manualshive.com logo in svg

Motorola WiNG 5.7.1, System Reference Manual

The Motorola WiNG 5.7.1 System Reference Manual is a comprehensive guide providing detailed instructions on operating and configuring the Motorola WiNG 5.7.1 system. Discover all the necessary information in this manual, available for free download at 88.208.23.73:8080, ensuring a seamless user experience for your Motorola WiNG 5.7.1 product.

Share
Download
background image

6 - 20 WiNG 5.7.1 Access Point System Reference Guide 

Frequent rotating of these keys is recommended so that a potential hacker would not have enough data using a single key 
to attack the deployed encryption scheme.

9. Define the

 Fast Roaming

 configuration used only with 802.1x EAP-WPA/WPA2 authentication.

802.11i can speed up the roaming process from one access point to another. Instead of doing a complete 802.1x 
authentication each time a client roams between access points, 802.11i allows a client to re-use previous PMK 
authentication credentials and perform a four-way handshake. This speeds up the roaming process. In addition to reusing 
PMKs on previously visited access points, Opportunistic Key Caching allows multiple access points to share PMKs amongst 
themselves. This allows a client to roam to an access point it has not previously visited and reuse a PMK to skip 802.1x 
authentication.

10. Set the following 

Advanced 

for the WPA2-CCMP encryption scheme:

Unicast Rotation Interval

Define a unicast key transmission interval from 30 - 86,400 seconds. Some clients have 
issues using unicast key rotation, so ensure you know which clients are impacted before 
using unicast keys. This value is disabled by default.

Broadcast Rotation 
Interval

When enabled, the key indices used for encrypting/decrypting broadcast traffic will be 
alternatively rotated based on the defined interval. Define a broadcast key transmission 
interval from 30 - 86,400 seconds. Key rotation enhances the broadcast traffic security on 
the WLAN. This value is disabled by default.

NOTE: 

Fast Roaming is available only when the authentication is 

EAP

 or 

EAP-PSK

 and 

the selected encryption is either 

TKIP

-CCMP or 

WPA2-CCMP.

Pre-Authentication

Selecting this option enables an associated client to carry out an 802.1x authentication 
with another access point before it roams to it. This enables a roaming client to send and 
receive data sooner by not having to conduct an 802.1x authentication after roaming. 
With pre-authentication, a client can perform an 802.1X authentication with other 
detected access points while still connected to its current access points. When a device 
roams to a neighboring access points, the device is already authenticated, thus providing 
faster re-association.

Pairwise Master Key 
(PMK) Caching

Pairwise Master Key

 (PMK) Caching is a technique for sidestepping the need to 

re-establish security each time a client roams to a different switch. Using PMK caching, 
clients and switches cache the results of 802.1X authentications. Therefore, access is 
much faster when a client roams back to a switch to which the client is already 
authenticated.

Opportunistic Key 
Caching

This option enables the access point to use a PMK derived with a client on one access 
point, with the same client when it roams over to another access point. Upon roaming, 
the client does not have to do 802.1x authentication and can start sending and receiving 
data sooner.

TKIP Countermeasure 
Hold Time

The 

TKIP Countermeasure Hold Time

 is the time a WLAN is disabled, if TKIP 

countermeasures have been invoked on the WLAN. Use the drop-down menu to define a 
value in either 

Hours

 (0-18), 

Minutes

 (0-1,092) or 

Seconds

 (0-65,535). The default setting 

is 1 minute.

Summary of Contents for WiNG 5.7.1

Page 1: ...WiNG 5 7 1 ACCESS POINT SYSTEM REFERENCE GUIDE ...

Page 2: ......

Page 3: ...WING 5 7 1 ACCESS POINT SYSTEM REFERENCE GUIDE MN001977A01 Revision A April 2015 ...

Page 4: ...ii WiNG 5 7 1 Access Point System Reference Guide ...

Page 5: ...ns 2 5 2 2 3 Table Icons 2 5 2 2 4 Status Icons 2 6 2 2 5 Configurable Objects 2 6 2 2 6 Configuration Objects 2 9 2 2 7 Configuration Operation Icons 2 9 2 2 8 Access Type Icons 2 10 2 2 9 Administrative Role Icons 2 10 2 2 10 Device Icons 2 11 Chapter 3 Quick Start 3 1 Using the Initial Setup Wizard 3 2 3 1 1 Typical Setup Wizard 3 5 3 1 1 1 Virtual Controller AP Mode 3 8 3 1 1 2 Standalone Mode...

Page 6: ...Chapter 5 Device Configuration 5 1 RF Domain Configuration 5 2 5 1 1 RF Domain Sensor Configuration 5 3 5 1 2 RF Client Name Configuration 5 4 5 1 3 RF Domain Alias Configuration 5 5 5 1 3 1 Network Basic Alias 5 7 5 1 3 2 Network Group Alias 5 10 5 1 3 3 Network Service Alias 5 12 5 2 System Profile Configuration 5 14 5 2 1 General Profile Configuration 5 15 5 2 2 Profile Radio Power 5 16 5 2 3 P...

Page 7: ...Deployment Considerations 5 158 5 2 8 Virtual Router Redundancy Protocol VRRP Configuration 5 159 5 2 9 Profile Critical Resources 5 162 5 2 10 Profile Services Configuration 5 166 5 2 10 1 Profile Services Configuration and Deployment Considerations 5 167 5 2 11 Profile Management Configuration 5 168 5 2 11 1 Upgrading AP6532 Firmware from 5 1 5 171 5 2 11 2 Profile Management Configuration and D...

Page 8: ...uthentication 6 11 6 1 2 3 PSK None 6 12 6 1 2 4 Captive Portal 6 12 6 1 2 5 Passpoint Policy 6 13 6 1 2 6 MAC Registration 6 13 6 1 2 7 External Controller 6 14 6 1 2 8 TKIP CCMP 6 14 6 2 TKIP CCMP Deployment Considerations 6 18 6 2 0 1 WPA2 CCMP 6 18 6 2 0 2 WEP 64 6 21 6 2 0 3 WEP 128 6 23 6 2 0 4 Keyguard 6 25 6 2 1 Configuring WLAN Firewall Settings 6 26 6 2 2 Configuring WLAN Client Settings...

Page 9: ...1 Setting an IPv4 or IPv6 Firewall Policy 8 16 8 2 2 Setting an IP SNMP ACL Policy 8 20 8 3 Device Fingerprinting 8 23 8 4 Configuring MAC Firewall Rules 8 30 8 5 Wireless IPS WIPS 8 33 8 6 Device Categorization 8 42 8 7 Security Deployment Considerations 8 44 Chapter 9 Services Configuration 9 1 Configuring Captive Portal Policies 9 2 9 1 1 Configuring a Captive Portal Policy 9 2 9 2 Setting the ...

Page 10: ...t 11 2 11 2 Crash Files 11 6 11 3 Advanced 11 7 11 3 1 UI Debugging 11 7 11 3 2 View UI Logs 11 8 11 3 3 View Sessions 11 9 Chapter 12 Operations 12 1 Devices 12 2 12 1 1 Managing Firmware and Configuration Files 12 2 12 1 1 1 Managing Running Configuration 12 3 12 1 1 2 Managing Startup Configuration 12 6 12 1 2 Rebooting the Device 12 8 12 1 3 Managing Crypto CMP Certificates 12 10 12 1 4 Upgrad...

Page 11: ...7 13 1 5 Offline Devices 13 8 13 1 6 Device Upgrade 13 9 13 1 7 Licenses 13 10 13 1 8 WIPS Summary 13 14 13 2 RF Domain Statistics 13 16 13 2 1 Health 13 16 13 2 2 Inventory 13 19 13 2 3 Devices 13 21 13 2 4 AP Detection 13 22 13 2 5 Wireless Clients 13 23 13 2 6 Device Upgrade 13 25 13 2 7 Wireless LANs 13 26 13 2 8 Radios 13 28 13 2 8 1 Status 13 28 13 2 8 2 RF Statistics 13 29 13 2 8 3 Traffic ...

Page 12: ... 3 14 PPPoE 13 95 13 3 15 OSPF 13 97 13 3 15 1 OSPF Summary 13 98 13 3 15 2 OSPF Neighbors 13 100 13 3 15 3 OSPF Area Details 13 101 13 3 15 4 OSPF Route Statistics 13 103 13 3 15 5 OSPF Interface 13 106 13 3 15 6 OSPF State 13 107 13 3 16 L2TPv3 Tunnels 13 109 13 3 17 VRRP 13 111 13 3 18 Critical Resources 13 113 13 3 19 LDAP Agent Status 13 115 13 3 20 Guest Users 13 117 13 3 21 GRE Tunnels 13 1...

Page 13: ...SA 13 155 13 3 26 2 IPSec 13 156 13 3 27 Certificates 13 158 13 3 27 1 Trustpoints 13 158 13 3 27 2 RSA Keys 13 160 13 3 28 WIPS 13 162 13 3 28 1 WIPS Client Blacklist 13 162 13 3 28 2 WIPS Events 13 163 13 3 29 Sensor Servers 13 165 13 3 30 Bonjour Services 13 166 13 3 31 Captive Portal 13 168 13 3 32 Network Time 13 170 13 3 32 1 NTP Status 13 170 13 3 32 2 NTP Association 13 171 13 3 33 Load Ba...

Page 14: ...U General Public License version 2 B 18 B 3 6 GNU Lesser General Public License 2 1 B 22 B 3 7 GNU General Public License version 3 B 27 B 3 8 ISC License B 35 B 3 9 GNU Lesser General Public License version 3 0 B 35 B 3 10 GNU General Public License 2 0 B 37 B 3 11 GNU Lesser General Public License version 2 0 B 42 B 3 12 GNU Lesser General Public License version 2 1 B 47 B 3 13 MIT License B 52 ...

Page 15: ...this guide AP6511 AP6521 AP6522 AP6522M AP6532 and AP6562 are collectively represented as AP65XX AP7131 AP7161 and AP7181 are collectively represented as AP71XX AP7502 AP7522 AP7532 and AP7562 are collectively represented as AP75XX AP8122 AP8132 and AP8163 are collectively represented as AP81XX AP8222 and AP8232 are collectively represented as AP82XX NOTE ES6510 is an Ethernet Switch managed by a ...

Page 16: ... documents Bullets indicate lists of alternatives lists of required steps that are not necessarily sequential action items Sequential lists those describing step by step procedures appear as numbered lists NOTE Indicates tips or special requirements CAUTION Indicates conditions that can cause equipment damage or data loss WARNING Indicates a condition or procedure that could result in personal inj...

Page 17: ...ance by the end user then that agreement supersedes this End User License Agreement as to the end use of that particular Product 2 GRANT OF LICENSE 2 1 Subject to the provisions of this End User License Agreement Symbol Technologies grants to End User Customer a personal limited non transferable except as provided in Section 4 and non exclusive license under Symbol Technologies copyrights and conf...

Page 18: ...r each site at which End User Customer uses such Software End User Customer may make one additional copy for each computer owned or controlled by End User Customer at each such site End User Customer may temporarily use the Software on portable or laptop computers at other sites End User Customer must provide a written list of all sites where End User Customer uses or intends to use the Software 4...

Page 19: ...ch the Software and Documentation have been provided by Symbol Technologies unless End User Customer breaches this End User License Agreement in which case this End User License Agreement and End User Customer s right to use the Software and Documentation may be terminated immediately by Symbol Technologies In addition if Symbol Technologies reasonably believes that End User Customer intends to br...

Page 20: ...stomer 11 6 Causes of Action End User Customer must bring any action under this End User License Agreement within one year after the cause of action arises except that warranty claims must be brought within the applicable warranty period 11 7 Entire Agreement and Amendment This End User License Agreement contains the parties entire agreement regarding End User Customer s use of the Software and ma...

Page 21: ... best aspects of independent and dependent architectures to create a smart network that meets the connectivity quality and security needs of each user and their applications based on the availability of network resources including wired networks By distributing intelligence and control amongst access points a WiNG network can route directly via the best path as determined by factors including the ...

Page 22: ...hitectures are centralized models A wireless network administrator can retain and optimize legacy infrastructure while evolving to WiNG software as needed By distributing intelligence and control amongst access points a WiNG network can route data directly using the best path As a result the additional load placed on the wired network is significantly reduced as traffic does not require an unneces...

Page 23: ...alancing WAN traffic shaping and optimizations in dynamic host configuration protocol DHCP responses and Internet group management protocol IGMP snooping for multicast traffic flows in wired and wireless networks Thus users benefit from an extremely reliable network that adapts to meet their needs and delivers mixed media applications Firmware and configuration updates are supported from one acces...

Page 24: ...1 4 WiNG 5 7 1 Access Point System Reference Guide ...

Page 25: ...ess point can manage up to 24 other access points of the same model and share data amongst managed access points In Standalone mode an access point functions as an autonomous non adopted access point servicing wireless clients If adopted to controller an access point is reliant on its connected controller for its configuration and management For information on how to access and use the access poin...

Page 26: ... computer with a working Web browser 2 Set the computer to use an IP address between 192 168 0 10 and 192 168 0 250 on the connected port Set a subnet network mask of 255 255 255 0 3 To derive the access point s IP address using its MAC address 4 Open the Windows calculator be selecting Start All Programs Accessories Calculator This menu path may vary slightly depending on your version of Windows ...

Page 27: ...ect the Login button to load the management interface If this is the first time the management interface has been accessed the first screen to display will prompt for a change of the default access point password Then a dialogue displays to start the initial setup wizard For more information on using the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 28: ... Icons Used This section lists global icons available throughout the interface Logout Select this icon to log out of the system This icon is always available and is located at the top right hand corner of the UI Add Select this icon to add a row in a table When this icon is selected a new row is created in the table or a dialog box opens where you can enter values for that particular list Delete S...

Page 29: ...dit a policy select the policy and this icon Entry Updated Indicates a value has been modified from its last saved configuration Entry Update States that an override has been applied to a device s profile configuration Mandatory Field Indicates the control s value is a mandatory configuration item You will not be allowed to proceed further without providing all mandatory values in the dialog or th...

Page 30: ...rom completing Intervention might still be required to resolve subsequent warnings Success Indicates everything is well within the network or a process has completed successfully without error Information This icon always precedes information displayed to the user This may either be a message displaying progress for a particular process or may just be a message from the system Device Configuration...

Page 31: ...as been impacted A bridging policy defines which VLANs are bridged and how local VLANs are bridged between the wired and wireless sides of the network RF Domain States an RF Domain configuration has been impacted RF Domain implement location based security restrictions applicable to all VLANs in a particular physical location Firewall Policy Indicates a Firewall policy has been impacted Firewalls ...

Page 32: ...States a RADIUS user pool is being applied RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user RADIUS Server Policy Indicates a RADIUS server policy is being applied RADIUS server policy is a set of configuration attributes used when a RADIUS server is configured for AAA Smart Caching Policy Smart Caching enables NX4500 and NX6500 series service platfor...

Page 33: ...ds the status of all the processes and memory when a process fails Panic Snapshots Indicates a panic snapshot has been generated A panic snapshot is a file that records the status of all the processes and memory when a failure occurs UI Debugging Select this icon link to view current NETCONF messages View UI Logs Select this icon link to view the different logs generated by the user interface FLEX...

Page 34: ...s permission A user with this permission is permitted to access the access point using the device s serial console Superuser Indicates superuser privileges A superuser has complete access to all configuration aspects of the access point to which they are connected System Indicates system user privileges A system user is allowed to configure some general settings like boot parameters licenses auto ...

Page 35: ...e interacting at any one time Cluster This icon indicates a cluster A cluster is a set of access points that work collectively to provide redundancy and load sharing amongst its members Service Platform This icon indicates an NX45xx NX65xx or NX9000 series service platform that s part of the managed network RF Domain This icon indicates a RF Domain RF Domains allow administrators to assign configu...

Page 36: ...2 12 WiNG 5 7 1 Access Point System Reference Guide ...

Page 37: ...amline the process of initially accessing the wireless network The wizard defines the access point s operational mode deployment location basic security network and WLAN settings For instructions on how to use the initial setup wizard see Using the Initial Setup Wizard on page 3 2 ...

Page 38: ...the default username admin in the Username field 3 Enter the default password admin123 in the Password field 4 Select the Login button to load the management interface 5 If this is the first time the access point s management interface has been accessed the Initial Setup Wizard automatically displays NOTE When logging in for the first time you are prompted to change the password to enhance device ...

Page 39: ...configuration parameters A few more configuration screens are available for customization when the Advanced Setup wizard is used The first page of the Initial Setup Wizard displays the Navigation Panel and Function Highlights for the configuration activities comprising the access point s initial setup This page also displays options to select the typical or advanced mode for the wizard NOTE The In...

Page 40: ...d configuration parameters set correctly A red X defines the task as still requiring at least one parameter be defined correctly Figure 3 3 displays the navigation panel for the Typical Setup Wizard Figure 3 4 Initial Setup Wizard Navigation Panel Advanced Setup Wizard Figure 3 4 displays the navigation panel for the Advanced Setup Wizard NOTE Note the difference in the number of steps between the...

Page 41: ...nd creates a working network with the fewest steps The Typical Setup wizard consists of the following Network Topology Selection LAN Configuration WAN Configuration Wireless LAN Setup Summary And Commit Screen To configure the access point using the Typical Setup Wizard 1 Select Typical Setup from the Choose One type to Setup the Access Point field 2 Select Next The Initial Setup Wizard displays t...

Page 42: ...AP For more information see Virtual Controller AP Mode on page 3 8 Standalone AP Select this option to deploy this access point as an autonomous access point A standalone AP is not managed by a Virtual Controller AP or adopted by a RFS series wireless controller For more information see Standalone Mode on page 3 9 NOTE If designating the access point as a Standalone AP it is recommended that the a...

Page 43: ...ing the access point in the Adopted to Controller mode see Adopt to a controller on page 3 35 4 Select the Country Code where the access point is deployed Selecting a proper country of operation is a very critical task while configuring the access point as it defines the correct channels of operations and ensures compliance to the regulations for the selected country This field is only available f...

Page 44: ...4 access points can be connected to and managed by a single Virtual Controller AP of the same access point model These connected access points must be of the same model as the Virtual Controller AP To designate an access point as a Virtual Controller AP 1 From the Access Point Settings screen select Virtual Controller AP 2 Select Next The remainder of a Virtual Controller AP configuration is the s...

Page 45: ...reen select Standalone AP 2 Select Next The remainder of a Standalone AP configuration is the same as a Virtual Controller access point CAUTION If designating the access point as a Standalone AP it is recommended that the access point s UI be used exclusively to define its device configuration and not the CLI The CLI provides the ability to define more than one profile and the UI does not Conseque...

Page 46: ...ccess point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Typical Setup...

Page 47: ... DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Use on board DHCP server to assign IP addresses to wireless clients Select the check box to enable the access point s DHCP server to provide IP and DNS information to clients on the LAN interface Range Enter a starting and ending IP Address range for client assignments on the a...

Page 48: ...main Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s Wireless LAN interface configuration For more information see Wireless LAN Setup on page 3 ...

Page 49: ...ured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define Default Gateway information as the field will become enabled on the bottom portion of the screen The provided IP address is a...

Page 50: ...rface Select this option to enable Network Address Translation on the selected GE interface 2 Select Next The Typical Setup Wizard displays the Wireless LAN Setup screen to set the access point s wireless LAN configuration For more information see Wireless LAN Setup on page 3 15 ...

Page 51: ...e system WLANs can therefore be configured around the needs of specific user groups even when they are not in physical proximity Up to two 2 WLANs can be configured for the access point using the wizard Figure 3 9 Initial Setup Wizard Wireless LAN Setup screen for Typical Setup Wizard 1 Set the following WLAN1 configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure the en...

Page 52: ...splayed where additional updates can be made For more information on configuring the onboard RADIUS server see RADIUS Server Configuration on page 3 17 PSK authentication WPA2 encryption Configures a network that uses PSK authentication and WPA2 encryption Select this option to implement a pre shared key that must be correctly shared between the access point and requesting clients using this WLAN ...

Page 53: ... to configure the users for the onboard RADIUS server Use the screen to add modify and remove RADIUS users Figure 3 10 Initial Setup Wizard RADIUS Server Configuration screen for Typical Setup Wizard Use the Add User button to add a new RADIUS user A dialog displays where details about the user is entered ...

Page 54: ...ue with creating another user select Create To create the user and close this dialog click Create Close To close the dialog and abandon the operation select Cancel Use the Modify User button to modify the details for an existing user in the RADIUS user database Select the user to modify details for and then click Modify User The username for the user cannot be modified using this dialog Use the De...

Page 55: ...Commit screen is an additional means of validating the configuration before it is deployed Figure 3 12 Initial Setup Wizard Summary And Commit Screen of the Typical Setup Wizard If the configuration displays as intended select the Save Commit button to implement these settings to the access point s configuration If additional changes are warranted based on the summary either select the target page...

Page 56: ...ill also need to define whether the access point receives an IP address using DHCP or if IP resources are provided statically Up to two 2 controllers can be defined The access point will try to adopt to the controller defined in the Controller 1 field first Should the controller not be found then the access point tries to adopt to the controller defined in Controller 2 field When preferring layer ...

Page 57: ...wing Network Topology Selection LAN Configuration WAN Configuration Radio Configuration Wireless LAN Setup System Information Summary And Commit Screen To configure the access point using the Advanced Setup Wizard 1 Select Advanced Setup from the Choose One type to Setup the Access Point field 2 Select Next The Advanced Setup Wizard displays the Access Point Settings screen to define the access po...

Page 58: ... For more information see Virtual Controller AP Mode on page 3 8 Standalone AP Select this option to deploy this access point as an autonomous fat access point A standalone AP is not managed by a Virtual Controller AP or adopted by a RFS series wireless controller For more information see Standalone Mode on page 3 9 NOTE If designating the access point as a Standalone AP it is recommended that the...

Page 59: ... Any manual configuration changes are overwritten by the controller upon reboot For more information on configuring the access point in the Adopted to Controller mode see Adopt to a controller on page 3 35 4 Select the Next button to start configuring the access point in the selected mode If the Access Point Type is Virtual Controller AP or Standard AP see Network Topology Selection on page 3 24 I...

Page 60: ... single access point Bridge Mode In Bridge Mode the access point depends on an external router for routing LAN and WAN traffic Routing is generally used on one device whereas bridging is typically used in a larger density network Select Bridge Mode when deploying this access point with numerous peer access points supporting clients on both the 2 4 GHz and 5 0 GHz radio bands 1 Select Next The Adva...

Page 61: ...field is not available When selecting this option define the following DHCP Server and Domain Name Server DNS resources as those fields will become enabled on the bottom portion of the screen Default Gateway Define a default gateway address for use with the static IP address configuration This is a re quired parameter Use on board DHCP server to assign IP addresses to wireless clients Select the c...

Page 62: ... name into its corresponding IP address cannot locate the matching IP address Primary DNS Enter an IP Address for the main Domain Name Server providing DNS services for the access point s LAN interface Secondary DNS Enter an IP Address for the backup Domain Name Server providing DNS services for the access point s LAN interface 2 Select Next The Advanced Setup Wizard displays the Radio Configurati...

Page 63: ... DHCP servers An automatic IP address is configured to the access point s WAN port using DHCP servers located on the WAN side of the network Static IP Address Subnet Enter an IP Address and a subnet for the access point s WAN interface If Use DHCP is selected this field is not available When selecting this option define the following Default Gateway information as the field will become enabled on ...

Page 64: ...at is connected to the WAN Enable NAT on the WAN Interface Select this option to enable Network Address Translation on the selected GE interface 2 Select Next The Advanced Setup Wizard displays the Radio Configuration screen to set the access point s radios For more information see Radio Configuration on page 3 29 ...

Page 65: ...z radio band Radio Frequency Band Select the 2 4 GHz or 5 0 GHz radio band to use with the radio when selected as a Data Radio The selected band is used for WLAN client support Consider selecting one radio for 2 4 GHz and another for 5 0 GHz support if using a dual or three radio model when supporting clients in the 802 11bg 802 11n and 802 11ac bands NOTE The Radio Configuration screen displays s...

Page 66: ...interference Select Static to assign the access point a permanent channel and scan for noise and interference only when initialized Configure as a Sensor Radio Select this option to dedicate the radio to sensor support exclusively When functioning as a sensor the radio scans in sensor mode across all channels within the 2 4 and 5 0 GHz bands to identify potential threats If dedicating a radio as a...

Page 67: ...er groups even when they are not in physical proximity Use the Wireless LAN Setup screen to configure the WLAN parameters Up to two 2 WLANs can be configured for the access point Figure 3 19 Initial Setup Wizard WAN Configuration screen for Advanced Setup Wizard 1 Set the following WLAN1 Configuration parameters SSID Configure the SSID for the WLAN WLAN Type Configure the encryption and authentica...

Page 68: ...se the drop down to specify the type of key provided Select ASCII or HEX to specify the key type provided in the WPA Key field EAP Authentication and WPA2 Encryption Configures a network that uses EAP authentication and WPA2 encryption Select this option to authenticate clients within this WLAN through the exchange and verification of certificates External RADIUS Server When selected provide the I...

Page 69: ...prompts for the correct country code on the first login A warning message also displays stating an incorrect country setting may result in illegal radio operation Selecting the correct country is central to legal operation Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted This is a required parameter Tim...

Page 70: ...iguration before it is deployed However if a screen displays settings not intended as part of the initial configuration the screen can be selected from within the Navigation Panel and its settings modified accordingly Figure 3 21 Initial Setup Wizard Summary and Commit screen for the Advanced Setup Wizard If the configuration displays as intended select Save Commit to implement these settings to t...

Page 71: ...oller defined in Controller 2 field When preferring layer 3 adoption configure how an IP is assigned to this access point Select Use DHCP to use DHCP to assign an IP address to this access point If this access point requires a static IP select Static IP Address Subnet and provide the appropriate IP address and net mask For your convenience the netmask is automatically set to 24 Also assign the Def...

Page 72: ...3 36 WiNG 5 7 1 Access Point System Reference Guide ...

Page 73: ...int managed network Use the dashboard to review the current network topology assess the network s component health and diagnose problematic device behavior By default the Dashboard screen displays the System Dashboard which is the top level in the device hierarchy The dashboard provides the following tools and diagnostics Dashboard Network View ...

Page 74: ... 1 Select Dashboard Expand the System menu item on the upper left hand side of the UI and select either an access point or connected client The Dashboard screen displays the Health tab by default Figure 4 1 Dashboard Health tab 4 1 1 Dashboard Conventions The Dashboard screen displays device information using the following conventions Health Displays the state of the access point managed network I...

Page 75: ...zation data for the access point managed network Figure 4 2 Dashboard Health tab For more information see Device Details Radio RF Quality Index Radio Utilization Index Client RF Quality Index 4 1 1 1 1 Device Details Health The Device Details field displays model and version information ...

Page 76: ...ercentage of the overall effectiveness of the RF environment It is a function of the data rate in both directions the retry rate and the error rate Figure 4 4 Dashboard Health tab Radio RF Quality Index field RF Quality displays as the average quality index for the single RF Domain utilized by the access point The table lists the bottom five 5 RF quality values for the RF Domain The quality is mea...

Page 77: ...t Refer to the number or errors and dropped packets to assess radio performance relative to the number of packets both transmitted and received Periodically select Refresh at the bottom of the screen to update the radio utilization information displayed Figure 4 5 Dashboard Health tab Radio Utilization Index field 4 1 1 1 4 Client RF Quality Index Dashboard Conventions The Client RF Quality Index ...

Page 78: ...ectiveness of the RF environment as a percentage It is a function of the connect rate in both directions as well as the retry rate and the error rate The quality is measured as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Client MAC Displays the factory encoded MAC address assigned to each connected radio listed Use this information to assist in the identific...

Page 79: ... The Inventory screen affords a system administrator an overview of the number and state of managed devices The screen contains links to display more granular data specific to a radio Figure 4 7 Dashboard Inventory tab The Inventory tab is partitioned into the following fields Radio Types WLAN Utilization Wireless Clients Clients by Radio Type ...

Page 80: ...ventory The WLAN Utilization field displays the top 5 WLANs utilized by this access point in respect to client support The utilization index measures how efficiently the RF medium is utilized It is defined as a percentage of the current throughput relative to the maximum throughput possible The quality is measured as 0 20 Very low utilization 20 40 Low utilization 40 60 Moderate utilization 60 and...

Page 81: ...nventory tab Clients by Radio Type field For 5 0 GHz clients are displayed supporting the 802 11a and 802 11an radio bands For 2 4 GHz clients are displayed supporting the 802 11b 802 11bg and 802 11bgn radio bands Use this information to determine if all the access point s client radio bands are optimally supported for the access point s radio coverage area NOTE AP6522 AP6522 AP6532 AP6562 AP8132...

Page 82: ...device performance and utilization as well as the RF band channel and vendor For more information see Network View Display Options on page 4 11 To review a device s Network Topology select Dashboard Network View Figure 4 12 Network View Topology The left hand side of the Network View screen contains an expandable System Browser where access points can be selected and expanded to display connected ...

Page 83: ...vailable None Select this option to keep the Network View display as it currently appears without any additional color or device interaction adjustments Utilization Select this option to filter based on the percentage of current throughput relative to maximum throughput Utilization results include Red Bad Utilization Orange Poor Utilization Yellow Fair Utilization and Green Good Utilization Qualit...

Page 84: ...riables in blue within the Network View display 3 Select the Update button to update the display with the changes made to the filter options Select Close to close the options field and remove it from the Network View 4 2 2 Device Specific Information Network View A device specific information screen is available for individual devices selected from within the Network View not the System Browser Th...

Page 85: ...re as their general client support roles are quite similar However access point configurations may need periodic refinement and overrides from their original RF Domain administered design For more information see RF Domain Overrides on page 5 213 Profiles enable administrators to assign a common set of configuration parameters and policies to access points of the same model Profiles can be used to...

Page 86: ...nement from its original RF Domain designation Unlike a RFS series wireless controller an access point supports just a single RF domain Thus administrators should be aware that overriding an access point s RF Domain configuration results in a separate configuration that must be managed in addition to the RF Domain configuration Thus a configuration should only be overridden when needed For more in...

Page 87: ...lding or as generic as an entire site The location defines the physical area where a common set of access point configurations are deployed and managed by the RF Domain policy Contact Provide the name of the contact E mail or administrator assigned to respond to events created by or impacting the RF Domain Time Zone Set the geographic time zone for the RF Domain The RF Domain can contain unique co...

Page 88: ...t an existing Sensor Server Configuration and select the Delete icon to remove it 6 Use the spinner control to assign a numerical Server ID to each WIPS server defined The server with the lowest defined ID is the first reached by the access point The default ID is 1 7 Provide the numerical non DNS IP Address of each server used as a WIPS sensor server by the RF Domain 8 Use the spinner control to ...

Page 89: ...remote sites is a complex and time consuming operation Also this practice does not scale gracefully for quick growing deployments An alias enables an administrator to define a configuration item such as a hostname as an alias once and use the defined alias across different configuration items such as multiple ACLs Once a configuration item such as an ACL is utilized across remote locations the ali...

Page 90: ...n alias configuration changes made at a remote location override any updates at the management center For example if an Network Alias defines a network range as 192 168 10 0 24 for the entire network and at a remote deployment location the local network range is 172 16 10 0 24 the network alias can be overridden at the deployment location to suit the local requirement For the remote deployment loc...

Page 91: ...IP address A network alias configuration is utilized for an IP address on a particular network An address range alias is a configuration for a range of IP addresses A basic alias configuration can contain multiple instances for each of the five 5 alias types To edit or delete a basic alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3 Select RF Domain 4 Se...

Page 92: ...alias can be used to replace an IP address range in IP firewall rules 7 Select Add Row to define Host Alias settings Use the Host Alias field to create aliases for hosts that can be utilized at different deployments For example if a central network DNS server is set a static IP address and a remote location s local DNS server is defined this host can be overridden at the remote location At the rem...

Page 93: ...eld to create aliases for strings that can be utilized at different deployments For example if the main domain at a remote location is called loc1 domain com and at another deployment location it is called loc2 domain com the alias can be overridden at the remote location to suit the local but remote requirement At one remote location the alias functions with the loc1 domain com domain and at the ...

Page 94: ...sses range entries can be configured inside a network group alias A maximum of 32 network group alias entries can be created A network group alias is used in IP firewall rules to substitute hosts subnets and IP address ranges To edit or delete a network alias configuration 1 Select Configuration tab from the Web user interface 2 Select Devices 3 Select RF Domain 4 Select the Network Group Alias ta...

Page 95: ...o specify the Start IP address and End IP address for the alias range or double click on an existing an alias range entry to edit it NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addres...

Page 96: ...ries can be configured per network service alias Use a service alias to associate more than one IP address to a network interface providing multiple connections to a network from a single IP node Network Service Alias can be used in the following location to substitute protocols and ports IP Firewall Rules To edit or delete a service alias configuration 1 Select Configuration tab from the Web user...

Page 97: ...the drop down menu to select the protocol eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter Range button...

Page 98: ...points but not those who have had their configuration overridden from their previous profile designation These devices require careful administration as they no longer can be tracked and as profile members Their customized configurations overwrite their profile assignments until the profile can be re applied to the access point Each access point model is automatically assigned a default profile Th...

Page 99: ...3 Select System Profile from the options on left hand side of the UI General configuration options display by default with the profile activated for use with this access point model Figure 5 9 General Profile screen 4 Select Add Row below the Network Time Protocol NTP table to define the configurations of NTP server resources used to obtain system time Up to 3 NTP servers can be configured Set the...

Page 100: ...OE device and the budget available to the access point The CPLD also determines the access point hardware SKU model and the number of radios If the access point s POE resource cannot provide sufficient power to run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negative...

Page 101: ...e Use the drop down menu for each power mode to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is preferred over performa...

Page 102: ...At adoption an access point solicits and receives multiple adoption responses from Virtual Controller APs available on the network These adoption responses contain loading policy information the access point uses to select the optimum Virtual Controller AP for adoption To define the access point profile s adoption configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Sele...

Page 103: ...o consecutive hello keep alive messages exchanged between the access point and the adopting wireless controller These messages serve as a connection validation mechanism to ensure the availability of the adopting wireless controller Use the spinner to set a value from 1 120 seconds 9 Define the Adjacency Hold Time value This value sets the time after which the preferred controller group is conside...

Page 104: ...le from the options on left hand side of the UI 4 Select Wired 802 1x Host Use the drop down menu to specify whether the controller adoption resource is defined as a non DNS IP address or a hostname Once defined provide the numerical IP or hostname A hostname cannot exceed 64 characters and cannot contain an underscore Pool Use the spinner controller to set a pool of either 1 or 2 This is the pool...

Page 105: ...ilable for review prior to defining a configuration that could significantly impact the performance of the network For more information see WAN Backhaul Deployment Considerations on page 5 62 Dot1x Authentication Control Select this option to globally enable 802 1x authentication for the selected device This setting is disabled by default Dot1x AAA Policy Use the drop down menu to select an AAA po...

Page 106: ...LAN AP6562 GE1 POE LAN AP7131 GE1 POE LAN GE2 WAN AP7161 GE1 POE LAN GE2 WAN AP7181 GE1 POE LAN GE2 WAN AP7502 GE1 fe1 fe2 fe3 AP7522 GE1 POE LAN AP7532 GE1 POE LAN AP7562 GE1 POE LAN GE2 WAN AP8122 AP8132 AP8222 AP8232 AP8163 GE1 POE LAN GE2 WAN To define a profile s Ethernet port configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the option...

Page 107: ...t to Trunk the port allows packets from a list of VLANs added to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Native VLAN Lists the numerical VLAN ID 1 4094 set for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Additional...

Page 108: ...ed half duplex or full duplex transmission over the port These options are not available if Auto is selected Select Automatic to enable the port to automatically exchange information about data transmission speed and duplex capabilities Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis Automatic is the default setting Duple...

Page 109: ...packets only form the native VLANs Frames are forwarded out the port untagged with no 802 1Q header All frames received on the port are expected as untagged and are mapped to the native VLAN If the mode is set to Trunk the port allows packets from a list of VLANs you add to the trunk A port configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagge...

Page 110: ...uration Select Reset to revert to the last saved configuration 13 Select the Security tab Figure 5 15 Ethernet Ports Security tab 14 Refer to the Access Control field As part of the port s security configuration Inbound IP and MAC address firewall rules are required Use the Inbound MAC Firewall Rules drop down menus to select the firewall rules to apply to this profile s Ethernet port configuratio...

Page 111: ...tch check for the source MAC in both the ARP and Ethernet header The default value is disabled Trust 802 1p COS values Select this option to enable 802 1p COS values on this port The default value is enabled Trust IP DSCP Select this option to enable IP DSCP values on this port The default value is enabled NOTE Some vendor solutions with VRRP enabled send ARP packets with Ethernet SMAC as a physic...

Page 112: ...r groups of VLANs A MSTP supported deployment uses multiple MST regions with multiple MST instances MSTI Multiple regions and other STP bridges are interconnected using one single common spanning tree CST MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduc...

Page 113: ...tFast must only be enabled on ports on the wireless controller which are directly connected to a server workstation and not to another hub or controller PortFast can be left unconfigured on the access point Select this option to enable drop down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options This setting is disabled by default Enable PortFast BPDU Filter MSTP...

Page 114: ...es attached to it or is directly connected to an user device Link Type Select either the Point to Point or Shared radio button Selecting Point to Point indicates the port should be treated as connected to a point to point link Selecting Shared means this port should be treated as having a shared connection A port connected to a hub is on a shared link while one connected to a access point is a poi...

Page 115: ...vices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Interface menu and select Virtual Interfaces Figure 5 17 Profile Interfaces Virtual Interfaces screen 5 Review the following parameters unique to each virtual interface configuration Name Displays the name of each listed Virtual Interface assigned when it was created The name is from 1 4094 and cannot be modifi...

Page 116: ... is being modified 7 If creating a new Virtual Interface use the Name spinner control to define a numeric ID from 1 4094 8 Define the following parameters from within the Properties field 9 Define the Network Address Translation NAT direction VLAN Displays the numerical VLAN ID associated with each listed interface IP Address Defines whether DHCP was used to obtain the primary IP address used by t...

Page 117: ...st information from the DHCPv6 server using stateless DHCPv6 DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configuration attributes required on an IPv6 network This setting is disabled by default Prefix Delegation Client Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface Devices us...

Page 118: ...Pv4 tab Accept Router Advertisement Enable this option to allow router advertisements over this virtual interface IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages When first connected to a network a host sends a link local router solicitation multicast request for its configuration paramet...

Page 119: ...ero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings Zero config can be used instead of a wireless network utility fro...

Page 120: ...dress Static Define up to 15 global IPv6 IP addresses that can created statically IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MAC is initially s...

Page 121: ...y providing support in IPv6 DHCP relays exchange messages between a DHCPv6 server and client A client and relay agent exist on the same link When A DHCP request is received from the client the relay agent creates a relay forward message and sends it to a specified server address If no addresses are specified the relay agent forwards the message to all DHCP server relay multicast addresses The serv...

Page 122: ...st information 28 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Address Enter an address for the DHCPv6 relay These DHCPv6 relay receive messages from DHCPv6 clients and forward them to DHCPv6 servers The DHCPv6 server sends responses back to the relay and the relay then sends these responses t...

Page 123: ... address is only on the local link Valid Lifetime Type Set the lifetime for the prefix s validity Options include External fixed decrementing and infinite If set to External fixed just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity If set to decrementing use the lifetime date and time settings to refine the prefix expiry period If the value is set f...

Page 124: ...ry period If the value is set for infinite no additional date or time settings are required for the prefix and the prefix will not expire The default setting is External fixed Preferred Lifetime Sec If the administrator preferred lifetime type is set to External fixed set the Seconds Minutes Hours or Days value used to measurement criteria for the prefix s expiration 30 days 0 hours 0 minutes and ...

Page 125: ...latest revision of the Internet Protocol IP replacing IPv4 IPV6 provides enhanced identification and location information for systems routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons 34 Use the VPN Crypto Map drop down menu to select and assign a VPN crypto map entry to this virtual interface The VPN Crypto Map entry def...

Page 126: ... the port channel s numerical identifier assigned to it when it was created The numerical name cannot be modified as part of the edit process Type Displays whether the type is port channel Description Lists a a short description 64 characters maximum describing the port channel or differentiating it from others with similar configurations Admin Status A green check mark defines the listed port cha...

Page 127: ...tomatic as the duplex option Select Half duplex to send data over the port channel then immediately receive data from the same direction in which the data was transmitted Like a Full duplex transmission a Half duplex transmission can carry data in both directions just not at the same time Select Full duplex to transmit data to and from the port channel at the same time Using Full duplex the port c...

Page 128: ...elivery unlike TCP IPv4 hosts can use link local addressing to provide local connectivity Tag the Native VLAN Select this option to tag the native VLAN Access points support the IEEE 802 1Q specification for tagging frames and coordinating VLANs between devices IEEE 802 1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs If the upstream Ethernet dev...

Page 129: ...el and a DHCP server can be connected only to a DHCP trusted port The default value is enabled ARP header Mismatch Validation Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header The default value is enabled Trust 802 1p COS values Select this option to enable 802 1p COS values on this port channel The default value is enabled Trust IP DSCP Select th...

Page 130: ...the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs The default setting is Default Select Disable to disable this feature PortFast BPDU Guard Select Enable to invoke a BPDU guard for this PortFast enabled port channel Enabling the BPDU Guard feature means this port will shutdown on receiving a BPDU Thus no BPDUs are processed The default setting is Default Sele...

Page 131: ...her the Enable or Disable radio buttons This enables interoperability with Cisco s version of MSTP which is incompatible with standard MSTP This setting is disabled by default Force Protocol Version Sets the protocol version to either STP 0 Not Supported 1 RSTP 2 or MSTP 3 MSTP is the default setting Guard Determines whether the port channel enforces root bridge placement Setting the guard to Root...

Page 132: ... radio configuration data to determine whether a radio configuration requires modification to better support the network Name Displays whether the reporting radio is radio 1 radio 2 or radio 3 AP7131 models can have up to 3 radios depending on the SKU AP6522 AP6522M AP6532 AP6562 AP8132 AP8222 AP8232 AP7181 AP7161 AP7502 AP7522 AP7532 and AP7562 models have 2 radios while AP6521 and AP6511 models ...

Page 133: ...ttings tab Channel Lists the channel setting for the radio Smart is the default setting If set to Smart the access point scans non overlapping channels listening for beacons from other access points After the channels are scanned it selects the channel with the fewest access points In the case of multiple access points on the same channel it will select the channel with the lowest average power le...

Page 134: ... party access point and bridge frames to it Lock RF Mode Select this option to lock Smart RF operation for this radio The default setting is disabled as Smart RF utilization will impact throughput Channel Use the drop down menu to select the channel of operation for the radio Only a trained installation professional should define the radio channel Select Smart for the radio to scan non overlapping...

Page 135: ...hange the number of transmit chains This option is enabled by default Data Rates Once the radio band is provided the drop down menu populates with rate options depending on the 2 4 or 5 0 GHz band selected If the radio band is set to Sensor or Detector the Data Rates drop down menu is not enabled as the rates are fixed and not user configurable If 2 4 GHz is selected as the radio band select separ...

Page 136: ...sleep longer and preserve their battery life Decrease these settings shortening the time to support streaming multicast audio and video applications that are jitter sensitive RTS Threshold Specify a Request To Send RTS threshold from 1 65 536 bytes for use by the WLAN s adopted access point radios RTS is a transmitting station s signal that requests a Clear To Send CTS response from a receiving cl...

Page 137: ...tion for the radio to transmit using a short preamble Short preambles improve throughput However some devices SpectraLink phones require long preambles The default value is disabled Guard Interval Use the drop down menu to specify a Long or Any guard interval The guard interval is the space between symbols characters being transmitted The guard interval is there to eliminate inter symbol interfere...

Page 138: ...set a priority 1 6 for connection preference 20 Select the OK button located at the bottom right of the screen to save the changes to the Mesh configuration Select Reset to revert to the last saved configuration 21 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and then connect through...

Page 139: ...for the higher throughput clients A MPDU Modes Use the drop down menu to define the A MPDU mode supported Options include Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the dro...

Page 140: ...3 model access points only and is disabled by default Transmit Beamforming Enable beamforming to steer signals to peers in a specific direction to enhance signal strength and improve throughput amongst meshed devices not clients Each access point radio support up to 16 beamforming capable mesh peers When enabled a beamformer steers its wireless signals to its peers A beamformee device assists the ...

Page 141: ...f the host used to capture the re directed packets Channel to Capture Packets Use the drop down menu to specify the channel used to capture re directed packets The default value is channel 1 Off Channel Scan list for 5 GHz Use the drop down menu to select the channels to scan in the 5 GHz band when performing off channel scans Off Channel Scan list for 2 4 GHz Use the drop down menu to select the ...

Page 142: ...27 30 1 2 26 28 9 54 60 2 2 39 43 4 81 90 3 2 52 57 8 108 120 4 2 78 86 7 162 180 5 2 104 115 6 216 240 6 2 117 130 243 270 7 2 130 144 4 270 300 Table 5 3 MCS 3Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 0 3 19 5 21 7 40 5 45 1 3 39 43 3 81 90 2 3 58 5 65 121 5 135 3 3 78 86 7 162 180 4 3 117 130 7 243 270 5 3 156 173 3 324 360 6 3 175 5 195 364 5...

Page 143: ...MHz No SGI 40MHz With SGI 80 MHz No SGI 80MHz With SGI 0 6 5 7 2 13 5 15 29 3 32 5 1 13 14 4 27 30 58 5 65 2 19 5 21 7 40 5 45 87 8 97 5 3 26 28 9 54 60 117 130 4 39 43 3 81 90 175 5 195 5 52 57 8 108 120 234 260 6 58 5 65 121 5 135 263 3 292 5 7 65 72 2 135 150 292 5 325 8 78 86 7 162 180 351 390 9 n a n a 180 200 390 433 3 Table 5 3 MCS 3Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz Wi...

Page 144: ...oint to point communications PPP packages your system s TCP IP packets and forwards them to the serial device where they can be put on the network PPP is a full duplex protocol that can be used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation The following 3G cards are s...

Page 145: ...Select this option to enable 3G WAN card support on the access point A supported 3G card must be connected for this feature to work Username Provide username for authentication support by the cellular data carrier Password Provide password for authentication support by the cellular data carrier Access Point Name APN Enter the name of the cellular data provider if necessary This setting is needed i...

Page 146: ... to ensure these configuration are optimally effective If the WAN card does not connect after a few minutes after a no shutdown check the access point s syslog for a detected ttyUSB0 No such file event If this event has occurred linux didn t detect the card Re seat the card If the WAN card has difficulty connecting to an ISP syslog shows that it retries LCP ConfReq for a long time ensure the SIM c...

Page 147: ...he access point s Wired WAN were to fail When PPPoE client operation is enabled it discovers an available server and establishes a PPPoE link for traffic slow When a wired WAN connection failure is detected traffic flows through the WWAN interface in fail over mode if the WWAN network is configured and available When the PPPoE link becomes accessible again traffic is redirected back through the ac...

Page 148: ...ing the PPPoE protocol The default setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provi...

Page 149: ... Show option to view the actual characters comprising the password Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmission Unit MTU from 500 1 492 ...

Page 150: ...RP L2TPv3 Profile Configuration IGMP Snooping MLD Snooping Quality of Service QoS Spanning Tree Configuration Routing Dynamic Routing OSPF Forwarding Database Bridge VLAN Cisco Discovery Protocol Configuration Link Layer Discovery Protocol Configuration Miscellaneous Network Configuration Alias Before beginning any of the profile network configuration activities described in the sections above rev...

Page 151: ...series of numbers 123 123 123 123 instead of an easy to remember domain name www domainname com To define the DNS configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select DNS Figure 5 38 Network DNS screen 5 Provide a default Domain Name used when resolving DNS names The n...

Page 152: ...cial format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied To define an ARP supported configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Se...

Page 153: ...ch VLAN Interface Use the spinner control to select a VLAN for an address requiring resolution IP Address Define the IP address used to fetch a MAC Address MAC Address Displays the target MAC address that s subject to resolution This is the MAC used for mapping an IP address to a MAC address that s recognized on the network Device Type Specify the device type the ARP entry supports Host Router or ...

Page 154: ...ities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the psuedowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a ps...

Page 155: ... of a tunnelled peer UDP Listen Port Select this option to set the port used for listening to incoming traffic Select a port from 1 024 65 535 The default port is 1701 Tunnel Bridging Select this option to enable or disable bridge packets between two tunnel end points This setting is disabled by default Enable Logging Select this option to enable the logging of Ethernet frame events to and from br...

Page 156: ... bytes of the largest protocol data unit that the layer can pass between tunnel peers Use Tunnel Policy Lists the L2TPv3 tunnel policy assigned to each listed tunnel Local Hostname Lists the tunnel specific hostname used by each listed tunnel This is the hostname advertised in tunnel establishment messages Local Router ID Specifies the router ID sent in the tunnel establishment messages Establishm...

Page 157: ...nnel is not usable without a session and a subsequent session name The tunnel is closed when the last session tunnel session is closed Pseudowire ID Define a psuedowire ID for this session A pseudowire is an emulation of a layer 2 point to point connection over a packet switching network PSN A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer ...

Page 158: ...transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers Define a MTU between 128 1 460 bytes The default setting is 1 460 A larger MTU means processing fewer packets for the same amount of data Use Tunnel Policy Select the L2TPv3 tunnel policy The policy consists of user defined values for protocol specific parameters which can b...

Page 159: ...d When a tunnel is established the listed critical resources are checked for availability Tunnel establishment is started if the critical resources are available Similarly for incoming tunnel termination requests listed critical resources are checked and tunnel terminations are only allowed when the critical resources are available For more information on managing critical resources see Profile Cr...

Page 160: ...ary and secondary peer for tunnel failover If the peer is not specified tunnel establishment does not occur However if a peer tries to establish a tunnel with this access point it creates the tunnel if the hostname and or Router ID matches Peer IP Address Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the pee...

Page 161: ...d point address not the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed tunnel session This is...

Page 162: ...P Set the IP address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message to the L2TP peer MTU Define the session maximum transmission unit MTU as the size in bytes of the largest protocol data unit the layer can...

Page 163: ...e Type Select a VLAN as the virtual interface source type Source Value Define the Source Value range 1 4 094 to include in the tunnel Tunnel session data includes VLAN tagged frames Native VLAN Select this option to define the native VLAN that will not be tagged Cookie Size Set the size of the cookie field within each L2TP data packet Options include 0 4 and 8 The default setting is 0 Value 1 Set ...

Page 164: ... out for those links which do not require them To configure IGMP Snooping 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select IGMP Snooping Figure 5 47 IGMP Snooping screen 5 Set the following parameters to configure General IGMP Snooping values Enable IGMP Snooping Select this opt...

Page 165: ...on 1 2 or 3 The default IGMP version is 3 IGMP Query Interval Sets the IGMP query interval This parameter is used only when the querier functionality is enabled Define an interval value in Seconds 1 18000 seconds Minutes 1 300 minutes or Hours 1 5 hours up to maximum of 5 hours The default value is 60 seconds IGMP Robustness Variable Sets the IGMP robustness variable The robustness variable is a w...

Page 166: ...ving multicast group traffic The controller service platform or access point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces To set an IPv6 MLD snooping configuration for the profile 1 Select Configuration Profiles Network 2 Expand the Network menu to display its submenu options 3 Select MLD Snooping Figure 5 ...

Page 167: ...he interval in which query messages are sent to discover device multicast group memberships Set an interval in either Seconds 1 18 000 Minutes 1 300 or Hours 1 5 The default interval is 1 minute MLD Robustness Variable Set a MLD IGMP robustness value 1 7 used by the sender of a query The MLD robustness variable enables refinements to account for expected packet loss on a subnet Increasing the robu...

Page 168: ...een maps the 6 bit Differentiated Service Code Point DSCP code points to the older 3 bit IP Precedent field located in the Type of Service byte of an IP header DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence DSCP specifies a specific per hop behavior applied to a packet To define an QoS configuration for DSCP mappings 1 Select...

Page 169: ...his field are 0 7 Up to 64 entries are permitted The priority values are 0 Best Effort 1 Background 2 Spare 3 Excellent Effort 4 Controlled Load 5 Video 6 Voice 7 Network Control Traffic Class Devices that originate a packet must identify different classes or priorities for IPv6 packets Devices use the traffic class field in the IPv6 header to set this priority 802 1p Priority Assign a 802 1p prio...

Page 170: ...ion in a single Bridge Protocol Data Unit BPDU format BPDUs are used to exchange information bridge IDs and root path costs Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each...

Page 171: ...alid in the spanning tree topology The available range is from 7 127 The default setting is 20 MST Config Name Define a 64 character maximum name for the MST region to use as an identifier for the configuration MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the Enable or ...

Page 172: ...ugh the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinner control to set the maximum time in seconds to listen for the root bridge The root bridge is the spanning tree bridge with the smallest lowest bridge ID Each bridge has a unique ID and a configurable priority number the bridge ID...

Page 173: ...e space required to maintain address pools Both IPv4 and IPv6 routes are separately configurable using their appropriate tabs For IPv6 networks routing is the part of IPv6 that provides forwarding between hosts located on separate segments within a larger IPv6 network where IPv6 routers provide packet forwarding for other IPv6 hosts To create static routes 1 Select the Configuration tab from the W...

Page 174: ...y field and set the following parameters 11 Select the IPv6 Routing tab IPv6 networks are connected by IPv6 routers IPv6 routers pass IPv6 packets from one network segment to another Figure 5 52 Static Routes screen IPv6 Routing tab Static Default Route Priority Use the spinner control to set the priority value 1 8 000 for the default static route This is weight assigned to this route versus other...

Page 175: ...18 Select Add Row as needed within the IPv6 Routes table to add an additional 256 IPv6 route resources Figure 5 53 Static Routes screen Add IPv6 Route RA Convert milliseconds Select this option to convert multicast router advertisements RA to unicast router advertisements at the dot11 layer Unicast addresses identify a single network interface whereas a multicast address is used by multiple hosts ...

Page 176: ...Areas can defined as stub area A stub area is an area which does not receive route advertisements external to the autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes A default route is the only way to route traffic outside of the area When there is only one route out of the a...

Page 177: ...ve to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passive Removed If enabling Passive...

Page 178: ... VRRP State Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF resets permitted before the OSPF process is shut down The ...

Page 179: ...an existing configuration or Delete to remove a configuration Figure 5 56 Network OSPF Area Configuration screen Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 180: ...rtised if creating a stub Set a value from 1 16 777 215 Translate Type Define how messages are translated Options include translate candidate translate always and translate never The default setting is translate candidate Range Specify a range of addresses for routes matching address mask for OSPF summarization Name Displays the name defined for the interface configuration Type Displays the type o...

Page 181: ... radio buttons Inside The inside network is transmitting data over the network to its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Outside Packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine There the destination IP address is changed back to the specific inter...

Page 182: ...reside on link from those reachable using a router Request DHCPv6 Options Select this option to request DHCPv6 options on this virtual interface DHCPv6 options provide configuration information for a node that must be booted using the network rather than locally This setting is disabled by default Maximum Transmission Unit MTU Set the PPPoE client maximum transmission unit MTU from 500 1 492 The M...

Page 183: ... MTU options are sent This setting is disabled by default No Hop Count Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface This setting is disabled by default Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a w...

Page 184: ... respond to such a request with a router advertisement packet that contains Internet layer configuration parameters Figure 5 60 Network OSPF Virtual Interfaces Basic Configuration screen IPv6 tab 33 Refer to the IPv6 Addresses field to define how IP6 addresses are created and utilized Use DHCP to obtain Gateway DNS Servers Select this option to allow DHCP to obtain a default gateway address and DN...

Page 185: ...a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MAC is initially separated into two 24 bits with one being an OUI Organizationally Unique Identifier a...

Page 186: ...w DHCPv6 relay address and interface VLAN ID can be set Figure 5 63 Network OSPF Virtual Interfaces Basic Configuration screen IPv6 tab Add DHCPv6 Relay 41 Select OK to save the changes to the DHCPv6 relay configuration Select Exit to close the screen without saving the updates Delegated Prefix Name Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format Using EUI64 a hos...

Page 187: ... interface Router advertisements are periodically sent to hosts or sent in response to solicitation requests The advertisement includes IPv6 prefixes and other subnet and host information 44 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Figure 5 65 Network OSPF Virtual Interfaces Basic Configur...

Page 188: ...the prefix Valid Lifetime Time If the lifetime type is set to decrementing set the time for the prefix s validity Use the spinner controls to set the time in hours and minutes Use the AM PM radio buttons to set the appropriate hour Preferred Lifetime Type Set the administrator preferred lifetime for the prefix s validity Options include External fixed decrementing and infinite If set to External f...

Page 189: ...tion IPv4 hosts can use link local addressing to provide local connectivity Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific inbound firewall rules to apply to this profile s virtual interface configuration Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration IPv6 is the latest revision of ...

Page 190: ...tions on left hand side of the UI 4 Expand the Network menu and select Forwarding Database Figure 5 67 Network Forwarding Database screen 5 Define a Bridge Aging Time from 0 10 1 000 000 seconds The aging time defines the length of time an entry will remain in the bridge s forwarding table before it is deleted due to lack of activity If an entry replenishments a destination generating continuous t...

Page 191: ... the destination MAC is on a different network segment 9 Provide an Interface Name used as the target destination interface for the target MAC address 10 Select OK to save the changes Select Reset to revert to the last saved configuration ...

Page 192: ...l untag it When a data frame is received on a port the VLAN bridge determines the associated VLAN based on the port of reception Using forwarding database information the Bridge VLAN forwards the data frame on the appropriate port s VLANs are useful to set separate networks to isolate some computers from others without actually having to have separate cabling and Ethernet switches Another common u...

Page 193: ... IP spoof attacks IPv6 Firewall Lists whether IPv6 is enabled on this Bridge VLAN A green checkmark defines this setting as enabled A red X defines this setting as disabled IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons IPv6 hosts ...

Page 194: ...terfaces on a device When configured firewalls generate flow tables that store information on the traffic allowed to traverse through the firewall These flow tables occupy a large portion of the limited memory that could be used for other critical purposes With the per VLAN firewall feature enabled on an interface flow tables are only generated for that interface Flow tables are not generated for ...

Page 195: ... for outbound traffic from the drop down menu If an appropriate outbound MAC ACL is not available select the Create button Tunnel Over Level 2 Select this option to allow VLAN traffic to be tunneled over level 2 links This setting is disabled by default Mint Link Level Select the MINT link level from the drop down menu Rate Define a transmit rate limit between 50 1 000 000 kbps This limit constitu...

Page 196: ...snooping an IPv6 subnet for static wired captive portal clients Multiple rows can be added to this field To add an entry to this field select the Add Row button below this field 16 Select the IGMP Snooping tab Trust DHCP Responses Select this option to use DHCP packets from a DHCP server as trusted and permissible within the network DHCP packets update the DHCP Snoop Table to prevent IP spoof atta...

Page 197: ...ridge configuration are overridden Forward Unknown Multicast Packets Select this option to enable forwarding of multicast packets from unregistered multicast groups If disabled the unknown multicast forward feature is also disabled for this Bridge VLAN This setting is enabled by default Interface Names Select the interface used for IGMP snooping over a multicast router Multiple interfaces can be s...

Page 198: ...the wired port IGMP membership is also learnt on it and only if present then it is forwarded on that port Source IP Address Define an IP address applied as the source address in the IGMP query packet This address is used as the default VLAN querier IP address IGMP Version Use the spinner control to set the IGMP version compatibility to either version 1 2 or 3 The default setting is 3 Maximum Respo...

Page 199: ...re delivered using best effort reliability just like IPv6 unicast MLD snooping is enabled by default Forward Unknown Unicast Packets Use this option to either enable or disable IPv6 unknown multicast forwarding This setting is enabled by default Interface Names Select the ge or radio interfaces used for MLD snooping Multicast Router Learn Mode Set the pim dvmrp or static multicast routing learn mo...

Page 200: ... Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Cisco Discovery Protocol Figure 5 72 Network Cisco Discovery Protocol CDP screen 5 Enable disable CDP and set the following settings 6 Select the OK button located at the bottom right of the screen to save the changes to the CDP configuration Select Reset to revert to ...

Page 201: ...r Discovery Protocol Data Unit LLDP PDU A single LLDP PDU is transmitted in a single 802 3 Ethernet frame To set the LLDP configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Link Layer Discovery Protocol Figure 5 73 Network Link Layer Discovery Protocol LLDP screen 5 ...

Page 202: ...on tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Network menu and select Miscellaneous Figure 5 74 Network Miscellaneous screen 5 Select the Include Hostname in DHCP Request option to include a hostname in a DHCP lease for a requesting device This feature is enabled by default 6 Select the DHCP Persistent Lease option to reta...

Page 203: ...ble for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override alias values defined in a global alias profiles alias or RF Domain ali...

Page 204: ...twork and the VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN alias is used to replace VLANs in the following locations ...

Page 205: ...rk Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overridden at the remote location to suit their local but remote requirement At the remote location the ACL functions with the 172 16 10 0 24 network A new ACL ...

Page 206: ...68 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for Host Network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias A maximum of 32 Network Group Alias entries can be created A network group alias can ...

Page 207: ...w Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a blank column if no networ...

Page 208: ...te the network group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasi...

Page 209: ...e connections to a network from a single IP node A network service alias can be used to substitute protocols and ports in IP firewall rules To edit or delete a network service alias configuration 1 Select Configuration tab from the Web user interface 2 Select System Profiles 3 Select Network to expand it and display its sub menus 4 Select the Alias item the Basic Alias screen displays 5 Select the...

Page 210: ...ias has to be created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Sel...

Page 211: ...t the VLAN bridge determines the associated VLAN based on the port of reception Static routes while easy can be overwhelming within a large or complicated network Each time there is a change someone must manually make changes to reflect the new route If a link goes down even if there is a second path the router would ignore it and consider the link down Static routes require extensive planning and...

Page 212: ...icy wireless client role policy WEP shared key authentication and NAT policy applied For more information refer to the following Defining Profile VPN Settings Defining Profile Auto IPSec Tunnel Defining Profile Security Settings Setting the Certificate Revocation List CRL Configuration Setting the Profile s NAT Configuration Setting the Profile s Bridge NAT Configuration ...

Page 213: ...ec peer however for remote VPN deployments one crypto map is used for all the remote IPSec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional features flexibility and configuration simplicity for the IPSec standard IKE automatically negotiates IPSec SAs and enables secure communications without ti...

Page 214: ...o peers need not exactly agree on the lifetime though if they do not there is some clutter for a superseded connection on the peer defining the lifetime as longer DPD Retries Lists each policy s maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer This screen only appears when IKEv1 is selected Name If creating a new IKE policy assign it a name 3...

Page 215: ...n is defined as dead The available range is from 1 100 The default setting is 5 IKE LifeTime Set the lifetime defining how long a connection encryption authentication keys should last from successful key negotiation to expiration Set this value in either Seconds 600 86 400 Minutes 10 1 440 Hours 1 24 or Days 1 This setting is required for both IKEv1 and IKEV2 Name If creating a new IKE policy assi...

Page 216: ...n Type Lists whether the peer configuration has been defined to use pre shared key PSK or RSA Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s the first algorithm known to be suitable for signing as well as encryption If using IKEv2 this screen displays both local and remote authentication as both ends of the VPN connection require authentication LocalID Lists the acc...

Page 217: ...entication RSA is the default value for both local and remote authentication regardless of IKEv1 or IKEv2 Authentication Value or Local Authentication Value Define the authentication string shared secret that must be shared by both ends of the VPN tunnel connection The string must be from 8 21 characters long If using IKEv2 both a local and remote string must be specified for handshake validation ...

Page 218: ...name assigned to each listed transform set upon creation Again a transform set is a combination of security protocols algorithms and other settings applied to IPSec protected traffic Authentication Algorithm Lists each transform sets s authentication scheme used to validate identity credentials The authentication scheme is either HMAC SHA or HMAC MD5 Encryption Algorithm Displays each transform se...

Page 219: ...authentication scheme used to validate identity credentials Use the drop down menu to select either HMAC SHA or HMAC MD5 The default setting is HMAC SHA Encryption Algorithm Set the transform set encryption method for protecting transmitted traffic Options include DES 3DES AES AES 192 and AES 256 The default setting is AES 256 Mode Use the drop down menu to select either Tunnel or Transport as the...

Page 220: ...PSec Transform Set Displays the transform set encryption and has algorithms applied to each listed crypto map configuration Thus each crypto map can be customized with its own data protection and peer authentication schemes Sequence Each crypto map configuration uses a list of entries based on a sequence number Specifying multiple sequence numbers within the same crypto map provides the flexibilit...

Page 221: ...ion uses a list of entries based on a sequence number Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface based on this selected sequence number from 1 1 000 Type Define the site to site manual site to site auto or remote VPN configuration defined for each listed crypto map configuration ...

Page 222: ...al keys Options include None 2 5 and 14 The default setting is None Lifetime kB Select this option to define a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control to set the volume from 500 2 147 483 646 kilobytes Lifetime seconds Select this option to define a lifetime in...

Page 223: ...g on the selected IKE mode 30 Set the following IKEv1 or IKe v2 Settings Authentication Method Use the drop down menu to specify the authentication method used to validate the credentials of the remote VPN client Options include Local on board RADIUS resource if supported and RADIUS designated external RADIUS resource If selecting Local select the Add Row button and specify a User Name and Passwor...

Page 224: ...reen Selecting Reset reverts the screen to its last saved configuration 37 Select the Remote VPN Client tab The Remote VPN Client screen provides options for configuring the remote VPN client AAA Policy Select the AAA policy used with the remote VPN client AAA policies define RADIUS authentication and accounting parameters The access point can optionally use AAA server resources when using RADIUS ...

Page 225: ...hat needs to be protected Select the appropriate traffic set from the drop down menu or click the icon next to the drop down menu to create a new transform set IKEV2 Peer Use the drop down menu to select the remote IKE v2 peer Use the icon next to the drop down to create a new peer Priority Use the spinner to set the priority in which a remote peer is connected The lower the number the higher the ...

Page 226: ...CP peer local ID The ID cannot exceed 128 characters df bit Select the DF bit handling technique used for the ESP encapsulating header Options include clear set and copy The default setting is copy IPsec Lifetime kb Set a connection volume lifetime in kilobytes for the duration of an IPSec VPN security association Once the set volume is exceeded the association is timed out Use the spinner control...

Page 227: ...n Options include Seconds 10 3 600 Minutes 1 60 and Hours 1 The default setting is 30 seconds DPD Retries Use the spinner control to define the number of keep alive messages sent to an IPSec VPN client before the tunnel connection is defined as dead The available range is from 1 100 The default number of messages is 5 NAT Keep Alive Define the interval or frequency of NAT keep alive messages for d...

Page 228: ...string used for IKE authentication String length can be between 1 64 characters Authentication Type Set the IPSec Authentication Type Options include PSK Pre Shared Key or rsa Authentication Key Set the common key for authentication between the remote tunnel peer Key length is between 8 21 characters IKE Version Configure the IKE version to use The available options are ikev1 main ikev1 aggr and i...

Page 229: ... by which this is accomplished varies but in principle a firewall can be thought of as mechanisms both blocking and permitting data traffic within the network If an existing Firewall policy does not meet your requirements select the Create icon to create a new firewall policy that can be applied to this profile An existing policy can also be selected and edited as needed using the Edit icon 6 Sele...

Page 230: ...ternet protocol to obtain and manage digital certificates in a Public Key Infrastructure PKI network A Certificate Authority CA issues the certificates using the defined CMP Use the drop down list to select a CMP policy to apply 9 Use the Web Filter drop down menu to select or override the URL Filter configuration applied to this virtual interface Web filtering is used to restrict access to resour...

Page 231: ...rofile Security Certificate Revocation List CRL Update Interval screen 5 Select the Add Row button to add a column within the Certificate Revocation List CRL Update Interval table to quarantine certificates from use in the network Additionally a certificate can be placed on hold for a user defined period If for instance a private key was found and nobody had access to it its status could be reinst...

Page 232: ... the purpose of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT can provide a profile outbound Internet access to wired and wireless hosts connected to an access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT all...

Page 233: ... configurations can be added or existing ones deleted as they become obsolete Static NAT creates a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual a...

Page 234: ...to the outside world when the translation address is used to interact with the remote destination NAT IP Enter the IP address of the matching packet to the specified value The IP address modified can be either source or destination based on the direction specified Network Select Inside or Outside NAT as the network direction The default setting is Inside Select Inside to create a permanent one to ...

Page 235: ...tatic NAT screen Destination tab 13 Select Add to create a new NAT destination configuration or Delete to permanently remove a NAT destination Existing NAT destination configurations are not editable Figure 5 99 NAT Destination Add screen ...

Page 236: ... UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadcast delivery not available from TCP The default setting is Any Destination IP Enter the address used at the source e...

Page 237: ...th the remote destination Network Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration Interface Lists the VLAN from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Overload Type Lists the Overload Type used with the listed IP ACL rule Options include NAT Pool One Global Address and Interface IP Add...

Page 238: ...tting Interface Use the drop down menu to select the VLAN ID from 1 4094 used as the communication medium between the source and destination points within the NAT configuration Ensure the VLAN selected represents the intended network traffic within the NAT supported configuration VLAN1 is available by default Optionally select the wwan1 radio button if the access point model supports a wwan interf...

Page 239: ...5 155 21 Select OK to save the changes made to the dynamic NAT configuration Select Reset to revert to the last saved configuration ...

Page 240: ...ternet Internet traffic is routed to the NoC and from there routed to the Internet This increases the access time for the end user on the client To resolve latency issues Bridge NAT identifies and segregates traffic heading towards the NoC and outwards towards the Internet Traffic towards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with a...

Page 241: ... is either the access point s pppoe1 or wwan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP Lists the IP address used to represent a large number local addresses Overload Type Lists the overload type used wi...

Page 242: ...le s security configuration refer to the following deployment guidelines to ensure the profile configuration is optimally effective Ensure the contents of the certificate revocation list are periodically audited to ensure revoked certificates remained quarantined or validated certificates are reinstated NAT alone does not provide a firewall If deploying NAT on a profile add a firewall on the profi...

Page 243: ...r MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state they monitor the ...

Page 244: ...e attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Delete Virtual Router ID Lists a numerical index from 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a packet is reporting status for Description Disp...

Page 245: ...ined setting as criteria in selection of a virtual router master The higher the value the greater the likelihood of this virtual router ID being selected as the master Virtual IP Addresses Provide up to 8 IP addresses representing the Ethernet switches routers or security appliances defined as virtual router resources to the AP7131 access point Advertisement Interval Unit Select either seconds mil...

Page 246: ...n selected the Preempt Delay option becomes enabled to set the actual delay interval for pre emption This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority Preempt Delay If the Preempt option is selected use the spinner control to set the delay interval in seconds for preemption Interface Select this value to enable disable VR...

Page 247: ...re 5 108 Critical Resources screen List of Critical Resources tab The screen lists the destination IP addresses or interfaces VLAN WWAN or PPPoE used for critical resource connection IP addresses can be monitored directly by the access point or controller whereas a VLAN WWAN or PPPoE must be monitored behind an interface 5 Select the Add button at the bottom of the screen to add a new critical res...

Page 248: ...itors the critical resource The state of the critical resource is then updated to all the devices in the rf domain or to those managed by the cluster master if the Sync Adoptees option is enabled 8 Use the Sync Adoptees option to enable the rf domain manager or cluster master to indicate to the other devices in the rf domain cluster that the state of a monitored critical resource has changed Selec...

Page 249: ...for this purpose The IP address used for Port Limited Monitoring must be different from the IP address configured on the device 16 Select OK to save the changes to the critical resource configuration and monitor interval Select Reset to revert to the last saved configuration Mode Set the ping mode used when the availability of a critical resource is validated Select from arp only Use the Address R...

Page 250: ...ge where the user must enter valid credentials to access to the wireless network Once logged into the captive portal additional Agreement Welcome and Fail pages provide the administrator with a number of options on screen flow and user appearance Either select an existing captive portal policy use the default captive portal policy or select the Create link to create a new captive portal configurat...

Page 251: ...he profile s guest captive portal network and the services provided or if the profile should support guest access at all Profile configurations supporting a captive portal should include firewall policies to ensure logical separation is provided between guest and internal networks so internal networks and hosts are not reachable from guest devices DHCP s lack of an authentication mechanism means a...

Page 252: ...nfiguration tab from the Web UI 2 Select Devices 3 Select System Profile from the options on left hand side of the UI 4 Expand the Management menu item and select Settings Figure 5 112 Profile Management Settings screen 5 Refer to the Message Logging field to define how the profile logs system events It s important to log individual events to discern an overall pattern that may be negatively impac...

Page 253: ... Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency ...

Page 254: ... username on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Password for SMTP Server Specify the sender s username password on the outgoing SMTP server Many SMTP servers require users to authenticate with a username and password before sending E mail through the server Enable Configuration Update Select...

Page 255: ...E hub 1 Calculate the AP6532 s IP address The AP6532 has an IP of 169 254 last two digits of its MAC address in decimal with subnet mask of 255 255 0 0 For example if the MAC address is 00 23 68 86 48 18 the last two digits of its IP address will be 72 24 48 hexadecimal 72 decimal 18 hexadecimal 24 decimal So the IP address is 169 254 72 24 with subnet mask of 255 255 0 0 2 Configure the computer ...

Page 256: ...t guidelines to ensure the profile configuration is optimally effective Define profile management access configurations providing both encryption and authentication Management services like HTTPS SSH and SNMPv3 should be used when possible as they provide data privacy and authentication It is recommended that SNMPv3 be used for management profile configurations as it provides both encryption and a...

Page 257: ... mesh network Root Selection Method Displays the root selection method that determines if this meshpoint is a root or not Preferred Neighbor Displays the MAC address of the preferred neighbor A Preferred Neighbor is a node that this mesh point prefers to have a mesh connection with over other nodes in the mesh network Preferred Interface Displays the name of the preferred interface A Preferred Int...

Page 258: ...esh network Select False to indicate this access point is not a root node for this mesh network Root Selection Method Use the drop down menu to determine whether this mesh point is the root or non root mesh point Select either None the default setting or auto mint Set as Cost Root Select this option to set the mesh point as the cost root for mesh point root selection This setting is disabled by de...

Page 259: ... preferred interface for forming a mesh network Minimum Threshold Enter the minimum value for SNR above which a candidate for the next hop in a dynamic mesh network is considered for selection This field along with Signal Strength Delta and Sustained Time Period are used to dynamically select the next hop in a dynamic mesh network Signal Strength Delta Enter a delta value in dB A candidate for sel...

Page 260: ...s are common for configuring the 2 4 GHZ and 5 0 4 9 GHz frequencies Channel Width Configure the channel width that mesh point automatic channel scan should assign to the selected radio The available options are Automatic Indicates the channel width is calculated automatically This is the default value 20 MHz Indicates the width between two adjacent channels is 20 MHz 40 MHz Indicates the width be...

Page 261: ... for the Off Channel Duration field This is the duration the scan dwells on each channel when performing an off channel scan The default value is 50 milliseconds Off channel Scan Frequency Configure the time duration in seconds between two consecutive Off Channel Scans Set a duration between 1 60 seconds Meshpoint Root Sample Count Configure the number of scans to be performed for data collection ...

Page 262: ...1ac Priority Meshpoint Configure the mesh point monitored for automatic channel scan This is the mesh point given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected SNR Delta Configure the signal to noise ratio delta value for path selection When path selection happens this value is considered ...

Page 263: ...efault value 20 MHz Indicates the width between two adjacent channels is 20 MHz 40 MHz Indicates the width between two adjacent channels is 40 MHz 80 MHz Indicates the width between tow adjacent channels is 80 MHz This is only available on access points that support 802 11ac Priority Meshpoint Configure the mesh point monitored for automatic channel scan This is the mesh point given priority over ...

Page 264: ...nfiguration on page 5 252 Disable A MPDU Aggregation if the intended vehicular speed is greater than 30 mph For more information see Radio Override Configuration on page 5 252 Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automatic channel selection for mesh point selection Set a value in between 800 65535 Meshpoint Tolerance Period Configure the time durati...

Page 265: ...he UI 4 Expand the Advanced menu item The following items are available as advanced access point profile configuration options Advanced Profile Client Load Balancing Configuring MINT Protocol Advanced Profile Miscellaneous Configuration 5 2 13 1 Advanced Profile Client Load Balancing Advanced Profile Configuration Use the screen to administer the client load across an access point s radios When a ...

Page 266: ...r weight to radio traffic on either the 2 4 or 5 0 GHz band This setting is enabled by default Use probes from common clients Select this option to use probes from shared clients in the neighbor selection process This feature is enabled by default to provide the best common group of available clients amongst access points in neighbor selection Use notifications from roamed clients Select this opti...

Page 267: ...GHz Use the spinner control to set a loading ratio from 0 10 the access point 2 4 GHz radio uses in respect to radio traffic load on the 2 4 GHz band This allows an administrator to weight the traffic load if wishing to prioritize client traffic on the 2 4 GHz radio band The higher the value set the greater the weight assigned to radio traffic load on the 2 4 GHz radio band The default setting is ...

Page 268: ...nnel designations The default is 5 Weightage given to Client Count Use the spinner control to assign a weight from 0 100 the access point uses to prioritize 2 4GHz radio client count in the 2 4GHz radio load calculation Assign this value higher this 2 4GHz radio is intended to support numerous clients and their throughput is secondary to maintaining association The default setting is 90 Weightage ...

Page 269: ...ered Equal Use the spinner control to set a value from 0 100 considered an adequate discrepancy or deviation when comparing access point radio load balances The default setting is 1 Thus using a default setting of 10 means 10 is considered inconsequential when comparing access point radio load balances Weightage given to Client Count Use the spinner control to assign a weight from 0 100 the access...

Page 270: ...res users know about certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MINT are such that these scenarios continue to function as e...

Page 271: ...ofile Configuration MINT Protocol screen IP tab 10 Select Add to create a new Link IP configuration or Edit to modify an existing MINT configuration Designated IS Priority Adjustment Use the spinner control to set a Designated IS Priority Adjustment setting from 255 and 255 This is the value added to the base level DIS priority to influence the Designated IS DIS election A value of 1 or greater in...

Page 272: ... can be created by configuring a matching pair of links one on each end point However that is error prone and does not scale So UDP IP links can also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link as a forced link Link Cost Use the spinner control to define a link cost from 1 10 000 The default value is 1...

Page 273: ...MINT VLAN configuration NOTE If creating a mesh link between two access points in Standalone AP mode you will need to ensure a VLAN is available to provide the necessary MINT link between the two Standalone APs VLAN If adding a new VLAN define a VLAN ID from 1 4 094 used by peers for interoperation when supporting the MINT protocol Routing Level If adding a new VLAN use the spinner control to defi...

Page 274: ...to save the updates to the MINT Protocol configuration Select Reset to revert to the last saved configuration Adjacency Hold Time Set a hold time interval in either Seconds 2 600 or Minutes 1 10 for the transmission of hello packets The default interval is 13 seconds ...

Page 275: ... as they have been reported to disturb their patients this setting however is enabled by default Select the Flash Pattern radio button to enable the access point to blink in a manner that is different from its operational LED behavior Enabling this option allows an administrator to validate that the access point has received its configuration from its managing controller during staging In the stag...

Page 276: ...t saved configuration 5 2 14 Environmental Sensor Configuration System Profile Configuration An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point It provides a variety of sensing mechanisms allowing the monitoring and reporting of the AP8132 s radio coverage area The output of the sensor s detection mechanisms are viewable using the Environmental Sensor s...

Page 277: ...set threshold If enabled select All both AP8132 radios radio 1 or radio 2 Low Limit of Light Threshold Set the low threshold limit from 0 1 000 lux to determine whether the lighting is off in the AP8132 s deployment location The default is 100 High Limit of Light Threshold Set the upper threshold limit from 100 10 000 lux to determine whether the lighting is on in the AP8132 s deployment location ...

Page 278: ...Standalone APs of the same model can have their Virtual Controller AP designation changed 5 Either select an access point from those displayed and select Edit or use the device browser in the lower left hand side of the UI to select an access point NOTE If designating the access point as a Standalone AP it is recommended that the access point s UI be used exclusively to define its device configura...

Page 279: ... Virtual Controller AP to Standalone AP to compensate for a new Virtual Controller AP designation 7 Select the Adopt Unknown APs Automatically option to allow a Virtual Controller to adopt APs it does not recognize While this option may help in the administration and management of all the APs in the network it introduces the risk of allowing device association to a potential rogue device Consequen...

Page 280: ...nt location defined Additionally the number of permitted licenses needs to be accessed to determine whether new devices can be adopted if in Virtual Controller AP mode To override a managed device s basic configuration 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides 4 Select a target device MAC address from either the device browser in the lower left hand ...

Page 281: ...e Optionally provide the longitude coordinate where the device is located The valid value for this field is in the range 180 0000 degrees to 180 0000 degrees When provided this enables the device to be mapped on the geolocation map Area Assign the access point an Area representative of the location the access point is physically deployed The name cannot exceed 64 characters Assigning an area is he...

Page 282: ... by the CA s private key Depending on the public key infrastructure the digital certificate includes the owner s public key the certificate expiration date the owner s name and other public key owner information Each certificate is digitally signed by a trustpoint The trustpoint signing the certificate can be a certificate authority corporation or individual A trustpoint represents a CA identity p...

Page 283: ...t saved configuration HTTPS Trustpoint Either use the default trustpoint or select the Stored radio button to enable a drop down menu where an existing certificate trustpoint can be leveraged To leverage an existing device certificate for use with this target device select the Launch Manager button For more information see Manage Certificates on page 5 200 SSH RSA Key Either use the default_rsa_ke...

Page 284: ...selected device an existing stored certificate can be leveraged from a different device Device certificates can be imported and exported to a secure remote location for archive and retrieval as required for application to other devices To configure trustpoints for use with certificates 1 Select Launch Manager from either the HTTPS Trustpoint SSH RSA Key or RADIUS Server Certificate parameters Figu...

Page 285: ...he Certificate Management screen with a CRL that CRL can be imported A certificate revocation list CRL is a list of revoked certificates or certificates no longer valid A certificate can be revoked if the CA improperly issued a certificate or if a private key is compromised The most common reason for revocation is the user no longer being in sole possession of the private key Import Select the typ...

Page 286: ...r or file server for certificate deployment or export it in to an Active Directory Group Policy for automatic root certificate deployment Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key If there are more than one RADIUS authentication servers export the certificate and do not generate a second key unless you want to deploy two root cer...

Page 287: ...he number of additional fields that populate the screen is dependent on the selected protocol This option is only available when the Basic link is clicked Protocol Select the protocol used for exporting the target trustpoint Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If using Advanced settings use the spinner control to set the port This option is not valid for cf usb...

Page 288: ...ew key or import or export an existing key to and from a remote location Rivest Shamir and Adleman RSA is an algorithm for public key cryptography It s an algorithm that can be used for certificate signing and encryption When a device trustpoint is created the RSA key is the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import exp...

Page 289: ... current RSA key configuration Each key can have its size and character syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select the Generate Key button to create a new key ...

Page 290: ...ertificate select the Import button from the RSA Keys screen Figure 5 137 Certificate Management Import New RSA Key screen 8 Define the following configuration parameters required to import a RSA key Key Name Enter the 32 character maximum name assigned to the RSA key Key Size Use the spinner control to set the size of the key from 2 048 or 4096 bits It is recommended leaving this value at the def...

Page 291: ...plete URL to the location of the RSA key This option is only available when the Basic link is clicked Protocol If selecting Advanced select the protocol used for importing the target key Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If selecting Advanced use the spinner control to set the port This option is not valid for cf usb1 usb2 usb3 and usb4 Host If selecting Adva...

Page 292: ...ect the Show option to expose the actual characters used in the passphrase Leaving the Show option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key This option is only available when the Basic link is clicked Protocol If selecting Advanced select the protocol used for exporting the RSA key Available options include tftp ftp sftp ht...

Page 293: ...cate signed by its own creator with the certificate creator responsible for its legitimacy To create a self signed certificate 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create Certificate tab from the menu on the Certificate Management screen Host If selecting Advanced provide the hostnam...

Page 294: ...to select the existing key used by both the device and the server or repository of the target RSA key Create New Select this option to create a new RSA key Provide a 32 character name to identify the RSA key Use the spinner control to set the size of the key from 2 048 or 4 096 bits It is recommended leaving this value at the default setting 2048 to ensure optimum functionality For more informatio...

Page 295: ...uccessful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select the Launch Manager button from either the SSH RSA Key or RADIUS Server Certificate parameters within the Certificate Management screen 2 Select Create CSR tab from the menu on the Certificate Management screen State ST Enter a State for the state or province name used in the cert...

Page 296: ... Existing Select this option to use an existing RSA key Use the drop down menu to select the existing key used by both the device and the server or repository of the target RSA key Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user configured to manually enter the credentials of the self signed certific...

Page 297: ... an AP6532 RF Domain override can only be applied to another AP6532 model access point To define a device s RF Domain override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select RF Domain Overrides Organizational Unit OU Ent...

Page 298: ...pplied To remove a device s override go to the Basic Configuration screen s Device Overrides field and then select the Clear Overrides button Location Set the deployment location for the access point as part of its RF Domain configuration Contact Set the administrative contact for the access point This should reflect the administrator responsible for the access point s configuration and wireless n...

Page 299: ...other data protection option to utilize with a device profile 802 1X is an IEEE standard for media level Layer 2 access control offering the capability to permit or deny network connectivity based on the identity of the user or device 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides from the options on left hand side of the UI 4 Select a target device from ...

Page 300: ...des to define configurations overriding the parameters set by the target device s original profile configuration To define a general profile override configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select Device Overrides from t...

Page 301: ... last saved configuration NOTE A blue override icon to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device AutoKey Select this option to enable an autokey configuration for the NTP resource This is a key randomly gener...

Page 302: ...ile Interface Override Configuration Overriding the Network Configuration Overriding a Security Configuration Overriding the Virtual Router Redundancy Protocol VRRP Configuration Profile Critical Resources Overriding a Services Configuration Overriding a Management Configuration Overriding Mesh Point Configuration Overriding an Advanced Configuration Overriding Environmental Sensor Configuration ...

Page 303: ... run the access point with all intended interfaces enabled some of the following interfaces could be disabled or modified The access point s transmit and receive algorithms could be negatively impacted The access point s transmit power could be reduced due to insufficient power The access point s WAN port configuration could be changed either enabled or disabled To define an access point s power c...

Page 304: ...nd the radio s 802 3at Power Mode Use the drop down menu to define a mode of either Range or Throughput Select Throughput to transmit packets at the radio s highest defined basic rate based on the radio s current basic rate settings This option is optimal in environments where the transmission range is secondary to broadcast multicast transmission performance Select Range when range is preferred o...

Page 305: ...ccess point solicits and receives adoption responses from Virtual Controllers available on the network To define an access point s Virtual Controller configuration or apply an override to an existing parameter 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand s...

Page 306: ... messages serve as a connection validation mechanism to keep the access point adopted to its wireless controller Set a value from 1 120 seconds 10 Define the Adjacency Hold Time value for this device This is the amount of time before the preferred controller group is considered down and unavailable to provide services Set a value from 2 600 seconds Auto Provisioning Policy Select an auto provision...

Page 307: ...name Once defined provide the numerical IP or hostname A hostname cannot exceed 64 characters Pool Use the spinner controller to set a pool of either 1 or 2 This is the pool the target Virtual Controller belongs to The default setting is 1 Routing Level Use the spinner controller to set the routing level for the Virtual Controller link The default setting is 1 IPSec Support Select to enable secure...

Page 308: ...ort Override Configuration Profile Interface Override Configuration Use an Ethernet Port override to change modify parameters of an access point s Ethernet Port configuration The following ports are available on supported access point models AP6511 fe1 fe2 fe3 fe4 up1 POE LAN AP6521 GE1 POE LAN AP6522 AP6522M GE1 POE LAN AP6532 GE1 POE LAN AP6562 GE1 POE LAN AP7131 GE1 POE LAN GE2 WAN AP7161 GE1 P...

Page 309: ...tive and currently enabled with the profile A red X defines the port as currently disabled and not available for use The interface status can be modified with the port configuration as required Mode Displays the profile s current switching mode as either Access or Trunk as defined within the Ethernet Port Basic Configuration screen If Access is selected the listed port accepts packets only from th...

Page 310: ...to the appropriate VLAN When a frame is received with no 802 1Q header the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802 1Q frame is included in the frame Allowed VLANs Displays the VLANs allowed to send packets over the listed port Allowed VLANs are only li...

Page 311: ...rtise its presence to neighbors Cisco Discover Protocol Transmit Select this option to allow the Cisco discovery protocol for transmitting data on this port If enabled the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors Link Layer Discovery Protocol Receive Select this option to allow the Link Layer discovery protocol to be received on this p...

Page 312: ...successful If Always is selected captive portal policies are enforced regardless of whether the client s MAC address is in the RADIUS server s user database 12 Optionally select the Port Channel Membership option and define or override a setting from 1 8 using the spinner control This sets the channel group for the port 13 Select OK to save the changes made to the Ethernet Port Basic Configuration...

Page 313: ...proper sequencing or duplicate delivery unlike TCP IPv4 hosts can use link local addressing to provide local connectivity Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific firewall rules to apply to this profile s Ethernet port configuration IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPV6 provides enhanced identification and locati...

Page 314: ...ct existing Trust ND Requests Select this option to enable the trust of neighbor discovery requests required on an IPv6 network on this Ethernet port This setting is disabled by default Trust DHCPv6 Responses Select this option to enable the trust all DHCPv6 responses on this Ethernet port DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configurati...

Page 315: ... reauthentication attempts when a port tries to reauthenticate and fails Once this count exceeds the port is considered unauthorized Quiet Period Set the duration in seconds where no attempt is made to reauthenticate a controlled port Set a value from 0 65535 seconds Reauthenticate Period Set the duration after which a controlled port is forced to reauthenticate Set a value from 0 65535 seconds Po...

Page 316: ...TP provides an extension to RSTP to optimize the usefulness of VLANs MSTOP allows for a separate spanning tree for each VLAN group and blocks all but one of the possible alternate paths within each spanning tree topology If there is just one VLAN in the access point managed network a single spanning tree works fine However if the network contains more than one VLAN the network topology defined by ...

Page 317: ...e state is changed to Forwarding Select Root to enable this feature Select None to disable 27 Select the Enable Port Fast option to enable or disable PortFast PortFast enables reducing the time taken for a port to complete the MSTP state changes from Blocked to Forward PortFast must only be enabled on ports on the wireless controller which are directly connected to a Server Workstation and not to ...

Page 318: ...iew existing Virtual Interface configurations and either create a new Virtual Interface configuration modify override an existing configuration or delete an existing configuration 1 Select the Configuration tab from the Web UI 2 Select Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Select Interfa...

Page 319: ...he name of each listed Virtual Interface assigned when it was created The name is from 1 4094 and cannot be modified as part of a Virtual Interface edit Type Displays the type of Virtual Interface for each listed interface Description Displays the description defined for the Virtual Interface when it was either initially created or edited Admin Status A green check mark defines the listed Virtual ...

Page 320: ...N It allows users to set up a network without any configuration Services such as printers scanners and file sharing servers can be found using Bonjour Bonjour only works within a single broadcast domain However with special DNS configuration it can be extended to find services across broadcast domains From the drop down select the Bonjour Gateway discover policy Select the Create icon to define a ...

Page 321: ...smit Any messages larger than the MTU are divided into smaller packets before being sent A PPPoE client should be able to maintain its point to point connection for this defined MTU size The default MTU is 1 492 IPv6 MTU Set an IPv6 MTU for this virtual interface from 1 280 1 500 A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads such as he...

Page 322: ...nternet layer configuration parameters Enable Zero Configuration Zero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings...

Page 323: ...efine up to 15 global IPv6 IP addresses that can created statically IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MAC is initially separated into ...

Page 324: ...lay enhances an extended DHCP relay agent by providing support in IPv6 DHCP relays exchange messages between a DHCPv6 server and client A client and relay agent exist on the same link When A DHCP request is received from the client the relay agent creates a relay forward message and sends it to a specified server address If no addresses are specified the relay agent forwards the message to all DHC...

Page 325: ...ter an address for the DHCPv6 relay These DHCPv6 relay receive messages from DHCPv6 clients and forward them to DHCPv6 servers The DHCPv6 server sends responses back to the relay and the relay then sends these responses to the client on the local network Interface Select this option to enable a spinner control to define a VLAN ID from 1 4 094 used as the virtual interface for the DHCPv6 relay The ...

Page 326: ... ISP to automate the process of providing and informing the prefixes used Prefix or ID Set the actual prefix or ID used with the IPv6 router advertisement Site Prefix The site prefix is added into a router advertisement prefix The site address prefix signifies the address is only on the local link Valid Lifetime Type Set the lifetime for the prefix s validity Options include External fixed decreme...

Page 327: ... fixed just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity If set to decrementing use the lifetime date and time settings to refine the prefix expiry period If the value is set for infinite no additional date or time settings are required for the prefix and the prefix will not expire The default setting is External fixed Preferred Lifetime Sec If th...

Page 328: ...ress autoconfiguration IPv4 hosts can use link local addressing to provide local connectivity Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific inbound firewall rules to apply to this profile s virtual interface configuration Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration IPv6 is the l...

Page 329: ...network by maintaining a complete topology table of the network and sends the updates to the other routers in the network using multicast Setting a high value increases the chance of this interface becoming a DR Setting this value to Zero 0 prevents this interface from being elected a DR Cost Select this option to enable or disable OSPF cost settings Use the spinner to configure a cost value from ...

Page 330: ...lect Devices from the Configuration tab 3 Select Device Overrides 4 Select a target device from the device browser in the lower left hand side of the UI 5 Expand the Interface menu and select Port Channels Figure 5 161 Device Overrides Port Channels screen 6 Refer to the following to review existing port channel configurations and their current status Key ID Set the unique MD5 Authentication key I...

Page 331: ...intended function Admin Status Select the Enabled radio button to define this port channel as active to the profile it supports Select the Disabled radio button to disable this port channel configuration within the profile It can be activated at any future time when needed The default setting is disabled Speed Select the speed at which the port channel can receive and transmit the data Select eith...

Page 332: ... to Trunk the port channel allows packets from a list of VLANs you add to the trunk A port channel configured as Trunk supports multiple 802 1Q tagged VLANs and one Native VLAN which can be tagged or untagged Access is the default setting Native VLAN Use the spinner control to define a numerical ID from 1 4094 The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no...

Page 333: ...ly to this profile s port channel configuration IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons If a firewall rule does not exist suiting the data prot...

Page 334: ...equests Select this option to enable the trust of neighbor discovery requests required on an IPv6 network This setting is disabled by default Trust DHCPv6 Responses Select this option to enable the trust all DHCPv6 responses DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configuration attributes required on an IPv6 network This setting is enabled ...

Page 335: ...on to define this port as an edge port Using an edge private port you can isolate devices to prevent connectivity over this port channel This setting is disabled by default Link Type Select either the Point to Point or Shared radio button Selecting Point to Point indicates the port should be treated as connected to a point to point link Selecting Shared means this port should be treated as having ...

Page 336: ...es 24 Select OK to save the changes made to the Ethernet Port Spanning Tree configuration Select Reset to revert to the last saved configuration 5 4 5 3 4 Radio Override Configuration Profile Interface Override Configuration Access points can have their radio profile configurations overridden if a portion of a profile is no longer relevant to the access point s deployment objective To define a rad...

Page 337: ... radio provided by the administrator when the radio s configuration was added or modified Admin Status Defines the radio as either enabled or disabled for client or sensor support RF Mode Displays whether each listed radio is operating in the 802 11a n or 802 11b g n radio band If the radio is a dedicated sensor it will be listed as a sensor to define the radio as not providing typical WLAN suppor...

Page 338: ... it unavailable Radio QoS Policy Use the drop down menu to specify an existing QoS policy to apply to the access point radio in respect to its intended radio traffic If there is no existing QoS policy suiting the radio s intended operation select the Create icon Association ACL Use the drop down menu to specify an existing Association ACL policy to apply to the radio An Association ACL is a policy...

Page 339: ...hen selected the radio can return back to its original channel of operation once the thirty minute period is over When not selected the radio cannot return back to its original channel of operation ever after the mandatory thirty minute evacuation period is over Transmit Power Set the transmit power of the selected access point radio If using a dual or a three radio model AP7131 each radio should ...

Page 340: ...y support basic MCS as well as non 11n basic rates For more information on 802 11n MCS rates see MCS Data Rates on page 5 57 Radio Placement Use the drop down menu to specify whether the radio is located Indoors or Outdoors The placement should depend on the selected country of operation and its regulatory domain requirements for radio emissions The default setting is Indoors Max Clients Use the s...

Page 341: ...es This consumes more bandwidth because of additional latency RTS CTS exchanges before transmissions can commence A disadvantage is the reduction in data frame throughput An advantage is quicker system recovery from electromagnetic interference and data collisions Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold A higher RTS thresho...

Page 342: ... buttons to assign WLANs and mesh points to the available BSSIDs Administrators can assign each WLAN its own BSSID If using a single radio AP6511 or AP6521 access point there are 8 BSSIDs available If using a dual radio model access point there are 16 BSSIDs for the 802 11b g n radio and 16 BSSIDs for the 802 11a n radio 14 Select OK to save the changes and overrides to the WLAN Mapping Select Res...

Page 343: ...changes to the Mesh configuration Select Reset to revert to the last saved configuration 20 Select the Advanced Settings tab Mesh Options include Client Portal and Disabled Select Client to scan for mesh portals or nodes that have connection to portals and connect through them Portal operation begins beaconing immediately and accepts connections from other mesh supported nodes In general the porta...

Page 344: ...lude Transmit Only Receive Only Transmit and Receive and None The default value is Transmit and Receive Using the default value long frames can be both sent and received up to 64 KB When enabled define either a transmit or receive limit or both Minimum Gap Between Frames Use the drop down menu to define the minimum gap between A MPDU frames in microseconds The default value is auto which indicates...

Page 345: ... do off channel scan 33 Use the Scan Interval spinner to set the time duration in DTIM period between 2 off channel scans 34 Use the Sniffer Redirect field to provide the IP address of the device to which the captured off channel scan packets are redirected to 35 Select OK to save or override the changes to the Advanced Settings screen Select Reset to revert to the last saved configuration Forward...

Page 346: ... on the network PPP is a full duplex protocol used on various physical media including twisted pair or fiber optic lines or satellite transmission It uses a variation of High Speed Data Link Control HDLC for packet encapsulation For a list of supported 3G cards see WAN Backhaul Configuration on page 5 60 To define a WAN Backhaul configuration override for a supported access point 1 Select Devices ...

Page 347: ... etc for access to high speed data and broadband networks Most DSL providers are currently supporting or deploying the PPPoE protocol PPPoE uses standard encryption authentication and compression methods as specified by the PPPoE protocol PPPoE enables WiNG supported controllers and access points to establish a point to point connection to an ISP over existing Ethernet interface To provide this po...

Page 348: ...he access point initiates a PPPoE session it first performs a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID In discovery the PPPoE client discovers a server to host the PPPoE connection To create a PPPoE point to point configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub ...

Page 349: ...ult setting is disabled Service Enter the 128 character maximum PPPoE client service name provided by the service provider DSL Modem Network VLAN Use the spinner control to set the PPPoE VLAN client local network connected to the DSL modem This is the local network connected to DSL modem The available range is 1 4 094 The default VLAN is VLAN1 Client IP Address Provide the numerical non hostname I...

Page 350: ... Authentication Type Use the drop down menu to specify authentication type used by the PPPoE client and whose credentials must be shared by its peer access point Supported authentication options include None PAP CHAP MSCHAP and MSCHAP v2 Maximum Transmission Unit MTU Set the PPPoE client Maximum Transmission Unit MTU from 500 1 492 The MTU is the largest physical packet size in bytes a network can...

Page 351: ...ation Overriding a Miscellaneous Network Configuration Overriding Alias Configuration 5 4 5 4 1 Overriding the DNS Configuration Overriding the Network Configuration Domain Naming System DNS DNS is a hierarchical naming system for resources connected to the Internet or a private network Primarily DNS resources translate domain names into IP addresses If one DNS server doesn t know how to translate...

Page 352: ...ation screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Enable Domain Lookup Select this option to enable DNS on the access point When enabled human friendly domain names can be converted into numerical IP destination addresses The radio button is selected by default Enable DNS Server Forwarding Select this option to enable the forwarding DNS...

Page 353: ...ght packet length and format and sent to the destination If no entry is found for the IP address ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows it has that IP address associated with it A machine that recognizes the IP address as its own returns a reply indicating as such ARP updates the ARP cache for future reference and then sends t...

Page 354: ...mmunicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID The working status of a pseudowire is reflected by the state of the L2TP V3 session If a L2TP V3 session is down the pseudowire associated with it must be shut down The L2TP V3 control connection keep alive mechanism...

Page 355: ...maximum hostname to specify the name of the host that sent tunnel messages Tunnel establishment involves exchanging 3 message types SCCRQ SCCRP and SCCN with the peer Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host Router ID Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages AVP messages assist in the identificatio...

Page 356: ...ter ID to capture and log L2TPv3 events Use Any to log all routers Name Displays the name of each listed L2TPv3 tunnel assigned upon creation Local IP Address Lists the IP address assigned as the local tunnel end point address not the interface IP address This IP is used as the tunnel source IP address If this parameter is not specified the source IP address is chosen automatically based on the tu...

Page 357: ...ddresses A critical resource if not available can result in the network suffering performance degradation A critical resource can be a gateway AAA server WAN interface or any hardware or service on which the stability of the network depends Critical resources are pinged regularly If there is a connectivity issue an event is generated stating a critical resource is unavailable Peer IP Address Displ...

Page 358: ...dress This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests MTU Set the maximum transmission unit MTU The MTU is the size in bytes of the largest protocol data unit the layer can pass between tunnel peers Define a MTU from 128 1 460 bytes The default setting is 1 460 A larger MTU means processing fewer packets for the same amount of data Use Tu...

Page 359: ...ave the direction burst size and traffic rate settings applied Direction Select the direction for L2TPv3 tunnel traffic rate limiting Egress traffic is outbound L2TPv3 tunnel data coming to the controller service platform or access point Ingress traffic is inbound L2TPv3 tunnel data coming to the controller service platform or access point Maximum Burst Size Set the maximum burst size for egress o...

Page 360: ...ary peer for tunnel failover If the peer is not specified tunnel establishment does not occur However if a peer tries to establish a tunnel with this access point it creates the tunnel if the hostname and or router ID matches Peer IP Address Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment Host Name Assign the peer a hostname t...

Page 361: ...omatically based on the tunnel peer IP address This parameter is applicable when establishing the session and responding to incoming requests Local Session ID Displays the numeric identifier assigned to each listed tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in a session establishment message to the L2TP peer MTU Displays each sessions s maximum transmission...

Page 362: ...tunnel When responding to incoming tunnel create requests it would use the IP address on which it had received the tunnel create request IP Set the IP address of an L2TP tunnel peer This is the peer allowed to establish the tunnel Local Session ID Set the numeric identifier for the tunnel session This is the pseudowire ID for the session This pseudowire ID is sent in session establishment message ...

Page 363: ...the Web UI 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Select IGMP Snooping Encapsulation Select either IP or UDP as the peer encapsulation protocol The default setting is IP UDP uses a simple transmission model without impli...

Page 364: ...e IGMP querier role An IGMP querier sends out periodic IGMP query packets Interested hosts reply with an IGMP report packet IGMP snooping is only conducted on wireless radios IGMP multicast packets are flooded on wired ports IGMP multicast packet are not flooded on the wired port IGMP membership is also learnt on it and only if present then forwarded on that port An AP71xx model access point can a...

Page 365: ... or access point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces To set an IPv6 MLD snooping configuration for the profile 1 Select the Configuration tab from the Web UI 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the low...

Page 366: ...st group address Multicast packets are delivered to a group using best effort reliability just like IPv6 unicast MLD snooping is disabled by default Forward Unknown Multicast Packets Use this option to either enable or disable IPv6 unknown multicast forwarding This setting is enabled by default Enable MLD Querier Select this option to enable MLD querier on the controller service platform or access...

Page 367: ... an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device DSCP Lists the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification 802 1p Priority Assign a 802 1p priority as a 3 bit IP precedence value in the Type of Service field of the IP header used to set the priori...

Page 368: ...educe the number of BPDUs required to communicate spanning tree information for each VLAN but it also ensures backward compatibility with RSTP MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigne...

Page 369: ...20 MST Config Name Define a 64 character maximum name for the MST region as an identifier MST Revision Level Set a numeric revision value ID for MST configuration information Set a value from 0 255 The default setting is 0 Cisco MSTP Interoperability Select either the Enable or Disable radio buttons to enable disable interoperability with Cisco s version of MSTP which is incompatible with standard...

Page 370: ...ttached to a port it does not immediately start to forward data It first processes BPDUs and determines the network topology When a host is attached the port always goes into the forwarding state after a delay of while it goes through the listening and learning states The time spent in the listening and learning states is defined by the forward delay 15 seconds by default Maximum Age Use the spinn...

Page 371: ...vided in the route table This option is enabled by default 7 Select the Policy Based Routing policy to apply to this profile Click the Create icon to create a policy based route or click the Edit to edit an existing policy after selecting it in the drop down list For more information on policy based routing see Policy Based Routing PBR on page 7 2 8 Select Add Row as needed to include single rows ...

Page 372: ... 14 Select Unique Local Address Reject Route to reject Unique Local Address ULA ULA is an IPv6 address block fc00 7 that is an approximate IPv6 counterpart to IPv4 private addresses When selected a reject entry is added to the IPv6 routing table to reject packets with Unique Local Address Static Default Route Priority Use the spinner control to set the priority value 1 8 000 for the default static...

Page 373: ...ert to the last saved configuration RA Convert Select this option to convert multicast router advertisements RA to unicast router advertisements at the dot11 layer Unicast addresses identify a single network interface whereas a multicast address is used by multiple hosts This setting is disabled by default Throttle Select this option to throttle RAs before converting to unicast Once enabled set th...

Page 374: ...ts external to the autonomous system AS and routing from within the area is based entirely on a default route totally stub A totally stubby area does not allow summary routes and external routes that is The only way for traffic to get routed outside of the area is A default route is the only way to route traffic outside of the area When there is only one route out of the area fewer routing decisio...

Page 375: ...does not have to be a part of any routable subnet in the network Auto Cost Select this option to specify the reference bandwidth in Mbps used to calculate the OSPF interface cost if OSPF is either STUB or NSSA The default setting is 1 Passive Mode on All Interfaces When selected all layer 3 interfaces are set as an OSPF passive interface This setting is disabled by default Passive Removed If enabl...

Page 376: ...e area Areas limit LSAs and encourage aggregate routes VRRP Mode Check Select this option to enable checking VRRP state If the interface s VRRP state is not Backup then the interface is published via OSPF Number of Routes Use the spinner controller to set the maximum number of OSPN routes permitted The available range is from 1 4 294 967 295 Retry Count Set the maximum number of retries OSPF reset...

Page 377: ... new OSPF configuration Edit to modify an existing configuration or Delete to remove a configuration Area ID Displays either the IP address or integer representing the OSPF area Authentication Type Lists the authentication schemes used to validate the credentials of dynamic route connections Type Lists the OSPF area type in each listed configuration ...

Page 378: ...ation Type Select either None simple password or message digest as credential validation scheme used with the OSPF dynamic route The default setting is None Type Set the OSPF area type as either stub totally stub nssa totally nssa or non stub Default Cost Select this option to set the default summary cost advertised if creating a stub Set a value from 1 16 777 215 Translate Type Define how message...

Page 379: ...iguration Type Displays the type of interface Description Lists each interface s 32 character maximum description Admin Status Displays whether Admin Status privileges have been enabled or disabled for the OSPF route s virtual interface connection VLAN Lists the VLAN IDs set for each listed OSPF route virtual interface IP Address Displays the IP addresses defined as virtual interfaces for dynamic ...

Page 380: ...rk to its intended destination On the way out the source IP address is changed in the header and replaced by the public IP address Outside Packets passing through the NAT on the way back to the LAN are searched against the records kept by the NAT engine There the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network None...

Page 381: ... advertisements contain prefixes used for link determination address configuration and maximum hop limits This setting is enabled by default Stateless DHCPv6 Client Select this option to request information from the DHCPv6 server using stateless DHCPv6 DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configuration attributes required on an IPv6 netw...

Page 382: ...llow router advertisements over this virtual interface IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages When first connected to a network a host sends a link local router solicitation multicast request for its configuration parameters routers respond to such a request with a router adverti...

Page 383: ...ero configuration can be a means of providing a primary or secondary IP addresses for the virtual interface Zero configuration or zero config is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect based on a user s preferences and various default settings Zero config can be used instead of a wireless network utility fro...

Page 384: ... default IPv6 Address Static Define up to 15 global IPv6 IP addresses that can created statically IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons IPv6 Address Static using EUI64 Optionally set up to 15 global IPv6 IP addresses in the EUI 64 format that can created statically The IPv6 EUI 64 format address is obtained through a 48 bit MAC address The MA...

Page 385: ...terface of the DHCPv6 relay The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6 DHCP relays exchange messages between a DHCPv6 server and client A client and relay agent exist on the same link When A DHCP request is received from the client the relay agent creates a relay forward message and sends it to a specified server address If no addresses are specified the re...

Page 386: ...licitation requests The advertisement includes IPv6 prefixes and other subnet and host information 44 Review the configurations of existing IPv6 advertisement policies If needed select Add Row to define the configuration of an additional IPv6 RA prefix Address Enter an address for the DHCPv6 relay These DHCPv6 relay receive messages from DHCPv6 clients and forward them to DHCPv6 servers The DHCPv6...

Page 387: ...ix signifies the address is only on the local link Valid Lifetime Type Set the lifetime for the prefix s validity Options include External fixed decrementing and infinite If set to External fixed just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity If set to decrementing use the lifetime date and time settings to refine the prefix expiry period If th...

Page 388: ...fine the prefix expiry period If the value is set for infinite no additional date or time settings are required for the prefix and the prefix will not expire The default setting is External fixed Preferred Lifetime Sec If the administrator preferred lifetime type is set to External fixed set the Seconds Minutes Hours or Days value used to measurement criteria for the prefix s expiration 30 days 0 ...

Page 389: ...t the Edit icon to modify an existing configuration IPv6 is the latest revision of the Internet Protocol IP replacing IPv4 IPV6 provides enhanced identification and location information for systems routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons 50 Select the VPN Crypto Map to use with this VLAN configuration Use the dr...

Page 390: ...ther similar device models To define or override a forwarding database configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options Priority Select to enable or disable OSPF priority set...

Page 391: ... filter it If it s determined the destination MAC is on a different network it forwards the packet to the segment If the destination MAC is on the same network segment the packet is dropped filtered 9 Define or override the target VLAN ID if the destination MAC is on a different network segment 10 Provide an Interface Name used as the target destination interface for the target MAC address 11 Sele...

Page 392: ...ctually having to have separate cabling and Ethernet switches To define a Bridge VLAN configuration or override for a device profile 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand its sub menu options 5 Sele...

Page 393: ...poof attacks IPv6 Firewall Lists whether IPv6 is enabled on this Bridge VLAN A green checkmark defines this setting as enabled A red X defines this setting as disabled IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons IPv6 hosts can c...

Page 394: ...ewall on this interface Firewalls generally are configured for all interfaces on a device When configured firewalls generate a large amount of flow tables that store information on the traffic allowed to traverse through the firewall These flow tables occupy a large portion of the limited memory on the device that could be used for other critical purposes With the Per VLAN firewall feature enabled...

Page 395: ... the drop down menu If an appropriate outbound IPv6 ACL is not available select the Create button MAC Outbound Tunnel ACL Select a MAC Outbound Tunnel ACL for outbound traffic from the drop down menu If an appropriate outbound MAC ACL is not available select the Create button Tunnel Over Level 2 Select this option to allow VLAN traffic to be tunneled over level 2 links This setting is disabled by ...

Page 396: ...ooping tab to set or override the IGMP snooping configuration Video Set the random early detection threshold in for video traffic Set a value from 1 100 The default is 25 Voice Set the random early detection threshold in for voice traffic Set a value from 1 100 The default is 25 Trust ARP Responses Select this option to use trusted ARP packets to update the DHCP snoop table to prevent IP spoof and...

Page 397: ...e access point to forward multicast packets from unregistered multicast groups If disabled the Unknown Multicast Forward feature is also disabled for the selected VLANs This setting is enabled by default Interface Name Select the interface used for IGMP snooping over a multicast router Multiple interfaces can be selected Multicast Router Learn Mode Set the learning mode to either pim dvmrp or stat...

Page 398: ...he wired port IGMP membership is also learnt on it and only if present then forwarded on that port Source IP Address Define an IP address applied as the source address in the IGMP query packet This address is used as the default VLAN querier IP address IGMP Version Use the spinner control to set the IGMP version compatibility to IGMP version 1 2 or 3 The default IGMP version is 3 Maximum Response ...

Page 399: ...D snooping to examine MLD packets and support content forwarding on this Bridge VLAN Packets delivered are identified by a single multicast group address Multicast packets are delivered using best effort reliability just like IPv6 unicast MLD snooping is enabled by default Forward Unknown Unicast Packets Use this option to either enable or disable IPv6 unknown multicast forwarding This setting is ...

Page 400: ...o networked neighbors and store information they discover from their peers LLDP is neighbor discovery protocol that defines a method for network access devices using Ethernet connectivity to advertise information about them to peer devices on the same physical LAN and store information about the network It allows a device to learn higher layer management and connection endpoint information from ad...

Page 401: ...en hostnames are used instead of devices To include a hostnames in DHCP request 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI Enable LLDP Select this option to enable LLDP on the access point LLDP is enabled by default When enabled a...

Page 402: ... alias once and use the defined alias across different configuration items such as multiple ACLs Once a configuration item such as an ACL is utilized across remote locations the alias used in the configuration item ACL is modified to meet local deployment requirement Any other ACL or other configuration items using the modified alias also get modified simplifying maintenance at the remote deployme...

Page 403: ...taking care of specific local deployment requirements Alias can be classified as Network Basic Alias Network Group Alias Network Service Alias 5 4 5 4 16Network Basic Alias Overriding Alias Configuration A basic alias is a set of configurations that consist of VLAN host network and address range alias configurations VLAN configuration is a configuration for optimal VLAN re use and management for l...

Page 404: ...yment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN alias can be used to replace VLANs in the following locations Bridge VLAN IP Firewall Rules L2TPv3 Switchport Wireless LANs 7 Select Add Row to define...

Page 405: ...s for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL can be overridden at the remote location to suit their local but remote requirement At the remote location the ACL functions with the 172 16 10 0 24 network A new ACL need not be created specificall...

Page 406: ...e IP address 192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 Host entries eight 8 Network entries and eight 8 IP addresses range entries can be configured inside a network group alias A maximum of 32 network group alias entries can be created A network group alias is used in IP firewall rules to substitute hosts subnet...

Page 407: ...eate a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a blank column if ...

Page 408: ...d to update the network group alias rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting netwo...

Page 409: ...service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Network to expand it and display its sub menus 5 ...

Page 410: ...d a configuration can have an override applied as needed to meet the changing data protection requirements of a NOTE The Network Service Alias Name always starts with a dollar sign Protocol Specify the protocol for which the alias has to be created Use the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protoc...

Page 411: ... to use the inbuilt wizards to override the VPN parameters The user interface provides two 2 wizards that provide different levels of configuration Figure 5 215 Security Configuration Wizard screen The following options are available Quick Setup Wizard Use this wizard to setup basic VPN Tunnel on the device This wizard is aimed at novice users and enables them to setup a basic VPN with minimum eff...

Page 412: ...ined for most of the parameters Figure 5 216 VPN Quick Setup Wizard 1 Provide the following information to configure a VPN tunnel Tunnel Name Provide a name for the tunnel Tunnel name must be such that it easily identifies the tunnel uniquely Tunnel Type Configure the tunnel type as one of the following Site to Site Provides a secured connection between two sites Remote Access Provides access to a...

Page 413: ...rce network along with its mask Destination Provide the destination network along with its mask Peer Configures the peer for this tunnel The peer device can be specified either by its hostname or by its IP address Authentication Configure the authentication used to identify peers The following can be configured Certificate Use a certificate to authenticate Pre Shared Key Use a pre shared key to au...

Page 414: ... tunnel between two remote sites as indicated in the image Remote Access is used to create a tunnel between an user device and a network as indicated in the image Interface Select the interface to use Interface can be a Virtual LAN VLAN or WWAN or PPPoE depending on the interfaces available on the device Traffic Selector ACL This field creates the Access Control List ACL that is used to control wh...

Page 415: ...nfigure the local identity for the VPN Tunnel IP Address The local identity is an IP address FQDN The local identity is a Fully Qualified Domain Name FQDN Email The local identity is an E mail address Remote Identity Configure the remote identity for the VPN Tunnel IP Address The remote identity is an IP address FQDN The remote identity is a Fully Qualified Domain Name FQDN Email The remote identi...

Page 416: ...ncryption The encryption to use for creating the tunnel Authentication The authentication used to identify tunnel peers Mode The mode of the tunnel This is how the tunnel will operate From the drop down select any pre configured Transform Set or click the Create New Policy to create a new transform set Encryption This field is enabled when Create New Policy is selected in Transform Set field This ...

Page 417: ...ntroller with minimum configuration pushed through DHCP option settings 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options Mode This field is enabled when Create New Policy is selected in Transform Set field The mode indicates how packets are transported through the tunnel Tunnel Use this mode when the tunnel is between two...

Page 418: ...n between the remote tunnel peer Key length is between 8 21 characters IKE Version Configure the IKE version to use The available options are ikev1 main ikev1 aggr and ikev2 Enable NAT after IPSec Select this option to enable NAT after IPSec Enable this if there are NATted networks behind VPN tunnels Use Unique ID In scenarios where different access points behind different NAT boxes routers have t...

Page 419: ...con to the left of a parameter defines the parameter as having an override applied To remove an override go to the Basic Configuration screen s Device Overrides field and select Clear Overrides This will remove all overrides from the device Firewall Policy Select the firewall policy used by devices with this profile Use the icons next to this field to create or add new firewall policies WEP Shared...

Page 420: ...ion is the user no longer being in sole possession of the private key To define a Certificate Revocation configuration or override 1 Select Devices from the Configuration tab 2 Select Device Overrides from the Device menu to expand it into sub menu options 3 Select a target device from the device browser in the lower left hand side of the UI 4 Select Security to expand its sub menu options 5 Selec...

Page 421: ...private IP addresses behind a single public facing IP address NAT is a process of modifying network address information in IP packet headers while in transit across a traffic routing device for the purpose of remapping one IP address to another In most deployments NAT is used in conjunction with IP masquerading which hides RFC1918 private IP addresses behind a single public IP address NAT provides...

Page 422: ...AT policy or editing the configuration of an existing policy define the following parameters 9 Select the Add Row button as needed to append additional rows to the IP Address Range table Name If adding a new NAT policy provide a name to help distinguish it from others with similar configurations The length cannot exceed 64 characters IP Address Range Define a range of IP addresses hidden from the ...

Page 423: ...ress to a registered IP address Static address translation hides the actual address of the server from users on insecure interfaces Casual access by unauthorized users becomes much more difficult Static NAT requires a dedicated address on the outside network for each host Figure 5 226 Device Overrides Static NAT screen To map a source IP address from an internal network to a NAT IP address click t...

Page 424: ... a NAT destination Existing NAT destination configurations are not editable Network Select Inside or Outside NAT as the network direction The default setting is Inside Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to ...

Page 425: ...by an IP address and a TCP port number The User Datagram Protocol UDP offers only a minimal transport service non guaranteed datagram delivery and provides applications direct access to the datagram service of the IP layer UDP is used by applications not requiring the level of service of TCP or are using communications services multicast or broadcast delivery not available from TCP The default set...

Page 426: ...is the default setting Select Inside to create a permanent one to one mapping between an address on an internal network and a perimeter or external network To share a Web server on a perimeter interface with the Internet use static address translation to map the actual address to a registered IP address Static address translation hides the actual address of the server from users on insecure interf...

Page 427: ...he dynamic NAT configuration Overload IP If One Global IP Address is selected as the Overload Type define an IP address used as a filter address for the IP ACL rule ACL Precedence Lists the administrator assigned priority set for the listed source list ACL The lower the value listed the higher the priority assigned to this ACL rule Source List ACL Use the drop down menu to select an ACL name to de...

Page 428: ...et Traffic towards the NoC is allowed over the secure tunnel Traffic towards the Internet is switched to a local WLAN link with access to the Internet To define a Bridge NAT configuration that can be applied to a profile 1 Select the Configuration tab from the Web UI 2 Select Devices 3 Select Device Overrides from the options on left hand side of the UI 4 Expand the Security menu and select Bridge...

Page 429: ...utgoing layer 3 interface between source and destination points This is either the access point s pppoe1 or w wan1 interface or the VLAN used as the redirection interface between the source and destination NAT Pool Lists the names of existing NAT pools used with the Bridge NAT configuration This displays only when Overload Type is NAT Pool Overload IP Lists the IP address used to represent a large...

Page 430: ...table to configure IP addresses and address ranges that can used to access the Internet 10 Select Add Row to set the IP address range settings for the Bridge NAT configuration Interface Lists the outgoing layer 3 interface on which traffic is re directed The interface can be an access point WWAN or PPPoE interface Traffic can also be redirected to a designated VLAN NAT Pool Displays the NAT pool u...

Page 431: ... Figure 5 233 Profile Security Source Dynamic NAT screen Add Row field 11 Select OK to save the changes made within the Add Row and Dynamic NAT screens Select Reset to revert to the last saved configuration ...

Page 432: ...tion link layer MAC address equal to the virtual router MAC address Rejects packets addressed to the IP address associated with the virtual router if it is not the IP address owner Accepts packets addressed to the IP address associated with the virtual router if it is the IP address owner or accept mode is true Those nodes that lose the election process enter a backup state In the backup state the...

Page 433: ...D identifies the virtual router a packet is reporting status for Description Displays a description assigned to the VRRP configuration when it was either created or modified The description is implemented to provide additional differentiation beyond the numerical virtual router ID Virtual IP Addresses Lists the virtual interface IP address used as the redundant gateway address for the virtual rout...

Page 434: ...ietf org rfc rfc3768 txt version 2 and http www ietf org rfc rfc5798 txt version 3 7 From within the VRRP tab select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration If necessary existing VRRP configurations can be selected and permanently removed by selecting Delete Figure 5 236 Device Overrides VRRP screen 8 If creating a new VRRP configur...

Page 435: ...reempt a lower priority backup router resource The default setting is enabled When selected the Preempt Delay option becomes enabled to set the actual delay interval for pre emption This setting determines if a node with a higher priority can takeover all the Virtual IPs from the nodes with a lower priority Preempt Delay If the Preempt option is selected use the spinner control to set the delay in...

Page 436: ...P configuration Select Reset to revert to the last saved configuration Network Monitoring Delta Priority Use this setting to decrement the configured priority by the set value when the monitored interface is down When critical resource monitoring the configured value is incremented by the value defined ...

Page 437: ...itical resource on the same subnet as the access point can be monitored by its IP address However a critical resource located on a VLAN must continue to monitored on that VLAN Critical resources can be configured for access points and wireless controllers using their respective profiles To define critical resources 1 Select the Configuration tab from the Web UI 2 Select Device Overrides from the D...

Page 438: ...main manager the current rf domain manager performs resource monitoring and the rest of the devices do not The RF domain manager updates any state changes to the rest of the devices in the RF Domain With the cluster master option the cluster master performs resource monitoring and updates the cluster members with state changes With a controller managed RF Domain Monitoring Criteria should be set t...

Page 439: ... used for this purpose The IP address used for Port Limited Monitoring must be different from the IP address configured on the device 15 Select OK to save the changes to the critical resource configuration and monitor interval Select Reset to revert to the last saved configuration Mode Set the ping mode used when the availability of a critical resource is validated Select from arp only Use the Add...

Page 440: ...aptive portal for use with this profile A captive portal is guest access policy for providing temporary and restrictive access to the network The primary means of securing such guest access is a captive portal A captive portal configuration provides secure authenticated access using a standard Web browser A captive portal provides authenticated access by capturing and re directing a user s Web bro...

Page 441: ...ts across VLANs to enable the Bonjour Gateway device to build a list of services and the VLANs where these services are available 9 Select OK to save the changes or overrides made to the profile s services configuration Select Reset to revert to the last saved configuration 5 4 5 9 Overriding a Management Configuration Device Overrides There are mechanisms to allow deny management access to the ne...

Page 442: ...the profile s logging configuration This option is disabled by default Remote Logging Host Use this table to define numerical non DNS IP addresses for up to three external resources where logged system events can be sent on behalf of the profile Select Clear as needed to remove an IP address Facility to Send Log Messages Use the drop down menu to specify the local server facility if used for the p...

Page 443: ... logging level is 4 Buffered Logging Level Event severity coincides with the buffered logging level defined for the profile Assign a numeric identifier to log events based on criticality Severity levels include 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info and 7 Debug The default logging level is 4 Time to Aggregate Repeated Messages Define the increment or interval system even...

Page 444: ...ure other associated devices are up and running and capable of effectively interoperating The Service Watchdog is enabled by default Enable Configuration Update Select this option to enable automatic configuration file updates for the controller profile from a location external to the access point If enabled the setting is disabled by default provide a complete path to the target configuration fil...

Page 445: ...network becomes unavailable the other nodes in the network are still able to communicate with each other either directly or through intermediate nodes Mesh Point is the name given to a device that is a part of a meshed network Use the Mesh Point screen to configure or override the parameters that set how this device behaves as a part of the mesh network To override Mesh Point configuration 1 Selec...

Page 446: ... Is Root From the drop down menu select the root behavior of this access point Select True to indicate this access point is a root node for this mesh network Select False to indicate this access point is not a root node for this mesh network A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network Root Selection Method Use the drop down...

Page 447: ...to noise ratio is always selected Minimum Threshold Enter the minimum value for SNR above which a candidate for the next hop in a dynamic mesh network is considered This field along with Signal Strength Delta and Sustained Time Period are used to dynamically select the next hop in a dynamic mesh network The default setting is 0 dB Signal Strength Delta Enter a delta value in dB A candidate for sel...

Page 448: ...t the Dynamic Root Selection screen displays NOTE With this release of the WiNG software an AP7161 model access point can be deployed as a Vehicle Mounted Modem VMM to provide wireless network access to a mobile vehicle car train etc A VMM provides layer 2 mobility for connected devices VMM does not provide layer 3 services such as IP mobility For VMM deployment considerations see Vehicle Mounted ...

Page 449: ...t 802 11ac Priority Meshpoint Configure the mesh point to be monitored for automatic channel scan This is the mesh point that given priority over other available mesh points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected Off Channel Duration Configure the duration in the range of 20 250 milliseconds for the Off Channel Duration fie...

Page 450: ...between two adjacent channels is 40 MHz 80 MHz Indicates the width between tow adjacent channels is 80 MHz This is only available on access points that support 802 11ac Priority Meshpoint Configure the mesh point to be monitored for automatic channel scan This is the mesh point that given priority over other available mesh points When configured a mesh is created with this mesh point When not conf...

Page 451: ...e signal to noise threshold value for path selection When the signal strength of the next hop in the mesh network goes below this value a scan is triggered to select a better next hop The default is 65 dB Off channel Duration Configure the duration in the range of 20 250 milliseconds for the Off Channel Duration field This is the duration that the scan dwells on each channel when performing an off...

Page 452: ...points When configured a mesh is created with this mesh point When not configured a mesh point is automatically selected The default is none Meshpoint Path Minimum Configure the minimum path metric value for a mesh connection Set a value between 100 20 000 Meshpoint Path Metric Threshold Configure a minimum threshold value for triggering an automatic channel selection for mesh point selection Set ...

Page 453: ...t is Standard For more information on defining this setting see Radio Override Configuration Disable Dynamic Chain Selection radio setting The default value is enabled This setting is disabled from the Command Line Interface CLI using the dynamic chain selection command or in the UI refer Radio Override Configuration Disable A MPDU Aggregation if the intended vehicular speed is greater than 30 mph...

Page 454: ...ut certificates and PKI However administrators do not need to define security parameters for access points to be adopted secure WISPe being an exception but that isn t a commonly used feature Also users can replace any device on the network or move devices around and they continue to work Default security parameters for MiNT are such that these scenarios continue to function as expected with minim...

Page 455: ...g fields to configure or override it Using probes from common clients Select this option to enable neighbor selection using probe requests from common clients between the neighbor device and this device Using notifications from roamed clients Select this option to enable neighbor selection using notifications from clients roamed from other devices Using smart rf neighbor detection Select this opti...

Page 456: ...as secondary to maintaining client association The default setting is 90 Weightage given to Throughput Use the spinner control to assign a weight between 0 100 the access point uses to prioritize 2 4 and 5 GHz radio throughput in the overall access point load calculation Assign this value higher if throughput and radio performance are considered mission critical within the access point managed net...

Page 457: ...qual Use the spinner control to set a value between 0 100 considered an adequate discrepancy when comparing 2 4 and 5GHz radio band load balances on this access point The default setting is 10 Thus using a default setting of 1 means 1 is considered inconsequential when comparing 2 4 and 5 GHz load balances on this access point Band Ratio 2 4GHz Use the spinner control to set a loading ratio betwee...

Page 458: ... from 0 60 seconds The default setting has the option disabled Max confirmed Neighbors Use the spinner to set the maximum number of learned neighbors stored at this device Minimum signal strength for smart rf neighbors Use the spinner to set the minimum signal strength of neighbor devices that are learnt through Smart RF before being recognized as neighbors Level 1 Area ID Select this option to en...

Page 459: ... shared by the devices managed by the MINT configuration MLCP IP Select this option to enable MINT Link Creation Protocol MLCP by IP Address MINT Link Creation Protocol is used to create one UDP IP link from the device to a neighbor That neighboring device can be another AP MLCP IPv6 Select this option to enable MINT Link Creation Protocol MLCP by IPv6 Address MLCP by IPv6 is used to create one UD...

Page 460: ...displays the IP address Routing Level Listening Link Port Forced Link Link Cost Hello Packet Interval Adjacency Hold Time IPSec Secure and IPSec GW information that managed devices use to securely communicate amongst one another 26 Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration ...

Page 461: ...n also listen in the TCP sense and dynamically create connected UDP IP links when contacted Forced Link Select this option to specify the MiNT link as a forced link This setting is disabled by default Link Cost Use the spinner control to define or override a link cost from 1 10 000 The default value is 100 Hello Packet Interval Set or override an interval in either Seconds 1 120 or Minutes 1 2 for...

Page 462: ...Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another 30 Select Add to create a new VLAN link configuration or Edit to override an existing MINT configuration Figure 5 254 Device Overrides Advanced Profile MINT screen Add VLAN screen 31 Set the following VLAN parameters to complete the MINT configuration NOTE If creating a mesh link between t...

Page 463: ...mum rate sent or received per wireless client It prevents any single user from overwhelming the wireless network It can also provide differential service for service providers Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes Rate limits are extracted from the RADIUS server s response When such attributes are not present the settings defined...

Page 464: ...e the MINT configuration Level Select level2 to apply rate limiting for all links on level2 Protocol Select either mlcp or link as this configuration s rate limit protocol Mint Link Creation Protocol MLCP creates a UDP IP link from the device to a neighbor The neighboring device does not need to be a controller or service platform it can be an access point with a path to the controller or service ...

Page 465: ... 320 kbytes Background Configures the random early detection threshold as a percentage for low priority background traffic Background packets are dropped and a log message generated if the rate exceeds the set value Background traffic consumes the least bandwidth of any access category so this value can be set to a lower value once a general upstream rate is known by the network administrator usin...

Page 466: ...4 Use the drop down menu to configure the access point s Meshpoint Behavior This field configures the access point s mobility behavior The default is External fixed and indicates that the mesh point is fixed The value vehicle mounted indicates that the mesh point is mobile This feature is only available on an AP7161 model access point 45 Use the Root Path Monitor Interval to configure the interval...

Page 467: ...nvironmental Sensor screen 5 Override or set the following Light Sensor settings for the AP8132 s sensor module NOTE This feature is available on the AP8132 model only Enable Light Sensor Select this option to enable the light sensor on the module This setting is enabled by default Polling Time to Determine if Light is On Off Define an interval in Seconds 2 201 or Minutes 1 4 for the sensor module...

Page 468: ...t is 500 Enable Temperature Sensor Select this option to enable the module s temperature sensor Results are reported back to the access point s Environment screens within the Statistics node This setting is enabled by default Enable Motion Sensor Select this option to enable the module s motion sensor Results are reported back to the access point s Environment screens within the Statistics node Th...

Page 469: ...t notification configurations modified as device profile requirements warrant To define an access point event policy 1 Select Devices from the Configuration menu 2 Select Event Policy Figure 5 259 Event Policy screen 3 Ensure the Activate Event Policy option is selected to enable the screen for configuration This option needs to remain selected to apply the event policy configuration to the access...

Page 470: ...5 386 WiNG 5 7 1 Access Point System Reference Guide ...

Page 471: ...ccess control and asset tracking Each WLAN configuration contains encryption authentication and QoS policies and conditions for user connections Connected access point radios transmit periodic beacons for each BSS A beacon advertises the SSID security requirements supported data rates of the wireless network to enable clients to locate and connect to the WLAN WLANs are mapped to radios on each acc...

Page 472: ...6 2 WiNG 5 7 1 Access Point System Reference Guide Figure 6 1 Configuration Wireless menu ...

Page 473: ...pdate the SSID designation Description Displays the brief description assigned to each listed WLAN when it was either created or modified WLAN Status Lists each WLAN s status as either Active or Shutdown A green check mark defines the WLAN as available to clients on all radios where it has been mapped A red X defines the WLAN as shutdown meaning even if the WLAN is mapped to radios it s not availa...

Page 474: ...splays the name of the authentication scheme used by each listed WLAN to secure client transmissions None is listed if authentication is not used within a WLAN In case of no authentication refer to the Encryption Type column to verify if there is some sort of data protection used with the WLAN or risk using this WLAN with no protection at all Encryption Type Displays the name of the encryption sch...

Page 475: ...enable a WLAN and define its SSID client behavior and VLAN assignments 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select Edit to modify selected WLAN s properties WLANs can also be removed as they become obsolete by selecting Delete Figure 6 3 WLAN ...

Page 476: ...nformation on creating a QoS policy that can be applied to a WLAN see WLAN QoS Policy on page 6 54 Bridging Mode Use the drop down menu to specify the WLAN s bridging mode as either Local or Tunnel Select Local to Bridge VLAN traffic locally or Tunnel to use a shared tunnel for bridging the WLAN s VLAN traffic Local is the default setting DHCP Option 82 Select this option to enable DHCP Option 82 ...

Page 477: ...e Web Filter field to configure user access restrictions to resources in the Internet User access is controlled by defining URL Filters Use User Filter to select a preconfigured URL Filter To create a new URL Filter use the Create button To edit an existing URL Filter use the Edit button 11 Select OK when completed to update the WLAN s basic configuration Select Reset to revert the screen back to ...

Page 478: ...curity screen Authentication ensures only known and trusted users or devices access an access point managed WLAN Authentication is enabled per WLAN to verify the identity of both users and devices Authentication is a challenge and response procedure for validating user credentials such as user name password and secret key information A client must authenticate to an access point to receive resourc...

Page 479: ...next time the device is used to access the captive portal MAC Registration allows the device and the user to be authenticated faster Refer to MAC Registration on page 6 13 for information on enabling and configuring MAC Registration Encryption is essential for WLAN security as it provides data privacy for traffic forwarded over a WLAN When the 802 11 specification was introduced Wired Equivalent P...

Page 480: ...twork to one that supports EAP The only encryption types supported with this are TKIP CCMP and TKIP CCMP To configure EAP on a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify its security properties 5 Selec...

Page 481: ...nst an access point s local RADIUS server if supported or centrally from a datacenter For RADIUS server compatibility the format of the MAC address can be forwarded to the RADIUS server in non delimited and or delimited formats To configure MAC authentication on a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existin...

Page 482: ...WLAN see Configuring Captive Portal Policies on page 9 2 To assign a captive portal policy to a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or select an existing WLAN and Edit to modify the properties of an existing WLAN 5 Select Security 6 Refer t...

Page 483: ...ive portal This information is stored on board the access point The next time the user accesses the captive portal service using the same device he she is authenticated immediately as the MAC address of the device is available in the access point s database along with the user s identification information The user saves time as identification information is not collected again speeding the logon T...

Page 484: ...n to configure the proxy mode for accessing remote resources 10 Select OK when completed to update the External Controller configuration Select Reset to revert the screen back to the last saved configuration 6 1 2 8 TKIP CCMP Configuring WLAN Security Settings The encryption method is Temporal Key Integrity Protocol TKIP TKIP addresses WEP s weaknesses with a re keying mechanism a per packet mixin...

Page 485: ...s own traffic to and from an access point and one broadcast key the common key for all clients in that subnet Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This p...

Page 486: ...cast traffic security on the WLAN This feature is disabled by default NOTE Fast Roaming is available only when the authentication is EAP or EAP PSK and the selected encryption is either TKIP CCMP or WPA2 CCMP Pre Authentication Selecting this option enables an associated client to carry out an 802 1x authentication with another access point before it roams to it This enables a roaming client to se...

Page 487: ...llows backwards compatibility for clients that support WPA TKIP and WPA2 TKIP but do not support WPA2 CCMP It is recommended to enable this feature if WPA TKIP or WPA2 TKIP supported clients operate in a WLAN populated by WPA2 CCMP enabled clients This feature is disabled by default Use SHA256 Select this option to enable SHA 256 authentication key management suite This suite consists of a set of ...

Page 488: ...Encryption Standard AES AES serves the same function TKIP does for WPA TKIP CCMP computes a Message Integrity Check MIC using the proven Cipher Block Chaining CBC technique Changing just one bit in a message produces a totally different result WPA2 CCMP is based on the concept of a Robust Security Network RSN which defines a hierarchy of keys with a limited lifetime similar to TKIP Like TKIP the p...

Page 489: ... its own traffic to and from an access point and one broadcast key the common key for clients in that subnet Pre Shared Key Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share The alphanumeric string allows character spaces The access point converts the string to a numeric value This pa...

Page 490: ...y on the WLAN This value is disabled by default NOTE Fast Roaming is available only when the authentication is EAP or EAP PSK and the selected encryption is either TKIP CCMP or WPA2 CCMP Pre Authentication Selecting this option enables an associated client to carry out an 802 1x authentication with another access point before it roams to it This enables a roaming client to send and receive data so...

Page 491: ...o form the RC4 traffic key WEP 64 is a less robust encryption scheme than WEP 128 containing a shorter WEP algorithm for a hacker to potentially duplicate but networks that require more security are at risk from a WEP flaw WEP is only recommended if there are client devices incapable of using higher forms of security The existing 802 11 standard alone offers administrators no effective method to u...

Page 492: ... the Generate button The pass key can be any alphanumeric string The wireless controller other proprietary routers and WiNG clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without these WiNG adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 fields to specify key numbers For WEP 64 40 bit key the keys are 10...

Page 493: ...derivation and periodic key rotation 802 1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered If 802 1X support is not available on the legacy device MAC authentication should be enabled to provide device level authentication WEP 128 and KeyGuard use a 104 bit key which is concatenated with a 24 bit initialization vector IV to form the RC4 traffic k...

Page 494: ...elect the Generate button The pass key can be any alphanumeric string The access point other proprietary routers and WiNG clients use the algorithm to convert an ASCII string to the same hexadecimal number Clients without these WiNG adapters need to use WEP keys manually configured as hexadecimal numbers Keys 1 4 Use the Key 1 4 areas to specify key numbers For WEP 128 104 bit key the keys are 26 ...

Page 495: ...r for the WLAN to provide authentication and dynamic key derivation and rotation 6 2 0 4 Keyguard Configuring WLAN Security Settings Keyguard is a form of WEP and could be all a small business needs for the simple encryption of wireless data KeyGuard is an enhancement to the WEP encryption method and was developed before the finalization of WPA TKIP The Keyguard encryption implementation is based ...

Page 496: ...mechanism that blocks and permits data traffic For a Firewall overview see Wireless Firewall on page 8 2 WLANs use Firewalls like Access Control Lists ACLs to filter mark packets based on the WLAN from which they arrive as opposed to filtering packets on Layer 2 ports An ACL contains an ordered list of Access Control Entries ACEs Each ACE specifies an action and a set of conditions rules a packet ...

Page 497: ...ACL to the interface To review existing Firewall configurations create a new Firewall configuration or edit the properties of a WLAN s existing Firewall 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create a new WLAN or Edit to modify the properties of an existing wireless control...

Page 498: ...cters 7 Select the Add button Figure 6 11 WLAN Security IP Firewall Rules screen 8 IP Firewall rule configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update a Select the Edit Rule icon to the left of a particular IP Firewall rule configuration to update its parameters collectively Figur...

Page 499: ... proceed to its destination DNS Name Specify the DNS Name which may be a full domain name a portion of a domain name or a suffix This name is used for the DNS Match Type criteria DNS Match Type Specify the DNS matching criteria that the DNS Name can be matched against This can be configured as an exact match for a DNS domain name a suffix for the DNS name or a domain that contains a portion of the...

Page 500: ...rt If using either tcp or udp as the protocol define whether the destination port for incoming IP ACL rule application is any equals or an administrator defined range If not using tcp or udp this setting displays as N A This is the data local origination virtual port designated by the administrator Selecting equals invokes a spinner control for setting a single numeric port Selecting range display...

Page 501: ...ividually as their filtering attributes require a more refined update 13 Select the Edit Rule icon to the left of a particular IPv6 Firewall rule configuration to update its parameters collectively Mark Select this option to mark certain fields inside a packet before allowing them Mark is only applicable for Allow rules Mark sets the rule s 802 1p or dscp level from 0 7 Log Select this option to c...

Page 502: ... move down the table to reflect its lower priority The Precedence column sets the priority of a IPv6 Firewall rule within its rule set Allow Every IPv6 firewall rule is made up of matching criteria rules The action defines what to do with the packet if it matches the specified criteria The following actions are supported Deny Instructs the firewall to prohibit a packet from proceeding to its desti...

Page 503: ...ng displays as N A This is the data local origination virtual port designated by the administrator Selecting equals invokes a spinner control for setting a single numeric port Selecting range displays spinner controls for Low and High numeric range settings ICMP Type Selecting ICMP as the protocol for the IPv6 rule displays an additional set of ICMP specific options for ICMP type and code The Inte...

Page 504: ...a subnet mask if using a mask Actions The following actions are supported Log Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted Mark Modifies certain fields inside the packet and then permits them Therefore mark is an action with an implicit permit Mark Log Conducts both mark and log functions Traffic Class Sets a traffic classification value for the pa...

Page 505: ...r a MAC address to define the start of range This field is mandatory Ending MAC Address Enter a MAC address to define the end of range Allow Deny Every Association ACL rule consists of matching criteria rules The action defines what to do with the device if it matches the specified criteria The following actions are supported Deny Instructs the Firewall to not to allow the device to associate with...

Page 506: ...irewall DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses IP prefixes or other configuration attributes required on an IPv6 network This setting is disabled by default RA Guard Select this option to enable router advertisements or ICMPv6 redirects on this WLAN s firewall This setting is disabled by default Wireless Client Denied Traffic Threshold If enabled any associate...

Page 507: ...oint AP6511 and AP6521 models can support up to 128 clients per access point Client load balancing can be enforced for the WLAN as more and more WLANs are deployed 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create a new WLAN or select an existing WLAN and Edit to modify its pro...

Page 508: ... option to enable radio resource measurement capabilities IEEE 802 11k on this WLAN 802 11k improves how traffic is distributed In a WLAN each device normally connects to an access point with the strongest signal Depending on the number and locations of the clients this arrangement can lead to excessive demand on one access point and under utilization of others resulting in degradation of overall ...

Page 509: ...s services by users This information is of great assistance in partitioning local versus remote users and how to best accommodate each Remote user information can be archived to a remote location for periodic network and user permission administration Proxy ND Mode Use the drop down menu to define the proxy neighbor discovery ND mode for WLAN member clients as either Strict or Dynamic ND Proxy is ...

Page 510: ...f the external syslog host where accounting records are routed Use the drop down menu to select the host type from Hostname or IP Address A valid hostname cannot contain an underscore Syslog Port Use the spinner control to set the destination UDP port of the external syslog host where accounting records are routed The default port is 514 Proxy Mode Use the drop down menu to define how syslog accou...

Page 511: ... and devices 6 2 4 Configuring WLAN Service Monitoring Settings Wireless LANs Service Monitoring is a mechanism for administrating external AAA server captive portal server access point adoption and DHCP server activity for WLANs Service monitoring enables an administrator to better notify users of a service s availability and make resource substitutions Service monitoring can be enabled and appli...

Page 512: ...fault Adoption Monitoring Enable Select this option to verify access point s adoption status to its controller or service platform When the connection is lost captive portal users are automatically migrated to the VLAN defined in the Adoption Monitoring VLAN field This option is disabled by default Adoption Monitoring VLAN Use the spinner control to select the VLAN that users are migrated to when ...

Page 513: ...erver to monitor When this DHCP server becomes unavailable the device falls back to the VLAN configured in the DHCP Server Monitoring VLAN field This VLAN has a DHCP server that provides a pool of IP addresses with a lease time lesser than the main DHCP server DNS Server Monitoring Enable Select to enable monitoring of the configured DNS server When the connection to the DNS server is lost captive...

Page 514: ... 0 2 the access point uses to discover a client s band capabilities before associating The default is 10 seconds Capability Ageout Time Define a value in either Seconds 0 10 000 Minutes 0 166 or Hours 0 2 to ageout a client s capabilities from the access point s internal table The default is 1 hour Single Band Clients Select this option to enable single band client associations on the 2 4 GHz freq...

Page 515: ...ciations on the 5 0 GHz frequency even if load balancing is available This option is enabled by default Max Probe Requests Enter a value from 0 10 000 for the maximum number of probe requests for client associations on the 5 0 GHz frequency The default value is 60 Probe Request Interval Enter a value in seconds from 0 10 000 to set an interval for client probe requests beyond which association is ...

Page 516: ...ion and radio rate settings for a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Wireless LANs to display a high level display of existing WLANs 4 Select the Add button to create an additional WLAN or Edit to modify the properties of an existing WLAN 5 Select Advanced Figure 6 22 WLAN Advanced Configuration screen ...

Page 517: ...als and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates NAS Identifier Specify what is included in the RADIUS NAS Identifier field for authentication and accounting packets This is an optional setting and defaults are used if no values are provided NAS Port The profile database on the RADIUS server consists of user profiles for each connected...

Page 518: ...nel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates 802 11n MCS rates are defined as follows both with and without short guard intervals SGI Table 6 1 MCS 1Stream MCS Index Number of Streams 20 MHz No SGI 20 MHz With SGI 40...

Page 519: ... 65 121 5 135 3 3 78 86 7 162 180 4 3 117 130 7 243 270 5 3 156 173 3 324 360 6 3 175 5 195 364 5 405 7 3 195 216 7 405 450 Table 6 4 MCS 802 11ac theoretical throughput for single spatial streams MCS Index 20 MHz No SGI 20 MHz With SGI 40 MHz No SGI 40MHz With SGI 80 MHz No SGI 80MHz With SGI 0 6 5 7 2 13 5 15 29 3 32 5 1 13 14 4 27 30 58 5 65 2 19 5 21 7 40 5 45 87 8 97 5 3 26 28 9 54 60 117 130...

Page 520: ...ter Out Images Select this check box to filter images out of this WLAN s log files This option is disabled by default Filter Post Select this check box to filter posts out of this WLAN s log files This option is disabled by default Strip Query String Select this check box to filter query strings out of this WLAN s log files This option is disabled by default Enable Select the check box to forward ...

Page 521: ... network and its connection to the mesh is lost then all WLANs on the access point that have this option enabled are shut down Shutdown on Primary Port Link Loss When there is a loss of link on the primary wired link on the access point all the WLANs on the access point that have this option enabled are shut down Shutdown on Critical Resource Down If critical resource monitoring is enabled on the ...

Page 522: ...ess point s configured critical resources are not reachable or available This setting is disabled by default Shutdown on Unadoption Select to enable the WLAN to shutdown if the access point is unadopted from its wireless controller This setting is disabled by default Days Configure the days on which the WLAN is accessible Select from one of the following All Select this option to make the WLAN ava...

Page 523: ...ct Reset to revert to the last saved configuration Select Exit to exit the screen End Time Configures the ending time of day s that the WLAN will be disabled Use the spinner controls to select the hour and minute in a 12h time format Then use the radio button to choose AM or PM ...

Page 524: ...policies supports an ideal QoS configuration for the intended data traffic for this WLAN select the Add button to create new policy Select the radio button of an existing WLAN and select OK to map the QoS policy to the WLAN displayed in the banner of the screen Use the WLAN Quality of Service QoS screen to add a new QoS policy or edit an existing policy Each access point model supports up to 32 WL...

Page 525: ...N is low priority on the radio SVP Prioritization A green check mark defines the policy as having Spectralink Voice Prioritization SVP enabled to allow the access point to identify and prioritize traffic from Spectralink Polycomm phones using the SVP protocol Phones using regular WMM and SIP are not impacted by SVP prioritization A red X defines the QoS policy as not supporting SVP prioritization ...

Page 526: ... given access category packets are then added to one of four independent transmit queues one per access category voice video best effort or background in the client The client has a collision resolution mechanism to address collision among different queues which selects the frames with the highest priority to transmit The same mechanism deals with external collision to determine which client shoul...

Page 527: ...ows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic voice video etc The WMM classification is required to support the high throughput data rates required of 802 11n device support Voice Optimized for voice traffic Implies all traffic on this WLAN is prioritized as voice traffic on the radio Video Optimized for video traf...

Page 528: ... QBSS load information element in beacons and probe response packets This feature is enabled by default Configure Non WMM Client Traffic Use the drop down menu to specify how non WMM client traffic is classified on this access point WLAN if the Wireless Client Classification is set to WMM Options include Video Voice Normal and Low The default setting is Normal Transmit Ops Use the slider to set th...

Page 529: ...ected for the back off mechanism Higher values are used for lower priority traffic The available range is from 0 15 The default value is 4 ECW Max The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range From this range a random number is selected for the back off mechanism Higher values are used for lower priority traffic The available range is from...

Page 530: ...m the access point upstream and data transmitted from a WLAN s wireless clients back to their associated access point radios downstream AP6511 and AP6521 model access points do not support rate limiting on an individual client basis Before defining rate limit thresholds for WLAN upstream and downstream traffic it is recommended that you define the normal number of ARP broadcast multicast and unkno...

Page 531: ...ated clients on this WLAN Enabling this option does not invoke rate limiting for data traffic in the downstream direction This feature is disabled by default Rate Define an upstream rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN from all access categories Traffic exceeding the defined rate is dropped and ...

Page 532: ...ize for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the up...

Page 533: ...ropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for WLAN video traffic in the downstream direction This is a percentage of the maximum burst size for video traffic Vi...

Page 534: ...y traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general upstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage for client video traffic in the upstream direction Thi...

Page 535: ...ckground traffic consumes the least bandwidth of any access category so this value can be set to a lower value once a general downstream rate is known by the network administrator using a time trend analysis The default threshold is 50 Best Effort Traffic Set a percentage for client best effort traffic in the downstream direction This is a percentage of the maximum burst size for normal traffic Be...

Page 536: ...t mask an administrator can indicate which frames are transmitted immediately Setting masks is optional and only needed if there are traffic types requiring special handling Multicast Mask Secondary Set a secondary multicast mask for the WLAN QoS policy Normally all multicast and broadcast packets are buffered until the periodic DTIM interval indicated in the 802 11 beacon frame when clients in po...

Page 537: ... rate limiting on a WLAN a baseline for each traffic type should be performed Once a baseline has been determined a minimum 10 margin should be added to allow for traffic bursts The bandwidth required for real time applications such as voice and video are very fairly easy to calculate as the bandwidth requirements are consistent and can be realistically trended over time Applications such as Web d...

Page 538: ... completely dominating the wireless medium thus ensuring lower priority traffic is still supported by connected radios IEEE 802 11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery U APSD that provides a mechanism for wireless clients to retrieve packets buffered by an access point U APSD reduces the amount of signaling frames sent from a client to retri...

Page 539: ...ccess point radio s QoS policy 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Radio QoS Policy to display a high level display of existing Radio QoS policies Figure 6 30 Radio Quality of Service QoS screen 4 Refer to the following information for a radio QoS policy Radio QoS Policy Displays the name of each radio QoS policy This is the name set for each listed policy whe...

Page 540: ...on of frames for any traffic class by looking at the amount of traffic the client is receiving and sending If a client sends more traffic than configured for an admission controlled traffic class the traffic is forwarded at the priority of the next non admission controlled traffic class This applies to clients that do not send TPSEC frames only Voice A green check mark indicates voice prioritizati...

Page 541: ...r the back off mechanism Lower values are used for higher priority traffic The available range is from 0 15 The default value is 3 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a low number The default value is 0 AIFSN Set the current AIFSN from 1 15 Higher prio...

Page 542: ...rm of a numerical range From this range a random number is selected for the back off mechanism Lower values are used for higher priority traffic like video The available range is from 0 15 The default value is 4 Transmit Ops Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity For higher priority traffic categories this value should be set to a lo...

Page 543: ...elect this check box to enable admission control for voice traffic Only voice traffic admission control is enabled not any of the other access categories each access category must be separately enabled and configured This feature is disabled by default Maximum Airtime Set the maximum airtime in the form of a percentage of the radio s bandwidth allotted to admission control for voice supported clie...

Page 544: ...igured This feature is disabled by default Maximum Airtime Set the maximum airtime in the form of a percentage of the radio s bandwidth allotted to admission control for normal background client traffic The available percentage range is from 0 150 with 150 being available to account for over subscription This value helps ensure the radio s bandwidth is available for lower bandwidth normal traffic ...

Page 545: ...nts The default value is 10 Reserved for Roam Set the roam utilization in the form of a percentage of the radio s bandwidth allotted to admission control for video supported clients who have roamed to a different managed radio The available percentage range is from 0 150 with 150 accounting for over subscription The default value is 10 Enable Background Select this check box to enable admission co...

Page 546: ...ceeds the maximum number set the radio to either Reject new wireless clients or to Revert existing clients to a non accelerated state The default setting is Reject Maximum multicast streams per client Specify the maximum number of multicast streams from 1 4 wireless clients can use The default value is 2 Packets per second for multicast flow for it to be accelerated Specify the threshold of multic...

Page 547: ...zation settings Select Reset to revert to the last saved configuration Smart Aggregation Select to enable Smart Aggregation and dynamically set the time when an aggregated frame is transmitted This option is disabled by default Max Delay for Best Effort Specify the maximum time in milliseconds to delay best effort traffic The default setting is 150 millisecond Max Delay for Background Specify the ...

Page 548: ...h non WMM clients on the same WLAN Non WMM clients are always assigned a best effort access category It is recommended that default WMM values be used for all deployments Changing these values can lead to unexpected traffic blockages and the blockages might be difficult to diagnose Overloading an access point radio with too much high priority traffic especially voice degrades the overall service q...

Page 549: ...ported access point model can support up to 32 Association ACLs with the exception of AP6511 and AP6521 models that support 16 WLAN Association ACLs To define an Association ACL deployable with a WLAN 1 Select the Configuration tab from the Web UI 2 Select Wireless 3 Select Association ACL to display a high level display of existing Association ACL policies The Association Access Control List ACL ...

Page 550: ...e the Association ACL settings Select Reset to revert to the last saved configuration Precedence The rules within a WLAN s ACL are applied to packets based on their precedence values Every rule has a unique sequential precedence value you define You cannot add two rules s with the same precedence value The default precedence is 1 so be careful to prioritize ACLs accordingly as they are added Start...

Page 551: ...L screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to However be careful not to name ACLs after specific WLANs as individual ACL policies can be used by more than one WLAN You cannot apply more than one MAC based ACL to a Layer 2 interface If a MAC ACL is already configured on a Layer 2 interface and a new MAC ACL is applied to t...

Page 552: ...rt RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Smart RF policy is mapped the radio picks a channels specified in the Smart RF policy If no SMART RF policy is mapped the radio selects a random channel If the radio is a dedicated sensor it stops termination on that channel if a neighboring access point detects radar The access point attempts t...

Page 553: ...en interference is detected Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the access point radio If a client s signal to noise value is above the threshold the transmit power is increased until the signal to noise rate falls below the threshold This option is enabled by default Coverage Hole Recovery Select this radio button to enabl...

Page 554: ... the configuration process by selecting Activate SMART RF Policy from the upper left hand side portion of the access point user interface 8 Select Channel and Power Ensure the Activate SMART RF Policy remains selected so the screen s parameters can be updated Use the Channel and Power screen to refine Smart RF power settings over both the 5 0 GHz and 2 4 GHz radio bands and select channel settings...

Page 555: ...ry channel the system is configured for dynamic 20 40 operation When 20 40 is selected clients can take advantage of wider channels 802 11n clients experience improved throughput using 40 MHz while legacy clients either 802 11a or 802 11b g depending on the radio selected can still be serviced without interruption using 20 MHz Select Automatic to enable the automatic assignment of channels to work...

Page 556: ...ecting the option The feature is enabled by default When enabled detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation 16 Set the following OCS Monitoring Awareness Settings for the Smart RF policy Channel List Use the Select drop down menu to select the channels used in Smart RF area based channe...

Page 557: ... compensate for coverage area losses within a RF Domain The default setting is 50 milliseconds for both 2 4 GHz and 5 0 GHz bands Frequency Set the scan frequency using the drop down menu Set a scan frequency in either Seconds 1 120 or Minutes 0 2 The default setting is 6 seconds for both 2 4 GHz and 5 0 GHz bands Extended Scan Frequency Use the spinner control to set an extended scan frequency fr...

Page 558: ...the Sensitivity setting from the Smart RF Basic Configuration screen 5 GHz Neighbor Power Threshold Use the spinner control to set a value from 85 to 55 dBm the access point s 5 0 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within the access point s radio coverage area The default value is 70 dBm 2 4 GH...

Page 559: ...o compensate for a potential coverage hole The default setting is 3 Dynamic Sample Threshold Use the spinner control to set the number of sample reports 1 30 used before dynamic sampling is invoked for a potential power change adjustment The default setting is 5 Interference Select this radio button to allow Smart RF to scan for excess interference from supported radio devices WLANs are susceptibl...

Page 560: ... client threshold from 1 255 If the threshold defined number of clients are connected to a radio the radio does not change its channel even though required based on the interference recovery determination made by the smart master The default setting is 50 5 GHz Channel Switch Delta Use the spinner to set a channel switch delta from 5 35 dBm for the 5 0 GHz radio This parameter is the difference be...

Page 561: ...del access points can support up to 128 clients per access point or radio The default setting is 1 SNR Threshold Use the spinner control to set a signal to noise SNR threshold from 1 75 dB This is the SNR threshold for an associated client as seen by its associated AP radio When exceeded the radio increases its transmit power to increase coverage for the associated client The default value is 20 d...

Page 562: ... RF is not a solution it s a temporary measure Administrators need to determine the root cause of RF deterioration and fix it Smart RF history events can assist If a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS it will switch channels if radar is detected If Smart RF is enabled the radio picks a channel defined in the Smart RF policy If Smart RF is disabled but a Sma...

Page 563: ...o MP link MeshConnex uses this data to dynamically form and continually maintain paths for forwarding network frames In MeshConnex systems a Mesh Point MP is a virtual mesh networking instance on a device similar to a WLAN AP On each device up to 4 MPs can be created and 2 can be created per radio MPs can be configured to use one or both radios in the device If the MP is configured to use both rad...

Page 564: ... status of each configured mesh point either Enabled or Disabled Description Displays any descriptive text entered for each of the configured mesh points Control VLAN Displays VLAN number for the control VLAN on each of the configured mesh points Allowed VLANs Displays the list of VLANs allowed on each of the configured mesh points Security Mode Displays the security for each of the configured mes...

Page 565: ...int style beacons select mesh point from the drop down menu The default value is mesh point Is Root Select this option to specify the mesh point as a root Control VLAN Use the spinner control to specify a VLAN to carry mesh point control traffic The valid range for control VLAN is from 1 4094 The default value is VLAN 1 Allowed VLANs Specify the VLANs allowed to pass traffic on the mesh point Sepa...

Page 566: ... shared key as the authentication for the mesh point If PSK is selected enter a pre shared key in the Key Settings field The default setting is None Pre Shared Key When the security mode is set as PSK enter a 64 character HEX or an 8 63 ASCII character passphrase used for authentication on the mesh point Unicast Rotation Interval Define an interval for unicast key transmission in seconds 30 86 400...

Page 567: ...the 2 4 GHz band If supporting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Mesh points can communicate as long as they support the same b...

Page 568: ...6 98 WiNG 5 7 1 Access Point System Reference Guide Figure 6 45 Advanced Rate Settings 2 4 GHz screen Figure 6 46 Advanced Rate Settings 5 GHz screen ...

Page 569: ...rting 802 11n select a Supported MCS index Set a MCS modulation and coding scheme in respect to the radio s channel width and guard interval A MCS defines based on RF channel conditions an optimal combination of 8 data rates bonded channels multiple spatial streams different guard intervals and modulation types Clients can associate as long as they support basic MCS as well as non 11n basic rates ...

Page 570: ...ts defined for each mesh point The Quality of Service screen displays a list of Mesh QoS policies available to mesh points Each Mesh QoS policy can be selected to edit its properties If none of the exiting Mesh QoS policies supports an ideal QoS configuration for the intended data traffic of this mesh point select the Add button to create new policy Select an existing Mesh QoS policy and select Ed...

Page 571: ...s that typically transmit and receive from each supported WMM access category If thresholds are defined too low normal network traffic required by end user devices will be dropped resulting in intermittent outages and performance problems A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction Mesh Rx Rate Limit Displays whether or not a Mesh R...

Page 572: ...ed neighbor Mesh Tx Rate Limit Select this option to enable rate limiting for all data received from any mesh point in the mesh This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received over the mesh point from all access categories Traffic that exceeds the defined rat...

Page 573: ...t size for normal priority traffic Best effort traffic exceeding the defined threshold is dropped and a log message is generated Best effort traffic consumes little bandwidth so this value can be set to a lower value once a general transmit rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for video traffic in th...

Page 574: ...ue can be set to a lower value once a general receive rate is known by the network administrator using a time trend analysis The default threshold is 50 Video Traffic Set a percentage value for video traffic in the receive direction This is a percentage of the maximum burst size for video traffic Video traffic exceeding the defined threshold is dropped and a log message is generated Video traffic ...

Page 575: ...rate limiting for data transmitted from connected wireless clients Enabling this option does not invoke rate limiting for data traffic in the transmit direction This feature is disabled by default Rate Define a receive rate limit from 50 1 000 000 kbps This limit constitutes a threshold for the maximum the number of packets transmitted or received by the client Traffic that exceeds the defined rat...

Page 576: ... Select this option to have bridged multicast packets converted to unicast to provide better overall airtime utilization and performance The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast or specify which multicast streams are to be converted to unicast When the stream is converted and being queued up for transm...

Page 577: ...n Only relevant information is presented to the client which enables it to decide with network to join To define a Passpoint Policy 1 Select Configuration 2 Select Wireless 3 Select Passpoint Policy to display existing Passpoint policies Figure 6 50 Wireless Passpoint Policy screen 4 Refer to the following configuration data for existing Passpoint policies Name Displays the name of the configured ...

Page 578: ... a friendly name for the operator running the hotspot service Enter a string not longer than 64 characters Venue Name Enter a friendly name for the venue in which this hotspot service is running Enter a string not longer than 252 characters Venue Name Lang Use this table to provide encoding information to display the Venue Name in other languages Use this table to provide the language Code and the...

Page 579: ... the network configuration options available to the access point refer to the following Policy Based Routing PBR L2TP V3 Configuration Crypto CMP Policy AAA Policy AAA TACACS Policy Alias IPv6 Router Advertisement Policy For configuration caveats specific to Configuration Network path refer to Network Deployment Considerations on page 7 45 ...

Page 580: ...f IP ACLs on a WLAN ports or SVI mark the packet the new marked DSCP value is used for matching Incoming WLAN Packets can be filtered by the incoming WLAN There are two ways to match the WLAN If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN then this WLAN is used for selection If the device doing policy based routing does not have an onboard ra...

Page 581: ...p the packet Fallback Fallback to destination based routing if none of the configured next hops are reachable or not configured This is enabled by default Mark IP DSCP Set IP DSCP bits for QoS using an ACL The mark action of the route maps takes precedence over the mark action of an ACL To define a PBR configuration 1 Select Configuration tab from the Web UI 2 Select Network 3 Select Policy Based ...

Page 582: ...priority assigned to each listed PBR configuration A route map consists of multiple entries each carrying a precedence value An incoming packet is matched against the route map with the highest precedence lowest numerical value DSCP Displays each policy s DSCP value used as matching criteria for the route map DSCP is the Differentiated Services Code Point field in an IP header and is for packet cl...

Page 583: ...s defined in the IP DSCP field One DSCP value can be configured per route map entry Role Policy Use the drop down to select a Role Policy to use with this route map Click the Create icon to create a new Role Policy To view and modify an existing policy click the Edit icon User Role Use the drop down menu to select a role defined in the selected Role Policy This user role is used while deciding the...

Page 584: ...ional considerations Next Hop secondary If the primary hop request were unavailable a second resource can be defined Set either the IP address of the virtual resource or select the Interface option and define either a wwan1 pppoe1 or a VLAN interface Default Next Hop If a packet subjected to PBR does not have an explicit route to the destination the configured default next hop is used This value i...

Page 585: ...l PBR Select this option to implement policy based routing for this access point s packet traffic This setting is enabled by default so the match and action clauses defined within the Route Maps tab are implemented until disabled using this setting Use CRM Select the Use CRM Critical Resource Management option to monitor access point link status Selecting this option determines the disposition of ...

Page 586: ...L2TP V3 tunnel needs to be established between the tunneling entities before creating a session For optimal pseudowire operation both the L2TP V3 session originator and responder need to know the pseudowire type and identifier These two parameters are communicated during L2TP V3 session establishment An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for...

Page 587: ...2TP V3 hello keep alive messages exchanged within the L2TP V3 control connection Reconnect Attempts Lists each policy s maximum number of reconnection attempts to reestablish a tunnel between peers Reconnect Interval Displays the duration set for each listed policy between two successive reconnection attempts Retry Count Lists the number of retransmission attempts set for each listed policy before...

Page 588: ...ce L2 Path Recovery Indicates if L2 Path Recovery is enabled to learn servers gateways and other network devices behind a L2TPV3 tunnel Cookie size L2TP V3 data packets contain a session cookie which identifies the session pseudowire corresponding to it Use the spinner control to set the size of the cookie field present within each L2TP V3 data packet Options include 0 4 and 8 The default setting ...

Page 589: ... Use the spinner control to define the interval in seconds before initiating a retransmission of a L2TP V3 signaling message The available range is from 1 250 with a default value of 5 Rx Window Size Specify the number of packets that can be received without sending an acknowledgement The available range is from 1 15 with a default setting of 10 Tx Window Size Specify the number of packets that ca...

Page 590: ... service platform or access point triggers a request for the configured CMS CA server Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manually created trustpoint for one service like HTTPs and use t...

Page 591: ...settings for the server resource 9 Set the following Trust Points settings Use the Add Row button to add a row to this table The trustpoint is used for various services as specifically set the controller service platform or access point Enable Use the drop down menu to set the CMS server as either the Primary first choice or Secondary secondary option CMP server resource IP Define the IP address f...

Page 592: ...P CA trust point message The range is 0 256 This field is mandatory Secret Specify the secret used for trustpoint authentication over the designated CMP server resource Sender Name Enter a sender name up to 512 characters for the trustpoint request This field is mandatory Recipient Name Enter a recipient name value of up to 512 characters for the trustpoint request CMP CA Path Provide a complete p...

Page 593: ...ser is authorized to perform These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user s actual capabilities and restrictions The database could be located locally on the access point or be hosted remotely on a RADIUS server Remote RADIUS servers authorize users by associating attribute value AV pairs with the appr...

Page 594: ...ting Start Stop Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process The start accounting record is sent in the background The requested process begins regardless of whether the start accounting notice is received by the accounting server Request Interval Lists the interval at which an access point sends a RADIUS accounting request to the RADIUS s...

Page 595: ... self or onboard controller Request Proxy Mode Displays whether a request is transmitted directly through the server or proxied through the Virtual Controller AP or RF Domain manager Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request ...

Page 596: ...l address or a fully qualified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Using NAI each ISP ne...

Page 597: ...cation session The available range is from 1 10 The default is 3 Request Timeout Specify the time from 1 60 seconds for the access point s re transmission of request packets If this time is exceeded the authentication session is terminated The default is 3 seconds Retry Timeout Factor Specify the time from 50 200 seconds between retry timeouts for the access points s re transmission of request pac...

Page 598: ... 1 to 65 535 The default port is 1813 Server Type Displays the type of AAA server in use either Host onboard self or onboard controller Request Attempts Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Displays the time from 1 60 seconds for...

Page 599: ...alid E mail address or a fully qualified domain name NAI can be used either in a specific or generic form The specific form which must contain the user portion and may contain the portion identifies a single user Each user still needs a unique security association but these associations can be stored on a AAA server The original purpose of NAI was to support roaming between dialup ISPs Using NAI e...

Page 600: ...n is terminated Retry Timeout Factor Specify the interval in seconds between two successive re transmission attempts of request packets Specify a value from 50 200 seconds The default is 100 seconds DSCP Displays the DSCP value as a 6 bit parameter in the header of every IP packet used for packet classification The valid range is from 0 63 with a default value of 34 NAI Routing Enable Displays NAI...

Page 601: ...Interval Set the periodicity of the interim accounting requests The default is 30 minutes Accounting Server Preference Select the server preference for RADIUS Accounting The options are Prefer Same Authentication Server Host Uses the authentication server hostname as the host used for RADIUS accounting This is the default setting Prefer Same Authentication Server Index Uses the same index as the a...

Page 602: ...tity Services Engine ISE to validate the compliance of a client to the network s policies such as the validity of the virus definition files for the antivirus software or the definition files for a anti spy ware software Accounting Delay Time Select this option to enable the support of an accounting delay time attribute within accounting requests This setting is disabled by default Accounting Mult...

Page 603: ... address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager Options include None and proxier default setting Proxy NAS IPv6 Address Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager Options include None and proxier default setting ...

Page 604: ...arate accounting authentication and authorization services Some of the services provided by TACACS are Authorizing each command with the TACACS server before execution Accounting each session s logon and log off event Authenticating each user with the TACACS server before enabling access to network resources To define unique AAA TACACS configurations 1 Select the Configuration tab from the Web UI ...

Page 605: ...nue Click OK to proceed The Server Info tab displays by default AAA TACACS Policy Displays the name assigned to the AAA TACACS policy when it was initially created The name cannot be edited within a listed profile Accounting Access Method Displays the method used to access the AAA TACACS Accounting server Options include all SSH Console or Telnet Authentication Access Method Displays the method us...

Page 606: ...7 28 WiNG 5 7 1 Access Point System Reference Guide Figure 7 16 AAA TACACS Policy Server Info tab 7 Under the Authentication table select Add Row ...

Page 607: ... access point By default the secret is displayed as asterisks To see the secret being entered select the Show option Request Attempts Set the number of connection request attempts to the TACACS server before it times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Specify the time for the re transmission of request packets after an unsuccessful a...

Page 608: ...n Request Attempts Displays the number of connection attempts before the controller service platform or access point times out of the authentication session The available range is from 1 10 The default is 3 Request Timeout Specify the time for the re transmission of request packets after an unsuccessful attempt The default is 3 seconds If the set time is exceeded the authentication session is term...

Page 609: ... default is 3 seconds If the set time is exceeded the authentication session is terminated Retry Timeout Factor Set the scaling of retransmission attempts from 50 200 seconds The timeout at each attempt is the function of the retry timeout factor and the attempt number 100 the default value implies a constant timeout on each retry Smaller values indicate more aggressive shorter timeouts Larger num...

Page 610: ...performed for all types of access without prioritization Console Authorization is performed only for console access Telnet Authorization is performed only for access through Telnet SSH Authorization is performed only for access through SSH Allow Privileged Commands Select this option to enable privileged commands executed without command authorization Privileged commands are commands that can alte...

Page 611: ...7 33 20 Select OK to save the updates to the AAA TACACS policy Select Reset to revert to the last saved configuration NOTE A maximum or 5 entries can be made in the Service Protocol Settings table ...

Page 612: ...Configuration Devices RF Domain Alias screen These aliases are available for use for a site as a RF Domain is site specific RF Domain alias values override alias values defined in a global alias or a profile alias configuration Device aliases are defined from Configuration Devices Device Overrides Network Alias screen Device alias are utilized by a single device only Device alias values override a...

Page 613: ...ork and the VLAN is set at 26 at a remote location the VLAN can be overridden at the deployment location with an alias At the remote deployment location the network is functional with a VLAN ID of 26 but utilizes the name defined at the centrally managed network A new VLAN need not be created specifically for the remote deployment A VLAN Alias can be used to replace VLANs in the following location...

Page 614: ...irements A host alias can be used to replace hostnames in the following locations IP Firewall Rules DHCP 7 Select Add Row to define Network Alias settings Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments For example if a central network ACL defines a network as 192 168 10 0 24 and a remote location s network range is 172 16 10 0 24 the ACL...

Page 615: ...d network configurations Network configurations are complete networks in the form 192 168 10 0 24 or IP address range in the form 192 168 10 10 192 168 10 20 Host configuration is in the form of single IP address 192 168 10 23 A network group alias can contain multiple definitions for host network and IP address range A maximum of eight 8 host entries eight 8 network entries and eight 8 IP address...

Page 616: ...lect Add to create a new Network Group Alias Copy to copy an existing policy or Rename to rename an existing policy Name Displays the administrator assigned name of the Network Group Alias Host Displays all host aliases configured in this network group alias Displays a blank column if no host alias is defined Network Displays all network aliases configured in this network group alias Displays a bl...

Page 617: ...s rules Select Reset to revert the screen back to its last saved configuration NOTE The Network Group Alias Name always starts with a dollar sign Host Specify the Host IP address for up to eight IP addresses supporting network aliasing Select the down arrow to add the IP address to the table Network Specify the netmask for up to eight IP addresses supporting network aliasing Subnets can improve ne...

Page 618: ...an one IP address to a network interface providing multiple connections to a network from a single IP node A network service alias can be used in IP firewall rules to substitute protocols and ports To edit or delete a service alias configuration 1 Select Configuration tab from the Web user interface 2 Select Network 3 Select the Alias item the Basic Alias screen displays 4 Select the Network Servi...

Page 619: ...e the drop down to select the protocol from eigrp gre icmp igmp ip vrrp igp ospf tcp and udp Select other if the protocol is not listed When a protocol is selected its protocol number is automatically selected Source Port Low and High Note Use this field only if the protocol is tcp or udp Specify the source ports for this protocol entry A range of ports can be specified Select the Enter Range butt...

Page 620: ...ter the source receives the advertisement it can communicate with other devices Advertisement messages are also sent to indicate a change in link layer address for a node on the local link With such a change the multicast address becomes the destination address for advertisement messages To define a IPv6 router advertisement policy 1 Select Configuration Network IPv6 Router Advertisement Policy Fi...

Page 621: ... advertisements A lifetime of 0 indicates that the router is not a default router The router advertisement interval range is 0 9000 Seconds 0 150 Minutes or 0 2 5 Hours The default is 30 minutes Managed Address Configuration Flag Select this option to send the managed address configuration flag in router advertisements When set the flag indicates that the addresses are available via DHCP v6 The de...

Page 622: ...ting is disabled Override System ND Reachable Time in RA Set the period for sending neighbor reachable time in the router advertisements When unspecified the neighbor reachable time configured for the system is advertised The interval range is from 5 000 3 600 000 milliseconds The default is 5000 milliseconds Advertise NS Retransmit Timer in RA Select this option to not specify the neighbor solici...

Page 623: ...the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete In respect to L2TP V3 the control connection keep alive mechanism of L2TP V3 can serve as a monitoring mechanism for the pseudowires associated with a control connection Domain Name Lifetime Type Set the DNS Server Lifetime Type Options include expired External fixed and infinite The default is Ex...

Page 624: ...7 46 WiNG 5 7 1 Access Point System Reference Guide ...

Page 625: ...ion to protect and secure data at each vulnerable point in the network This security is offered at the most granular level with role and location based secure access available to users based on identity as well as the security posture of the client device There are multiple dimensions to consider when addressing the security of an access point managed wireless network including Wireless Firewall C...

Page 626: ...e from first to last When a rule matches the network traffic processed by an access point the firewall uses that rule s action to determine whether traffic is allowed or denied Rules comprise of conditions and actions A condition describes a packet traffic stream A condition defines constraints on the source and destination devices the service for example protocols and ports and the incoming inter...

Page 627: ...nd so slowly the device becomes unavailable in respect to its defined data rate DoS attacks are implemented by either forcing targeted devices to reset or consuming the device s resources so it can no longer provide service 4 Select the Activate Firewall Policy option on the upper left hand side of the screen to enable the screen s parameters for configuration Ensure this option stays selected to ...

Page 628: ...erator service to create a string of characters which is then directed to the DNS service on port 53 to disrupt DNS services Fraggle The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address echo port port 7 Each of those addresses that have port 7 open will respond to the request generating a lot of traffic on the network For those that do not...

Page 629: ...solicitation multicasts onto the network and routers must respond as defined in RFC 1122 By sending ICMP Router Solicitation packets ICMP type 9 on the network and listening for ICMP Router Discovery replies ICMP type 10 hackers can build a list of all of the routers that exist on a network segment Hackers often use this scan to locate routers that do not reply to ICMP echo requests Smurf The Smur...

Page 630: ...lso configure the connection rate and threshold of outstanding connections Optionally operate TCP intercept in watch mode as opposed to intercept mode In watch mode the software passively watches the connection requests flowing through the router If a connection fails to get established in a configurable interval the software intervenes and terminates the connection attempt TCP IP TTL Zero The TCP...

Page 631: ... Header Fragment Enables the TCP Header Fragment denial of service check in the firewall Twinge The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes This can crash some Windows systems UDP Short Header Enables the UDP Short Header denial of service check in the firewall WINNUKE The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the Ne...

Page 632: ...se the drop down menu to define the traffic type for which the Storm Control configuration applies Options include ARP Broadcast Multicast and Unicast Interface Type Use the drop down menu to define the interface for which the Storm Control configuration is applied Only the specified interface uses the defined filtering criteria Options include Ethernet WLAN and Port Channel Interface Name Use the...

Page 633: ...d Settings tab Use the Advanced Settings tab to enable disable the firewall define application layer gateway settings flow timeout configuration and TCP protocol checks Figure 8 3 Wireless Firewall screen Advanced Settings tab 14 Refer to the Firewall Status radio buttons to define the firewall as either Enabled or Disabled The firewall is enabled by default If disabling the firewall a confirmatio...

Page 634: ...s to detect if the client is sending routed packets to the correct MAC address IPMAC Routing Conflict Logging Select enable logging for IPMAC Routing Conflict detection This feature is enabled by default and set to Warning IPMAC Routing Conflict Action Use the drop down menu to set the action taken when an attack is detected Options include Log Only Drop Only or Log and Drop The default setting is...

Page 635: ...is enabled by default SCCP ALG Select the check box to allow SCCP traffic through the firewall using its default ports This feature is enabled by default Signalling Connection Control Part SCCP is a network protocol that provides routing flow control and error correction in telecommunication networks FaceTime ALG Select the check box to allow Apple s FaceTime video calling traffic through the fire...

Page 636: ... setting is 30 seconds Any Other Flow Define a flow timeout value in either Seconds 1 32 400 Minutes 1 540 or Hours 1 9 The default setting is 30 seconds Check TCP states where aSYNpackettearsdown the flow Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow The default setting is enabled Check unnecessary resends of TCP p...

Page 637: ...ts separated by colons 23 Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet A flow is a sequence of packets from a particular source to a particular unicast or multicast destination The flow label helps keep packet streams from looking like one massive flow Flow label rewrites are disabled by default and must be manually enabled Flow label re writes enable the re c...

Page 638: ...dresses IPv6 MAC Routing Conflict Select to enable checking for IPv6 routing table next hop IPv6 address MAC address conflicts Option Strict Padding Select to enable strict checks for validating Pad1 and PadN options Option End Point Identification Select to enable end point identification This option is not enabled by default Option Network Service Access Point Select to enable Network Service Ac...

Page 639: ...dvanced Settings Select Reset to revert to the last saved configuration The firewall policy can be invoked at any point in the configuration process by selecting Activate Firewall Policy from the upper left hand side of the access point user interface ...

Page 640: ...IPv6 traffic With either IPv4 or IPv6 create access rules for traffic entering an access point interface because if you are going to deny specific types of packets it is recommended you do it before the access point spends time processing them since access rules are processed before other types of firewall rules IPv6 addresses are composed of eight groups of four hexadecimal digits separated by co...

Page 641: ...ng policy and select Edit to modify the attributes of the rule s configuration 5 Select the added row to expand it into configurable parameters for defining a new rule Figure 8 6 IP Firewall Rules screen Adding a new rule If adding a new rule enter a name up to 32 characters 6 Select Add to add a new firewall rule ...

Page 642: ...de of the screen and select IP filter values as needed to add criteria into the configuration of the IPv4 or IPv6 ACL Figure 8 8 WLAN Security IP Firewall Rules IP Firewall Rules Add Criteria screen Define the following parameters for the IP Firewall Rule NOTE Only those selected IP ACL filter attributes display Each value can have its current settings adjusted by selecting that IP ACL s column to...

Page 643: ...sed in this ACL Protocol Set a service alias as a set of configurations consisting of protocol and port mappings Both source and destination ports are configurable Set an alphanumeric service alias beginning with a and include the protocol as relevant Network Service Alias The service alias is a set of configurations consisting of protocol and port mappings Both source and destination ports are co...

Page 644: ...of ICMP specific options for ICMP type and code Many ICMP types have a corresponding code helpful for troubleshooting network issues 0 Net Unreachable 1 Host Unreachable 2 Protocol Unreachable etc Start VLAN Select a Start VLAN icon within a table row to set apply a start VLAN range for this IP ACL filter The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must ...

Page 645: ...by highlighting them and selecting Delete Figure 8 10 IP SNMP ACL Add screen 4 Provide a new IP SNMP ACL a Name up to 32 characters in length to help distinguish this ACL from others with similar rules 5 Select Add Row to launch a sub screen where the ACL s permit deny and network type rules can be applied Allow Select this option to allow the SNMP MIB object traffic The default setting is to perm...

Page 646: ...ork access permissions 7 Select OK when completed to update the IP Firewall rules Select Reset to revert the screen back to its last saved configuration Type Define whether the permit or deny ACL rule applied to the ACL is specific to a Host IP address a Network address and subnet mask or is applied to Any The default setting is Network IP If Type is not any provide the IP address or host name in ...

Page 647: ...ting how and what these BYODs can access on and through the corporate network Device fingerprinting feature enables administrators to control how BYOD devices access the network and control their access permissions To configure device fingerprinting 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select Device Fingerprinting to display existing device fingerprinting conf...

Page 648: ...identities are included Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 12 Security Device Fingerprinting New Client Identity screen 5 Select Pre defined and use the drop down menu to select from a list of pre defined client identities Once a client identity is selected from the drop down menu the DHCP Match C...

Page 649: ...y and all Use this option to select the message type on which the fingerprint is matched request Indicates the fingerprint is only checked with any DHCP request message received from any device discover Indicates the fingerprint is only checked with any DHCP discover message received from any device any Indicates the fingerprint is checked with either the DHCP request or the DHCP discover message ...

Page 650: ...ure in the DHCP discover messages Match Option The Match Option field contains the following options Option Codes This indicates that the Option Codes passed in the DHCP request discover message is used for matching Options are passed in the DHCP discover request messages as Option Code Option Type Option Value sets When Option Codes is selected all the Option Code passed in the DHCP discover requ...

Page 651: ...rver The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices For example Apple devices have Match Type Use the drop down menu to select how the signatures are matched The available options are Exact The complete signature string completely matches the string specified in the Option Value fie...

Page 652: ...he signatures used to identify clients and then use these signatures to classify and assign permissions to them Click Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available Figure 8 16 Security Device Fingerprinting Client Identity Group New Client Identity Group 13 Provide a name in the Name field for the new client identity and c...

Page 653: ...ttons next to the drop down to manage and create new Client Identity policies 16 Use the Precedence control to set the precedence for the Client Identity This index sets the sequence the client identity in this Client Identity Group is checked or matched 17 Click Ok to save changes Click Reset to revert all changes made to this screen Click Exit to close the Client Identity Group screen ...

Page 654: ...ere the result is a typical allow deny or mark designation to packet traffic To add or edit a MAC based Firewall Rule policy 1 Select Configuration tab from the Web user interface 2 Select Security 3 Select MAC Firewall Rules to display existing MAC Firewall Rule policies Figure 8 18 MAC Firewall Rules screen 4 Select Add to create a new MAC Firewall Rule Select an existing policy and select Edit ...

Page 655: ... Destination MAC addresses Access points use the source IP address destination MAC address as basic matching criteria Provide a subnet mask if using a mask Action The following actions are supported Log Events are logged for archive and analysis Mark Modifies certain fields inside the packet and then permits them Therefore mark is an action with an implicit permit VLAN 802 1p priority DSCP bits in...

Page 656: ...ontrol to specify a traffic class Traffic class can be from 1 10 Match 802 1P Configures IP DSCP to 802 1p priority mapping for untagged frames Use the spinner control to define a setting from 0 7 Ethertype Use the drop down menu to specify an Ethertype of either other ipv4 arp rarp appletalk aarp mint wisp ipx 802 1q and ipv6 An Ethertype is a two octet field within an Ethernet frame It is used t...

Page 657: ...rise class security management features Threat Detection Threat detection is central to a wireless security solution Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless network Rogue Detection and Segregation A WIPS supported network distinguishes itself by both identifying and categorizing nearby access points WIPS identifies threatening versus...

Page 658: ...the following detection settings for this WIPS policy Enable Rogue AP Detection Select the check box to enable the detection of unsanctioned APs from this WIPS policy The default setting is disabled Wait Time to Determine AP Status Define a wait time in either Seconds 10 600 or Minutes 0 10 before a detected AP is interpreted as a rogue unsanctioned device and potentially removed The default inter...

Page 659: ...maly tabs also available Figure 8 21 Wireless IPS screen WIPS Events Excessive tab The Excessive tab lists events with the potential of impacting network performance An administrator can enable or disable event filtering and set the thresholds for the generation of the event notification and filtering action Air Termination Select this option to enable the termination of detected rogue AP devices ...

Page 660: ...of the excessive action event representing a potential threat to the network This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted Enable Displays whether tracking is enabled for each event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against its th...

Page 661: ...vent as excessive or permitted Enable Displays whether tracking is enabled for each MU Anomaly event Use the drop down menu to enable disable events as required A green checkmark defines the event as enabled for tracking against its threshold A red X defines the event as disabled and not tracked by the WIPS policy Each event is disabled by default Filter Expiration Set the duration a client is fil...

Page 662: ...on to enable all AP Anomaly Events Use Disable All button to disable all AP Anomaly Events 18 Select OK to save the updates to the AP Anomaly configuration used by the WIPS policy Select Reset to revert to the last saved configuration The WIPS policy can be invoked at any point in the configuration process by selecting Activate Wireless IPS Policy from the upper left hand side of the access point ...

Page 663: ...e to remove obsolete signatures from the list of those available Name Lists the name assigned to each signature when it was created A signature name cannot be modified as part of the edit process Signature Displays whether the signature is enabled A green checkmark defines the signature as enabled A red X defines the signature as disabled Each signature is disabled by default BSSID MAC Displays ea...

Page 664: ...SS ID MAC address used for matching and filtering with the signature Source MAC Define a source MAC address for the packet examined for matching filtering and potential device exclusion using the signature Destination MAC Set a destination MAC address for a packet examined for matching filtering and potential device exclusion using the signature Frame Type to Match Use the drop down menu to select...

Page 665: ...ave the updates to the WIPS Signature configuration Select Reset to revert to the last saved configuration The WIPS policy can be invoked and applied to the access point profile by selecting Activate Wireless IPS Policy from the upper left hand side of the access point user interface Wireless Client Threshold Specify the threshold limit per client that when exceeded signals the event The configura...

Page 666: ...ered to avoid jeopardizing the data managed by the access point and its connected clients Use the Device Categorization screen to apply neighboring and sanctioned approved filters on peer access points operating in this access point s radio coverage area Detected client MAC addresses can also be filtered based on their classification in this access point s coverage area To categorize access points...

Page 667: ...e to a list of devices sanctioned for network operation Select OK to save the updates to the Marked Devices List Select Reset to revert to the last saved configuration Classification Use the drop down menu to designate the target device as either Sanctioned or Neighboring Device Type Use the drop down menu to designate the target device as either an access point or client MAC Address Enter the fac...

Page 668: ...ion is optimally effective WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy Since an organization s security goals vary the security policy should document site specific concerns The WIPS system can then be modified to support and enforce these additional security policies WIPS reporting tools can minimize dedicated administration time Vuln...

Page 669: ...ication For more information refer to the following Configuring Captive Portal Policies Setting the DNS Whitelist Configuration Setting the DHCP Server Configuration Setting the Bonjour Gateway Configuration Setting the DHCPv6 Server Policy Setting the RADIUS Configuration Refer to Services Deployment Considerations on page 9 56 for tips on how to optimize the access point s configuration ...

Page 670: ...user data encryption but it can be used with static WEP WPA PSK or WPA2 PSK encryption Each supported access point model can support up to 32 captive portal policies with the exception of AP6511 and AP6521 models which can only support 16 captive portal policies 9 1 1 Configuring a Captive Portal Policy Configuring Captive Portal Policies To configure a captive portal policy 1 Select Configuration...

Page 671: ...ralized If the mode is Internal Self the access point maintains the captive portal internally while External centralized means the captive portal is running on the adopting wireless controller Hosting VLAN Interface When Centralized Server is selected as the Captive Portal Server Mode a VLAN is defined where the client can reach the controller 0 is the default value Connection Mode Lists each poli...

Page 672: ...ers Captive Portal Server Mode Set the mode as Internal Self Centralized or Centralized Controller Select Internal Self to maintain the captive portal configuration Web pages internally on the access point Select External Centralized if the captive portal is supported on an external server Select Centralized Controller for the captive portal to reside on the access point s connected Virtual Contro...

Page 673: ...rotection HTTP cannot provide The default value however is HTTP Simultaneous Users Select the check box and use the spinner control to set from 1 8192 users client MAC addresses allowed to simultaneously access and use the access point s captive portal Access Type Select the radio button for the authentication scheme applied to wireless clients using the captive portal for guest access Options inc...

Page 674: ...cters Use the Add Row button to populate the whitelist table with Host and IP Index parameters that must be defined for each whitelist entry Figure 9 3 Captive Portal DNS Whitelist screen b Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host in the whitelist A valid hostname cannot contain an underscore c Use the Match Suffix parameter ...

Page 675: ...ble RADIUS Accounting Select this option to use an external RADIUS resource for AAA accounting for the captive portal When the radio button is selected a AAA Policy field displays This setting is disabled by default Enable Syslog Accounting Select this option to log information about the use of remote access services by users using an external syslog resource This information is of great assistanc...

Page 676: ... portal service is temporarily unavailable due to technical reasons Once the services become available the captive portal user is automatically re connected to the portal 17 Select the location where the captive portal Login Terms and Conditions Welcome Fail and No Service web pages are hosted Available sources include Internal Advanced or Externally Hosted If Internal is selected provide the info...

Page 677: ...tion of each page and should be unique to each login terms welcome and fail function Header Text Provide header text unique to the function of each page Message Specify a message containing unique instructions or information for the users accessing each specific page In the case of the Terms and Conditions page the message can be the conditions requiring agreement before guest access is permitted ...

Page 678: ...less client access is provided Welcome URL Define the complete URL for the location of the Welcome page The Welcome page asserts the user has logged in successfully and can access resources via the captive portal Fail URL Define the complete URL for the location of the Fail page The Fail page asserts authentication attempt has failed and the client cannot access the captive portal and the client n...

Page 679: ...ains its own set of Advanced Web pages for custom captive portal creation Refer to Operations Devices File Transfers and use the Source and Target fields to move captive portal pages as needed to managed devices that may be displaying and hosting captive portal connections Select the Web Page Auto Upload check box to enable automatic upload of captive portal Web pages For more information refer to...

Page 680: ...Select DNS Whitelist The DNS Whitelist screen displays those existing whitelists available to a captive portal 4 Select Add to create a whitelist Edit to modify a selected whitelist or Delete to remove a whitelist a If creating a whitelist assign it a name up to 32 characters Use the Add Row button to populate the whitelist table with Host and IP Index parameters that must be defined for each whit...

Page 681: ...usive range of IP addresses DHCP clients are compared against classes If the client matches one of the classes assigned to the pool it receives an IP address from the range assigned to the class If the client doesn t match any of the classes in the pool it receives an IP address from a default pool range if defined Multiple IP addresses for a single VLAN allow the configuration of multiple IP addr...

Page 682: ...ration is obsolete it can be deleted Subnet Displays the network address and mask used by clients requesting DHCP resources Domain Name Displays the domain name used with this network pool Hostnames are not case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Boot Fi...

Page 683: ...e DHCP Server and DHCP clients The IP address and subnet mask of the pool are required to match the addresses of the layer 3 interface for the addresses to be supported through that interface Select Alias to use a network alias with the subnet configuration For more information see Alias on page 7 34 Domain Name Provide the domain name used with this pool Domain names are not case sensitive and ca...

Page 684: ...b Select Reset to revert to the last saved configuration 11 Select the Static Bindings tab from within the DHCP Pools screen A binding is a collection of configuration parameters including an IP address associated with or bound to a DHCP client Bindings are managed by DHCP servers DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses Static b...

Page 685: ... Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available Client Identifier Type Lists whether the reporting client is using a Hardware Address or Client Identifier as its identifier type Value Lists the hardware address or client identifier value assigned to the client when added or last modified IP Address Displays the IP address o...

Page 686: ... Name Provide a domain name of the current interface Domain names aren t case sensitive and can contain alphabetic or numeric letters or a hyphen A fully qualified domain name FQDN consists of a hostname plus a domain name For example computername domain com Select Alias to use a string alias with the domain name configuration For more information see Alias on page 7 34 Boot File Enter the name of...

Page 687: ...ias with the DNS server configuration For more information see Alias on page 7 34 Within the Network field define one or more DNS Servers and Default Routers to resolve routes to other parts of the network Up to 8 IP addresses can be provided for Default Routers Select Alias to use a network alias with the default routers configuration For more information see Alias on page 7 34 21 Select OK when ...

Page 688: ...h the BOOTP Next Server configuration For more information see Alias on page 7 34 Enable Unicast Unicast packets are sent from one location to another location there s just one sender and one receiver Select this option to forward unicast messages to just a single device within the network pool This setting is disabled by default NetBIOS Node Type Set the NetBIOS Node Type used with this pool The ...

Page 689: ...ays 27 Select the Add Row button to add individual options for Destination and Gateway addresses 28 Select OK to save the updates to the DHCP pool s Advanced settings Select Reset to revert the screen back to its last saved configuration 9 3 2 Defining DHCP Server Global Settings Setting the DHCP Server Configuration Setting a DHCP server global configuration entails defining whether BOOTP request...

Page 690: ...y used Criteria Select the Criteria option to invoke a drop down menu to determine when the DHCP daemon is invoked Options include vrrp master cluster master and rf domain manager A VRRP master responds to ARP requests forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address rejects packets addressed to the IP associated with the virtual router and a...

Page 691: ...ients based on user class option names Clients with a defined set of user class option names are identified by their user class name The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined...

Page 692: ...7 1 Access Point System Reference Guide Figure 9 15 DHCP Server Policy screen Class Policy tab 2 Select Add to create a new DHCP class policy Edit to update an existing policy or Delete to remove an existing policy ...

Page 693: ...internal DHCP server configuration refer to the following deployment guidelines to ensure the configuration is optimally effective DHCP option 189 is required when AP650 access points are deployed over a layer 3 network and require layer 3 adoption DHCP services are not required for AP650 access points connected to a VLAN that s local to the controller or service platform DHCP s lack of an authent...

Page 694: ...ters scanners and file sharing servers can be found using Bonjour Bonjour only works within a single broadcast domain However with special DNS configuration it can be extended to find services across broadcast domains The following options can be configured Configuring the Bonjour Discovery Policy Configuring the Bonjour Forwarding Policy 9 4 1 Configuring the Bonjour Discovery Policy Setting the ...

Page 695: ...dit it To add a new policy select Add Select an existing policy and click Delete to delete the policy or use Copy to create a copy of a policy for further modifications Figure 9 18 Bonjour Discovery Policy Add Edit Policy screen 6 Select the Add Row button to add a rule to the Bonjour Discovery Policy These are the services which can be discovered by the Bonjour Gateway ...

Page 696: ...onjour Discovery Policy information 1 Select Configuration 2 Select Services 3 Select Bonjour Gateway to expand its submenu 4 Select Forwarding Policy Service Name Configures the service that can be discovered by the Bonjour Gateway Predefined Use the drop down menu to select from a list of predefined Apple services Alias Use an existing alias to define a service that is not available in the prede...

Page 697: ...arding Policy screen This screen displays the name of the configured Bonjour forwarding policies 5 Select an existing policy and click Edit to edit it To add a new policy select Add Figure 9 20 Bonjour Gateway Forwarding Policy Add screen ...

Page 698: ...o save the updates to this Bonjour Gateway Forwarding Policy Select Reset to revert to the last saved configuration From VLANs From VLANs are VLANs where the Apple services are available Enter a VLAN ID or a range of VLANs Aliases can also be used To VLANs To VLANs are VLANs where clients for the services are available Enter a VLAN ID or a range of VLANs Aliases can also be used Rule ID Use the sp...

Page 699: ...addresses can be from one or multiple pools Additional options such as the default domain and DNS name server address can be passed back to the client Address pools can be assigned for use on a specific interface or on multiple interfaces or the server can automatically find the appropriate pool To access and review the local DHCPv6 server configuration 1 Select Configuration 2 Select Services 3 S...

Page 700: ...rk resources default gateway domain name DNS server and WINS server configuration An option exists to identify the vendor and functionality of a DHCPv6 client The information is a variable length string of characters or octets with a meaning specified by the vendor of the DHCPv6 client To set DHCPv6 options 1 Select Configuration 2 Select Services 3 Select DHCPv6 Server Policy Select Add to create...

Page 701: ...of the parameters to requesting clients from the pool To create a DHCPv6 pool configuration 1 Select Configuration 2 Select Services Name Enter a name to associate with the new DHCP option This name should describe the new option s function Code Use the spinner control to specify a DHCP option code from 0 254 for the option Only one code for each DHCPv6 option of the same value can be used in each...

Page 702: ...osed of eight groups of four hexadecimal digits separated by colons DNS Server Displays the address of the DNS server resource utilized with the DHCPv6 pool Domain Name Displays the hostname of the domain associated with the DHCPv6 pool Network Displays the IPv6 formatted address and mask utilized with the DHCPv6 address pool The address can be configured in the add or edit screen Refresh Time Dis...

Page 703: ... mask associated with the DHCPv6 pool Refresh Time Use the spinner control to set the time in seconds between refreshes of the DHCPv6 address pool The refresh time can be set from 600 4 294 967 295 seconds SIP Domain Name Configure the domain name or domain names associated with the Session Initiation Protocol SIP servers used to prioritize voice and video traffic on a network SIP is an applicatio...

Page 704: ...OK to save the changes Select Reset to revert to the last saved configuration Name Use the drop down menu to select an existing DHCP option name from the existing options configured in DHCPv6 Options If no suitable option is available click the create button to define a new option Value Enter or modify the numeric ID setting for the selected DHCP option ...

Page 705: ...ccess based on time of day The access point uses a default trustpoint A certificate is required for EAP TTLS PEAP and TLS RADIUS authentication configured with the RADIUS service Dynamic VLAN assignment is achieved based on the RADIUS server response A user who associates to WLAN1 mapped to VLAN1 can be assigned a different VLAN after authentication with the RADIUS server This dynamic VLAN assignm...

Page 706: ... s edit process Guest User Group Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server The terms of the guest access can be set uniquely for each group A red X designates the group as having permanent access to the local RADIUS server Guest user groups cannot be made management groups with unique access and role permissions Management Group A gre...

Page 707: ...fications or use Rename to rename the existing configuration VLAN Displays the VLAN ID used by the group The VLAN ID is representative of the shared SSID each group member user employs to interoperate within the access point managed network once authenticated by the local RADIUS server Time Start Specifies the time users within each listed group can access local RADIUS resources Time Stop Specifie...

Page 708: ...e to permanently remove a selected group Figure 9 26 RADIUS Group Policy Add screen 5 Define the following Settings to define the user group configuration RADIUS Group Policy If creating a new RADIUS group assign it a name to help differentiate it from others with similar configurations The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process Guest User Group Sele...

Page 709: ...to the members of the group using the Access drop down menu allowing varying levels of administrative rights This feature is disabled by default Access If a group is listed as a management group assign how the devices can be accessed Available access types are Web Web access through browser is permitted SSH SSH access through command line is permitted Telnet Telnet access through command line is p...

Page 710: ...r group of users To configure a RADIUS user pool and unique user IDs 1 Select Configuration tab from the Web user interface 2 Select Services 3 Expand the RADIUS menu option and select User Pools Figure 9 27 RADIUS User Pool screen 4 Select Add to create a new user pool Edit to modify the configuration of an existing pool or Delete to remove a selected pool 5 If creating a new pool assign it a nam...

Page 711: ...ach configured user ID is a member Email Id Displays the configured E mail ID for this user This is the address used when communicating with users in this pool Telephone Displays the configured telephone number for this user This is the number used when communicating with users in this pool Start Date Lists the month day and year the listed user ID can access the access point s internal RADIUS ser...

Page 712: ...olicy and exceeds the specified Data Limit their speed is throttled to the Reduced Downlink Rate Committed Uplink Rate kbps Displays the upload speed in KiloBytes allocated to the guest user When bandwidth is available the user can download data at the specified rate If a guest user has a bandwidth based policy and exceeds the specified Data Limit their speed is throttled to the Reduced Uplink Rat...

Page 713: ... as a guest with temporary access The guest user must be assigned unique access times to restrict their access Group If the user has been defined as a guest use the Group drop down menu to assign the user a group with temporary access privileges If the user is defined as a permanent user select a group from the group list If the groups listed are not relevant to the user s intended access select t...

Page 714: ...gabytes or MB Megabytes Committed Downlink Rate Use the spinner control to specify the download speed dedicated to the guest user When bandwidth is available the user can download data at the specified rate Once a value is configured select the measurement as either MBPS Megabytes per second or KBPS Kilobytes per second If a guest user has a bandwidth based policy and exceeds the specified Data Li...

Page 715: ...le RADIUS server policy is supported To manage the access point s RADIUS server policy 1 Select Configuration tab from the Web user interface 2 Select Services 3 Expand the RADIUS menu option and select RADIUS Server Figure 9 30 RADIUS Server Policy screen Server Policy tab The RADIUS Server Policy screen displays with the Server Policy tab displayed by default 4 Select the Activate RADIUS Server ...

Page 716: ...k Select this option to indicate that fall back from RADIUS to local is enabled incase RADIUS authentication is not available for any reason This option is only enabled when LDAP is selected as the Default Source Use the Add Row button to add fallback sources into the Sources table Provide the following information Source Select the type of fallback Select from LDAP or Local Fallback Select to ena...

Page 717: ...le CRL Validation Select this option to enable a Certificate Revocation List CRL check Certificates can be checked and revoked for a number of reasons including the failure or compromise of a device using a certificate a compromise of a certificate key pair or errors within an issued certificate This option is disabled by default Username Enter a128 character maximum username for the LDAP server s...

Page 718: ...US enabled device configured with the same shared secret Select the Show check box to expose the shared secret s actual character string Leave the option unselected to display the shared secret as a string of asterisks 15 Select OK to save the server policy s client configuration Select the Reset button to revert to the last saved configuration 16 Select the Proxy tab and ensure the Activate RADIU...

Page 719: ... the table 20 Enter a 50 character maximum Realm Name When the access point s RADIUS server receives a request for a user name the server references a table of realms If the realm is known the server proxies the request to the RADIUS server 21 Enter the Proxy server s IP Address This is the address of server checking the information in the user access request The proxy server either accepts or rej...

Page 720: ...d authorize users based on complex checks and logic There is no way to perform such complex authorization checks from a LDAP user database alone Figure 9 33 RADIUS Server Policy screen LDAP tab 27 Refer to the following to determine whether an LDAP server can be used as is a server configuration requires creation or modification or a configuration requires deletion Redundancy Displays whether the ...

Page 721: ...vailable IP Address Set the IP address of the external LDAP server acting as the data source for the RADIUS server Login Define a unique login name used for accessing the remote LDAP server resource Consider using a unique login name for each LDAP server to increase the security of the connection between the access point and remote LDAP resource Port Use the spinner control to set the physical por...

Page 722: ...ntifies an entry distinctly from any other entries that have the same parent Bind Password Enter a valid password for the LDAP server Select the Show check box to expose the password s actual character string Leave the option unselected to display the password as a string of asterisks The password cannot 32 characters Password Attribute Enter the LDAP server password attribute The password cannot ...

Page 723: ...t password If a shared secret is compromised only the one client poses a risk as opposed all the additional clients that potentially share that secret password Consider using an LDAP server as a database of user credentials that can be used optionally with the RADIUS server to free up resources and manage user credentials from a secure remote location Designating at least one secondary server is a...

Page 724: ...9 56 WiNG 5 7 1 Access Point System Reference Guide ...

Page 725: ...ck footprint and free resources too To set Management Access administrative rights access control permissions authentication refer to the following Creating Administrators and Roles Setting the Access Control Configuration Setting the Authentication Configuration Setting the SNMP Configuration SNMP Trap Configuration Refer to Management Access Deployment Considerations on page 10 14 for tips on ho...

Page 726: ...plays by default Figure 10 1 Management Policy Administrators screen 4 Refer to the following to review existing administrators 5 Select Add to create a new administrator configuration Edit to modify an existing configuration or Delete to permanently remove an administrator User Name Displays the name assigned to the administrator upon creation The name cannot be modified when editing an administr...

Page 727: ... assigned Web UI Select this option to enable access to the access point s Web UI Telnet Select this option to enable access to the access point using TELNET SSH Select this option to enable access to the access point using SSH Console Select this option to enable access to the access point s console Superuser Select this option to assign complete administrative rights to this user This entails al...

Page 728: ...bleshoots and debugs reported problems The Help Desk manager typically runs troubleshooting utilities like a sniffer executes service commands views retrieves logs and reboots the access point Web User Select this option to assign privileges to add users for captive portal authentication For more information on captive portal access rights and configuration requirements see Configuring Captive Por...

Page 729: ... or other firewalls where you can specify and customize specific IPs to access specific interfaces The following table demonstrates some interfaces provide better security than others and are more desirable To set user access control configurations 1 Select Configuration 2 Select Management 3 Select Access Control from the list of Management Policy options in the upper left hand side of the UI Fig...

Page 730: ...ct the check box to enable HTTP device access HTTP provides limited authentication and no encryption Enable HTTPS Select the check box to enable HTTPS device access HTTPS Hypertext Transfer Protocol Secure is more secure than plain HTTP HTTPS provides both authentication and data encryption as opposed to just authentication NOTE If an AP6511 or AP6521 s external RADIUS server is not reachable HTTP...

Page 731: ...ne IP based firewalls function like Access Control Lists ACLs to filter mark packets based on the IP from which they arrive as opposed to filtering packets on layer 2 ports IP firewalls implement uniquely defined access control policies so if you do not have an idea of what kind of access to allow or deny a firewall is of little value and could provide a false sense of network security Source Host...

Page 732: ...esource will need to interoperate with a RADIUS and LDAP Server AAA Servers to provide user database information and user authentication data If there is no AAA policy suiting your RADIUS authentication requirements either select the Create icon to define a new AAA policy or select an existing policy from the drop down menu and select the Edit icon to update its configuration For more information ...

Page 733: ...e selected when Fallback is selected Fallback Select to enable fallback to use local authentication if TACACS authentication fails This option is not available when the Local field is set to enabled Also this option cannot be selected when Authentication is selected Accounting Select to enable TACACS accounting on login This option is not available when the Local field is set to enabled When selec...

Page 734: ...hentication mechanism to monitor and configure supported devices The read only community string is used to gather statistical data and configuration parameters from a supported wireless device The read write community string is used by a management server to set device parameters SNMP is generally used to monitor a system s performance and other parameters To define SNMP management values 1 Select...

Page 735: ...orts the concurrent use of different security access control and message processing techniques SNMPv3 is enabled by default Community Define a public or private community designation By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Access Control Set the access permission for each community stri...

Page 736: ...SNMP trap configuration for receiving events at a remote destination 1 Select Configuration Management 2 Select SNMP Traps from the list of Management Policy options in the upper left hand side of the UI Figure 10 6 Management Policy screen SNMP Traps tab 3 Select the Enable Trap Generation check box to enable trap creation using the trap receiver configuration defined in the lower portion of the ...

Page 737: ...id or password allowing access to access point resources If the community string is correct the access point provides with the requested information If the community string is incorrect the access point discards the request and does not respond Community strings are used only by devices which support SNMPv1 and SNMPv2c SNMPv3 uses username password authentication along with an encryption key The d...

Page 738: ...uthentication Management services like HTTPS SSH and SNMPv3 should be used when possible as they provide both data privacy and authentication By default SNMPv2 community strings on most devices are set to public for the read only community string and private for the read write community string Our legacy devices may use other community strings by default It is recommended that SNMPv3 be used for d...

Page 739: ...e Performance and diagnostic information is collected and measured for anomalies causing a key processes to potentially fail Numerous tools are available within the Diagnostics menu Some allow event filtering some enable log views and some allow you to manage files generated when hardware or software issues are detected Diagnostic capabilities include Fault Management Crash Files Advanced ...

Page 740: ...d By default all events are enabled and an administrator has to turn off events if they don t require tracking Figure 11 1 Fault Management Filter Events screen Use the Filter Events screen to create filters for managing events Events can be filtered based on severity module received source MAC of the event device MAC of the event and MAC address of the wireless client 3 Define the following Custo...

Page 741: ... 7 Refer to the following event parameters to assess nature and severity of the displayed event Module Select the module from which events are tracked When a single module is selected events from other modules are not tracked Remember this when interested in events generated by a particular module Individual modules can be selected such as TEST LOG FSM etc or all modules can be tracked by selectin...

Page 742: ...eld to filter events to display To filter messages further select a RF Domain from the Filter by RF Domain field 11 In the Access Point s tab select the RF Domain from the Select a RF Domain field to filter events to display To filter messages further select a device from the Filter by Device field Module Displays the module used to track the event Events detected by other modules are not tracked ...

Page 743: ...tracked Message Displays error or status message for each event Severity Displays event severity as defined for tracking from the Configuration screen Severity options include All Severities All events are displayed regardless of severity Critical Only critical events are display Error Only errors display Warning Only warnings display Informational Only informational events display no critical eve...

Page 744: ...from those displayed in the lower left hand side of the UI Figure 11 4 Crash Files screen The screen displays the following for each reported crash file 4 Select a listed crash file and select the Copy button to display a screen used to copy archive the file to an external location 5 To remove a listed crash file from those displayed select the file and select the Delete button File Name Displays ...

Page 745: ... Debugging View UI Logs View Sessions 11 3 1 UI Debugging Advanced Use the UI Debugging screen to view debugging information for a selected device To review device debugging information 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options By default NETCONF Viewer is selected Once a target ID is selected its debugging information displays within the NETCONF Viewer screen...

Page 746: ...ages area 11 3 2 View UI Logs Advanced Use the View UI Logs screen to view the log messages generated by the device Logs are classified as Flex Logs and Error Logs These logs provide a real time look into the state of the device and provide useful information for debugging and trouble shooting issues To display the logs 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu option...

Page 747: ...splays a list of all sessions associated with this device A session is created when a user name password combination is used to access the device to interact with it for any purpose Use the following to view a list of sessions associated with this device 1 Select Diagnostics 2 Select Advanced to display the UI Debugging menu options 3 Select the View Sessions menu item to display the users session...

Page 748: ...ore session then select Delete Cookie Displays the number of cookies created by this session From Displays the IP address of the device process initiating this session Role Displays the role assigned to the user name as displayed in the User column Start Time Displays the start time of this session This is the time at which the user successfully created this session User Displays the user name of ...

Page 749: ...pplication to other managed devices Self Monitoring At Run Time RF Management Smart RF is an innovation designed to simplify RF configurations for new deployments while over time providing on going deployment optimization and radio performance improvements The Smart RF functionality scans the RF network to determine the best channel and transmit power for each managed access point radio For more i...

Page 750: ...nd Configuration Files Rebooting the Device Locating a Device Upgrading Device Firmware Viewing Device Summary Information Adopted Device Upgrades File Management Adopted Device Restart Captive Portal Pages Re elect Controller These tasks can be performed on individual access points and wireless clients 12 1 1 Managing Firmware and Configuration Files Devices Firmware and configuration files are v...

Page 751: ...ion see Managing Running Configuration on page 12 3 Show Startup Config Select this option to display the startup configuration of the selected device The startup configuration is displayed in a separate window Select Execute to perform the function For more information on viewing and managing the startup configuration see Managing Startup Configuration on page 12 6 Reload Select this option to re...

Page 752: ...e 12 3 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 4 Device Browser Options for a device 3 Select Show Running Config to display the Running Configuration window ...

Page 753: ...the running configuration Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port Use the spinner control or manually enter the value to define the port used by the protocol for exporting the running configuration This option is not valid for cf usb1 usb2 usb3 and usb4 Host Enter IP address or the hostname of the server used to export the running configuration to This option is no...

Page 754: ...a set of operations that can be performed on the selected device Figure 12 7 Device Browser Options for a device Path File Specify the path to the folder to export the running configuration to Enter the complete relative path to the file on the server User Name Define the user name used to access either a FTP or SFTP server This field is only available if the selected protocol is ftp or sftp Passw...

Page 755: ...t Config field to configure the parameters required to export or import the startup configuration to or from an external server Refer to the following to configure the remote server parameters Protocol Select the protocol used for exporting or importing the startup configuration Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 local ...

Page 756: ...sb2 usb3 and usb4 Host Enter IP address or the hostname of the server used to export or import the startup configuration to This option is not valid for local cf usb1 usb2 usb3 and usb4 Use the drop down to select the type of host information Host can be one of Host Name or IP Address A valid hostname cannot contain an underscore Path File Specify the path to the folder to export or import the sta...

Page 757: ...pinner to configure a delay in seconds before the device is reloaded Set this value to 0 to reload the device immediately Description Use the text box to provide a brief description detailing the reason to reload this device Current Boot Displays the current running firmware Displays either primary or secondary Current Boot Version Displays the firmware version number for the running firmware Next...

Page 758: ... the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manually created trustpoint for one service like HTTPs and use the CMP generated trustpoint for RADIUS EAP certificate based authentication Use the Crypto CMP Certificate menu item to manage these certificates Figure 12 12 Crypto C...

Page 759: ...arget device from the left hand side of the UI 2 Select the down arrow next to the device to view a set of operations that can b performed on the selected device Figure 12 13 Device Browser Options for a device 3 Select the Firmware Upgrade button to upgrade the device s firmware Figure 12 14 Firmware Upgrade screen Trust Point Valid Until The expiration of the CMP certificate is checked once a da...

Page 760: ...b1 usb2 usb3 usb4 local Port Use the spinner control or manually enter the value to define the port used by the protocol for importing the firmware upgrade file This option is not valid for local cf usb1 usb2 usb3 and usb4 Host Enter IP address or the hostname of the server used to import the firmware file This option is not valid for local cf usb1 usb2 usb3 and usb4 Use the drop down to select th...

Page 761: ...when the device encounters a critical error that impairs the performance of the device When a critical error arises information about the state of the device at that moment is written to a text file This file is used by the Support Center to debug the issue and provide a solution to correct the error condition To view and manage the crash information files 1 Select a target device from the left ha...

Page 762: ... at the bottom to copy the selected file to a remote location Use the Delete button to delete the selected crash info file File Name Displays the full path to the crash file Size Displays the size of the crash information file in kilobytes Last Modified Displays the timestamp the crash information file was modified last Action Displays icons for the actions that can be performed on the selected cr...

Page 763: ...e error condition Use the Copy Crash Info screen to copy the crash files to a remote device using ftp or tftp To use the Copy Crash Info screen 1 Select a target device from the left hand side of the UI Figure 12 20 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 21 Device Browser Options for a device 3 Se...

Page 764: ...t use the spinner to select it Host IP Use this field to provide the hostname or the IP address of the FTP server User Use this field to provide the user credentials to authenticate on the FTP server Password Use this field to provide the authentication password for the user credentials provided in the User field Path Optional Optionally provide the complete path to the directory on the FTP server...

Page 765: ...pport Dump files do the following 1 Select a target device from the left hand side of the UI Figure 12 24 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 25 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 26 Device Browser Options for a device Troubleshooting s...

Page 766: ... to provide the hostname or the IP address of the FTP server User Use this field to provide the user credentials to authenticate on the FTP server Password Use this field to provide the authentication password for the user credentials provided in the User field Path Optional Optionally provide the complete path to the directory on the FTP server where the Tech Support Dump file is to be placed Tar...

Page 767: ...st all other deployed devices To locate a device 1 Select the target device from the left hand side of the UI Figure 12 28 Device Browser 2 Select the down arrow next to the device to view a set of operations that can be performed on the selected device Figure 12 29 Device Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 30 Device Browser Options for a device ...

Page 768: ...ormal operation Click Close to close this window 12 1 5 5 Debugging Wireless Clients Troubleshooting the Device Use the Debug Wireless Clients screen to assess whether a connection to a wireless client is proper and is working as intended To view the Debug Wireless Clients screen 1 Select the target device from the left hand side of the UI Figure 12 32 Device Browser 2 Select the down arrow next t...

Page 769: ... is selected the captured debug events are stored on a file and then saved to a remote location using either the FTP or TFTP protocols Use the screen to provide the appropriate information to save the file on the remote server 6 When in the RF Domain context use the Edit Devices List to select the device to view the debug information for 7 Refer to the following Select Debug Messages fields to con...

Page 770: ...hat can be selected are 802 11 Management Displays all 802 11 management debug messages EAP Displays all debug messages related to EAP Flow Migration Displays all debug messages related to flow migration RADIUS Displays all debug messages related to RADIUS server System Internal Displays all debug messages related to system internals WPA WPA2 Displays all debug messages related to WPA WPA2 All Wir...

Page 771: ... Browser Options for a device 3 Select Troubleshooting to expand its sub menu Figure 12 38 Device Browser Options for a device Troubleshooting sub menu 4 Select Packet Capture NOTE The maximum packet capture data limit is 15 MB ...

Page 772: ...Ethernet Bridge Select this to enable capture of packets traversing an ethernet bridge Dropped Select this to enable to capture dropped packets Interface Select this to enable capture packets on specific interfaces The interfaces can be select from the drop down list Select the interface number from the spinner control Use the Packet Direction drop down to configure the direction the packet traver...

Page 773: ... a device IP Protocol Select this to enable filtering the capture packets on specific protocols The protocols can be select from the drop down list The default protocol is TCP Port Select this option to enable filtering capture packets on specific ports Use the spinner to set the port number The default port number is 1 NOTE When displaying the Summary screen at the RF Domain level of the UI s hie...

Page 774: ...d Date Displays the date the Primary and Secondary firmware image was built for the selected device Install Date Displays the date the firmware was installed on the access point Fallback Lists whether fallback is currently enabled for the selected device When enabled the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade t...

Page 775: ...te to the device to manage the firmware and configuration files on and select it Figure 12 41 Device Summary screen 4 Select Adopted Device Upgrade tab NOTE AP upgrades can only be performed by access points in Virtual Controller AP mode and cannot be initiated by Standalone APs Additionally upgrades can only be performed on access points of the same model as the Virtual Controller AP ...

Page 776: ...pe and set the transfer pro tocol Device Type List Select the access point model to specify which model is available to upgrade by the Virtual Controller AP Upgrades can only be made to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed Scheduled Upgrade Time...

Page 777: ...nsures that the access point remains in operation with its current firmware This option is useful to ensure the access point remains operational until ready to take it offline for the required reboot Staggered Reboot Select this option to do a staggered rebooting of upgraded access points When selected upgraded access points are not rebooted simultaneously bringing down the network A few access po...

Page 778: ...des can only be made to the same access point model For example an AP6532 firmware image cannot be used to upgrade an AP7131 model access point For that reason the drop down menu will only display the model deployed URL Enter a URL pointing to the location of the image file Advanced Basic Select Advanced to list additional options for the image file location including protocol host and path Additi...

Page 779: ...er Protocol A hostname or IP address is required Port and path are optional A valid hostname cannot contain an underscore cf Select this option to specify a file location on a Compact Flash card installed on the device This option might not be available on all devices usb1 usb2 usb3 usb4 Select this option to specify the file location on one of the USB 1 USB 2 USB 3 or USB 4 ports of the device Th...

Page 780: ...eceive a firmware image from their provisioning access point Each device can have its own upgrade time defined so the upgrade queue could be staggered Number of devices waiting in queue to be rebooted Lists the number of devices waiting to reboot before actively utilizing its upgraded image The Device Upgrade List list allows an administrator to disable or stagger the reboot time so device reboots...

Page 781: ...administrator for a specific time This is helpful to ensure a sufficient number of devices remain in service at any given time Reboot Time Displays whether a reboot is immediate or time set by an administrator for a specific time Reboots render the device offline so planning reboots carefully is central to ensuring a sufficient number of devices remain in service Last Status Lists the last reporte...

Page 782: ...s include Waiting Downloading Updating Scheduled Reboot Rebooting Done Cancelled Done No Reboot Time Displays the time when the device was upgraded Retries Displays the number of retries if any during the upgrade If this number is more than a few the upgrade configuration should be revisited Upgraded By Displays the hostname of the device that upgraded this device Last Status Displays the time of ...

Page 783: ...12 35 Figure 12 46 Device Summary screen 4 Click File Management ...

Page 784: ...es File Management screen 5 The pane on the left of the screen displays the directory tree for the selected device Use this tree to navigate around the device s directory structure When a directory is selected all files in that directory is listed in the pane on the right ...

Page 785: ... the Refresh button to refresh the view in the screen 8 To delete a folder select the folder in the directory tree on the left Click Delete Folder button The following popup displays Figure 12 49 Devices File Management Delete Confirmation screen File Name Displays the name of the file Size Kb Displays the size of the file in kilobytes Last Modified Displays the timestamp for the last modification...

Page 786: ...ansfer files between the device and a remote location The transfer can be done as follows From remote server to the device From device to remote server From a location on the device to another location on the same device 10 Set the following file management source and target directions as well as the configuration parameters of the required file transfer activity Source Select Server to indicate t...

Page 787: ...nd usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field A valid hostname cannot contain an underscore Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file This parameter is required only when Server is selected as the Source User Name If Advanced is selec...

Page 788: ... points adopted by this AP To view the Adopted Device Restart screen 1 Select Operations from the main menu 2 Select Devices 3 Use the navigation pane on the left to navigate to the device to manage the files on and select it Figure 12 51 Device Summary screen 4 Select Adopted Device Restart NOTE The Adopted Device Restart tab is not available at the RF Domain level of the UI s hierarchal tree A R...

Page 789: ...ogged into the captive portal additional Terms and Conditions Welcome and Fail pages provide the administrator with a number of options on screen flow and appearance Captive portal authentication is used primarily for guest or visitor access to the network but is increasingly used to provide authenticated access to private network resources when 802 1X EAP is not a viable option Captive portal aut...

Page 790: ... Figure 12 53 Device Summary screen 4 Select Captive Portal Pages NOTE If selecting the Captive Portal Pages screen from the RF Domain level of the UI s hierarchal tree there is an additional Upload from Controller option to the right of the Captive Portal List drop down menu Select this option to upload captive portal page support from this device s managing controller ...

Page 791: ...diately start the process of the update Use the date hour fields to configure a specific date and time for upload 7 The All Devices table lists the hostname and MAC address of all devices adopted by this access point Use the arrow buttons to move selected devices from the All Devices table to the Upload List table The Upload List table lists the devices to which the captive portal pages are update...

Page 792: ...configuration parameters of the required file transfer activity Protocol If Advanced is selected choose the protocol for file management Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 This parameter is required only when Server is selected as the Source and Advanced is selected Port If Advanced is selected specify the port for transferring files This option is not available fo...

Page 793: ...me of the server transferring the file This option is not valid for cf usb1 usb2 usb3 and usb4 If a hostname is provided an IP Address is not needed This field is only available when Server is selected in the From field A valid hostname cannot contain an underscore Path File If Advanced is selected define the path to the file on the server Enter the complete relative path to the file User Name If ...

Page 794: ...s which are about to expire The CMP client on the controller service platform or access point triggers a request for the configured CMS CA server Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint During the creation of the CMP policy the trustpoint is assigned a name and client information An administrator can use a manu...

Page 795: ...he system or device levels of the hierarchal tree 3 Select the Re elect Controller tab Hostname Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server MAC Address Lists the hardware encoded MAC address of the CMP server resource Trust Point Name Lists the 32 character maximum name assigned to the target trustpoint A trustpoint represen...

Page 796: ...le for RF Domain Manager candidacy Use the button to move all listed access points into the Selected APs table The re election process can be achieved through the selection of an individual access point or through the selection of several access points with a specific Tunnel Controller Name matching the selected access points 5 Select Re elect to designate the Selected AP s as resources capable of...

Page 797: ...identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate SSH keys are a pair of cryptographic keys used to authenticate users instead of or in addition to a username password One key is private and the other is public key Secure Shell SSH public key authentication can be used by a client to access resources if pro...

Page 798: ...icate Management Trustpoints screen The Trustpoints screen displays for the selected MAC address 3 Refer to the Certificate Details to review certificate properties self signed credentials validity period and CA information 4 Select the Import button to import a certificate ...

Page 799: ... is the user no longer being in sole possession of the private key Signed certificates or root certificates avoid the use of public or private CAs A self signed certificate is an identity certificate signed by its own creator thus the certificate creator also signs off on its legitimacy The lack of mistakes or corruption in the issuance of self signed certificates is central Import Select the type...

Page 800: ...t This option is available by default Click the Advanced link next to this field to display more fields to provide detailed trustpoint location information Protocol If using Advanced settings select the protocol used for importing the target trustpoint Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If using Advanced settings use the spinner control to set the port This op...

Page 801: ...ded select Advanced to expand the dialog to display network address information to the location of the target trustpoint The number of additional fields that populate the screen is dependent on the selected protocol Protocol Select the protocol used for exporting the target trustpoint Available options include tftp ftp sftp http cf usb1 usb2 usb3 usb4 Port If using Advanced settings use the spinne...

Page 802: ...ption When a device trustpoint is created the RSA key is the private key used with the trustpoint To review existing device RSA key configurations generate additional keys or import export keys to and from remote locations 1 Select Operations 2 Select Certificates 3 Select RSA Keys Hostname Provide the hostname or numeric IP4 or IPv6 formatted IP address of the server used to export the trustpoint...

Page 803: ...er syntax displayed Once reviewed optionally generate a new RSA key import a key from a selected device export a key to a remote location or delete a key from a selected device 4 Select Generate Key to create a new key with a defined size Figure 12 63 Certificate Management Generate RSA Key screen ...

Page 804: ...etween 1 024 2 048 bits It is recommended leaving this value at the default setting of 1024 to ensure optimum functionality Key Name Enter the 32 character maximum name assigned to identify the RSA key Key Passphrase Define the key used by the server or repository of the target RSA key Select the Show textbox to expose the actual characters used in the passphrase Leaving the option unselected disp...

Page 805: ... This option is not valid for cf and usb1 4 IP Address Enter IP address of the server used to import the RSA key This option is not valid for cf and usb1 4 Hostname Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to import the RSA key IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 a...

Page 806: ...hrase Leaving the option unselected displays the passphrase as a series of asterisks URL Provide the complete URL to the location of the key If needed select Advanced to expand the dialog to display network address information to the location of the target key The number of additional fields that populate the screen is also dependent on the selected protocol Protocol Select the protocol used for e...

Page 807: ...e 1 Select Operations 2 Select Certificates 3 Select Create Certificate IP Address If using Advanced settings enter IP address of the server used to export the RSA key This option is not valid for cf and usb1 4 Hostname Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to export the RSA key IPV6 provides enhanced identification and location information for computers...

Page 808: ...dio button to define 32 character name used to identify the RSA key Use the spinner control to set the size of the key between 2 048 4 096 bits Leave this value at the default setting of 2048 to ensure optimum functionality For more information on creating a new RSA key see RSA Key Management on page 12 54 RSA Key Use Existing Select the radio button and use the drop down menu to select the existi...

Page 809: ...maintains the right to contact the applicant for additional information If the request is successful the CA sends an identity certificate digitally signed with the private key of the CA To create a CSR 1 Select Operations 2 Select Certificates 3 Select Create CSR State ST Enter a State Prov for the state or province name used in the certificate This is a required field City L Enter a City to repre...

Page 810: ...t key length To use an existing key select Use Existing and select a key from the drop down menu For more information see RSA Key Management on page 12 54 Certificate Subject Name Select either the auto generate radio button to automatically create the certificate s subject credentials or select user configured to manually enter the credentials of the self signed certificate The default setting is...

Page 811: ...onal unit issuing the certificate enter it here Email Address Provide an E mail address used as the contact address for issues relating to this CSR Domain Name Enter a fully qualified domain name FQDN is an unambiguous domain name that specifies the node s position in the DNS tree hierarchy absolutely To distinguish an FQDN from a regular domain name a trailing period is added ex somehost example ...

Page 812: ...urations as the basis to conduct Smart RF calibration operations 12 3 1 Managing Smart RF for a RF Domain Smart RF When calibration is initiated Smart RF instructs adopted radios to beacon on a specific legal channel using a specific transmit power setting Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define a RF map of the neighbo...

Page 813: ...whether a new channel assignment was warranted to compensate for a coverage hole Channel Lists the current channel assignment for each listed access point as potentially updated by an Interactive Calibration Use this data to determine whether a channel assignment was modified as part of an Interactive Calibration If a revision was made to the channel assignment a coverage hole was detected on the ...

Page 814: ... the Interactive Calibration has calculated Write Writes the new channel and power values to the radios under their respective device configurations Discard Discards the results of the Interactive Calibration without applying them to their respective devices Commit Commits the Smart RF module Interactive Calibration results to their respective access point radios 6 Select the Run Calibration optio...

Page 815: ...ull functionality and utilization An access point must be rebooted to implement a firmware upgrade Take advantage of the reboot scheduling mechanisms available to the access point to ensure its continuously available during anticipated periods of heavy wireless traffic utilization Within a well planned RF Domain any associated radio should be reachable by at least one other radio Keep this in mind...

Page 816: ...12 68 WiNG 5 7 1 Access Point System Reference Guide ...

Page 817: ...eless clients associations adopted AP information rogue APs and WLANs Access point statistics can be exclusively displayed to validate connected access points their VLAN assignments and their current authentication and encryption schemes Wireless client statistics are available for an overview of client health Wireless client statistics includes RF quality traffic utilization and user details Use ...

Page 818: ... Adopted Devices Pending Adoptions Offline Devices Device Upgrade Licenses WIPS Summary 13 1 1 Health System Statistics The Health screen displays the overall performance of the managed network system This includes device availability overall RF quality resource utilization and network threat perception To display the health of the network 1 Select the Statistics menu from the Web UI 2 Select the ...

Page 819: ...sources The table displays the number of offline devices within each impacted RF Domain Assess whether the configuration of a particular RF Domain is contributing to an excessive number of offline devices The Device Types table displays the kinds of devices detected within the system Each device type displays the number currently online and offline 6 Use the RF Quality table to isolate poorly perf...

Page 820: ...e overall performance of wireless devices To display the inventory statistics 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select Inventory from the left hand side of the UI Worst 5 Displays five RF Domains with the lowest quality indices in the wireless controller managed network The value can be interpreted as 0 50 Poor quality 50 75 Mediu...

Page 821: ...the number of wireless clients adopted 7 Select Refresh to update the statistics counters to their latest values 13 1 3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the network entire system Use this screen to view a list of devices and their current status Top Radio Count Displays the radios index of each listed top radio RF Domain Displays th...

Page 822: ...isplay configuration and network address information in greater detail Model Number Lists the model number of each AP that s been adopted since this screen was last refreshed Config Status Displays the configuration file version in use by each listed adopted device Use this information to determine whether an upgrade would increase the functionality of the adopted device Config Errors Lists any er...

Page 823: ...Adoptions screen displays the following MAC Address Displays the MAC address of the device pending adoption Select the MAC address to view device configuration and network address information in greater detail Type Displays the AP type IP Address Displays the current IP Address of the device pending adoption VLAN Displays the VLAN the device pending adoption will use as a virtual interface with it...

Page 824: ...Add to Devices Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP Refresh Click the Refresh button to update the list of pending adoptions Hostname Lists the administrator assigned hostname provided when the device was added to the network MAC Address Displays the factory encoded MAC address of each listed offline device Type Displays the off...

Page 825: ...r Lists the administrator assigned deployment floor where the offline device has been detected Connected To Lists the offline s device s connected controller service platform or peer model access point Last Update Displays the date and time stamp of the last time the device was detected within the network Click the arrow next to the date and time to toggle between standard time and UTC Refresh Sel...

Page 826: ... the administrator assigned hostname of the device receiving an update History ID Displays a unique timestamp for the upgrade event Last Update Status Displays the initiation completion or error status of each listed upgrade operation Time Last Upgraded Lists the date and time of each upgrade operation Retries Count Displays the number of retries required in an update operation State Displays the ...

Page 827: ... or service platform to a cluster member to compensate for an access point s license deficiency Total AP Licenses Displays the total number of access point connection licenses currently available to this device AP License Usage Lists the number of access point connections currently utilized by this device out of the total available under the terms of the current license Remaining AP Licenses Lists...

Page 828: ...vice Cluster AP Adoption Licenses Displays the current number of access point adoption licenses utilized by controller or service platform connected access points within a cluster Cluster Total AP Licenses Displays the total number of access point adoption licenses available to controller or service platform connected access point within a cluster Cluster AAP Adoption Licenses Displays the current...

Page 829: ...ng number of AP licenses available from the pooled license capabilities of cluster members AAP Licenses Installed Lists the number of Adaptive Access Point connections available under the terms of current licenses Borrowed AAP Licenses Displays the number of Adaptive Access Point licenses temporarily borrowed from a cluster member to compensate for an AAP license deficiency Total AAP Licenses Disp...

Page 830: ...gate risks to the network To review and assess the impact of rogue and interfering access points as well as the occurrence of WIPS events within the controller or service platform s managed system 1 Select the Statistics menu from the Web UI 2 Select the System node from the left navigation pane 3 Select WIPS Summary from the left hand side of the UI Figure 13 8 System WIPS Summary screen 4 Refer ...

Page 831: ...hold from 100 to 10 dBm When a device exceeds this noise value it is defined as an interfering access point capable of disrupting the signal quality of other sanctioned devices operating below an approved RSSI maximum value Number of WIPS Events Lists the number of devices triggering a WIPS event within each listed RF Domain Each RF Domain utilizes a WIPS policy where excessive MU and AP events ca...

Page 832: ...es that determine Access SMART RF and WIPS configuration Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device Health Inventory Devices AP Detection Wireless Clients Device Upgrade Wireless LANs Radios Mesh Mesh Point SMART RF WIPS Captive Portal 13 2 1 Health RF Domain Statistics The Health...

Page 833: ...t depicts their status 6 The Radio Quality field displays information on the RF Domain s RF quality The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions as well as the retry and error rate This area also lists the worst 5 performing radios in the RF Domain The RF Quality Index can be interpreted as 0 20 Very poor quality 20 ...

Page 834: ...WLANs managed by RF Domain member access points Top 5 Displays the five RF Domain utilized WLANs with the highest average quality indices WLAN Name Displays the WLAN Name for each of the Top 5 WLANs in the access point RF Domain SSID Displays the SSID for the WLAN Max User Rate Displays the maximum recorded user rate in kbps Top 5 Radios Displays five radios with the best average quality in the RF...

Page 835: ...transmitted and received within the access point RF Domain User Data Rate Lists the average user data rate within the access point RF Domain Bcast Mcast Packets Displays the total number of broadcast multicast packets transmitted and received within the access point RF Domain Management Packets This is the total number of management packets processed within the access point RF Domain Tx Dropped Pa...

Page 836: ...rts One chart displays for 5 GHz channels and the other for 2 4 GHz channels The Top 5 Radios by Clients table displays the highest 5 performing wireless clients connected to RF Domain members Total Wireless Clients Displays the total number of clients connected to RF Domain members AP Name Displays the clients connected and reporting access point The name displays as a link that can be selected t...

Page 837: ... address To display RF Domain member device statistics 1 Select the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select Devices from the RF Domain menu Figure 13 12 RF Domain Devices screen Device Displays the system assigned name of each device that s a member of the RF Domain The name displays as a link that can be sele...

Page 838: ...02 AP7522 AP7532 AP8122 AP8132 AP8222 AP8232 models have two radios AP6511 and AP6521 models have one radio An ES6510 is a controller or service platform manageable Ethernet Switch with no embedded device radios IP Address Displays the IP address each listed device is using a network identifier Refresh Select the Refresh button to update the statistics counters to their latest values Select AP Typ...

Page 839: ...rk coverage or add noise Is Interferer Lists whether the detected device exceeds the administrator defined RSSI threshold from 100 to 10 dBm determining whether a detected access point is classified as an interferer Is Rogue Displays whether the detected device has been classified as a rogue device whose detection threatens the interoperation of RF Domain member devices Termination Active Lists wh...

Page 840: ...t is using as a network identifier IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons Hostname Displays the unique administrator assigned hostname when the client s configuration was originally set Role Lists the role assigned to each controller service platform or access point ...

Page 841: ...reless client is currently using for its interoperation within the RF Domain VLAN Displays the VLAN ID the client s connected access point has defined for use as a virtual interface Last Active Displays the time when this wireless client was last detected by a RF Domain member RF Domain Name Lists each client s RF Domain membership as defined by its connected access point Disconnect All Clients Se...

Page 842: ...cess point receiving the update Device Hostname Lists the administrator assigned hostname of each device receiving an update from a RF Domain member History Id Lists the RF Domain member device s MAC address along with a history ID appended to it for each upgrade operation Last update Status Displays the last status message from the RF Domain member device performing the upgrade operation Time Las...

Page 843: ...ation and 60 and above high utilization Radio Count Displays the number of radios deployed in each listed WLAN by RF Domain member devices Tx Bytes Displays the average number of packets in bytes sent on each listed RF Domain member WLAN Tx User Data Rate Displays the average data rate per user for packets transmitted on each listed RF Domain member WLAN Rx Bytes Displays the average number of pac...

Page 844: ...m the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Expand Radios from the RF Domain menu and select Status Figure 13 17 RF Domain Radio Status screen The Radio Status screen displays the following Radio Displays the name assigned to each listed RF Domain member access point radio Each name displays as a link that can be selected to display radio ...

Page 845: ... Ethernet Switch with no embedded device radios AP Type Lists the model type of each RF Domain member access point State Displays the radio s current operational state Channel Current Config Displays the current channel each listed RF Domain member access point radio is broadcasting on Power Current Config Displays the current power level the radio is using for its transmissions Clients Displays t...

Page 846: ...mat reported by each listed RF Domain member access point SNR Displays the signal to noise ratio SNR of each listed RF Domain member radio Tx Physical Layer Rate Displays the data transmit rate for each RF Domain member radio s physical layer The rate is displayed in Mbps Rx Physical Layer Rate Displays the data receive rate for each RF Domain member radio s physical layer The rate is displayed in...

Page 847: ...ckets Rx Packets Displays the total number of packets received by each RF Domain member access point radio This includes all user data as well as any management overhead packets Tx User Data Rate Displays the rate in kbps user data is transmitted by each RF Domain member access point radio This rate only applies to user data and does not include any management overhead Rx User Data Rate Displays t...

Page 848: ...en 3 Select Mesh Figure 13 20 RF Domain Mesh screen The RF Domain Mesh screen displays the following 13 2 10 Mesh Point RF Domain Statistics To view Mesh Point statistics for RF Domain member access point and their connected clients Client Displays the configured hostname for each mesh client connected to a RF Domain member access point Client Radio MAC Displays the hardware encoded MAC address fo...

Page 849: ...erlaid This provides a geographical overview of the location of each RF Domain member device 4 Use the N E W and S buttons to move the map in the North East West and South directions respectively The slider next to these buttons enables zooming in and out of the view The available fixed zoom levels are World Country State Town Street and House 5 Use the Maximize button to maximize this view to occ...

Page 850: ...of devices with the root mesh at the centre and the other mesh device arranged around it In the Hierarchical arrangement the root node of the mesh is displayed at the top of the mesh tree and the relationship of the mesh nodes are displayed as such Use the Meshpoint Name drop down to select a mesh point to see the graphical representation of that mesh point The view can further be filtered based o...

Page 851: ...e screen displays tabs for General Path Root Multicast Path Neighbors Security and Proxy Refer to the following The General tab displays the following Mesh Point Name Displays the name of each configured mesh point in the RF Domain MAC Displays the MAC Address of each configured mesh point in the RF Domain Hostname Displays the administrator assigned hostname for each configured mesh point in the ...

Page 852: ...oint in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Destination The MAC Address used by the interface on the neighbor device to communicate with this device This may define a particular radio or Ethernet port that communicates with this device over the mesh Next Hop IFID The Interface ID of the mesh point that traffic is be...

Page 853: ...eferred Root Interface Index Neighbor Bias This field lists any bias applied because of Preferred Root Next Hop Neighbor IFID Root Bias This field lists any bias applied because of Preferred Root MPID Mesh Point Name Displays the name of each configured mesh point in the RF Domain Subscriber Name The identifier is used to distinguish between other mesh points both on the same device and on other d...

Page 854: ...e away a one of the resources for a wireless client device to be used for meshing Displays True when the device is resourced and False when the device is not Link Quality An abstract value depicting the quality of the mesh link between the device and the neighbor The range is from 0 weakest to 100 strongest Link Metric This value shows the computed path metric from the device to the neighbor mesh ...

Page 855: ...ndicates the link is available for communication Failed indicates the attempt to establish the link failed and cannot be retried yet In Progress indicates the link is being established but is not yet available Timeout Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out Keep Alive Yes indicates that the local MP will act as a supplicant ...

Page 856: ... Domain Mesh Point Name Displays the name of each configured mesh point in the RF Domain Hostname Displays the administrator assigned hostname for each configured mesh point in the RF Domain Configured as Root A root mesh point is defined as a mesh point connected to the WAN providing a wired backhaul to the network Yes No Is Root Indicates whether the current mesh point is a root mesh point Yes N...

Page 857: ...then you will get approximately half the performance every additional hop out Root MP ID Lists the interface ID of the interface on which the next hop for the mesh network can be found Root Bound time Displays the duration this mesh point has been connected to the mesh root IFID Count Displays the number of Interface IDs IFIDs associated with all the configured mesh points in the RF Domain Mesh Po...

Page 858: ...omain Recommended Displays the root that is recommended by the mesh routing layer Root MPID The MP identifier is used to distinguish between other mesh points both on the same device and on other devices This is used by a user to setup the preferred root configuration Next Hop IFID The IFID of the next hop The IFID is the MAC address on the destination device Radio Interface This indicates the int...

Page 859: ...bor is not a root mesh point Mobility Displays whether the mesh point is a mobile or static node Displays True when the device is mobile and False when the device is not mobile Radio Interface This indicates the interface that is used by the device to communicate with this neighbor The values are 2 4 and 5 0 indicating the frequency of the radio that is used to communicate with the neighbor Mesh R...

Page 860: ...plays the name of each configured mesh point in the RF Domain Destination Addr The destination is the endpoint of mesh path It may be a MAC address or a mesh point ID Radio Interface This indicates the interface that is used by the device to communicate with this neighbor The values are 2 4 and 5 0 indicating the frequency of the radio that is used to communicate with the neighbor Interface ID The...

Page 861: ...ce that is the neighbor Persistence Displays the persistence duration of the proxy connection for each of the mesh points in the RF Domain VLAN The VLAN ID used as a virtual interface with this proxy A value of 4095 indicates that there is no VLAN ID Data Bytes Bytes Transmitted Bytes Displays the total amount of data in Bytes that has been transmitted by mesh points in the RF Domain Data Bytes By...

Page 862: ... second for all data received and received by mesh points in the RF Domain Packets Rate pps Total Packet Rate Displays the average data packet rate in packets per second for all data transmitted and received by mesh points in the RF Domain Data Packets Dropped and Errors Tx Dropped Displays the total number of transmissions that were dropped mesh points in the RF Domain Data Packets Dropped and Er...

Page 863: ...ect the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Select SMART RF from the RF Domain menu 4 Expand the SMART RF menu and select Summary The summary screen enables administrators to assess the efficiency of RF Domain member device channel distributions sources of interference potentially requiring Smart RF adjustments t...

Page 864: ...ns versus their reported top performance WLAN Name Lists the WLANs whose member device radios are contributing to the highest levels of interference detected within the RF Domain Radio Count Displays the number of radios within each listed WLAN that are contributing to the RF Domain s high levels of detected interference These are the radios subject to Smart RF power compensations to reconcile the...

Page 865: ...rended for the RF Domain Trending periods include the Current Hour Last 24 Hours or the Last Seven Days Comparing Smart RF adjustments versus the last seven days enables an administrator to assess whether periods of interference and poor performance were relegated to just specific periods Power Changes Displays the number of Smart RF initiated power level changes needed for RF Domain member device...

Page 866: ...Attenuation is the opposite of amplification and is normal when a signal is sent from one point to another If the signal attenuates too much it becomes unintelligible Attenuation is measured in decibels The radio s current operating channel is also displayed as is the radio s hard coded MAC address transmit power level and administrator assigned ID Select Refresh at any time to update the Details ...

Page 867: ...es of Smart RF events impacting RF Domain member devices Figure 13 29 RF Domain Smart RF History screen The SMART RF History screen displays the following RF Domain member historical data Time Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain ...

Page 868: ... member access point radios To view the WIPS client blacklist 1 Select the Statistics menu from the Web UI 2 Select a RF Domain from under the System node on the top left hand side of the screen 3 Expand the WIPS menu item and select Client Blacklist Figure 13 30 RF Domain WIPS Client Blacklist screen Type Lists a high level description of the Smart RF activity initiated for a RF Domain member dev...

Page 869: ...eless intrusion event detected by a RF Domain member access point Blacklisted Client Displays the MAC address of the unauthorized blacklisted client intruding the RF Domain Time Blacklisted Displays the time when the wireless client was blacklisted by a RF Domain member access point Total Time Displays the time the unauthorized now blacklisted device remained in the RF Domain Time Left Displays th...

Page 870: ... menu Figure 13 32 RF Domain Captive Portal The screen displays the following Captive Portal data for requesting clients Detector Radio Displays access point radio number detecting the event AP7131N models can have from 1 3 radios depending on the SKU AP6532 AP6522 AP6562 AP7161 AP7181 AP7502 AP7522 AP7532 AP7562 AP8122 AP8132 AP8222 and AP8232 models have 2 radios while AP6511 and AP6521 models h...

Page 871: ...e composed of eight groups of four hexadecimal digits separated by colons Captive Portal Lists the name of the RF Domain captive portal currently being utilized by each listed client Port Name Lists the name of the virtual port used for captive portal session direction Authentication Displays the authentication status of requesting clients attempting to connect to the access point via the captive ...

Page 872: ...firewall WIPS sensor captive portal NTP and load information Access point statistics consists of the following Health Device Web Filtering Device Upgrade Adoption AP Detection Wireless Clients Wireless LANs Policy Based Routing Radios Mesh Interfaces RTLS PPPoE OSPF L2TPv3 Tunnels VRRP Critical Resources LDAP Agent Status Guest Users GRE Tunnels Dot1x Network DHCP Server Firewall VPN Certificates ...

Page 873: ...his screen should also be the starting point for troubleshooting an access point since it is designed to present a high level display of access point performance efficiency To view the access point health 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select...

Page 874: ...to show RF Domain utilization in greater detail Version Displays the access point s current firmware version Use this information to assess whether an upgrade is required for better compatibility Uptime Displays the cumulative time since the access point was last rebooted or lost power CPU Displays the processor core RAM Displays the free memory available with the RAM System Clock Displays the sys...

Page 875: ...e of the screen Expand a RF Domain and select one of its connected access points 3 Select Device Figure 13 34 Access Point Device screen The System field displays the following Client MAC Displays the MAC addresses of the clients with the lowest RF indices Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems Model Number Display...

Page 876: ...on the access point Total Memory MB Displays the access point s total memory Currently Free RAM Displays the access point s free RAM space If it is very low free up some space by closing some processes Recommended Free RAM Displays the recommended RAM required for routine operation Current File Descriptors Displays the access point s current file descriptors Maximum File Descriptors Displays the a...

Page 877: ...splays the primary version string Secondary Build Date Displays the build date when this version was created Secondary Install Date Displays the date this secondary version was installed Secondary Version Displays the secondary version string FPGA Version Displays whether a FPGA supported firmware load is being utilized PoE Firmware Version Displays whether a PoE supported firmware load is being u...

Page 878: ...oller s Web filter statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Web Filtering Figure 13 35 Access Point Web Filtering screen The Web Filtering Requests field displays the following information Total Blocks Lists the number of Web request ...

Page 879: ...ories and URL lists defined in the whitelist The blacklist allows all sites except the categories and URL lists defined in the blacklist Top Categories Approved Lists those Web content categories approved most often on behalf of requesting clients managed by this access point Periodically review this information to assess whether this cached and available Web content still adhere s to your organiz...

Page 880: ...d By Device Displays the device that performed the upgrade Type Displays the model of the access point The updating access point must be of the same model as the access point receiving the update Device Hostname Displays the administrator assigned hostname of the device receiving the update History ID Displays a unique timestamp for the upgrade event Last Update Status Displays the error status of...

Page 881: ...ected access point their RF Domain memberships and network service information To view adopted access point statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Adoption menu item 4 Select Adopted APs Figure 13 37 Access Point Adopted APs scr...

Page 882: ...hip An access point can only share RF Domain membership with other access points of the same model Model Number Displays each listed access point s numeric model AP6532 AP6511 etc Status Displays each listed access point s configuration status to help determine its service role Errors Lists any configuration errors that may be hindering a clean adoption Adopted By Lists the adopting access point A...

Page 883: ...g Adoptions screen displays a list of devices yet to be adopted to this peer access point or access points in the process of adoption To view pending access point statistics 1 Select the Statistics menu from the Web UI Event Time Displays day date and time for each access point adoption attempt Refresh Select the Refresh button to update the screen s statistics counters to their latest values Even...

Page 884: ...l type IP Address Displays the current network IP Address of the device pending adoption VLAN Displays the current VLAN used as a virtual interface by device pending adoption Reason Displays the status as to why the device is still pending adoption and has not yet successfully connected to this access point Discovery Option Displays the discovery option code for each access point listed pending ad...

Page 885: ... AP Detection screen displays the following Unsanctioned AP Displays the MAC address of a detected access point that is yet to be authorized for interoperability within the access point managed network Reporting AP Displays the hardware encoded MAC address of the radio used by the detecting access point Select an access point to display configuration and network address information in greater deta...

Page 886: ...unsanctioned access point Last Seen Displays the time in seconds the unsanctioned access point was last seen on the network Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 887: ...on in greater detail IP Address Displays the unique IP address of the client Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval IPv6 Address Displays the current IPv6 formatted IP address a listed wireless client is using as a network identifier IPv6 is the latest revision of the Internet Protocol IP designed to replace IPv4 IPv6 address...

Page 888: ...signment best suits its intended deployment in respect to the WLAN s QoS objective VLAN Displays the VLAN ID each listed client is currently mapped to as a virtual interface for access point interoperability Last Active Displays the time when this wireless client was last seen or detected by a device within the access point managed network Disconnect Client Select a specific client MAC address and...

Page 889: ...creen displays the following WLAN Name Displays the name of the WLAN the access point is currently using for client transmissions SSID Displays each listed WLAN s Service Set ID SSID used as the WLAN s network identifier Traffic Index Displays the traffic utilization index which measures how efficiently the WLAN s traffic medium is used It is defined as the percentage of current throughput relativ...

Page 890: ...ved on each listed WLAN Rx User Data Rate Displays the received user data rate on each listed WLAN Disconnect All Clients Select an WLAN then Disconnect All Clients to terminate the client connections within that WLAN Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 891: ...of the screen Expand a RF Domain and select one of its connected access points 3 Select Policy Based Routing Figure 13 44 Access Point Policy Based Routing screen The Policy Based Routing screen displays the following Precedence Lists the numeric precedence priority assigned to each listed PBR configuration A route map consists of multiple entries each carrying a precedence value An incoming packe...

Page 892: ...hop is used This is either the IP address of the next hop or the outgoing interface Only one default next hop is available The difference between the next hop and the default next hop is in case of former PBR occurs first then destination based routing In case of the latter the order is reverse DefaultNext Hop State Displays whether the default hop is being applied to incoming routed packets Refre...

Page 893: ...ubleshoot issues related to the following three areas Status RF Statistics Traffic Statistics Individual access point radios display as selectable links within each of the three access point radio screens To review a radio s configuration in greater detail select the link within the Radio column of either the Status RF Statistics or Traffic Statistics screens Additionally navigate the Traffic WMM ...

Page 894: ...s the name assigned to the radio as its unique identifier The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughout data Radio MAC Displays the factory encoded hardware MAC address assigned to the radio Radio Type Displays the radio as either supporting the 2 4 or 5 GHZ radio band State Lists a radio s On Off operational designation Channe...

Page 895: ...cal layer The rate is displayed in Mbps Avg Retry Number Displays the average number of retries per packet A high number indicates possible network or hardware problems Assess the error rate in respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal Error Rate Displays the total number of received packets which contained errors for the li...

Page 896: ...selected to launch a detailed screen containing radio throughout data Tx Bytes Displays the total number of bytes transmitted by each listed radio This includes all user data as well as any management overhead data Rx Bytes Displays the total number of bytes received by each listed radio This includes all user data as well as any management overhead data Tx Packets Displays the total number of pac...

Page 897: ...lization index of each listed radio which measures how efficiently the traffic medium is used It is defined as the percentage of current throughput relative to the maximum possible throughput Traffic indices are 0 20 very low utilization 20 40 low utilization 40 60 moderate utilization and 60 and above high utilization Refresh Select the Refresh button to update the screen s statistics counters to...

Page 898: ...e Mesh screen describes the following Client Displays the system assigned name of each member of the mesh network Client Radio MAC Displays the MAC address of each client radio in the mesh network Portal Mesh points connected to an external network and forward traffic in and out are mesh portals Mesh points must find paths to a portal to access the Internet When multiple portals exist the mesh poi...

Page 899: ...ongst supported access point models To review access point interface statistics 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Interfaces 4 The General tab displays by default Figure 13 49 Access Point General Interface screen Interface Statistics sup...

Page 900: ... Access VLAN Displays the tag assigned to the native VLAN Access Setting Displays the VLAN mode as either Access or Trunk Administrative Status Displays whether the interface is currently UP or DOWN Operational Status Displays whether the interface is currently operational Indicate UP or DOWN IPv6 Mode Displays the IPv6 mode for this interface IPv6 MTU Displays the IPv6 MTU value for this interfac...

Page 901: ...erface Bcast Pkts Sent Displays the number of broadcast packets sent through the interface Bcast Pkts Received Displays the number of broadcast packets received through the interface Packet Fragments Displays the number of packet fragments transmitted or received through the interface Jabber Pkts Displays the number of packets transmitted through the interface larger than the MTU Bad Pkts Received...

Page 902: ...s insufficient space to store an incoming packet Rx Over Errors Displays the number of overflow errors received Overflows occur when a packet size exceeds the allocated buffer size Tx Errors Displays the number of packets with errors transmitted on the interface Tx Dropped Displays the number of transmitted packets dropped from the interface Tx Aborted Errors Displays the number of packets aborted...

Page 903: ...nd side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Interfaces menu from the left hand side of the UI 4 Select IPv6 Address Figure 13 50 Access Point Interface IPv6 Address screen 5 The IPv6 Addresses table displays the following IPv6 Addresses Lists the IPv6 formatted addresses currently utilized by the controller or service platform in the selected...

Page 904: ...rred lifetime must always be less than or equal to the valid lifetime Valid Lifetime seconds Displays the time in seconds relative to when the packet is sent the IPv6 formatted address remains in a valid state on the selected interface The valid lifetime must always be greater than or equal to the preferred lifetime Address Lists the IPv6 local link address IPv6 requires a link local address assig...

Page 905: ...selected interface since the screen was last refreshed Bad Packets Received Displays the number of bad packets received on the selected interface since the screen was last refreshed Bad CRC Displays the number of packets with bad CRC received on the selected interface since the screen was last refreshed Collission Displays the number of packet collisions detected on the selected interface since th...

Page 906: ...he selected interface 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Interfaces menu from the left hand side of the UI 4 Select Multicast Groups Joined Transmit Errors Displays the number of transmit errors in the packets sent on the selected inte...

Page 907: ...ers to their latest values Group Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation Users Lists the number of devices currently interoperating on this interface in each listed multicast group Any single device can be a member of more then one group at a time ...

Page 908: ... within the graph To view a detailed graph for an interface select an interface and drop it on to the graph The graph displays Port Statistics as the Y axis and the Polling Interval as the X axis Use the Polling Interval from down menu to define the increment data is displayed on the graph To view the Interface Statistics graph 1 Select the Statistics menu from the Web UI 2 Select System from the ...

Page 909: ...s 3 Select RTLS Figure 13 54 Access Point RTLS screen The access point RTLS screen displays the following for Aeroscout tags Engine IP Lists the IP address of the Aeroscout locationing engine Engine Port Displays the port number of the Aeroscout engine Send Count Lists the number location determination packets sent by the locationing engine Recv Count Lists the number location determination packet...

Page 910: ... Notifications Displays a count of the number of notifications sent to access points that may be available to provide RTLS support Send Errors Lists the number of send errors received by the RTLS initiating access point Error Message Count Displays a cumulative count of error messages received from RTLS enabled access point radios Tag Reports Displays the number of tag reports received from locati...

Page 911: ... Point PPPoE screen The Configuration Information field screen displays the following Shutdown Displays whether a high speed client mode point to point connection has been enabled using the PPPoE protocol Service Lists the 128 character maximum PPPoE client service name provided by the service provider DSLModemNetwork VLAN Displays the PPPoE VLAN client local network connected to the DSL modem Thi...

Page 912: ... point s Wired WAN were to fail 5 Select the Refresh button to update the screen s statistics counters to their latest values Client Idle Timeout The access point uses the listed timeout so it does not sit idle waiting for input from the PPPoE client and the server that may never come Keep Alive If a keep alive is utilized the point to point connect to the PPPoE client is continuously maintained a...

Page 913: ...information from neighbor routers and constructs a network topology The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen OSPF Summary OSPF Neighbors OSPF Area Details OSPF Route Sta...

Page 914: ... connection RFC compliance information and LSA data OSPF version 2 was originally defined within RFC versions 1583 and 2328 The general field displays whether compliance to these RFCs have been satisfied The OSPF Link State Advertisement LSA Throttling feature provides a dynamic mechanism to slow down link state advertisement updates in OSPF during times of network instability It also allows faste...

Page 915: ...om other external ASs throughout its own autonomous system Routers in other areas use ABR as next hop to access external addresses Then the ABR forwards packets to the ASBR announcing the external addresses SPF Refer to the SPF field to assess the status of the shortest path forwarding SPF execution last SPF execution SPF delay SPF due in SPF hold multiplier SPF hold time SPF maximum hold time and...

Page 916: ...SPF 4 Select the Neighbor Info tab Figure 13 57 Access Point OSPF Neighbor Info tab The Neighbor Info tab describes the following Router ID Displays the router ID assigned for this OSPF connection The router is a level three Internet Protocol packet switch This ID must be established in every OSPF instance If not explicitly configured the highest logical IP address is duplicated as the router iden...

Page 917: ...select an access point for statistical observation 3 Select OSPF 4 Select the Area Details tab Request Count Lists the connection request count hello packets to connect to the router interface discover neighbors and elect a designated router Retransmit Count Lists the connection retransmission count attempted in order to connect to the router interface discover neighbors and elect a designated rou...

Page 918: ...e listed area ID Router LSA Lists the Link State Advertisements of the router supporting each listed area ID The router LSA reports active router interfaces IP addresses and neighbors Network LSA Displays which routers are joined together by the designated router on a broadcast segment e g Ethernet Type 2 LSAs are flooded across their own area only The link state ID of the type 2 LSA is the IP int...

Page 919: ... to an ABR or Autonomous System Boundary Router ASBR Border routers maintain an LSDB for each area supported They also participate in the backbone 5 Refer to External Routes tab NSSA LSA Routers in a Not so stubby area NSSA do not receive external LSAs from Area Border Routers but are allowed to send external routing information for redistribution They use type 7 LSAs to tell the ABRs about these ...

Page 920: ...tional information between routers Each external route can also be tagged by the advertising router enabling the passing of additional information between routers on the boundary of the autonomous system The External Routes tab displays a list of external routes the area impacted cost path type tag and type 2 cost Cost factors may be the distance of a router round trip time network throughput of a...

Page 921: ...of broadcast capability An OSPF network route makes further use of multicast capabilities if they exist Each pair of routers on the network is assumed to communicate directly The Network Routes tab displays the network name impacted OSPF area cost destination and path type 7 Select the Router Routes tab Figure 13 61 Access Point OSPF Router Routes tab An internal or router route connects to one si...

Page 922: ...pand the default node and select an access point for statistical observation 3 Select OSPF 4 Select the OSPF Interface tab Figure 13 62 Access Point OSPF Interface tab The OSPF Interface tab describes the following Interface Name Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes Zero config and DHCP can be used to generate route addresses or a primary and ...

Page 923: ...Point OSPF State tab The OSPF State tab describes the following OSPF Enabled Lists whether OSPF has been enabled for each listed interface OSPF is disabled by default UP DOWN Displays whether the OSPF interface the dynamic route is currently up or down for each listed interface An OSPF interface is the connection between a router and one of its attached networks OSPF state Displays the OSPF link s...

Page 924: ...nore state timeout Displays the timeout value that the access point remains in the ignore state OSPF max ignore state count Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology OSPF max routes States the maximum number of routes negotiated amongst neighbors within the OSPF topology OSPF rout...

Page 925: ...ion data specific to that tunnel The Sessions screen displays cookie size information as well as psuedowire information specific to the selected tunnel Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used The number of transmitted received and dropped packets also display to provide a throughput assessment of the tunnel connection Each listed ses...

Page 926: ...ing is IP UDP uses a simple transmission model without implicit handshakes Tunneling is also called encapsulation Tunneling works by encapsulating a network protocol within packets carried by the second network Critical Resource Lists critical resources for this tunnel Critical resources are device IP addresses on the network gateways routers etc These IP addresses are critical to the health of th...

Page 927: ...lid packet checksums invalid packet types invalid virtual route IDs TTL errors packet length errors and invalid non matching VRRP versions 5 Refer to the Router Operations Summary for the following status VRID Lists a numerical index 1 254 used to differentiate VRRP configurations The index is assigned when a VRRP configuration is initially defined This ID identifies the virtual router a packet is...

Page 928: ...lover and support services over virtual IP State Displays the current state of each listed virtual router ID Clear Router Status Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections Clear Global Error Status Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data...

Page 929: ...ess Point Critical Resources screen 4 Refer to the General field to assess the Monitor Interval used to poll for updates from critical resources and the Source IP For Port Limited Monitoring of critical resources The access point Critical Resource screen displays the following Critical Resource Name Lists the name of the critical resource monitored by the access point Critical resources are device...

Page 930: ... Provides an error status as to why the critical resource is not available over its designated VLAN Mode Displays the operational mode of each listed critical resource Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 931: ...Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select LDAP Agent Status Figure 13 67 Access Point LDAP Agent Status screen The LDAP Agent Status screen displays the following LDAP Agent Primary Lists the primary IP address of a remote LDAP server resource used by the acc...

Page 932: ...ide Status Displays whether the access point has successfully joined the remote LDAP server domain designated to externally validate PEAP MS CHAP v2 authentication requests Refresh Select Refresh to update the statistics counters to their latest values ...

Page 933: ...tem from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Guest Users from the left hand side of the UI Figure 13 68 Access Point Guest Users screen The Guest Users screen describes the following Name Lists the administrator assigned name of the client utilizing the controller or service platform for guest access to t...

Page 934: ...ink Rate kbps Displays the current download rate for the guest user in Kilobytes per seconds This value should not exceed the configured downlink rate Current Uplink Rate kbps Displays the current upload rate for the guest user in Kilobytes per seconds This value should not exceed the configured uplink rate Refresh Select the Refresh button to update the screen s statistics counters to their lates...

Page 935: ...cess points 3 Select GRE Tunnels Figure 13 69 Access Point GRE Tunnels screen The access point GRE Tunnels screen displays the following GRE State Displays the current operational state of the GRE tunnel Peer IP Address Displays the IP address of the peer device on the remote end of the GRE tunnel Tunnel Id Displays the session ID of an established GRE tunnel This ID is only viable while the tunne...

Page 936: ...13 120 WiNG 5 7 1 Access Point System Reference Guide Refresh Select the Refresh button to update the screen s statistics counters to their latest value ...

Page 937: ...one of its connected access points 3 Select Dot1x from the left hand side of the UI Figure 13 70 Access Point Dot1x screen 4 Refer to the following Dot1xAuth statistics AAA Policy Lists the AAA policy currently being utilized for authenticating user requests Guest Vlan Control Lists whether guest VLAN control has been allowed or enabled This is the VLAN traffic is bridged on if the port is unautho...

Page 938: ...the listed port Guest VLAN Lists the guest VLAN utilized for the listed port This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN globally enabled Host Lists whether the host is a single entity or not Pstatus Lists whether the listed port has been authorized for Dot1x network authentication Name Lists the access point ge ports subject to automatic connection and MAC au...

Page 939: ...its long In an Ethernet local area network however addresses for attached devices are 48 bits long The physical machine address is also known as a MAC address A table usually called the ARP cache is used to maintain a correlation between each MAC address and its corresponding IP address ARP provides the protocol rules for making this correlation and providing address conversion in both directions ...

Page 940: ... Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Route Entries IP Address Displays the IP address of the client resolved on behalf of the access point ARP MAC Address Displays the MAC addr...

Page 941: ...lect System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Network menu from the left hand side of the UI Destination Displays the IP address of the destination route address FLAGS The flag signifies the condition of the direct or indirect route A direct route is where the destination is directly connected ...

Page 942: ...ently installed and utilized Metric The metric or cost could be the distance of a router round trip time link throughput or link availability Monitor Mode Displays where in the network the route is monitored for utilization status Source Lists whether the route is static or an administrator defined default route Static routes are manually configured Static routes work adequately in simple networks...

Page 943: ... Installed A green checkmark defines the listed IPv6 default route as currently installed on the controller or service platform A red X defines the route as not currently installed and utilized Interface Name Displays the interface on which the IPv6 default route is being utilized Lifetime Lists the lifetime representing the valid usability of the default IPv6 route Preference Displays the adminis...

Page 944: ...ct System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Bridge Figure 13 75 Access Point Network Bridge screen 5 Review the following bridge configuration attributes 6 Select Refresh to update the counters to their latest values Bridge Name Disp...

Page 945: ...ected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select IGMP Figure 13 76 Access Point Network IGMP screen The Group field displays the following The Multicast Router MRouter field displays the following VLAN Displays the group VLAN where the multicast transmission is conducted Group Address Displays the Multicast Group ID supporting the statistics displayed ...

Page 946: ...eivers instead of flooding traffic to all interfaces To view network MLD configuration options 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Expand the Network menu from the left hand side of the UI 4 Select MLD Port Members Displays the ports on which mult...

Page 947: ...ress Displays the Multicast Group ID supporting the statistics displayed This group ID is the multicast address hosts are listening to Port Members Displays the ports on which MLD multicast clients have been discovered For example ge1 radio1 etc Ports can vary somewhat amongst supported controller service platform access point models Version Displays each listed group s version compatibility as ei...

Page 948: ...and the menu to reveal its sub menu items 4 Select DHCP Options VLAN Displays the group VLAN where the multicast transmission is conducted MiNT IDs Lists MiNT IDs for each listed VLAN MiNT provides the means to secure communications at the transport layer Using MiNT a controller or service platform can be configured to only communicate with other authorized MiNT enabled devices Learn Mode Displays...

Page 949: ...and the menu to reveal its sub menu items 4 Select Cisco Discovery Protocol Server Information Displays the DHCP server hostname used on behalf of the access point Image File Displays the image file name BOOTP or the bootstrap protocol can be used to boot diskless clients An image file is sent from the boot server The image file contains the image of the operating system the client will run DHCP s...

Page 950: ...eft hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Network and expand the menu to reveal its sub menu items 4 Select Link Layer Discovery Capabilities Displays the capabilities code for the device Device ID Displays the configured device ID or name for each listed device Local Port Displays the local port name access point physical port for each C...

Page 951: ...NA includes the link layer address of the node sending the neighbor advertisement Capabilities Displays the capabilities code for the device as either Router Trans Bridge Source Route Bridge Host IGMP or Repeater Device ID Displays the configured device ID or name for each device in the table Enabled Capabilities Displays which device capabilities are currently enabled Local Port Displays the loca...

Page 952: ...the screen Expand a RF Domain and select one of its connected access points 3 Expand the Network menu from the left hand side of the UI 4 Select IPv6 Neighbor Figure 13 81 Access Point Network IPv6 Neighbor screen The IPv6 Neighbor screen displays the following IPv6 Address Lists an IPv6 IP address for neighbor discovery IPv6 hosts can configure themselves automatically when connected to an IPv6 n...

Page 953: ...tions are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor Options include Host Router and DHCP Server VLAN Lists the virtual interface from 1 4094 used for the required neighbor advertisements and solicitation messages used for neighbor discovery Refresh Select the Refresh button to update the screen s statistics counters...

Page 954: ...ormation after the standard RSTP BPDU as well as a number of MSTI messages Each MSTI messages conveys spanning tree information for each instance Each instance can be assigned a number of configured VLANs The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region To avoid conveying their entire VLAN to spanning tree mapping in each BPDU the ac...

Page 955: ...e assigned to the MSTP configuration its digest format ID name and revision The MST Bridge field lists the filters and guards that have been enabled and whether CISCO interoperability is enabled The MST Bridge Port Detail field lists specific access point port status and their current state ...

Page 956: ...ent on the local link To assess the DHCPv6 relay configuration 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select DHCP Relay Client from the left hand side of the UI Figure 13 83 Access Point DHCP Relay Client screen 4 The DHCPv6 Status tables defines the...

Page 957: ...left hand side of the UI Client Identifier Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server Server Identifier Displays the server identifier supporting client DHCPv6 relay message reception DNS Servers Lists the DNS server resources supporting relay messages received from clients Domain Name Lists the do...

Page 958: ...CPv6 resource for IP address provisioning State Displays the current operational state of the DHCPv4 or DHCPv6 server to assess its availability as a viable IP provisioning resource IP Address Displays the IP address assigned to the requesting client Name Displays the domain name mapping corresponding to the listed IP address IP Address Displays the IP address for clients requesting DHCP provision...

Page 959: ...pool of IP addresses and client configuration parameters default gateway domain name name servers etc On receiving a valid client request the server assigns the computer an IP address a lease the validity of time and other IP configuration parameters Expiry Time Displays the expiration of the lease used by a requesting client for DHCP resources IP Address Displays the IP address for each DHCP reso...

Page 960: ...d the a RF Domain and select one of its connected access points 3 Select DHCP Server and expand the menu to reveal its sub menu items 4 Select Networks The Network Pool screen displays the following Figure 13 86 Access Point DHCP Server Networks screen Name Displays the name of the DHCP pool Subnet Address Displays the subnet addresses of the DHCP Pool Used Addresses Number of addresses that have ...

Page 961: ...packet flow utilization The chart represents the different protocol flows supported and displays a proportional view of the flows in respect to their percentage of data traffic utilized The Total Active Flows graph displays the total number of flows supported Other bar graphs display for each individual packet type 1 To view access point packet flows statistics 2 Select the Statistics menu from th...

Page 962: ...ine with external communications requests so it cannot respond to legitimate traffic or responds so slowly as to be rendered effectively unavailable DoS attacks are implemented by either forcing the targeted computer s to reset or consume its resources so it can t provide its intended service The DoS screen displays the types of attack number of times it occurred and the time of last occurrence To...

Page 963: ...To view the IP firewall rules 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select IP Firewall Rules Attack Type Displays the Denial of Service DoS attack type Count Displays the number of t...

Page 964: ...that contains Internet layer configuration parameters Allow an IPv6 formatted connection Allow a connection only if it is secured through the use of IPv6 security Block a connection and exchange of IPv6 formatted packets To view existing IPv6 firewall rules 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain a...

Page 965: ...f the screen Expand a RF Domain and select one of its connected access points 3 Select Firewall and expand the menu to reveal its sub menu items 4 Select MAC Firewall Rules Precedence Displays the precedence priority applied to IPV6 formatted packets Unlike IPv4 IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet IPv6 address...

Page 966: ... access point Many to one NAT is the most common NAT technique for outbound Internet access Many to one NAT allows an access point to translate one or more internal private IP addresses to a single public facing IP address assigned to a 10 100 1000 Ethernet port or 3G card To view the Firewall s NAT translations 1 Select the Statistics menu from the Web UI Precedence Displays a precedence value wh...

Page 967: ...rotocol as either TCP UDP or ICMP Forward Source IP Displays the source IP address for the forward NAT flow Forward Source Port Displays the source port for the forward NAT flow contains ICMP ID if it is an ICMP flow Forward Dest IP Displays the destination IP address for the forward NAT flow Forward Dest Port Destination port for the forward NAT flow contains ICMP ID if it is an ICMP flow Reverse...

Page 968: ...very and requests between the DHCP server and DHCP clients VLAN Displays the VLAN used as a virtual interface for the newly created DHCP configuration Lease Time When a DHCP server allocates an address for a DHCP client the client is assigned a lease which expires after a designated interval defined by the administrator The lease time is the time an IP address is reserved for re connection after i...

Page 969: ...avigation pane 3 Expand the Firewall menu from the left hand side of the UI 4 Select IPv6 Neighbor Snooping Figure 13 94 Access Point Firewall IPv6 Neighbor Snooping screen The IPv6 Neighbor Snooping screen displays the following MAC Address Displays the hardware encoded MAC address of an IPv6 client reporting to the controller or service platform Node Type Displays the NetBios node type from an I...

Page 970: ... conducted by the controller or service platform Time Elapsed Since Last Update Displays the amount of time elapsed since the DHCPv6 server was last updated Clear Neighbors Select Clear Neighbors to revert the counters to zero and begin a new data collection Refresh Select the Refresh button to update the screen s counters to their latest values ...

Page 971: ...bination of security protocols algorithms and other settings applied to IPSec protected traffic One crypto map is utilized for each IPsec peer however for remote VPN deployments one crypto map is used for all the remote IPsec peers Internet Key Exchange IKE protocol is a key management protocol standard used in conjunction with IPSec IKE enhances IPSec by providing additional features flexibility ...

Page 972: ... sees a sensitive packet it creates a secure tunnel and sends the packet through the tunnel to its destination Version Displays each peer s IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms State Lists the state of each listed peer s security association whether established or not Lifetime Displays the lifetime for the duration ...

Page 973: ...nidirectional existing in each direction and established per security protocol Options include ESP and AH State Lists the state of each listed peer s security association SPI In Lists stateful packet inspection SPI status for incoming IPSec tunnel packets SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid SPI Out Lists SPI status for outgoing IPSec tunnel packets...

Page 974: ... Keys 13 3 27 1 Trustpoints Certificates Each certificate is digitally signed by a trustpoint The trustpoint signing the certificate can be a certificate authority corporate or individual A trustpoint represents a CA identity pair containing the identity of the CA CA specific configuration parameters and an association with an enrolled identity certificate 1 Select the Statistics menu from the Web...

Page 975: ...he information specified under the Subject Name field Issuer Name Displays the name of the organization issuing the certificate Serial Number The unique serial number of the certificate issued RSA Key Used Displays the name of the key pair generated separately or automatically when selecting a certificate IS CA Indicates whether this certificate is an authority certificate Yes No Is Self Signed Di...

Page 976: ... access points 3 Select Certificates and expand the menu to reveal its sub menu items 4 Select RSA Keys Server Certificate Present Displays whether a server certification is present or not Yes No CRL Present Displays whether a Certificate Revocation List CRL is present Yes No A CRL contains a list of subscribers paired with digital certificate status The list displays revoked certificates along wi...

Page 977: ...ield displays the size in bits of the desired key If not specified a default key size of 1024 is used The RSA Public Key field lists the public key used for encrypting messages 5 Periodically select the Refresh button to update the screen s statistics counters to their latest values ...

Page 978: ...tails include the name of the blacklisted client the time when the client was blacklisted the total time the client remained in the network etc The screen also provides WIPS event details For more information see WIPS Client Blacklist WIPS Events 13 3 28 1 WIPS Client Blacklist WIPS This Client Blacklist displays blacklisted clients detected by this access point using WIPS Blacklisted clients are ...

Page 979: ...t s radio coverage area Time Blacklisted Displays the time when the client was blacklisted by this access point Total Time Displays the time the unauthorized now blacklisted device remained in this access point s WLAN Time Left Displays the time the blacklisted client remains on the list Refresh Select the Refresh button to update the statistics counters to their latest values Event Name Displays ...

Page 980: ...ystem Reference Guide Clear All Select the Clear All button to clear the screen of its current status and begin a new data collection Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 981: ...nd side of the screen Expand a RF Domain and select one of its connected access points 3 Select Sensor Servers Figure 13 101 Access Point Sensor Servers screen The Sensor Servers screen displays the following IP Address Hostname Displays a list of sensor server IP addresses or administrator assigned hostnames These are the server resources available to the access point for the management of data u...

Page 982: ...gle broadcast domain However with special DNS configuration it can be extended to find services across broadcast domains To view the available Bonjour Services 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain and select one of its connected access points 3 Select Bonjour Services Figure 13 102 Access Point ...

Page 983: ... to refresh the displayed statistics VLAN Type Displays local if the VLAN on which a service is advertised is local to this network Displays tunneled otherwise Expiry Displays the time at which the advertised service expires ...

Page 984: ...ne of its connected access points 3 Select Captive Portal Figure 13 103 Access Point Captive Portal screen The Captive Portal screen displays the following Client MAC Displays the MAC address of requesting wireless clients The client address displays as a link that can be selected to display configuration and network address information in greater detail Client IP Displays the IP addresses of capt...

Page 985: ...irtual interface for captive portal sessions Remaining Time Displays the time after which the client is disconnected from the captive portal hosted Internet and access point connectivity Refresh Select the Refresh button to update the screen s statistics counters to their latest values ...

Page 986: ...en provides detailed statistics of an associated NTP Server of an access point Use this screen to review the statistics for each access point The Network Time statistics screen consists of two tabs NTP Status NTP Association 13 3 32 1 NTP Status Network Time To view the Network Time statistics of an access point 1 Select the Statistics menu from the Web UI 2 Select System from the navigation pane ...

Page 987: ...n Precision Displays the precision of the time clock in Hz The values that normally appear in this field range from 6 for mains frequency clocks to 20 for microsecond clocks Reference Time Displays the time stamp the access point s clock was last synchronized or corrected Reference Displays the address of the time source the access point is synchronized to Root Delay The total round trip delay in ...

Page 988: ...but never completely reduces its offset to zero Poll Displays the maximum interval between successive messages in seconds to the nearest power of two Reach Displays the status of the last eight SNTP messages If an SNTP packet is lost the lost packet is tracked over the next eight SNTP messages Reference IP Address Displays the address of the time source the access point is synchronized to Server I...

Page 989: ...tion displays the load percentages for each of the selected variables over a period of time which can be altered using the slider below the upper graph Client Requests Events The Client Request Events displays the Time Client Capability State WLAN and Requested Channels for all client request events on the access point Remember AP6532 and AP71xx models can support up to 256 clients per access poin...

Page 990: ...and side of the screen Expand a RF Domain and select one of its connected AP8132 access points 3 Select Environment Figure 13 107 Access Point Environmental Sensor screen Light tab The Light tab displays by default with additional Temperature Motion and Humidity tabs available for unique sensor reporting Each of these sensor measurements helps the administrator determine whether the immediate depl...

Page 991: ...e AP8132 can be upgraded or powered off during specific hours of the day 7 Select the Temperature tab Figure 13 108 Access Point Environmental Sensor screen Temperature tab 8 Refer to the Temperature table to assess the sensor s detected temperature within the AP8132 s immediate deployment area Temperature is measured in centigrade The table displays the Current Temperature centigrade and a 20 Min...

Page 992: ...nterval and a 20 Minute Average Motion count per interval Compare these two items to determine whether the AP8132 s deployment location remains consistently occupied by client users For more information on enabling the sensor see Environmental Sensor Configuration on page 5 192 13 Refer to the Motion Trend Over Last Hour graph to assess the fluctuation in user movement over the last hour Use this ...

Page 993: ...d often a by product of temperature For more information on enabling the sensor see Environmental Sensor Configuration on page 5 192 5 Refer to the Humidity Trend Over Last Hour graph to assess the fluctuation in humidity over the last hour Use this graph in combination with the Temperature and Motions graphs in particular to assess the deployment area s activity levels 6 Refer to the Humidity Tre...

Page 994: ...s are required to improve client performance Wireless clients statistics can be assessed using the following criteria Health Details Traffic WMM TSPEC Association History Graph 13 4 1 Health Wireless Client Statistics The Health screen displays information on the overall performance of a selected wireless client To view the health of a wireless client 1 Select the Statistics menu from the Web UI 2...

Page 995: ...isted IP Address Displays the IP address the selected wireless client is currently utilizing as a network identifier WLAN Displays the client s connected access point WLAN membership This is the WLAN whose QoS settings should account for the clients s radio traffic objective Radio MAC Displays the access point radio MAC address the wireless client is connected to on the network VLAN Displays the V...

Page 996: ...the retry and error rate RF quality index can be interpreted as 0 20 Very poor quality 20 40 Poor quality 40 60 Average quality 60 100 Good quality Retry Rate Displays the average number of retries per packet A high number indicates possible network or hardware problems SNR Displays the signal to noise SNR ratio of the connected wireless client Signal Displays the power of the radio signals in dBm...

Page 997: ... bytes processed by the access point s connected wireless client Total Packets Displays the total number of packets processed by the wireless client User Data Rate Displays the average user data rate in both directions Physical Layer Rate Displays the average packet rate at the physical layer in both directions Tx Dropped Packets Displays the number of packets dropped during transmission Rx Errors...

Page 998: ...client is a member via its connected access point controller or service platform The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail OS Lists the client s operating system Android etc Browser Displays the browser type used by the client to facilitate its wireless connection Type Lists the client manufacturer or vendor Rol...

Page 999: ...e Mode Displays whether this feature is enabled on the wireless client The spatial multiplexing SM power save mode allows an 802 11n client to power down all but one of its radios This power save mode has two sub modes of operation static operation and dynamic operation Power Save Mode Displays whether this feature is enabled or not To prolong battery life the 802 11 standard defines an optional P...

Page 1000: ...ze with a client A client begins the association process by sending an association request to an access point This association request is sent as a frame This frame carries information about the client and the SSID of the network it wishes to associate After receiving the request the access point considers associating with the client and reserves memory space for establishing an AID for the client...

Page 1001: ...ssed in both directions by the access point s connected wireless client User Data Rate Displays the average user data rate Packets per Second Displays the packets processed per second Physical Layer Rate Displays the data rate at the physical layer level Bcast Mcast Packets Displays the total number of broadcast multicast packets processed by the client Management Packets Displays the number of ma...

Page 1002: ...s per packet A high number indicates possible network or hardware problems SNR Displays the connected client s signal to noise ratio SNR A high SNR could warrant a different access point connection to improve performance Signal Displays the power of the radio signals in dBm Noise Displays the disturbing influences on the signal in dBm Error Rate Displays the number of received bit rates altered du...

Page 1003: ...3 Select WMM TPSEC Figure 13 114 Wireless Client WMM TPSEC screen The top portion of the screen displays the TSPEC stream type and whether the client has roamed The Ports Stats field displays the following Sequence Number Lists a sequence number that s unique to this WMM TPSEC uplink or downlink data stream Direction Type Displays whether the WMM TPSEC data stream is in the uplink or downlink dire...

Page 1004: ...e Web UI 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select Association History Figure 13 115 Wireless Client Association History screen Refer to the following to discern this client s access point association history 7 Select Refresh to update the screen to its latest values Access Point Lists the access...

Page 1005: ...I 2 Select System from the navigation pane on the left hand side of the screen Expand a RF Domain an access point then a connected client 3 Select Graph 4 Use the Parameters drop down menu to define from 1 3 variables assessing client signal noise transmit or receive values 5 Use the Polling Interval drop down menu to define the interval the chart is updated Options include 30 seconds 1 minute 5 m...

Page 1006: ...13 190 WiNG 5 7 1 Access Point System Reference Guide ...

Page 1007: ...notification settings defined and saved as part of an event policy Thus policies can be configured and administrated in respect to specific sets of client association authentication encryption and performance events Once policies are defined they can be mapped to device profiles strategically as the likelihood of an event applies to particular devices By default there s no enabled event policy and...

Page 1008: ...PT SERVICE TUT_LINE_POWER_ALARM_RAISED 5 IPX str Line power alarm raised on id str Line power alarm raised ADOPT SERVICE TUT_LINE_POWER_ALARM_CLEARED 5 IPX str Line power alarm cleared on id str Line power alarm cleared ADOPT SERVICE TUT_WLAN_CLIENT_ASSOC 6 IPX str Client str on interface index str associated Client associated ADOPT SERVICE TUT_WLAN_CLIENT_DISASSOC 6 IPX str Client str on interfac...

Page 1009: ...Radios Count str Bss str Access point unadopted AP ADOPTED_TO_CONTROLLER Joined successfully with controller qstr str Access point adopted to controller AP ONLINE Access Point dev is now online Offline Reason is str Offline count is int Access point online AP OFFLINE Access Point dev is now offline Offline Reason is str Offline count is int Access point offline AP OFFLINE Device dev str is offline...

Page 1010: ...S Deauthentication attack ADV WIPS ADV WIPS EVENT 2 4 Detected DoS Disassociation attack against mac str DoS disassociation attack ADV WIPS ADV WIPS EVENT 3 4 Detected DoS EAP failure spoof attack by mac str EAP failure spoof attack ADV WIPS ADV WIPS EVENT 10 4 Detected ID Theft out of sequence attack for mac str ID theft out of sequence attack ADV WIPS ADV WIPS EVENT 11 4 Detected possible ID The...

Page 1011: ...t traffic ADV WIPS ADV WIPS EVENT 118 4 Multicast IGMP traffic found from mac str Multicast IGMP traffic ADV WIPS ADV WIPS EVENT 119 4 Detected NETBIOS traffic from mac str Detected NETBIOS traffic ADV WIPS ADV WIPS EVENT 120 4 Detected STP traffic from mac str Detected STP traffic ADV WIPS ADV WIPS EVENT 113 4 Multicast RIP 2 Routers traffic found from mac str Multicast RIP 2 routers traffic ADV ...

Page 1012: ...flood attack ADV WIPS ADV WIPS EVENT 222 4 Detected Invalid Channel Advertisement for mac str Invalid channel advertisement ADV WIPS ADV WIPS EVENT 63 4 Detected Windows ZERO Configuration Memory Leak on mac str Windows ZERO configuration memory leak ADV WIPS ADV WIPS EVENT 220 4 Detected Unauthorized Bridge mac str Unauthorized bridge AP SW_CONN_LOST 0 Lost connectivity with controller after conf...

Page 1013: ..._CRE_FAILED3 Page creation failed for policy qstr file qstr Error qstr Page creation failure CAPTIVE PORTAL DATA_LIMIT_EXCEED6 Data limit exceed Usage int KBytes Action str client mu ip Client data limit exceeded CAPTIVE PORTAL VLAN_SWITCH6 Client mu ip switching from vlan int to vlan int Client VLAN switch CAPTIVE PORTAL SERVER_MONITOR_STATE_CHANGE6 Captive portal policy qstr service monitor str ...

Page 1014: ..._TRUSTPOINT 6 Export of Trustpoint str str Export of trustpoint CERTMGR CERT_EXPIRY 4 str certificate for trustpoint str str Certificate expiration CERTMGR CA_KEY_ACTIONS_SUCCESS 6 str of CA private key for trustpoint str successful Successful completion of CA private key actions CERTMGR CA_KEY_ACTIONS_FAILURE 3 str of CA private key for trustpoint str failed str Failure of CA private key actions ...

Page 1015: ...ssword provided RSA key cannot be decrypted with provided password CERTMGR LITE CERTIMPORTED 6 str Certificate imported for the trustpoint str Certificate imported for trustpoint CERTMGR LITE CERTKEYIMPORTED 6 Private key imported for the trustpoint str Private key imported for trustpoint CERTMGR LITE RSAKEYIMPORTED 6 Rsakey imported with the name str RSA key imported CERTMGR LITE DELETETRUSTPOINT...

Page 1016: ...t 0 1 Memory usage detected as too high DIAG BUF_USAGE 6 uint byte buffer usage greater than expected uint used warning level uint Log buffer usage greater than anticipated DIAG HEAD_CACHE_USAGE 6 socket buffer head cache usage is greater than expected usage uint warning level uint Log head cache usage greater than anticipated DIAG IP_DEST_USAGE 6 IP destination cache usage is greater than expecte...

Page 1017: ...ay interface DHCPSVR RELAY_START 6 DHCP relay agent started on str DHCP relay agent started DHCPSVR RELAY_STOP 6 DHCP relay agent stopped DHCP relay agent stopped DHCPSVR DHCPSVR_START 6 DHCP server is started DHCP server started DIAG FAN_UNDERSPEED 4 Fan str under speed uint RPM is under limit uint RPM Fan speed under set RPM limit DIAG ELAPSED_TIME 7 Elapsed time since last diag run appears to b...

Page 1018: ...X_FAILED 5 Client qstr failed 802 1x EAP authentication on interface qstr 802 1x authentication failure 802 1X authentication failed DOT11 COUNTRY_CODE 5 Country of operation configured to str Country of operation configured DOT11 COUNTRY_CODE_ERROR 1 Error setting country of operation str Error setting country of operation DOT11 CLIENT_ASSOCIATED 6 Client qstr associated to wlan qstr ssid qstr on...

Page 1019: ...CHED_KEYS 6 Key Cache used for client qstr on wlan qstr radio qstr Skipping 802 1x Key cache used for authentication DOT11 EAP_OPP_CACHED_KEYS 6 Opportunistic Key Cache used for client qstr on wlan qstr radio qstr Skipping 802 1x Opportunistic key caching used for authentication DOT11 EAP_PREAUTH_SUCCESS 6 Client qstr 802 1x EAP type str pre authentication success on wlan qstr bss mac EAP pre auth...

Page 1020: ...ul system cmd failed FWU FWUBADCONFIG 3 Firmware update unsuccessful unable to read configuration file Update unsuccessful unable to read config file FWU FWUSERVERUNDEF 3 Firmware update unsuccessful update server undefined Update unsuccessful server undefined FWU FWUFILEUNDEF 3 Firmware update unsuccessful update file undefined Update unsuccessful update file undefined FWU FWUSERVERUNREACHABLE 3 ...

Page 1021: ... license installed count int License count LICMGR LIC_REMOVED 6 str license removed License removed LICMGR LIC_INVALID 3 str license invalid Error str License installation failed MESH MESH_LINK_UP 5 Mesh link up between radio qstr and radio qstr Mesh link up MESH MESH_LINK_DOWN 5 Mesh link down between radio qstr and radio qstr Mesh link down MGMT LOG_KEY_DELETED 4 Rsakey str associated with ssh i...

Page 1022: ...P 6 Interface str acquired IP address ip uint via DHC Interface assigned DHCP IP address NSM DHCPDEFRT 6 Default route with gateway ip learnt via DHC Default route learnt via DHCP NSM DHCPIPCHG 5 Interface str changed DHCP IP old IP ip uint new IP ip uint DHCP Interface IP changed NSM DHCPNODEFRT 5 Interface str lost its DHCP default route Interface no default route NSM IFIPCFG 3 Interface str IP ...

Page 1023: ...RESP 4 Process str is not responding uint uint Process is not responding RADCONF RADIUSDSTART 6 Radius Server Started RADIUS server started RADCONF RADIUSDSTOP 6 Radius Server Stopped RADIUS server stopped RADCONF COULD_NOT_STOP_RADIUSD 3 radiusd could not be stopped RADIUS server failed to stop RADIO RADIO_STATE_CHANGE 5 Radio qstr changing state from qstr to qstr Radio state changed RADIO RADAR_...

Page 1024: ...em warm start recovery SYSTEM COLD_START 6 System Cold start System came up at str System cold start SYSTEM SERVER_UNREACHABLE 5 Server not reachable trying authentication using local database Authentication using the local database SYSTEM PERIODIC_HEART_BEAT 3 Periodic Heart Beat Interval int Ip address str Periodic heartbeat detected SYSTEM CONFIG_COMMIT 6 Configuration commit by user qstr str f...

Page 1025: ...ip does not overlap with any of the interface addresses VRRP IP not overlapping with interface addresses VRRP VRRP_MONITOR_CHANGE 5 str VRRP Group uint monitored str state change to str priority change from uint to uint VRRP monitor link state change WIPSUNSANCTIONED_AP_ACTIVE6UnsanctionedAP mac vendor str on channel int with rssi int active from str Unsanctioned AP active WIPS UNSANCTIONED_AP_INA...

Page 1026: ...14 20 WiNG 5 7 1 Access Point System Reference Guide ...

Page 1027: ...me Software type and version number If you have a problem with your equipment contact support for your region Support and issue resolution is provided for products under warranty or that are covered by an services agreement Contact information and Web self service is available by visiting http www zebra com support Customer Support Web Site The Support web site located http www zebra com support p...

Page 1028: ...A 2 WiNG 5 7 1 Access Point System Reference Guide ...

Page 1029: ...r more information visit http www zebra com support B 2 Open Source Software Used Symbol Technologies Support Central Web site located at http www zebra com support provides information and online assistance including developer tools software downloads product manuals support contact information and online repair requests Name Version URL License Apache Web Server 1 3 41 http www apache org Apache...

Page 1030: ... General Public License version 2 czjson 1 0 8 https pypi python org pypi czjson 1 0 8 GNU Lesser General Public License 2 1 dash 0 5 7 http gondor apana org au herbert dash The BSD License dhcp 3 0 3 http www isc org software dhcp ISC License diffutils 2 8 1 http www gnu org software diffutils GNU General Public License version 2 dmalloc 5 5 2 http dmalloc com None dmidecode 2 11 http savannah no...

Page 1031: ...ense version 2 hdparm 9 38 http sourceforge net projects hdparm GNU General Public License version 2 hostapd 0 6 9 http hostap epitest fi hostapd GNU General Public License version 2 hotplug 1 3 http sourceforge net projects linux hotplug GNU General Public License version 2 hotplug2 0 9 http isteve bofh cz isteve hotplug2 GNU General Public License version 2 i2ctools 3 0 3 http www lm sensors org...

Page 1032: ...lic License version 3 0 libgnutls 3 0 19 ftp ftp gnupg org GnuPG gnutls v3 0 GNU Lesser General Public License version 3 0 libgpg error 1 6 ftp ftp gnupg org GnuPG libgpg error GNU Lesser General Public License 2 1 libharu 2 1 0 http libharu org MIT License libhttp parser None None MIT License libiconv 1 14 http savannah gnu org projects libiconv GNUGeneralPublic License 2 0 libjson 0 10 http sour...

Page 1033: ...lic License version 2 ltp 20060717 http ltp sourceforge net GNU General Public License version 2 lxml 2 3beta1 http lxml de The BSD License lzma 4 32 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzma 4 57 http www 7 zip org sdk html GNU Lesser General Public License version 2 0 lzo 2 03 http www oberhumer com opensource lzo GNU General Public License version 2 M2Crypto...

Page 1034: ... BSD License Open Scales 2 2 http openscales org GNU Lesser General Public License version 3 0 OpenStreetMap http www openstreetmap org Creative Commons Attribution ShareAlike License version 3 0 openldap 2 4 25 http www openldap org foundation The Open LDAP Public License openllpd 0 0 3alpha http openlldp sourceforge net GNU General Public License version 2 openssh 5 4p1 http www openssh com The ...

Page 1035: ...re ftpd 1 0 22 http www pureftpd org project pure ftpd The BSD License pychecker 0 8 18 http pychecker sourceforge net The BSD License pyparsing 1 5 1 http sourceforge net projects pyparsing The BSD License pyxapi 0 1 http www pps jussieu fr 7Eylg PyXAPI GNU General Public License version 2 qdbm 1 8 77 http qdbm sourceforge net GNU General Public License version 2 quagga 0 99 16 http www quagga ne...

Page 1036: ...c License version 2 stunnel 4 31 http www stunnel org GNU General Public License version 2 sysstat 9 0 5 http sebastien godard pagesperso orange fr GNU General Public License version 2 tar 1 17 http www gnu org software tar GNU General Public License version 2 tcpdump 4 0 0 http www tcpdump org The BSD License u boot trunk 2010 03 30 http www denx de wiki U Boot GNU General Public License version ...

Page 1037: ...lic License version 2 wpa_supplicant 2 0 http hostap epitest fi wpa_supplicant The BSD License wuftpd 1 0 21 http wu ftpd therockgarden ca WU FTPD Software License XenAPI None http docs vmd citrix com XenServer 4 0 1 api client examples python index html GNU General Public License version 2 xen 4 1 2 http www xen org GNU General Public License version 2 xen crashdump a nalyser 20130505 http xenbit...

Page 1038: ... For the purposes of this License Derivative Works shall not include works that remain separable from or merely link or bind by name to the interfaces of the Work and Derivative Works thereof Contribution shall mean any work of authorship including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof that is intentionally submitted to Licenso...

Page 1039: ...d distribution of the Work otherwise complies with the conditions stated in this License 5 Submission of Contributions Unless You explicitly state otherwise any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License without any additional terms or conditions Notwithstanding the above nothing herein shall superse...

Page 1040: ...ISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT...

Page 1041: ... 6 Licensor means the individual individuals entity or entities that offer s the Work under the terms of this License 7 Original Author means in the case of a literary or artistic work the individual individuals entity or entities who created the Work or if no individual or entity can be identified the publisher and in addition i in the case of a performance the actors singers musicians dancers an...

Page 1042: ...he right to collect royalties through any statutory or compulsory licensing scheme can be waived the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License and 3 Voluntary License Schemes The Licensor waives the right to collect royalties whether individually or in the event that the Licensor is a member of a collecting societ...

Page 1043: ...y journal for attribution Attribution Parties in Licensor s copyright notice terms of service or by other reasonable means the name of such party or parties ii the title of the Work if supplied iii to the extent reasonably practicable the URI if any that Licensor specifies to be associated with the Work unless such URI does not refer to the copyright notice or licensing information for the Work an...

Page 1044: ...er this License 2 Each time You Distribute or Publicly Perform an Adaptation Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License 3 If any provision of this License is invalid or unenforceable under applicable law it shall not affect the validity or enforceability of the emainder of the terms of this Licen...

Page 1045: ...ted free of charge to any person obtaining a copy of this software and associated documentation files the Software to deal in the Software without restriction including without limitation the rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above ...

Page 1046: ...A 02110 1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast the GNU General Public License is intended to guarantee your freedom to share and change free software to make sure the software is free for all its use...

Page 1047: ...nd give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee You may modify your copy or copies of the Library or any portion of it thus forming a work based on the Library and copy and distribute such modifications or work under t...

Page 1048: ... a header file that is part of the Library the object code for the work may be a derivative work of the Library even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data ...

Page 1049: ... with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance You are not required to accept this License since you have not signed it However nothing else grants you permission to modify o...

Page 1050: ...of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF AN...

Page 1051: ... a free program by obtaining a restrictive license from a patent holder Therefore we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license Most GNU software including some libraries is covered by the ordinary GNU General Public License This license the GNU Lesser General Public License applies to certain desig...

Page 1052: ...t the Library does and what the program that uses the Library does 1 You may copy and distribute verbatim copies of the Library s complete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warran...

Page 1053: ... program that contains no derivative of any portion of the Library but is designed to work with the Library by being compiled or linked with it is called a work that uses the Library Such a work in isolation is not a derivative work of the Library and therefore falls outside the scope of this License However linking a work that uses the Library with the Library creates an executable that is a deri...

Page 1054: ...u may place library facilities that are a work based on the Library side by side in a single library together with other library facilities not covered by this License and distribute such a combined library provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted and provided that you do these two things a Accompany the com...

Page 1055: ...iven a distinguishing version number If the Library specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Library does not specify a license version number you may choose any version ever published by the Free Softw...

Page 1056: ...ents the same freedoms that you received You must make sure that they too receive or can get the source code And you must show them these terms so they know their rights Developers that use the GNU GPL protect your rights with two steps 1 assert copyright on the software and 2 offer you this License giving you legal permission to copy distribute and or modify it For the developers and authors prot...

Page 1057: ... source code for a work means the preferred form of the work for making modifications to it Object code means any non source form of a work A Standard Interface means an interface that either is an official standard defined by a recognized standards body or in the case o interfaces specified for a particular programming language one that is widely used among developers working in that language The...

Page 1058: ...ights under this License with respect to the covered work and you disclaim any intention to limit operation or modification of the work as a means of enforcing against the work s users your or third parties legal rights to forbid circumvention of echnological measures 4 Conveying Verbatim Copies You may convey verbatim copies of the Program s source code as you receive it in any medium provided th...

Page 1059: ... a different server operated by you or a third party that supports equivalent copying facilities provided you maintain clear directions next to the object code saying where to find the Corresponding Source Regardless of what server hosts the Corresponding Source you remain obligated to ensure that it is available for as long as needed to satisfy these requirements e Convey the object code using pe...

Page 1060: ...a Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License or b Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it or c Prohibiting misrepresentation of the origin of that material or requiring that modified versions of such mater...

Page 1061: ...ould give under the previous paragraph plus a right to possession of the Corresponding Source of the work from the predecessor in interest if the predecessor has it or can get it with reasonable efforts You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License For example you may not impose a license fee royalty or other charge for exercise of...

Page 1062: ...icense they do not excuse you from the conditions of this License If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not convey it at all For example if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program the on...

Page 1063: ...tribute this software for any purpose with or without fee is hereby granted provided that the above copyright notice and this permission notice appear in all copies THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL DIRECT INDIRECT ...

Page 1064: ...e with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License b Accompany the object code with a copy of the GNU GPL and this license document 4 Combined Works You may convey a Combined Work under terms of your choice that taken together effectively do not restrict modification of the portions of the Library contained in the Combine...

Page 1065: ...ber of the GNU Lesser General Public License you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply that proxy s public statement of acceptance of any version is permanent authorization for you t...

Page 1066: ...ftware sharing because most developers did not use the libraries We concluded that weaker conditions might promote sharing better However unrestricted linking of non free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves This Library General Public License is intended to permit developers of non free programs to use free libraries wh...

Page 1067: ...tion Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Library and can be reasonably considered independent and sep...

Page 1068: ...e Sections above you may also combine or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that ...

Page 1069: ...ms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties with this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or...

Page 1070: ...ARY SERVICING REPAIR OR CORRECTION IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS ...

Page 1071: ...brary and is analogous to running a utility program or application program However in a textual and legal sense the linked executable is a combined work a derivative of the original library and the ordinary General Public License treats it as such Because of this blurred distinction using the ordinary General Public License for libraries did not effectively promote software sharing because most de...

Page 1072: ...urpose remains meaningful For example a function in a library to compute square roots has a purpose that is entirely well defined independent of the application Therefore Subsection 2d requires that any application supplied function or table used by this function must be optional if the application does not supply it the square root function must still compute square roots These requirements apply...

Page 1073: ...compile or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Library is used in it and ...

Page 1074: ...granted herein You are not responsible for enforcing compliance by third parties to this License 11 If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of t...

Page 1075: ...L SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES B 3 12 GNU Lesser General Pub...

Page 1076: ...rivative of the original library The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom The Lesser General Public License permits more lax criteria for linking other code with the library We call this license the Lesser General Public License because it does Less to protect the user s freedom than the ordinary General Public L...

Page 1077: ...distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a The modified work must itself be a software library b You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change c You must cause the whole of the work to be licensed at no charge to all third parties under th...

Page 1078: ... even though the source code is not Whether this is true is especially significant if the work can be linked without the Library or if the work is itself a library The threshold for this to be true is not precisely defined by law If such an object file uses only numerical parameters data structure layouts and accessors and small macros and small inline functions ten lines or less in length then th...

Page 1079: ...blicense link with or distribute the Library is void and will automatically terminate your rights under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 9 You are not required to accept this License since you have not signed it However nothing else grants you permiss...

Page 1080: ...r free software and of promoting the sharing and reuse of software generally NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE LIBRARY TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE LIBRARY AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NO...

Page 1081: ... to deletion from or modification of the contents of Covered Software or 2 any new file in Source Code Form that contains any Covered Software 1 11 Patent Claims of a Contributor means any patent claim s including without limitation method process and apparatus claims in any patent Licensable by such Contributor that would be infringed but for the grant of the License by the making using selling o...

Page 1082: ...the combination of its Contributions with other software except as part of its Contributor Version or 3 under Patent Claims infringed by Covered Software in the absence of its Contributions This License does not grant any rights in the trademarks service marks or logos of any Contributor except as may be necessary to comply with the notice requirements in Section 3 4 2 4 Subsequent Licenses No Con...

Page 1083: ...ty or limitations of liability contained within the Source Code Form of the Covered Software except that You may alter any license notices to the extent required to remedy known factual inaccuracies 3 5 Application of Additional Terms You may choose to offer and to charge a fee for warranty support indemnity or liability obligations to one or more recipients of Covered Software However You may do ...

Page 1084: ...d above be liable to You for any direct indirect special incidental or consequential damages of any character including without limitation damages for lost profits loss of goodwill work stoppage computer failure or malfunction or any and all other commercial damages or losses even if such party shall have been informed of the possibility of such damages This limitation of liability shall not apply...

Page 1085: ... the following disclaimer in the documentation and or other materials provided with the distribution and 3 Redistributions must contain a verbatim copy of this document The OpenLDAP Foundation may revise this license from time to time Each revision is distinguished by a version number You may use this Software under terms of this license revision or under the terms of any subsequent revision of th...

Page 1086: ...BILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes oftware written by Tim Hudson tjh cryptsoft com B 3 17 WU FTPD Software License WU FTPD SOFTWARE LICENSE Use modification or redistribution inc...

Page 1087: ...S SOFTWARE IS PROVIDED BY THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE WU FTPD DEVELOPMENT GROUP THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT NDIRECT INCIDENTAL SPECIAL ...

Page 1088: ...Access Point System Reference Guide 3 This notice may not be removed or altered from any source distribution Jean loup Gailly Mark Adler jloup gzip org madler alumni caltech edu jloup gzip org madler alumni caltech edu ...

Page 1089: ......

Page 1090: ...MN001977A01 Revision A April 2015 ...

Reviews:

No comments

Related manuals for WiNG 5.7.1

Daikin EKRACPUR1PA Security Instructions preview
EKRACPUR1PA
Brand: Daikin Pages: 2
4IPNET HSG260 User Manual preview
HSG260
Brand: 4IPNET Pages: 194
Waxess DM1000C User Manual preview
DM1000C
Brand: Waxess Pages: 27
3onedata IAP3600S-225-2GT-PDP12 48 Quick Installation Manual preview
IAP3600S-225-2GT-PDP12 48
Brand: 3onedata Pages: 4
Billion BIPAC 6500W User Manual preview
BIPAC 6500W
Brand: Billion Pages: 61
Linksys E7350 User Manual preview
E7350
Brand: Linksys Pages: 155
CreatComm TB5F User Manual preview
TB5F
Brand: CreatComm Pages: 40
Sanoxy WR-M3GU12 Quick Installation Manual preview
WR-M3GU12
Brand: Sanoxy Pages: 12
Air Live N450R Quick Start Manual preview
N450R
Brand: Air Live Pages: 3
Nortel 7220 Installing Manual preview
7220
Brand: Nortel Pages: 34
AvaLAN AW58300HTA User Manual preview
AW58300HTA
Brand: AvaLAN Pages: 16
Westermo 3623-077001 User Manual preview
3623-077001
Brand: Westermo Pages: 32
AirLive G.DUO User Manual preview
G.DUO
Brand: AirLive Pages: 139
Delta DVW SERIES User Manual preview
DVW SERIES
Brand: Delta Pages: 108
WURM CAN-APM Manual preview
CAN-APM
Brand: WURM Pages: 4
NETGEAR MBR1310 User Manual preview
MBR1310
Brand: NETGEAR Pages: 103
ViewSonic LB-WIFI-001 Quick Start Manual preview
LB-WIFI-001
Brand: ViewSonic Pages: 10
ViewSonic VS10276 User Manual preview
VS10276
Brand: ViewSonic Pages: 66

Brands by name

Popular brands

Load more brands