Initial Setup Wizard RADIUS Server Configuration screen for Typical Setup Wizard Use the Add User button to add a new RADIUS user A dialog displays where details about the user is entered ...

Page 56: ...e with creating another user select Create To create the user and close this dialog click Create Close To close the dialog and abandon the operation select Cancel Use the Modify User button to modify the details for an existing user in the RADIUS user database Select the user to modify details for and then click Modify User The username for the user cannot be modified using this dialog Use the Del...

Page 57: ...y and Commit screen is an additional means of validating the configuration before it is deployed Figure 3 12 Initial Setup Wizard Summary And Commit Screen of the Typical Setup Wizard If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summary either select the targe...

Page 58: ...ll also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically Up to two 2 controllers can be defined The access point will try to adopt to the controller defined in the Controller 1 field first Should the controller not be found then the access point tries to adopt to the controller defined in Controller 2 field When preferring layer 3...

Page 59: ... following Network Topology Selection LAN Configuration WAN Configuration Radio Configuration Wireless LAN Setup System Information Summary And Commit Screen To configure the access point using the Advanced Setup Wizard 1 Select Advanced Setup from the Choose One type to Setup the Access Point field 2 Select Next The Advanced Setup Wizard displays the Access Point Settings screen to define the acc...

Page 60: ... more information see Virtual Controller AP Mode on page 3 8 Standalone AP Select this option to deploy this access point as an autonomous fat access point A standalone AP is not managed by a Virtual Controller AP or adopted by a RFS series wireless controller For more information see Standalone Mode on page 3 9 NOTE If designating the access point as a Standalone AP Motorola Solutions recommends ...

Page 61: ...roller Any manual configuration changes are overwritten by the controller upon reboot For more information on configuring the access point in the Adopted to Controller mode see Adopt to a controller on page 3 35 4 Select the Next button to start configuring the access point in the selected mode If the Access Point Type is Virtual Controller AP or Standard AP see Network Topology Selection on page ...

Page 62: ...single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Advan...

Page 63: ... this field is not available When selecting this option define the following DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Default Gateway Define a default gateway address for use with the static IP address configuration This is a re quired parameter Use on board DHCP server to assign IP addresses to wireless clients Select...

Page 64: ...name into its corresponding IP address cannot locate the matching IP address Primary DNS Enter an IP Address for the main Domain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Advanced Setup Wizard displays the Radio Configuratio...

Page 65: ...ternal DHCP servers An automatic IP address is configured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define the following Default Gateway information as the field will become enabl...

Page 66: ...at is connected to the WAN Enable NAT on the WAN Interface Select the option to enable Network Address Translation on the selected GE interface 2 Select Next The Advanced Setup Wizard displays the Radio Configuration screen to set the access point s radios For more information see Radio Configuration on page 3 29 ...

Page 67: ...r 5 0 GHz radio band Radio Frequency Band Select the 2 4 GHz or 5 0 GHz radio band to use with the radio when selected as a Data Radio The selected band is used for WLAN client support Consider selecting one radio for 2 4 GHz and another for 5 0 GHz support if using a dual or three radio model when supporting clients in both the 802 11bg and 802 11n bands NOTE The Radio Configuration screen displa...

Page 68: ...nterference Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor support exclusively When functioning as a sensor the radio scans in sensor mode across all channels within the 2 4 and 5 0 GHz bands to identify potential threats If dedicating a radio as a ...

Page 69: ...fic user groups even when they are not in physical proximity Use the Wireless LAN Setup screen to configure the WLAN parameters Up to two 2 WLANs can be configured for the access point Figure 3 19 Initial Setup Wizard WAN Configuration screen for Advanced Setup Wizard 1 Set the following WLAN1 Configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure the encryption and auth...

Page 70: ...e the drop down to specify the type of key provided Select ASCII or HEX to specify the key type provided in the WPA Key field EAP Authentication and WPA2 Encryption Configures a network that uses EAP authentication and WPA2 encryption Select this option to authenticate clients within this WLAN through the exchange and verification of certificates External RADIUS Server When selected provide the IP...

Page 71: ...point prompts for the correct country code on the first login A warning message also displays stating an incorrect country setting may result in illegal radio operation Selecting the correct country is central to legal operation Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted This is a required paramet...

Page 72: ...guration before it is deployed However if a screen displays settings not intended as part of the initial configuration the screen can be selected from within the Navigation Panel and its settings modified accordingly Figure 3 21 Initial Setup Wizard Summary and Commit screen for the Advanced Setup Wizard If the configuration displays as intended select Save Commit to implement these settings to th...

Page 73: ... controller defined in Controller 2 field When preferring layer 3 adoption configure how an IP is assigned to this access point Select Use DHCP to use DHCP to assign an IP address to this access point If this access point requires a static IP select Static IP Address Subnet and provide the appropriate IP address and net mask For your convenience the netmask is automatically set to 24 Also assign t...

Page 74: ...3 36 WiNG 5 6 Access Point System Reference Guide ...

Page 75: ...int managed network Use the dashboard to review the current network topology assess the network s component health and diagnose problematic device behavior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard Network View ...

Page 76: ...1 Select Dashboard Expand the System menu item on the upper left hand side of the UI and select either an access point or connected client The Dashboard screen displays the Health tab by default Figure 4 1 Dashboard Health tab 4 1 1 Dashboard Conventions The Dashboard screen displays device information using the following conventions Health Displays the state of the access point managed network In...

Page 77: ...utilization data for the access point managed network Figure 4 2 Dashboard Health tab For more information see Device Details Radio RF Quality Index Radio Utilization Index Client RF Quality Index 4 1 1 1 1 Device Details Health The Device Details field displays model and version information ...

Page 78: ...rcentage of the overall effectiveness of the RF environment It is a function of the data rate in both directions the retry rate and the error rate Figure 4 4 Dashboard Health tab Radio RF Quality Index field RF Quality displays as the average quality index for the single RF Domain utilized by the access point The table lists the bottom five 5 RF quality values for the RF Domain The quality is meas...

Page 79: ...ughput Refer to the number or errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received Periodically select Refresh at the bottom of the screen to update the radio utilization information displayed Figure 4 5 Dashboard Health tab Radio Utilization Index field 4 1 1 1 4 Client RF Quality Index Dashboard Conventions The Client RF Quality I...

Page 80: ...ectiveness of the RF environment as a percentage Its a function of the connect rate in both directions as well as the retry rate and the error rate The quality is measured as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Client MAC Displays the factory encoded MAC address assigned to each connected radio listed Use this information to assist in the identificat...

Page 81: ...point The Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a radio Figure 4 7 Dashboard Inventory tab The Inventory tab is partitioned into the following fields Radio Types WLAN Utilization Wireless Clients Clients by Radio Type ...

Page 82: ...entory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures how efficiently the RF medium is utilized It is defined as a percentage of the current throughput relative to the maximum throughput possible The quality is measured as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and ...

Page 83: ...a bar graph illustrating the number of connected clients currently operating on supported radio bands Figure 4 11 Dashboard Inventory tab Clients by Radio Type field For 5 0 GHz clients are displayed supporting the 802 11a and 802 11an radio bands For 2 4 GHz clients are displayed supporting the 802 11b 802 11bg and 802 11bgn radio bands Use this information to determine if all the access point s ...

Page 84: ...evice performance and utilization as well as the RF band channel and vendor For more information see Network View Display Options on page 4 11 To review a device s Network Topology select Dashboard Network View Figure 4 12 Network View Topology The left hand side of the Network View screen contains an expandable System Browser where access points can be selected and expanded to display connected c...

Page 85: ...are available None Select this option to keep the Network View display as it currently appears without any additional color or device interaction adjustments Utilization Select this option to filter based on the percentage of current throughput relative to maximum throughput Utilization results include Red Bad Utilization Orange Poor Utilization Yellow Fair Utilization and Green Good Utilization Q...

Page 86: ...iables in blue within the Network View display 3 Select the Update button to update the display with the changes made to the filter options Select Close to close the options field and remove it from the Network View 4 2 2 Device Specific Information Network View A device specific information screen is available for individual devices selected from within the Network View not the System Browser The...

Page 87: ...re as their general client support roles are quite similar However access point configurations may need periodic refinement and overrides from their original RF Domain administered design For more information see RF Domain Overrides on page 5 217 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model Profiles can be used to...

Page 88: ...ement from its original RF Domain designation Unlike a RFS series wireless controller an access point supports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration Thus a configuration should only be overridden when needed For more inf...

Page 89: ...s specific as the floor of a building or as generic as an entire site The location defines the physical area where a common set of access point configurations are deployed and managed by the RF Domain policy Contact Provide the name of the contact E mail or administrator assigned to respond to events created by or impacting the RF Domain Time Zone Set the geographic time zone for the RF Domain The...

Page 90: ... an existing Sensor Server Configuration and select the Delete icon to remove it 6 Use the spinner control to assign a numerical Server ID to each WIPS server defined The server with the lowest defined ID is the first reached by the access point The default ID is 1 7 Provide the numerical non DNS IP Address of each server used as a WIPS sensor server by the RF Domain 8 Use the spinner control to s...

Page 91: ...o all the remote sites is a complex and time consuming operation Also this practice does not scale gracefully for quick growing deployments An alias enables an administrator to define a configuration item such as a hostname as an alias once and use the defined alias across different configuration items such as multiple ACLs Once a configuration item such as an ACL is utilized across remote locatio...

Page 92: ... alias configuration changes made at a remote location override any updates at the management center For example if an Network Alias defines a network range as 192 168 10 0 24 for the entire network and at a remote deployment location the local network range is 172 16 10 0 24 the network alias can be overridden at the deployment location to suit the local requirement For the remote deployment loca...

Page 93: ... device s IP address A network alias configuration is utilized for an IP address on a particular network An address range alias is a configuration for a range of IP addresses A basic alias configuration can contain multiple instances for each of the five 5 alias types To edit or delete a basic alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3 Select RF D...

Page 94: ...lias can be used to replace an IP address range in IP firewall rules 7 Select Add Row to define Host Alias settings Use the Host Alias field to create aliases for hosts that can be utilized at different deployments For example if a central network DNS server is set a static IP address and a remote location s local DNS server is defined this host can be overridden at the remote location At the remo...

Page 95: ...g Alias field to create aliases for strings that can be utilized at different deployments For example if the main domain at a remote location is called loc1 domain com and at another deployment location it is called loc2 domain com the alias can be overridden at the remote location to suit the local but remote requirement At one remote location the alias functions with the loc1 domain com domain a...

Page 96: ...ses range entries can be configured inside a network group alias A maximum of 32 network group alias entries can be created A network group alias is used in IP firewall rules to substitute hosts subnets and IP address ranges To edit or delete a network alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3 Select RF Domain 4 Select the Network Group Alias tab...

Page 97: ...w button to specify the Start IP address and End IP address for the alias range or double click on an existing an alias range entry to edit it NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight...

Page 98: ...ies can be configured per network service alias Use a service alias to associate more than one IP address to a network interface providing multiple connections to a network from a single IP node Network Service Alias can be used in the following location to substitute protocols and ports IP Firewall Rules To edit or delete a service alias configuration 1 Select Configuration tab from the Web user ...

Page 99: ...eated Use the drop down menu to select the protocol eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter Ra...

Page 100: ...oints but not those who have had their configuration overridden from their previous profile designation These devices require careful administration as they no longer can be tracked and as profile members Their customized configurations overwrite their profile assignments until the profile can be re applied to the access point Each access point model is automatically assigned a default profile The...

Page 101: ...ct Devices 3 Select System Profile from the options on left hand side of the UI General configuration options display by default with the profile activated for use with this access point model Figure 5 9 General Profile screen 4 Select Add Row below the Network Time Protocol NTP table to define the configurations of NTP server resources used to obtain system time Up to 3 NTP servers can be configu...

Page 102: ...E device and the budget available to the access point The CPLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negativel...

Page 103: ... Power Mode Use the drop down menu for each power mode to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is preferred ove...

Page 104: ...t adoption an access point solicits and receives multiple adoption responses from Virtual Controller APs available on the network These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption To define the access point profile s adoption configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Selec...

Page 105: ... exchanged between the access point and the adopting wireless controller These messages serve as a connection validation mechanism to ensure the availability of the adopting wireless controller Use the spinner to set a value from 1 120 seconds 9 Define the Adjacency Hold Time value This value sets the time after which the preferred controller group is considered down and unavailable to provide ser...

Page 106: ...tem Profile from the options on left hand side of the UI 4 Select Wired 802 1x Host Use the drop down menu to specify whether the controller adoption resource is defined as a non DNS IP address or a hostname Once defined provide the numerical IP or hostname A hostname cannot exceed 64 characters Pool Use the spinner controller to set a pool of either 1 or 2 This is the pool the target Virtual Cont...

Page 107: ...ns are available for review prior to defining a configuration that could significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 5 62 Dot1x Authentication Control Select this option to globally enable 802 1x authentication for the selected device This setting is disabled by default Dot1x AAA Policy Use the drop down menu to select...

Page 108: ... AP7161 GE1 POE LAN GE2 WAN AP7181 GE1 POE LAN GE2 WAN AP8122 AP8132 AP8232 GE1 POE LAN GE2 WAN To define a profile s Ethernet port configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Ethernet Ports Figure 5 13 Profile Interfaces Ethernet Ports screen 5 Refer to the...

Page 109: ...nfigured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN untagged traffic is directed over when using a port i...

Page 110: ...d half duplex or full duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duplex...

Page 111: ...s Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port allows packets from a list of VLANs you add to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default mode Nati...

Page 112: ...ation Select Reset to revert to the last saved configuration 13 Select the Security tab Figure 5 15 Ethernet Ports Security tab 14 Refer to the Access Control field As part of the port s security configuration Inbound IP and MAC address firewall rules are required Use the Inbound MAC Firewall Rules drop down menus to select the firewall rules to apply to this profile s Ethernet port configuration ...

Page 113: ...ble a mismatch check for the source MAC in both the ARP and Ethernet header The default value is disabled Trust 8021p COS values Select this option to enable 802 1p COS values on this port The default value is enabled Trust IP DSCP Select this option to enable IP DSCP values on this port The default value is enabled NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC a...

Page 114: ... groups of VLANs A MSTP supported deployment uses multiple MST regions with multiple MST instances MSTI Multiple regions and other STP bridges are interconnected using one single common spanning tree CST MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduce...

Page 115: ...uces the time taken for a port to complete STP PortFast must only be enabled on ports on the wireless controller which are directly connected to a server workstation and not to another hub or controller PortFast can be left unconfigured on the access point Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is di...

Page 116: ...s attached to it or is directly connected to an user device Link Type Select either the Point to Point or Shared radio button Selecting Point to Point indicates the port should be treated as connected to a point to point link Selecting Shared means this port should be treated as having a shared connection A port connected to a hub is on a shared link while one connected to a access point is a poin...

Page 117: ... Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Virtual Interfaces Figure 5 17 Profile Interfaces Virtual Interfaces screen 5 Review the following parameters unique to each virtual interface configuration Name Displays the name of each listed Virtual Interface assigned when it was created The name is from 1 4094 and cannot...

Page 118: ...is being modified 7 If creating a new Virtual Interface use the Name spinner control to define a numeric ID from 1 4094 8 Define the following parameters from within the Properties field 9 Define the Network Address Translation NAT direction VLAN Displays the numerical VLAN ID associated with each listed interface IP Address Defines whether DHCP was used to obtain the primary IP address used by th...

Page 119: ...on to request information from the DHCPv6 server using stateless DHCPv6 DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configuration attributes required on an IPv6 network This setting is disabled by default Prefix Delegation Client Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface...

Page 120: ...Pv4 tab Accept Router Advertisement Enable this option to allow router advertisements over this virtual interface IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages When first connected to a network a host sends a link local router solicitation multicast request for its configuration paramet...

Page 121: ... screen IPv6 tab Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings Zero config can be us...

Page 122: ...ormat IPv6 Mode Select this option to enable IPv6 support on this virtual interface IPv6 is disabled by default IPv6 Address Static Define up to 15 global IPv6 IP addresses that can created statically IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format tha...

Page 123: ...address and interface VLAN ID can be set Figure 5 23 Virtual Interfaces Basic Configuration screen IPv6 tab Add DHCPv6 Relay Select OK to save the changes to the DHCPv6 relay configuration Select Exit to close the screen without saving the updates Delegated Prefix Name Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format Using EUI64 a host can automatically assign itse...

Page 124: ... policy to the virtual interface Router advertisements are periodically sent to hosts or sent in response to solicitation requests The advertisement includes IPv6 prefixes and other subnet and host information 28 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Figure 5 25 Virtual Interfaces Basic...

Page 125: ...nutes Hours or Days value used to measurement criteria for the prefix s expiration 30 days 0 hours 0 minutes and 0 seconds is the default lifetime Valid Lifetime Date If the lifetime type is set to External fixed set the date in MM DD YYYY format for the expiration of the prefix Valid Lifetime Time If the lifetime type is set to decrementing set the time for the prefix s validity Set the time in a...

Page 126: ... to apply to this profile s virtual interface configuration Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration IPv6 is the latest revision of the Internet Protocol IP replacing IPv4 IPV6 provides enhanced identification and location information for systems routing traffic across the Internet IPv6 addresses are compose...

Page 127: ...nel Basic Configuration screen displays by default Name Displays the port channel s numerical identifier assigned to it when it was created The numerical name cannot be modified as part of the edit process Type Displays whether the type is port channel Description Lists a a short description 64 characters maximum describing the port channel or differentiating it from others with similar configurat...

Page 128: ...duplex or full duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duple...

Page 129: ...llows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additionally the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode The default value is 1 Tag the Native VLAN Select this option to tag the native VLAN Access points support the IEEE 802 1Q specification for tagging frames and coordinating VLANs bet...

Page 130: ... profile s port channel configuration IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons If a firewall rule does not exist suiting the data protection nee...

Page 131: ...ted Neighbor discovery allows the discovery of an adjacent device s MAC addresses similar to Address Resolution Protocol ARP on Ethernet in IPv4 The default value is disabled Trust DHCPv6 Responses Select the check box to enable DHCPv6 trust If enabled only DHCPv6 responses are trusted and forwarded on this port channel and a DHCPv6 server can be connected only to a trusted port The default value ...

Page 132: ...l shutdown on receiving a BPDU Thus no BPDUs are processed The default setting is None Enable as Edge Port Select this option to define this port as an edge port Using an edge private port you can isolate devices to prevent connectivity over this port channel This setting is disabled by default Link Type Select either the Point to Point or Shared radio button Selecting Point to Point indicates the...

Page 133: ... greater likelihood of the port becoming a designated port 22 Select Add Row needed to include additional indexes 23 Select OK to save the changes made to the Ethernet Port Spanning Tree configuration Select Reset to revert to the last saved configuration 10000000 bits sec 2000000 100000000 bits sec 200000 1000000000 bits sec 20000 10000000000 bits sec 2000 100000000000 bits sec 200 1000000000000 ...

Page 134: ...ew the following radio configuration data to determine whether a radio configuration requires modification to better support the network Name Displays whether the reporting radio is radio 1 radio 2 or radio 3 AP7131 models can have up to 3 radios depending on the SKU AP6522 AP6522M AP6532 AP6562 AP8132 AP8232 AP7181 and AP7161 models have 2 radios while AP6521 and AP6511 models have 1 radio Type D...

Page 135: ...e Radio Settings tab Channel Lists the channel setting for the radio Smart is the default setting If set to Smart the access point scans non overlapping channels listening for beacons from other access points After the channels are scanned it selects the channel with the fewest access points In the case of multiple access points on the same channel it will select the channel with the lowest averag...

Page 136: ... party access point and bridge frames to it Lock RF Mode Select this option to lock Smart RF operation for this radio The default setting is disabled as Smart RF utilization will impact throughput Channel Use the drop down menu to select the channel of operation for the radio Only a trained installation professional should define the radio channel Select Smart for the radio to scan non overlapping...

Page 137: ...the radio to dynamically change the number of transmit chains This option is enabled by default Data Rates Once the radio band is provided the drop down menu populates with rate options depending on the 2 4 or 5 0 GHz band selected If the radio band is set to Sensor or Detector the Data Rates drop down menu is not enabled as the rates are fixed and not user configurable If 2 4 GHz is selected as t...

Page 138: ...gs lengthening the time to let nodes sleep longer and preserve their battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold from 1 2 347 bytes for use by the WLAN s adopted access point radios RTS is a transmitting station s signal that requests a Clear To S...

Page 139: ...ct this option for the radio to transmit using a short preamble Short preambles improve throughput However some devices SpectraLink phones require long preambles The default value is disabled Guard Interval Use the drop down menu to specify a Long or Any guard interval The guard interval is the space between symbols characters being transmitted The guard interval is there to eliminate inter symbol...

Page 140: ...et a priority 1 6 for connection preference 20 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and then connect through ...

Page 141: ...e is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Frame Size Limit If a support mode is enable allowing A MPDU frames to be ...

Page 142: ... is Follow DTIM Host for Redirected Packets If packets are re directed from an access point radio define an IP address of a resource additional host system used to capture the re directed packets This address is the numerical non DNS address of the host used to capture the re directed packets Channel to Capture Packets Use the drop down menu to specify the channel used to capture re directed packe...

Page 143: ...MHz With SGI 40 MHz No SGI 40MHz With SGI 0 1 6 5 7 2 13 5 15 1 1 13 14 4 27 30 2 1 19 5 21 7 40 5 45 3 1 26 28 9 54 60 4 1 39 43 4 81 90 5 1 52 57 8 108 120 6 1 58 5 65 121 5 135 7 1 65 72 2 135 150 Table 5 2 MCS 2Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 2 13 14 4 27 30 1 2 26 28 9 54 60 2 2 39 43 4 81 90 3 2 52 57 8 108 120 4 2 78 86 7 162 1...

Page 144: ...ughput for single spatial streams MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 80 MHz No SGI 80MHz With SGI 0 6 5 7 2 13 5 15 29 3 32 5 1 13 14 4 27 30 58 5 65 2 19 5 21 7 40 5 45 87 8 97 5 3 26 28 9 54 60 117 130 4 39 43 3 81 90 175 5 195 5 52 57 8 108 120 234 260 6 58 5 65 121 5 135 263 3 292 5 7 65 72 2 135 150 292 5 325 8 78 86 7 162 180 351 390 9 n a n a 180 200 390 43...

Page 145: ... communications PPP packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation The following 3G cards are supported Veri...

Page 146: ...aul card Enable WAN 3G Select this option to enable 3G WAN card support on the access point A supported 3G card must be connected for this feature to work Username Provide username for authentication support by the cellular data carrier Password Provide password for authentication support by the cellular data carrier Access Point Name APN Enter the name of the cellular data provider if necessary T...

Page 147: ...these configuration are optimally effective If the WAN card does not connect after a few minutes after a no shutdown check the access point s syslog for a detected ttyUSB0 No such file event If this event has occurred linux didn t detect the card Re seat the card If the WAN card has difficulty connecting to an ISP syslog shows that it retries LCP ConfReq for a long time ensure the SIM card is stil...

Page 148: ...operation is enabled it discovers an available server and establishes a PPPoE link for traffic slow When a wired WAN connection failure is detected traffic flows through the WWAN interface in fail over mode if the WWAN network is configured and available When the PPPoE link becomes accessible again traffic is redirected back through the access point s wired WAN link When the access point initiates...

Page 149: ... protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the numeri...

Page 150: ...y the PPPoE client Use the Show option to view the actual characters comprising the password Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmissio...

Page 151: ...file Configuration IGMP Snooping MLD Snooping Quality of Service QoS Spanning Tree Configuration Routing Dynamic Routing OSPF Forwarding Database Bridge VLAN Cisco Discovery Protocol Configuration Link Layer Discovery Protocol Configuration Miscellaneous Network Configuration Alias Before beginning any of the profile network configuration activities described in the sections above review the confi...

Page 152: ...ld need to remember a series of numbers 123 123 123 123 instead of an easy to remember domain name www domainname com To define the DNS configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select DNS Figure 5 38 Network DNS screen 5 Provide a default Domain Name used when res...

Page 153: ...o all the machines on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied To define an ARP supported configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System P...

Page 154: ...ved configuration Switch VLAN Interface Use the spinner control to select a VLAN for an address requiring resolution IP Address Define the IP address used to fetch a MAC Address MAC Address Displays the target MAC address that s subject to resolution This is the MAC used for mapping an IP address to a MAC address that s recognized on the network Device Type Specify the device type the ARP entry su...

Page 155: ...creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is r...

Page 156: ...sages assist in the identification of a tunnelled peer UDP Listen Port Select this option to set the port used for listening to incoming traffic Select a port from 1 024 65 353 Tunnel Bridging Select this option to enable or disable bridge packets between two tunnel end points This setting is disabled by default Enable Logging Select this option to enable the logging of Ethernet frame events to an...

Page 157: ... largest protocol data unit that the layer can pass between tunnel peers Use Tunnel Policy Lists the L2TPv3 tunnel policy assigned to each listed tunnel Local Hostname Lists the tunnel specific hostname used by each listed tunnel This is the hostname advertised in tunnel establishment messages Local Router ID Specifies the router ID sent in the tunnel establishment messages Establishment Criteria ...

Page 158: ...eout for a tunnel A tunnel is not usable without a session and a subsequent session name The tunnel is closed when the last session tunnel session is closed Pseudowire ID Define a psuedowire ID for this session A pseudowire is an emulation of a layer 2 point to point connection over a packet switching network PSN A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 pro...

Page 159: ...unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers Define a MTU between 128 1 460 bytes The default setting is 1 460 A larger MTU means processing fewer packets for the same amount of data Use Tunnel Policy Select the L2TPv3 tunnel policy The policy consists of user defined values for protocol specific parameters which can be used with d...

Page 160: ...n the tunnel is disabled When a tunnel is established the listed critical resources are checked for availability Tunnel establishment is started if the critical resources are available Similarly for incoming tunnel termination requests listed critical resources are checked and tunnel terminations are only allowed when the critical resources are available For more information on managing critical r...

Page 161: ...dary peer for tunnel failover If the peer is not specified tunnel establishment does not occur However if a peer tries to establish a tunnel with this access point it creates the tunnel if the hostname and or Router ID matches Peer IP Address Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the peer a hostname ...

Page 162: ...as the local tunnel end point address not the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed ...

Page 163: ...address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message to the L2TP peer MTU Define the session maximum transmission unit MTU as the size in bytes of the largest protocol data unit the layer can pass between...

Page 164: ...t This is the port where the L2TP service is running Source VLAN Define the VLAN range 1 4 094 to include in the tunnel Tunnel session data includes VLAN tagged frames Native VLAN Select this option to define the native VLAN that will not be tagged Cookie Size Set the size of the cookie field within each L2TP data packet Options include 0 4 and 8 The default setting is 0 Value 1 Set the cookie val...

Page 165: ...e links which do not require them To configure IGMP Snooping 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select IGMP Snooping Figure 5 47 IGMP Snooping screen 5 Set the following parameters to configure General IGMP Snooping values Enable IGMP Snooping Select this option to enable...

Page 166: ...tibility to IGMP version 1 2 or 3 The default IGMP version is 3 IGMP Query Interval Sets the IGMP query interval This parameter is used only when the querier functionality is enabled Define an interval value in Seconds 1 18000 seconds Minutes 1 300 minutes or Hours 1 5 hours up to maximum of 5 hours The default value is 60 seconds IGMP Robustness Variable Sets the IGMP robustness variable The robu...

Page 167: ...t group traffic The controller service platform or access point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces To set an IPv6 MLD snooping configuration for the profile 1 Select Configuration Profiles Network 2 Expand the Network menu to display its submenu options 3 Select MLD Snooping Figure 5 48 Profile Ne...

Page 168: ...D Query Interval Set the interval in which query messages are sent to discover device multicast group memberships Set an interval in either Seconds 1 18 000 Minutes 1 300 or Hours 1 5 The default interval is 1 minute MLD Robustness Variable Set a MLD IGMP robustness value 1 7 used by the sender of a query The MLD robustness variable enables refinements to account for expected packet loss on a subn...

Page 169: ...6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP header DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence DSCP specifies a specific per hop behavior applied to a packet To define an QoS configuration for DSCP mappings 1 Select the Configur...

Page 170: ... The valid values for this field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Background 2 Spare 3 Excellent Effort 4 Controlled Load 5 Video 6 Voice 7 Network Control Traffic Class Devices that originate a packet must identify different classes or priorities for IPv6 packets Devices use the traffic class field in the IPv6 header to set this priority 802 1p Priori...

Page 171: ...e Bridge Protocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages...

Page 172: ...s the BPDU considers valid in the spanning tree topology The available range is from 7 127 The default setting is 20 MST Config Name Define a 64 character maximum name for the MST region to use as an identifier for the configuration MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select...

Page 173: ...ning and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to set the maximum time in seconds to listen for the root bridge The root bridge is the spanning tree bridge with the smallest lowest bridge ID Each bridge has a unique ID and a configurable priority number the bridge ID contains bot...

Page 174: ...nd reduces the resource space required to maintain address pools Both IPv4 and IPv6 routes are separately configurable using their appropriate tabs For IPv6 networks routing is the part of IPv6 that provides forwarding between hosts located on separate segments within a larger IPv6 network where IPv6 routers provide packet forwarding for other IPv6 hosts To create static routes 1 Select the Config...

Page 175: ...et the following parameters 11 Select the IPv6 Routing tab IPv6 networks are connected by IPv6 routers IPv6 routers pass IPv6 packets from one network segment to another Figure 5 52 Static Routes screen IPv6 Routing tab Static Default Route Priority Use the spinner control to set the priority value 1 8 000 for the default static route This is weight assigned to this route versus others that have b...

Page 176: ...on to Unicast settings 18 Select Add Row as needed within the IPv6 Routes table to add an additional 256 IPv6 route resources Figure 5 53 Static Routes screen Add IPv6 Route RA Convert milliseconds Select this option to convert multicast router advertisements RA to unicast router advertisements at the dot11 layer Unicast addresses identify a single network interface whereas a multicast address is ...

Page 177: ...ined as stub area A stub area is an area which does not receive route advertisements external to the autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer rout...

Page 178: ... address it does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passive Remo...

Page 179: ...heck Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted before the OSPF process is shut down The available ran...

Page 180: ...ration Edit to modify an existing configuration or Delete to remove a configuration Figure 5 56 Network OSPF Area Configuration screen Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 181: ...ating a stub Set a value from 1 16 777 215 Translate Type Define how messages are translated Options include translate candidate translate always and translate never The default setting is translate candidate Range Specify a range of addresses for routes matching address mask for OSPF summarization Name Displays the name defined for the interface configuration Type Displays the type of interface D...

Page 182: ... Inside Outside or None radio buttons Inside The inside network is transmitting data over the network to its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Outside Packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine There the destination IP address is changed bac...

Page 183: ...k from those reachable using a router Request DHCPv6 Options Select this option to request DHCPv6 options on this virtual interface DHCPv6 options provide configuration information for a node that must be booted using the network rather than locally This setting is disabled by default Maximum Transmission Unit MTU Set the PPPoE client maximum transmission unit MTU from 500 1 492 The MTU is the lar...

Page 184: ...value is set to zero no MTU options are sent This setting is disabled by default No Hop Count Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface This setting is disabled by default Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuratio...

Page 185: ...uch a request with a router advertisement packet that contains Internet layer configuration parameters Figure 5 60 Network OSPF Virtual Interfaces Basic Configuration screen IPv6 tab 33 Refer to the IPv6 Addresses field to define how IP6 addresses are created and utilized Use DHCP to obtain Gateway DNS Servers Select this option to allow DHCP to obtain a default gateway address and DNS resource fo...

Page 186: ...ect Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MAC is initially separated into two 24 bits with one being an OUI Organizational...

Page 187: ...y address and interface VLAN ID can be set Figure 5 63 Network OSPF Virtual Interfaces Basic Configuration screen IPv6 tab Add DHCPv6 Relay 41 Select OK to save the changes to the DHCPv6 relay configuration Select Exit to close the screen without saving the updates Delegated Prefix Name Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format Using EUI64 a host can automat...

Page 188: ...a policy to the virtual interface Router advertisements are periodically sent to hosts or sent in response to solicitation requests The advertisement includes IPv6 prefixes and other subnet and host information 44 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Figure 5 65 Network OSPF Virtual In...

Page 189: ...nutes Hours or Days value used to measurement criteria for the prefix s expiration 30 days 0 hours 0 minutes and 0 seconds is the default lifetime Valid Lifetime Date If the lifetime type is set to External fixed set the date in MM DD YYYY format for the expiration of the prefix Valid Lifetime Time If the lifetime type is set to decrementing set the time for the prefix s validity Set the time in a...

Page 190: ...wn menu to select the IPv6 specific inbound firewall rules to apply to this profile s virtual interface configuration Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration IPv6 is the latest revision of the Internet Protocol IP replacing IPv4 IPV6 provides enhanced identification and location information for systems rout...

Page 191: ... hand side of the UI 4 Expand the Network menu and select Forwarding Database Figure 5 67 Network Forwarding Database screen 5 Define a Bridge Aging Time from 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before it is deleted due to lack of activity If an entry replenishments a destination generating continuous traffic this t...

Page 192: ... the target VLAN ID if the destination MAC is on a different network segment 9 Provide an Interface Name used as the target destination interface for the target MAC address 10 Select OK to save the changes Select Reset to revert to the last saved configuration ...

Page 193: ...en a data frame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Bridge VLAN forwards the data frame on the appropriate port s VLANs are useful to set separate networks to isolate some computers from others without actually having to have separate cabling and Ethernet switches Another common use is to put ...

Page 194: ...Snoop Table to prevent IP spoof attacks IPv6 Firewall Lists whether IPv6 is enabled on this bridge VLAN A green checkmark defines this setting as enabled A red X defines this setting as disabled IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated...

Page 195: ... device When configured firewalls generate flow tables that store information on the traffic allowed to traverse through the firewall These flow tables occupy a large portion of the limited memory that could be used for other critical purposes With the per VLAN firewall feature enabled on an interface flow tables are only generated for that interface Flow tables are not generated for those interfa...

Page 196: ...fic from the drop down menu If an appropriate outbound MAC ACL is not available select the Create button Tunnel Over Level 2 Select this option to allow VLAN traffic to be tunneled over level 2 links This setting is disabled by default Mint Link Level Select the MINT link level from the drop down menu Rate Define a transmit rate limit between 50 1 000 000 kbps This limit constitutes a threshold fo...

Page 197: ...portal policy see Configuring Captive Portal Policies on page 9 2 14 Select the IGMP Snooping tab Trust ARP Response Select this option to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoof and arp cache poisoning attacks This feature is disabled by default Trust DHCP Responses Select this option to use DHCP packets from a DHCP server as trusted and permissible within the n...

Page 198: ...d the settings under bridge configuration are overridden Forward Unknown Multicast Packets Select this option to enable forwarding of multicast packets from unregistered multicast groups If disabled the unknown multicast forward feature is also disabled for this bridge VLAN This settings is enabled by default Interface Names Select the interface used for IGMP snooping over a multicast router Multi...

Page 199: ...t IGMP membership is also learnt on it and only if present then it is forwarded on that port Source IP Address Define an IP address applied as the source address in the IGMP query packet This address is used as the default VLAN querier IP address IGMP Version Use the spinner control to set the IGMP version compatibility to either version 1 2 or 3 The default setting is 3 Maximum Response Time Spec...

Page 200: ...ess Multicast packets are delivered using best effort reliability just like IPv6 unicast MLD snooping is enabled by default Forward Unknown Unicast Packets Use this option to either enable or disable IPv6 unknown multicast forwarding This setting is enabled by default Interface Names Select the ge or radio interfaces used for MLD snooping Multicast Router Learn Mode Set the pim dvmrp or static mul...

Page 201: ...ect Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Cisco Discovery Protocol Figure 5 72 Network Cisco Discovery Protocol CDP screen 5 Enable disable CDP and set the following settings 6 Select the OK button located at the bottom right of the screen to save the changes to the CDP configuration Select Reset to revert to the last save...

Page 202: ... contains one Link Layer Discovery Protocol Data Unit LLDP PDU A single LLDP PDU is transmitted in a single 802 3 Ethernet frame To set the LLDP configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Link Layer Discovery Protocol Figure 5 73 Network Link Layer Discovery ...

Page 203: ...he Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Miscellaneous Figure 5 74 Network Miscellaneous screen 5 Select the Include Hostname in DHCP Request option to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 6 Select the DHCP Persistent Lease option to retain the lease ...

Page 204: ...ese aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override alias values defined in a global alias profiles ...

Page 205: ... VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN alias is used to replace VLANs in the following locations Bridge VLAN I...

Page 206: ... settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overridden at the remote location to suit their local but remote requirement At the remote location the ACL functions with the 172 16 10 ...

Page 207: ... configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for Host Network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias A maximum of 32 Network Group Alias entries can be created A network group alias can be used in IP...

Page 208: ...ect Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a bla...

Page 209: ...k group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing Subnets ca...

Page 210: ...face providing multiple connections to a network from a single IP node A network service alias can be used to substitute protocols and ports in IP firewall rules To edit or delete a network service alias configuration 1 Select Configuration tab from the Web user interface 2 Select System Profiles 3 Select Network to expand it and display its sub menus 4 Select the Alias item the Basic Alias screen...

Page 211: ... created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter...

Page 212: ...e is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Static routes while easy can be overwhelming within a large or complicated network Each time there is a change someone must manually make changes to reflect the new route If a link goes down even if there is a second path the router would ignore it and consider the link down Static routes require ...

Page 213: ...l policy wireless client role policy WEP shared key authentication and NAT policy applied For more information refer to the following Defining Profile VPN Settings Defining Profile Security Settings Setting the Certificate Revocation List CRL Configuration Setting the Profile s NAT Configuration Setting the Profile s Bridge NAT Configuration ...

Page 214: ... utilized for each IPSec peer however for remote VPN deployments one crypto map is used for all the remote IPSec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional features flexibility and configuration simplicity for the IPSec standard IKE automatically negotiates IPSec SAs and enables secure com...

Page 215: ...not exactly agree on the lifetime though if they do not there is some clutter for a superseded connection on the peer defining the lifetime as longer DPD Retries Lists each policy s maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer This screen only appears when IKEv1 is selected Name If creating a new IKE policy assign it a name 32 character m...

Page 216: ...a VPN tunnel connection is defined as dead The available range is from 1 100 The default setting is 5 IKE LifeTime Set the lifetime defining how long a connection encryption authentication keys should last from successful key negotiation to expiration Set this value in either Seconds 600 86 400 Minutes 10 1 440 Hours 1 24 or Days 1 This setting is required for both IKEv1 and IKEV2 Name If creating...

Page 217: ...whether the peer configuration has been defined to use pre shared key PSK or RSA Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s the first algorithm known to be suitable for signing as well as encryption If using IKEv2 this screen displays both local and remote authentication as both ends of the VPN connection require authentication LocalID Lists the access point s l...

Page 218: ...connection require authentication RSA is the default value for both local and remote authentication regardless of IKEv1 or IKEv2 Authentication Value or Local Authentication Value Define the authentication string shared secret that must be shared by both ends of the VPN tunnel connection The string must be from 8 21 characters long If using IKEv2 both a local and remote string must be specified fo...

Page 219: ... creation Again a transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic Authentication Algorithm Lists each transform sets s authentication scheme used to validate identity credentials The authentication scheme is either HMAC SHA or HMAC MD5 Encryption Algorithm Displays each transform set s encryption method for protecting transmitte...

Page 220: ...ansform set define a 32 character maximum name to differentiate this configuration from others with similar attributes Authentication Algorithm Set the transform sets s authentication scheme used to validate identity credentials Use the drop down menu to select either HMAC SHA or HMAC MD5 The default setting is HMAC SHA Encryption Algorithm Set the transform set encryption method for protecting tr...

Page 221: ...ect the Continue button to proceed to the VPN Crypto Map screen Name Lists the 32 character maximum name assigned for each crypto map upon creation This name cannot be modified as part of the edit process IP Firewall Rules Lists the IP firewall rules defined for each displayed crypto map configuration Each firewall policy contains a unique set of access deny permissions applied to the VPN tunnel a...

Page 222: ...ased on a sequence number Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface based on the sequence number from 1 1 000 IP Firewall Rules Lists the IP firewall rules defined for each displayed crypto map configuration Each firewall policy contains a unique set of access deny permissions applied to the VPN tun...

Page 223: ...configuration uses a list of entries based on a sequence number Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface based on this selected sequence number from 1 1 000 Type Define the site to site manual site to site auto or remote VPN configuration defined for each listed crypto map configuration ...

Page 224: ...l keys Options include None 2 5 and 14 The default setting is None Lifetime kB Select this option to define a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes Lifetime seconds Select this option to define a lifetime in ...

Page 225: ...rs depending on the selected IKE mode 30 Set the following IKEv1 or IKe v2 Settings Authentication Method Use the drop down menu to specify the authentication method used to validate the credentials of the remote VPN client Options include Local on board RADIUS resource if supported and RADIUS designated external RADIUS resource If selecting Local select the Add Row button and specify a User Name ...

Page 226: ...een Selecting Reset reverts the screen to its last saved configuration 37 Select the Remote VPN Client tab The Remote VPN Client screen provides options for configuring the remote VPN client AAA Policy Select the AAA policy used with the remote VPN client AAA policies define RADIUS authentication and accounting parameters The access point can optionally use AAA server resources when using RADIUS a...

Page 227: ... traffic that needs to be protected Select the appropriate traffic set from the drop down menu or click the icon next to the drop down menu to create a new transform set IKEV2 Peer Use the drop down menu to select the remote IKE v2 peer Use the icon next to the drop down to create a new peer Priority Use the spinner to set the priority in which a remote peer is connected The lower the number the h...

Page 228: ...P peer local ID The ID cannot exceed 128 characters df bit Select the DF bit handling technique used for the ESP encapsulating header Options include clear set and copy The default setting is copy IPsec Lifetime kb Set a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control ...

Page 229: ...r detection Options include Seconds 10 3 600 Minutes 1 60 and Hours 1 The default setting is 30 seconds DPD Retries Use the spinner control to define the number of keep alive messages sent to an IPSec VPN client before the tunnel connection is defined as dead The available range is from 1 100 The default number of messages is 5 NAT Keep Alive Define the interval or frequency of NAT keep alive mess...

Page 230: ...4 characters Authentication Type Set the IPSec Authentication Type Options include PSK Pre Shared Key or rsa Authentication Key Set the common key for authentication between the remote tunnel peer Key length is between 8 21 characters IKE Version Configure the IKE version to use The available options are ikev1 main ikev1 aggr and ikev2 Enable NAT after IPSec Select this option to enable NAT after ...

Page 231: ...g data traffic within the network If an existing Firewall policy does not meet your requirements select the Create icon to create a new firewall policy that can be applied to this profile An existing policy can also be selected and edited as needed using the Edit icon 6 Select the WEP Shared Key Authentication radio button to require profile supported devices to use a WEP key to access the network...

Page 232: ...vocation Figure 5 94 Profile Security Certificate Revocation List CRL Update Interval screen 5 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a private key was found and nobody had access to it its ...

Page 233: ...of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows an access...

Page 234: ...re not editable but new configurations can be added or existing ones deleted as they become obsolete Static NAT creates a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address transla...

Page 235: ...e world when the translation address is used to interact with the remote destination NAT IP Enter the IP address of the matching packet to the specified value The IP address modified can be either source or destination based on the direction specified Network Select Inside or Outside NAT as the network direction The default setting is Inside Select Inside to create a permanent one to one mapping b...

Page 236: ... 98 Profile Security Static NAT screen Destination tab 13 Select Add to create a new NAT destination configuration or Delete to permanently remove a NAT destination Existing NAT destination configurations are not editable Figure 5 99 NAT Destination Add screen ...

Page 237: ...nly a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadcast delivery not available from TCP The default setting is Any Destination IP Enter the address used at the source end of the sta...

Page 238: ...on address is used to interact with the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overload Type Lists the Overload Type used with the listed IP ACL rule Options include NAT Pool One Gl...

Page 239: ...ult setting Interface Use the drop down menu to select the VLAN ID from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Ensure the VLAN selected represents the intended network traffic within the NAT supported configuration VLAN1 is available by default Optionally select the wwan1 radio button if the access point model supports a wwan ...

Page 240: ...5 154 WiNG 5 6 Access Point System Reference Guide 21 Select OK to save the changes made to the dynamic NAT configuration Select Reset to revert to the last saved configuration ...

Page 241: ...et traffic is routed to the NoC and from there routed to the Internet This increases the access time for the end user on the client To resolve latency issues Bridge NAT identifies and segregates traffic heading towards the NoC and outwards towards the Internet Traffic towards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with access to the ...

Page 242: ...ion Interface Lists the communication medium outgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or wwan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP L...

Page 243: ...yment guidelines to ensure the profile configuration is optimally effective Ensure the contents of the certificate revocation list are periodically audited to ensure revoked certificates remained quarantined or validated certificates are reinstated NAT alone does not provide a firewall If deploying NAT on a profile add a firewall on the profile to block undesirable traffic from being routed For ou...

Page 244: ... destination link layer MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup s...

Page 245: ...m 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual rou...

Page 246: ... configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Delete Figure 5 107 Profiles VRRP screen 8 If creating a new VRRP configuration assign a Virtual Router ID from 1 255 In addition to functioning as numerical identifier the ID identifies the access point s virtual router a ...

Page 247: ...lable to preempt a lower priority backup router resource The default setting is enabled When selected the Preempt Delay option becomes enabled to set the actual delay interval for pre emption This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority Preempt Delay If the Preempt option is selected use the spinner control to set th...

Page 248: ... For example a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue to monitored on that VLAN Critical resources can be configured for access points and wireless controllers using their respective profiles To define critical resources 1 Select the Configuration tab from the Web UI 2 Select Devices 3 ...

Page 249: ... a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource 9 Select Add Row to define the following for critical resource configurations IP Address Provide the IP address of the critical resource This is the address used by the access point to ensure the critical resource is available Up to four addresses can be defined Mode Set the ping mode us...

Page 250: ...s the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface Generally the source address 0 0 0 0 is used in the APR packets used to detect critical resources However some devices do not support the above IP address and drop the ARP packets Use this field to provide an IP address specifically used for this purpose The IP address used for Port...

Page 251: ...wser Captive portals provides authenticated access by capturing and re directing a wireless user s Web browser session to a captive portal login page where the user must enter valid credentials to access to the wireless network Once logged into the captive portal additional Agreement Welcome and Fail pages provide the administrator with a number of options on screen flow and user appearance Either...

Page 252: ...ion refer to the following deployment guidelines to ensure the profile configuration is optimally effective A profile plan should consider the number of wireless clients allowed on the profile s guest captive portal network and the services provided or if the profile should support guest access at all Profile configurations supporting a captive portal should include firewall policies to ensure log...

Page 253: ...agement access configurations can be applied strategically to profiles as resource permissions dictate Additionally an administrator can define a profile with unique configuration file and device firmware upgrade support To define a profile s management configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI...

Page 254: ... to discern an overall pattern that may be negatively impacting performance using the configuration defined for the access point s profile Enable Message Logging Select this option to enable the profile to log system events to a user defined log file or a syslog server Selecting this radio button enables the rest of the parameters required to define the profile s logging configuration This option ...

Page 255: ...ging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Se...

Page 256: ...username on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Password for SMTP Server Specify the sender s username password on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Enable Configuration Update Select ...

Page 257: ...ectory A PoE hub 1 Calculate the AP6532 s IP address The AP6532 has an IP of 169 254 last two digits of its MAC address in decimal with subnet mask of 255 255 0 0 For example if the MAC address is 00 23 68 86 48 18 the last two digits of its IP address will be 72 24 48 hexadecimal 72 decimal 18 hexadecimal 24 decimal So the IP address is 169 254 72 24 with subnet mask of 255 255 0 0 2 Configure th...

Page 258: ...delines to ensure the profile configuration is optimally effective Define profile management access configurations providing both encryption and authentication Management services like HTTPS SSH and SNMPv3 should be used when possible as they provide data privacy and authentication Motorola Solutions recommends SNMPv3 be used for management profile configurations as it provides both encryption and...

Page 259: ... this mesh point prefers to have a mesh connection with over other nodes in the mesh network Preferred Interface Displays the name of the preferred interface A Preferred Interface is an interface on this mesh point that is preferred over other interfaces on the device when forming a mesh network Monitor Critical Resource Displays if this mesh point monitors critical resources for maintaining a mes...

Page 260: ...cr weighted Select this to choose a neighbor path based on the packet completion rate from a neighbor device A device with a higher packet completion rate is chosen over a device with a lower packet completion rate snr leaf Select this to indicate the path with the best signal to noise ratio is always selected Preferred Neighbor Enter the MAC address of the mesh point device that is the preferred ...

Page 261: ...on screen displays NOTE With this release of Motorola Solutions WiNG software an AP7161 model access point can be deployed as a Vehicle Mounted Modem VMM to provide wireless network access to a mobile vehicle car train etc A VMM provides layer 2 mobility for connected devices VMM does not provide layer 3 services such as IP mobility For VMM deployment considerations see Vehicle Mounted Modem VMM D...

Page 262: ...onfigure the mesh point monitored for automatic channel scan This is the mesh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected Off channel Duration Configure the duration in the range of 20 250 milliseconds for the Off Channel Duration field This is the duration the scan dwells on...

Page 263: ...h between two adjacent channels is 20 MHz 40 MHz Indicates the width between two adjacent channels is 40 MHz Priority Meshpoint Configure the mesh point monitored for automatic channel scan This is the mesh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected SNR Delta Configure the s...

Page 264: ...t Path Metric screen Signal Threshold Configure the signal to noise threshold value for path selection When the signal strength of the next hop in the mesh network goes below this value a scan is triggered to select a better next hop Off channel Duration Configure the duration in the range of 20 250 milliseconds for the Off Channel Duration field This is the duration that the scan dwells on each c...

Page 265: ...mesh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected Meshpoint Path Minimum Configure the minimum path metric value for a mesh connection to be established Set a value between 100 20 000 Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automat...

Page 266: ...nabled This setting is disabled from the Command Line Interface CLI using the dynamic chain selection command or in the UI refer Radio Override Configuration on page 5 255 Disable A MPDU Aggregation if the intended vehicular speed is greater than 30 mph For more information see Radio Override Configuration on page 5 255 ...

Page 267: ... left hand side of the UI 4 Expand the Advanced menu item The following items are available as advanced access point profile configuration options Advanced Profile Client Load Balancing Configuring MINT Protocol Advanced Profile Miscellaneous Configuration 5 2 13 1 Advanced Profile Client Load Balancing Advanced Profile Configuration Use the screen to administer the client load across an access po...

Page 268: ... weight to radio traffic on either the 2 4 or 5 0 GHz band This setting is enabled by default Use probes from common clients Select this option to use probes from shared clients in the neighbor selection process This feature is enabled by default to provide the best common group of available clients amongst access points in neighbor selection Use notifications from roamed clients Select this optio...

Page 269: ...d Ratio 2 4GHz Use the spinner control to set a loading ratio from 0 10 the access point 2 4 GHz radio uses in respect to radio traffic load on the 2 4 GHz band This allows an administrator to weight the traffic load if wishing to prioritize client traffic on the 2 4 GHz radio band The higher the value set the greater the weight assigned to radio traffic load on the 2 4 GHz radio band The default ...

Page 270: ...nel designations The default is 5 Weightage given to Client Count Use the spinner control to assign a weight from 0 100 the access point uses to prioritize 2 4GHz radio client count in the 2 4GHz radio load calculation Assign this value higher this 2 4GHz radio is intended to support numerous clients and their throughput is secondary to maintaining association The default setting is 90 Weightage g...

Page 271: ...nce Considered Equal Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing access point radio load balances The default setting is 1 Thus using a default setting of 10 means 10 is considered inconsequential when comparing access point radio load balances Weightage given to Client Count Use the spinner control to assign a weight from 0 100 ...

Page 272: ...yption and authentication A secure network requires users know about certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MINT are suc...

Page 273: ...Advanced Profile Configuration MINT Protocol screen IP tab 10 Select Add to create a new Link IP configuration or Edit to modify an existing MINT configuration Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting from 255 and 255 This is the value added to the base level DIS priority to influence the Designated IS DIS election A value of 1 or...

Page 274: ...tching pair of links one on each end point However that is error prone and does not scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link as a forced link Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set an int...

Page 275: ... securely communicate amongst one another Figure 5 124 Advanced Profile Configuration MINT Protocol screen VLAN tab 13 Select Add to create a new VLAN link configuration or Edit to modify an existing configuration IPSec GW Define either an IP address or hostname for the IPSec gateway NOTE If creating a mesh link between two access points in Standalone AP mode you will need to ensure a VLAN is avai...

Page 276: ...m 1 4 094 used by peers for interoperation when supporting the MINT protocol Routing Level If adding a new VLAN use the spinner control to define a routing level of either 1 or 2 Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hello packets The default...

Page 277: ...e originates 4 Select the Turn on LEDs radio button to ensure this access point s LED remain continuously illuminated Deployments such as hospitals prefer to keep their wireless devices from having illuminating LEDs as they have been reported to disturb their patients this setting however is enabled by default Select the Flash Pattern radio button to enable the access point to blink in a manner th...

Page 278: ...posture If the client device complies then it is allowed access to the network 8 Select OK to save the changes made to the profile s Advanced Miscellaneous configuration Select Reset to revert to the last saved configuration 5 2 14 Environmental Sensor Configuration System Profile Configuration An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point It provi...

Page 279: ... below the set threshold If enabled select All both AP8132 radios radio 1 or radio 2 Low Limit of Light Threshold Set the low threshold limit from 0 1 000 lux to determine whether the lighting is off in the AP8132 s deployment location The default is 100 High Limit of Light Threshold Set the upper threshold limit from 100 10 000 lux to determine whether the lighting is on in the AP8132 s deploymen...

Page 280: ...f designating the access point as a Standalone AP Motorola Solutions recommends the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile while the UI only provides one per access point model Consequently the two interfaces cannot be used collectively to manage profiles without an administrator encounte...

Page 281: ...n to change the selected access point s designation from Standalone to Virtual Controller AP Remember only one Virtual Controller can manage up to 24 access points of the same model Thus an administrator should take care to change the designation of a Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation 7 Select the Adopt Unknown APs Automatically option...

Page 282: ...t location defined Additionally the number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual Controller AP mode To override a managed device s basic configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides 4 Select a target device MAC address from either the device browser in the lower left hand s...

Page 283: ...e Coordinate Optionally provide the longitude coordinate where the device is located The valid value for this field is in the range 180 0000 degrees to 180 0000 degrees When provided this enables the device to be mapped on the geolocation map Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exceed 64 characters Assigning an...

Page 284: ...by the CA s private key Depending on the public key infrastructure the digital certificate includes the owner s public key the certificate expiration date the owner s name and other public key owner information Each certificate is digitally signed by a trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual A trustpoint represents a CA identity pa...

Page 285: ...to its last saved configuration HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop down menu where an existing certificate trustpoint can be leveraged To leverage an existing device certificate for use with this target device select the Launch Manager button For more information see Manage Certificates on page 5 204 SSH RSA Key Either use the defa...

Page 286: ...elected device an existing stored certificate can be leveraged from a different device Device certificates can be imported and exported to a secure remote location for archive and retrieval as required for application to other devices To configure trustpoints for use with certificates 1 Select Launch Manager from either the HTTPS Trustpoint SSH RSA Key or RADIUS Server Certificate parameters Figur...

Page 287: ...nformation Refer to Certificate Details to review the certificate s properties self signed credentials validity period and CA information 3 To optionally import a certificate select the Import button from the Certificate Management screen Figure 5 133 Certificate Management Import New Trustpoint screen ...

Page 288: ...t the Trustpoint from a location on the network To do so select From Network and provide the following information Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation List CRL CRLs a...

Page 289: ...te for publication on a Web server or file server for certificate deployment or export it in to an Active Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and do not generate a second key unless y...

Page 290: ...onal keys or import export keys to and from remote locations Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address information to the l...

Page 291: ... the Certificate Management screen Figure 5 135 Certificate Management RSA Keys screen 3 Select a listed device to review its current RSA key configuration Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select the Generate Key but...

Page 292: ...ate select the Import button from the RSA Keys screen Figure 5 137 Certificate Management Import New RSA Key screen 8 Define the following configuration parameters required to import a RSA key Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key from 2 048 or 4096 bits Motorola Solutions recommends leaving this value at th...

Page 293: ...ries of asterisks URL Provide the complete URL to the location of the RSA key Protocol If selecting Advanced select the protocol used for importing the target key Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 usb2 usb3 and usb4 IP Address If selecting Advanced enter IP addr...

Page 294: ...ccess point and the server Select the Show option to expose the actual characters used in the passphrase Leaving the Show option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key Protocol If selecting Advanced select the protocol used for exporting the RSA key Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port ...

Page 295: ...ate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create Certificate from the upper left hand side of the Certificate Management screen IP Address If selecting Advanced en...

Page 296: ...ct the existing key used by both the device and the server or repository of the target RSA key Create New Select this option to create a new RSA key Provide a 32 character name to identify the RSA key Use the spinner control to set the size of the key from 2 048 or 4 096 bits Motorola Solutions recommends leaving this value at the default setting 2048 to ensure optimum functionality For more infor...

Page 297: ... is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create CSR from the upper left hand side of the Certificate Management screen State ST Enter a State for the state or province name...

Page 298: ...08 Use Existing Select this option to use an existing RSA key Use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certi...

Page 299: ...or example an AP6532 RF Domain override can only be applied to another AP6532 model access point To define a device s RF Domain override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select RF Domain Overrides Organizational U...

Page 300: ...plied To remove a device s override go to the Basic Configuration screen s Device Overrides field and then select the Clear Overrides button Location Set the deployment location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the access point s configuration and wireless ne...

Page 301: ...ntrol as another data protection option to utilize with a device profile 802 1X is an IEEE standard for media level Layer 2 access control offering the capability to permit or deny network connectivity based on the identity of the user or device 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides from the options on left hand side of the UI 4 Select a target d...

Page 302: ...es to define configurations overriding the parameters set by the target device s original profile configuration To define a general profile override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select Device Overrides from th...

Page 303: ...ert to the last saved configuration NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device AutoKey Select this option to enable an autokey configuration for the NTP resource This is a key rand...

Page 304: ...le Interface Override Configuration Overriding the Network Configuration Overriding a Security Configuration Overriding the Virtual Router Redundancy Protocol VRRP Configuration Profile Critical Resources Overriding a Services Configuration Overriding a Management Configuration Overriding Mesh Point Configuration Overriding an Advanced Configuration Overriding Environmental Sensor Configuration ...

Page 305: ...nnot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To ...

Page 306: ... 802 3af Power Mode and the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when...

Page 307: ...option an access point solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an existing parameter 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower ...

Page 308: ...messages serve as a connection validation mechanism to keep the access point adopted to its wireless controller Set a value from 1 120 seconds 10 Define the Adjacency Hold Time value for this device This is the amount of time before the preferred controller group is considered down and unavailable to provide services Set a value from 2 600 seconds Auto Provisioning Policy Select an auto provisioni...

Page 309: ...pecify whether the controller adoption resource is defined as a non DNS IP address or a hostname Once defined provide the numerical IP or hostname A hostname cannot exceed 64 characters Pool Use the spinner controller to set a pool of either 1 or 2 This is the pool the target Virtual Controller belongs to The default setting is 1 Routing Level Use the spinner controller to set the routing level fo...

Page 310: ...verride to change modify parameters of an access point s Ethernet Port configuration The following ports are available on supported access point models AP6511 fe1 fe2 fe3 fe4 up1 AP6521 GE1 POE LAN AP6522 AP6522M GE1 POE LAN AP6532 GE1 POE LAN AP6562 GE1 POE LAN AP7131 GE1 POE LAN GE2 WAN AP7161 GE1 POE LAN GE2 WAN AP7181 GE1 POE LAN GE2 WAN AP8122 AP8132 AP8232 GE1 POE LAN GE2 WAN To define an Et...

Page 311: ...e expected as untagged and mapped to the native VLAN If set to Trunk the port allows packets from a list of VLANs added to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLA...

Page 312: ...ect the Enabled radio button to define this port as active to the profile it supports Select the Disabled radio button to disable this physical port in the profile It can be activated at any future time when needed Speed Set the speed at which the port can receive and transmit the data Select either 10 Mbps 100 Mbps 1000 Mbps Select either of these options to establish a 10 100 or 1000 Mbps data t...

Page 313: ...Select either the Access or Trunk radio button to set the VLAN switching mode over the port If Access is selected the port accepts packets only form the native VLANs Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port allows packets from a list of VLANs you a...

Page 314: ...or with a number of options on captive portal screen flow and user appearance For information on configuring a captive portal policy see Configuring Captive Portal Policies on page 9 2 12 Optionally select the Port Channel Membership option and define or override a setting from 1 8 using the spinner control This sets the channel group for the port 13 Select OK to save the changes made to the Ether...

Page 315: ...rotection needs of the target port configuration select the Create icon to define a new rule configuration For more information see Wireless Firewall on page 8 2 17 Refer to the Trust field to define the following 18 Refer to the 802 1X Settings field to define the following Trust ARP Responses Select this option to enable ARP trust on this port ARP packets received on this port are considered tru...

Page 316: ...thorized and devices using the port are denied access Max Reauthenticate Count Set the number of reauthentication attempts when a port tries to reauthenticate and fails Once this count exceeds the port is considered unauthorized Maximum Request Set the number of times an attempt is made to authenticate with an EAP server before returning an Authentication Failed message to the device seeking to au...

Page 317: ...n extension to RSTP to optimize the usefulness of VLANs MSTOP allows for a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree topology If there is just one VLAN in the access point managed network a single spanning tree works fine However if the network contains more than one VLAN the network topology defined by single STP wo...

Page 318: ... port no longer receives the better superior BPDU and then the state is changed to Forwarding Select Root to enable this feature Select None to disable 26 Select the Enable Port Fast option to enable or disable PortFast PortFast enables reducing the time taken for a port to complete the MSTP state changes from Blocked to Forward PortFast must only be enabled on ports on the wireless controller whi...

Page 319: ...Virtual Interface configurations and either create a new Virtual Interface configuration modify override an existing configuration or delete an existing configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select Interface to expand ...

Page 320: ...screen Name Displays the name of each listed Virtual Interface assigned when it was created The name is from 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed interface Description Displays the description defined for the Virtual Interface when it was either initially created or edited Admin Status A green check mark defin...

Page 321: ...passing configuration information Description Provide or edit a description up to 64 characters for the Virtual Interface that helps differentiate it from others with similar configurations Admin Status Either select the Disabled or Enabled radio button to define this interface s current status within the network When set to Enabled the Virtual Interface is operational and available The default va...

Page 322: ...ytes a network can transmit Any messages larger than the MTU are divided into smaller packets before being sent A PPPoE client should be able to maintain its point to point connection for this defined MTU size The default MTU is 1 492 IPv6 MTU Set an IPv6 MTU for this virtual interface from 1 280 1 500 A larger MTU provides greater efficiency because each packet carries more user data while protoc...

Page 323: ... configuration parameters Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings Zero config ...

Page 324: ... IPv6 Address Static Define up to 15 global IPv6 IP addresses that can created statically IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MAC is ini...

Page 325: ...Device Overrides Virtual Interfaces Basic Configuration screen IPv6 tab Add Address Prefix from Provider EUI64 Select OK to save the changes to the new IPv6 prefix from provider in EUI64 format Select Exit to close the screen without saving the updates 27 Select the IPv6 RA Prefixes tab Delegated Prefix Name Enter a 32 character maximum name for the IPv6 address prefix from provider Host ID Define...

Page 326: ...rtual interface Router advertisements are periodically sent to hosts or sent in response to solicitation requests The advertisement includes IPv6 prefixes and other subnet and host information 29 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Figure 5 157 Device Overrides Virtual Interfaces Basi...

Page 327: ...nutes Hours or Days value used to measurement criteria for the prefix s expiration 30 days 0 hours 0 minutes and 0 seconds is the default lifetime Valid Lifetime Date If the lifetime type is set to External fixed set the date in MM DD YYYY format for the expiration of the prefix Valid Lifetime Time If the lifetime type is set to decrementing set the time for the prefix s validity Set the time in a...

Page 328: ...IPv4 is a connection less protocol for packet switched networking IPv4 operates as a best effort delivery method since it does not guarantee delivery and does not ensure proper sequencing or duplicate delivery unlike TCP IPv4 and IPv6 are different enough to warrant separate protocols IPv6 devices can alternatively use stateless address autoconfiguration IPv4 hosts can use link local addressing to...

Page 329: ...the Designated Router DR for the network DRs provide routing updates to the network by maintaining a complete topology table of the network and sends the updates to the other routers in the network using multicast Setting a high value increases the chance of this interface becoming a DR Setting this value to Zero 0 prevents this interface from being elected a DR Cost Select this option to enable o...

Page 330: ...cess point s deployment objective To override a port channel configuration for an access point profile 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Expand the Interface menu and select Port Channels Figure 5 160 Device Overrides Port Chann...

Page 331: ... mark defines the listed port channel as active and currently enabled with the access point s profile A red X defines the port channel as currently disabled and not available for use The interface status can be modified with the port channel configuration as required Description Enter a brief description for the port channel 64 characters maximum The description should reflect the port channel s i...

Page 332: ...e port channel accepts packets only form the native VLANs Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port channel allows packets from a list of VLANs you add to the trunk A port channel configured as Trunk supports multiple 802 1Q tagged VLANs and one Nat...

Page 333: ...use link local addressing to provide local connectivity Use the IPv6 Firewall Rules drop down menu to select the IPv6 specific firewall rules to apply to this profile s port channel configuration IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Interne...

Page 334: ... Trust IP DSCP Select this option to enable IP DSCP values on this port channel The default value is enabled Enable PortFast PortFast reduces the time required for a port to complete a MSTP state change from Blocked to Forward PortFast must only be enabled on ports on the wireless controller directly connected to a server workstation and not another hub or controller PortFast can be left unconfigu...

Page 335: ... means this port should be treated as having a shared connection A port connected to a hub is on a shared link while one connected to a access point is a point to point link Point to Point is the default setting Cisco MSTP Interoperability Select either the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setti...

Page 336: ...e configuration Select Reset to revert to the last saved configuration 5 4 5 3 4 Radio Override Configuration Profile Interface Override Configuration Access points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the access point s deployment objective To define a radio configuration override for an access point 1 Select the Configuration t...

Page 337: ...AP6511 and AP6521 models support a single radio Type Displays the type as either Radio for typical client support or sensor If setting an AP6511 or AP6521 model access point to function as a sensor the access point must be rebooted before it can begin to operate as a sensor Description Displays a brief description of the radio provided by the administrator when the radio s configuration was added ...

Page 338: ...nel it will select the channel with the lowest average power level Transmit Power Lists the transmit power for each radio Overrides Click the Clear to clear overrides made to this radio interface This field is blank if there are no overrides for this radio Description Provide or edit a description 1 64 characters in length for the radio that helps differentiate it from others with similar configur...

Page 339: ...ofessional should define the radio channel Select Smart for the radio to scan non overlapping channels to listen for beacons from other access points Once channels are scanned the radio selects the channel with the fewest access points In case of multiple access points on the same channel it will select the channel with the lowest average power level The default value is Smart Channels with a w ap...

Page 340: ...ect this option to allow the access point radio to dynamically change the number of transmit chains This setting is disabled by default The radio uses a single chain antenna for frames at non 802 11n data rates Rate Once the radio band is provided the Rate drop down menu populates with rate options depending on the 2 4 or 5 0 GHz band selected If the radio band is set to Sensor or Detector the Dat...

Page 341: ...des sometimes miss them Increase the DTIM beacon settings lengthening the time to let nodes sleep longer and preserve their battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold from 1 2 347 bytes for use by the WLAN s adopted access point radios RTS is a t...

Page 342: ...t value is disabled Guard Interval Use the drop down menu to specify a Long or Any guard interval The guard interval is the space between symbols characters being transmitted The guard interval eliminates inter symbol interference ISI ISI occurs when echoes or reflections from one symbol interfere with another symbol Adding time between transmissions allows echo s and reflections to settle before ...

Page 343: ...t Add Row to define MAC addresses representing peer devices for preferred mesh connection Use the Priority spinner control to set a priority 1 6 for connection preference 19 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 20 Select the Advanced Settings tab Mesh Options include Clien...

Page 344: ... Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is 4 microseconds Received Frame Size Limit If a suppo...

Page 345: ...rk WWAN card is a specialized network interface card that allows a network device to connect transmit and receive data over a Cellular Wide Area Network Certain AP7131N model access points have a PCI Express card slot that supports 3G WWAN cards The WWAN card uses Point to Point Protocol PPP to connect to the Internet Service Provider ISP and gain access to the Internet PPP is the protocol used fo...

Page 346: ...xpand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Interface to expand its submenu items 5 Select WAN Backhaul Figure 5 169 Device Overrides WAN Backhaul screen 6 Refer to the WAN 3G Backhaul configuration to specify WAN card settings NOTE A blue override icon to the left of a parameter defines the parameter as having an o...

Page 347: ...mpression methods as specified by the PPPoE protocol PPPoE enables WiNG supported controllers and access points to establish a point to point connection to an ISP over existing Ethernet interface To provide this point to point connection each PPPoE session learns the Ethernet address of a remote PPPoE client and establishes a session PPPoE uses both a discover and session phase to identify a clien...

Page 348: ...n it first performs a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID In discovery the PPPoE client discovers a server to host the PPPoE connection To create a PPPoE point to point configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device fr...

Page 349: ...PPoE protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the nu...

Page 350: ...cation by the PPPoE client Select Show to display the actual characters comprising the password Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmis...

Page 351: ...ol Configuration Overriding a Miscellaneous Network Configuration Overriding Alias Configuration 5 4 5 4 1 Overriding the DNS Configuration Overriding the Network Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP addresses If one DNS server doesn t know how t...

Page 352: ...tion screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Enable Domain Lookup Select this option to enable DNS on the access point When enabled human friendly domain names can be converted into numerical IP destination addresses The radio button is selected by default Enable DNS Server Forwarding Select this option to enable the forwarding DNS ...

Page 353: ...d to the right packet length and format and sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply indicating as such ARP updates the ARP cache for future reference and t...

Page 354: ... and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is reflected by the state of the L2TP V3 session If a L2TP V3 session is down the pseudowire associated with it must be shut down The L2TP...

Page 355: ...ove all overrides from the device Host Name Define a 64 character maximum hostname to specify the name of the host that sent tunnel messages Tunnel establishment involves exchanging 3 message types SCCRQ SCCRP and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifie...

Page 356: ... and log L2TPv3 events Name Displays the name of each listed L2TPv3 tunnel assigned upon creation Local IP Address Lists the IP address assigned as the local tunnel end point address not the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address MTU Displays the maximu...

Page 357: ...low for the continuous monitoring of these defined addresses A critical resource if not available can result in the network suffering performance degradation A critical resource can be a gateway AAA server WAN interface or any hardware or service on which the stability of the network depends Critical resources are pinged regularly If there s a connectivity issue an event is generated stating a cri...

Page 358: ...atically based on the tunnel peer IP address This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests MTU Set the maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers Define a MTU from 128 1 460 bytes The default setting is 1 460 A larger MTU means processing fewer pac...

Page 359: ...hat will have the direction burst size and traffic rate settings applied Direction Select the direction for L2TPv3 tunnel traffic rate limiting Egress traffic is outbound L2TPv3 tunnel data coming to the controller service platform or access point Ingress traffic is inbound L2TPv3 tunnel data coming to the controller service platform or access point Maximum Burst Size Set the maximum burst size fo...

Page 360: ...ry peer for tunnel failover If the peer is not specified tunnel establishment does not occur However if a peer tries to establish a tunnel with this access point it creates the tunnel if the hostname and or router ID matches Peer IP Address Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the peer a hostname th...

Page 361: ... chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in a session establishment message to the L2TP peer MTU Displays each sessions s maximum t...

Page 362: ...l When responding to incoming tunnel create requests it would use the IP address on which it had received the tunnel create request IP Set the IP address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message to th...

Page 363: ... tab from the Web UI 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select IGMP Snooping Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmission model wit...

Page 364: ... IGMP querier role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports IGMP multicast packet are not flooded on the wired port IGMP membership is also learnt on it and only if present then forwarded on that port An AP71xx model access point can al...

Page 365: ...fic The controller service platform or access point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces To set an IPv6 MLD snooping configuration for the profile 1 Select the Configuration tab from the Web UI 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device...

Page 366: ...isable IPv6 unknown multicast forwarding This setting is enabled by default Enable MLD Querier Select the option to enable MLD querier on the controller service platform or access point When enabled the device sends query messages to discover which network devices are members of a given multicast group This setting is disabled by default MLD Version Define whether MLD version 1 or 2 is utilized as...

Page 367: ...elect Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select Quality of Service MLD Robustness Variable Set a MLD IGMP robustness value 1 7 used by the sender of a query The MLD robustness variable enables refinements to account for expec...

Page 368: ...erride the priority value DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priority The valid values for this field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Backgroun...

Page 369: ...ber of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigned to these VL...

Page 370: ...he default setting is 20 MST Config Name Define a 64 character maximum name for the MST region as an identifier MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the Enable or Disable radio buttons to enable disable interoperability with Cisco s version of MSTP which is inco...

Page 371: ...port it does not immediately start to forward data It first processes BPDUs and determines the network topology When a host is attached the port always goes into the forwarding state after a delay of while it goes through the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to...

Page 372: ...using static routes provided in the route table This option is enabled by default 7 Select the Policy Based Routing policy to apply to this profile Click the Create icon to create a policy based route or click the Edit to edit an existing policy after selecting it in the drop down list For more information on policy based routing see Policy Based Routing PBR on page 7 2 8 Select Add Row as needed ...

Page 373: ...in the format FC00 7 15 Set a System NS Retransmit Interval from 1 000 to 3 600 000 milliseconds as the interval between neighbor solicitation NS messages NS messages are sent by a node to determine the link layer address of a neighbor or verify a neighbor is still reachable via a cached link layer address The default is 1 000 milliseconds Static Default Route Priority Use the spinner control to s...

Page 374: ...ate information from neighbor routers and constructs RA Convert milliseconds Select this option to convert multicast router advertisements RA to unicast router advertisements at the dot11 layer Unicast addresses identify a single network interface whereas a multicast address is used by multiple hosts This setting is disabled by default Throttle Select this option to throttle RAs before converting ...

Page 375: ...ernal routes that is The only way for traffic to get routed outside of the area is A default route is the only way to route traffic outside of the area When there s only one route out of the area fewer routing decisions are needed lowering system resource utilization non stub An area that imports autonomous system external routes and send them to other areas However it still cannot receive externa...

Page 376: ...s not an IP address it does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default P...

Page 377: ...limit LSAs and encourage aggregate routes VRRP Mode Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted b...

Page 378: ...Select Add to create a new OSPF configuration Edit to modify an existing configuration or Delete to remove a configuration Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 379: ...lect either None simple password or message digest as credential validation scheme used with the OSPF dynamic route The default setting is None Type Set the OSPF area type as either stub totally stub nssa totally nssa or non stub Default Cost Select this option to set the default summary cost advertised if creating a stub Set a value from 1 16 777 215 Translate Type Define how messages are transla...

Page 380: ... for the interface configuration Type Displays the type of interface Description Lists each interface s 32 character maximum description Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route s virtual interface connection VLAN Lists the VLAN IDs set for each listed OSPF route virtual interface IP Address Displays the IP addresses defined as virtual ...

Page 381: ...ended destination On the way out the source IP address is changed in the header and replaced by the public IP address Outside Packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine There the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network None No NAT activ...

Page 382: ...be booted using the network rather than locally This setting is disabled by default Maximum Transmission Unit MTU Set the PPPoE client maximum transmission unit MTU from 500 1 492 The MTU is the largest physical packet size in bytes a network can transmit Any messages larger than the MTU are divided into smaller packets before being sent A PPPoE client should be able to maintain its point to point...

Page 383: ...rimary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings Zero config can be used instead of a wireless network utility from the manufacturer of a computer s wireless netwo...

Page 384: ...tate This option is enabled by default 39 Refer to the IPv6 Address Prefix from Provider table to create IPv6 format prefix shortcuts as supplied by an ISP Select Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined IPv6 Mode Select this option to enable IPv6 support on this virtual interface IPv6 is disabled by default IPv6 Address Static Define up to 15 g...

Page 385: ...ress and interface of the DHCPv6 relay The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6 DHCP relays exchange messages between a DHCPv6 server and client A client and relay agent exist on the same link When A DHCP request is received from the client the relay agent creates a relay forward message and sends it to a specified server address If no addresses are speci...

Page 386: ...icitation requests The advertisement includes IPv6 prefixes and other subnet and host information 44 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Address Enter an address for the DHCPv6 relay These DHCPv6 relay receive messages from DHCPv6 clients and forward them to DHCPv6 servers The DHCPv6 ...

Page 387: ...ress prefix signifies the address is only on the local link Valid Lifetime Type Set the lifetime for the prefix s validity Options include External fixed decrementing and infinite If set to External fixed just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity If set to decrementing use the lifetime date and time settings to refine the prefix expiry per...

Page 388: ...rementing and infinite If set to External fixed just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity If set to decrementing use the lifetime date and time settings to refine the prefix expiry period If the value is set for infinite no additional date or time settings are required for the prefix and the prefix will not expire The default setting is Ex...

Page 389: ...acing IPv4 IPV6 provides enhanced identification and location information for systems routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons 50 Select the VPN Crypto Map to use with this VLAN configuration Use the drop down menu to apply an existing crypto map configuration to this VLAN interface Use the Create icon to create ...

Page 390: ...rk and sends the updates to the other routers in the network using multicast Setting a high value increases the chance of this interface becoming a DR Setting this value to Zero 0 prevents this interface from being elected a DR Cost Select to enable or disable OSPF cost settings Use the spinner to configure a cost value in the range 1 65535 Use this option to set the OSPF cost of this interface OS...

Page 391: ... its forwarding database with known MAC addresses and their locations on the network This information is then used to decide to filter or forward the packet This forwarding database assignment can be overridden as needed but removes the device configuration from the managed profile that may be shared with other similar device models To define or override a forwarding database configuration 1 Selec...

Page 392: ...t VLAN ID if the destination MAC is on a different network segment 10 Provide an Interface Name used as the target destination interface for the target MAC address 11 Select OK to save the changes and overrides Select Reset to revert to the last saved configuration 5 4 5 4 11Overriding a Bridge VLAN Configuration Overriding the Network Configuration A Virtual LAN VLAN is separately administrated v...

Page 393: ...rameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device VLAN Lists the numerical identifier defined for the Bridge VLAN when it was initially created The available range is from 1 4094 This value cannot be modified during the edit process Description Lists a 6...

Page 394: ...computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages When first connected to a network a host sends a link local router solicitation multicast re...

Page 395: ... interface Firewalls generally are configured for all interfaces on a device When configured firewalls generate a large amount of flow tables that store information on the traffic allowed to traverse through the firewall These flow tables occupy a large portion of the limited memory on the device that could be used for other critical purposes With the Per VLAN firewall feature enabled on an interf...

Page 396: ... button Tunnel Over Level 2 Select this option to allow VLAN traffic to be tunneled over level 2 links This setting is disabled by default NOTE If creating a mesh connection between two access points in Standalone AP mode Tunnel must be selected as the bridging mode to successfully create the mesh link between the two access points Mint Link Level Select the MINT link level from the drop down menu...

Page 397: ...uring Captive Portal Policies on page 9 2 16 Click the IGMP Snooping tab to set or override the IGMP snooping configuration Trust ARP Responses Select this option to use trusted ARP packets to update the DHCP snoop table to prevent IP spoof and arp cache poisoning attacks This feature is disabled by default Trust DHCP Responses Select this option to use DHCP packets from a DHCP server as trusted a...

Page 398: ...d This feature is enabled by default If disabled the settings under bridge configuration are overridden Forward Unknown Multicast Packets Select this option to enable the access point to forward multicast packets from unregistered multicast groups If disabled the Unknown Multicast Forward feature is also disabled for the selected VLANs This settings is enabled by default Interface Name Select the ...

Page 399: ... IGMP membership is also learnt on it and only if present then forwarded on that port Source IP Address Define an IP address applied as the source address in the IGMP query packet This address is used as the default VLAN querier IP address IGMP Version Use the spinner control to set the IGMP version compatibility to IGMP version 1 2 or 3 The default IGMP version is 3 Maximum Response Time Specify ...

Page 400: ... MLD Snooping Enable MLD snooping to examine MLD packets and support content forwarding on this bridge VLAN Packets delivered are identified by a single multicast group address Multicast packets are delivered using best effort reliability just like IPv6 unicast MLD snooping is enabled by default Forward Unknown Unicast Packets Use this option to either enable or disable IPv6 unknown multicast forw...

Page 401: ...cated at the bottom right of the screen to save the changes and overrides to the CDP configuration Select Reset to revert to the last saved configuration 5 4 5 4 13Overriding a Link Layer Discovery Protocol Configuration Overriding the Network Configuration The Link Layer Discovery Protocol LLDP provides a standard way for a controller or access point to advertise information about themselves to n...

Page 402: ...the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select Link Layer Discovery Protocol Figure 5 207 Link Layer Discovery Protocol LLDP screen 6 Set the following LLDP parameters for the profile configuration 7 Select the OK button to save the changes and overrides to the LLDP configuration Select Reset to revert to the last saved configuration Enable LLDP Select ...

Page 403: ...on to save the changes and overrides Select Reset to revert to the last saved configuration 5 4 5 4 15Overriding Alias Configuration Overriding the Network Configuration With large deployments the configuration of remote sites utilizes a set of shared attributes of which a small set of attributes are unique for each location For such deployments maintaining separate configuration WLANs profiles po...

Page 404: ... remote deployment location the local network range is 172 16 10 0 24 the Network Alias can be overridden at the deployment location to suit the local requirement For the remote deployment location the Network Alias works with the 172 16 10 0 24 network Existing ACLs using this Network Alias need not be modified and will work with the local network for the deployment location This simplifies ACL d...

Page 405: ...n with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN alias can be used to replace VLANs in the following locations Bridge VLAN IP Firewall Rules L2TPv3 Switchport Wireless LANs 7 Select Add Row to define Host Alias s...

Page 406: ... field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overridden at the remote location to suit their local but remote requirement At the remote location the ACL functions with the 172 16 10 0 24 network A new ACL need not...

Page 407: ...192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias A maximum of 32 network group alias entries can be created A network group alias is used in IP firewall rules to substitute hosts subnets and IP addr...

Page 408: ...lable Select Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displ...

Page 409: ...he network group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing S...

Page 410: ...gle IP node A network service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand it and di...

Page 411: ...tion can have an override applied as needed to meet the changing data protection requirements of a NOTE The Network Service Alias Name always starts with a dollar sign Protocol Specify the protocol for which the alias has to be created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selecte...

Page 412: ...s section describes how to use the inbuilt wizards to override the VPN parameters The user interface provides two 2 wizards that provide different levels of configuration Figure 5 214 Security Configuration Wizard screen The following options are available Quick Setup Wizard Use this wizard to setup basic VPN Tunnel on the device This wizard is aimed at novice users and enables them to setup a bas...

Page 413: ... of the parameters Figure 5 215 VPN Quick Setup Wizard 1 Provide the following information to configure a VPN tunnel Tunnel Name Provide a name for the tunnel Tunnel name must be such that it easily identifies the tunnel uniquely Tunnel Type Configure the tunnel type as one of the following Site to Site Provides a secured connection between two sites Remote Access Provides access to a network to r...

Page 414: ...Source Provide the source network along with its mask Destination Provide the destination network along with its mask Peer Configures the peer for this tunnel The peer device can be specified either by its hostname or by its IP address Authentication Configure the authentication used to identify peers The following can be configured Certificate Use a certificate to authenticate Pre Shared Key Use ...

Page 415: ...en two remote sites as indicated in the image Remote Access is used to create a tunnel between an user device and a network as indicated in the image Interface Select the interface to use Interface can be a Virtual LAN VLAN or WWAN or PPPoE depending on the interfaces available on the device Traffic Selector ACL This field creates the Access Control List ACL that is used to control who uses the ne...

Page 416: ...cate Local Identity Configure the local identity for the VPN Tunnel IP Address The local identity is an IP address FQDN The local identity is a Fully Qualified Domain Name FQDN Email The local identity is an E mail address Remote Identity Configure the remote identity for the VPN Tunnel IP Address The remote identity is an IP address FQDN The remote identity is a Fully Qualified Domain Name FQDN E...

Page 417: ... encryption to use for creating the tunnel Authentication The authentication used to identify tunnel peers Mode The mode of the tunnel This is how the tunnel will operate From the drop down select any pre configured Transform Set or click the Create New Policy to create a new transform set Encryption This field is enabled when Create New Policy is selected in Transform Set field This is the encryp...

Page 418: ...ts and the wireless controller with minimum configuration pushed through DHCP option settings 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options Mode This field is enabled when Create New Policy is selected in Transform Set field The mode indicates how packets are transported through the tunnel Tunnel Use this mode when the...

Page 419: ... remote tunnel peer Key length is between 8 21 characters IKE Version Configure the IKE version to use The available options are ikev1 main ikev1 aggr and ikev2 Enable NAT after IPSec Select this option to enable NAT after IPSec Enable this if there are NATted networks behind VPN tunnels Use Unique ID In scenarios where different access points behind different NAT boxes routers have the same IP ad...

Page 420: ... to revert to the last saved configuration NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Firewall Policy Select the firewall policy used by devices with this profile Use the icons nex...

Page 421: ...4 Select Security to expand its sub menu options 5 Select Certificate Revocation Figure 5 222 Device Overrides Certificate Revocation screen 6 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a privat...

Page 422: ...s a traffic routing device for the purpose of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT provides outbound Internet access to wired and wireless hosts Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows the acce...

Page 423: ... thus far Any of these policies can be selected and applied to a profile 7 Select Add to create a new NAT policy that can be applied to a profile Select Edit to modify or override the attributes of a existing policy or select Delete to remove obsolete NAT policies from the list of those available to a profile Figure 5 224 Device Overrides Security NAT Pool screen ...

Page 424: ... use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Figure 5 225 Device Overrides Static NAT screen To map a source IP address...

Page 425: ...will not be exposed to the outside world when the translation address is used to interact with the remote destination NAT IP Enter the IP address of the matching packet to the specified value The IP address modified can be either source or destination based on the direction specified Network Select Inside or Outside NAT as the network direction The default setting is Inside Select Inside to create...

Page 426: ...onnection between two endpoints Each endpoint is defined by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or ...

Page 427: ...t setting Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual a...

Page 428: ...g NAT pool used with the dynamic NAT configuration Overload IP If One Global IP Address is selected as the Overload Type define an IP address used as a filter address for the IP ACL rule ACL Precedence Lists the administrator assigned priority set for the listed source list ACL The lower the value listed the higher the priority assigned to this ACL rule Source List ACL Use the drop down menu to se...

Page 429: ...wards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with access to the Internet To define a Bridge NAT configuration that can be applied to a profile 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides from the options on left hand side of the UI 4 Expand the Security menu and select Bridge NAT Interfac...

Page 430: ...sts the communication medium outgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or w wan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP Lists the addres...

Page 431: ... to configure IP addresses and address ranges that can used to access the Internet 10 Select Add Row to set the IP address range settings for the Bridge NAT configuration Interface Lists the outgoing layer 3 interface on which traffic is re directed The interface can be an access point WWAN or PPPoE interface Traffic can also be redirected to a designated VLAN NAT Pool Displays the NAT pool used b...

Page 432: ... System Reference Guide Figure 5 232 Profile Security Source Dynamic NAT screen Add Row field 11 Select OK to save the changes made within the Add Row and Dynamic NAT screens Select Reset to revert to the last saved configuration ...

Page 433: ...er MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state they monitor the...

Page 434: ...nitially defined This ID identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual router ID Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway addre...

Page 435: ...ces over virtual IP For more information on the VRRP protocol specifications available publicly refer to http www ietf org rfc rfc3768 txt version 2 and http www ietf org rfc rfc5798 txt version 3 7 From within the VRRP tab select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and p...

Page 436: ...ine the following VRRP General parameters Description In addition to an ID assignment a virtual router configuration can be assigned a textual description up to 64 characters to further distinguish it from others with a similar configuration Priority Use the spinner control to set a VRRP priority setting from 1 254 The access point uses the defined setting as criteria in selection of a virtual rou...

Page 437: ...ty Preempt Delay If the Preempt option is selected use the spinner control to set the delay interval in seconds for preemption Interface Select this value to enable disable VRRP operation and define the AP7131 VLAN 1 4 094 interface where VRRP will be running These are the interfaces monitored to detect a link failure Sync Group Select this option to assign a VRRP sync group to this VRRP ID s grou...

Page 438: ...scovered For example a critical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue to monitored on that VLAN Critical resources can be configured for access points and wireless controllers using their respective profiles To define critical resources 1 Select the Configuration tab from the Web UI 2 Select De...

Page 439: ... selected a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource 9 Select Add Row to define the following for critical resource configurations IP Address Provide the IP address of the critical resource This is the address used by the access point to ensure the critical resource is available Up to four addresses can be defined Mode Set the pin...

Page 440: ...eld Sets the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface Generally the source address 0 0 0 0 is used in the APR packets used to detect critical resources However some devices do not support the above IP address and drop the ARP packets Use this field to provide an IP address specifically used for this purpose The IP address used f...

Page 441: ... for use with this profile A captive portal is guest access policy for providing temporary and restrictive access to the network The primary means of securing such guest access is a captive portal A captive portal configuration provides secure authenticated access using a standard Web browser A captive portal provides authenticated access by capturing and re directing a user s Web browser session ...

Page 442: ...f Bonjour advertisements across VLANs to enable the Bonjour Gateway device to build a list of services and the VLANs where these services are available 9 Select OK to save the changes or overrides made to the profile s services configuration Select Reset to revert to the last saved configuration 5 4 5 9 Overriding a Management Configuration Device Overrides There are mechanisms to allow deny manag...

Page 443: ... logging configuration This option is disabled by default Remote Logging Host Use this table to define numerical non DNS IP addresses for up to three external resources where logged system events can be sent on behalf of the profile Select Clear as needed to remove an IP address Facility to Send Log Messages Use the drop down menu to specify the local server facility if used for the profile event ...

Page 444: ...arning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Time to Aggregate Repeated Message...

Page 445: ...uration Update Select this option to enable automatic configuration file updates for the controller profile from a location external to the access point If enabled the setting is disabled by default provide a complete path to the target configuration file used in the update Enable Firmware Update Select this option to enable automatic firmware updates from a user defined remote location This value...

Page 446: ... to its peers Mesh network provides robust reliable and redundant connectivity to all the members of the network When one of the participant node in a mesh network becomes unavailable the other nodes in the network are still able to communicate with each other either directly or through intermediate nodes Mesh Point is the name given to a device that is a part of a meshed network Use the Mesh Poin...

Page 447: ... the drop down menu select the root behavior of this access point Select True to indicate this access point is a root node for this mesh network Select False to indicate this access point is not a root node for this mesh network A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Root Selection Method Use the drop down menu to dete...

Page 448: ...c mesh network is considered This field along with Signal Strength Delta and Sustained Time Period are used to dynamically select the next hop in a dynamic mesh network Signal Strength Delta Enter a delta value in dB A candidate for selection as a next hop in a dynamic mesh network must have a SNR higher than the value configured here This field along with the Minimum Threshold and Sustained Time ...

Page 449: ...following for more information on the Auto Channel Selection Dynamic Root Selection screen These descriptions are common for configuring the 2 4 GHZ and 5 0 4 9 GHz frequencies Channel Width Configure the channel width that mesh point automatic channel scan should assign to the selected radio The available options are Automatic Indicates the channel width is calculated automatically This is the de...

Page 450: ...ation in the range of 20 250 milliseconds for the Off Channel Duration field This is the duration that the scan dwells on each channel when performing an off channel scan Off Channel Scan Frequency Configure the time duration in seconds between two consecutive Off Channel Scans Set a duration between 1 60 seconds Meshpoint Root Sample Count Configure the number of scans to be performed for data co...

Page 451: ...given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected SNR Delta Configure the signal to noise ratio delta value for path selection When path selection occurs this set value is considered for selecting the optimal path A better candidate on a different channel must have a signal strength that...

Page 452: ...e Automatic Indicates the channel width is calculated automatically This is the default value 20 MHz Indicates the width between two adjacent channels is 20 MHz 40 MHz Indicates the width between two adjacent channels is 40 MHz Priority Meshpoint Configure the mesh point to be monitored for automatic channel scan This is the mesh point that given priority over other available mesh points When conf...

Page 453: ...reater than 30 mph For more information see Radio Override Configuration Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automatic channel selection for mesh point selection Set a value in between 800 65535 Meshpoint Tolerance Period Configure the time duration in seconds to wait before triggering a automatic channel selection for the next hop Meshpoint Root S...

Page 454: ...t certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MiNT are such that these scenarios continue to function as expected with minima...

Page 455: ...ad Balancing fields to configure or override it Using probes from common clients Select this option to enable neighbor selection using probe requests from common clients between the neighbor device and this device Using notifications from roamed clients Select this option to enable neighbor selection using notifications from clients roamed from other devices Using smart rf neighbor detection Selec...

Page 456: ...s secondary to maintaining client association The default setting is 90 Weightage given to Throughput Use the spinner control to assign a weight between 0 100 the access point uses to prioritize 2 4 and 5 GHz radio throughput in the overall access point load calculation Assign this value higher if throughput and radio performance are considered mission critical within the access point managed netw...

Page 457: ...nsidered Equal Use the spinner control to set a value between 0 100 considered an adequate discrepancy when comparing 2 4 and 5GHz radio band load balances on this access point The default setting is 10 Thus using a default setting of 1 means 1 is considered inconsequential when comparing 2 4 and 5 GHz load balances on this access point Band Ratio 2 4GHz Use the spinner control to set a loading ra...

Page 458: ...from 0 60 seconds The default setting has the option disabled Max confirmed Neighbors Use the spinner to set the maximum number of learned neighbors stored at this device Minimum signal strength for smart rf neighbors Use the spinner to set the minimum signal strength of neighbor devices that are learnt through Smart RF before being recognized as neighbors Level 1 Area ID Select this option to ena...

Page 459: ...ncy Hold Time managed devices use to securely communicate amongst one another 25 Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration MLCP IP Select this option to enable MINT Link Creation Protocol MLCP by IP Address MINT Link Creation Protocol is used to create one UDP IP link from the device to a neighbor That neighboring device can be another AP M...

Page 460: ...override a routing level of either 1 or 2 Listening Link Specify a listening link of either 0 or 1 UDP IP links can be created by configuring a matching pair of links one on each end point However that is error prone and doesn t scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link...

Page 461: ...it to override an existing MINT configuration Adjacency Hold Time Set or override a hold time interval in either Seconds 2 600 or Minutes 1 10 for the transmission of hello packets The default interval is 46 seconds IPSec Secure Select this option to use a secure link for IPSec traffic This setting is disabled by default When enabled both the header and the traffic payload are encrypted IPSec GW D...

Page 462: ...4 094 used by peer controllers for interoperation when supporting the MINT protocol Routing Level Use the spinner control to define or override a routing level of either 1 or 2 Link Cost Use the spinner control to define or override a link cost from 1 10 000 The default value is 10 Hello Packet Interval Set or override an interval in either Seconds 1 120 or Minutes 1 2 for the transmission of hell...

Page 463: ...lete 36 Use the drop down menu to configure the access point s Meshpoint Behavior This field configures the access point s mobility behavior The default is External fixed and indicates that the mesh point is fixed The value vehicle mounted indicates that the mesh point is mobile This feature is only available on an AP7161 model access point 37 Use the Root Path Monitor Interval to configure the in...

Page 464: ... Figure 5 255 Profile Environmental Sensor screen 5 Override or set the following Light Sensor settings for the AP8132 s sensor module NOTE This feature is available on the AP8132 model only Enable Light Sensor Select this option to enable the light sensor on the module This setting is enabled by default Polling Time to Determine if Light is On Off Define an interval in Seconds 2 201 or Minutes 1 ...

Page 465: ...le Temperature Sensor Select this option to enable the module s temperature sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is enabled by default Enable Motion Sensor Select this option to enable the module s motion sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is...

Page 466: ...olicies can have their event notification configurations modified as device profile requirements warrant To define an access point event policy 1 Select Devices from the Configuration menu 2 Select Event Policy Figure 5 256 Event Policy screen 3 Ensure the Activate Event Policy option is selected to enable the screen for configuration This option needs to remain selected to apply the event policy ...

Page 467: ...ccess control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit periodic beacons for each BSS A beacon advertises the SSID security requirements supported data rates of the wireless network to enable clients to locate and connect to the WLAN WLANs are mapped to radios on each acc...

Page 468: ...6 2 WiNG 5 6 Access Point System Reference Guide Figure 6 1 Configuration Wireless menu ...

Page 469: ...button to update the SSID designation Description Displays the brief description assigned to each listed WLAN when it was either created or modified WLAN Status Lists each WLAN s status as either Active or Shutdown A green check mark defines the WLAN as available to clients on all radios where it has been mapped A red X defines the WLAN as shutdown meaning even if the WLAN is mapped to radios it s...

Page 470: ...fer to the Encryption Type column to verify if there is some sort of data protection used with the WLAN or risk using this WLAN with no protection at all Encryption Type Displays the name of the encryption scheme used by each listed WLAN to secure client membership transmissions None is listed if encryption is not used within this WLAN In case of no encryption refer to the Authentication Type colu...

Page 471: ...LAN s properties WLANs can also be removed as they become obsolete by selecting Delete Figure 6 3 WLAN Basic Configuration screen 5 Refer to the WLAN Configuration field to define the following WLAN If adding a new WLAN enter its name in the space provided Spaces between words are not permitted The name could be a logical representation of the WLAN coverage area engineering marketing etc If editin...

Page 472: ...l or Tunnel Select Local to bridge VLAN traffic locally or Tunnel to use a shared tunnel for bridging the WLAN s VLAN traffic Local is the default setting DHCP Option 82 Select this option to enable DHCP Option 82 DHCP option 82 provides additional information on the physical attachment of a client This setting is disabled by default Bonjour Gateway Discovery Policy Use the drop down menu to assig...

Page 473: ...ed and the VLAN configuration defined in the preceding step is used If RADIUS authentication fails the VLAN defined is the VLAN assigned to the WLAN 9 Select OK when completed to update the WLAN s basic configuration Select Reset to revert the screen back to the last saved configuration 6 1 1 1 WLAN Basic Configuration Deployment Considerations Basic WLAN Configuration Before defining a WLAN s bas...

Page 474: ... screen Authentication ensures only known and trusted users or devices access an access point managed WLAN Authentication is enabled per WLAN to verify the identity of both users and devices Authentication is a challenge and response procedure for validating user credentials such as user name password and secret key information A client must authenticate to an access point to receive resources fro...

Page 475: ... was introduced Wired Equivalent Privacy WEP was the primary encryption mechanism WEP has since been interpreted as flawed in many ways and is not considered an effective standalone scheme for securing a WLAN WEP is typically used with WLAN deployments supporting legacy clients New deployments should use either WPA or WPA2 encryption Encryption applies a specific algorithm to alter its appearance ...

Page 476: ... an additional measure of security with the WLAN that can be used with EAP Either select an existing AAA Policy from the drop down menu select the Create icon to the right of the AAA Policy parameter to create a new AAA policy or select the Edit icon to modify the selected AAA policy s configuration Authentication authorization and accounting AAA is a framework for intelligently controlling access...

Page 477: ... on a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify its security properties 5 Select Security 6 Select MAC as the Authentication Type Selecting MAC enables the radio buttons for the Open WEP 64 WEP 128 WP...

Page 478: ...hat can be applied to a WLAN see Configuring Captive Portal Policies on page 9 2 To assign a captive portal policy to a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify the properties of an existing WLAN 5 S...

Page 479: ...vice accessing the captive portal This information is stored on board the access point The next time the user accesses the captive portal service using the same device he she is authenticated immediately as the MAC address of the device is available in the access point s database along with the user s identification information The user saves time as identification information is not collected aga...

Page 480: ...ources 10 Select OK when completed to update the External Controller configuration Select Reset to revert the screen back to the last saved configuration 6 1 2 8 TKIP CCMP Configuring WLAN Security The encryption method is Temporal Key Integrity Protocol TKIP TKIP addresses WEP s weaknesses with a re keying mechanism a per packet mixing function a message integrity check and an extended initializa...

Page 481: ... as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the administrator from entering the 256 bit key each time keys are generated Unicast Rotation Interval Define an interval for unicast key transmission interval from 30 86 400 seconds Some clien...

Page 482: ...ster re association Pairwise Master Key PMK Caching Pairwise Master Key PMK Caching is a technique for sidestepping the need to re establish security each time a client roams to a different switch Using PMK caching clients and switches cache the results of 802 1X authentications Therefore access is much faster when a client roams back to a switch to which the client is already authenticated Opport...

Page 483: ... same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a totally different result WPA2 CCMP is based on the concept of a Robust Security Network RSN which defines a hierarchy of keys with a limited lifetime similar to TKIP Like TKIP the provided keys are used to derive other ...

Page 484: ...ould not have enough data using a single key to attack the deployed encryption scheme Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This passphrase saves the admi...

Page 485: ...pre authentication a client can perform an 802 1X authentication with other detected access points while still connected to its current access points When a device roams to a neighboring access points the device is already authenticated thus providing faster re association Pairwise Master Key PMK Caching Pairwise Master Key PMK Caching is a technique for sidestepping the need to re establish secur...

Page 486: ...uthentication to provide user and device authentication and dynamic WEP key derivation and periodic key rotation 802 1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered WEP 64 uses a 40 bit key concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter ...

Page 487: ... any alphanumeric string The wireless controller other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 fields to specify key numbers For WEP 64 40 bit key the keys are 10 hexadecimal chara...

Page 488: ...1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered If 802 1X support is not available on the legacy device MAC authentication should be enabled to provide device level authentication WEP 128 and KeyGuard use a 104 bit key which is concatenated with a 24 bit initialization vector IV to form the RC4 traffic key WEP may be all a small business user n...

Page 489: ...e button The pass key can be any alphanumeric string The access point other proprietary routers and Motorola Solutions clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without Motorola Solutions adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 areas to specify key numbers For WEP 128 104 bit key the keys ar...

Page 490: ...l overview see Wireless Firewall on page 8 2 WLANs use Firewalls like Access Control Lists ACLs to filter mark packets based on the WLAN from which they arrive as opposed to filtering packets on Layer 2 ports An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions rules a packet must satisfy to match the ACE The order of conditions in the...

Page 491: ...Firewall Rules or Outbound IP Firewall Rules using the drop down menu If no rules exist select the Create icon to create a new firewall rule configuration Select the Edit icon to modify the configuration of a selected firewall If creating a new rule provide a name up to 32 characters 7 Select the Add button ...

Page 492: ...dually as their filtering attributes require a more refined update a Select the Edit Rule icon to the left of a particular IP Firewall rule configuration to update its parameters collectively Figure 6 11 WLAN Security IP Firewall Rules Edit Rule screen b Click the icon within the Description column top right hand side of the screen and select IP filter values as needed to add criteria into the con...

Page 493: ...ess or network group configuration used as a basis matching criteria for this IP ACL rule Source options include Any Indicates any host device in any network Network Indicates all hosts in a particular network Subnet mask information has to be provided for filtering based on network Host Indicates a single host with a specific IP address Alias Indicates a collection of IP addresses or hostnames or...

Page 494: ...ype ICMP messages are used for packet flow control or generated in IP error responses ICMP errors are directed to the source IP address of the originating packet Assign an ICMP type from 1 10 ICMP Code Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code Many ICMP types have a corresponding code helpful for troubleshooting networ...

Page 495: ...t select Create to display a screen where Firewall rules can be created 12 Select the Add Row button 13 Select the added row to expand it into configurable parameters Figure 6 13 WLAN Security MAC Firewall Rules screen 14 Define the following parameters for either the inbound or outbound MAC Firewall Rules Allow Every MAC firewall rule is made up of matching criteria rules The action defines what ...

Page 496: ... employs to interoperate within the network once authenticated by the access point s local RADIUS server Set the VLAN form 1 4094 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu to specify an Ethertype of either ipv6 arp wisp or monitor 8021q An Ethertype is a two octet field within...

Page 497: ...match Select this radio button to check for a source MAC mismatch in the ARP header and Ethernet header This setting is enabled by default DHCP Trust Select this radio button to enable DHCP trust on this WLAN This setting is disabled by default Wireless Client Denied Traffic Threshold If enabled any associated client exceeding the thresholds configured for storm traffic is either deauthenticated o...

Page 498: ...points can support up to 256 clients per access point AP6511 and AP6521 models can support up to 128 clients per access point Client load balancing can be enforced for the WLAN as more and more WLANs are deployed 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create a new WLAN or s...

Page 499: ...fic is distributed In a WLAN each device normally connects to an access point with the strongest signal Depending on the number and locations of the clients this arrangement can lead to excessive demand on one access point and under utilization of others resulting in degradation of overall network performance With 802 11k if the access point with the strongest signal is loaded to its capacity a cl...

Page 500: ...ioning local versus remote users and how to best accommodate each Remote user information can be archived to a remote location for periodic network and user permission administration To configure WLAN accounting settings 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an addi...

Page 501: ...s disabled by default Syslog Host Specify the IP address or hostname of the external syslog host where accounting records are routed Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed The default port is 514 Proxy Mode Use the drop down menu to define how syslog accounting is conducted Options include None Through Wir...

Page 502: ... the Service Monitoring feature enables the captive portal administrators to indicate to all users that the service is temporarily unavailable As the service unavailable information is immediately displayed to the users users are less likely to complain The reasons a captive portal service becomes unavailable can be broadly classified as When the RADIUS authentication server becomes unavailable Th...

Page 503: ...ers are automatically migrated to the VLAN defined in the Adoption Monitoring VLAN field Adoption Monitoring VLAN Use the spinner control to select the VLAN that users are migrated to when a device s connection to its adopting controller is lost DHCP Server Monitoring Enable Select to enable monitoring the configured DHCP Server When the connection to the monitored DHCP server is lost all captive ...

Page 504: ...N Client Load Balancing screen 6 Set the following Load Balance Settings generic to both the 2 4 GHz and 5 0 GHz bands Enforce Client Load Balancing Select this radio button to enforce a client load balance distribution on this WLAN This setting is disabled by default Loads are balanced by ignoring association and probe requests Probes and association requests are not responded to forcing a client...

Page 505: ...cy The default value is 60 Probe Request Interval Enter a value in seconds from 0 10 000 to set an interval for client probe requests beyond which association is allowed for clients on the 2 4 GHz frequency The default setting is 10 seconds Single Band Clients Select this option to enable single band client associations on the 5 0 GHz frequency even if load balancing is available The default setti...

Page 506: ...s NAS Identifier Specify what is included in the RADIUS NAS Identifier field for authentication and accounting packets This is an optional setting and defaults are used if no values are provided NAS Port The profile database on the RADIUS server consists of user profiles for each connected network access server NAS port Each profile is matched to a user name representing a physical port When the a...

Page 507: ...pplicable to client traffic associated with this WLAN only If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associat...

Page 508: ...channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates 802 11n MCS rates are defined as follows both with and without short guard intervals SGI Table 6 1 MCS 1Stre...

Page 509: ...CS 3Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 3 19 5 21 7 40 5 45 1 3 39 43 3 81 90 2 3 58 5 65 121 5 135 3 3 78 86 7 162 180 4 3 117 130 7 243 270 5 3 156 173 3 324 360 6 3 175 5 195 364 5 405 7 3 195 216 7 405 450 Table 6 4 MCS 802 11ac theoretical throughput for single spatial streams MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40M...

Page 510: ...1 5 135 263 3 292 5 7 65 72 2 135 150 292 5 325 8 78 86 7 162 180 351 390 9 n a n a 180 200 390 433 3 Enable Select this option to forward logging messages to an external syslog server Host Use the field to provide a hostname IP address of the remote syslog server Use the drop down menu to select the type of host address Port Use the spinner control to configure the port on which the external sysl...

Page 511: ... in a meshed network and its connection to the mesh is lost then all WLANs on the access point that have this option enabled are shut down Shutdown on Primary Port Link Loss When there is a loss of link on the primary wired link on the access point all the WLANs on the access point that have this option enabled are shut down Shutdown on Critical Resource Down If critical resource monitoring is ena...

Page 512: ...N to shutdown if any one or all of the access point s configured critical resources are not reachable or available This setting is disabled by default Shutdown on Unadoption Select to enable the WLAN to shutdown if the access point is unadopted from its wireless controller This setting is disabled by default Days Configure the days on which the WLAN is accessible Select from one of the following A...

Page 513: ...OK when completed to update this WLAN s Advanced settings Select Reset to revert to the last saved configuration Select Exit to exit the screen End Time Configure the time when the WLAN is unavailable End time is configured as HH MM AM PM ...

Page 514: ...olicies supports an ideal QoS configuration for the intended data traffic for this WLAN select the Add button to create new policy Select the radio button of an existing WLAN and select OK to map the QoS policy to the WLAN displayed in the banner of the screen Use the WLAN Quality of Service QoS screen to add a new QoS policy or edit an existing policy Each access point model supports up to 32 WLA...

Page 515: ...on this WLAN is low priority on the radio SVP Prioritization A green check mark defines the policy as having Spectralink Voice Prioritization SVP enabled to allow the access point to identify and prioritize traffic from Spectralink Polycomm phones using the SVP protocol Phones using regular WMM and SIP are not impacted by SVP prioritization A red X defines the QoS policy as not supporting SVP prio...

Page 516: ...given access category packets are then added to one of four independent transmit queues one per access category voice video best effort or background in the client The client has a collision resolution mechanism to address collision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client should...

Page 517: ...dio This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video Optimized fo...

Page 518: ...load information element in beacons and probe response packets This feature is enabled by default Configure Non WMM Client Traffic Use the drop down menu to specify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include Video Voice Normal and Low The default setting is Normal Transmit Ops Use the slider to set the maxi...

Page 519: ... are used for lower priority traffic The available range is from 0 15 The default value is 4 ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Higher values are used for lower priority traffic The available range is from 0 15 The default value is 10 Transmit Ops Use...

Page 520: ...QoS rate limit configurations for data transmitted from the access point upstream and data transmitted from a WLAN s wireless clients back to their associated access point radios downstream AP6511 and AP6521 model access points do not support rate limiting on an individual client basis Before defining rate limit thresholds for WLAN upstream and downstream traffic Motorola Solutions recommends you ...

Page 521: ...os to associated clients on this WLAN Enabling this option does not invoke rate limiting for data traffic in the downstream direction This feature is disabled by default Rate Define an upstream rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defined rate is ...

Page 522: ...ze for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the ups...

Page 523: ...reshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the downstream direction This is a percentage of the maximum burst size for vide...

Page 524: ... traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for client video traffic in the upstream direction This...

Page 525: ...generated Background traffic consumes the least bandwidth of any access category so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Best Effort Traffic Set a percentage for client best effort traffic in the downstream direction This is a percentage of the maximum burst size for norma...

Page 526: ...lticast mask an administrator can indicate which frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast Mask Secondary Set a secondary multicast mask for the WLAN QoS policy Normally all multicast and broadcast packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients...

Page 527: ...ing a threshold must be defined for WLAN Before enabling rate limiting on a WLAN a baseline for each traffic type should be performed Once a baseline has been determined a minimum 10 margin should be added to allow for traffic bursts The bandwidth required for real time applications such as voice and video are very fairly easy to calculate as the bandwidth requirements are consistent and can be re...

Page 528: ...er priority from completely dominating the wireless medium thus ensuring lower priority traffic is still supported by connected radios IEEE 802 11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery U APSD that provides a mechanism for wireless clients to retrieve packets buffered by an access point U APSD reduces the amount of signaling frames sent from a...

Page 529: ...figure an access point radio s QoS policy 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Radio QoS Policy to display a high level display of existing Radio QoS policies Figure 6 26 Radio Quality of Service QoS screen 4 Refer to the following information for a radio QoS policy Radio QoS Policy Displays the name of each radio QoS policy This is the name set for each listed...

Page 530: ...n of frames for any traffic class by looking at the amount of traffic the client is receiving and sending If a client sends more traffic than configured for an admission controlled traffic class the traffic is forwarded at the priority of the next non admission controlled traffic class This applies to clients that do not send TPSEC frames only Voice A green check mark indicates voice prioritizatio...

Page 531: ... selected for the back off mechanism Lower values are used for higher priority traffic The available range is from 0 15 The default value is 3 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low number The default value is 0 AIFSN Set the current AIFSN from1 15 ...

Page 532: ...m of a numerical range From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic like video The available range is from 0 15 The default value is 4 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low...

Page 533: ...ssion control for voice supported client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription This value ensures the radio s bandwidth is available for high bandwidth voice traffic if anticipated on the wireless medium or other access category traffic if voice support is not prioritized Voice traffic requires longer radio airtime to process...

Page 534: ...to a different managed access point radio Select from 0 256 clients The default value is 10 Reserved for Roam Set the roam utilization in the form of a percentage of the radio s bandwidth allotted to admission control for normal background supported clients who have roamed to a different managed radio The available percentage range is from 0 150 with 150 available to account for over subscription ...

Page 535: ...rm of a percentage of the radio s bandwidth allotted to admission control for low client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription Best effort traffic only needs a short radio airtime to process so set an intermediate airtime value if the radio QoS policy is reserved to support background data The default value is 75 Maximum Wire...

Page 536: ...owed Specify the maximum number of wireless clients from 0 256 allowed to use accelerated multicast The default value is 25 When wireless client count exceeds the above limit When the wireless client count using accelerated multicast exceeds the maximum number set the radio to either Reject new wireless clients or to Revert existing clients to a non accelerated state The default setting is Reject ...

Page 537: ...Delay for Best Effort Specify the maximum time in milliseconds to delay best effort traffic The default setting is 150 millisecond Max Delay for Background Specify the maximum time in milliseconds to delay background traffic The default setting is 250 millisecond Max Delay for Streaming Video Specify the maximum time in milliseconds to delay streaming video traffic The default setting is 150 milli...

Page 538: ...n WMM clients on the same WLAN Non WMM clients are always assigned a best effort access category Motorola Solutions recommends default WMM values be used for all deployments Changing these values can lead to unexpected traffic blockages and the blockages might be difficult to diagnose Overloading an access point radio with too much high priority traffic especially voice degrades the overall servic...

Page 539: ... a WLAN see Configuring Advanced WLAN Settings on page 6 40 Each supported access point model can support up to 32 Association ACLs with the exception of AP6511 and AP6521 models that support 16 WLAN Association ACLs To define an Association ACL deployable with a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Association ACL to display a high level display of existi...

Page 540: ... the Association ACL settings Select Reset to revert to the last saved configuration Precedence The rules within a WLAN s ACL are applied to packets based on their precedence values Every rule has a unique sequential precedence value you define You cannot add two rules s with the same precedence value The default precedence is 1 so be careful to prioritize ACLs accordingly as they are added Starti...

Page 541: ...nds using the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name ACLs after specific WLANs as individual ACL policies can be used by more than one WLAN You cannot apply more than one MAC based ACL to a Layer 2 interface If a MAC ACL is already configured on a Layer 2 interface and a...

Page 542: ... If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Smart RF policy is mapped the radio picks a channels specified in the Smart RF policy If no SMART RF policy is mapped the radio selects a random channel If the radio is a dedicated sensor it stops termination on that channel if a neighboring access point detects radar The access point att...

Page 543: ...hboring radios when radio interference is detected When interference is detected Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio If a client s signal to noise value is above the threshold the transmit power is increased until the signal to noise rate falls below the threshold This setting is enabled by default Co...

Page 544: ...rameters can be updated Use the Channel and Power screen to refine Smart RF power settings over both the 5 0 GHz and 2 4 GHz radio bands and select channel settings in respect to the access point s channel usage Figure 6 33 SMART RF Channel and Power screen 9 Refer to the Power Settings field to define Smart RF recovery settings for the access point s 5 0 GHz 802 11a and 2 4 GHz 802 11bg radio NOT...

Page 545: ...ry channel the system is configured for dynamic 20 40 operation When 20 40 is selected clients can take advantage of wider channels 802 11n clients experience improved throughput using 40 MHz while legacy clients either 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to work...

Page 546: ...index as defined in the table with the lowest index being executed first NOTE The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen Day Use the drop down menu to select a day of the week to apply the override Selecting All will apply the policy every day Selecting weeke...

Page 547: ...0 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency from 0 50 This is the frequency radios scan channels on non peer radios The default setting is 5 for both 2 4 GHz and 5 0 GHz bands Sample Count Use the spinner control to set a sample scan count value from 1 15 This is the number of radio RF readings gathered before data is sent to the Smart RF master Th...

Page 548: ...s selected as the Sensitivity setting from the Smart RF Basic Configuration screen 5GHz Neighbor Power Threshold Use the spinner control to set a value from 85 to 55 dBm the access point s 5 0 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within the access point s radio coverage area The default value is ...

Page 549: ...is allowed to compensate for a potential coverage hole The default setting is 3 Dynamic Sample Threshold Use the spinner control to set the number of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select this radio button to allow Smart RF to scan for excess interference from supported radio devices WLANs ar...

Page 550: ...client threshold from 1 255 If the threshold defined number of clients are connected to a radio the radio does not change its channel even though required based on the interference recovery determination made by the smart master The default setting is 50 5 GHz Channel Switch Delta Use the spinner to set a channel switch delta from 5 35 dBm for the 5 0 GHz radio This parameter is the difference bet...

Page 551: ...nd AP6521 model access points can support up to 128 clients per access point or radio The default setting is 1 SNR Threshold Use the spinner control to set a signal to noise SNR threshold from 1 75 dB This is the SNR threshold for an associated client as seen by its associated AP radio When exceeded the radio increases its transmit power to increase coverage for the associated client The default v...

Page 552: ...ion it s a temporary measure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist Motorola Solutions recommends that if a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS it will switch channels if radar is detected If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is d...

Page 553: ...f each MP to MP link MeshConnex uses this data to dynamically form and continually maintain paths for forwarding network frames In MeshConnex systems a Mesh Point MP is a virtual mesh networking instance on a device similar to a WLAN AP On each device up to 4 MPs can be created and 2 can be created per radio MPs can be configured to use one or both radios in the device If the MP is configured to u...

Page 554: ...status of each configured mesh point either Enabled or Disabled Descriptions Displays any descriptive text entered for each of the configured mesh points Control VLAN Displays VLAN number for the control VLAN on each of the configured mesh points Allowed VLANs Displays the list of VLANs allowed on each of the configured mesh points Security Mode Displays the security for each of the configured mes...

Page 555: ... use mesh point style beacons select mesh point from the drop down menu The default value is mesh point Is Root Select this option to specify the mesh point as a root Control VLAN Use the spinner control to specify a VLAN to carry mesh point control traffic The valid range for control VLAN is from 1 4094 The default value is VLAN 1 Allowed VLAN Specify the VLANs allowed to pass traffic on the mesh...

Page 556: ...authentication for the mesh point Select psk to set a pre shared key as the authentication for the mesh point If psk is selected enter a pre shared key in the Key Settings field Pre Shared Key When the security mode is set as psk enter a 64 character HEX or an 8 63 ASCII character passphrase used for authentication on the mesh point Unicast Rotation Interval Define an interval for unicast key tran...

Page 557: ...s Mesh points can communicate as long as they support the same basic MCS as well as non 11n basic rates The selected rates apply to associated client traffic within this mesh point only 5 0 GHz Mesh Point Choose the Select button to configure radio rates for the 5 0 GHz band Define both minimum Basic and optimal Supported rates as required for 802 11a and 802 11n rates supported by the 5 0 GHz rad...

Page 558: ...ic is supported within this mesh point If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they su...

Page 559: ...or each mesh point The Quality of Service screen displays a list of Mesh QoS policies available to mesh points Each Mesh QoS policy can be selected to edit its properties If none of the exiting Mesh QoS policies supports an ideal QoS configuration for the intended data traffic of this mesh point select the Add button to create new policy Select an existing Mesh QoS policy and select Edit to change...

Page 560: ...nd unknown unicast packets that typically transmit and receive from each supported WMM access category If thresholds are defined too low normal network traffic required by end user devices will be dropped resulting in intermittent outages and performance problems A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction Mesh Rx Rate Limit Display...

Page 561: ...Mesh Tx Rate Limit Select this option to enable rate limiting for all data received from any mesh point in the mesh This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received over the mesh point from all access categories Traffic that exceeds the defined rate is dropped...

Page 562: ...age of the maximum burst size for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general transmit rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value ...

Page 563: ...t to a lower value once a general receive rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for video traffic in the receive direction This is a percentage of the maximum burst size for video traffic Video traffic exceeding the defined threshold is dropped and a log message is generated Video traffic consumes sig...

Page 564: ...adio button to enable rate limiting for data transmitted from connected wireless clients Enabling this option does not invoke rate limiting for data traffic in the transmit direction This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received by the client Traffic that e...

Page 565: ... Detect Multicast Streams Select this option to have bridged multicast packets converted to unicast to provide better overall airtime utilization and performance The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast or specify which multicast streams are to be converted to unicast When the stream is converted and b...

Page 566: ...her relevant information Only relevant information is presented to the client which enables it to decide with network to join To define a Passpoint Policy 1 Select Configuration 2 Select Wireless 3 Select Passpoint Policy to display existing Passpoint policies Figure 6 46 Wireless Passpoint Policy screen 4 Refer to the following configuration data for existing Passpoint policies Name Displays the ...

Page 567: ...name for the operator running the hotspot service Enter a string not longer than 64 characters Venue Name Enter a friendly name for the venue in which this hotspot service is running Enter a string not longer than 252 characters Venue Name Lang Use this table to provide encoding information to display the Venue Name in other languages Use this table to provide the language Code and the hexadecimal...

Page 568: ...6 102 WiNG 5 6 Access Point System Reference Guide ...

Page 569: ... the network configuration options available to the access point refer to the following Policy Based Routing PBR L2TP V3 Configuration Crypto CMP Policy AAA Policy AAA TACACS Policy Alias IPv6 Router Advertisement Policy For configuration caveats specific to Configuration Network path refer to Network Deployment Considerations on page 7 54 ...

Page 570: ... a WLAN ports or SVI mark the packet the new marked DSCP value is used for matching Incoming WLAN Packets can be filtered by the incoming WLAN There are two ways to match the WLAN If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN then this WLAN is used for selection If the device doing policy based routing does not have an onboard radio and a pa...

Page 571: ...If not drop the packet Fallback Fallback to destination based routing if none of the configured next hops are reachable or not configured This is enabled by default Mark IP DSCP Set IP DSCP bits for QoS using an ACL The mark action of the route maps takes precedence over the mark action of an ACL To define a PBR configuration 1 Select Configuration tab from the Web UI 2 Select Network 3 Select Pol...

Page 572: ...oute map consists of multiple entries each carrying a precedence value An incoming packet is matched against the route map with the highest precedence lowest numerical value DSCP Displays each policy s DSCP value used as matching criteria for the route map DSCP is the Differentiated Services Code Point field in an IP header and is for packet classification Packets are filtered based on the traffic...

Page 573: ...raffic class defined in the IP DSCP field One DSCP value can be configured per route map entry Role Policy Use the drop down to select a Role Policy to use with this route map Click the Create icon to create a new Role Policy To view and modify an existing policy click the Edit icon User Role Use the drop down menu to select a role defined in the selected Role Policy This user role is used while d...

Page 574: ...nal considerations Next Hop secondary If the primary hop request were unavailable a second resource can be defined Set either the IP address of the virtual resource or select the Interface option and define either a wwan1 pppoe1 or a VLAN interface Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination the configured default next hop is used This value is ...

Page 575: ...efault Local PBR Select this option to implement policy based routing for this access point s packet traffic This setting is enabled by default so the match and action clauses defined within the Route Maps tab are implemented until disabled using this setting Use CRM Select the Use CRM Critical Resource Management option to monitor access point link status Selecting this option determines the disp...

Page 576: ...2TP V3 tunnel needs to be established between the tunneling entities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the pseudowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for ...

Page 577: ... between L2TP V3 hello keep alive messages exchanged within the L2TP V3 control connection Reconnect Attempts Lists each policy s maximum number of reconnection attempts to reestablish a tunnel between peers Reconnect Interval Displays the duration set for each listed policy between two successive reconnection attempts Retry Count Lists the number of retransmission attempts set for each listed pol...

Page 578: ...e L2 Path Recovery Indicates if L2 Path Recovery is enabled to learn servers gateways and other network devices behind a L2TPV3 tunnel Cookie size L2TP V3 data packets contain a session cookie which identifies the session pseudowire corresponding to it Use the spinner control to set the size of the cookie field present within each L2TP V3 data packet Options include 0 4 and 8 The default setting i...

Page 579: ...ry Time Out Use the spinner control to define the interval in seconds before initiating a retransmission of a L2TP V3 signaling message The available range is from 1 250 with a default value of 5 Rx Window Size Specify the number of packets that can be received without sending an acknowledgement The available range is from 1 15 with a default setting of 10 Tx Window Size Specify the number of pack...

Page 580: ...service platform or access point triggers a request for the configured CMS CA server Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manually created trustpoint for one service like HTTPs and use th...

Page 581: ...quest when a certificate expires 8 Select Add Row and define the following Crypto CPM Policy settings for the server resource 9 Set the following Trust Points settings The trustpoint is used for various services as specifically set the controller service platform or access point Enable Use the drop down menu to set the CMS server as either the Primary first choice or Secondary secondary option CMP...

Page 582: ...ndatory Reference ID Set the user reference value for the CMP CA trust point message The range is 0 256 This field is mandatory Secret Specify the secret used for trustpoint authentication over the designated CMP server resource Sender Name Enter a sender name up to 512 characters for the trustpoint request This field is mandatory Recipient Name Enter a recipient name value of up to 512 characters...

Page 583: ... what the user is authorized to perform These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions The database could be located locally on the access point or be hosted remotely on a RADIUS server Remote RADIUS servers authorize users by associating attribute value AV pairs wi...

Page 584: ...eginning of a process and a stop notice at the end of a process The start accounting record is sent in the background The requested process begins regardless of whether the start accounting notice is received by the accounting server Request Interval Lists the interval at which an access point sends a RADIUS accounting request to the RADIUS server NAC Policy Lists the Network Access Control NAC fi...

Page 585: ...ost onboard self or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is...

Page 586: ...alified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Using NAI each ISP need not have all the acc...

Page 587: ...default is 3 Request Timeout Specify the time from 1 60 seconds for the access point s re transmission of request packets If this time is exceeded the authentication session is terminated The default is 3 seconds Retry Timeout Factor Specify the time from 50 200 seconds between retry timeouts for the access points s re transmission of request packets The default is 100 DSCP Specify the DSCP value ...

Page 588: ...erver Type Displays the type of AAA server in use either Host onboard self or onboard controller Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Displays the time from 1 60 seconds for the access point s re transmission of ...

Page 589: ... not be a valid E mail address or a fully qualified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs ...

Page 590: ...nterval in seconds between two successive re transmission attempts of request packets Specify a value from 50 200 seconds The default is 100 seconds DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is from 0 63 with a default value of 34 NAI Routing Enable Displays NAI routing status AAA servers identify clients using...

Page 591: ...op Request Interval Set the periodicity of the interim accounting requests The default is 30 minutes Accounting Server Preference Select the server preference for RADIUS Accounting The options are Prefer Same Authentication Server Host Uses the authentication server hostname as the host used for RADIUS accounting This is the default setting Prefer Same Authentication Server Index Uses the same ind...

Page 592: ...ity Services Engine ISE to validate the compliance of a client to the network s policies such as the validity of the virus definition files for the antivirus software or the definition files for a anti spy ware software Accounting Delay Time Select this option to enable the support of an accounting delay time attribute within accounting requests This setting is disabled by default Accounting Multi...

Page 593: ...bute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager Options include None and proxier default setting Proxy NAS IPv6 Address Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager Options include None and proxier default setting ...

Page 594: ...rate accounting authentication and authorization services Some of the services provided by TACACS are Authorizing each command with the TACACS server before execution Accounting each session s logon and log off event Authenticating each user with the TACACS server before enabling access to network resources To define unique AAA TACACS configurations 1 Select the Configuration tab from the Web UI 2...

Page 595: ...b displays by default AAA TACACS Policy Displays the name assigned to the AAA TACACS policy when it was initially created The name cannot be edited within a listed profile Accounting Access Method Displays the method used to access the AAA TACACS Accounting server Options include all SSH Console or Telnet Authentication Access Method Displays the method used to access the AAA TACACS Authentication...

Page 596: ...7 28 WiNG 5 6 Access Point System Reference Guide Figure 7 16 AAA TACACS Policy Server Info tab 7 Under the Authentication table select Add Row ...

Page 597: ...ice platform or access point By default the secret is displayed as asterisks Request Attempts Set the number of connection request attempts to the TACACS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Specify the time for the re transmission of request packets after an unsuccessful attempt The default is 3 seconds If the s...

Page 598: ... Request Attempts Displays the number of connection attempts before the controller service platform or access point times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Specify the time for the re transmission of request packets after an unsuccessful attempt The default is 3 seconds If the set time is exceeded the authentication session is termi...

Page 599: ...attempt The default is 3 seconds If the set time is exceeded the authentication session is terminated Retry Timeout Factor Set the scaling of retransmission attempts from 50 200 seconds The timeout at each attempt is the function of the retry timeout factor and the attempt number 100 the default value implies a constant timeout on each retry Smaller values indicate more aggressive shorter timeouts...

Page 600: ...erformed for all types of access without prioritization Console Authorization is performed only for console access Telnet Authorization is performed only for access through Telnet SSH Authorization is performed only for access through SSH Allow Privileged Commands Select this option to enable privileged commands executed without command authorization Privileged commands are commands that can alter...

Page 601: ...Configuration 7 33 20 Select OK to save the updates to the AAA TACACS policy Select Reset to revert to the last saved configuration NOTE A maximum or 5 entries can be made in the Service Protocol Settings table ...

Page 602: ...onfiguration Devices RF Domain Alias screen These aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override al...

Page 603: ...entral network and the VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN Alias can be used to replace VLANs in the followi...

Page 604: ...rements A host alias can be used to replace hostnames in the following locations IP Firewall Rules DHCP 7 Select Add Row to define Network Alias settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL ...

Page 605: ... of host and network configurations Network configurations are complete networks in the form 192 168 10 0 24 or IP address range in the form 192 168 10 10 192 168 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 host entries eight 8 network entries and eight 8...

Page 606: ...ect Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a bla...

Page 607: ... group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing Subnets can...

Page 608: ...n one IP address to a network interface providing multiple connections to a network from a single IP node A network service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Configuration tab from the Web user interface 2 Select Network 3 Select the Alias item the Basic Alias screen displays 4 Select the Network Servic...

Page 609: ... created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter...

Page 610: ...er the source receives the advertisement it can communicate with other devices Advertisement messages are also sent to indicate a change in link layer address for a node on the local link With such a change the multicast address becomes the destination address for advertisement messages To define a IPv6 router advertisement policy 1 Select Configuration Network IPv6 Router Advertisement Policy Fig...

Page 611: ...IPv6 router advertisements A lifetime of 0 indicates that the router is not a default router The router advertisement interval range is 0 9000 Seconds 0 150 Minutes or 0 2 5 Hours The default is 30 minutes Managed Address Configuration Flag Select this option to send the managed address configuration flag in router advertisements When set the flag indicates that the addresses are available via DHC...

Page 612: ...ing is disabled Override System ND Reachable Time in RA Set the period for sending neighbor reachable time in the router advertisements When unspecified the neighbor reachable time configured for the system is advertised The interval range is from 5 000 3 600 000 milliseconds The default is 5000 milliseconds Advertise NS Retransmit Timer in RA Select this option to not specify the neighbor solicit...

Page 613: ...ansfers on the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete In respect to L2TP V3 the control connection keep alive mechanism of L2TP V3 can serve as a monitoring mechanism for the pseudowires associated with a control connection Domain Name Lifetime Type Set the DNS Server Lifetime Type Options include expired External fixed and infinite The de...

Page 614: ...7 46 WiNG 5 6 Access Point System Reference Guide ...

Page 615: ...ion to protect and secure data at each vulnerable point in the network This security is offered at the most granular level with role and location based secure access available to users based on identity as well as the security posture of the client device There are multiple dimensions to consider when addressing the security of an access point managed wireless network including Wireless Firewall C...

Page 616: ...l device from first to last When a rule matches the network traffic processed by an access point the firewall uses that rule s action to determine whether traffic is allowed or denied Rules comprise of conditions and actions A condition describes a packet traffic stream A condition defines constraints on the source and destination devices the service for example protocols and ports and the incomin...

Page 617: ...fic or respond so slowly the device becomes unavailable in respect to its defined data rate DoS attacks are implemented by either forcing targeted devices to reset or consuming the devices resources so it can no longer provide service 4 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays s...

Page 618: ...rator service to create a string of characters which is then directed to the DNS service on port 53 to disrupt DNS services Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address echo port port 7 Each of those addresses that have port 7 open will respond to the request generating a lot of traffic on the network For those that do not ...

Page 619: ...CMP router solicitation multicasts onto the network and routers must respond as defined in RFC 1122 By sending ICMP Router Solicitation packets ICMP type 9 on the network and listening for ICMP Router Discovery replies ICMP type 10 hackers can build a list of all of the routers that exist on a network segment Hackers often use this scan to locate routers that do not reply to ICMP echo requests Smu...

Page 620: ...so configure the connection rate and threshold of outstanding connections Optionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get established in a configurable interval the software intervenes and terminates the connection attempt TCP IP TTL Zero The TCP ...

Page 621: ... system TCP Header Fragment Enables the TCP Header Fragment denial of service check in the firewall Twinge The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes This can crash some Windows systems UDP Short Header Enables the UDP Short Header denial of service check in the firewall WINNUKE The WINNUKE DoS attack sends a large amount of data to UDP port 137 to c...

Page 622: ...e the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Broadcast Multicast and Unicast Interface Type Use the drop down menu to define the interface for which the Storm Control configuration is applied Only the specified interface uses the defined filtering criteria Options include Ethernet WLAN and Port Channel Interface Name Use the ...

Page 623: ...the Advanced Settings tab Use the Advanced Settings tab to enable disable the firewall define application layer gateway settings flow timeout configuration and TCP protocol checks Figure 8 3 Wireless Firewall screen Advanced Settings tab 14 Refer to the Firewall Status radio buttons to define the firewall as either Enabled or Disabled The firewall is enabled by default If disabling the firewall a ...

Page 624: ... to detect if the client is sending routed packets to the correct MAC address IPMAC Routing Conflict Logging Select enable logging for IPMAC Routing Conflict detection This feature is enabled by default and set to Warning IPMAC Routing Conflict Action Use the drop down menu to set the action taken when an attack is detected Options include Log Only Drop Only or Log and Drop The default setting is ...

Page 625: ... ports This feature is enabled by default Signalling Connection Control Part SCCP is a network protocol that provides routing flow control and error correction in telecommunication networks FaceTime ALG Select the check box to allow Apple s FaceTime video calling traffic through the firewall using its default port This feature is enabled by default Log Dropped ICMP Packets Use the drop down menu t...

Page 626: ...ault setting is 30 seconds Check TCP states where aSYNpackettearsdown the flow Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow The default setting is enabled Check unnecessary resends of TCP packets Select the check box to enable the checking of unnecessary resends of TCP packets The default setting is enabled Check S...

Page 627: ...ecimal digits separated by colons 23 Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet A flow is a sequence of packets from a particular source to a particular unicast or multicast destination The flow label helps keep packet streams from looking like one massive flow Flow label rewrites are disabled by default and must be manually enabled Flow label re writes enab...

Page 628: ...resses IPv6 MAC Routing Conflict Select to enable checking for IPv6 routing table next hop IPv6 address MAC address conflicts Option Strict Padding Select to enable strict checks for validating Pad1 and PadN options Option End Point Identification Select to enable end point identification This option is not enabled by default Option Network Service Access Point Select to enable Network Service Acc...

Page 629: ...ll Policy Advanced Settings Select Reset to revert to the last saved configuration The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left hand side of the access point user interface ...

Page 630: ...Pv6 traffic With either IPv4 or IPv6 create access rules for traffic entering an access point interface because if you are going to deny specific types of packets it is recommended you do it before the access point spends time processing them since access rules are processed before other types of firewall rules IPv6 addresses are composed of eight groups of four hexadecimal digits separated by col...

Page 631: ...ct an existing policy and select Edit to modify the attributes of the rule s configuration 5 Select the added row to expand it into configurable parameters for defining a new rule Figure 8 6 IP Firewall Rules screen Adding a new rule If adding a new rule enter a name up to 32 characters 6 Select Add to add a new firewall rule ...

Page 632: ...e of the screen and select IP filter values as needed to add criteria into the configuration of the IPv4 or IPv6 ACL Figure 8 8 WLAN Security IP Firewall Rules IP Firewall Rules Add Criteria screen Define the following parameters for the IP Firewall Rule NOTE Only those selected IP ACL filter attributes display Each value can have its current settings adjusted by selecting that IP ACL s column to ...

Page 633: ...anges are used in this ACL Protocol Set a service alias as a set of configurations consisting of protocol and port mappings Both source and destination ports are configurable Set an alphanumeric service alias beginning with a and include the protocol as relevant Network Service Alias The service alias is a set of configurations consisting of protocol and port mappings Both source and destination p...

Page 634: ...f ICMP specific options for ICMP type and code Many ICMP types have a corresponding code helpful for troubleshooting network issues 0 Net Unreachable 1 Host Unreachable 2 Protocol Unreachable etc Start VLAN Select a Start VLAN icon within a table row to set apply a start VLAN range for this IP ACL filter The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must a...

Page 635: ...be removed by highlighting them and selecting Delete Figure 8 10 IP SNMP ACL Add screen 4 Provide a new IP SNMP ACL a Name up to 32 characters in length to help distinguish this ACL from others with similar rules 5 Select Add Row to launch a sub screen where the ACL s permit deny and network type rules can be applied Allow Select this option to allow the SNMP MIB object traffic The default setting...

Page 636: ...rk access permissions 7 Select OK when completed to update the IP Firewall rules Select Reset to revert the screen back to its last saved configuration Type Define whether the permit or deny ACL rule applied to the ACL is specific to a Host IP address a Network address and subnet mask or is applied to Any The default setting is Network IP If Type is not any provide the IP address or host name in t...

Page 637: ...ork by limiting how and what these BYODs can access on and through the corporate network Device fingerprinting feature enables administrators to control how BYOD devices access the network and control their access permissions To configure device fingerprinting 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select Device Fingerprinting to display existing device fingerpr...

Page 638: ...dentities are included Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 12 Security Device Fingerprinting New Client Identity screen 5 Select Pre defined and use the drop down menu to select from a list of pre defined client identities Once a client identity is selected from the drop down menu the DHCP Match Cr...

Page 639: ...discover any and all Use this option to select the message type on which the fingerprint is matched request Indicates the fingerprint is only checked with any DHCP request message received from any device discover Indicates the fingerprint is only checked with any DHCP discover message received from any device any Indicates the fingerprint is checked with either the DHCP request or the DHCP discov...

Page 640: ...re in the DHCP discover messages Match Option The Match Option field contains the following options Option Codes This indicates that the Option Codes passed in the DHCP request discover message is used for matching Options are passed in the DHCP discover request messages as Option Code Option Type Option Value sets When Option Codes is selected all the Option Code passed in the DHCP discover reque...

Page 641: ...om a DHCP server The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices For example Apple devices have Match Type Use the drop down menu to select how the signatures are matched The available options are Exact The complete signature string completely matches the string specified in the Opti...

Page 642: ...e signatures used to identify clients and then use these signatures to classify and assign permissions to them Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 16 Security Device Fingerprinting Client Identity Group New Client Identity Group 13 Provide a name in the Name field for the new client identity and cl...

Page 643: ... Use the buttons next to the drop down to manage and create new Client Identity policies 16 Use the Precedence control to set the precedence for the Client Identity This index sets the sequence the client identity in this Client Identity Group is checked or matched 17 Click Ok to save changes Click Reset to revert all changes made to this screen Click Exit to close the Client Identity Group screen...

Page 644: ...re the result is a typical allow deny or mark designation to packet traffic To add or edit a MAC based Firewall Rule policy 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select MAC Firewall Rules to display existing MAC Firewall Rule policies Figure 8 18 MAC Firewall Rules screen 4 Select Add to create a new MAC Firewall Rule Select an existing policy and select Edit t...

Page 645: ... not to allow a packet to proceed to its destination Permit Instructs the firewall to allow a packet to proceed to its destination Source MAC Destination MAC Enter both Source MAC and Destination MAC addresses Access points use the source IP address destination MAC address as basic matching criteria Provide a subnet mask if using a mask Action The following actions are supported Log Events are log...

Page 646: ...he network once authenticated by the RADIUS server The VLAN ID can be from 1 4094 Traffic Class Select the option to enable filtering using Traffic Class Use the spinner control to specify a traffic class Traffic class can be from 1 10 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu...

Page 647: ...owing enterprise class security management features Threat Detection Threat detection is central to a wireless security solution Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network Rogue Detection and Segregation A WIPS supported network distinguishes itself by both identifying and categorizing nearby access points WIPS identifies threat...

Page 648: ...he following detection settings for this WIPS policy Enable Rogue AP Detection Select the check box to enable the detection of unsanctioned APs from this WIPS policy The default setting is disabled Wait Time to Determine AP Status Define a wait time in either Seconds 10 600 or Minutes 0 10 before a detected AP is interpreted as a rogue unsanctioned device and potentially removed The default interv...

Page 649: ...to remain selected to apply the WIPS configuration to the access point profile The Excessive tab displays by default with additional MU Anomaly and AP Anomaly tabs also available Air Termination Select this option to enable the termination of detected rogue AP devices Air termination lets you terminate the connection between your wireless LAN and any access point or client associated with it If th...

Page 650: ...ctions Events table to select and configure the action taken when events are triggered 11 Set the following Excessive Action Event configurations Name Displays the name of the excessive action event representing a potential threat to the network This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether ...

Page 651: ...tab MU Anomaly events are suspicious events by wireless clients that can compromise the security and stability of the network Use the MU Anomaly screen to set the intervals clients can be filtered upon the generation of each event Filter Expiration Set the duration an event generating client is filtered This creates a special ACL entry and frames coming from the client are dropped The default sett...

Page 652: ... the network This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against its threshold A red X defines the event as disabled and not...

Page 653: ...oint user interface 19 Select the WIPS Signatures tab Ensure the Activate Wireless IPS Policy option remains selected to enable the screen s configuration parameters A WIPS signature is the set or parameters or pattern used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them Name Displays the name of the excessive action event representing a potential t...

Page 654: ...ted A signature name cannot be modified as part of the edit process Signature Displays whether the signature is enabled A green checkmark defines the signature as enabled A red X defines the signature as disabled Each signature is disabled by default BSSID MAC Displays each BSS ID MAC address used for matching purposes Source MAC Displays each source packet MAC address for matching purposes Destin...

Page 655: ...dress used for matching and filtering with the signature Source MAC Define a source MAC address for the packet examined for matching filtering and potential device exclusion using the signature Destination MAC Set a destination MAC address for a packet examined for matching filtering and potential device exclusion using the signature Frame Type to Match Use the drop down menu to select a frame typ...

Page 656: ...ture 27 Select OK to save the updates to the WIPS Signature configuration Select Reset to revert to the last saved configuration The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Wireless Client Threshold Specify the threshold limit per client that when exceeded signals t...

Page 657: ...d jeopardizing the data managed by the access point and its connected clients Use the Device Categorization screen to apply neighboring and sanctioned approved filters on peer access points operating in this access point s radio coverage area Detected client MAC addresses can also be filtered based on their classification in this access point s coverage area To categorize access points and clients...

Page 658: ...ameters to add a device to a list of devices sanctioned for network operation Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification Use the drop down menu to designate the target device as either Sanctioned or Neighboring Device Type Use the drop down menu to designate the target device as either an access point or client MAC...

Page 659: ...ive WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy Since an organization s security goals vary the security policy should document site specific concerns The WIPS system can then be modified to support and enforce these additional security policies WIPS reporting tools can minimize dedicated administration time Vulnerability and activity ...

Page 660: ...8 46 WiNG 5 6 Access Point System Reference Guide ...

Page 661: ...authentication For more information refer to the following Configuring Captive Portal Policies Setting the DNS Whitelist Configuration Setting the DHCP Server Configuration Setting the Bonjour Gateway Configuration Setting the DHCPv6 Server Policy Setting the RADIUS Configuration Refer to Services Deployment Considerations on page 9 55 for tips on how to optimize the access point s configuration ...

Page 662: ...data encryption but it can be used with static WEP WPA PSK or WPA2 PSK encryption Each supported access point model can support up to 32 captive portal policies with the exception of AP6511 and AP6521 models which can only support 16 captive portal policies 9 1 1 Configuring a Captive Portal Policy Configuring Captive Portal Policies To configure a captive portal policy 1 Select Configuration tab ...

Page 663: ...ive portal internally while External centralized means the captive portal is being supported on an external server Hosting VLAN Interface When Centralized Server is selected as the Captive Portal Server Mode a VLAN is defined where the client can reach the controller 0 is the default value Connection Mode Lists each policy s connection mode as either HTTP or HTTPS Motorola Solutions recommends the...

Page 664: ...9 4 WiNG 5 6 Access Point System Reference Guide Figure 9 2 Captive Portal Policy screen Basic Configuration tab ...

Page 665: ... the controller 0 is the default value Captive Portal Server Set a numeric IP address non DNS hostname for the server validating guest user permissions for the captive portal policy This option is only available if hosting the captive portal on an External Centralized server resource Connection Mode Select either HTTP or HTTPS to define the connection medium Motorola Solutions recommends the use o...

Page 666: ...aracters Use the Add Row button to populate the whitelist table with Host and IP Index parameters that must be defined for each whitelist entry Terms and Conditions page Select this option with any access type to include terms that must be adhered to for captive portal access These terms are included in the Terms and Conditions page when No authentication required is selected as the access type ot...

Page 667: ...ormation for billing auditing and reporting user data such as captive portal start and stop times executed commands such as PPP number of packets and number of bytes Accounting enables wireless network administrators to track captive portal services users are consuming Enable RADIUS Accounting Select this option to use an external RADIUS resource for AAA accounting for the captive portal When the ...

Page 668: ...he Login page displays by default Syslog Host When syslog accounting is enabled use the drop down menu to determine whether an IP address or a host name is used as a syslog host The IP address or hostname of an external server resource is required to route captive portal syslog events to that destination Syslog Port When syslog accounting is enabled define the numerical syslog port to route traffi...

Page 669: ... page asserts the authentication attempt has failed and the user is not allowed access using this captive portal policy and must provide the correct login information again to access the Internet The No Service page asserts that the captive portal service is temporarily unavailable due to technical reasons Once the services become available the captive portal user is automatically re connected to ...

Page 670: ...or the users accessing each specific page In the case of the Terms and Conditions page the message can be the conditions requiring agreement before guest access is permitted Footer Text Provide a footer message displayed on the bottom of each page The footer text should be any concluding message unique to each page before accessing the next page in the succession of captive portal Web pages Main L...

Page 671: ...access is provided Welcome URL Define the complete URL for the location of the Welcome page The Welcome page asserts the user has logged in successfully and can access resources via the captive portal Fail URL Define the complete URL for the location of the Fail page The Fail page asserts authentication attempt has failed and the client cannot access the captive portal and the client needs to prov...

Page 672: ... The access point maintains its own set of Advanced Web pages for custom captive portal creation Refer to Operations Devices File Transfers and use the Source and Target fields to move captive portal pages as needed to managed devices that may be displaying and hosting captive portal connections Select the Web Page Auto Upload check box to enable automatic upload of captive portal Web pages For mo...

Page 673: ...Services 3 Select DNS Whitelist The DNS Whitelist screen displays those existing whitelists available to a captive portal 4 Select Add to create a whitelist Edit to modify a selected whitelist or Delete to remove a whitelist a If creating a whitelist assign it a name up to 32 characters Use the Add Row button to populate the whitelist table with Host and IP Index parameters that must be defined fo...

Page 674: ...to each pool Each class in a pool is assigned an exclusive range of IP addresses DHCP clients are compared against classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a si...

Page 675: ...solete it can be deleted Subnet Displays the network address and mask used by clients requesting DHCP resources Domain Name Displays the domain name used with this network pool Hostnames are not case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Boot File Boot file...

Page 676: ...used for DHCP discovery and requests between the DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Select Alias to use a network alias with the subnet configuration For more information see Alias on page 7 34 Domain Name Provide the domain name used with this ...

Page 677: ...t to revert to the last saved configuration 10 Select the Static Bindings tab from within the DHCP Pools screen A binding is a collection of configuration parameters including an IP address associated with or bound to a DHCP client Bindings are managed by DHCP servers DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses Static bindings provi...

Page 678: ...c binding configuration Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type Value Lists the hardware address or client identifier value assigned to the client when added or last modified IP Address Di...

Page 679: ...e a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Select Alias to use a string alias with the domain name configuration For more information see Alias on page 7 34 Boot File Enter the name of the boot fi...

Page 680: ...elect Alias to use a network alias with the DNS server configuration For more information see Alias on page 7 34 Within the Network field define one or more Default Routers to resolve routes to other parts of the network Up to 8 IP addresses can be provided for Default Routers Select Alias to use a network alias with the default routers configuration For more information see Alias on page 7 34 20 ...

Page 681: ... Next Server configuration For more information see Alias on page 7 34 Enable Unicast Unicast packets are sent from one location to another location there s just one sender and one receiver Select this option to forward unicast messages to just a single device within the network pool This setting is disabled by default NetBIOS Node Type Set the NetBIOS Node Type used with this pool The following t...

Page 682: ...t destination and gateways 26 Select the Add Row button to add individual options for Destination and Gateway addresses 27 Select OK to save the updates to the DHCP pool s Advanced settings Select Reset to revert the screen back to its last saved configuration 9 3 2 Defining DHCP Server Global Settings Setting the DHCP Server Configuration Setting a DHCP server global configuration entails definin...

Page 683: ...ria Select the Criteria option to invoke a drop down menu to determine when the DHCP daemon is invoked Options include vrrp master cluster master and rf domain manager A VRRP master responds to ARP requests forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address rejects packets addressed to the IP associated with the virtual router and accepts packe...

Page 684: ...CP enabled wireless clients based on user class option names Clients with a defined set of user class option names are identified by their user class name The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addr...

Page 685: ...Services Configuration 9 25 Figure 9 14 DHCP Server Policy screen Class Policy tab 2 Select Add to create a new DHCP class policy Edit to update an existing policy or Delete to remove an existing policy ...

Page 686: ...ning an internal DHCP server configuration refer to the following deployment guidelines to ensure the configuration is optimally effective Motorola Solutions DHCP option 189 is required when AP650 access points are deployed over a layer 3 network and require layer 3 adoption DHCP services are not required for AP650 access points connected to a VLAN that s local to the controller or service platfor...

Page 687: ...s and file sharing servers can be found using Bonjour Bonjour only works within a single broadcast domain However with special DNS configuration it can be extended to find services across broadcast domains The following options can be configured Configuring the Bonjour Discovery Policy Configuring the Bonjour Forwarding Policy 9 4 1 Configuring the Bonjour Discovery Policy Setting the Bonjour Gate...

Page 688: ...he configured Bonjour discovery policies 5 Select an existing policy and click Edit to edit it To add a new policy select Add Figure 9 17 Bonjour Discovery Policy Add Edit Policy screen 6 Select the Add Row button to add a rule to the Bonjour Discovery Policy These are the services which can be discovered by the Bonjour Gateway ...

Page 689: ...very Policy information 1 Select Configuration 2 Select Services 3 Select Bonjour Gateway to expand its submenu 4 Select Forwarding Policy Service Name Configures the service that can be discovered by the Bonjour Gateway Predefined Use the drop down menu to select from a list of predefined Apple services Alias Use an existing alias to define a service that is not available in the predefined list V...

Page 690: ...18 Bonjour Gateway Forwarding Policy screen This screen displays the name of the configured Bonjour forwarding policies 5 Select an existing policy and click Edit to edit it To add a new policy select Add Figure 9 19 Bonjour Gateway Forwarding Policy Add screen ...

Page 691: ...ve the updates to this DHCP class policy Select Reset to revert to the last saved configuration From VLANs From VLANs are VLANs where the Apple services are available Enter a VLAN ID or a range of VLANs Aliases can also be used To VLANs To VLANs are VLANs where clients for the services are available Enter a VLAN ID or a range of VLANs Aliases can also be used Rule ID Use the spinner to set a uniqu...

Page 692: ... is connected Assigned addresses can be from one or multiple pools Additional options such as the default domain and DNS name server address can be passed back to the client Address pools can be assigned for use on a specific interface or on multiple interfaces or the server can automatically find the appropriate pool To access and review the local DHCPv6 server configuration 1 Select Configuratio...

Page 693: ... default gateway domain name DNS server and WINS server configuration An option exists to identify the vendor and functionality of a DHCPv6 client The information is a variable length string of characters or octets with a meaning specified by the vendor of the DHCPv6 client To set DHCPv6 options 1 Select Configuration 2 Select Services 3 Select DHCPv6 Server Policy Select Add to create a new polic...

Page 694: ...olling the assignment of the parameters to requesting clients from the pool To create a DHCPv6 pool configuration 1 Select Configuration 2 Select Services Name Enter a name to associate with the new DHCP option This name should describe the new option s function Code Use the spinner control to specify a DHCP option code from 0 254 for the option Only one code for each DHCPv6 option of the same val...

Page 695: ...lons DNS Server Displays the address of the DNS server resource utilized with the DHCPv6 pool Domain Name Displays the hostname of the domain associated with the DHCPv6 pool Network Displays the IPv6 formatted address and mask utilized with the DHCPv6 address pool The address can be configured in the add or edit screen Refresh Time Displays the time in seconds between refreshes of the DHCPv6 addre...

Page 696: ... formatted address and mask associated with the DHCPv6 pool Refresh Time Use the spinner control to set the time in seconds between refreshes of the DHCPv6 address pool The refresh time can be set from 600 4 294 967 295 seconds SIP Domain Name Configure the domain name or domain names associated with the Session Initiation Protocol SIP servers used to prioritize voice and video traffic on a networ...

Page 697: ...he changes Select Reset to revert to the last saved configuration Name Use the drop down menu to select an existing DHCP option name from the existing options configured in DHCPv6 Options If no suitable option is available click the create button to define a new option Value Enter or modify the numeric ID setting for the selected DHCP option ...

Page 698: ...ser based policies User policies include dynamic VLAN assignment and access based on time of day The access point uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS RADIUS authentication configured with the RADIUS service Dynamic VLAN assignment is achieved based on the RADIUS server response A user who associates to WLAN1 mapped to VLAN1 can be assigned a different VLAN...

Page 699: ...he group name or identifier assigned to each listed group when it was created The name cannot exceed 32 characters or be modified as part of the group s edit process Guest User Group Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each group A red X designates the group as having permane...

Page 700: ...ss helpdesk Helpdesk support access network admin Wired and wireless access security admin Grants full read write access system admin System administrator access VLAN Displays the VLAN ID used by the group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the access point managed network once authenticated by the local RADIUS server Time Start S...

Page 701: ...ntly remove a selected group Figure 9 25 RADIUS Group Policy Add screen 5 Define the following Settings to define the user group configuration RADIUS Group Policy If creating a new RADIUS group assign it a name to help differentiate it from others with similar configurations The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process Guest User Group Select this opti...

Page 702: ...members of the group using the Access drop down menu allowing varying levels of administrative rights This feature is disabled by default Access If a group is listed as a management group assign how the devices can be accessed Available access types are Web Web access through browser is permitted SSH SSH access through command line is permitted Telnet Telnet access through command line is permitte...

Page 703: ...temporary or permanent A pool can contain a single user or group of users To configure a RADIUS user pool and unique user IDs 1 Select Configuration tab from the Web user interface 2 Select Services 3 Expand the RADIUS menu option and select User Pools Figure 9 26 RADIUS User Pool screen 4 Select Add to create a new user pool Edit to modify the configuration of an existing pool or Delete to remove...

Page 704: ... guest access can be set uniquely for each user A red X designates the user as having permanent access to the local RADIUS server Group Displays the group name each configured user ID is a member Email Id Displays the configured E mail ID for this user This is the address used when communicating with users in this pool Telephone Displays the configured telephone number for this user This is the nu...

Page 705: ...e time is only relevant to the range defined by the start and expiry date Access Duration Lists the total duration of allowed access for guest users Upto 356 days can be configured User Id Assign a unique alphanumeric string identifying this user The ID cannot exceed 64 characters Password Provide a password unique to this user The password cannot exceed 32 characters Select the Show check box to ...

Page 706: ...ion of a single RADIUS server policy is supported To manage the access point s RADIUS server policy 1 Select Configuration tab from the Web user interface 2 Select Services 3 Expand the RADIUS menu option and select RADIUS Server Group If the user has been defined as a guest use the Group drop down menu to assign the user a group with temporary access privileges If the user is defined as a permane...

Page 707: ... during which the access point will not contact its LDAP server resource A dead period is only implemented when additional LDAP servers are configured and available LDAP Groups Use the drop down menu to select LDAP groups to apply the server policy configuration Select the Create or Edit icons as needed to either create a new group or modify an existing group Use the arrow icons to add and remove ...

Page 708: ...ner to select the precedence for selection of fallback Authentication Type Use the drop down menu to select the EAP authentication scheme for local and LDAP authentication The following EAP authentication types are supported All Enables all authentication schemes TLS Uses TLS as the EAP type TTLS and MD5 The EAP type is TTLS with default authentication using MD5 TTLS and PAP The EAP type is TTLS w...

Page 709: ...he user is authenticated If the client receives a verified access reject message the username and password are considered incorrect and the user is not authenticated Username Enter a128 character maximum username for the LDAP server s domain administrator This is the username defined on the LDAP server for RADIUS authentication requests Password Enter and confirm the 32 character maximum password ...

Page 710: ...he last saved configuration 16 Select the Proxy tab and ensure the Activate RADIUS Server Policy button remains selected A user s access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources The proxy server checks the information in the user access request and either accepts or rejects the request If the proxy server accepts the request it returns configuration...

Page 711: ...oint s RADIUS server receives a request for a user name the server references a table of realms If the realm is known the server proxies the request to the RADIUS server 21 Enter the Proxy server s IP Address This is the address of server checking the information in the user access request The proxy server either accepts or rejects the request on behalf of the RADIUS server 22 Enter the TCP IP Por...

Page 712: ...orize users based on complex checks and logic There s no way to perform such complex authorization checks from a LDAP user database alone Figure 9 32 RADIUS Server Policy screen LDAP tab 27 Refer to the following to determine whether an LDAP server can be used as is a server configuration requires creation or modification or a configuration requires deletion 28 Select Add to add a new LDAP server ...

Page 713: ...rver acting as the data source for the RADIUS server Login Define a unique login name used for accessing the remote LDAP server resource Consider using a unique login name for each LDAP server to increase the security of the connection between the access point and remote LDAP resource Port Use the spinner control to set the physical port used by the RADIUS server to secure a connection with the re...

Page 714: ...d password for the LDAP server Select the Show check box to expose the password s actual character string Leave the option unselected to display the password as a string of asterisks The password cannot 32 characters Password Attribute Enter the LDAP server password attribute The password cannot exceed 64 characters Group Attribute LDAP systems have the facility to poll dynamic groups In an LDAP d...

Page 715: ...nt shared secret password If a shared secret is compromised only the one client poses a risk as opposed all the additional clients that potentially share that secret password Consider using an LDAP server as a database of user credentials that can be used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location Designating at least one second...

Page 716: ...9 56 WiNG 5 6 Access Point System Reference Guide ...

Page 717: ...y reduce an attack footprint and free resources too To set Management Access administrative rights access control permissions authentication refer to the following Creating Administrators and Roles Setting the Access Control Configuration Setting the Authentication Configuration Setting the SNMP Configuration SNMP Trap Configuration Refer to Management Access Deployment Considerations on page 10 1...

Page 718: ...Management from the top menu 3 Select Administrators The Administrators screen displays by default Figure 10 1 Management Policy Administrators screen 4 Refer to the following to review existing administrators User Name Displays the name assigned to the administrator upon creation The name cannot be modified when editing an administrator s configuration Access Type Lists the Web UI Telnet SSH or C...

Page 719: ...or the user s unique permissions If required all four options can be selected and invoked simultaneously 9 Select an Administrator Role Only one role can be assigned Web UI Select this option to enable access to the access point s Web UI Telnet Select this option to enable access to the access point using TELNET SSH Select this option to enable access to the access point using SSH Console Select t...

Page 720: ...ption to assign permissions without administrative rights The Monitor option provides read only permissions Help Desk Assign this option to someone who typically troubleshoots and debugs reported problems The Help Desk manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the access point Web User Select this option to assign pri...

Page 721: ...tion as an ACL in routers or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better security than others and are more desirable To set user access control configurations 1 Select Configuration 2 Select Management 3 Select Access Control from the list of Management Policy options in the upper lef...

Page 722: ...ice access HTTP provides limited authentication and no encryption Enable HTTPS Select the check box to enable HTTPS device access HTTPS Hypertext Transfer Protocol Secure is more secure than plain HTTP HTTPS provides both authentication and data encryption as opposed to just authentication NOTE If an AP6511 or AP6521 s external RADIUS server is not reachable HTTPS or SSH management access to the a...

Page 723: ...e a new one IP based firewalls function like Access Control Lists ACLs to filter mark packets based on the IP from which they arrive as opposed to filtering packets on layer 2 ports IP firewalls implement uniquely defined access control policies so if you do not have an idea of what kind of access to allow or deny a firewall is of little value and could provide a false sense of network security So...

Page 724: ...ource will need to interoperate with a RADIUS and LDAP Server AAA Servers to provide user database information and user authentication data If there is no AAA policy suiting your RADIUS authentication requirements either select the Create icon to define a new AAA policy or select an existing policy from the drop down menu and select the Edit icon to update its configuration For more information on...

Page 725: ...ate the configuration Select Reset to revert to the last saved configuration Authentication Select to enable TACACS authentication on login Accounting Select to enable TACACS accounting on login Fallback Select to enable fallback to use local authentication if TACACS authentication fails Authorization Select to enable TACACS authorization on login Authorization Fallback Select to enable fallback o...

Page 726: ...entication mechanism to monitor and configure supported devices The read only community string is used to gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to monitor a system s performance and other parameters To define SNMP management values 1 Select ...

Page 727: ... supports the concurrent use of different security access control and message processing techniques SNMPv3 is enabled by default Community Define a public or private community designation By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Access Control Set the access permission for each community...

Page 728: ...te destination 1 Select Configuration Management 2 Select SNMP Traps from the list of Management Policy options in the upper left hand side of the UI Figure 10 6 Management Policy screen SNMP Traps tab 3 Select the Enable Trap Generation check box to enable trap creation using the trap receiver configuration defined in the lower portion of the screen This feature is disabled by default 4 Refer to ...

Page 729: ...services like HTTPS SSH and SNMPv3 should be used when possible as they provide both data privacy and authentication By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Legacy Motorola Solutions devices may use other community strings by default Motorola Solutions recommends SNMPv3 be used for devi...

Page 730: ...10 14 WiNG 5 6 Access Point System Reference Guide ...

Page 731: ...e Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail Numerous tools are available within the Diagnostics menu Some allow event filtering some enable log views and some allow you to manage files generated when hardware or software issues are detected Diagnostic capabilities include Fault Management Crash Files Advanced ...

Page 732: ... By default all events are enabled and an administrator has to turn off events if they don t require tracking Figure 11 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing events Events can be filtered based on severity module received source MAC of the event device MAC of the event and MAC address of the wireless client 3 Define the following Custom...

Page 733: ...creen 7 Refer to the following event parameters to assess nature and severity of the displayed event Module Select the module from which events are tracked When a single module is selected events from other modules are not tracked Remember this when interested in events generated by a particular module Individual modules can be selected such as TEST LOG FSM etc or all modules can be tracked by sel...

Page 734: ...ld to filter events to display To filter messages further select a RF Domain from the Filter by RF Domain field 11 In the Access Point s tab select the RF Domain from the Select a RF Domain field to filter events to display To filter messages further select a device from the Filter by Device field Module Displays the module used to track the event Events detected by other modules are not tracked M...

Page 735: ...e not tracked Message Displays error or status message for each event Severity Displays event severity as defined for tracking from the Configuration screen Severity options include All Severities All events are displayed regardless of severity Critical Only critical events are display Error Only errors display Warning Only warnings display Informational Only informational events display no critic...

Page 736: ...rom those displayed in the lower left hand side of the UI Figure 11 4 Crash Files screen The screen displays the following for each reported crash file 4 Select a listed crash file and select the Copy button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button File Name Displays t...

Page 737: ...enu UI Debugging View UI Logs View Sessions 11 3 1 UI Debugging Advanced Use the UI Debugging screen to view debugging information for a selected device To review device debugging information 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options By default NETCONF Viewer is selected Once a target ID is selected its debugging information displays within the NETCONF Viewer ...

Page 738: ...ges area 11 3 2 View UI Logs Advanced Use the View UI Logs screen to view the log messages generated by the device Logs are classified as Flex Logs and Error Logs These logs provide a real time look into the state of the device and provide useful information for debugging and trouble shooting issues To display the logs 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options...

Page 739: ...een displays a list of all sessions associated with this device A session is created when a user name password combination is used to access the device to interact with it for any purpose Use the following to view a list of sessions associated with this device 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View Sessions menu item to display the users s...

Page 740: ...re session then select Delete Cookie Displays the number of cookies created by this session From Displays the IP address of the device process initiating this session Role Displays the role assigned to the user name as displayed in the User column Start Time Displays the start time of this session This is the time at which the user successfully created this session User Displays the user name of t...

Page 741: ...n to other managed devices Self Monitoring At Run Time RF Management Smart RF is a Motorola Solutions innovation designed to simplify RF configurations for new deployments while over time providing on going deployment optimization and radio performance improvements The Smart RF functionality scans the RF network to determine the best channel and transmit power for each managed access point radio F...

Page 742: ...ging Firmware and Configuration Files Rebooting the Device Locating a Device Upgrading Device Firmware Viewing Device Summary Information Adopted Device Upgrades File Management Adopted Device Restart Captive Portal Pages Re elect Controller These tasks can be performed on individual access points and wireless clients 12 1 1 Managing Firmware and Configuration Files Devices Firmware and configurat...

Page 743: ...guration see Managing Running Configuration on page 12 3 Show Startup Config Select this option to display the startup configuration of the selected device The startup configuration is displayed in a separate window Select Execute to perform the function For more information on viewing and managing the startup configuration see Managing Startup Configuration on page 12 6 Reload Select this option ...

Page 744: ... 12 3 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 4 Device Browser Options for a device 3 Select Show Running Config to display the Running Configuration window ...

Page 745: ... Refer to the following to configure the export parameters Protocol Select the protocol used for exporting the running configuration Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting the running configuration This option is not valid for cf usb1 usb2 usb3 and usb4 ...

Page 746: ...d device Host Enter IP address or the hostname of the server used to export the running configuration to This option is not valid for local cf usb1 usb2 usb3 and usb4 Path File Specify the path to the folder to export the running configuration to Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server This field is only a...

Page 747: ...Operations 12 7 Figure 12 7 Device Browser Options for a device 3 Select Show Startup Config to display the Startup Configuration window Figure 12 8 Operations Manage Startup Configuration ...

Page 748: ...e value to define the port used by the protocol for exporting or importing the startup configuration This option is not valid for cf usb1 usb2 usb3 and usb4 Host Enter IP address or the hostname of the server used to export or import the startup configuration to This option is not valid for local cf usb1 usb2 usb3 and usb4 Use the drop down to select the type of host information Host can be one of...

Page 749: ...2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 10 Device Browser Options for a device 3 To reboot the device select the Reload item Figure 12 11 Device Reload screen ...

Page 750: ...the CA server it is saved on the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manually created trustpoint for one service like HTTPs and use the CMP generated trustpoint for RADIUS EAP certificate based authentication Use the Crypto CMP Certificate menu item to manage these certif...

Page 751: ...hand side of the UI 2 Select the down arrow next to the device to view a set of operations that can b performed on the selected device Hostname Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server MAC Address Lists the hardware encoded MAC address of the CMP server resource Trust Point Name Lists the 32 character maximum name assigne...

Page 752: ...ollowing information to accurately define the location of the target device s firmware file Protocol Select the protocol used for updating the firmware Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 local Port Use the spinner control or manually enter the value to define the port used by the protocol for importing the firmware upgrade file This option is not valid for local cf...

Page 753: ...Crash Dump Files Troubleshooting the Device Crash files are generated when the device encounters a critical error that impairs the performance of the device When a critical error arises information about the state of the device at that moment is written to a text file This file is used by Motorola Solutions Support Center to debug the issue and provide a solution to correct the error condition Hos...

Page 754: ...16 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 17 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 18 Device Browser Options for a device Troubleshooting sub menu 4 Select Clear Crash Info to display the Clear Crash Info window ...

Page 755: ...delete the selected crash info file File Name Displays the full path to the crash file Size Displays the size of the crash information file in kilobytes Last Modified Displays the timestamp the crash information file was modified last Action Displays icons for the actions that can be performed on the selected crash information file Use the icon to delete the selected crash info file Use the Copy i...

Page 756: ...ovide a solution to correct the error condition Use the Copy Crash Info screen to copy the crash files to a remote device using ftp or tftp To use the Copy Crash Info screen 1 Select a target device from the left hand side of the UI Figure 12 20 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 21 Device Bro...

Page 757: ...to select it Host IP Use this field to provide the hostname or the IP address of the FTP server User Use this field to provide the user credentials to authenticate on the FTP server Password Use this field to provide the authentication password for the user credentials provided in the User field Path Optional Optionally provide the complete path to the directory on the FTP server where the crash f...

Page 758: ...To retrieve the Tech Support Dump files do the following 1 Select a target device from the left hand side of the UI Figure 12 24 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 25 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 26 Device Browser Options for a d...

Page 759: ...stname or the IP address of the FTP server User Use this field to provide the user credentials to authenticate on the FTP server Password Use this field to provide the authentication password for the user credentials provided in the User field Path Optional Optionally provide the complete path to the directory on the FTP server where the Tech Support Dump file is to be placed Target This is the pr...

Page 760: ...to be identified amongst all other deployed devices To locate a device 1 Select the target device from the left hand side of the UI Figure 12 28 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 29 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 30 Device Browser...

Page 761: ...ick Close to close this window 12 1 5 5 Debugging Wireless Clients Troubleshooting the Device Use the Debug Wireless Clients screen to assess whether a connection to a wireless client is proper and is working as intended To view the Debug Wireless Clients screen 1 Select the target device from the left hand side of the UI Figure 12 32 Device Browser 2 Select the down arrow next to the device to vi...

Page 762: ...reen or File When File is selected the captured debug events are stored on a file and then saved to a remote location using either the FTP or TFTP protocols Use the screen to provide the appropriate information to save the file on the remote server 6 When in the RF Domain context use the Edit Devices List to select the device to view the debug information for 7 Refer to the following Select Debug ...

Page 763: ...d are 802 11 Management Displays all 802 11 management debug messages EAP Displays all debug messages related to EAP Flow Migration Displays all debug messages related to flow migration RADIUS Displays all debug messages related to RADIUS server System Internal Displays all debug messages related to system internals WPA WPA2 Displays all debug messages related to WPA WPA2 All Wireless Clients Sele...

Page 764: ...de Figure 12 37 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 38 Device Browser Options for a device Troubleshooting sub menu 4 Select Packet Capture NOTE The maximum packet capture data limit is 15 MB ...

Page 765: ...lect this to enable capture of packets traversing an ethernet bridge Dropped Select this to enable to capture dropped packets Interface Select this to enable capture packets on specific interfaces The interfaces can be select from the drop down list Select the interface number from the spinner control Use the Packet Direction drop down to configure the direction the packet traverses On a Radio 802...

Page 766: ...ased on the IP address of a device IP Protocol Select this to enable filtering the capture packets on specific protocols The protocols can be select from the drop down list The default protocol is TCP Port Select this option to enable filtering capture packets on specific ports Use the spinner to set the port number The default port number is 1 NOTE When displaying the Summary screen at the RF Dom...

Page 767: ...e date the Primary and Secondary firmware image was built for the selected device Install Date Displays the date the firmware was installed on the access point Fallback Lists whether fallback is currently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render t...

Page 768: ... on the left to navigate to the device to manage the firmware and configuration files on and select it Figure 12 41 Device Summary screen 4 Select Adopted Device Upgrade tab NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode and cannot be initiated by Standalone APs Additionally upgrades can only be performed on access points of the same model as the Virtual Cont...

Page 769: ...sfer pro tocol Device Type List Select the access point model to specify which model is available to upgrade by the Virtual Controller AP Upgrades can only be made to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed Scheduled Upgrade Time To perform the upg...

Page 770: ...m being rebooted This ensures that the access point remains in operation with its current firmware This option is useful to ensure the access point remains operational until ready to take it offline for the required reboot Staggered Reboot Select this option to do a staggered rebooting of upgraded access points When selected upgraded access points are not rebooted simultaneously bringing down the ...

Page 771: ...de to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed URL Enter a URL pointing to the location of the image file Advanced Basic Select Advanced to list additional options for the image file location including protocol host and path Additional options displ...

Page 772: ...er Protocol A hostname or IP address is required Port and path are optional cf Select this option to specify a file location on a Compact Flash card installed on the device This option might not be available on all devices usb1 usb2 usb3 usb4 Select this option to specify the file location on one of the USB 1 USB 2 USB 3 or USB 4 ports of the device This option might not be available on all device...

Page 773: ...raded Lists the number of devices waiting to receive a firmware image from their provisioning access point Each device can have its own upgrade time defined so the upgrade queue could be staggered Number of devices waiting in queue to be rebooted Lists the number of devices waiting to reboot before actively utilizing its upgraded image The Device Upgrade List list allows an administrator to disabl...

Page 774: ... for a reboot etc Upgrade Time Displays whether the upgrade is immediate or set by an administrator for a specific time This is helpful to ensure a sufficient number of devices remain in service at any given time Reboot Time Displays whether a reboot is immediate or time set by an administrator for a specific time Reboots render the device offline so planning reboots carefully is central to ensuri...

Page 775: ...Downloading Updating Scheduled Reboot Rebooting Done Cancelled Done No Reboot Time Displays the time when the device was upgraded Retries Displays the number of retries if any during the upgrade If this number is more than a few the upgrade configuration should be revisited Upgraded By Displays the hostname of the device that upgraded this device Last Status Displays the time of the last status up...

Page 776: ...12 36 WiNG 5 6 Access Point System Reference Guide Figure 12 46 Device Summary screen 4 Click File Management ...

Page 777: ... screen 5 The pane on the left of the screen displays the directory tree for the selected device Use this tree to navigate around the device s directory structure When a directory is selected all files in that directory is listed in the pane on the right ...

Page 778: ...te the new folder Click the Refresh button to refresh the view in the screen 8 To delete a folder select the folder in the directory tree on the left Click Delete Folder button The following popup displays Figure 12 49 Devices File Management Delete Confirmation screen File Name Displays the name of the file Size Kb Displays the size of the file in kilobytes Last Modified Displays the timestamp fo...

Page 779: ...en the device and a remote location The transfer can be done as follows From remote server to the device From device to remote server From a location on the device to another location on the same device 10 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity Source Select Server to indicate the source of the f...

Page 780: ...is option is not valid for cf usb1 usb2 usb3 and usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file This parameter is required only when Server is selected as the Source User Name If Advanced is selec...

Page 781: ... this AP To view the Adopted Device Restart screen 1 Select Operations from the main menu 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Figure 12 51 Device Summary screen 4 Select Adopted Device Restart NOTE The Adopted Device Restart tab is not available at the RF Domain level of the UI s hierarchal tree A RF Domain must be s...

Page 782: ...ireless network Once logged into the captive portal additional Terms and Conditions Welcome and Fail pages provide the administrator with a number of options on screen flow and appearance Captive portal authentication is used primarily for guest or visitor access to the network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable opt...

Page 783: ...ce Summary screen 4 Select Captive Portal Pages NOTE If selecting the Captive Portal Pages screen from the RF Domain level of the UI s hierarchal tree there s an additional Upload from Controller option to the right of the Captive Portal List drop down menu Select this option to upload captive portal page support from this device s managing controller ...

Page 784: ...ect Now option to immediately start the process of the update Use the date hour fields to configure a specific date and time for upload 7 The All Devices table lists the hostname and MAC address of all devices adopted by this access point Use the arrow buttons to move selected devices from the All Devices table to the Upload List table The Upload List table lists the devices to which the captive p...

Page 785: ...meters of the required file transfer activity Protocol If Advanced is selected choose the protocol for file management Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 This parameter is required only when Server is selected as the Source and Advanced is selected Port If Advanced is selected specify the port for transferring files This option is not available for cf usb1 usb2 usb...

Page 786: ... required Hostname If needed specify a Hostname of the server transferring the file This option is not valid for cf usb1 usb2 usb3 and usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file User Name If A...

Page 787: ...to expire The CMP client on the controller service platform or access point triggers a request for the configured CMS CA server Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manually created trust...

Page 788: ...not display at either the system or device levels of the hierarchal tree 3 Select the Re elect Controller tab Hostname Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server MAC Address Lists the hardware encoded MAC address of the CMP server resource Trust Point Name Lists the 32 character maximum name assigned to the target trustpoin...

Page 789: ...anager candidacy Use the button to move all listed access points into the Selected APs table The re election process can be achieved through the selection of an individual access point or through the selection of several access points with a specific Tunnel Controller Name matching the selected access points 5 Select Re elect to designate the Selected AP s as resources capable of tunnel establishm...

Page 790: ...point represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication can be used by a client to a...

Page 791: ...rustpoints screen The Trustpoints screen displays for the selected MAC address 3 Refer to the Certificate Details to review certificate properties self signed credentials validity period and CA information 4 Select the Import button to import a certificate ...

Page 792: ...12 52 WiNG 5 6 Access Point System Reference Guide Figure 12 60 Certificate Management Import New Trustpoint screen ...

Page 793: ...e Trustpoint from a location on the network To do so select From Network and provide the following information Import Select the type of Trustpoint to import The following Trustpoints can be imported Import Select to import any trustpoint Import CA Select to import a Certificate Authority CA certificate on to the access point Import CRL Select to import a Certificate Revocation List CRL CRLs are u...

Page 794: ...ort it in to an Active Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there s more than one RADIUS authentication server export the certificate and don t generate a second key unless you want to deploy two root certificates Figure 12 61 Certificate Management Export T...

Page 795: ...nal keys or import export keys to and from remote locations Trustpoint Name Enter the 32 character maximum name assigned to the target trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual URL Provide the complete URL to the location of the trustpoint If needed select Advanced to expand the dialog to display network address information to the lo...

Page 796: ...2 62 Certificate Management RSA Keys screen Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select Generate Key to create a new key with a defined size ...

Page 797: ...y import a RSA Key select the Import button from the RSA Keys screen Figure 12 64 Certificate Management Import New RSA Key screen Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality ...

Page 798: ... option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the RSA key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is dependent on the selected protocol Protocol Select the protocol used for importing the targe...

Page 799: ...option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is also dependent on the selected protocol Protocol Select the protocol used for exporting the RSA k...

Page 800: ...es do not use public or private CAs A self signed certificate is a certificate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate that can be applied to a device 1 Select Operations 2 Select Certificates 3 Select Create Certificate IP Address If using Advanced settings enter IP address of the server used to export the RSA key T...

Page 801: ...name used to identify the RSA key Use the spinner control to set the size of the key between 1 024 2 048 bits Motorola Solutions recommends leaving this value at the default setting of 1024 to ensure optimum functionality For more information on creating a new RSA key see RSA Key Management on page 12 55 RSA Key Use Existing Select the radio button and use the drop down menu to select the existing...

Page 802: ...nd the certificate authority maintains the right to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operations 2 Select Certificates 3 Select Create CSR State ST Enter a State Prov for the state or province name used in the certificate This is a required field...

Page 803: ...mends leaving this value at the default setting of 1024 to ensure optimum functionality For more information see RSA Key Management on page 12 55 Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user defined to manually enter the credentials of the self signed certificate The default setting is auto genera...

Page 804: ...r the organizational unit issuing the certificate enter it here Email Address Provide an E mail address used as the contact address for issues relating to this CSR Domain Name Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy absolutely To distinguish an FQDN from a regular domain name a trailing period is added ex s...

Page 805: ...as the basis to conduct Smart RF calibration operations 12 3 1 Managing Smart RF for a RF Domain Smart RF When calibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a RF map of the neighboring radi...

Page 806: ...he table to determine whether a new channel assignment was warranted to compensate for a coverage hole Channel Lists the current channel assignment for each listed access point as potentially updated by an Interactive Calibration Use this data to determine whether a channel assignment was modified as part of an Interactive Calibration If a revision was made to the channel assignment a coverage hol...

Page 807: ...alibration has calculated Write Writes the new channel and power values to the radios under their respective device configurations Discard Discards the results of the Interactive Calibration without applying them to their respective devices Commit Commits the Smart RF module Interactive Calibration results to their respective access point radios 6 Select the Run Calibration option to initiate a ca...

Page 808: ...ng to the latest firmware version for full functionality and utilization An access point must be rebooted to implement a firmware upgrade Take advantage of the reboot scheduling mechanisms available to the access point to ensure its continuously available during anticipated periods of heavy wireless traffic utilization Within a well planned RF Domain any associated radio should be reachable by at ...

Page 809: ...eless clients associations adopted AP information rogue APs and WLANs Access point statistics can be exclusively displayed to validate connected access points their VLAN assignments and their current authentication and encryption schemes Wireless client statistics are available for an overview of client health Wireless client statistics includes RF quality traffic utilization and user details Use ...

Page 810: ...Adopted Devices Pending Adoptions Offline Devices Device Upgrade Licenses WIPS Summary 13 1 1 Health System Statistics The Health screen displays the overall performance of the managed network system This includes device availability overall RF quality resource utilization and network threat perception To display the health of the network 1 Select the Statistics menu from the Web UI 2 Select the S...

Page 811: ...ffline devices 6 The Traffic Utilization table displays the top 5 RF Domains with the most effective resource utilization Utilization is dependent on the number of devices connected to the RF Domain 7 The Device Types table displays the kinds of devices detected within the system Each device type displays the number currently online and offline Top 5 Displays the top 5 RF Domains in terms of usage...

Page 812: ...tory screen displays information about the physical hardware managed within the system by its members Use this information to assess the overall performance of wireless devices To display the inventory statistics 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select Inventory from the left hand side of the UI Worst 5 Displays five RF Domains w...

Page 813: ...n terms of the number of wireless clients adopted 7 Select Refresh to update the statistics counters to their latest values 13 1 3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the network entire system Use this screen to view a list of devices and their current status Top Radio Displays the radios index of each listed top radio RF Domain Displa...

Page 814: ...splay configuration and network address information in greater detail Model Number Lists the model number of each AP that s been adopted since this screen was last refreshed Config Status Displays the configuration file version in use by each listed adopted device Use this information to determine whether an upgrade would increase the functionality of the adopted device Config Errors Lists any err...

Page 815: ...ing Adoptions screen displays the following MAC Address Displays the MAC address of the device pending adoption Select the MAC address to view device configuration and network address information in greater detail Type Displays the AP type IP Address Displays the current IP Address of the device pending adoption VLAN Displays the VLAN the device pending adoption will use as a virtual interface wit...

Page 816: ...dd to Devices Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP Refresh Click the Refresh button to update the list of pending adoptions Hostname Lists the administrator assigned hostname provided when the device was added to the network MAC Address Displays the factory encoded MAC address of each listed offline device Type Displays the offl...

Page 817: ... Floor Lists the administrator assigned deployment floor where the offline device has been detected Connected To Lists the offline s device s connected controller service platform or peer model access point Last Update Displays the date and time stamp of the last time the device was detected within the network Click the arrow next to the date and time to toggle between standard time and UTC Refres...

Page 818: ...the administrator assigned hostname of the device receiving an update History ID Displays a unique timestamp for the upgrade event Last Update Status Displays the initiation completion or error status of each listed upgrade operation Time Last Upgraded Lists the date and time of each upgrade operation Retries Count Displays the number of retries required in an update operation State Displays the d...

Page 819: ...ntroller or service platform to a cluster member to compensate for an access point s license deficiency Total AP Licenses Displays the total number of access point connection licenses currently available to this device AP License Usage Lists the number of access point connections currently utilized by this device out of the total available under the terms of the current license Remaining AP Licens...

Page 820: ...ice Cluster AP Adoption Licenses Displays the current number of access point adoption licenses utilized by controller or service platform connected access points within a cluster Cluster Total AP Licenses Displays the total number of access point adoption licenses available to controller or service platform connected access point within a cluster Cluster AAP Adoption Licenses Displays the current ...

Page 821: ...Installed Lists the number of access point connections available to this peer access point under the terms of the current license Borrowed AP Licenses Displays the number of access point licenses temporarily borrowed from a cluster member to compensate for an AP license deficiency Total AP Licenses Displays the total number of access point connection licenses currently available to clustered devic...

Page 822: ...nctioned devices are those devices detected within the listed RF Domain but have not been deployed by a administrator as a known and approved controller or service platform managed device Number of Interfering APs Displays the number of devices exceeding the interference threshold in each listed RF Domain Each RF Domain utilizes a WIPS policy with a set interference threshold from 100 to 10 dBm Wh...

Page 823: ...WIPS data or just select Only Rogue APs Only Interferer APs for All APs to refine event reporting to a specific type of WIPS activity Select Generate Report to compile and archive the results of the query 6 Select Refresh to update the screen s statistics counters to their latest values ...

Page 824: ...s that determine Access SMART RF and WIPS configuration Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device Health Inventory Devices AP Detection Wireless Clients Device Upgrade Wireless LANs Radios Mesh Mesh Point SMART RF WIPS Captive Portal 13 2 1 Health RF Domain Statistics The Health ...

Page 825: ...chart depicts their status 6 The Radio Quality field displays information on the RF Domain s RF quality The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry and error rate This area also lists the worst 5 performing radios in the RF Domain The RF Quality Index can be interpreted as 0 20 Very poor quality...

Page 826: ... Domain member access points Top 5 Displays the five RF Domain utilized WLANs with the highest average quality indices WLAN Name Displays the WLAN Name for each of the Top 5 WLANs in the access point RF Domain Radio Type Displays the radio type as either 5 GHz or 2 4 GHz Max User Rate Displays the maximum recorded user rate in kbps Top 5 Radios Displays five radios with the best average quality in...

Page 827: ...st Mcast Packets Displays the total number of broadcast multicast packets transmitted and received within the access point RF Domain Management Packets This is the total number of management packets processed within the access point RF Domain Tx Dropped Packets Lists total number of dropped data packets within the access point RF Domain Rx Errors Displays the number of errors encountered during da...

Page 828: ...arts One chart displays for 5 GHz channels and the other for 2 4 GHz channels 7 The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members Total Wireless Clients Displays the total number of clients connected to RF Domain members AP Name Displays the clients connected and reporting access point The name displays as a link that can be selecte...

Page 829: ...work IP address To display RF Domain member device statistics 1 Select the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select Devices from the RF Domain menu Figure 13 12 RF Domain Devices screen Device Displays the system assigned name of each device that s a member of the RF Domain The name displays as a link that can ...

Page 830: ...dels can support from 1 3 radios depending on the hardware SKU AP6532 AP6522 AP6562 AP71xx AP8132 and AP8232 models have two radios AP6511 and AP6521 models have one radio An ES6510 is a controller or service platform manageable Ethernet Switch with no embedded device radios IP Address Displays the IP address each listed device is using a network identifier Refresh Select the Refresh button to upd...

Page 831: ...SI Displays the Received Signal Strength Indicator RSSI of the detected access point Use this variable to help determine whether a device connection would improve network coverage or add noise Reported by Displays the MAC address of the RF Domain member reporting the access point Clear All Select Clear All to reset the statistics counters to zero and begin a new data collection Refresh Select the ...

Page 832: ...lient is currently utilizing with its connected access point within the RF Domain AP Hostname Displays the administrator assigned hostname of the access point to which the client is connected Radio MAC Lists the hardware encoded MAC address of the access point radio to which the client is currently connected within the RF Domain WLAN Displays the name of the WLAN the wireless client is currently u...

Page 833: ...g with a history ID appended to it for each upgrade operation Last update Status Displays the last status message from the RF Domain member device performing the upgrade operation Time Last Upgrade Displays a timestamp for the last successful upgrade Retries Count Lists the number of retries needed for each listed RF Domain member update operation State Lists whether the upgrade operation is compl...

Page 834: ... Displays the Service Set ID SSID assigned to the WLAN upon its creation within the network Traffic Index Displays the traffic utilization index of each listed WLAN which measures how efficiently the traffic medium is used It s defined as the percentage of current throughput relative to the maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 modera...

Page 835: ...t Status Figure 13 17 RF Domain Radio Status screen The Radio Status screen displays the following Rx User Data Rate Displays the average data rate per user for packets received on each listed RF Domain member WLAN Disconnect All Clients Select the Disconnect All Clients button to terminate each listed client s WLAN membership from this RF Domain Refresh Select the Refresh button to update the sta...

Page 836: ...asting on Configured Channel Lists each radio s defined operating channel to help assess if the radio is no longer transmitting on its configured channel Neighbor radios are often required to assist non functioning peers in the same coverage area Power Current Config Displays the current power level the radio is using for its transmissions Configured Power Lists each radio s defined transmit power...

Page 837: ...the level of noise in X dbm format reported by each listed RF Domain member access point SNR Displays the signal to noise ratio SNR of each listed RF Domain member radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data receive rate for each RF Domain member radio s physical...

Page 838: ...y radio information in greater detail Tx Bytes Displays the total number of bytes transmitted by each RF Domain member access point radio This includes all user data as well as any management overhead data Rx Bytes Displays the total number of bytes received by each RF Domain member access point radio This includes all user data as well as any management overhead data Tx Packets Displays the total...

Page 839: ...ure 13 20 RF Domain Mesh screen The RF Domain Mesh screen displays the following Tx Dropped Displays the total number of transmitted packets which have been dropped by each RF Domain member access point radio This includes all user data as well as any management overhead packets that were dropped Rx Errors Displays the total number of received packets which contained errors for each RF Domain memb...

Page 840: ...n of each RF Domain member device 4 Use the N W S and E buttons to move the map in the North East West and South directions respectively The slider next to these buttons enables zooming in and out of the view The available fixed zoom levels are World Country State Town Street and House 5 Use the Maximize button to maximize this view to occupy the complete screen Use the Refresh button to update th...

Page 841: ...e root mesh at the centre and the other mesh device arranged around it In the Hierarchical arrangement the root node of the mesh is displayed at the top of the mesh tree and the relationship of the mesh nodes are displayed as such Use the Meshpoint Name drop down to select a mesh point to see the graphical representation of that mesh point The view can further be filtered based on the values Neigh...

Page 842: ...e bottom portion of the screen displays tabs for General Path Root Multicast Path Neighbors Security and Proxy Refer to the following The General tab displays the following Mesh Point Name Displays the name of each configured mesh point in the RF Domain MAC Displays the MAC Address of each configured mesh point in the RF Domain Hostname Displays the administrator assigned hostname for each configu...

Page 843: ...RF Domain Meshpoint Identifier The identifier is used to distinguish between other mesh points both on the same device and on other devices This is used by a user to setup the preferred root configuration Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Next Hop IFID The Interface ID of the mesh point that traffic is being directed to Is Root...

Page 844: ...ric between the neighbor and their root mesh point Interface Bias This field lists any bias applied because of Preferred Root Interface Index Neighbor Bias This field lists any bias applied because of Preferred Root Next Hop Neighbor IFID Root Bias This field lists any bias applied because of Preferred Root MPID Mesh Point Name Displays the name of each configured mesh point in the RF Domain Subsc...

Page 845: ...g the frequency of the radio that is used to communicate with the neighbor Mesh Root Hops The number of devices between the neighbor and its root mesh point If the neighbor is a root mesh point this value will be 0 If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point this value will be 1 Each mesh point between the neighbor and its root mesh point is counted as ...

Page 846: ...his neighbor Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Radio Interface This indicates the interface that is used by the device to communicate with this neighbor The values are 2 4 and 5 0 indicating the frequency of the radio that is used to communicate wi...

Page 847: ... the mesh point Age Displays the age of the proxy connection for each of the mesh points in the RF Domain Proxy Owner The owner s MPID is used to distinguish the neighbor device Persistence Displays the persistence duration of the proxy connection for each of the mesh points in the RF Domain VLAN The VLAN ID used as a virtual interface with this proxy A value of 4095 indicates that there is no VLA...

Page 848: ...igured as Root A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Yes No Is Root A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Yes No Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Interface ID Uniquel...

Page 849: ...ric A measure of the quality of the path A lower value indicates a better path State Indicates whether the path is currently Valid of Invalid Binding Indicates whether the path is bound or unbound Timeout The timeout interval in seconds The interpretation this value will vary depending on the value of state If the state is Init or In Progress the timeout duration has no significance If the state i...

Page 850: ...the amount of time left before the security validity check is initiated If the state is Failed the timeout duration is the amount of time after which the system will retry Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Neighbor MP ID The MAC Address that the de...

Page 851: ...condary next hop to the recommended root to has a good potential route metric 6 A next hop to an alternate root node 5 A downstream node currently hopping through to get to the root 4 A downstream node that could hop through to get to the root but is currently not hopping through any node look at authentication as this might be an issue 3 A downstream node that is currently hopping through a diffe...

Page 852: ... Keep Alive Yes indicates the local MP acts as a supplicant to authenticate the link and not let it expire if possible No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP Mesh Point Name Displays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or...

Page 853: ...by mesh points in the RF Domain Data Bytes Bytes Total Bytes Displays the total amount of data in Bytes that has been transmitted and received by mesh points in the RF Domain DataPacketsThroughput Kbps Transmitted Packets Displays the total amount of data in packets transmitted by mesh points in the RF Domain DataPacketsThroughput Kbps Received Packets Displays the total amount of data in packets ...

Page 854: ...ve errors from mesh points in the RF Domain Broadcast Packets Tx Bcast Mcast Pkts Displays the total number of broadcast and multicast packets transmitted from mesh points in the RF Domain Broadcast Packets Rx Bcast Mcast Pkts Displays the total number of broadcast and multicast packets received from mesh points in the RF Domain Broadcast Packets Total Bcast Mcast Pkts Displays the total number of...

Page 855: ... the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu 4 Expand the SMART RF menu and select Summary The summary screen enables administrators to assess the efficiency of RF Domain member device channel distributions sources of interference potentially requiring Smart RF adjustments top performing RF Domain memb...

Page 856: ...art RF initiated power level changes reported for this top performing RF Domain member radio Channel Changes Displays the number of Smart RF initiated channel changes reported for this top performing RF Domain member radio Coverage Changes Displays the number of Smart RF initiated coverage changes reported for this top performing RF Domain member radio Time Period Lists the frequency Smart RF acti...

Page 857: ...dual access point hostnames can selected and the RF Domain member radio can reviewed in greater detail Attenuation is a measure of the reduction of signal strength during transmission Attenuation is the opposite of amplification and is normal when a signal is sent from one point to another If the signal attenuates too much it becomes unintelligible Attenuation is measured in decibels The radio s c...

Page 858: ...he descriptions and types of Smart RF events impacting RF Domain member devices Figure 13 29 RF Domain Smart RF History screen The SMART RF History screen displays the following RF Domain member historical data Time Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain ...

Page 859: ...in member device Description Provides a more detailed description of the Smart RF event in respect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference Refresh Select the Refresh button to update the statistics counters to their latest values ...

Page 860: ...enu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Expand the WIPS menu item and select Client Blacklist Figure 13 30 RF Domain WIPS Client Blacklist screen The WIPS Client Blacklist screen displays the following Event Name Displays the name of the blacklisting wireless intrusion event detected by a RF Domain member access point Blackliste...

Page 861: ...cted by a RF Domain member access point Reporting AP Displays the MAC address of the RF Domain member access point reporting the event Originating Device Displays the MAC address of the device generating the event Detector Radio Displays Access Point radio number detecting the event AP7131N models can have from 1 3 radios depending on the SKU AP6532 AP6522 AP6562 AP71xx AP8132 and AP8232 models ha...

Page 862: ...elect Captive Portal from the RF Domain menu Figure 13 32 RF Domain Captive Portal The screen displays the following Captive Portal data for requesting clients Client MAC Displays the MAC address of each listed client requesting captive portal access to the controller or service platform managed network This address can be selected to display client information in greater detail Hostname Lists the...

Page 863: ...se as a virtual interface for captive portal operation with the access point Remaining Time Displays the time after which a connected client is disconnected from the captive portal Refresh Select the Refresh button to update the statistics counters to their latest values ...

Page 864: ...WIPS sensor captive portal NTP and load information Access point statistics consists of the following Health Device Device Upgrade Adoption AP Detection Wireless Clients Wireless LANs Policy Based Routing Radios Mesh Interfaces RTLS PPPoE OSPF L2TPv3 Tunnels VRRP Critical Resources LDAP Agent Status GRE Tunnels Dot1x Network DHCP Server Firewall VPN Certificates WIPS Sensor Servers Captive Portal ...

Page 865: ...n Expand a RF Domain and select one of its connected access points 3 Select Health Figure 13 33 Access Point Health screen The Device Details field displays the following information Hostname Displays the AP s unique name as assigned within the network A hostname is assigned to a device connected to a computer network Device MAC Displays the MAC address of the AP This is factory assigned and canno...

Page 866: ...th the RAM System Clock Displays the system clock information RF Quality Index Displays access point radios having very low quality indices RF quality index indicates the overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Radio Id Displays a radio s hardware encoded MAC address The ID appears as a link that can be selected to show radio utilization in greater deta...

Page 867: ...o help distinguish its exact SKU and country of operation Serial Number Displays the numeric serial number set for the access point Version Displays the software firmware version on the access point Boot Partition Displays the boot partition type Fallback Enabled Displays whether this option is enabled This method enables a user to store a known legacy version and a new version in device memory Th...

Page 868: ...access point s current file description Maximum File Description Displays the access point s maximum file description CPU Load 1 Minute Lists this access point s CPU utilization over a 1 minute span CPU Load 5 Minutes Lists this access point s CPU utilization over a 5 minute span CPU Load 15 Minutes Lists this access point s CPU utilization over a 15 minute span Number Displays the number of fans ...

Page 869: ...ion string Secondary Build Date Displays the build date when this version was created Secondary Install Date Displays the date this secondary version was installed Secondary Version Displays the secondary version string FPGA Version Displays whether a FPGA supported firmware load is being utilized PoE Firmware Version Displays whether a PoE supported firmware load is being utilized Upgrade Status ...

Page 870: ...g Refresh Select Refresh to update the statistics counters to their latest values Upgraded By Device Displays the device that performed the upgrade Type Displays the model of the access point The updating access point must be of the same model as the access point receiving the update Device Hostname Displays the administrator assigned hostname of the device receiving the update History ID Displays...

Page 871: ...cess point their RF Domain memberships and network service information To view adopted access point statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select Adopted APs Figure 13 36 Access Point Adopted APs screen The ...

Page 872: ...isted access point type adopted by this access point RF Domain Name Displays each access point s RF Domain membership An access point can only share RF Domain membership with other access points of the same model Model Number Displays each listed access point s numeric model AP6532 AP6511 etc Status Displays each listed access point s configuration status to help determine its service role Errors ...

Page 873: ...access points AP MAC Address Displays the MAC address of each access point this access point has attempted to adopt Reason Displays the reason code for each event listed Event Time Displays day date and time for each access point adoption attempt Refresh Select the Refresh button to update the screen s statistics counters to their latest values Event History Displays the self adoption status of ea...

Page 874: ...en provides the following MAC Address Displays the MAC address of the device pending adoption Type Displays the access point s model type IP Address Displays the current network IP Address of the device pending adoption VLAN Displays the current VLAN used as a virtual interface by device pending adoption Reason Displays the status as to why the device is still pending adoption and has not yet succ...

Page 875: ...n The AP Detection screen displays the following Unsanctioned AP Displays the MAC address of a detected access point that is yet to be authorized for interoperability within the access point managed network Reporting AP Displays the hardware encoded MAC address of the radio used by the detecting access point Select an access point to display configuration and network address information in greater...

Page 876: ... and perhaps unsanctioned access point Last Seen Displays the time in seconds the unsanctioned access point was last seen on the network Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection Refresh Select the Refresh button to update the screen s statistics counters to their latest values Client MAC Displays the hardcoded MAC address assig...

Page 877: ...er Band Displays the 802 11 radio band on which the listed wireless client operates AP Hostname Displays the administrator assigned hostname of the access point to which this access point is adopted Radio MAC Displays the MAC address of the radio which the wireless client is using WLAN Displays the name of the WLAN the access point s using with each listed client Use this information to determine ...

Page 878: ...are 0 20 very low utilization 20 40 low utilization 40 60 moderate utilization 60 and above high utilization Radio Count Displays the cumulative number of peer access point radios deployed within each listed WLAN Tx Bytes Displays the average number of transmitted bytes sent on each listed WLAN Tx User Data Rate Displays the transmitted user data rate in kbps for each listed WLAN Rx Bytes Displays...

Page 879: ... side of the screen Expand a RF Domain and select one of its connected access points 3 Select Policy Based Routing Figure 13 43 Access Point Policy Based Routing screen The Policy Based Routing screen displays the following Precedence Lists the numeric precedence priority assigned to each listed PBR configuration A route map consists of multiple entries each carrying a precedence value An incoming...

Page 880: ...os display as selectable links within each of the three access point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Additionally navigate the Traffic WMM TSPEC Wireless LANs and Graph options available on the upper left hand side of the screen to review radio traffic utilizat...

Page 881: ...ation Radio Displays the name assigned to the radio as its unique identifier The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Radio MAC Displays the factory encoded hardware MAC address assigned to the radio Radio Type Displays the radio as either supporting the 2 4 or 5 GHZ radio band State Lists a radio s On Off operational...

Page 882: ...displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Signal Displays the radio s current power level in dBm SNR Displays the signal to noise ratio of the radio s associated wireless clients Tx Physical Layer Rate Displays the data transmit rate for the radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays th...

Page 883: ...tion index of the radio This is expressed as an integer value 0 20 indicates very low utilization and 60 and above indicate high utilization Quality Index Displays an integer that indicates overall RF performance The RF quality indices are 0 50 poor 50 75 medium 75 100 good Refresh Select the Refresh button to update the screen s statistics counters to their latest values Radio Displays the name a...

Page 884: ...Rx Packets Displays the total number of packets received by each listed radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps user data is transmitted by each listed radio This rate only applies to user data and does not include management overhead Rx User Data Rate Displays the rate in kbps user data is received by the radio This ...

Page 885: ...eneral tab displays by default Figure 13 48 Access Point General Interface screen Interface Statistics support the following Client Displays the system assigned name of each member of the mesh network Client Radio MAC Displays the MAC address of each client radio in the mesh network Portal Mesh points connected to an external network and forward traffic in and out are mesh portals Mesh points must...

Page 886: ...ce is currently UP or DOWN Media Type Displays the physical connection type of the interface Medium types include Copper Used on RJ 45 Ethernet ports Optical Used on fibre optic gigabit Ethernet ports Protocol Displays the routing protocol used by the interface MTU Displays the maximum transmission unit MTU setting configured on the interface The MTU value represents the largest packet size that c...

Page 887: ...he interface Collisions Displays the number of collisions over the selected interface Late Collisions A late collision is any collision that occurs after the first 64 octets of data have been sent Late collisions are not normal and usually the result of out of specification cabling or a malfunctioning device Excessive Collisions Displays the number of excessive collisions Excessive collisions occu...

Page 888: ...g packet Rx Over Errors Displays the number of overflow errors received Overflows occur when a packet size exceeds the allocated buffer size Tx Errors Displays the number of packets with errors transmitted on the interface Tx Dropped Displays the number of transmitted packets dropped from the interface Tx Aborted Errors Displays the number of packets aborted on the interface because a clear to sen...

Page 889: ...3 Select Interfaces 4 Select Network Graph Figure 13 49 Access Point Interface Network Graph screen 13 3 12 RTLS Access Point Statistics The real time locationing system RTLS enables accurate location determination and presence detection capabilities for Wi Fi based devices Wi Fi based active RFID tags and passive RFID tags While the operating system does not support locationing locally it does re...

Page 890: ...the number of Nack no acknowledgement frames received from RTLS supported radio devices providing locationing services Acks Displays the number of Ack acknowledgment frames received from RTLS supported radio devices providing locationing services Lbs Displays the number of location based service LBS frames received from RTLS supported radio devices providing locationing services AP Status Provides...

Page 891: ... on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select PPPoE Figure 13 51 Access Point PPPoE screen The Configuration Information field screen displays the following Tag Reports Displays the number of tag reports received from locationing equipped radio devices supporting RTLS Refresh Select the Refresh button to update the screen s statistic...

Page 892: ...ly on the destination IP address found in IP packets Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen OSPF Summary OSPF Neighbors OSPF Area Details OSPF Route Statistics OSPF Route Statistics OSPF State Authentication Type Lists authentication type used by the PPPoE client whose credentials must be shared by its peer access point Supported au...

Page 893: ...mpliance information and LSA data OSPF version 2 was originally defined within RFC versions 1583 and 2328 The general field displays whether compliance to these RFCs have been satisfied The OSPF Link State Advertisement LSA Throttling feature provides a dynamic mechanism to slow down link state advertisement updates in OSPF during times of network instability It also allows faster OSPF convergence...

Page 894: ...bute routes received from other external ASs throughout its own autonomous system Routers in other areas use ABR as next hop to access external addresses Then the ABR forwards packets to the ASBR announcing the external addresses SPF Refer to the SPF field to assess the status of the shortest path forwarding SPF execution last SPF execution SPF delay SPF due in SPF hold multiplier SPF hold time SP...

Page 895: ...ighbor Info tab Figure 13 53 Access Point OSPF Neighbor Info tab The Neighbor Info tab describes the following Router ID Displays the router ID assigned for this OSPF connection The router is a level three Internet Protocol packet switch This ID must be established in every OSPF instance If not explicitly configured the highest logical IP address is duplicated as the router identifier However sinc...

Page 896: ... the default node and select an access point for statistical observation 3 Select OSPF 4 Select the Area Details tab Request Count Lists the connection request count hello packets to connect to the router interface discover neighbors and elect a designated router Retransmit Count Lists the connection retransmission count attempted in order to connect to the router interface discover neighbors and ...

Page 897: ...outer LSA Lists the Link State Advertisements of the router supporting each listed area ID The router LSA reports active router interfaces IP addresses and neighbors Network LSA Displays which routers are joined together by the designated router on a broadcast segment e g Ethernet Type 2 LSAs are flooded across their own area only The link state ID of the type 2 LSA is the IP interface address of ...

Page 898: ...outing table entries to an ABR or Autonomous System Boundary Router ASBR Border routers maintain an LSDB for each area supported They also participate in the backbone 5 Refer to External Routes tab NSSA LSA Routers in a Not so stubby area NSSA do not receive external LSAs from Area Border Routers but are allowed to send external routing information for redistribution They use type 7 LSAs to tell t...

Page 899: ... between routers Each external route can also be tagged by the advertising router enabling the passing of additional information between routers on the boundary of the autonomous system The External Routes tab displays a list of external routes the area impacted cost path type tag and type 2 cost Cost factors may be the distance of a router round trip time network throughput of a link or link avai...

Page 900: ...tocol takes advantage of broadcast capability An OSPF network route makes further use of multicast capabilities if they exist Each pair of routers on the network is assumed to communicate directly The Network Routes tab displays the network name impacted OSPF area cost destination and path type 7 Select the Router Routes tab Figure 13 57 Access Point OSPF Router Routes tab An internal or router ro...

Page 901: ... node and select an access point for statistical observation 3 Select OSPF 4 Select the OSPF Interface tab Figure 13 58 Access Point OSPF Interface tab The OSPF Interface tab describes the following Interface Name Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes Zero config and DHCP can be used to generate route addresses or a primary and secondary addres...

Page 902: ...b Figure 13 59 Access Point OSPF State tab The OSPF State tab describes the following OSPF Enabled Lists whether OSPF has been enabled for each listed interface OSPF is disabled by default UP DOWN Displays whether the OSPF interface the dynamic route is currently up or down for each listed interface An OSPF interface is the connection between a router and one of its attached networks OSPF state Di...

Page 903: ...b UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select L2TPv3 Figure 13 60 Access Point L2TPv3 screen OSPF ignore state monitor timeout Displays the timeout that when exceeded prohibits the access point from detecting changes to the OSPF link state OSPF max ignore state count Displays whether an OS...

Page 904: ...ession This is the peer pseudowire ID for the session This source and destination IDs are exchanged in session establishment messages with the L2TP peer CTRL Connection ID Displays the router ID s sent in tunnel establishment messages with a potential peer device Up Time Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection Up Time...

Page 905: ... invalid packet checksums invalid packet types invalid virtual route IDs TTL errors packet length errors and invalid non matching VRRP versions 5 Refer to the Router Operations Summary for the following status VRID Lists a numerical index 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a pack...

Page 906: ...Expand a RF Domain and select one of its connected access points 3 Select Critical Resources Figure 13 62 Access Point Critical Resources screen Interface Name Displays the interfaces selected on the access point to supply VRRP redundancy failover support Version Display VRRP version 3 RFC 5798 or 2 RFC 3768 as selected to set the router redundancy Version 3 supports sub second centisecond VRRP fa...

Page 907: ... Server on page 9 46 To view access point LDAP agent statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select LDAP Agent Status Critical Resource Name Lists the name of the critical resource monitored by the access point Critical resources are device...

Page 908: ...imary Lists the primary IP address of a remote LDAP server resource used by the access point to validate PEAP MS CHAP v2 authentication requests When a RADIUS server policy s data source is set to LDAP this is the first resource for authentication requests LDAP Agent Secondary Lists the secondary IP address of a remote LDAP server resource used by the access point to validate PEAP MS CHAP v2 authe...

Page 909: ...plays the current operational state of the GRE tunnel Peer IP Address Displays the IP address of the peer device on the remote end of the GRE tunnel Tunnel Id Displays the session ID of an established GRE tunnel This ID is only viable while the tunnel is operational Total Packets Received Displays the total number of packets received from a peer at the remote end of the GRE tunnel Total Packets Se...

Page 910: ...Lists whether guest VLAN control has been allowed or enabled This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled A green checkmark designates guest VLAN control as enabled A red X defines guest VLAN control as disabled System Auth Control Lists whether Dot1x authorization is globally enabled for the access point A green checkmark designates Dot1x auth...

Page 911: ...ed to maintain a BESM Lists whether an authentication request is pending on the listed port Client MAC Lists the MAC address of requesting clients seeking authentication over the listed port Guest VLAN Lists the guest VLAN utilized for the listed port This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled Host Lists whether the host is a single entity or...

Page 912: ...Entries Network The Route Entries screen displays the destination subnet gateway and interface for routing packets to a defined destination When an existing destination subnet does not meet the needs of the network add a new destination subnet subnet mask and gateway To view route entries 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of...

Page 913: ...ides details about the Integrate Gateway Server IGS which is a router connected to an access point The IGS performs the following Issues IP addresses Throttles bandwidth Destination Displays the IP address of the destination route address FLAGS The flag signifies the condition of the direct or indirect route A direct route is where the destination is directly connected to the forwarding host With ...

Page 914: ...d expand the menu to reveal its sub menu items 4 Select Bridge Figure 13 68 Access Point Network Bridge screen 5 Review the following bridge configuration attributes 6 Select Refresh to update the counters to their latest values 13 3 21 4 IGMP Network Internet Group Management Protocol IGMP is a protocol used for managing members of IP multicast groups The access point listens to IGMP network traf...

Page 915: ...ast Router MRouter field displays the following VLAN Displays the group VLAN where the multicast transmission is conducted Group Address Displays the Multicast Group ID supporting the statistics displayed This group ID is the multicast address that hosts are listening to Port Members Displays the ports on which multicast clients have been discovered by the access point For example ge1 radio1 etc V...

Page 916: ...hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select DHCP Options Figure 13 70 Access Point Network DHCP Options screen MiNT IDs Lists MiNT IDs for each listed VLAN MiNT provides the means to secure access point profile communications at the transport layer Using MiNT an access point can ...

Page 917: ...from the boot server The image file contains the image of the operating system the client will run DHCP servers can be configured to support BOOTP Configuration Displays the name of the configuration file on the DHCP server Legacy Adoption Displays historical device adoption information on behalf of the access point Adoption Displays adoption information on behalf of the access point Refresh Selec...

Page 918: ...en The Cisco Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each listed device Local Port Displays the local port name access point physical port for each CDP capable device Supported access point models have un...

Page 919: ...covery Figure 13 72 Access Point Network LLDP screen The Link Layer Discovery Protocol screen displays the following Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each device in the table Enabled Capabilities Displays which device capabilities are currently e...

Page 920: ... allocation and delivery of host specific configuration parameters IP address network mask gateway etc from a DHCP server to a host To view DHCP server statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select DHCP and expand the menu to reveal its su...

Page 921: ...onal state of the DHCP server to assess its availability as a viable IP provisioning resource IP Address Displays the IP address assigned to the requesting client Name Displays the domain name mapping corresponding to the listed IP address IP Address Displays the IP address for clients requesting DHCP provisioning resources Client Id Displays the client s ID used to differentiate requesting client...

Page 922: ...ngs Figure 13 74 Access Point DHCP Server Bindings screen The DHCP Bindings screen displays the following Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources IP Address Displays the IP address for each DHCP resource requesting client DHCP MAC Address Displays the hardware encoded MAC address client Id of each DHCP resource requesting client Clear Select ...

Page 923: ...ork s DHCP Networks 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand the a RF Domain and select one of its connected access points 3 Select DHCP and expand the menu to reveal its sub menu items 4 Select Networks The DHCP Networks screen displays the following Figure 13 75 Access Point DHCP Network screen Name Displays ...

Page 924: ...k unauthorized access while permitting authorized communications It s a device or set of devices configured to permit or deny access to the controller or service platform managed network based on a defined set of rules This screen is partitioned into the following Packet Flows Denial of Service IP Firewall Rules MAC Firewall Rules NAT Translations DHCP Snooping ...

Page 925: ...play for each individual packet type To view access point packet flows statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Packet Flows 5 Periodically select Refresh to update th...

Page 926: ...he types of attack number of times it occurred and the time of last occurrence To view access point DoS attack information 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select Denial of Serv...

Page 927: ...ide of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select IP Firewall Rules Figure 13 78 Access Point Firewall IP Firewall Rules screen The IP Firewall Rules screen displays the following Precedence Displays the precedence value applied to packets The rules within an Access Control Entries ACL list...

Page 928: ...t System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select MAC Firewall Rules Figure 13 79 Access Point Firewall MAC Firewall Rules screen The MAC Firewall Rules screen displays the following information Precedence Displays a precedence value which...

Page 929: ...acing IP address assigned to a 10 100 1000 Ethernet port or 3G card To view the Firewall s NAT translations 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select NAT Translations Figure 13 80...

Page 930: ...ation port for the forward NAT flow contains ICMP ID if it is an ICMP flow Reverse Source IP Displays the source IP address for the reverse NAT flow Reverse Source Port Displays the source port for the reverse NAT flow contains ICMP ID if it is an ICMP flow Reverse Dest IP Displays the destination IP address for the reverse NAT flow Reverse Dest Port Displays the destination port for the reverse N...

Page 931: ...dress is reserved for re connection after its last use Using very short leases DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses This is useful for example in education and customer environments where client users change frequently Use longer leases if there are fewer users Time Elapsed Since Last Updated Displays the time the server ...

Page 932: ...transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic One crypto map is utilized for each IPsec peer however for remote VPN deployments one crypto map is used for all the remote IPsec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional...

Page 933: ...packet it creates a secure tunnel and sends the packet through the tunnel to its destination Version Displays each peer s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms State Lists the state of each listed peer s security association whether established or not Lifetime Displays the lifetime for the duration of each listed pee...

Page 934: ...addresses for peers sharing security associations SAs for tunnel interoperability When a peer sees a sensitive packet it creates a secure tunnel and sends the packet through the tunnel to its destination Local IP Address Displays each listed peer s local tunnel end point IP address This address represents an alternative to an interface IP address Protocol Lists the security protocol used with the ...

Page 935: ...y Used Displays the name of the key pair generated separately or automatically when selecting a certificate IS CA Indicates whether this certificate is an authority certificate Yes No Is Self Signed Displays whether the certificate is self signed Yes No Server Certificate Present Displays whether a server certification is present or not Yes No CRL Present Displays whether a Certificate Revocation ...

Page 936: ... in the selected access point RSA Keys are generally used for establishing a SSH session and are a part of the certificate set used by RADIUS VPN and HTTPS To view the RSA Key details 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Certificates and exp...

Page 937: ...name of the blacklisted client the time when the client was blacklisted the total time the client remained in the network etc The screen also provides WIPS event details For more information see WIPS Client Blacklist WIPS Events 13 3 26 1 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted clients detected by this access point using WIPS Blacklisted clients are not allowed to ass...

Page 938: ...listed Displays the time when the client was blacklisted by this access point Total Time Displays the time the unauthorized now blacklisted device remained in this access point s WLAN Time Left Displays the time the blacklisted client remains on the list Refresh Select the Refresh button to update the statistics counters to their latest values Event Name Displays the name of the detected wireless ...

Page 939: ... select one of its connected access points 3 Select Sensor Servers Figure 13 88 Access Point Sensor Servers screen The Sensor Servers screen displays the following Refresh Select the Refresh button to update the screen s statistics counters to their latest values IP Address Hostname Displays a list of sensor server IP addresses or administrator assigned hostnames These are the server resources ava...

Page 940: ...gle broadcast domain However with special DNS configuration it can be extended to find services across broadcast domains To view the available Bonjour Services 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Bonjour Services Figure 13 89 Access Point B...

Page 941: ...aptive Portal Figure 13 90 Access Point Captive Portal screen The Captive Portal screen displays the following VLAN Type Displays local if the VLAN on which a service is advertised is local to this network Displays tunneled otherwise Expiry Displays the time at which the advertised service expires Client MAC Displays the MAC address of requesting wireless clients The client address displays as a l...

Page 942: ...Guide Remaining Time Displays the time after which the client is disconnected from the captive portal hosted Internet and access point connectivity Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 943: ...ed statistics of an associated NTP Server of an access point Use this screen to review the statistics for each access point The Network Time statistics screen consists of two tabs NTP Status NTP Association 13 3 30 1 NTP Status Network Time To view the Network Time statistics of an access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand s...

Page 944: ...een Precision Displays the precision of the time clock in Hz The values that normally appear in this field range from 6 for mains frequency clocks to 20 for microsecond clocks Reference Time Displays the time stamp the access point s clock was last synchronized or corrected Reference Displays the address of the time source the access point is synchronized to Root Delay The total round trip delay i...

Page 945: ...ly reduces its offset to zero Poll Displays the maximum interval between successive messages in seconds to the nearest power of two Reach Displays the status of the last eight SNTP messages If an SNTP packet is lost the lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server IP Address Displays...

Page 946: ... Channel The graph section displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Request Events displays the Time Client Capability State WLAN and Requested Channels for all client request events on the access point Remember AP6532 and AP71xx models can support up to 256 c...

Page 947: ...reen Expand a RF Domain and select one of its connected AP8132 access points 3 Select Environment Figure 13 94 Access Point Environmental Sensor screen Light tab The Light tab displays by default with additional Temperature Motion and Humidity tabs available for unique sensor reporting Each of these sensor measurements helps the administrator determine whether the immediate deployment area is occu...

Page 948: ...lp determine whether the AP8132 can be upgraded or powered off during specific hours of the day 7 Select the Temperature tab Figure 13 95 Access Point Environmental Sensor screen Temperature tab 8 Refer to the Temperature table to assess the sensor s detected temperature within the AP8132 s immediate deployment area Temperature is measured in centigrade The table displays the Current Temperature c...

Page 949: ...inute Average Motion count per interval Compare these two items to determine whether the AP8132 s deployment location remains consistently occupied by client users For more information on enabling the sensor see Environmental Sensor Configuration on page 5 192 13 Refer to the Motion Trend Over Last Hour graph to assess the fluctuation in user movement over the last hour Use this graph in combinati...

Page 950: ...ins consistently humid often a by product of temperature For more information on enabling the sensor see Environmental Sensor Configuration on page 5 192 17 Refer to the Humidity Trend Over Last Hour graph to assess the fluctuation in humidity over the last hour Use this graph in combination with the Temperature and Motions graphs in particular to assess the deployment area s activity levels 18 Re...

Page 951: ...improve client performance Wireless clients statistics can be assessed using the following criteria Health Details Traffic WMM TSPEC Association History Graph 13 4 1 Health Wireless Client Statistics The Health screen displays information on the overall performance of a selected wireless client To view the health of a wireless client 1 Select the Statistics menu from the Web UI 2 Select System fro...

Page 952: ...g associated or blacklisted IP Address Displays the IP address the selected wireless client is currently utilizing as a network identifier WLAN Displays the client s connected access point WLAN membership This is the WLAN whose QoS settings should account for the clients s radio traffic objective Radio MAC Displays the access point radio MAC address the wireless client is connected to on the netwo...

Page 953: ...ty index can be interpreted as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems SNR Displays the signal to noise SNR ratio of the connected wireless client Signal Displays the power of the radio signals in dBm Noise Displays the disturbing in...

Page 954: ...etails Total Bytes Displays the total bytes processed by the access point s connected wireless client Total Packets Displays the total number of packets processed by the wireless client User Data Rate Displays the average user data rate in both directions Physical Layer Rate Displays the average packet rate at the physical layer in both directions Tx Dropped Packets Displays the number of packets ...

Page 955: ... via its connected access point controller or service platform The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail OS Lists the client s operating system Android etc Browser Displays the browser type used by the client to facilitate its wireless connection Type Lists the client manufacturer or vendor Role Lists the client...

Page 956: ...by the wireless client without it being dis associated from the access point SM Power Save Mode Displays whether this feature is enabled on the wireless client The spatial multiplexing SM power save mode allows an 802 11n client to power down all but one of its radios This power save mode has two sub modes of operation static operation and dynamic operation Power Save Mode Displays whether this fe...

Page 957: ...ion request to an access point This association request is sent as a frame This frame carries information about the client and the SSID of the network it wishes to associate After receiving the request the access point considers associating with the client and reserves memory space for establishing an AID for the client Max AMSDU Size Displays the maximum size of AMSDU AMSDU is a set of Ethernet f...

Page 958: ...measures how efficiently the traffic medium is used It s defined as the percentage of current throughput relative to the maximum possible throughput This screen also provides the following Total Bytes Displays the total bytes processed in both directions by the access point s connected client Total Packets Displays the total number of data packets processed in both directions by the access point s...

Page 959: ... holds any network packet to be sent to this radio RF Quality Index Displays information on the RF quality of the selected wireless client The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry rate and the error rate The RF quality index value can be interpreted as 0 20 Very low utilization 20 40 Low util...

Page 960: ...ireless Client WMM TPSEC screen The top portion of the screen displays the TSPEC stream type and whether the client has roamed The Ports Stats field displays the following R Value R value is a number or score used to quantitatively express the quality of speech in communications systems This is used in digital networks that carry Voice over IP VoIP traffic The R value can range from 1 worst to 100...

Page 961: ... screen Expand a RF Domain an access point then a connected client 3 Select Association History Figure 13 102 Wireless Client Association History screen Refer to the following to discern this client s access point association history Direction Type Displays whether the WMM TPSEC data stream is in the uplink or downlink direction Request Time Lists each sequence number s request time for WMM TPSEC ...

Page 962: ...ected client 3 Select Graph 4 Use the Parameters drop down menu to define from 1 3 variables assessing client signal noise transmit or receive values 5 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 minutes 20 minutes or 1 hour 30 seconds is the default value Figure 13 103 Wireless Client Graph Select an available point in ...

Page 963: ...notification settings defined and saved as part of an event policy Thus policies can be configured and administrated in respect to specific sets of client association authentication encryption and performance events Once policies are defined they can be mapped to device profiles strategically as the likelihood of an event applies to particular devices By default there s no enabled event policy and...

Page 964: ...T SERVICE TUT_LINE_POWER_ALARM_RAISED 5 IPX str Line power alarm raised on id str Line power alarm raised ADOPT SERVICE TUT_LINE_POWER_ALARM_CLEARED 5 IPX str Line power alarm cleared on id str Line power alarm cleared ADOPT SERVICE TUT_WLAN_CLIENT_ASSOC 6 IPX str Client str on interface index str associated Client associated ADOPT SERVICE TUT_WLAN_CLIENT_DISASSOC 6 IPX str Client str on interface...

Page 965: ...pted Radios Count str Bss str Access point unadopted AP ADOPTED_TO_CONTROLLER Joined successfully with controller qstr str Access point adopted to controller AP ONLINE Access Point dev is now online Offline Reason is str Offline count is int Access point online AP OFFLINE Access Point dev is now offline Offline Reason is str Offline count is int Access point offline AP OFFLINE Device dev str is of...

Page 966: ... Deauthentication attack ADV WIPS ADV WIPS EVENT 2 4 Detected DoS Disassociation attack against mac str DoS disassociation attack ADV WIPS ADV WIPS EVENT 3 4 Detected DoS EAP failure spoof attack by mac str EAP failure spoof attack ADV WIPS ADV WIPS EVENT 10 4 Detected ID Theft out of sequence attack for mac str ID theft out of sequence attack ADV WIPS ADV WIPS EVENT 11 4 Detected possible ID Thef...

Page 967: ...P agent traffic ADV WIPS ADV WIPS EVENT 118 4 Multicast IGMP traffic found from mac str Multicast IGMP traffic ADV WIPS ADV WIPS EVENT 119 4 Detected NETBIOS traffic from mac str Detected NETBIOS traffic ADV WIPS ADV WIPS EVENT 120 4 Detected STP traffic from mac str Detected STP traffic ADV WIPS ADV WIPS EVENT 113 4 Multicast RIP 2 Routers traffic found from mac str Multicast RIP 2 routers traffi...

Page 968: ...lood attack ADV WIPS ADV WIPS EVENT 222 4 Detected Invalid Channel Advertisement for mac str Invalid channel advertisement ADV WIPS ADV WIPS EVENT 63 4 Detected Windows ZERO Configuration Memory Leak on mac str Windows ZERO configuration memory leak ADV WIPS ADV WIPS EVENT 220 4 Detected Unauthorized Bridge mac str Unauthorized bridge AP SW_CONN_LOST 0 Lost connectivity with controller after confi...

Page 969: ...L PAGE_CRE_FAILED3 Page creation failed for policy qstr file qstr Error qstr Page creation failure CAPTIVE PORTAL DATA_LIMIT_EXCEED6 Data limit exceed Usage int KBytes Action str client mu ip Client data limit exceeded CAPTIVE PORTAL VLAN_SWITCH6 Client mu ip switching from vlan int to vlan int Client VLAN switch CAPTIVE PORTAL SERVER_MONITOR_STATE_CHANGE6 Captive portal policy qstr service monito...

Page 970: ...TRUSTPOINT 6 Export of Trustpoint str str Export of trustpoint CERTMGR CERT_EXPIRY 4 str certificate for trustpoint str str Certificate expiration CERTMGR CA_KEY_ACTIONS_SUCCESS 6 str of CA private key for trustpoint str successful Successful completion of CA private key actions CERTMGR CA_KEY_ACTIONS_FAILURE 3 str of CA private key for trustpoint str failed str Failure of CA private key actions C...

Page 971: ...the password provided RSA key cannot be decrypted with provided password CERTMGR LITE CERTIMPORTED 6 str Certificate imported for the trustpoint str Certificate imported for trustpoint CERTMGR LITE CERTKEYIMPORTED 6 Private key imported for the trustpoint str Private key imported for trustpoint CERTMGR LITE RSAKEYIMPORTED 6 Rsakey imported with the name str RSA key imported CERTMGR LITE DELETETRUS...

Page 972: ... 0 1 Memory usage detected as too high DIAG BUF_USAGE 6 uint byte buffer usage greater than expected uint used warning level uint Log buffer usage greater than anticipated DIAG HEAD_CACHE_USAGE 6 socket buffer head cache usage is greater than expected usage uint warning level uint Log head cache usage greater than anticipated DIAG IP_DEST_USAGE 6 IP destination cache usage is greater than expected...

Page 973: ... DHCP relay interface DHCPSVR RELAY_START 6 DHCP relay agent started on str DHCP relay agent started DHCPSVR RELAY_STOP 6 DHCP relay agent stopped DHCP relay agent stopped DHCPSVR DHCPSVR_START 6 DHCP server is started DHCP server started DIAG FAN_UNDERSPEED 4 Fan str under speed uint RPM is under limit uint RPM Fan speed under set RPM limit DIAG ELAPSED_TIME 7 Elapsed time since last diag run app...

Page 974: ..._FAILED 5 Client qstr failed 802 1x EAP authentication on interface qstr 802 1x authentication failure 802 1X authentication failed DOT11 COUNTRY_CODE 5 Country of operation configured to str Country of operation configured DOT11 COUNTRY_CODE_ERROR 1 Error setting country of operation str Error setting country of operation DOT11 CLIENT_ASSOCIATED 6 Client qstr associated to wlan qstr ssid qstr on ...

Page 975: ...EAP_CACHED_KEYS 6 Key Cache used for client qstr on wlan qstr radio qstr Skipping 802 1x Key cache used for authentication DOT11 EAP_OPP_CACHED_KEYS 6 Opportunistic Key Cache used for client qstr on wlan qstr radio qstr Skipping 802 1x Opportunistic key caching used for authentication DOT11 EAP_PREAUTH_SUCCESS 6 Client qstr 802 1x EAP type str pre authentication success on wlan qstr bss mac EAP pr...

Page 976: ...l system cmd failed FWU FWUBADCONFIG 3 Firmware update unsuccessful unable to read configuration file Update unsuccessful unable to read config file FWU FWUSERVERUNDEF 3 Firmware update unsuccessful update server undefined Update unsuccessful server undefined FWU FWUFILEUNDEF 3 Firmware update unsuccessful update file undefined Update unsuccessful update file undefined FWU FWUSERVERUNREACHABLE 3 F...

Page 977: ... 6 str license installed count int License count LICMGR LIC_REMOVED 6 str license removed License removed LICMGR LIC_INVALID 3 str license invalid Error str License installation failed MESH MESH_LINK_UP 5 Mesh link up between radio qstr and radio qstr Mesh link up MESH MESH_LINK_DOWN 5 Mesh link down between radio qstr and radio qstr Mesh link down MGMT LOG_KEY_DELETED 4 Rsakey str associated with...

Page 978: ... 6 Interface str acquired IP address ip uint via DHC Interface assigned DHCP IP address NSM DHCPDEFRT 6 Default route with gateway ip learnt via DHC Default route learnt via DHCP NSM DHCPIPCHG 5 Interface str changed DHCP IP old IP ip uint new IP ip uint DHCP Interface IP changed NSM DHCPNODEFRT 5 Interface str lost its DHCP default route Interface no default route NSM IFIPCFG 3 Interface str IP a...

Page 979: ...ROCNORESP 4 Process str is not responding uint uint Process is not responding RADCONF RADIUSDSTART 6 Radius Server Started RADIUS server started RADCONF RADIUSDSTOP 6 Radius Server Stopped RADIUS server stopped RADCONF COULD_NOT_STOP_RADIUSD 3 radiusd could not be stopped RADIUS server failed to stop RADIO RADIO_STATE_CHANGE 5 Radio qstr changing state from qstr to qstr Radio state changed RADIO R...

Page 980: ...m wam start recovery SYSTEM COLD_START 6 System Cold start System came up at str System cold start SYSTEM SERVER_UNREACHABLE 5 Server not reachable trying authentication using local database Authentication using the local database SYSTEM PERIODIC_HEART_BEAT 3 Periodic Heart Beat Interval int Ip address str Periodic heartbeat detected SYSTEM CONFIG_COMMIT 6 Configuration commit by user qstr str fro...

Page 981: ... VIP ip does not overlap with any of the interface addresses VRRP IP not overlapping with interface addresses VRRP VRRP_MONITOR_CHANGE 5 str VRRP Group uint monitored str state change to str priority change from uint to uint VRRP monitor link state change WIPSUNSANCTIONED_AP_ACTIVE6UnsanctionedAP mac vendor str on channel int with rssi int active from str Unsanctioned AP active WIPS UNSANCTIONED_A...

Page 982: ...14 20 WiNG 5 6 Access Point System Reference Guide ...

Page 983: ...d version number If you have a problem with your equipment contact support for your region Support and issue resolution is provided for products under warranty or that are covered by an services agreement Contact information and Web self service is available by visiting https portal motorolasolutions com Support US EN Customer Support Web Site The Support Central Web site located athttps portal mo...

Page 984: ...A 2 WiNG 5 6 Access Point System Reference Guide ...

Page 985: ...egarding licenses acknowledgments and required copyright notices for open source packages used in these Motorola Solutions products Access Points AP8232 AP8132 AP7181 AP7161 AP7131 AP6562 AP6532 AP6522 AP6521 AP6511 AP5181 AP5131 AP650 AP622 AP621 Wireless Switches NX9510 NX9500 NX9000 NX6524 NX6500 ...

Page 986: ...se of open source B 2 Open Source Software Used Motorola s Support Central Web site located at http supportcentral motorolasolutions com provides information and online assistance including developer tools software downloads product manuals support contact information and online repair requests Name Version URL License Apache Web Server 1 3 41 http www apache org Apache License Version 2 0 Asteris...

Page 987: ...re dhcp ISC License diffutils 2 8 1 http www gnu org software diffutils GNU General Public License version 2 dmalloc 5 5 2 http dmalloc com None dmidecode 2 11 http savannah nongnu org projects dmidecod e GNU General Public License version 2 dnsmasq 2 47 http www thekelleys org uk dnsmasq doc htm l GNU General Public License version 2 dosfstools 2 11 http www daniel baumann ch software dosfst ools...

Page 988: ... Public License version 2 hotplug 1 3 http sourceforge net projects linux hotplug GNU General Public License version 2 hotplug2 0 9 http isteve bofh cz isteve hotplug2 GNU General Public License version 2 i2ctools 3 0 3 http www lm sensors org wiki I2CTools GNU General Public License version 2 ipaddr 2 1 0 http code google com p ipaddr py Apache License Version 2 0 ipkg utils 1 7 http www handheld...

Page 989: ...pg error 1 6 ftp ftp gnupg org GnuPG libgpg error GNU Lesser General Public License 2 1 libharu 2 1 0 http libharu org MIT License libhttp parser None None MIT License libiconv 1 14 http savannah gnu org projects libiconv GNU General Public License 2 0 libjson 0 10 http sourceforge net projects libjson The BSD License libkerberos 0 1 http web mit edu kerberos dist The BSD License libncurses 5 4 ht...

Page 990: ...p 20060717 http ltp sourceforge net GNU General Public License version 2 lxml 2 3beta1 http lxml de The BSD License lzma 4 32 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzma 4 57 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzo 2 03 http www oberhumer com opensource lzo GNU General Public License version 2 M2Crypto 0 21 1 http chandlerpro...

Page 991: ...se Open Scales 2 2 http openscales org GNU Lesser General Public License version 3 0 OpenStreetMap http www openstreetmap org Creative Commons Attribution ShareAlike License version 3 0 openldap 2 4 25 http www openldap org foundation The Open LDAP Public License openllpd 0 0 3alpha http openlldp sourceforge net GNU General Public License version 2 openssh 5 4p1 http www openssh com The BSD Licens...

Page 992: ... projects psmisc GNU General Public License version 2 pure ftpd 1 0 22 http www pureftpd org project pure ftpd The BSD License pychecker 0 8 18 http pychecker sourceforge net The BSD License pyparsing 1 5 1 http sourceforge net projects pyparsing The BSD License pyxapi 0 1 http www pps jussieu fr 7Eylg PyXAPI GNU General Public License version 2 qdbm 1 8 77 http qdbm sourceforge net GNU General Pu...

Page 993: ...e strongswan 4 4 0 http www strongswan org GNU General Public License version 2 stunnel 4 31 http www stunnel org GNU General Public License version 2 sysstat 9 0 5 http sebastien godard pagesperso orange fr GNU General Public License version 2 tar 1 17 http www gnu org software tar GNU General Public License version 2 tcpdump 4 0 0 http www tcpdump org The BSD License u boot trunk 2010 03 3 0 htt...

Page 994: ...om personal Jean_Tourrilh es Linux Tools html GNU General Public License version 2 wpa_supplicant 2 0 http hostap epitest fi wpa_supplicant The BSD License wuftpd 1 0 21 http wu ftpd therockgarden ca WU FTPD Software License XenAPI None http docs vmd citrix com XenServer 4 0 1 api client examples python index html GNU General Public License version 2 xen 4 1 2 http www xen org GNU General Public L...

Page 995: ...purposes of this License Derivative Works shall not include works that remain separable from or merely link or bind by name to the interfaces of the Work and Derivative Works thereof Contribution shall mean any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licensor for inc...

Page 996: ...ur use reproduction and distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License without any additional terms or conditions Notwithstanding the above nothin...

Page 997: ... IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE U...

Page 998: ... Attribution ShareAlike 6 Licensor means the individual individuals entity or entities that offer s the Work under the terms of this License 7 Original Author means in the case of a literary or artistic work the individual individuals entity or entities who created the Work or if no individual or entity can be identified the publisher and in addition i in the case of a performance the actors singe...

Page 999: ...to collect royalties through any statutory or compulsory licensing scheme can be waived the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License and 3 Voluntary License Schemes The Licensor waives the right to collect royalties whether individually or in the event that the Licensor is a member of a collecting society that ad...

Page 1000: ...itute publishing entity journal for attribution Attribution Parties in Licensor s copyright notice terms of service or by other reasonable means the name of such party or parties ii the title of the Work if supplied iii to the extent reasonably practicable the URI if any that Licensor specifies to be associated with the Work unless such URI does not refer to the copyright notice or licensing infor...

Page 1001: ...icense 2 Each time You Distribute or Publicly Perform an Adaptation Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License 3 If any provision of this License is invalid or unenforceable under applicable law it shall not affect the validity or enforceability of the emainder of the terms of this License and wi...

Page 1002: ...mission is hereby granted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following...

Page 1003: ...01 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This Ge...

Page 1004: ...ence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee You may modify your copy or copies of the Library or any portion of it thus forming a work based on the Library and copy and distribute such modific...

Page 1005: ...file that is part of the Library the object code for the work may be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure ...

Page 1006: ... modify sublicense link with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance You are not required to accept this License since you have not signed it However nothing else grants you...

Page 1007: ...ving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF ANY KIND EI...

Page 1008: ... restrict the users of a free program by obtaining a restrictive license from a patent holder Therefore we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the GNU Lesser General Public License ap...

Page 1009: ...rary does and what the program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and di...

Page 1010: ...ith the object code 5 A program that contains no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a derivative work of the Library and therefore falls outside the scope of this License However linking a work that uses the Library with the Library creates an ex...

Page 1011: ...e library facilities that are a work based on the Library side by side in a single library together with other library facilities not covered by this License and distribute such a combined library provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted and provided that you do these two things a Accompany the combined libr...

Page 1012: ...erns Each version is given a distinguishing version number If the Library specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Library does not specify a license version number you may choose any version ever publi...

Page 1013: ...same freedoms that you received You must make sure that they too receive or can get the source code And you must show them these terms so they know their rights Developers that use the GNU GPL protect your rights with two steps 1 assert copyright on the software and 2 offer you this License giving you legal permission to copy distribute and or modify it For the developers and authors protection th...

Page 1014: ...erion 1 Source Code The source code for a work means the preferred form of the work for making modifications to it Object code means any non source form of a work A Standard Interface means an interface that either is an official standard defined by a recognized standards body or in the case o interfaces specified for a particular programming language one that is widely used among developers worki...

Page 1015: ...r this License with respect to the covered work and you disclaim any intention to limit operation or modification of the work as a means of enforcing against the work s users your or third parties legal rights to forbid circumvention of echnological measures 4 Conveying Verbatim Copies You may convey verbatim copies of the Program s source code as you receive it in any medium provided that you con...

Page 1016: ...onding Source may be on a different server operated by you or a third party that supports equivalent copying facilities provided you maintain clear directions next to the object code saying where to find the Corresponding Source Regardless of what server hosts the Corresponding Source you remain obligated to ensure that it is available for as long as needed to satisfy these requirements e Convey t...

Page 1017: ...ing warranty or limiting liability differently from the terms of sections 15 and 16 of this License or b Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it or c Prohibiting misrepresentation of the origin of that material or requiring that modified versions of such material be mar...

Page 1018: ...r in interest had or could give under the previous paragraph plus a right to possession of the Corresponding Source of the work from the predecessor in interest if the predecessor has it or can get it with reasonable efforts You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License For example you may not impose a license fee royalty or other ...

Page 1019: ...ey do not excuse you from the conditions of this License If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not convey it at all For example if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program the only way yo...

Page 1020: ... copy modify and or distribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY S...

Page 1021: ...ch copy of the object code that the Library is used in it and that the Library and its use are covered by this License b Accompany the object code with a copy of the GNU GPL and this license document 4 Combined Works You may convey a Combined Work under terms of your choice that taken together effectively do not restrict modification of the portions of the Library contained in the Combined Work an...

Page 1022: ...t specify a version number of the GNU Lesser General Public License you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply that proxy s public statement of acceptance of any version is permanent ...

Page 1023: ...aring because most developers did not use the libraries We concluded that weaker conditions might promote sharing better However unrestricted linking of non free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves This Library General Public License is intended to permit developers of non free programs to use free libraries while prese...

Page 1024: ...pendent of the application Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Library and can be reasonably consider...

Page 1025: ... above you may also combine or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Librar...

Page 1026: ...y subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties with this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by co...

Page 1027: ...ING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR...

Page 1028: ...se simply using the library and is analogous to running a utility program or application program However in a textual and legal sense the linked executable is a combined work a derivative of the original library and the ordinary General Public License treats it as such Because of this blurred distinction using the ordinary General Public License for libraries did not effectively promote software s...

Page 1029: ...ains meaningful For example a function in a library to compute square roots has a purpose that is entirely well defined independent of the application Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply to the mo...

Page 1030: ...ns above you may also compile or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Libr...

Page 1031: ...rein You are not responsible for enforcing compliance by third parties to this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of this Licens...

Page 1032: ...S INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES B 3 12 ...

Page 1033: ...of the original library The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public License It...

Page 1034: ... Library and copy and distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a The modified work must itself be a software library b You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change c You must cause the whole of the work to be licensed at no charge to all ...

Page 1035: ...gh the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline functions ten lines or less in length then the use of t...

Page 1036: ...rwise to copy modify sublicense link with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 9 You are not required to accept this License since you have not signed it However nothing ...

Page 1037: ...ftware and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED...

Page 1038: ...sults from an addition to deletion from or modification of the contents of Covered Software or 2 any new file in Source Code Form that contains any Covered Software 1 11 Patent Claims of a Contributor means any patent claim s including without limitation method process and apparatus claims in any patent Licensable by such Contributor that would be infringed but for the grant of the License by the ...

Page 1039: ...nation of its Contributions with other software except as part of its Contributor Version or 3 under Patent Claims infringed by Covered Software in the absence of its Contributions This License does not grant any rights in the trademarks service marks or logos of any Contributor except as may be necessary to comply with the notice requirements in Section 3 4 2 4 Subsequent Licenses No Contributor ...

Page 1040: ... disclaimers of warranty or limitations of liability contained within the Source Code Form of the Covered Software except that You may alter any license notices to the extent required to remedy known factual inaccuracies 3 5 Application of Additional Terms You may choose to offer and to charge a fee for warranty support indemnity or liability obligations to one or more recipients of Covered Softwa...

Page 1041: ... liable to You for any direct indirect special incidental or consequential damages of any character including without limitation damages for lost profits loss of goodwill work stoppage computer failure or malfunction or any and all other commercial damages or losses even if such party shall have been informed of the possibility of such damages This limitation of liability shall not apply to liabil...

Page 1042: ... list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a version number You may use this Software under terms of this license revision or under the terms of any su...

Page 1043: ...TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes oftware written by Tim Hudson tjh cryptsoft com B 3 17 WU FTPD Software License WU FTPD SOFTWARE LICENSE Use modification or redistribution including dis...

Page 1044: ...ation of Liability THIS SOFTWARE IS PROVIDED BY THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT NDIRE...

Page 1045: ...y Available Software B 61 3 This notice may not be removed or altered from any source distribution Jean loup Gailly Mark Adler jloup gzip org madler alumni caltech edu jloup gzip org madler alumni caltech edu ...

Page 1046: ...B 62 WiNG 5 6 Access Point System Reference Guide ...

Page 1047: ......

Page 1048: ...TOROLA MOTO MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings LLC and are used under license All other trademarks are the property of their respective owners 2014 Motorola Solutions Inc All Rights Reserved MN000335A01 Revision A March 2014 ...