Installation and Configuration Guide (CQW-AP108AG)

Appendix A: Using the Command Line Interface

This appendix explains how to access and interact with the command line interface (CLI). For 
detailed information on specific commands, see the CLI Reference Manual.

Using the Command Line Interface

To connect to the AP for command line interface access using Secure Shell (SSH), do the following:

1. Launch your SSH client application.

2. Type ssh admin@<AP IP address>, using the AP IP address assigned to the Access Point (or 192.168.1.254 by default) and press Return.

   When connected, a screen opens similar to the one shown in Figure 169.

   Figure 169: Access Point Serial Console Login Screen

3. Enter your login ID and press Return. When prompted next, enter your password. The factory default for administrator access is user name: admin. If the AP has not been initialized, the user name field is grayed out. The factory default password is shipped with the AP on a paper insert. Use the password from the insert to log in.

NOTE: SSH Communications provides an SSH client, http://www.ssh.com.
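The connection in step 2, wrapped as an added shell example (not part of the original guide): it validates the address before it reaches ssh and keeps AP host keys in a separate known-hosts file, so a changed key at the shared factory-default address is noticed. The function names and the known_hosts_ap file path are assumptions; the OpenSSH options used are standard.

```shell
#!/bin/sh
# Added example, not from the guide. Values taken from the guide:
AP_DEFAULT_IP="192.168.1.254"   # factory default management address
AP_USER="admin"                 # factory default administrator user name
# Assumption: a dedicated known-hosts file for access points.
AP_KNOWN_HOSTS="${AP_KNOWN_HOSTS:-$HOME/.ssh/known_hosts_ap}"

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # stray characters or empty octets
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                               # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ap_ssh_target [ADDR]: print the user@host argument for ssh, falling back
# to the factory default address when no address is given.
ap_ssh_target() {
    ip="${1:-$AP_DEFAULT_IP}"
    valid_ipv4 "$ip" || { echo "invalid AP IP address: $ip" >&2; return 2; }
    printf '%s@%s\n' "$AP_USER" "$ip"
}

# ap_connect [ADDR]: open the CLI session described in step 2.
ap_connect() {
    target=$(ap_ssh_target "$1") || return $?
    if [ "${target#*@}" = "$AP_DEFAULT_IP" ]; then
        # Every uninitialized AP answers on this address with its own host
        # key, so a "host key changed" warning here needs checking before
        # the old entry is removed from the known-hosts file.
        echo "note: $AP_DEFAULT_IP is the factory default address;" \
             "confirm the host key fingerprint before accepting it" >&2
    fi
    # ask: prompt on first contact, refuse to continue on a changed key.
    ssh -o StrictHostKeyChecking=ask \
        -o UserKnownHostsFile="$AP_KNOWN_HOSTS" \
        "$target"
}

# Usage: ap_connect            (factory default address)
#        ap_connect 10.20.30.40
```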

Summary of Contents for CQW-AP108AG

Page 1: ...munications Head Quarters Japan PCI Building 12 7 Nihombashi Odemma cho Chuo ku Tokyo 103 0011 www planex co jp Published July 2004 Installation and Configuration Guide 108 Mbps Wireless Access Point CQW AP108AG ...

Page 3: ...ample Wireless Network Installation 9 Assessing Coverage and Capacity Requirements 10 Site Surveys 11 Assessing Security Needs and Architecture 11 Selecting a Network Management Method 13 Planning Network Features 14 Example Deployment Scenarios 16 Example 1 Small office single AP possible future growth 16 Example 2 Small to mid size business with wireless backhaul 18 Example 3 Mid size business m...

Page 4: ...6 Navigating the Web Interface 37 The Home Panel 37 Quick Start Panels 39 Other Panels 45 NM Portal Access 45 Configuration Wizards 45 User Security Wizard 45 Guest Access Wizard 50 4 Configuring Radio Settings 55 Introduction 55 Configuring Radio Parameters 56 Global Configuration 57 Admin State Configuration 63 Channel Configuration 65 Performance 67 Admission 69 Setting the Advanced Radio Confi...

Page 5: ... Configuring IP Routes 105 Configuring VLANs 107 VLAN Table 108 Interface VLAN 109 User VLAN 110 VLAN Statistics 112 Configuring Quality of Service 113 Ingress QOS 115 Egress COS 116 QoS Stats 117 Configuring Advanced QoS 117 Class Order 118 IP DSCP 119 IP Protocol 120 IP Precedence 121 Configuring Packet Filters 121 Filter Table 121 Filter Statistics 123 Configuring Interfaces 123 Interface Table...

Page 6: ...or Security 146 External RADIUS Server Settings 147 Viewing Security Statistics 148 Authentication Statistics 148 Supplicant Statistics 149 Authentication Diagnostics 151 Configuring Advanced Parameters 152 8 Configuring Guest Access 155 Overview 155 Internal Landing Page 156 External Landing Page 157 Open Subnet 158 Configuring Guest Access 158 Guest Access Services Panel 160 Guest Access Securit...

Page 7: ... IP Configuration 212 Syslog Configuration 213 License Management 214 NMS Configuration 214 Hardware Options 215 Managing the AP Configuration 216 Secure Backup 216 Configuration Reports 217 Reset Configuration 219 TFTP Backup 220 Upgrading Software 221 Software Image File 222 Upgrading the AP Software 222 Canceling a Distribution 225 Download Status 225 Image Recovery 226 Common Problems and Solu...

Page 8: ...C check 255 Security STA attempting WPA PSK no Pre shared Key is set for SSID 256 Security Auth Server Improperly configured on this SSID 257 Security STA failed to send EAPOL Start 258 Security RADIUS sent a bad response 259 Security RADIUS timeout too short 259 Security STA authentication did not complete in time 260 Security Upstream AP is using an untrusted auth server 261 Security Upstream AP...

Page 9: ...Installation and Configuration Guide CQW AP108AG ix Security EAPOL Key exchange message 2 timeout 274 Security EAPOL Group 2 key exchange timeout 275 Glossary 277 Index 283 ...

Page 10: ...o the glossary at the end of the guide just before the index Organization of this Guide This guide consists of the following chapters Chapter 1 Overview provides a high level overview of the 108 Mbps Wireless Access Point products Chapter 2 Planning Your Installation describes various deployment scenarios and helps determine how many 108 Mbps Wireless Access Points will be needed and the appropria...

Page 11: ...uide This guide uses the following conventions for instructions and information Notes Cautions and Warnings Notes cautions and time saving tips use the following conventions and symbols Command Conventions Table 1 describes the command syntax used in this document NOTE Notes contain helpful suggestions or information that may be of importance to the task at hand CAUTION Caution indicates that ther...

Page 12: ...Installation and Users Guide Explains how to install and configure the PLANEX Wireless LAN Client Adapter which provides PC laptop and desktop users with access to the PLANEX Access Point products PLANEX Wireless LAN Network Management Software Installation and Configuration Guide Explains how to use PLANEX Wireless LAN Network Management Software to manage an enterpr...

Page 14: ... PLANEX product suite comprises these wireless networking products 108 Mbps Wireless Access Point 108Mbps Wireless LAN PC Card PLANEX Professional Network Management System Wireless LAN Network Management Software 108 Mbps Wireless Access Points 108 Mbps Wireless Access Points 108 Mbps Wireless AP provide network connectivity for wireless client stations Incorporating the latest technological adva...

Page 15: ...ss equipment while also supporting the latest network security and management features All 108 Mbps Wireless Access Point models include the following features Dual radios each operating in 802 11b g or 802 11a mode Optional PLANEX enhanced data rates up to 108 Mbps Automated frequency management Cell size and range management Support for all current IEEE 802 11 standards and draft versions of 802...

Page 16: ...ps Wireless AP supports management of radio channels cell size and range Channel management features include automatic channel selection support for international channel sets dynamic channel changes in response to network conditions and the ability to assign channels manually to fine tune channel quality Cell size and range capabilities enable you to optimize equipment placement eliminate dead sp...

Page 17: ...ment NM Portal services provide network management functionality for small to mid size wireless networks Each 108 Mbps Wireless AP configured as an NM Portal can operate in stand alone mode to provide network management for the entire network or as a location or branch manager working in conjunction with Wireless LAN Network Management Software the PLANEX Professional Network Management System Sec...

Page 18: ...mance encryption Support for installations ranging from the small office home office SOHO to multi site enterprises Command line access using SSH secure shell Web based management interface and policy based management using HTTPS SSL SNMP management interface through SNMPv3 IEEE 802 11i standards User authentication using EAP TLS EAP PEAP WPA PSK WEP Rogue AP detection Rogue client detection VLANs...

Page 19: ...rding to user or application based rules The COS approach does not guarantee bandwidth but it does give best effort priority according to the assigned level A flexible approach to service quality it scales easily and accommodates a variety of mapping rules MAC layer mappings for COS levels and COS to IP layer mappings are supported and priority settings can be assigned for different COS mapping ru...

Page 20: ...11 Mbps 802 11a OFDM 6 9 12 18 24 36 48 54 Mbps 802 11g OFDM 6 9 12 18 24 36 48 54 Mbps PLANEX also offers enhanced data rates of 72 96 and 108 Mbps for enhanced performance Integration With the Existing Wired Network PLANEX wireless networking solutions are standards compliant to ensure seamless integration with existing wired network infrastructures The following integration features are include...

Page 21: ...asks using the web browser interface NM Explorer A built in NM Portal web interface is available to manage multiple APs For details on using NM Portal see Chapter 9 Managing the Network Command Line Interface CLI The command line interface CLI for the 108 Mbps Wireless AP is accessible through a local 9 pin serial console port or over SSH For more information on using the CLI to configure the AP s...

Page 22: ...placement Security needs Choose a security architecture and features Network management Choose a method to manage the network and monitor its health Network features Determine VLAN assignment user groups services and privileges If planned properly a wireless network can be easily expanded and adjusted to changing conditions and requirements while preserving effective security and enabling network ...

Page 23: ...ates the contrast between typical wireless coverage and PLANEX wireless coverage Each 108 Mbps Wireless AP can service a wider area or provide higher data rates than alternative solutions Precise coverage and capacity vary considerably depending on factors such as the specific 802 11 protocol being used antenna placement and location building construction materials and local obstructions Enterpris...

Page 24: ...lly for installations with a variety of buildings and building materials radio signal conditions and restrictions on equipment placement Thanks to the dramatic improvements in capacity and coverage provided by 108 Mbps Wireless APs many small to mid size companies can forgo the traditional site survey process and rely instead on general guidelines Assessing Security Needs and Architecture The late...

Page 25: ...ption Standard AES adopted by the Wi Fi Alliance as part of the IEEE 802 11i working group efforts and grouped under the heading Wi Fi Protected Access WPA The new IEEE 802 11i standard provides financial grade security with extremely strong AES over the air encryption The keys used for every user session are unique and are established automatically using the IEEE 802 1x protocol Unless your wirel...

Page 26: ...mit network administrators to obtain access from any designated client station For more information see the PLANEX Wireless LAN Network Management Software Installation and Configuration Guide Wireless LAN Network Management Software can be installed as a stand alone network management solution or it can be used in conjunction with NM Portal APs to create an efficient distribution system for netwo...

Page 27: ...tal Authentication Determine how to verify the identity of users requesting access to the network An authentication scheme is required for all except Open access Pre shared key PSK authentication uses matching keys assigned prior to the authentication session and stored on the AP and in the client With PSK no external authentication server is required This approach is useful for small to mid size ...

Page 28: ...l obtain the needed priority QoS is implemented by way of class of service COS mappings Accept the default mappings or define custom mappings to create special high or low priority classes of service Default and custom mappings are compatible with other feature selections Service Profile Service profiles specify the services available for an SSID or for designated user groups within an SSID Accept...

Page 29: ...nagement structure will be in place in the event that the business expands and additional APs are required Since the user base is small there is no need for a RADIUS authentication infrastructure The security mode is WPA with pre shared keys PSK and AES encryption A single SSID is in place and the default VLAN QoS and service profiles are used Figure 6 Example 1 Feature Decisions A0037C AP NM Port...

Page 30: ...with the AP available 3 Bootstrap the AP as an NM Portal Defaults are acceptable for most settings 4 Choose an SSID wireless network name 5 Choose an administrative password and WPA pre shared key 6 Configure clients with compatible WPA security using the same pre shared key References Initializing a Normal AP on page 33 Initializing the Portal AP on page 36 Confirm that the network is up Open the...

Page 31: ... provides authentication for the backhaul AP The security mode is WPA with pre shared keys PSK A single SSID is in place and the default VLAN QoS and service profiles are used Figure 8 Example 2 Feature Decisions A0042E SSID Corp SSID Corp 10 100 Switched Ethernet A0036B Physical Network One AP Multiple APs Wireless Backhaul Network Management NM Portal Default VLAN Single SSID default Default COS...

Page 32: ...from the main corporate network traffic Two RADIUS servers are configured each in its own authentication zone To separate Finance department traffic from the overall network traffic a Finance VLAN is created A Finance service profile is also created and bound to the Finance SSID The service profile is configured to include the Finance VLAN high security and higher than normal COS Once this structu...

Page 33: ...Zones on page 145 Set up VLANs 1 Choose the VLAN structure for the network 2 Configure the VLANs Reference Configuring VLANs on page 107 Add VLANs to the service profiles 1 Define or modify service profiles to include VLAN selection 2 Bind each profile to an SSID with an existing or new user group Reference Profile Table on page 85 and SSID Details on page 83 A0036A Physical Network One AP Multipl...

Page 34: ...ble on the guest VLAN As additional needs arise the network administrator can easily add new VLANs and service profiles and change the available levels of service New VLANs are created to segregate traffic for the Manufacturing and Engineering departments and new service profiles are created to accommodate members of those departments Special classes of service are assigned for applications sensit...

Page 35: ...ired COS and open security Reference Profile Table on page 85 and SSID Details on page 83 Configure landing page 1 Choose an internal or external landing page 2 Assign guest password Reference Configuring Guest Access on page 158 A0036A Physical Network One AP Multiple APs Wireless Backhaul Network Management NM Portal Default VLAN Single SSID default Default COS Mappings Custom COS Mappings Defau...

Page 36: ...ntralized monitoring and fault management The campus buildings and branch offices lend themselves to a hierarchical management structure in which an NM Portal AP is configured in each building Each NM Portal AP handles policy distribution and software upgrades at its location as directed by Wireless LAN Network Management Software The NM Portal AP also serves as a backup security portal in the eve...

Page 37: ...167 or the Wireless LAN Network Management Software Installation and Configuration Guide Create and distribute policies Use Wireless LAN Network Management Software to create configuration policies and distribute them to APs across the network Reference Wireless LAN Network Management Software Installation and Configuration Guide A0036A Physical Network One AP Multiple APs Wireless Backhaul Networ...

Page 38: ...wing are required to connect to the 108 Mbps Wireless Access Point For web browser or network management portal access a computer with a web browser capable of secure HTTP connections HTTPS For SSH connection a computer with an SSH utility the PuTTY application meets this requirement and is available as freeware 10 100 Ethernet cable to connect to the AP The computer designated for AP access shoul...

Page 39: ...console Network Information Requirements Have the following information accessible before configuring the AP IP address assigned to the AP fixed IP address or DHCP reserved address IP addresses for the default gateway DNS Server and NTP Server if DHCP is not used to provide IP addresses IP address of the SMTP email server if the AP is to send alerts to a specified email address Email address of th...

Page 40: ...used at the same time then failover takes place automatically in the event that one of the power sources is lost For failover the following rules apply The AP uses the power source with the highest voltage Unplugging either cable causes power to switch automatically to the other source Placement and Orientation Make sure that the 108 Mbps Wireless AP is positioned in an upright position for airflo...

Page 41: ...us LED red or green If not check the power connections and whether or not the AC outlet has power For wired AP installations Is the Ethernet connection LED on If not check the Ethernet cable to make sure it is seated securely in both the AP and the network port Interpreting the LEDs Refer to Figure 17 and Table 7 for LED definition Figure 17 108 Mbps Wireless AP LEDs Reset Default LEDs Console por...

Page 42: ...ctivity AP STAT There are two AP status LEDs that indicate the AP status When the AP is reset or powered on the bottom LED turns red and then the top LED blinks green Once the AP successfully boots up the top LED turns green and stays green When the AP is reset to defaults the LEDs light up in the same sequence as described above If the AP has a buzzer installed two short beeps indicate that the A...

Page 43: ... the command sequence config system reset to defaults factory defaults Reset buttons on the AP This is useful if the administrative password is lost however before performing the reset make sure to have the original factory assigned AP password available Follow these steps 1 Make sure the AP is connected to power power adaptor or Power over Ethernet 2 On the side of the AP hold down both the Reset...

Page 44: ...en the web interface The factory default for administrator access is user name admin If the AP has not been initialized the user name field is grayed out The factory default password is shipped with the AP on a paper insert Use the password from the insert to log in 4 The system response at this point depends upon whether the AP has already been initialized a If the AP has been initialized the Hom...

Page 45: ...following additional functions are available Configuration of the PLANEX wireless network using secure AP enrollment and policy based configuration of APs Authentication of wireless users via built in RADIUS server and certificate based identity management system Monitoring of PLANEX network for faults configuration alerts performance and security FCAPS Upgrade of the 108 Mbps Wireless AP network ...

Page 46: ...ls If you log out prior to completing the set up process then settings are not saved Field Description AP Hostname Alphanumeric name for the AP The factory default for this field is AP followed by the MAC address of the AP s Ethernet interface eth0 Enable DHCP Assigned IP Address Checkbox that indicates whether DHCP is used to obtain an IP address If the box is cleared the static Management IP Add...

Page 47: ...tained automatically to provide complete network access The default is the DNS server for the existing network Date Current date in MM DD YYYY format Time Current time in HH MM SS format hours 0 23 Time Zone US zone or GMT option For US zone click the radio button and select a time zone For GMT click the radio button and select an offset in HH MM format Field Description SSID Name Service set iden...

Page 48: ...ctivated if WEP is selected as the security mode Enter a WEP key A WEP 64 key is 10 hex characters and a WEP 128 key is 26 hex characters required if security mode is WEP Field Description Select Radio Interface Specific radio to be configured on the AP wlan0 or wlan1 These correspond to the WLAN0 and WLAN1 LEDs on the front of the AP Select Operating Band and Mode 802 11b mode in the 2 4 GHz band...

Page 49: ...nish to complete the initialization process and bring up the AP Explorer Home panel The process takes approximately two minutes When the process is complete the Home panel opens NOTE The defaults for radio configuration have been selected for the best operational radio behavior across a variety of environments Modifying these parameters alters radio behavior which may have an impact on network per...

Page 50: ...ion is displayed in the Detail panel which takes up most of the browser window shown for the Home panel in Figure 25 The Home Panel The Home panel Figure 25 opens when you first log in to the web interface or if Home is selected from the menu tree The Home screen contains top level summary information about the AP To access detailed information click More for any of the following sections AP Summa...

Page 51: ...3 Using the Configuration Interfaces 38 Installation and Configuration Guide CQW AP108AG Figure 25 Home Panel ...

Page 52: ...fig tab opens when you choose Bootstrap Configuration is selected from the AP Quick Start menu Figure 26 Use this tab to configure addresses for the bootstrap configuration Figure 26 AP Quick Start Bootstrap Configuration IP Config This tab contains the following settings Field Description DHCP Assigned IP Address Indicate whether to use DHCP to obtain an IP address for the AP If the box is cleare...

Page 53: ...e DNS IP Address field is empty then all manually configured DNS server addresses will be removed If you delete DNS servers only those added manually are deleted DHCP assigned DNS servers continue to be available Management IP Address Maskbits Enter the IP address and subnet prefix for this AP This is required if the IP address is not obtained automatically The default is 192 168 1 254 24 Gateway ...

Page 54: ...paced APs that can support high data rates select the high density option For maximum coverage at lower data rates selection the low density option The default setting is Low Multi Domain Support Enable or disable 802 11d operation If Enable is selected the radio advertises country channel and associated maximum transmit power information in beacons and probes responses to stations or clients in t...

Page 55: ...ign Fixed Channel options Auto Select Select At Start up to automatically determine the channel when the AP is booted or Periodic to auto select the channel at the specified number of minutes The default is Periodic and 30 minutes Assign Fixed Channel Select a static channel In both of these cases the channel set used for auto scanning can also be restricted Field Description Date Current date in ...

Page 56: ...dress of the server in the space provided If an NTP is currently assigned the address of the server is displayed as shown in Figure 28 Multiple NTP servers may be specified space separated If more than one server is specified they are contacted in the order given If the Synchronize Clock is empty then all manually configured NTP servers will be deleted If the AP is configured to receive an IP addr...

Page 57: ...ion Guide CQW AP108AG Figure 30 AP Quick Start Bootstrap Configuration Admin Email Version Table The Version Table panel Figure 25 lists model number serial number and hardware and software version information Figure 31 AP Quick Start Version Table rjones acmeworks com ...

Page 58: ...For information on using portal services see Chapter 9 Managing the Network Configuration Wizards The 108 Mbps Wireless AP web interface includes wizards that enable fast configuration of user security and guest access User Security Wizard The User Security wizard provides a one stop interface for configuring user security parameters You can use the wizard to configure security or make changes to ...

Page 59: ...internal RADIUS server included in the AP or an external RADIUS server 5 Click Finish Option Description WPA EAP with AES encryption Configures the AP to work with RADIUS authentication servers The wizard prompts for selection of the internal RADIUS server included in the AP or an external RADIUS server WPA PSK Configures the AP to work with pre shared key authentication The wizard prompt for the ...

Page 60: ...To configure WPA PSK 1 In the User Security Wizard select Using WPA PSK 2 Click Next to open the next User Security wizard panel Figure 34 Figure 34 User Security Wizard WPA PSK 3 Enter the pre shared key to use for network authentication and confirm your entry 4 Click Finish ...

Page 61: ...on Guide CQW AP108AG To configure WEP 1 Select Using WEP and click Next to open the next User Security wizard panel Figure 35 Figure 35 User Security Wizard WEP 2 Select the WEP key length 3 Enter up to four WEP keys and indicate which will be the default 4 Click Finish ...

Page 62: ...ide CQW AP108AG 49 To configure open access 1 Select Open Access and click Next to open the next User Security wizard panel Figure 36 Figure 36 User Security Wizard Open Access 2 Confirm that you want to configure the AP without user security 3 Click Finish ...

Page 63: ...ecting the network from unauthorized use For a complete description of guest access rules and options see Chapter 8 Configuring Guest Access To open the Guest Access wizard Click Guest Access Wizard under AP Quick Start on the side menu The wizard Figure 37 provides options to configure an internal landing page or an external landing page for users who open a web browser while on site Figure 37 Gu...

Page 64: ...3 Enter and confirm a guest password Figure 38 The password must be from 1 to 63 characters in length and may be manually distributed to guests who visit your corporate facility Figure 38 Guest Access Wizard Internal Landing Page 4 Indicate whether the guest users will be able to access a subnet before they are authenticated as guest users If yes enter the IP address of the subnet 5 Click Next ...

Page 65: ...S includes only those that support open access Figure 39 Guest Access Wizard VLAN Entry 7 Click Finish Guest access is now configured When guests access the external landing page they follow an externally determined process to log in to the network If a subnet has been specified then guests can access the subnet even if they are not able to log in For further information about guest access or to m...

Page 66: ... web server The code must be from 1 to 63 characters in length 5 Indicate whether the guest users will be able to access a subnet before they are authenticated as guest users If yes enter the IP address of the subnet 6 Click Next 7 Select an existing VLAN in which to place authenticated guest users or create a new VLAN by entering a numeric VLAN ID and VLAN name Figure 39 on page 52 The list of ex...

Page 68: ...Performing Radio Diagnostics Introduction The 108 Mbps Wireless Access Point can be configured with one or two radios each of which forms a distinct wireless cell or basic service set BSS as shown in Figure 41 Each radio can operate in either of the following modes In normal mode the AP is connected to the wired network and the radio directly services downstream client stations or access points or...

Page 69: ...Configuration from the Wireless Services menu to open the AP Radio Configuration panel The panel contains the following tabs Global Configuration Set parameters that apply to both of the AP radios Persona Configuration Set the radio mode or persona for normal AP operation or wireless backhaul BP Menu Item Description Radio Configuration General radio parameters Advanced Configuration 802 11 mode f...

Page 70: ... configuration to prevent user actions from adversely affecting radio performance This is especially true of dual radio APs due to the proximity of the two radios If you attempt to make configuration changes that are not accepted by the AP an error message may or may not appear Consult the appropriate section in this chapter to determine which parameters are in conflict Global Configuration Use th...

Page 71: ...AP and whether or not the AP has active Ethernet connectivity If Any is selected then the 108 Mbps Wireless AP is allowed to change between wireless and wired mode based on a change in Ethernet status The Wired Only setting means that the 108 Mbps Wireless AP operates only as wired node The node is disabled if the Ethernet link is not active All radios take on the AP persona unless explicitly conf...

Page 72: ...use for scanning and the maximum radio transmit power If the country or environment is changed the following occur The channel selection setting is reset to auto select channel at startup To configure a radio on a specific channel apply the country configuration and then specify the channel using the Channel Configuration tab see Channel Configuration on page 65 The channel set configuration is se...

Page 73: ...57 161 Brazil Outdoor 5 149 153 157 161 Countries listed under the leading Europe include major European countries not explicitly listed by name in this table Europe Any 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 Europe Indoor 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 Europe Outdoor 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 Europe Any 5 100 104 108 112 116 120 124 128 132 126 140 Europe Indoor 5 36 40 44 48 52 56 60 64 10...

Page 74: ...2 3 4 5 6 7 8 9 10 11 12 13 Switzerland Outdoor 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 Switzerland Any 5 Not allowed Switzerland Indoor 5 36 40 44 48 Switzerland Outdoor 5 Not Allowed Japan Any 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Japan Indoor 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Japan Outdoor 2 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Japan Any 5 34 38 42 46 Japan Indoor 5 34 38 42 46 Japan Outdoor 5 34 38 ...

Page 75: ... 62 Installation and Configuration Guide CQW AP108AG Israel Indoor 5 36 40 44 48 52 56 60 64 149 153 157 161 Israel Outdoor 5 52 56 60 64 149 153 157 161 Table 8 World Modes continued Country Environment Band Valid Channel Numbers ...

Page 76: ...AP radio wlan0 or wlan1 Admin State of Selected Radio Enable or disable the selected radio When the AP radio is in the disabled state all valid configuration settings are saved When the AP radio is enabled the latest configuration is applied It is not possible to disable the BP radio by administrative intervention AP radio only Persona of Selected Radio Select whether the AP radio is to operate as...

Page 77: ...ettings for Network Connectivity and Persona Numberof Radios Wired Connectiona a Wired Connection means that the AP has Ethernet connectivity and that the connection is active Network Connectivity Setting Persona Setting Resulting radio persona or mode One Yes Any Any or AP AP One Yes Any BP BP Two Yes Any All combinations of Any and AP Both radios AP Two Yes Any All combinations that specify a BP...

Page 78: ...e same AP each radio operates in a different band 2 4 GHz for one radio and 5 GHz for the other Figure 44 Radio Configuration Channel Config Set the following values in the Radio Interface Selection and Channel Configuration areas of the tab Feature Description Select Radio Interface Select the AP radio wlan0 or wlan1 Channel Number Select a valid channel for radio operation or accept the Automati...

Page 79: ...econd radio in the AP If the radio is in AP mode then the node selects the best channel across both bands If the radio is in BP mode then the BP radio scans on both bands If the 108 Mbps Wireless AP is configured with two AP radios and Auto Selection is chosen for both then the preferred band configuration for both radios is System Determined If both radios are in AP mode then one operates in the ...

Page 80: ...Data Rates Enable or disable the PLANEX enhanced data rates of 72 96 and 108 Mbps This setting is rejected if the enhanced Dot11 extensions are disabled and an attempt is made to configure enhanced data rates It is recommended to accept the default of Enabled Rate Adaptation Enables or disables automatic data rate adaptation in the system To use auto adaptation select the Auto Adapt button and sel...

Page 81: ...s on the Performance tab you must enable the standard Dot 11 extensions on the 802 11 Policy tab see 802 11 Policy on page 70 Ack Mode Determines the acknowledgement policy for data packets The following selections are available Immediate Ack Acknowledgement is sent for every packet received This is the default setting No Ack No acknowledgement is sent when data packets are received To enable high...

Page 82: ...Selecting 802 11g only keeps 802 11b stations from degrading BSS performance 802 11b and g is the default setting Multi Vendor STA Admission Criteria Multi Vendor Station Accept allows all stations to associate Reject restricts association to compatible client stations excluding non compatible or non PLANEX stations Backhaul Admission Criteria Accept Association From Indicates whether to accept as...

Page 83: ...AC configuration for each radio To configure settings on these tabs select each in sequence or step through the tabs using the Go links at the bottom of the panel Figure 47 802 11 Policy Use the 802 11 tab Figure 47 to set the 802 11 modes and data rates for each AP radio Figure 47 Advanced Configuration 802 11 Policy Set the following values on this panel Feature Description Select Radio Interfac...

Page 84: ... flag needs to be set Proprietary burst ack Advanced rate adaptation Wireless backhaul AP name in beacon if not enabled the AP name in beacon is suppressed 802 11G Protection Select to enable 802 11g protection mode short slot time and short preamble if the radio is operating in 802 11g mode If the checkbox is selected all 3 aspects are enabled if not all 3 aspects are disabled The default setting...

Page 85: ... 48 under special circumstances if it is necessary to tune low level operational parameters of the radio MAC Medium Access Control layer Figure 48 MAC Configuration Tab NOTE Changes on the MAC Configuration tab should only be made by trained network personnel The AP radio restarts automatically when these parameter changes are applied ...

Page 86: ...nds It is recommended to accept the default of 100 ms required DTIM Delivery Traffic Indication Message Period Enter the interval between the times that the radio forwards multicast and broadcast packets to client stations It is recommended to accept the default of 1 beacon period required Fragmentation Threshold Enter the maximum packet size that can be transmitted as a single unit A low setting...

Page 87: ...etween radios This tab contains the following information Field Description Radio Persona Mode of the radio AP or BP Radio MAC Address MAC address of radio Radio Admin State Administrative status of the radio enabled or disabled Radio Operation State Operational status of the radio enabled or disabled Operating Band Current band of operation ...

Page 88: ...for class of service mapping Load Balanced Number of stations that are load balanced AP persona only CFP Period Number of DTIM intervals between the start of Contention Free Periods CFPs CFP Max Duration Maximum duration of the CFP in time units that may be generated by the AP Privacy Option Implemented Security setting Basic Rate Set Set of basic rates for BSS AP persona only Operational Rate Set...

Page 89: ...llowing information Field Description Transmitted Fragment Count Number of transmitted fragments MAC Protocol Data Units that have been acknowledged since last power up or last Clear Statistics request Transmitted Multicast Frame Count Number of transmitted multicast frames MAC Service Data Units Failed Count Count of MSDU not transmitted successfully due to the number of transmit attempts exceedi...

Page 90: ...duplicate frame Ack Failure Count Count of expected acks not received RTS Success Count Count of successful CTS received in response to a RTS RTS Fail Count Count of RTS for which a CTS response is not received Transmitted Frame Count Count for successfully transmitted MSDUs WEP Undecryptable Count Number of times a frame is received with the WEP subfield of the Frame Control field set to one and ...

Page 91: ...e The AP radio wlan0 or wlan1 BSSID The MAC address of the neighboring AP radio which determines the BSS SSID The name of the network ESS in which the AP is operating BSS Type Infrastructure or ad hoc network arrangement Channel Current channel of operation for the neighboring BSS AP Beacon Name Name of the neighboring AP in the beacon frame Compatibility Status Indication of whether or not the ne...

Page 92: ...Ps each advertising the same Corporate SSID Figure 52 Example Corporate Network Each 108 Mbps Wireless AP is shipped with a default SSID which must be replaced during the bootstrap process see Using AP Quick Start to Initialize the Access Point on page 31 or from the SSID Configuration panel as explained in this section Multiple SSIDs are also supported Multiple SSIDs on page 86 explains how to en...

Page 93: ...ation panels you can define service profiles for user groups and then bind the profiles to the SSID A user who requests access to the network is authenticated and placed into the appropriate user group and the AP software automatically applies the privileges and restrictions defined in the service profile for that group Each user group can be assigned to just one service profile but multiple group...

Page 94: ...d in the Backhaul Configuration Link Criteria tab see Chapter 6 Max stations The maximum number of stations that can be associated to this SSID on this AP The range is 1 512 If the maximum number of stations is reached and a new client tries to associate to the AP the association attempt is rejected Association is also rejected if the number of clients is less than the maximum but exceeds the numb...

Page 95: ...multiple SSID is enabled 1 Click Add and enter the following information SSID name This name is used only by the radio in AP mode For a radio in backhaul point mode enter the SSID name in the Backhaul Configuration Link Criteria tab see Chapter 6 Max Number of Stations Enter a maximum number of clients stations if desired The range of values is 1 512 If the maximum number of stations is reached an...

Page 96: ...cription User Group User group linked to the service profile If this entry is empty the user group is null The null user group is automatically assigned to the default service profile unless it is explicitly bound to another service profile RADIUS authentication must be active in order for user groups to be effective The user group for a given client is passed to the AP as a RADIUS attribute for e...

Page 97: ...RADIUS group names to associate with the profile or select New Group and enter a new user group name 4 Click Apply Change service profile binding 1 Select the checkbox for the user group and profile and click Modify to open the Bind Service Profile to SSID entry panel Figure 56 in modify mode 2 Select a profile to bind to the SSID or click Add New Profile to create a new profile according to the i...

Page 98: ...y enforcement VLAN ID and COS value Binding a service profile to an SSID determines the privileges and restrictions that apply to user groups associated with the profile Figure 57 SSID Configuration Profile Table NOTE Changes made to SSID or service profiles cause affected users to be automatically disassociated from the AP The AP then attempts to reassociate them automatically This causes a momen...

Page 99: ... is 0 7 For more information see Configuring Quality of Service on page 113 5 Select an enforcement level for data encryption to apply to the profile This setting provides fine grained security options at the user group level Default enforcement refers to the encryption settings that prevail in the network at large The security enforcement applies after authentication is complete 6 Enter a descrip...

Page 100: ...o associate with the 108 Mbps Wireless AP configured for multiple SSIDs a profile for each target SSID must be created on the client workstation using the Windows Zero Config WZC Add function or the PLANEX Client Utility Create function Figure 59 SSID Configuration Multiple SSID Managing Client Stations Select Station Management from the Wireless Services menu to open the Station Associations pane...

Page 101: ...ddress MAC address of the client station User Name User name assigned through the RADIUS server If MAC ACL is used then the user name is the MAC address of the client station Encryption Type of encryption used by client station AES TKIP WEP or no encryption Authentication Type of authentication used by the client station Open Shared Key EAP or MAC ACL SSID SSID to which the client station is assoc...

Page 102: ...ation from the Station Associations table and click Link Stats to display the following information Item Description Disassociate Detach the station from the AP and remove station related information Link Stats Display information about the link strength and quality between the AP and station Security Stats Display current security statistics Field Description Station MAC address The MAC address t...

Page 103: ...ate Average downlink data rate on uplink Mbps Received Bytes Bytes received from the station Transmitted Bytes Bytes transmitted to station Transmitted Fragments Count of transmitted MPDUs Failed Transmitted Packets Number of MSDUs that were not transmitted successfully since retries exceeded short or long retry limit Single Retry Packets Number of packets that were successfully transmitted after ...

Page 104: ...g notifications sent and received move notification and response details and details on Intra AP moves Field Description Station MAC address The MAC address that identifies the station Auth Type Authentication used by station Open Shared key EAP or MAC ACL Encryption Encryption used by station AES TKIP WEP or open access AES Transmitted Blocks Number of AES transmitted blocks Valid only if encrypt...

Page 105: ...iscovery and communicate with other APs Click Apply to save changes Figure 63 IAPP Configuration IAPP Service IAPP Topology The read only IAPP Topology tab Figure 64 displays information about all the neighboring APs this AP has discovered including the BSSID IP address and Compatibility whether the IAPP protocol can be established with the neighboring AP Figure 64 IAPP Configuration IAPP Topology...

Page 106: ...t domain Move Notifications Sent Number of move notifications sent to other APs where the stations were previously associated Move Notifications Received Number of move notifications received from other APs to which the stations are currently associated Move Responses Sent Number of move responses sent to other APs when stations have reassociated with the other APs Move Responses Received Number o...

Page 107: ...bs Link Test Test the radio link between the AP and a client station Walk Test Advanced parameters regarding rate and range performance testing Move Response Failures Sent Number of move responses with a FAILURE status sent to other APs during the station reassociating process Move Response Failures Received Number of move responses with a FAILURE status received from other APs during the station ...

Page 108: ...ink Test The Link Test tab includes the following information for each defined link test Field Description Interface Select the AP radio Station MAC Select the MAC address of the station included in the link test Packet Size Specify the size of each link packet in bytes Duration Period during which the test runs Average Interval Sampling interval Status Current status of the link test Cl...

Page 109: ...y momentary glitches in the wireless link Generate traffic such as ping traffic to the station when performing the link test If rate adaptation is active this helps the uplink and downlink data rates settle at the maximum sustainable rates for that link A maximum of 10 link tests can be active on an AP at one time The collected link test data is retained even after the link test is retained until ...

Page 110: ...th Strength of the signal sent from the AP to the client station percentage Uplink signal strength Strength of the signal sent from the client station to the AP percentage Downlink signal quality Quality of the signal sent from the AP to the client station percentage Uplink signal quality Quality of the signal sent from the client station to the AP percentage Downlink data rate Transmission rate f...

Page 111: ...Parameter Parameter Description Range Units WNI_CFG_CURRENT_TX_ANTENNA of TX chains 1 to 2 WNI_CFG_CURRENT_RX_ANTENNA of RX chains 1 to 3 WNI_CFG_DEFER_THRESHOLD Packet Detection Threshold 0 254 dBm 130 WNI_CFG_ACK_TIMEOUT_11A Ack Timeout 802 11a 0 100 Micro seconds WNI_CFG_ACK_TIMEOUT_11B Ack Timeout 802 11b 0 100 Micro seconds WNI_CFG_MAX_ACK_RATE_11A Max Ack Rate 802 11a MAC rate encoding Rate ...

Page 112: ...I_CFG_CWMIN_0_11B Min Contention Window Size for 802 11b TC0 0 1023 slots WNI_CFG_CWMIN_0_11G Min Contention Window Size for 802 11g TC0 0 1023 slots WNI_CFG_CWMAX_0_11A Max Contention Window Size for 802 11a TC0 0 1023 slots WNI_CFG_CWMAX_0_11B Max Contention Window Size for 802 11b TC0 0 1023 slots WNI_CFG_CWMAX_0_11G Max Contention Window Size for 802 11g TC0 0 1023 slots WNI_CFG_PROXIMITY Used...

Page 114: ...vices menu assign interfaces define quality of service configure VLANs and define packet filters Statistics are also available to monitor network activity Interfaces Figure 70 illustrates the physical and logical elements of a PLANEX wireless network Each 108 Mbps Wireless Access Point has virtual interfaces that correspond to specific communications functions as listed in Table 10 The interfaces...

Page 115: ...g from the Networking Services menu to open the Bridge STP tab Figure 71 The tab displays how bridging is currently configured and lists the interfaces and MAC addresses Table 10 AP Interfaces Interface Description eth0 Wired Ethernet interface wlan0 Wireless interface radio 0 wlan1 Wireless interface radio 1 wlan0 tkx Backhaul x created on wlan0 Each radio can support multiple backhauls wlan1 tkx...

Page 116: ...sed for the Spanning Tree Protocol see Spanning Tree Protocol STP on page 103 The Bridge table on the Summary tab lists each bridge and its associated interfaces or ports The Bridge Forwarding table located at the bottom of the panel lists each bridge and interface and specifies which MAC addresses are learned at the interface Spanning Tree Protocol STP The Summary tab also provides an option for ...

Page 117: ...atistics to return the collected values to zero and start collecting statistics again Figure 72 Bridge Configuration Bridge Stats ARP Table The Address Resolution Protocol ARP tab Figure 73 displays the current mapping of IP addresses to MAC addresses associated with the listed interface During normal operations the ARP table is updated automatically based on the number of MAC entities in the netw...

Page 118: ...e 73 to explicitly address subnets that are not local If a destination subnet is not entered into this panel then default network routing applies Figure 74 IP Routing The Route table shows the static route entries currently configured on the AP and bound to bridging interfaces To create a new route click Add enter the following information and click Save Field Description Destination IP Enter the ...

Page 119: ... Gateway IP Enter the IP address of the gateway that will route traffic between this AP and the destination subnet Interface Name Enter the name of the bridging interface Use the br prefix as described in Configuring Bridging Services on page 102 ...

Page 120: ...ransparent to normal corporate users Figure 75 Example Use of VLANs to Manage Enterprise Traffic The 108 Mbps Wireless AP supports up to 16 VLANs including the default VLAN Use the VLAN Configuration panel accessible from the Networking Services menu to add new VLANs and map VLANs to specific AP interfaces The VLAN panel contains a list of users assigned to user VLANs to make user VLAN assignments...

Page 121: ...ier for the VLAN In bridging notation this is the numeric ID that follows the br prefix Name Alphanumeric name of the VLAN The field is optional unless it is the default VLAN The maximum length of VLAN Name is 80 characters IP Address The IP address and subnet prefix assigned to the VLAN Assigning an IP address enables the VLAN to be managed from this AP Management VLAN Indication of whether this ...

Page 122: ...n it is sent on a tagged interface If the received packet is untagged the packet is classified as belonging to the interface VLAN If the VLAN interface is not tagged then the AP drops any VLAN tagged packet When the packet is transmitted from the interface it is untagged Field Description VLAN Name Enter an alphanumeric name for the VLAN The maximum length of VLAN name is 80 characters optional...

Page 123: ...rface to the specified VLAN User VLAN The read only User VLAN tab Figure 79 lists the client stations mapped to each VLAN by way of bound service profiles The tab contains the following information See Configuring SSID Parameters on page 79 for information on service profiles Field Description Select Interface Select the AP interface VLAN ID Enter the VLAN ID required Default Select to assign this...

Page 124: ...Figure 79 VLAN User VLAN ...

Page 125: ...ovides a summary of transmit receive statistics for each VLAN The statistics are calculated from the last time that the AP was rebooted or the Clear Statistics button was selected Click Refresh to update the statistics or Clear Statistics to return the collected values to zero and start collecting statistics again Figure 80 VLAN Stats ...

Page 126: ...fferent traffic types but does assure that high COS traffic will be given preference For example when Acme Works wanted to set up a video conference center it was important to provide a higher quality of service for the video conference application The company accordingly set up a structure of multiple SSIDs in which a higher COS value was assigned to the service profile for the Video SSID Figure ...

Page 127: ...rity to the 802 11 packets leaving the AP QOS Stats Display QoS statistics for each of the AP interfaces IP Precedence Defines a mapping based on the first 3 bits in the Type of Service TOS byte of the IP header Incoming packets that have an IP Precedence value can be mapped to COS DiffServ Code point DSCP to COS Defines a mapping based on the first 6 bits in the TOS byte of the IP header Incoming...

Page 128: ...COS values to incoming 802 11 packets If a packet has a COS value in the VLAN tag when it arrives at the AP then its COS value is honored by the AP If the packet is not VLAN tagged then it can be classified at the ingress interface by way of a COS map defined on the Ingress QOS tab Figure 82 Figure 82 QOS Configuration Ingress QOS ...

Page 129: ...maps to 7 If your network supports fewer than 8 priority levels you can map multiple COS levels to a single TCID value Figure 83 QOS Configuration Egress COS Function Steps Define TCID to COS mapping 1 Select the radio interface for the mapping 2 Select a COS value for each TCID value or select Default to accept the default mapping 3 Click Apply Define VLAN to COS mapping 1 Click Add 2 Select the ...

Page 130: ...k Clear Statistics to return the values to zero and restart the collection process Figure 84 QOS Configuration QOS Stats Configuring Advanced QoS Use the Advanced QoS panel to assign COS values to packets entering the AP based on IP layer information and choose the QoS class order The panel contains the following tabs Class Order Determine the order in which to apply all the QoS rules IP DSCP Defi...

Page 131: ...acket If not the AP checks whether a mapping exists for the second rule If so that mapping is applied If not the AP continues down the class order list The default class order is TCID IP Protocol DSCP IP Precedence MAC VLAN Interface Figure 85 Advanced QOS Configuration Class Order Configure the following fields on the Class Order tab Field Description Select Radio Interface Select the AP interfac...

Page 132: ... all the changes on the tab IP DSCP Use the IP DSCP tab Figure 86 to map DiffServ Code point DSCP values to COS and to view the current DSCP to COS maps DSCP uses the first 6 bits in the TOS byte of the IP header so the possible values range from 0 to 63 Figure 86 Advanced QOS Configuration IP DSCP ...

Page 133: ... www iana org Figure 87 Advanced QOS Configuration IP Protocol Configure the following fields to define the IP Protocol to COS map Click Apply to save all the changes on the tab Field Description Select Radio Interface Select the AP interface Default Select to use the default mapping DSCP String If Default is not chosen enter up to eight DSCP values that you want to map to a specific COS value COS...

Page 134: ...ng load on the wireless side of the network The panel contains the following tabs Filter Table View currently defined packet filters and add or edit filters Filter Stats View counts of packets that match the filter criteria Filter Table Choose Filter Configuration from the Networking Services menu to open the Filter Table tab Figure 89 By default an incoming and outgoing filter is defined for each...

Page 135: ...cription Interface Name If creating a new filter select an interface from the pull down list Filter Direction Specify whether the filter is for incoming ingress or outgoing egress communications It is necessary to create a separate filter for each Accept Discard Indicate whether the filtering rule is to accept or discard the packet Select Match Indicate if the filter rule is satisfied when a packe...

Page 136: ...the interface with the defined filter Click Refresh to update the statistics or Clear Statistics to return the collected values to zero and start collecting statistics again Figure 91 Filter Configuration Stats Tab Configuring Interfaces Use the Interface Configuration panel accessible from the Networking Services menu to configure the physical AP interfaces wlan0 wlan1 eth0 The panel contains the...

Page 137: ... IP address assigned to an interface by selecting the interface entry and clicking Enable Disable or Delete IP To assign an IP address to an interface enter the following values under IP Address Configuration and click Apply Use the Encapsulation Configuration section at the bottom of the tab to ensure that the AP can operate with older equipment that is not fully 802 11 compatible 802 1h is the c...

Page 138: ...ndard protocol used to manage interactions with the 108 Mbps Wireless APs The protocol works through message passing between SNMP managers and agents which are devices that comply with the SNMP protocol The information of interest to the SNMP manager is stored in the agents management information bases MIBs and sent to the SNMP manager upon request SNMP communities restrict access to the MIBs to a...

Page 139: ...panel contains a table of currently defined traps To delete a trap select it in the SNMP Agent Table and click Delete Field Description Community String Enter the alphanumeric community string required Community Read Write Status Indicate the read or read write status of the community Trap Sink IP Address Enter the IP address where SNMP traps should be sent required Trap Community Enter the commun...

Page 140: ...Ping Test Use the Ping Test panel to execute an ICMP Echo Request to check network connectivity to a remote IP host Enter the hostname or IP address of the remote host Figure 95 shows the Ping Test panel with test results presented Figure 95 Ping Test ...

Page 142: ...relay wireless signals from clients to the APs that are connected to the wired network Wireless backhaul interconnects multiple 108 Mbps Wireless Access Points to form a wireless distribution system in which an 802 11x network covers large areas such as a campus or open area with relatively few wired access points Figure 96 Figure 96 Wireless Backhaul Network Applications of wireless backhaul incl...

Page 143: ...twork or an access point explicitly configured in the BP mode tries to establish a wireless trunk connection to another access point A succession of trunks established between access points provides a path from client stations through the wireless network to the wired network If a trunk connection fails or a backhaul link goes down then the access point that established the trunk re scans the wire...

Page 144: ...Ps to use for the uplink Trunk Table View the list of current backhaul trunks Trunk Stats View statistics for the backhaul trunks Link Criteria Use the Link Criteria tab Figure 97 to set up the network parameters for the wireless backhaul These parameters specify the rules that apply to the backhaul point BP radios which form uplink backhaul trunks by associating to normal radios AP These rules ar...

Page 145: ...riteria Choose the criterion for selecting the best wireless backhaul route from the following three options Lowest Weighted Cost Candidate parent APs are selected in ascending order of path cost The candidate parent with lowest path cost to the wired network is the one with highest priority Path cost is a cumulative metric in which each hop contributes to the path cost value The calculation facto...

Page 146: ...le of uplink candidate APs shows the following information If no uplink candidate APs are available the table is empty Trunk Table Select the Trunk Table tab Figure 99 to view the list of current backhaul trunks The backhaul is established if the MAC address of the backhaul trunk is listed in the table Figure 99 Backhaul Configuration Trunk Table Feature Description Interface Radio interface of up...

Page 147: ... to uplink and downlink trunks For the uplink trunk the band is the operating band of the BP radio For downlink trunks the band is the operating band of the AP radio Trunk Dest MAC MAC address BSSID of the remote backhaul destination For Uplink trunks this is the MAC address of the parent AP for downlink trunks it is the MAC address of the BPs children associated with the AP radio Applies to uplin...

Page 148: ...ick Clear Statistics to return the counts in this tab to zero and begin collecting statistics again Tx Bytes Number of packets transmitted by this AP Tx Packets Number of packets transmitted by this AP Rx Multicast Packets Number of multicast packets received by this AP Field Description ...

Page 150: ...ord to fully verify the identity of the AP By clearly identifying which APs belong to the authorized set the enrollment process can also help identify unauthorized or rogue APs Administrator security authorizes designated users to access the configuration and management capabilities of the AP using HTTPS SSH or SNMPv3 for the web interface CLI or network management system User security encompasses...

Page 151: ...Management Software network management system offered as a separate product operates as a complete enrollment solution for the enterprise In addition to supporting manual AP enrollment Wireless LAN Network Management Software includes automatic AP pre enrollment by way of a bar code reader interface For information on using Wireless LAN Network Management Software see the Wireless LAN Network Mana...

Page 152: ...hod based on the TLS protocol The RADIUS security services within the 108 Mbps Wireless AP provide EAP TLS for user authentication PLANEX also supports integration with RADIUS servers that support EAP TLS or EAP PEAP In addition to the EAP based authentication methods PLANEX supports WEP based encryption for legacy clients PLANEX also supports the option of no user authentication Data Encryption T...

Page 153: ...y Services menu to configure the protocols for data encryption and user authentication The Wireless Security panel contains two tabs Security Mode Configure WPA WEP or open encryption and authentication SSID Auth Identify the authentication server for the SSID Security Mode Use the Security Mode tab Figure 102 to assign the encryption and authentication methods including WPA WEP or Open Allowing m...

Page 154: ...y to save the configuration or Reset to return to the previously saved values WPA provides strong encryption support with the AES and TKIP algorithms Field Description WPA Security Mode WPA EAP For RADIUS based networking keying WPA PSK For pre shared keys Encryption Type AES TKIP AES and TKIP NOTE Some early versions of WPA capable client software may not permit a client to associate to the AP wh...

Page 155: ...ess AP security portal or an external RADIUS server Each SSID can be configured with the RADIUS servers used for EAP authentication and the WPA pre shared key if applicable MAC ACL lookups can be enabled for clients that associate with WPA PSK manual WEP keys or with no security MAC ACL is not applicable if per user authentication is done where user name is available NOTE Selecting WPA EAP or WPA ...

Page 156: ...ect from the SSID pull down list Click SSID Details to view more SSID related information enable multiple SSIDs or change other SSID attributes WPA Pre Shared Key Enter the pre shared key for WPA if appropriate This field is grayed out if WPA PSK is not the selected authentication type Authentication Server Configuration Select the Security Portal or External Authentication Server radio button For...

Page 157: ...teroperability 2 The RADIUS server can use these attributes to enforce policies such that EAP based authentication is mandatory for Wireless 3 The RADIUS server may optionally send back the Session Timeout attribute to override the AP default session timeout Attribute Description User Name MAC address User Password MAC address Message Authenticator RADIUS extension providing enhanced authenticatio...

Page 158: ...servers Configure the servers first and then include them in zones The Authentication Zone panel contains two tabs Auth Zones Define zones for RADIUS authentication Auth Servers Add RADIUS servers Authentication Zones On the Authentication Zones tab Figure 104 you can create new authentication zones or modify existing ones Select check boxes for authentication zones you want to modify or delete or...

Page 159: ...ntication Servers Open the Authentication Servers tab Figure 106 to view the current authentication servers and add or delete servers This table shows the list of both internal security portals and external auth servers The servers that do not have a check box against them are security portals Figure 106 Authentication Zones Auth Servers Configuring Administrator Security Choose Administrator Secu...

Page 160: ...dministrative to indicate that the user to be authenticated has requested access to an administrative interface on the AP If the user authentication is successful the RADIUS server must send back a PLANEX vendor specific attribute defined as follows vendor id 13586 vendor sub type 3 integer value 1 Field Description Change Local Admin Password Enter the old password and the new password and confi...

Page 161: ...lected AP radio Suppl Stats Supplicant Statistics View statistics on 802 1x requests for each selected BP radio Auth Diag View authentication diagnostics statistics including back end data Each of the tabs includes a Reset button to return the statistics to zero and begin collecting them again Authentication Statistics The Authentication Statistics tab Figure 108 contains EAPOL statistics which co...

Page 162: ...POL based EAP Response ID frames received by the AP This count increments as stations or BPs present their user id or device id information to the AP at the start of the authentication sequence RX EAPOL Response The total number of EAPOL based EAP Response frames received by the AP that do not contain an EAP Response ID This count increments as the AP receives authentication credentials derived fr...

Page 163: ...by the BP RX EAPOL Request ID The total number of EAPOL based EAP Request ID frames received by this BP This count increments as the AP sends authentication frames to the BP requesting it to its device id information at the very start of the authentication sequence RX EAPOL Request The total number of EAPOL based EAP Request frames received by the BP that do not contain an EAP Request ID This coun...

Page 164: ...he BP This count will not increment as the BP does not send this 802.1x frame for security reasons TX EAPOL Response ID The total number of EAPOL based EAP Response ID frames transmitted by this BP This count increments as the BP sends authentication frames to the AP with its device id information at the very start of the authentication sequence TX EAPOL Response The total number of EAPOL based EA...

Page 165: ...uthentication packets that contained an ACCESS ACCEPT These are sent by the RADIUS server when the authentication sequence succeeds Auth Failures The total number of RADIUS authentication packets that contained an ACCESS REJECT These are sent by the RADIUS server when the authentication sequence fails Field Description Field Description Session Timeout Time in seconds after which a station is re a...

Page 166: ... the entries on the panel to their previous values RADIUS Retries Number of retransmit attempts after which the RADIUS request is marked a failure External RADIUS Group Key Attribute for User Group ID RADIUS attribute used by the AP to determine the user group see SSID Details on page 83 When a wireless user is authenticated by a RADIUS server the server can optionally send the AP the User Group f...

Page 168: ...directed to a controlled landing page the captive portal The landing page allows the guest user to login using a web based password scheme The page can inform unauthenticated users of the network access policies and provide instructions on obtaining the guest password Following successful authentication the guest user is released from the captive pages and allowed to access any resource on the gue...

Page 169: ...rd is acceptable the guest user is authenticated and receives the privileges specified in the guest service profile Figure 112 shows how Acme Works configured guest access with an internal guest landing page The company has two VLANs Corporate and Guest Corporate and guest users belong to the Enterprise and Guest user groups respectively with appropriate service profiles assigned and bound to the ...

Page 170: ...ccessful or unsuccessful guest authentication 1 Figure 113 shows a network configuration with an external guest landing page The external landing page is made accessible over the Internet through an external web server As in the previous example authenticated guest users are given access to the guest VLAN Figure 113 Guest Access External Landing Page 1 An example external landing page is shipped w...

Page 171: ...s A Guest Access wizard is also available for easy configuration of the major guest access parameters See Guest Access Wizard on page 50 for instructions on using the Guest Access wizard Internet VLAN Switch Open Subnet Open Subnet Address Range No Direct Internet Access Until Authenticated GUEST VLAN A0035B Open Access Server User Group GUEST Task Steps Confirm that open access is supported as a ...

Page 172: ... address and maskbits of the captive portal server or select the DHCP option 5 Select the eth0 interface and mark it as tagged Only eth0 should be tagged 6 Click Add For additional information on configuring VLANS see Configuring VLANs on page 107 Create or confirm definition of a corporate service profile 1 Choose SSID Configuration from the Wireless Services menu to open the SSID table SSIDs and...

Page 173: ...ecret code which is the shared secret code for communication between the AP and web server 5 Click Apply For the internal landing page set a guest password for an external landing page use the RADIUS shared secret code 1 If Internal is selected as the landing page type click Security to enter the guest password 2 Enter and confirm the password and then click Apply Set up optional auto generation o...

Page 174: ...ired enter the address and maskbits for a subnet optionally reserved for unauthenticated guest access 5 Select an internal or external landing page If the external page is selected enter the full URL and the shared secret code used for communicating with the RADIUS server 6 Click Apply Modify an entry 1 Select the entry you wish to modify and click Modify 2 Confirm the SSID 3 Select the service pr...

Page 175: ...Security The Security tab of the Guest Access Configuration panel Figure 116 provides an interface to set the guest password for an internal landing page Figure 116 Guest Access Configuration Security Delete an entry 6 Select the entry and click Delete 7 Click OK to confirm Function Description ...

Page 176: ...nfiguration Guide CQW AP108AG 163 Auto Generating Guest Passwords For optional generation of guest passwords automatically at set intervals use the Guest User tab within the security area of NM Portal Figure 117 Figure 117 Security Portal Guest User ...

Page 178: ...ement PLANEX offers the unique advantage of a network management capability built into the 108 Mbps Wireless Access Point When configured as an NM Portal the 108 Mbps Wireless AP can provide network management services for up to five subnetworks For small to mid size networks this eliminates the need for an external network management application For mid to large size enterprise networks NM Portal...

Page 179: ...browser window Figure 118 Figure 118 NM Portal Web Interface This interface is similar to that of the standard 108 Mbps Wireless AP web interface The menu tree on the left contains a set of menus to access application features Use the detail panels on the right to set the configuration and monitor the state of the network The alarm panel in the lower left portion of the window shows the number of ...

Page 180: ...ortal and the other managed 108 Mbps Wireless APs Each access point must trust the identity of the NM Portal AP and the NM Portal must trust that each access point is fully authenticated Figure 119 Enrollment is the process used to establish this mutual trust The process consists of several steps NM Portal automatically discovers all the 108 Mbps Wireless Access Points and presents those that are ...

Page 181: ...68 Installation and Configuration Guide CQW AP108AG Figure 119 AP Enrollment Figure 120 Network Topology AP Enrollment Not Enrolled A0028A NM Portal Manage and Monitor the Network Other APs Enrollment Portal Verify AP Identity ...

Page 182: ...en the web interface for the AP and reset it to the factory default configuration 2 After verifying the information on the panel Table 13 enter the correct password and click Enroll It takes a couple of minutes to enroll the AP Delete an AP Select an AP and click Delete to remove it from the list Refresh Click to update the display Rediscover Now Scan the network to discover APs and update the Not...

Page 183: ...l Topology panel in NM Portal to view all the backhaul paths defined for the network Choose Backhaul Topology from the Network Topology menu to display this information Figure 123 NOTE If DHCP is used for address assignment for enrolled 108 Mbps Wireless APs the AP address may change periodically When that occurs there is no interruption to service and all security credentials remain intact Functi...

Page 184: ...plink backhaul trunk The Source AP link opens the web interface for the AP in a new browser window Source Radio MAC address of the radio used for the uplink wlan0 or wlan1 Destination AP MAC address of the radio that ends the backhaul trunk Destination Radio Radio used for the destination wlan0 or wlan1 Retrunk Count The number of times a functioning backhaul radio reestablishes a trunk A new back...

Page 185: ...overy process and required for AP enrollment The device ID is included in the paperwork shipped with the AP Operation State Indication of whether the AP can be reached from the NM Portal AP The operation state is updated once every 5 minutes MAC Address MAC addresses assigned to each of the AP radios The address of the wlan0 radio is listed first and the wlan1 radio is listed second Auto Manual In...

Page 186: ...overed Radio table Figure 125 accessible from the Discovered Radios item under Network Topology menu in the menu tree Use the Discovered Radios list to characterize the wireless network neighborhood and detect possible rogue APs Portal Services Indication of which portal services are configured on the AP enrollment and security Possible values Factory Default AP has not yet been enrolled or bootst...

Page 187: ...ted on a previous scan but not the most recent one Time Reported The time of the last scan that detected the AP Time Discovered The time of day that the presence of the device was discovered by the reporting AP Class Indication of whether the discovered node is just a Radio Neighbor or a Radio and IP Neighbor Radio and IP neighbors are part of the internal network they are reachable by way of IP a...

Page 188: ...ing AP be able to determine the IP address of the discovered AP through an IP SNMP connectivity check and establish IP level communications with it NM Portal then performs a series of consistency checks and certification to determine whether the AP is a recognized part of the network After an AP is successfully discovered and authenticated the system checks to see whether it is enrolled and places...

Page 189: ...mation for each unclassified AP Figure 126 IP Rogue AP Unclassified Field Description Device ID Unique identifier for the AP Node Name Name of the AP advertised in the beacon frame Rejection Reason Failure that prevented the AP from passing authentication Time Discovered Time of the last IP scan that detected the AP This value is updated each time the AP is detected Thumbprint Factory generated id...

Page 190: ...base and presented on the Classified tab Figure 128 This information is retained upon AP reboot Delete an AP from the rogue list Click Delete and click OK to confirm If an AP is deleted from the list and then discovered in a subsequent scan it is added to the list again Delete from the list all APs classified as IP rogues Click Delete all IP Unclassified Rogues and click OK to confirm Field Descri...

Page 191: ...m the Rogue AP menu to open the table of unclassified wireless rogue APs This panel Figure 129 lists the following information for each IP rogue Field Description MAC Address MAC address of the unclassified rogue AP Reporting AP The device ID of the AP or APs that identified the rogue AP If this field is empty that means that the rogue device was detected in a previous scan but not in the most rec...

Page 192: ...assify the AP as known within your wireless network Select Neighbor Network to classify the AP as known in a neighboring network 4 Click Apply The AP is now classified The classification information is retained in the NM Portal database and presented on the Classified tab Figure 131 This information is retained upon AP reboot Delete an AP from the rogue list Click Delete and click OK to confirm If...

Page 193: ...signated as known through wireless classification It contains the following information for each AP Figure 131 Wireless Rogue AP Classified Field Description MAC Address Name of the detected AP by default the MAC address Reporting AP IP address of the AP that reported the detected AP Detection Time Time of the scan that last detected the AP Class Category used to classify the AP ...

Page 194: ...n to the network of enrolled APs The panel contains the following tabs Policy Table View existing policies Define Policy Specify a policy for bootstrapping other APs in the network Distribute Policy Send a policy to other APs in the network Policy Table The policy table Figure 132 lists policies that exist on this AP and are available for distribution to the network of enrolled APs Figure 132 NM S...

Page 195: ...pushed automatically to newly enrolled APs Use the Define Policy tab Figure 134 to choose the default policy Perform the following functions from this tab NOTE The Portal AP requires two radios in order to construct a default policy for 2 radio APs Function Description Generate a default policy from a pre defined policy Select a policy from the pull down list and click Apply Not currently supporte...

Page 196: ...istribute Policy tab Figure 135 to direct how policies are shared across the network Figure 135 NM Services Policy Management Distribute Policy Configure the following fields on this tab Field Description Select Policy to Distribute Select an existing policy from the pull down list Select All Policies to Distribute Select to distribute all the existing policies ...

Page 197: ...y to specified subnetworks or IP address ranges Rogue AP Enable or disable rogue AP discovery Configuration Select Network Discovery from the NM Services menu to open the Configuration panel Figure 136 Figure 136 NM Services Discovery Configuration Configure the following values on this tab Target AP Name Select the APs to receive the policy or policies or select Target AP Name to distribute to al...

Page 198: ...scovery Limit Restrict discovery to a number of APs Once this limit is reached the discovery process stops The range is 1-50; the default is 50 APs AP IP Address Specify the IP address of an AP that you want to manage but which is not part of the managed subnetwork specified in the discovery scope APs added to the managed network this way are termed manually added and can be managed by NM Portal Th...

Page 199: ...ery of rogue access points The default is Enabled Click Apply to save the setting If enabled NM Portal automatically scans the network to detect IP and wireless rogue access points For more information see Managing Rogue Access Points on page 175 Field Description Discovery Scope Enter the IP address of the subnet that you want to discover Discovery Scope Subnet Maskbits Enter the subnet prefix le...

Page 200: ...discovered and permits addition of a standby security portal to ensure that the wireless user authentication service remains available even if the NM Portal AP temporarily loses its connection The panel contains two tabs Portal Table Add a redundant security portal and synchronize the portal databases Secure Backup Use https to perform a secure backup of the NM Portal AP configuration Portal Backu...

Page 201: ...P can be configured to be a redundant security portal Portal Table View the list of currently identified NM Portal APs The listing includes the IP address of the AP its device ID and whether the AP is currently enrolled To delete an entry from the table select the radio button to the left of the entry and click Delete All Portals shown in this table as unenrolled are currently not managed by this ...

Page 202: ...etween the portals The sync frequency represents the interval in minutes at which NM Portal cross checks the portals in the network to make sure their databases are synchronized with the NM Portal database Click Apply to save the settings or click Reset to return to the default values autonomous selected period 5 minutes It is recommended to accept the default value to make sure that synchronization t...

Page 203: ...required Figure 141 NM Services Portal Configuration Backup Restore Configuring the DHCP Server NM Portal includes an internal DHCP server which can be activated to support IP address assignments in the network if a DHCP server is not in place Choose DHCP from the NM Services menu to open the DHCP panel The panel contains four tabs DHCP Options Activate and configure the DHCP server IP Range Enter...

Page 204: ...d by the DHCP server may be large Maximum Leases Specify the maximum number of available leases There is no default Gateway Enter the IP address of the gateway There is no default DNS Server IP Address Enter the IP address of the server or servers that provide domain name resolution There is no default More than one DNS IP address may be specified space separated If the field is left blank then an...

Page 205: ...pecified space separated If you delete NTP servers only those added manually are deleted DHCP assigned NTP servers continue to be available Field Description Interface Name Confirm the alphanumeric name of the AP interface The default is br1 which is the default bridge IP Address Range Select a radio button to specify the range of addresses available for assignment Choose either of the following I...

Page 206: ...lect the interface in the DHCP IP Address Range table and click Delete Leases The Leases tab Figure 144 lists each network computer serviced by DHCP and its lease information Figure 144 NM Services DHCP Configuration Leases This table contains the following information Field Description MAC Address Address that uniquely defines the DHCP client Leased IP Address IP address assigned by the DHCP serv...

Page 207: ... AP can store up to 260 alarms locally When the number of alarms exceeds this limit the oldest alarms are deleted as needed Use the Fault Management panels to view the system alarms and syslog entries Alarms are raised as SNMP Traps which are forwarded to the SNMP Sink Host or Primary NMS Viewing Alarms Choose Alarm Summary from the Fault Management menu to view counts and descriptions of alarms t...

Page 208: ...ms and enables filtering of the alarm table for easy viewing and searching A description of all the alarms is provided in 108Mbps Wireless LAN Access Point Alarms on page 198 and additional details are presented in Appendix C Alarms The Alarm Table includes the following information NOTE The alarm count in the lower left corner of the Network Management Explorer window is the same as that given on...

Page 209: ...ogged From Module The subsystem that is the source of the alarm Modules include Authentication Networking Distribution Configuration Wireless Discovery NM Portal SW Download NOTE The filtering function on the Alarm Table tab only affects the information that is displayed in the Alarm Table at the bottom of the tab To remove some event types completely from the alarm list use the Alarm Filter tab F...

Page 210: ...ter to the alarm table or Reset to clear the selected values Field Description Alarm ID Select an alarm from the list to view only those specific alarms Logging Module Name Select from the list to filter all the alarms from a specific system logging module Alarms From Host Address Select an AP to view only the alarms generated by that AP Logging Period Enter a date range to show events during a sp...

Page 211: ...ed when a 108 Mbps Wireless AP has been successfully rejected un enrolled Policy Download Successful Generated when a policy is successfully downloaded to an AP Policy Download Failed Generated when policy downloaded to an AP is unsuccessful due to an error in the policy software version mismatch or other error Image download succeeded Generated when an image is successfully downloaded and applie...

Page 212: ...SID or multiple SSIDs being configured and station is associating with AP with a different SSID 7 Authentication and encryption requested by station does not match security policy of the AP 8 Multi Vendor Station are not allowed to associate based on AP Admission Criteria 9 802 11b stations are not allowed to associate based on AP Admission Criteria 10 Station is not allowed to associate and trans...

Page 213: ...y Guest Authentication Succeeded Generated when a guest station is authenticated and indicates the successful start of a guest access communications session The guest user is offered the communications services specified in the guest profile for the specified SSID Guest Authentication Failed Generated when a guest station fails authentication User Reject by RADIUS Server Generated when user authen...

Page 214: ...uthentication is negotiated or when WEP is enabled on the AP and no manual WEP keys are configured RADIUS sent a bad response Generated during authentication when the RADIUS server sends a bad or unexpected response This would occur if the cryptographic signature check failed or an attribute is missing or badly encoded RADIUS timeout too short Generated when the AP receives a late response from th...

Page 215: ... BP radio on an incoming multicast or broadcast packet from the AP where the packet is encrypted with the group multicast broadcast key STA detected Bad TKIP MIC on Incoming Unicast Generated when a bad TKIP MIC is detected by a station associated with this AP on an incoming unicast packet from the AP where the packet is encrypted with the pairwise unicast key STA detected Bad TKIP MIC on Incomin...

Page 216: ...P responses are WPA EAP and legacy 802.1x for dynamic WEP This alarm may mean that a user prompt is not attended to on the client side It may also indicate that the client silently rejected an EAP request sent from the RADIUS server perhaps because it did not trust the RADIUS server's credentials EAPOL Key exchange message 2 timeout Generated when a station fails to send the WPA EAPOL Key Pairwise ...

Page 217: ...lt Management menu to view syslog messages used for network troubleshooting The most recent messages are in the default message file Messages with the latest messages at the top To view older messages select the appropriate message x file from the list on the SYSLOG panel Figure 149 See Syslog Configuration on page 213 for instructions on configuring the syslog message output ...

Page 218: ... Users Manage users who seek access to the wireless network Admin Users Manage administrators responsible for the wireless network MAC ACLs Identify and manage users using the MAC addresses of their computers Guest User Set up automatic password generation for guest users For a description of this tab see Configuring Guest Access on page 155 Adding Wireless Users Choose User Management from the Se...

Page 219: ... the panel or Cancel to return to the Wireless tab without saving the record When a wireless user is added to the database a unique certificate is generated for that user The certificate must be installed on the user s PC This can be done in one of two ways Field Description Login Name Assign a login name for network access required User Group Select a user group as defined in the RADIUS server Fi...

Page 220: ...d Download To download the certificate a Click the Wireless Users tab to display the list of users b Click the login name link for the user or highlight the checkbox to the left of the Login Name and click Details This opens the View Wireless User panel Figure 152 c Click the link entitled Click Here to Download Certificate A security certificate pop up opens with a prompt to open or save the cert...

Page 221: ... identify and authenticate users by the MAC address of the computer rather than by login This type of authentication is generally used to accommodate legacy equipment that does not support user based authentication MAC addresses are checked when the SSID has MAC ACL enabled and open access static WEP keys or WPA PSK encryption are used For more information on security options see Chapter 7 Managin...

Page 222: ...ntering the requested information From the user list you can delete an existing MAC ACL user modify user information or view the details in a read only table Field Description MAC Address Enter the MAC address that uniquely identifies the device Use the tab key to move between the successive two character fields required User Group Select a group from the list or create a new group User First Name...

Page 224: ... and may take additional time if the AP is currently used for wireless backhaul service Figure 157 System Configuration Reboot AP Managing the System Configuration Choose System Configuration from the System Services menu to access the network related configuration features of the 108 Mbps Wireless AP and set up syslog parameters The panel includes the following tabs IP Configuration Configure IP ...

Page 225: ...escription DHCP Assigned IP address Enables the AP to obtain an IP address for the AP from the network DHCP server DNS IP Address Enter the IP address of the DNS server required Management IP address Maskbits Enter the IP address and subnet prefix of the management server required Gateway IP address Enter the IP address of the network gateway required Host Name Enter a unique name for the AP The d...

Page 226: ... viewing and analysis The top area of the Syslog panel Figure 159 provides controls to set the logging level and scope for a variety of functional areas or modules Figure 159 System Configuration Syslog Configuration CAUTION Only an authorized administrator should change syslog levels or enable or disable syslog capabilities Arbitrary changes to syslog can adversely affect the AP ...

Page 227: ...eceive fault and event notifications Field Description Syslog Level Select the activity level that triggers a syslog entry Choose from several levels Emergency Alert Critical Error Warning Notice Info or Debug required Syslog Level Module Select whether to record a specific type of activity or include all the activities in the list required Remote Syslog Logging Indicate whether to enable a remote...

Page 228: ...eal time clock RTC which keeps track of the date and time in the event that the AP loses power This feature is not required if the AP is always connected to the Internet Field Description Primary Manager IP Enter the IP address of the NM Portal or Wireless LAN Network Management Software server responsible for managing the AP required Auxiliary Manager IP If applicable enter the IP address of the ...

Page 229: ...he AP configuration to the factory defaults Configuration Reports View configuration reports for the AP Reset Configuration Revert to the factory default configuration or reset specific subsystems to default configuration Secure Backup Perform the following functions on the Secure Backup tab Figure 166 Field Description Enable Real Time Clock Use the real time clock RTC Enable Buzzer Activate the A...

Page 230: ...he AP must be reenrolled and have a new configuration created Generate support logs 1 Click Generate Support Logs 2 When the configuration is generated a hyperlink is displayed Right click and select Save As to save the configuration locally 3 After the support logs file is saved click Delete to remove the file from the AP The file takes up space on the AP disk so it is recommended to remove it Re...

Page 231: ...10 Maintaining the Access Point 218 Installation and Configuration Guide CQW AP108AG Click Refresh to update the selected report Figure 164 Configuration Management Configuration Reports ...

Page 232: ...n and Configuration Guide CQW AP108AG 219 Reset Configuration Use the Reset Configuration tab to reset the AP configuration or revert to the defaults for individual subsystems Figure 165 Figure 165 Configuration Management Reset Configuration ...

Page 233: ...s to reset 2 Click Apply to reboot the AP with the selected defaults Task Steps Save configuration 1 Indicate whether to save the AP configuration each time a save operation is done 2 Click Apply Click Save Configuration to save the current settings on demand Back up the configuration to a TFTP server 1 Enter the IP address of the TFTP server 2 Enter or confirm the configuration file name 3 Click ...

Page 234: ...interface is used for both situations however access to the interface is different for an NM Portal than for a non portal AP If the AP is an NM Portal click Manage Wireless Network to open the NM Portal interface and then choose Admin Tools Software Upgrade to open the Software Upgrade panel Figure 167 If the AP is a non portal AP choose Admin Tools Software Upgrade to open the Software Upgrade pa...

Page 235: ...rocess that cannot be interrupted once it begins If you use the Software Image Upgrade selection in NM Portal then staging selection and distribution are separate steps that can be monitored and canceled if needed Software Image File The AP software image file conforms to a PLANEX-defined format that uses the filename extension img During download the filename extension and structure are verified...

Page 236: ...g asks you to confirm the software download 4 Click OK The system verifies the filename extension and header information When successful the Software Download Status panel opens Figure 168 Staging is now complete 5 Select the APs to receive the upgrade 6 Click Distribute A confirmation dialog asks you to confirm that the upgrade should now begin 7 Click OK NOTE It is important to perform software ...

Page 237: ...TFTP Download To upgrade an NM Portal or non portal AP using TFTP download 1 Choose Software Upgrade from the Admin Tools menu 2 Enter the IP address of the TFTP server 3 Enter the name of the image file on the TFTP server The default file is target ppc ani img under the boot directory of the TFTP server Relative paths can be used when specifying the file name 4 Click Apply A pop up message asks f...

Page 238: ...ware update Scheduled The update has been ordered for this AP but has not yet begun Canceling A request has been made to cancel the distribution however the request is not complete For example this message is displayed if a request has been made to cancel distribution to an AP waiting its turn in the distribution list Canceled Distribution to the AP is canceled AP Unreachable The enrolled AP is no...

Page 239: ...nd Ethernet Link LEDs are off Power is off or unconnected Check the power connection to make sure it is plugged in Also check the power outlet If necessary plug some other appliance into the outlet to verify power AP power LED is on but the Ethernet Link LED is off Ethernet cable is unconnected or unable to access the LAN Check the Ethernet cable connection between the AP and network port Make sur...

Page 240: ...nnected properly The Access Point and or its external antenna should not be in an obstructed location Metallic objects such as equipment racks and some construction materials can block wireless signals If this is the case reposition the Access Point s and or any external antennae to be free of these obstructions If using an external antenna also make sure that it is connected securely to the Acces...

Page 242: ...admin AP IP address using the AP IP address assigned to the Access Point or 192 168 1 254 by default and press Return When connected a screen opens similar to the one shown in Figure 169 Figure 169 Access Point Serial Console Login Screen 3 Enter your login ID and press Return When prompted next enter your password The factory default for administrator access is user name admin If the AP has not b...

Page 243: ... Microsoft Windows operating systems the Microsoft provided application HyperTerminal will work fine This is accessed usually through Programs Accessories Communications HyperTerminal The remainder of this procedure assumes the use of HyperTerminal Modify the procedures accordingly if using another application 3 Create a terminal connection profile if one does not already exist Enter a descriptive...

Page 244: ...console access one is show mode and the other is config mode In show mode examine the AP s configuration settings and status Use config mode to change values To go into either mode from the main command prompt type either show or config Toggle between show and config modes by pressing Ctrl P Leave a mode and return to the top level command prompt by typing exit To log out and close your connection...

Page 245: ...A Using the Command Line Interface 232 Installation and Configuration Guide CQW AP108AG ...

Page 246: ...ss Point hardware and software Table 16 Regulatory and License Compliance ID Access Point Requirement Details CERT1 Safety UL 1950 third edition TUV approval UL 2043 Fire and Smoke Compliance CERT2 EMC EMC Directive 89 336 EEC CE Mark CERT3 Radio Approvals FCC CFR47 Part 15 section 15 247 FCC 47CFR Part 15B Class B Emissions Canada IC RSS210 Japan MPT Radio Regulations Europe ETS 300 328 ...

Page 247: ...B Regulatory and License Information 234 Installation and Configuration Guide CQW AP108AG ...

Page 248: ...stname or IP address of the access point that generated the alarm Description The alarm details Use the 108 Mbps Wireless AP CLI to display the alarm table as follows Examples system show alarm table event id 102 log level 2 log time Tue Jan 4 16 14 01 2000 module WSM source ip AP_00 0A F5 00 02 1F description Device ID AP_00 0A F5 00 02 1F radio 6 is enabled its operational state is 2 operating o...

Page 249: ...n page 255 Security STA attempting WPA PSK no Pre shared Key is set for SSID on page 256 Security Auth Server Improperly configured on this SSID on page 257 Security STA failed to send EAPOL Start on page 258 Security RADIUS sent a bad response on page 259 Security RADIUS timeout too short on page 259 Security STA authentication did not complete in time on page 260 Security Upstream AP is using an...

Page 250: ...rom the Portal network Syntax DeviceId s Node Ip s persona d deleted from database Description This alarm is generated when a discovered node is deleted from the system When a node is deleted all information about that node is erased from the Portal If the node s IP address falls within the discovery scope then the node will be re discovered and added back to the set of the discovered nodes on...

Page 251: ...arm occurs then the discovery server will not discover nor track any new nodes once this limit is reached In such case delete unwanted nodes and manually add the nodes to the discovery database so that they may be managed Examples On Device AP_00 0A F5 00 02 1F Node Ip 192 168 74 245 managed node limit exceeded Current managed nodes limit is 10 See Also Enrollment Node Enrolled Alarm generated whe...

Page 252: ...rolled the remote node having ApDeviceId s NodeIp s and Persona d Description This alarm is generated when the 108 Mbps Wireless AP has been successfully rejected un enrolled from the network Usage Informational log Examples NMPortal with DeviceId AP_00 0A F5 00 01 77 has successfully enrolled a remote node having DeviceIdId AP_00 0A F5 00 01 7A NodeIp 172 16 12 4 and persona 2 See Also Node Enroll...

Page 253: ...at time Thu Jan 6 04 27 45 2000 See Also Policy Download Failed Policy Policy Download Failed Alarm generated when a policy download to an AP failed Syntax For accesspoint Node s the policy s from s could not be downloaded due to error d at time s Alarm Parameters Node The device ID of the remote AP policy The policy name from The device ID of the source of the policy time The time at which the...

Page 254: ...sfully downloaded at time s Description This alarm is generated when an image is successfully downloaded and applied to an AP Usage Informational log Examples For accesspoint Node AP_00 0A F5 00 01 77 The software image 1 1 0 build 3278 AGN1dev PLANEX Inc from AP_00 0A F5 00 01 77 was successfully downloaded at time Fri Jan 7 06 04 47 2000 See Also Image Download Failed Software Distribution Succeeded Softw...

Page 255: ...me s Description This alarm is generated when an image distribution is completed Image distribution is Usage Informational log Examples On DeviceId AP_00 0A F5 00 01 77 the Software image 0 7 0 build A 2286 AGN1dev PLANEX Inc distribution request from portal AP_00 0A F5 00 01 77 using the Distribution TaskId 000000 and with status 172 16 12 4 0 947304168 947304183 invalid image file completed at time Tue Ja...

Page 256: ...Disabled BSS disabled Notification which indicates that the AP radio has been disabled Syntax Device Id s radio d disabled Description Notification which indicates that AP has been disabled Usage The AP radio can be disabled for several reasons such as a User Triggered administrative disabling Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP Radio Identifies Radio by interface I...

Page 257: ... Usage The AP radio enabling can fail for reasons which are indicated by the Cause code parameter 0 Unspecified reason 1 System timeout attempting to enable BSS Examples Bss enabling failed for Device Id AP_00 0A F5 00 01 B6 radio 4 Cause Code 1 See Also List of other alarms Wireless Frequency Changed Notification which indicates that the frequency of operation changed on the AP Syntax Frequency c...

Page 258: ...ion failed for an 802 11 station Syntax Station association failed for DeviceId s radio d station MAC s station status d CauseCode Description This is a notification generated when an association from an 802 11 station fails with the AP radio The reasons for the failure are encapsulated in the cause code parameter and are as follows Radio Identifies Radio by interface ID on the Access Point Channel I...

Page 259: ... 9 802 11b stations are not allowed to associate based on AP Admission Criteria 10 Station is not allowed to associate and transferred to another AP Radio due to Load Balancing 11 Station is not allowed to associate because node does not have network connectivity Usage The reason for the association failure can be used to determine any configuration issue in the system which may be causing the ass...

Page 260: ...isassociated Syntax Station disassociated from AP for DeviceId s radio d station MAC s CauseCode d Description This is a notification generated when an 802 11 station is disassociated either by the network or the station Reason Code Description 0 STA initiated disassociation 1 Station has handed off to another AP 2 Disassociation triggered due to authentication failure after ULAP timeout 3 Disassoc...

Page 261: ...ed relevant only on BP side Usage This can be used to track any losses in connectivity of network Examples WDS trunk brought down for Device ID AP_00 0A F5 00 01 B6 radio 4 remote MAC 00 0a f5 00 3a fb CauseCode 0 See Also Wireless WDS Up Notification which indicates successful formation of wireless backhaul Syntax WDS trunk established for DeviceId s radio d remote mac s TrunkPort count d CauseCo...

Page 262: ...k brought down for DeviceId s radio d remote MAC s CauseCode d Description This is a notification generated when a wireless backhaul has gone down The remote end s MAC address is provided Reason Code Description 0 System Reason unspecified Radio Identifies Radio by interface ID on the Access Point Remote MAC Address MAC address of remote end of backhaul link Backhaul Count Number of backhauls whic...

Page 263: ...is generated when a Guest Station is authenticated Usage This indicates the successful start of a Guest Access Stations communications session This Guest STA will be offered the communications services specified in the Guest Profile that has been configured for the specified SSID Examples For device id AP_00 0A F5 00 01 89 Guest authentication succeeded for STA 00 0a f5 00 05 f0 on radio 0 with SSI...

Page 264: ...using captive portal Internal and guest mode 4 due to 0 See Also Security Guest Authentication Succeeded Security User rejected by RADIUS Server Notification which indicates that the AP has determined that a User has been rejected by RADIUS Syntax For device id s the RADIUS SERVER s d from auth zone s rejected the STA s on radio d with user id s and SSID s Alarm Parameters DeviceId The Device ID o...

Page 265: ...thentication attempt Syntax For device id s the RADIUS SERVER s d from auth zone s rejected the node s on radio d with device id s and SSID s Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP RADIUS server The IP address of the RADIUS server Port The port used to communicate with the RADIUS server Auth Zone The name of the Auth Zone on this AP that this RADIUS server is a member ...

Page 266: ...device id AP_00 0A F5 00 01 89 and SSID NewYorkRm See Also Security RADIUS Server timeout Notification which indicates that the AP has determined that a RADIUS server has failed to respond within the RADIUS timeout Syntax For device id s the RADIUS server s d from auth zone s failed to respond within d seconds and d attempts while authenticating STA s on radio d with user id s and SSID s Node MAC ...

Page 267: ...0a f5 00 05 f0 on radio 0 with user id paul and SSID NewYorkRm See Also Security Management User login success Notification which indicates that the AP has determined that a Management user login has succeeded Syntax For device id s the management user s with privilege level d logged in succesfully via d Description This notification is generated whenever a management User tries to login to the lo...

Page 268: ...ying to break into your AP Examples For device id AP_00 0A F5 00 01 89 the management user admin failed to login successfully via 1 See Also Security STA failed EAPOL MIC check Notification which indicates that the AP has determined that a STA has failed a MIC check during the EAPOL authentication exchange Syntax For device id s the STA s d on radio d with user id s and SSID s failed an EAPOL MIC ...

Page 269: ...Security STA attempting WPA PSK no Pre shared Key is set for SSID Notification which indicates that the AP has determined that a STA is attempting WPA PSK authentication but no Pre shared Key has been configured for the SSID Syntax For device id s the STA s on radio d attempted to do WPA PSK based auth on the SSID s but no pre shared key is set Description This notification is sent when a Station a...

Page 270: ...the SSID s and are needed for authenticating STA s on radio d with RADIUS usage d Description This notification is sent when authentication servers are improperly configured for a given SSID Usage This indicates that the AP has determined that a STA requires authentication servers configured and there are none configured on this SSID Generally authentication servers are needed for EAP based authen...

Page 271: ...n type is deemed to be EAP based This can happen when WPA EAP authentication is negotiated or when WEP is enabled on the AP and no manual WEP keys are configured Examples For device id AP_00 0A F5 00 01 89 the STA 00 0a f5 00 05 f0 on radio 0 and SSID NewYorkRm failed to send an EAPOL Start in order to begin auth of type 4 See Also Security RADIUS sent a bad response Notification which indicates t...

Page 272: ... a late response This indicates that the APs RADIUS timeout might need to be increased Syntax For device id s the RADIUS server s d sent a late response you might need to increase your RADIUS timeout of d seconds Description This notification is generated when the AP receives a late response from the RADIUS server The IP address of the RADIUS server Port The port used to communicate with the RADIU...

Page 273: ...uence of authentication exchanges in a timely manner Syntax For device id s the STA s d on radio d with user s and SSID s did not complete its auth sequence in time with auth type d and enc type d due to reason code d Description This notification is generated when the station authentication sequence did not complete in time Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP AP Th...

Page 274: ...is using an un trusted auth server Usage This indicates that the local BP has determined that the upstream AP is using an un trusted auth server This may indicate that the upstream AP is a rogue AP It is safe to say that the upstream AP and the downstream AP are not enrolled in the same network If the downstream AP was previously enrolled elsewhere then reset it and re enroll it in the new network...

Page 275: ... enrollment databases are out of sync on the downstream AP and the upstream AP Examples For device id AP_00 0A F5 00 01 89 the upstream AP 00 0a f5 00 06 22 with SSID NewYorkRm authenticating via local BP radio 0 is using a non portal node 00 0a f5 00 01 45 with certificate SHA 1 thumbprint 98 72 a8 6d 56 f8 92 a8 f3 97 ec 3f fa 0b 66 4e as its auth server YOUR ENROLLMENT DATABASE MIGHT BE OUT OF ...

Page 276: ...e local BP has received an EAP Success BEFORE authentication has completed Syntax For device id s the upstream AP s with SSID s authenticating via local BP radio d sent EAP Sucess before authentication completed IT MIGHT BE A ROGUE AP Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP AP The MAC address of the upstream AP SSID Identifies the SSID on this AP that the STA has associ...

Page 277: ...onfigured in this SSID Syntax For device id s the STA s on radio d with user s is in group s but SSID s has no profile configured for that group Description This notification is generated during Station authentication when no service profile has been configured for a given Group Usage This indicates that the AP has detected a STA is authenticating which is a member of a group for which no service ...

Page 278: ...t different STAs might be restricted to different subsets of encryption capabilities based on their service profiles Examples For device id AP_00 0A F5 00 01 89 the STA 00 0a f5 00 05 cc on radio 0 with user paul and SSID NewYorkRm of group employee failed the security enforcement check with auth type 4 and enc type 5 at enforcement level 1 See Also Alarm Parameters DeviceId The Device ID of the 1...

Page 279: ...wYorkRoom using captive portal Internal and guest mode 4 See Also Security Guest Authentication Failed Security Guest Authentication Failed Notification which indicates that a Guest Access Station has failed authentication Syntax For device id s Guest authentication failed for STA s on radio d with SSID s using captive portal s and guest mode d due to d Alarm Parameters DeviceId The Device ID of t...

Page 280: ...ast packet from STA s on radio d Description This notification is generated when a bad TKIP MIC is detected on an incoming frame from a STA that is encrypted with the pairwise unicast key Usage This indicates that the AP has detected an invalid TKIP MIC value on an incoming Station MAC address of the Guest STAtion Radio Identifies Radio by interface ID on the Access Point SSID Identifies the SSID o...

Page 281: ...where the packet is encrypted with the pairwise unicast key Usage This indicates that the BP has detected an invalid TKIP MIC value on an incoming frame encrypted with the pairwise unicast key Examples For device id AP_00 0A F5 00 01 89 a bad TKIP MIC was detected by local BP radio 0 on an incoming unicast packet from the AP 00 0a f5 00 06 22 See Also BP Detected Bad TKIP MIC on Incoming Multicast...

Page 282: ...t received from the AP encrypted with the pairwise unicast key Syntax For device id s a bad TKIP MIC was detected by STA s on radio d on an incoming unicast packet from the AP Description This notification is generated when a bad TKIP MIC is detected by an STA associated with this AP on an incoming unicast packet from the AP where the packet is encrypted with the pairwise unicast key Usage This in...

Page 283: ...e group multicast broadcast key Usage This indicates that the STA has detected an invalid TKIP MIC value on a received multicast frame Examples For device id AP_00 0A F5 00 01 89 a bad TKIP MIC was detected by STA 00 0a f5 00 05 f0 on radio 0 on an incoming multicast broadcast packet from the AP See Also STA Detected Bad TKIP MIC on Incoming Unicast Security TKIP counter measures lockout period st...

Page 284: ... Description This notification is generated when an STA fails to send its user id in time to complete its authentication sequence using the specified authentication type Usage This indicates the failure of a STA to complete the EAP authentication exchange in a timely fashion The two authentication modes that require the STA to send its user id are WPA EAP and legacy 8021 x for dynamic WEP This tra...

Page 285: ...legacy 8021 x for dynamic WEP This trap might indicate that a user prompt is not attended to on the client side It may also indicate that the client silently rejected an EAP request sent from the RADIUS server perhaps because it did not trust the RADIUS server s credentials Examples For device id AP_00 0A F5 00 01 89 the STA 00 0a f5 00 05 f0 0 on radio 0 with user paul and SSID NewYorkRm did not s...

Page 286: ...ailure of a STA to complete the EAPOL 4 way key exchange in a timely fashion Examples For device id AP_00 0A F5 00 01 89 the STA 00 0a f5 00 05 f0 0 on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL Key Pairwise Messg 2 in time where auth type 4 and enc type 6 See Also Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP Station MAC address of the Station bpInd...

Page 287: ...f5 00 05 f0 0 on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL Key Pairwise Messg 4 in time where auth type 4 and enc type 6 See Also Security EAPOL Group 2 key exchange timeout Notification which indicates that the STA has failed to respond in a timely manner with EAPOL Group key exchange message number 2 Syntax For device id s the STA s d on radio d with user s and SSID s ...

Page 288: ...the STA 00 0a f5 00 05 f0 0 on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL Key Group Messg 2 in time where auth type 4 and enc type 6 See Also Alarm Parameters DeviceId The Device ID of the 108 Mbps Wireless AP Station MAC address of the Station bpIndicator Identifies if the supplicant is a BP 1 or a STA 0 Radio Identifies Radio by interface ID on the Access Point User Use...

Page 289: ...C Alarms 276 Installation and Configuration Guide CQW AP108AG ...

Page 290: ...shing an Extended Service Set 802 11 network Advanced Encryption Standard AES An encryption algorithm developed for use by U S Government agencies and now incorporated into encryption standards for commercial transactions Ad Hoc network A group of nodes or systems communicating with each other without an intervening Access Point Many wireless network cards support ad hoc networking modes Authentic...

Page 291: ...ered manually for each and every device on the network Dynamic Frequency Selection DFS A method for selecting the least intrusive and noisy available frequency for operation part of the 802 11 specification Dynamic IP Address A TCP IP network address assigned temporarily or dynamically by a central server also known as a DHCP server A node set to accept dynamic IPs is said to be a DHCP client Exte...

Page 292: ...to the Internet Protocol standard Local Area Network LAN A group of computers servers printers and other devices connected to one another with the ability to share data between them Maskbits Number of bits in the subnet prefix for an IP address provides the same information as subnet mask Each triplet of digits in an IP address consists of 8 bits To specify the subnet in maskbits count the number ...

Page 293: ... utility which determines whether a specific IP address is accessible and the amount of network time measured in milliseconds for response Ping is used primarily to troubleshoot Internet connections PLANEX Client Utility ACU Application that executes on a client station and provides management and diagnostics functionality for the 802 11 network interfaces Policy based Networking The management of...

Page 294: ... SSID The SSID is a unique identifier attached to all packets sent over a wireless network identifying one or more wireless network adapters as belonging to a common group Some Access Points can support multiple SSIDs allowing for varying privileges and capabilities based on user roles Secure Sockets Layer SSL A common protocol for message transmission security on the Internet Existing as a progra...

Page 295: ...bnet 255 255 255 0 Transport Layer Security TLS Protocol that provides privacy protection for applications that communicate with each other and their users on the Internet TLS is a successor to the Secure Sockets Layer SSL Trunk In telecommunications a communications channel between two switching systems In a wireless network a trunk is a wireless connection from one access point to another Type o...

Page 296: ...ount 195 filter 203 ID 195 panel 37 summary 194 195 table 194 195 alarms list and description 235 logging time 195 total 195 AP hostname 33 AP security 137 assigning IP address to interface 124 association status 88 type 88 association status 89 association type 89 asterisk next to field name 30 authentication 5 diagnostics 148 151 server 143 277 timeout 152 type 88 user 12 139 zones 145 authentic...

Page 297: ...apacity requirements 10 D data encryption 5 139 overview 12 data rates supported 7 date setting 34 42 default gateway 33 SSID 79 VLAN 107 assigned to interface 109 default gateway 34 defer threshold 70 delivery traffic indication message DTIM 73 deployment environment 41 59 destination AP 171 radio 171 detection time 174 device ID 138 169 172 DHCP server activating 191 configuring 190 diagnostics ...

Page 298: ...ces 101 configuring 123 interface to COS mapping 113 internal landing page 51 156 internet protocol IP 279 IP address 279 assigning to interface 124 link for AP 170 of AP 33 IP configuration 212 IP Precedence tab 121 IP precedence to COS mapping 114 IP Protocol tab 120 IP protocol to COS mapping 114 IP rogue discovery 175 IP routing 6 configuration 105 IP subnet criteria 132 IP topology 171 IP DSC...

Page 299: ...s and solutions 226 product features 2 product suite 1 profile table 85 protocols data rates and coverage 10 Q quality of service QoS 6 113 280 advanced features 117 class order 114 118 features 113 statistics 117 task overview 15 user group based 6 Quick Start 31 panels 39 R radio advanced configuration 70 channel configuration 65 configuration panel 56 diagnostics 94 discovered 173 interface 35 ...

Page 300: ...ported 7 start discovery 185 static IP address 282 station 281 link statistics 89 MAC address 89 management 87 statistics supplicant 149 subnet 282 subnet mask 282 supplicant statistics 148 149 supported standards and data rates 7 syslog configuration 213 viewing 204 system configuration managing 211 system determined band 66 system requirements 25 T tagged VLAN 108 task roadmaps 14 Telnet 25 temp...

Page 301: ...282 wired equivalent privacy WEP 5 12 139 282 key 35 keys 142 quick start options 35 security 142 statistics 91 wireless network 9 security 140 users 205 wireless backhaul 129 131 AP and BP radios 130 applications 129 candidate APs 133 link criteria 131 security 130 trunk 130 trunks 133 uplink criteria 132 viewing topology 170 wireless LAN adapter 1 wireless local area network WLAN 282 wireless ro...
