Accton Technology 2555WAG2 Dual Band Access Point User Manual WA6102 17
Accton Technology Corp Dual Band Access Point WA6102 17
Users Manual
WA6102X-2 2.4 GHz / 5 GHz Wireless Access Point User Guide www.edge-core.com User Guide 2.4 GHz / 5 GHz Wireless Access Point IEEE 802.11g and 802.11a Dual-band Access Point with 1 10/100BASE-TX (RJ-45) Port WA6102X-2AG-17 F4.3.2.0 E012006-R01 149100033300E COMPLIANCES Federal Communication Commission Interference Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures: • Reorient or relocate the receiving antenna • Increase the separation between the equipment and receiver • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected • Consult the dealer or an experienced radio/TV technician for help FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. IMPORTANT NOTE: FCC Radiation Exposure Statement This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters (8 inches) between the radiator and your body. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. Wireless 5 GHz Band Statements: As the Access Point can operate in the 5150-5250 MHz frequency band it is limited by the FCC, Industry Canada and some other countries to indoor use only so as to reduce the potential for harmful interference to co-channel Mobile Satellite systems. COMPLIANCES High power radars are allocated as primary users (meaning they have priority) of the 5250-5350 MHz and 5650-5850 MHz bands. These radars could cause interference and /or damage to the access point when used in Canada. The term “IC” before the radio certification number only signifies that Industry Canada technical specifications were met. Industry Canada - Class B This digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of Industry Canada. Cet appareil numérique respecte les limites de bruits radioélectriques applicables aux appareils numériques de Classe B prescrites dans la norme sur le matérial brouilleur: “Appareils Numériques,” NMB-003 édictée par l’Industrie. Japan VCCI Class B Australia/New Zealand AS/NZS 4771 ACN 066 352010 ii COMPLIANCES EC Conformance Declaration Marking by the above symbol indicates compliance with the Essential Requirements of the R&TTE Directive of the European Union (1999/5/ EC). This equipment meets the following conformance standards: • • • • EN 60950-1 (IEC 60950-1) - Product Safety EN 301 893 - Technical requirements for 5 GHz radio equipment EN 300 328 - Technical requirements for 2.4 GHz radio equipment EN 301 489-1 / EN 301 489-17 - EMC requirements for radio equipment Countries of Operation & Conditions of Use in the European Community This device is intended to be operated in all countries of the European Community. Requirements for indoor vs. outdoor operation, license requirements and allowed channels of operation apply in some countries as described below: Note: The user must use the configuration utility provided with this product to ensure the channels of operation are in conformance with the spectrum usage rules for European Community countries as described below. • This device requires that the user or installer properly enter the current country of operation in the command line interface as described in the user guide, before operating this device. • This device will automatically limit the allowable channels determined by the current country of operation. Incorrectly entering the country of operation may result in illegal operation and may cause harmful interference to other systems. The user is obligated to ensure the device is operating according to the channel limitations, indoor/outdoor restrictions and license requirements for each European Community country as described in this document. • This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar. iii COMPLIANCES • The 5 GHz Turbo Mode feature is not allowed for operation in any European Community country. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide. • The 5 GHz radio's Auto Channel Select setting described in the user guide must always remain enabled to ensure that automatic 5 GHz channel selection complies with European requirements. The current setting for this feature is found in the 5 GHz 802.11a Radio Settings Window as described in the user guide. • This device is restricted to indoor use when operated in the European Community using the 5.15 - 5.35 GHz band: Channels 36, 40, 44, 48, 52, 56, 60, 64. See table below for allowed 5 GHz channels by country. • This device may be operated indoors or outdoors in all countries of the European Community using the 2.4 GHz band: Channels 1 - 13, except where noted below. - In Italy the end-user must apply for a license from the national spectrum authority to operate this device outdoors. - In Belgium outdoor operation is only permitted using the 2.46 2.4835 GHz band: Channel 13. - In France outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7. iv COMPLIANCES Operation Using 5 GHz Channels in the European Community The user/installer must use the provided configuration utility to check the current channel of operation and make necessary configuration changes to ensure operation occurs in conformance with European National spectrum usage laws as described below and elsewhere in this document. Allowed 5GHz Channels in Each European Community Country Allowed Frequency Bands Allowed Channel Numbers Countries 5.15 - 5.25 GHz* 36, 40, 44, 48 Austria, Belgium 5.15 - 5.35 GHz* 36, 40, 44, 48, 52, 56, 60, 64 France, Switzerland, Liechtenstein 5.15 - 5.35* & 5.470 - 5.725 GHz 36, 40, 44, 48, 52, 56, 60, 64, Denmark, Finland, 100, 104, 108, 112, 116, 120, Germany, Iceland, 124, 128, 132, 136, 140 Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, U.K. 5 GHz Operation Not Allowed None Greece * Outdoor operation is not allowed using 5.15-5.35 GHz bands (Channels 36 64). COMPLIANCES Declaration of Conformity in Languages of the European Community English Hereby, SMC, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Finnish Valmistaja SMC vakuuttaa täten että Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen. Dutch Hierbij verklaart SMC dat het toestel Radio LAN device in overeenstemming is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EG Bij deze SMC dat deze Radio LAN device voldoet aan de essentiële eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. French Par la présente SMC déclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE Swedish Härmed intygar SMC att denna Radio LAN device står I överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG. Danish Undertegnede SMC erklærer herved, at følgende udstyr Radio LAN device overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF German Hiermit erklärt SMC, dass sich dieser/diese/dieses Radio LAN device in Übereinstimmung mit den grundlegenden Anforderungen und den anderen relevanten Vorschriften der Richtlinie 1999/5/EG befindet". (BMWi) Hiermit erklärt SMC die Übereinstimmung des Gerätes Radio LAN device mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. (Wien) vi Greek με την παρουσα SMC δηλωνει οτι radio LAN device συμμορφωνεται προσ τισ ουσιωδεισ απαιτησεισ και τισ λοιπεσ σΧετικεσ διαταξεισ τησ οδηγιασ 1999/5/εκ Italian Con la presente SMC dichiara che questo Radio LAN device è conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. COMPLIANCES Spanish Por medio de la presente Manufacturer declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE Portuguese Manufacturer declara que este Radio LAN device está conforme com os requisitos essenciais e outras disposições da Directiva 1999/5/CE. Safety Compliance Power Cord Safety Please read the following safety information carefully before installing the access point: WARNING: Installation and removal of the unit must be carried out by qualified personnel only. • The unit must be connected to an earthed (grounded) outlet to comply with international safety standards. • Do not connect the unit to an A.C. outlet (power supply) without an earth (ground) connection. • The appliance coupler (the connector to the unit and not the wall plug) must have a configuration for mating with an EN 60320/IEC 320 appliance inlet. • The socket outlet must be near to the unit and easily accessible. You can only remove power from the unit by disconnecting the power cord from the outlet. • This unit operates under SELV (Safety Extra Low Voltage) conditions according to IEC 60950. The conditions are only maintained if the equipment to which it is connected also operates under SELV conditions. France and Peru only This unit cannot be powered from IT† supplies. If your supplies are of IT type, this unit must be powered by 230 V (2P+T) via an isolation transformer ratio 1:1, with the secondary connection point labelled Neutral, connected directly to earth (ground). † Impédance à la terre vii COMPLIANCES Important! Before making connections, make sure you have the correct cord set. Check it (read the label on the cable) against the following: Power Cord Set U.S.A. and Canada The cord set must be UL-approved and CSA certified. The minimum specifications for the flexible cord are: - No. 18 AWG - not longer than 2 meters, or 16 AWG. - Type SV or SJ - 3-conductor The cord set must have a rated current capacity of at least 10 A The attachment plug must be an earth-grounding type with NEMA 5-15P (15 A, 125 V) or NEMA 6-15P (15 A, 250 V) configuration. Denmark The supply plug must comply with Section 107-2-D1, Standard DK2-1a or DK2-5a. Switzerland The supply plug must comply with SEV/ASE 1011. U.K. The supply plug must comply with BS1363 (3-pin 13 A) and be fitted with a 5 A fuse which complies with BS1362. The mains cord must beor marked and be of type HO3VVF3GO.75 (minimum). Europe The supply plug must comply with CEE7/7 (“SCHUKO”). The mains cord must be or marked and be of type HO3VVF3GO.75 (minimum). IEC-320 receptacle. viii COMPLIANCES Veuillez lire à fond l'information de la sécurité suivante avant d'installer le access point: AVERTISSEMENT: L’installation et la dépose de ce groupe doivent être confiés à un personnel qualifié. • Ne branchez pas votre appareil sur une prise secteur (alimentation électrique) lorsqu'il n'y a pas de connexion de mise à la terre (mise à la masse). • Vous devez raccorder ce groupe à une sortie mise à la terre (mise à la masse) afin de respecter les normes internationales de sécurité. • Le coupleur d’appareil (le connecteur du groupe et non pas la prise murale) doit respecter une configuration qui permet un branchement sur une entrée d’appareil EN 60320/IEC 320. • La prise secteur doit se trouver à proximité de l’appareil et son accès doit être facile. Vous ne pouvez mettre l’appareil hors circuit qu’en débranchant son cordon électrique au niveau de cette prise. • L’appareil fonctionne à une tension extrêmement basse de sécurité qui est conforme à la norme IEC 60950. Ces conditions ne sont maintenues que si l’équipement auquel il est raccordé fonctionne dans les mêmes conditions. France et Pérou uniquement: Ce groupe ne peut pas être alimenté par un dispositif à impédance à la terre. Si vos alimentations sont du type impédance à la terre, ce groupe doit être alimenté par une tension de 230 V (2 P+T) par le biais d’un transformateur d’isolement à rapport 1:1, avec un point secondaire de connexion portant l’appellation Neutre et avec raccordement direct à la terre (masse). Cordon électrique - Il doit être agréé dans le pays d’utilisation Etats-Unis et Canada: Le cordon doit avoir reçu l’homologation des UL et un certificat de la CSA. Les spécifications minimales pour un cable flexible sont AWG No. 18, ou AWG No. 16 pour un cable de longueur inférieure à 2 mètres. - type SV ou SJ - 3 conducteurs Le cordon doit être en mesure d’acheminer un courant nominal d’au moins 10 A. La prise femelle de branchement doit être du type à mise à la terre (mise à la masse) et respecter la configuration NEMA 5-15P (15 A, 125 V) ou NEMA 6-15P (15 A, 250 V). Danemark: La prise mâle d’alimentation doit respecter la section 107-2 D1 de la norme DK2 1a ou DK2 5a. ix COMPLIANCES Cordon électrique - Il doit être agréé dans le pays d’utilisation Suisse: La prise mâle d’alimentation doit respecter la norme SEV/ ASE 1011. Europe La prise secteur doit être conforme aux normes CEE 7/7 (“SCHUKO”) LE cordon secteur doit porter la mention ou et doit être de type HO3VVF3GO.75 (minimum). Bitte unbedingt vor dem Einbauen des Access Point die folgenden Sicherheitsanweisungen durchlesen (Germany): WARNUNG: Die Installation und der Ausbau des Geräts darf nur durch Fachpersonal erfolgen. • Das Gerät sollte nicht an eine ungeerdete Wechselstromsteckdose angeschlossen werden. • Das Gerät muß an eine geerdete Steckdose angeschlossen werden, welche die internationalen Sicherheitsnormen erfüllt. • Der Gerätestecker (der Anschluß an das Gerät, nicht der Wandsteckdosenstecker) muß einen gemäß EN 60320/IEC 320 konfigurierten Geräteeingang haben. • Die Netzsteckdose muß in der Nähe des Geräts und leicht zugänglich sein. Die Stromversorgung des Geräts kann nur durch Herausziehen des Gerätenetzkabels aus der Netzsteckdose unterbrochen werden. • Der Betrieb dieses Geräts erfolgt unter den SELV-Bedingungen (Sicherheitskleinstspannung) gemäß IEC 60950. Diese Bedingungen sind nur gegeben, wenn auch die an das Gerät angeschlossenen Geräte unter SELV-Bedingungen betrieben werden. • COMPLIANCES Stromkabel. Dies muss von dem Land, in dem es benutzt wird geprüft werden: U.S.A und Kanada Der Cord muß das UL gepruft und war das CSA beglaubigt. Das Minimum spezifikation fur der Cord sind: - Nu. 18 AWG - nicht mehr als 2 meter, oder 16 AWG. - Der typ SV oder SJ - 3-Leiter Der Cord muß haben eine strombelastbarkeit aus wenigstens 10 A Dieser Stromstecker muß hat einer erdschluss mit der typ NEMA 5-15P (15A, 125V) oder NEMA 6-15P (15A, 250V) konfiguration. Danemark Dieser Stromstecker muß die ebene 107-2-D1, der standard DK2-1a oder DK2-5a Bestimmungen einhalten. Schweiz Dieser Stromstecker muß die SEV/ASE 1011Bestimmungen einhalten. Europe Das Netzkabel muß vom Typ HO3VVF3GO.75 (Mindestanforderung) sein und die Aufschrift oder tragen. Der Netzstecker muß die Norm CEE 7/7 erfüllen (”SCHUKO”). xi COMPLIANCES xii Table of Contents Chapter 1: Introduction Package Checklist Hardware Description Component Description Features and Benefits Applications System Defaults 1-1 1-2 1-2 1-3 1-5 1-6 1-6 Chapter 2: Hardware Installation 2-1 Chapter 3: External Antennas 3-1 Instalation Procedures Chapter 4: Network Configuration Network Topologies Ad Hoc Wireless LAN (no Access Point) Infrastructure Wireless LAN Infrastructure Wireless LAN for Roaming Wireless PCs Infrastructure Wireless Bridge Infrastructure Wireless Repeater 3-1 4-1 4-2 4-2 4-3 4-4 4-5 4-6 Chapter 5: Initial Configuration 5-1 Initial Setup through the CLI Required Connections Initial Configuration Steps Logging In 5-1 5-1 5-2 5-3 Chapter 6: System Configuration Advanced Configuration System Identification TCP / IP Settings RADIUS SSH Settings Authentication 6-1 6-2 6-3 6-5 6-7 6-11 6-12 xiii Contents Filter Control VLAN WDS Settings AP Management Administration System Log RSSI SNMP Configuring SNMP and Trap Message Parameters Configuring SNMPv3 Users Configuring SNMPv3 Trap Filters Configuring SNMPv3 Targets Radio Interface Radio Settings A (802.11a) Radio Settings G (802.11g) Security Status Information Access Point Status Station Status Event Logs Chapter 7: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups General Commands configure end exit ping xiv 6-17 6-19 6-21 6-27 6-28 6-33 6-37 6-37 6-38 6-42 6-44 6-46 6-48 6-49 6-63 6-66 6-84 6-84 6-87 6-90 7-1 7-1 7-1 7-1 7-1 7-2 7-2 7-2 7-3 7-3 7-4 7-4 7-4 7-4 7-5 7-5 7-6 7-6 7-7 7-8 7-8 7-8 7-9 Contents reset show history show line System Management Commands country prompt system name username password ip ssh-server enable ip ssh-server port ip telnet-server enable ip http port ip http server ip https port ip https server web-redirect APmgmtIP APmgmtUI show apmanagement show system show version show config show hardware System Logging Commands logging on logging host logging console logging level logging facility-type logging clear show logging show event-log System Clock Commands sntp-server ip sntp-server enable sntp-server date-time sntp-server daylight-saving sntp-server timezone show sntp DHCP Relay Commands dhcp-relay enable dhcp-relay show dhcp-relay SNMP Commands 7-10 7-10 7-11 7-11 7-12 7-14 7-14 7-15 7-15 7-16 7-16 7-17 7-17 7-18 7-18 7-19 7-20 7-21 7-22 7-22 7-23 7-24 7-24 7-28 7-28 7-29 7-29 7-30 7-30 7-31 7-32 7-32 7-33 7-33 7-34 7-34 7-35 7-36 7-36 7-37 7-38 7-38 7-39 7-39 7-40 xv Contents snmp-server community snmp-server contact snmp-server location snmp-server enable server snmp-server host snmp-server trap snmp-server engine-id snmp-server user snmp-server targets snmp-server filter snmp-server filter-assignments show snmp groups show snmp users show snmp group-assignments show snmp target show snmp filter show snmp filter-assignments show snmp Flash/File Commands bootfile copy delete dir show bootfile RADIUS Client radius-server address radius-server port radius-server key radius-server retransmit radius-server timeout radius-server port-accounting radius-server timeout-interim radius-server radius-mac-format radius-server vlan-format show radius 802.1X Authentication 802.1x 802.1x broadcast-key-refresh-rate 802.1x session-key-refresh-rate 802.1x session-timeout 802.1x-supplicant enable 802.1x-supplicant user show authentication MAC Address Authentication address filter default xvi 7-41 7-41 7-42 7-42 7-43 7-44 7-45 7-46 7-48 7-49 7-50 7-50 7-51 7-51 7-52 7-52 7-53 7-54 7-55 7-55 7-56 7-57 7-58 7-58 7-59 7-59 7-60 7-60 7-61 7-61 7-62 7-62 7-63 7-63 7-64 7-65 7-65 7-66 7-67 7-67 7-68 7-68 7-69 7-70 7-70 Contents address filter entry address filter delete mac-authentication server mac-authentication session-timeout Filtering Commands filter local-bridge filter ap-manage filter ethernet-type enable filter ethernet-type protocol show filters WDS Bridge Commands bridge role (WDS) bridge-link parent bridge-link child bridge dynamic-entry age-time show bridge aging-time show bridge filter-entry show bridge link Spanning Tree Commands bridge stp enable bridge stp forwarding-delay bridge stp hello-time bridge stp max-age bridge stp priority bridge-link path-cost bridge-link port-priority show bridge stp Ethernet Interface Commands interface ethernet dns server ip address ip dhcp speed-duplex shutdown show interface ethernet Wireless Interface Commands interface wireless vap speed turbo multicast-data-rate channel transmit-power radio-mode preamble 7-71 7-71 7-72 7-72 7-73 7-73 7-74 7-74 7-75 7-76 7-76 7-77 7-77 7-78 7-78 7-79 7-80 7-80 7-82 7-82 7-83 7-83 7-84 7-84 7-85 7-85 7-86 7-87 7-87 7-88 7-88 7-89 7-90 7-91 7-91 7-92 7-94 7-94 7-95 7-95 7-96 7-96 7-97 7-98 7-98 xvii Contents antenna control antenna id antenna location beacon-interval dtim-period fragmentation-length rts-threshold super-a super-g description ssid closed-system max-association assoc-timeout-interval auth-timeout-value shutdown show interface wireless show station Rogue AP Detection Commands rogue-ap enable rogue-ap authenticate rogue-ap duration rogue-ap interval rogue-ap scan show rogue-ap Wireless Security Commands auth encryption key transmit-key cipher-suite mic_mode wpa-pre-shared-key pmksa-lifetime pre-authentication Link Integrity Commands link-integrity ping-detect link-integrity ping-host link-integrity ping-interval link-integrity ping-fail-retry link-integrity ethernet-detect show link-integrity IAPP Commands iapp VLAN Commands xviii 7-99 7-100 7-100 7-101 7-101 7-102 7-103 7-104 7-104 7-105 7-105 7-106 7-106 7-107 7-107 7-107 7-109 7-110 7-111 7-111 7-112 7-113 7-113 7-114 7-115 7-115 7-116 7-118 7-119 7-120 7-121 7-122 7-123 7-123 7-124 7-125 7-126 7-126 7-127 7-127 7-127 7-128 7-129 7-129 7-130 Contents vlan management-vlanid vlan-id WMM Commands wmm wmm-acknowledge-policy wmmparam 7-130 7-131 7-131 7-132 7-133 7-133 7-134 Appendix A: Troubleshooting A-1 Appendix B: Cables and Pinouts B-1 Twisted-Pair Cable Assignments 10/100BASE-TX Pin Assignments Straight-Through Wiring Crossover Wiring Console Port Pin Assignments Wiring Map for Serial Cable B-1 B-1 B-2 B-3 B-3 B-4 Appendix C: Specifications C-1 General Specifications Sensitivity Transmit Power Operating Range C-1 C-4 C-5 C-6 Glossary Index xix Contents xx Chapter 1: Introduction The 2.4 GHz/5 GHz Wireless Access Point is an IEEE 802.11a/g access point that provides transparent, wireless high-speed data communications between the wired LAN and fixed or mobile devices equipped with an 802.11a, 802.11b, or 802.11g wireless adapter. This solution offers fast, reliable wireless connectivity with considerable cost savings over wired LANs (which include long-term maintenance overhead for cabling). Using 802.11a and 802.11g technology, this access point can easily replace a 10 Mbps Ethernet connection or seamlessly integrate into a 10/100 Mbps Ethernet LAN. The access point supports up to eight Virtual Access Points per physical radio interface, that is eight on the 802.11a radio and eight on the 802.11g radio. This allows traffic to be separated for different user groups using an access point that services one area. For each VAP, different security settings, VLAN assignments, and other parameters can be applied. Each radio interface on the access point can operate in one of four modes: • • • • Access Point – Providing conectivity to wireless clients in the service area. Repeater – Providing an extended link to a remote access point from the wired LAN. In this mode, the access point does not have a cable connection to the wired Ethernet LAN. Bridge – Providing links to access points operating in “Bridge” or “Root Bridge” mode and thereby connecting other wired LAN segments. Root Bridge – Providing links to other access points operating in “Bridge” mode and thereby connecting other wired LAN segments. Only one unit in the wireless bridge network can be set to “Root Bridge” mode. In addition, the access point offers full network management capabilities through an easy to configure web interface, a command line interface for initial configuration and troubleshooting, and support for Simple Network Management Protocol tools. Radio Characteristics – The IEEE 802.11a/g standard uses a radio modulation technique known as Orthogonal Frequency Division Multiplexing (OFDM), and a shared collision domain (CSMA/CA). It operates at the 5 GHz Unlicensed National Information Infrastructure (UNII) band for connections to 802.11a clients, and at 2.4 GHz for connections to 802.11g clients. IEEE 802.11g includes backward compatibility with the IEEE 802.11b standard. IEEE 802.11b also operates at 2.4 GHz, but uses Direct Sequence Spread Spectrum (DSSS) and Complementary Code Keying (CCK) modulation technology to achieve a communication rate of up to 11 Mbps. The access point supports a 54 Mbps half-duplex connection to Ethernet networks for each active channel (or up to 108 Mbps when using turbo mode on the 802.11a interface). 1-1 1 Introduction Package Checklist The 2.4 GHz/5 GHz Wireless Access Point package includes: • • • • • • One 2.4 GHz/5 GHz Wireless Access Point One Category 5 network cable One RS-232 console cable One AC power adapter and power cord Four rubber feet User Guide CD Inform your dealer if there are any incorrect, missing or damaged parts. If possible, retain the carton, including the original packing materials. Use them again to repack the product in case there is a need to return it. Hardware Description Top Panel Antennas LED Indicators PWR 1-2 Link 11a 11g 1 Hardware Description Rear Panel Lock Security Slot DC 5V 5 VDC Power Socket POE In Reset Console Console Port Reset Button RJ-45 Port, PoE Connector Component Description Antennas The access point includes integrated diversity antennas for wireless communications. A diversity antenna system uses two identical antennas to receive and transmit signals, helping to avoid multipath fading effects. When receiving, the access point checks both antennas and selects the one with the strongest signal. When transmitting, it will continue to use the antenna previously selected for receiving. The access point never transmits from both antennas at the same time. The antennas transmit the outgoing signal as a toroidal sphere (doughnut shaped), with the coverage extending most in a direction perpendicular to the antenna. The antenna should be adjusted to an angle that provides the appropriate coverage for the service area. For further information, see “Positioning the Antennas” on 2-2. LED Indicators The access point includes four status LED indicators, as described in the following figure and table. PWR Power Link Ethernet Link/Activity 11a 802.11a Wireless Link/Activity 11g 802.11b/g Wireless Link/Activity 1-3 1 Introduction LED Status PWR On Description Indicates that the system is working normally. Flashing Indicates running a self-test or loading the software program. Flashing (Prolonged) Indicates system errors. Link 11a 11g On Indicates a valid 10/100 Mbps Ethernet cable link. Flashing Indicates that the access point is transmitting or receiving data on a 10/100 Mbps Ethernet LAN. Flashing rate is proportional to network activity. On Indicates that the 802.11a radio is enabled. Flashing Indicates that the access point is transmitting or receiving data through wireless links. Flashing rate is proportional to network activity. Off Indicates that the 802.11a radio is disabled. On Indicates that the 802.11b/g radio is enabled. Flashing Indicates that the access point is transmitting or receiving data through wireless links. Flashing rate is proportional to network activity. Off Indicates that the 802.11b/g radio is disabled. Security Slot The access point includes a Kensington security slot on the rear panel. You can prevent unauthorized removal of the access point by wrapping the Kensington security cable (not provided) around an unmovable object, inserting the lock into the slot, and turning the key. Console Port This port is used to connect a console device to the access point through a serial cable. This connection is described under “Console Port Pin Assignments” on page B-3. The console device can be a PC or workstation running a VT-100 terminal emulator, or a VT-100 terminal. Ethernet Port The access point has one 10BASE-T/100BASE-TX RJ-45 port that can be attached directly to 10BASE-T/100BASE-TX LAN segments. These segments must conform to the IEEE 802.3 or 802.3u specifications. This port uses an MDI (i.e., internal straight-through) pin configuration. You can therefore use straight-through twisted-pair cable to connect this port to most network interconnection devices such as a switch or router that provide MDI-X ports. However, when connecting the access point to a workstation or other device that does not have MDI-X ports, you must use crossover twisted-pair cable. The access point appears as an Ethernet node and performs a bridging function by moving packets from the wired LAN to remote workstations on the wireless infrastructure. 1-4 Features and Benefits Note: The RJ-45 port also supports Power over Ethernet (PoE) based on the IEEE 802.3af standard. Refer to the description for the “Power Connector” for information on supplying power to the access point’s network port from a network device, such as a switch, that provides Power over Ethernet (PoE). Reset Button This button is used to reset the access point or restore the factory default configuration. If you hold down the button for less than 5 seconds, the access point will perform a hardware reset. If you hold down the button for 5 seconds or more, any configuration changes you may have made are removed, and the factory default configuration is restored to the access point. Power Connector The access point does not have a power switch. It is powered on when connected to the AC power adapter, and the power adapter is connected to a power source. The power adapter automatically adjusts to any voltage between 100-240 volts at 50 or 60 Hz. No voltage range settings are required. The access point may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard. Note that if the access point is connected to a PoE source device and also connected to a local power source through the AC power adapter, PoE will be disabled. Features and Benefits • • • • • • Local network connection via 10/100 Mbps Ethernet ports or 54 Mbps wireless interface (supporting up to 128 mobile users) IEEE 802.11a, 802.11b, and 802.11g compliant Interoperable with multiple vendors based on the IEEE 802.11f protocol Advanced security through 64/128/152-bit Wired Equivalent Protection (WEP) encryption, IEEE 802.1X authentication via a RADIUS server, Wi-Fi Protected Access (WPA), and MAC address filtering features to protect your sensitive data and authenticate only authorized users to your network Provides seamless roaming within the IEEE 802.11a, 802.11b and 802.11g WLAN environment Scans all available channels and selects the best channel for each client based on the signal-to-noise ratio 1-5 1 Introduction Applications Wireless network products offer a high speed, reliable, cost-effective solution for wireless Ethernet client access to the network in applications such as: • Remote access to corporate network information – E-mail, file transfer, and terminal emulation. Difficult-to-wire environments – Historical or old buildings, asbestos installations, and open areas where wiring is difficult to employ. Frequently changing environments – Retailers, manufacturers, and banks that frequently rearrange the workplace or change location. Temporary LANs for special projects or peak times – Trade shows, exhibitions and construction sites that need temporary setup for a short time period. Retailers, airline and shipping companies that need additional workstations for a peak period. Auditors who require workgroups at customer sites. Access to databases for mobile workers – Doctors, nurses, retailers, or white-collar workers who need access to databases while being mobile in a hospital, retail store, or an office campus. SOHO users – SOHO (Small Office and Home Office) users who need easy and quick installation of a small computer network. • • • • • System Defaults The following table lists some of the access point’s basic system defaults. To reset the access point defaults, use the CLI command “reset configuration” from the Exec level prompt. Table 1-1. System Defaults Feature Parameter Default Identification System Name SMC Administration User Name admin Password null General 1-6 HTTP Server Enabled HTTP Server Port 80 HTTPS Server Enabled HTTPS Server Port 443 Web Redirect Disabled System Defaults Table 1-1. System Defaults Feature Parameter Default TCP/IP DHCP Enabled RADIUS (Primary and Secondary) SSH IP Address 192.168.1.1 Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 Primary DNS IP 0.0.0.0 Secondary DNS IP 0.0.0.0 IP Address 0.0.0.0 Port 1812 Key DEFAULT Timeout 5 seconds Retransmit attempts Accounting Port 0 (Disabled) Interim Update Timeout 3600 seconds Server Status Enabled Server Port 22 PPPoE PPPoE Status Disabled MAC Authentication MAC Disabled 802.1X Authentication VLAN QoS Authentication Session Timeout 0 minutes (disabled) Local MAC System Default Allowed Local MAC Permission Allowed Status Disabled Broadcast Key Refresh 0 minutes (disabled) Session Key Refresh 0 minutes (disabled) Reauthentication Refresh Rate 0 seconds (disabled) Supplicant Disabled Management VLAN ID VLAN ID (VAP Interface) VLAN Tag Support Disabled QoS Mode Off SVP (SpectraLink Voice Priority) Disabled 1-7 1 Introduction Table 1-1. System Defaults Feature Parameter Default Filter Control Local Bridge Disabled SNMP System Logging System Clock Ethernet Interface 1-8 AP Management Enabled Ethernet Type Disabled Status Enabled Location null Contact null Community (Read Only) Public Community (Read/Write) Private Traps Enabled Trap Destination (1-4) Disabled Trap Destination IP Address null Trap Destination Community Name Public SNMP v3 Groups RO RWAuth RWPriv SNMP v3 Users none Syslog Disabled Logging Host Disabled Logging Console Disabled IP Address / Host Name 0.0.0.0 Logging Level Informational Logging Facility Type 16 SNTP Server Status Enabled SNTP Server 1 IP 137.92.140.80 SNTP Server 2 IP 192.43.244.18 Date and Time 00:00, Jan 1, 1970 (when there is no time server) Daylight Saving Time Disabled Time Zone GMT-5 (Eastern Time, US and Canada) Speed and Duplex Auto System Defaults Table 1-1. System Defaults Feature Parameter Default Wireless Interface 802.11a IAPP Enabled SSID VAP_TEST_11A (0 to 7) Turbo Mode Disabled Status Disabled Auto Channel Select Enabled Closed System Disabled Transmit Power Full Max Station Data Rate 54 Mbps Multicast Data Rate 6 Mbps Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 1 beacon Wireless Security 802.11a RTS Threshold 2347 bytes Association Timeout Interval 30 minutes Authentication Timeout Interval 60 minutes Rogue AP Detection Disabled Antenna Control Method Diversity Antenna ID 0x0000 Antenna Location Indoor Authentication Type Open System Data Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number WEP Keys null WPA Configuration Mode WEP Only (Disabled) WPA Key Management WPA Pre-shared Key WPA PSK Type Alphanumeric Multicast Cipher WEP 1-9 1 Introduction Table 1-1. System Defaults Feature Parameter Default Wireless Interface 802.11b/g IAPP Enabled SSID VAP_TEST_11G (0 to 7) Radio Mode b+g Status Disabled Auto Channel Select Enabled Closed System Disabled Transmit Power Full Max Station Data Rate 54 Mbps Multicast Data Rate 5.5 Mbps Preamble Length Long Beacon Interval 100 TUs Data Beacon Rate (DTIM Interval) 1 beacon RTS Threshold Wireless Security 802.11b/g 1-10 2347 bytes Association Timeout Interval 30 minutes Authentication Timeout Interval 60 minutes Rogue AP Detection Disabled Antenna Control Method Diversity Antenna ID 0x0000 Antenna Location Indoor Authentication Type Open System Data Encryption Disabled WEP Key Length 128 bits WEP Key Type Hexadecimal WEP Transmit Key Number WEP Keys null WPA Configuration Mode WEP Only (Disabled) WPA Key Management WPA Pre-shared Key WPA PSK Type Alphanumeric Multicast Cipher WEP System Defaults Table 1-1. System Defaults Feature Parameter Default Link Integrity Status Disabled Ping Interval 30 seconds Fail Retry Count 1-11 1 Introduction 1-12 Chapter 2: Hardware Installation 1. Select a Site – Choose a proper place for the access point. In general, the best location is at the center of your wireless coverage area, within line of sight of all wireless devices. Try to place the access point in a position that can best cover its Basic Service Set (refer to “Infrastructure Wireless LAN” on page 4-3). For optimum performance, consider these points: • Mount the access point as high as possible above any obstructions in the coverage area. • Avoid mounting next to or near building support columns or other obstructions that may cause reduced signal or null zones in parts of the coverage area. • Mount away from any signal absorbing or reflecting structures (such as those containing metal). 2. Mount the Access Point – The access point can be mounted on any horizontal surface. Mounting on a horizontal surface – To keep the access point from sliding on the surface, attach the four rubber feet provided in the accessory kit to the marked circles on the bottom of the access point. Lock the Access Point in Place – To prevent unauthorized removal of the access point, you can use a Kensington Slim MicroSaver security cable (not included) to attach the access point to a fixed object. 3. Connect the Power Cord – Connect the power adapter to the access point, and the power cord to an AC power outlet. Otherwise, the access point can derive its operating power directly from the RJ-45 port when connected to a device that provides IEEE 802.3af compliant Power over Ethernet (PoE). Note: If the access point is connected to both a PoE source device and an AC power source, PoE will be disabled. Caution: Use ONLY the power adapter supplied with this access point. Otherwise, the product may be damaged. 2-1 2 Hardware Installation 4. Observe the Self Test – When you power on the access point, verify that the PWR indicator stops flashing and remains on, and that the other indicators start functioning as described under “LED Indicators” on page 1-3. If the PWR LED does not stop flashing, the self test has not completed correctly. Refer to “Troubleshooting” on page A-1. 5. Connect the Ethernet Cable – The access point can be wired to a 10/100 Mbps Ethernet through a network device such as a hub or a switch. Connect your network to the RJ-45 port on the back panel with category 3, 4, or 5 UTP Ethernet cable. When the access point and the connected device are powered on, the Ethernet Link LED should light indicating a valid network connection. If this LED fails to turn on refer to “Troubleshooting” on page A-1. Note: The RJ-45 port on the access point uses an MDI pin configuration, so you must use straight-through cable for network connections to switches that only have MDI-X ports, and crossover cable for network connections to PCs, servers or other devices that only have MDI ports. However, if the connected device supports auto-MDI/MDI-X operation, you can use either straight-through or crossover cable. 6. Position the Antennas – Each antenna emits a radiation pattern that is toroidal (doughnut shaped), with the coverage extending most in the direction perpendicular to the antenna. Therefore, the antennas should be oriented so that the radio coverage pattern fills the intended horizontal space. Also, the diversity antennas should both be positioned along the same axes, providing the same coverage area. For example, if the access point is mounted on a horizontal surface, both antennas should be positioned pointing vertically up to provide optimum coverage. 7. Connect the Console Port – Connect the console cable (included) to the RS-232 console port for accessing the command-line interface. You can manage the access point using the console port (Chapter 6), the web interface (Chapter 5), or SNMP management software such as HP’s OpenView. 2-2 Chapter 3: External Antennas The SMC WA6102X-2AG provides a variety of external antenna options for extending the radio range and shaping the coverge area. These antennas offer a number of different mounting locations, including indoor or outdoor, wall, ceiling, or radio mast. This chapter shows you how to install an external antenna for your WA6102X-2AG. Only the SMC antennas listed in this guide are permitted to be connected to the WA6102X-2AG. You must use the appropriate antennas, cables, and where applicable, surge arrestors, for your given region. You are responsible for verifying local regulations or legislation that may impose restrictions on the use of specific antenna and cable combinations. For this reason, SMC recommends that you consult with a professional installer who is trained in RF installation and knowledgeable in the local regulations prior to connecting an external antenna to your wireless radio product. It is the responsibility of the end user to ensure that the antenna installation complies with the local radio regulations. Instalation Procedures Follow these steps to install an external antenna and connect it to the WA6102X-2AG. Caution: Never mount the access point outdoors to be near an external antenna. The access point must always be installed indoors. 1. Plan the Installation • Pigtail Cables - Use the coax pigtail cable attached to the antenna to connect to the access point. Because most pigtail cables are a relatively short length (83 cm or 33 inches), be sure to find a suitable mounting position for the antenna that is not too far from the access point. If an extension cable is required, please contact a professional installer who is trained in RF installation and knowledgeable in the local regulations. • Installation Location - Plan the antenna’s position and orientation. Warning: The radiated output power of this device is below the FCC radio exposure limits. Nevertheless, the device should be used in such a manner that the potential for human contact during normal operation is minimized. To avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antennas should not be less than 20 cm (8 inches) during normal operation. 3-1 3 External Antennas Consider these points: • Use the antenna’s mounting bracket or other hardware, if included. • For optimum performance, mount antennas as high as possible above any obstructions, and away from any signal absorbing or reflecting structures (such as those containing metal) • Be sure there are no other radio antennas mounted within 2 m (6 ft). • Consider the antenna’s radio coverage pattern so that it can properly cover the intended service area. • Omnidirectional Antennas - Consider these factors when selecting a location for these antennas: • Always mount the antenna in a vertical orientation so that the radio coverage pattern fills the intended horizontal space. • For optimum coverage, mount the antenna at the center of the area with a line-of-sight path to all points within the area. • Avoid mounting next to or near building support columns or other obstructions that may cause reduced signal or null zones in parts of the coverage area. • When mounting outdoors using a mast, make sure that the antenna extends beyond the top of the mast. • Directional Antennas - Consider these factors when selecting a location for these antennas: • For optimum coverage, mount the antenna above any obstructions, directed at the center of the coverage area sector. • High-gain directional antennas provide a flattened radio coverage pattern in the horizontal plane. Use the tilting or articulated mounts to point the antennas towards the coverage area. • Outdoor Installation - When installing an antenna outdoors, be sure to consider these additional factors: • Always place the antenna away from power and telephone lines • Make sure that the antenna, any supporting structure, and cables are all properly grounded. • For lightning protection, consider using a lightning arrestor immediately before the cable enters the building. Warning: 2. Never install an antenna or construct a radio mast near overhead power lines. Mount the Antenna Install the antenna in its planned location using the brackets, clips, or other hardware included in the antenna package. Refer to documentation included with the antenna for specific information and installation instructions. 3-2 3 Instalation Procedures 3. Connect Pigtail Cables to the Access Point Use the pigtail cables that are attached to the antenna, or are included in the antenna package. If an extension cable is required, please contact a professional installer who is trained in RF installation and knowledgeable in the local regulations. Note that diversity antennas have two pigtail cables. A diversity antenna includes two internal antenna elements that are identical. Both antenna pigtail cables must be connected to the access point for correct operation. Other non-diversity antennas, which have only one pigtail cable, attach to the access point’s right antenna connector. The access point’s right antenna is the one on the side closest to the LED indicators. When using a non-diversity antenna, a 50-ohm terminator (included with the antenna) must be connected to the access point’s left antenna connector. To connect pigtail cables to the access point, follow these steps: 1. Disable the access point radio using the web browser interface, CLI, or SNMP. 2. Remove power to the access point. 3. Remove both of the access point’s antennas by unscrewing them at their base. Right antenna Unscrew antenna to remove 4. For diversity antennas, connect the antenna pigtail cables to the exposed Reverse SMA connectors on both sides of the access point. For non-diversity antennas, be sure to connect the single pigtail cable to the Reverse SMA connector on the access point’s right side. When using a non-diversity antenna, you must also connect the 50-ohm terminator (5092-0933), included with the antenna, to the access point’s left-side Reverse SMA connector. 3-3 3 External Antennas Screw onto access point’s 5. Antenna pigtail cable Reconnect power to the access point. Note: Before enabling the radio with an external antenna attached, be sure to first configure the access point’s antenna mode and transmit power settings. 3-4 Chapter 4: Network Configuration Wireless networks support a stand-alone configuration as well as an integrated configuration with 10/100 Mbps Ethernet LANs. The 2.4 GHz/5 GHz Wireless Access Point also provides repeater and bridging services that can be configured independently on either the 5 GHz or 2.4 GHz radio interfaces. Access points can be deployed to support wireless clients and connect wired LANs in the following configurations: • • • • • Ad hoc for departmental, SOHO or enterprise LANs Infrastructure for wireless LANs Infrastructure wireless LAN for roaming wireless PCs Infrastructure wireless bridge to connect wired LANs Infrastructure wireless repeater for extended range The 802.11b and 802.11g frequency band which operates at 2.4 GHz can easily encounter interference from other 2.4 GHz devices, such as other 802.11b or g wireless devices, cordless phones and microwave ovens. If you experience poor wireless LAN performance, try the following measures: • • • • Limit any possible sources of radio interference within the service area Increase the distance between neighboring access points Decrease the signal strength of neighboring access points Increase the channel separation of neighboring access points (e.g. up to 5 channels of separation for 802.11b and 802.11g) 4-1 4 Network Configuration Network Topologies Ad Hoc Wireless LAN (no Access Point) An ad hoc wireless LAN consists of a group of computers, each equipped with a wireless adapter, connected via radio signals as an independent wireless LAN. Computers in a specific ad hoc wireless LAN must therefore be configured to the same radio channel. An ad hoc wireless LAN can be used for a branch office or SOHO operation. Ad Hoc Wireless LAN Notebook with Wireless USB Adapter Notebook with Wireless PC Card PC with Wireless PCI Adapter 4-2 Network Topologies Infrastructure Wireless LAN The access point also provides access to a wired LAN for wireless workstations. An integrated wired/wireless LAN is called an Infrastructure configuration. A Basic Service Set (BSS) consists of a group of wireless PC users, and an access point that is directly connected to the wired LAN. Each wireless PC in this BSS can talk to any computer in its wireless group via a radio link, or access other computers or network resources in the wired LAN infrastructure via the access point. The infrastructure configuration not only extends the accessibility of wireless PCs to the wired LAN, but also increases the effective wireless transmission range for wireless PCs by passing their signal through one or more access points. A wireless infrastructure can be used for access to a central database, or for connection between mobile workers, as shown in the following figure. Wired LAN Extension to Wireless Clients Server Desktop PC Switch Access Point Notebook PC Desktop PC 4-3 4 Network Configuration Infrastructure Wireless LAN for Roaming Wireless PCs The Basic Service Set (BSS) defines the communications domain for each access point and its associated wireless clients. The BSS ID is a 48-bit binary number based on the access point’s wireless MAC address, and is set automatically and transparently as clients associate with the access point. The BSS ID is used in frames sent between the access point and its clients to identify traffic in the service area. The BSS ID is only set by the access point, never by its clients. The clients only need to set the Service Set Identifier (SSID) that identifies the service set provided by one or more access points. The SSID can be manually configured by the clients, can be detected in an access point’s beacon, or can be obtained by querying for the identity of the nearest access point. For clients that do not need to roam, set the SSID for the wireless card to that used by the access point to which you want to connect. A wireless infrastructure can also support roaming for mobile workers. More than one access point can be configured to create an Extended Service Set (ESS). By placing the access points so that a continuous coverage area is created, wireless users within this ESS can roam freely. All wireless network cards and adapters and wireless access points within a specific ESS must be configured with the same SSID. Seamless Roaming Between Access Points Server Desktop PC Switch Switch Access Point Notebook PC Notebook PC Access Point Desktop PC 4-4 4 Network Topologies Infrastructure Wireless Bridge The IEEE 802.11 standard defines a WIreless Distribution System (WDS) for bridge connections between BSS areas (access points). The access point uses WDS to forward traffic on links between units. The access point supports WDS bridge links on either the 5 GHz (802.11a) or 2.4 GHz (802.11b/g) bands and can be used with various external antennas to offer flexible deployment options. Up to six WDS bridge links can be specified for each unit in the wireless bridge network. One unit only must be configured as the “root bridge” in the wireless network. The root bridge should be the unit connected to the main core of the wired LAN. Other bridges must configure one “parent” link to the root bridge or to a bridge connected to the root bridge. The other five available WDS links can be specified as “child” links to other bridges. This forms a tiered-star topology for the wireless bridge network. When using WDS on a radio band, only wireless bridge units can associate to each other. Wireless clients can only associate with the access point using a radio band set to access point or repeater mode. Network Core 802.11g Radio AP Link Root Bridge 802.11a Radio Bridge Link Wireless Bridge Links Between Access Points 802.11a Radio Bridge Link 802.11g Radio AP Link Bridge 802.11a Radio Bridge Link 802.11g Radio AP Link Bridge 802.11g Radio AP Link Bridge 4-5 4 Network Configuration Infrastructure Wireless Repeater The access point can also operate in a bridge “repeater” mode to extend the range of links to wireless clients. The access point uses WDS to forward traffic between the repeater bridge and the root bridge. The access point supports up to six WDS repeater links. In repeater mode, the access point does not support an Ethernet link to a wired LAN. Note that when the access point operates in this mode only half the normal throughput is possible. This is because the access point has to receive and then re-transmit all data on the same channel. Network Core Wireless Repeater Links Between Access Points Root Bridge 802.11g Radio Repeater Link 802.11g Radio Repeater Link Repeater 802.11g Radio AP Link 802.11g Radio AP Link 4-6 Repeater Chapter 5: Initial Configuration The 2.4 GHz/5 GHz Wireless Access Point offers a variety of management options, including a web-based interface, a direct connection to the console port, Telnet, Secure Shell (SSH), or using SNMP software. The initial configuration steps can be made through the web browser interface or CLI. The access point requests an IP address via DHCP by default. If no response is received from the DHCP server, then the access point uses the default address 192.168.1.1. If this address is not compatible with your network, you can first use the command line interface (CLI) as described below to configure a valid address. Note: Units sold in countries outside the United States are not configured with a specific country code. You must use the CLI to set the country code and enable wireless operation (page 5-3). Initial Setup through the CLI Required Connections The access point provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuration. Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the access point. You can use the console cable provided with this package, or use a cable that complies with the wiring assignments shown on page B-3. To connect to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector. 2. Connect the other end of the cable to the RS-232 serial port on the access point. 3. Make sure the terminal emulation software is set as follows: • • • • • • Select the appropriate serial port (COM port 1 or 2). Set the data rate to 9600 baud. Set the data format to 8 data bits, 1 stop bit, and no parity. Set flow control to none. Set the emulation mode to VT100. When using HyperTerminal, select Terminal keys, not Windows keys. 5-1 5 Initial Configuration Note: When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation. See www.microsoft.com for information on Windows 2000 service packs. 4. Once you have set up the terminal correctly, press the [Enter] key to initiate the console connection. The console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 7-1. For a list of all the CLI commands and detailed information on using the CLI, refer to “Command Groups” on page 7-6. Initial Configuration Steps Logging In – Enter “admin” for the user name. The default password is null, so just press [Enter] at the password prompt. The CLI prompt appears displaying the access point’s name. Username: admin Password: Enterprise AP# Setting the IP Address – By default, the access point is configured to obtain IP address settings from a DHCP server. If a DHCP server is not available, the IP address defaults to 192.168.1.1, which may not be compatible with your network. You will therefore have to use the command line interface (CLI) to assign an IP address that is compatible with your network. Type “configure” to enter configuration mode, then type “interface ethernet” to access the Ethernet interface-configuration mode. Enterprise AP#configure Enterprise AP(config)#interface ethernet Enterprise AP(config-if)# First type “no ip dhcp” to disable DHCP client mode. Then type “ip address ip-address netmask gateway,” where “ip-address” is the access point’s IP address, “netmask” is the network mask for the network, and “gateway” is the default gateway router. Check with your system administrator to obtain an IP address that is compatible with your network. Enterprise AP(if-ethernet)#no ip dhcp Enterprise AP(if-ethernet)#ip address 192.168.2.2 255.255.255.0 192.168.2.254 Enterprise AP(if-ethernet)# 5-2 5 Logging In After configuring the access point’s IP parameters, you can access the management interface from anywhere within the attached network. The command line interface can also be accessed using Telnet from any computer attached to the network. Setting the Country Code – Units sold in the United States are configured by default to use only radio channels 1-11 in 802.11b or 802.11g mode as defined by FCC regulations. Units sold in other countries are configured by default without a country code (i.e., 99). You must use the CLI to set the country code. Setting the country code restricts operation of the access point to the radio channels and transmit power levels permitted for wireless networks in the specified country. Type “exit” to leave configuration mode. Then type “country ?” to display the list of countries. Select the code for your country, and enter the country command again, following by your country code (e.g., tw for Taiwan). Enterprise AP#country tw Enterprise AP# Note: Command examples shown later in this manual abbreviate the console prompt to “AP” for simplicity. Logging In There are only a few basic steps you need to complete to connect the access point to your corporate network, and provide network access to wireless clients. The access point can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the default IP address: http://192.168.1.1 Logging In – Enter the username “admin,” the password is null, so just press just leave it blank and click LOGIN. For information on configuring a user name and password, see page 6-28. 5-3 5 Initial Configuration The home page displays the Main Menu. 5-4 Chapter 6: System Configuration Before continuing with advanced configuration, first complete the initial configuration steps described in Chapter 4 to set up an IP address for the access point. The access point can be managed by any computer using a web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Enter the configured IP address of the access point, or use the default address: http://192.168.1.1 To log into the access point, enter the default user name “admin”, leave the password blank, and press “LOGIN”. When the home page displays, click on Advanced Setup. The following page will display. The information in this chapter is organized to reflect the structure of the web screens for easy reference. However, it is recommended that you configure a user name and password as the first step under advanced configuration to control management access to this device (page 6-28). 6-1 6 System Configuration Advanced Configuration The Advanced Configuration pages include the following options. Table 6-2. Menu Menu System Description Page Configures basic administrative and client access 6-3 Identification Specifies the host name 6-3 TCP / IP Settings Configures the IP address, subnet mask, gateway, and domain name servers 6-5 RADIUS Configures the RADIUS server for wireless client authentication and accounting 6-7 SSH Settings Configures Secure Shell management access 6-11 Authentication Configures 802.1X client authentication, with an option for MAC address authentication 6-12 Filter Control Filters communications between wireless clients, access to the management interface from wireless clients, and traffic matching specific Ethernet protocol types 6-17 VLAN Enables VLAN support and sets the management VLAN ID 6-19 WDS Settings Configures bridge or repeater modes for each radio interface and sets spanning tree parameters 6-21 AP Management Configures access to management interfaces 6-27 Administration Configures user name and password for management access; upgrades software from local file, FTP or TFTP server; resets configuration settings to factory defaults; and resets the access point 6-28 System Log Controls logging of error messages; sets the system clock via SNTP server or manual configuration 6-33 Mesh Settings Configures meshing functions. 6-37 SNMP Configures SNMP settings 6-37 SNMP Controls access to this access point from management stations using SNMP, as well as the hosts that will receive trap messages 6-37 SNMP Trap Filters Defines trap filters for SNMPv3 users 6-44 SNMP Targets Specifies SNMPv3 users that will receive trap messages 6-46 Radio Interface A Configures the IEEE 802.11a interface 6-48 Radio Settings Configures common radio signal parameters and other settings for each VAP interface 6-49 Security Enables each virtual access point (VAP) interface, sets the Service Set Identifier (SSID), and configures wireless security 6-66 Radio Interface G Radio Settings 6-2 Configures the IEEE 802.11g interface 6-48 Configures common radio signal parameters and other settings for each VAP interface 6-63 Advanced Configuration Table 6-2. Menu Menu Security Description Page Enables each VAP interface, sets the SSID, and configures wireless security 6-66 Displays information about the access point and wireless clients 6-84 AP Status Displays configuration settings for the basic system and the wireless interface 6-84 Station Station Shows the wireless clients currently associated with the access point 6-87 Event Logs Shows log messages stored in memory 6-90 Mesh Status Displays information on the mesh configuration settings and current network topology 6-91 Status System Identification The system name for the access point can be left at its default setting. However, modifying this parameter can help you to more easily distinguish different devices in your network. System Name – An alias for the access point, enabling the device to be uniquely identified on the network. (Default: SMC; Range: 1-32 characters) 6-3 6 System Configuration CLI Commands for System Identification – Enter the global configuration mode, and use the system name command to specify a new system name. Then return to the Exec mode, and use the show system command to display the changes to the system identification settings. Enterprise Enterprise Enterprise Enterprise AP#config AP(config)#system name R&D AP(config)#end AP#show system Enterprise AP#config Enter configuration commands, one per line. Enterprise AP(config)#system name R&D Enterprise AP(config)#end Enterprise AP#show system System Information ============================================================== Serial Number System Up time : 0 days, 0 hours, 32 minutes, 22 seconds System Name : R&D System Location System Contact : Contact System Country Code : US - UNITED STATES MAC Address : 00-12-CF-12-34-60 Radio A MAC Address : 00-12-CF-12-34-61 Radio G MAC Address : 00-12-CF-12-34-65 IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v1.1.5 Software Version : v4.3.2.0b01 SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED ============================================================== Enterprise AP# 6-4 7-14 7-87 7-23 7-8 7-14 7-87 7-23 6 Advanced Configuration TCP / IP Settings Configuring the access point with an IP address expands your ability to manage the access point. A number of access point features depend on IP addressing to operate. Note: You can use the web browser interface to access IP addressing only if the access point already has an IP address that is reachable through your network. By default, the access point will be automatically configured with IP settings from a Dynamic Host Configuration Protocol (DHCP) server. However, if you are not using a DHCP server to configure IP addressing, use the CLI to manually configure the initial IP values (see page 5-2). After you have network access to the access point, you can use the web browser interface to modify the initial IP configuration, if needed. Note: If there is no DHCP server on your network, or DHCP fails, the access point will automatically start up with a default IP address of 192.168.1.1. DHCP Client (Enable) – Select this option to obtain the IP settings for the access point from a DHCP (Dynamic Host Configuration Protocol) server. The IP address, subnet mask, default gateway, and Domain Name Server (DNS) address are dynamically assigned to the access point by the network DHCP server. (Default: Enabled) DHCP Client (Disable) – Select this option to manually configure a static address for the access point. • IP Address: The IP address of the access point. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. 6-5 6 System Configuration • Subnet Mask: The mask that identifies the host address bits used for routing to specific subnets. • Default Gateway: The default gateway is the IP address of the router for the access point, which is used if the requested destination address is not on the local subnet. If you have management stations, DNS, RADIUS, or other network servers located on another subnet, type the IP address of the default gateway router in the text field provided. Otherwise, leave the address as all zeros (0.0.0.0). • Primary and Secondary DNS Address: The IP address of Domain Name Servers on the network. A DNS maps numerical IP addresses to domain names and can be used to identify network hosts by familiar names instead of the IP addresses. If you have one or more DNS servers located on the local network, type the IP addresses in the text fields provided. Otherwise, leave the addresses as all zeros (0.0.0.0). CLI Commands for TCP/IP Settings – From the global configuration mode, enter the interface configuration mode with the interface ethernet command. Use the ip dhcp command to enable the DHCP client, or no ip dhcp to disable it. To manually configure an address, specify the new IP address, subnet mask, and default gateway using the ip address command. To specify DNS server addresses use the dns server command. Then use the show interface ethernet command from the Exec mode to display the current IP settings. Enterprise AP(config)#interface ethernet Enter Ethernet configuration commands, one per line. Enterprise AP(if-ethernet)#no ip dhcp Enterprise AP(if-ethernet)#ip address 192.168.1.2 255.255.255.0 192.168.1.253 Enterprise AP(if-ethernet)#dns primary-server 192.168.1.55 Enterprise AP(if-ethernet)#dns secondary-server 10.1.0.55 Enterprise AP(config)#end Enterprise AP#show interface ethernet Ethernet Interface Information ======================================== IP Address : 192.168.1.2 Subnet Mask : 255.255.255.0 Default Gateway : 192.168.1.253 Primary DNS : 192.168.1.55 Secondary DNS : 10.1.0.55 Speed-duplex : 100Base-TX Full Duplex Admin status : Up Operational status : Up ======================================== Enterprise AP# 6-6 7-87 7-89 7-88 7-88 7-88 7-8 7-91 6 Advanced Configuration RADIUS Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of user credentials for each user that requires access to the network. A primary RADIUS server must be specified for the access point to implement IEEE 802.1X network access control and Wi-Fi Protected Access (WPA) wireless security. A secondary RADIUS server may also be specified as a backup should the primary server fail or become inaccessible. In addition, the configured RADIUS server can also act as a RADIUS Accounting server and receive user-session accounting information from the access point. RADIUS Accounting can be used to provide valuable information on user activity in the network. Note: This guide assumes that you have already configured RADIUS server(s) to support the access point. Configuration of RADIUS server software is beyond the scope of this guide, refer to the documentation provided with the RADIUS server software. 6-7 6 6-8 System Configuration 6 Advanced Configuration Primary Radius Server Setup – Configure the following settings to use RADIUS authentication on the access point. • IP Address: Specifies the IP address or host name of the RADIUS server. • Port: The UDP port number used by the RADIUS server for authentication messages. (Range: 1024-65535; Default: 1812) • Key: A shared text string used to encrypt messages between the access point and the RADIUS server. Be sure that the same text string is specified on the RADIUS server. Do not use blank spaces in the string. (Maximum length: 255 characters) • Timeout: Number of seconds the access point waits for a reply from the RADIUS server before resending a request. (Range: 1-60 seconds; Default: 5) • Retransmit attempts: The number of times the access point tries to resend a request to the RADIUS server before authentication fails. (Range: 1-30; Default: 3) • Interim Update Timeout: The interval between transmitting accounting updates to the RADIUS server. (Range: 60-86400; Default: 3600 seconds) Note: For the Timeout and Retransmit attempts fields, accept the default values unless you experience problems connecting to the RADIUS server over the network. Secondary Radius Server Setup – Configure a secondary RADIUS server to provide a backup in case the primary server fails. The access point uses the secondary server if the primary server fails or becomes inaccessible. Once the access point switches over to the secondary server, it periodically attempts to establish communication again with primary server. If communication with the primary server is re-established, the secondary server reverts to a backup role. 6-9 6 System Configuration CLI Commands for RADIUS – From the global configuration mode, use the radius-server address command to specify the address of the primary or secondary RADIUS servers. (The following example configures the settings for the primary RADIUS server.) Configure the other parameters for the RADIUS server. Then use the show show radius command from the Exec mode to display the current settings for the primary and secondary RADIUS servers. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#radius-server AP(config)#radius-server AP(config)#radius-server AP(config)#radius-server AP(config)#radius-server AP(config)#radius-server AP(config)#radius-server AP(config)#exit AP#show radius address 192.168.1.25 port 181 key green timeout 10 retransmit 5 port-accounting 1813 timeout-interim 500 Radius Server Information ======================================== IP : 192.168.1.25 Port : 181 Key : ***** Retransmit : 5 Timeout : 10 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== Radius Secondary Server Information ======================================== IP : 0.0.0.0 Port : 1812 Key : ***** Retransmit : 3 Timeout : 5 Radius MAC format : no-delimiter Radius VLAN format : HEX ======================================== Enterprise AP# 6-10 7-59 7-60 7-60 7-61 7-61 7-62 7-62 7-64 Advanced Configuration SSH Settings Telnet is a remote management tool that can be used to configure the access point from anywhere in the network. However, Telnet is not secure from hostile attacks. The Secure Shell (SSH) can act as a secure replacement for Telnet. The SSH protocol uses generated public keys to encrypt all data transfers passing between the access point and SSH-enabled management station clients and ensures that data traveling over the network arrives unaltered. Clients can then securely use the local user name and password for access authentication. Note that SSH client software needs to be installed on the management station to access the access point for management via the SSH protocol. Notes: 1. The access point supports only SSH version 2.0. 2. After boot up, the SSH server needs about two minutes to generate host encryption keys. The SSH server is disabled while the keys are being generated. SSH Settings • SSH Server Status: Enables or disables the SSH server. (Default: Enabled) • SSH Server Port: Sets the UDP port for the SSH server. (Range: 1-65535; Default: 22) CLI Commands for SSH – To enable the SSH server, use the ip ssh-server enable command from the CLI Ethernet interface configuration mode. To set the SSH server UDP port, use the ip ssh-server port command. To view the current settings, use the show system command from the CLI Exec mode (not shown in the following example). Enterprise Enterprise Enterprise Enterprise AP(if-ethernet)#ip ssh-server enable AP(if-ethernet)#ip ssh-server port 1124 AP(if-ethernet)#exit AP(if-ethernet)#configure 7-16 7-16 6-11 6 System Configuration Authentication Wireless clients can be authenticated for network access by checking their MAC address against the local database configured on the access point, or by using a database configured on a central RADIUS server. Alternatively, authentication can be implemented using the IEEE 802.1X network access control protocol. A client’s MAC address provides relatively weak user authentication, since MAC addresses can be easily captured and used by another station to break into the network. Using 802.1X provides more robust user authentication using user names and passwords or digital certificates. You can configure the access point to use both MAC address and 802.1X authentication, with client station MAC authentication occurring prior to IEEE 802.1X authentication. However, it is better to choose one or the other, as appropriate. Take note of the following points before configuring MAC address or 802.1X authentication: • Use MAC address authentication for a small network with a limited number of users. MAC addresses can be manually configured on the access point itself without the need to set up a RADIUS server, but managing a large number of MAC addresses across many access points is very cumbersome. A RADIUS server can be used to centrally manage a larger database of user MAC addresses. • Use IEEE 802.1X authentication for networks with a larger number of users and where security is the most important issue. When using 802.1X authentication, a RADIUS server is required in the wired network to centrally manage the credentials of the wireless clients. It also provides a mechanism for enhanced network security using dynamic encryption key rotation or W-Fi Protected Access (WPA). Note: If you configure RADIUS MAC authentication together with 802.1X, RADIUS MAC address authentication is performed prior to 802.1X authentication. If RADIUS MAC authentication succeeds, then 802.1X authentication is performed. If RADIUS MAC authentication fails, 802.1X authentication is not performed. • The access point can also operate in a 802.1X supplicant mode. This enables the access point itself to be authenticated with a RADIUS server using a configured MD5 user name and password. This prevents rogue access points from gaining access to the network. Note: The 802.1X supplicant mode is only configurable using the CLI. 6-12 Advanced Configuration MAC Authentication – You can configure a list of the MAC addresses for wireless clients that are authorized to access the network. This provides a basic level of authentication for wireless clients attempting to gain access to the network. A database of authorized MAC addresses can be stored locally on the access point or remotely on a central RADIUS server. (Default: Disabled) • Disabled: No checks are performed on an associating station’s MAC address. • Local MAC: The MAC address of the associating station is compared against the local database stored on the access point. Use the Local MAC Authentication section of this web page to set up the local database, and configure all access points in the wireless network service area with the same MAC address database. • Radius MAC: The MAC address of the associating station is sent to a configured RADIUS server for authentication. When using a RADIUS authentication server for MAC address authentication, the server must first be configured in the Radius window (see “RADIUS” on page 6-7). The database of MAC addresses and filtering policy must be defined in the RADIUS server. Note: MAC addresses on the RADIUS server can be entered in four different formats (see “radius-server radius-mac-format” on page 7-63). 6-13 6 System Configuration MAC Authentication Session Timeout – Sets the interval at which associated clients will be re-authenticated with the RADIUS server. (Range: 0-1440 minutes; Default: 0, that is, disabled) WEB Redirect – Enables web-based authentication of wireless clients. This feature supports billing for a public access wireless network without requiring 802.1X or MAC authentication. After successful association to an access point, a client is “redirected” to an access point login web page as soon as Internet access is attempted. The client is then authenticated by entering a user name and password on the web page. Authentication is determined by checking these credentials against a database of user names and passwords stored n a RADIUS server that is attached to the wired network. For information on configuring the RADIUS server’s details on the access point, see “RADIUS Client” on page 6-54. (Default: Disabled) Note: Enabling Web Redirect will cause the system to reboot after 5 seconds. Local MAC Authentication – Configures the local MAC authentication database. The MAC database provides a mechanism to take certain actions based on a wireless client’s MAC address. The MAC list can be configured to allow or deny network access to specific clients. • System Default: Specifies a default action for all unknown MAC addresses (that is, those not listed in the local MAC database). • Deny: Blocks access for all MAC addresses except those listed in the local database as “Allow.” • Allow: Permits access for all MAC addresses except those listed in the local database as “Deny.” • MAC Authentication Settings: Enters specified MAC addresses and permissions into the local MAC database. • MAC Address: Physical address of a client. Enter six pairs of hexadecimal digits separated by hyphens; for example, 00-90-D1-12-AB-89. • Permission: Select Allow to permit access or Deny to block access. If Delete is selected, the specified MAC address entry is removed from the database. • Update: Enters the specified MAC address and permission setting into the local database. • MAC Authentication Table: Displays current entries in the local MAC database. 6-14 Advanced Configuration CLI Commands for Local MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable local MAC authentication. Use the mac-authentication session-timeout command to set the authentication interval, and web-redirect command to enable web-based authentication for service billing. Set the default action for MAC addresses not in the local table using the address filter default command, then enter MAC addresses in the local table using the address filter entry command. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show authentication command from the Exec mode. Enterprise AP(config)#mac-authentication server local Enterprise AP(config)#mac-authentication session-timeout 5 Enterprise AP(config)#web-redirect Enterprise AP(config)#address filter default denied Enterprise AP(config)#address filter entry 00-70-50-cc-99-1a denied Enterprise AP(config)#address filter entry 00-70-50-cc-99-1b allowed Enterprise AP(config)#address filter entry 00-70-50-cc-99-1c allowed Enterprise AP(config)#address filter delete 00-70-50-cc-99-1c Enterprise AP(config)#exit Enterprise AP#show authentication 7-72 7-72 7-20 7-70 7-71 7-71 7-68 Authentication Information =========================================================== MAC Authentication Server : LOCAL MAC Auth Session Timeout Value : 0 min 802.1x supplicant : DISABLED 802.1x supplicant user : EMPTY 802.1x supplicant password : EMPTY Address Filtering : DENIED System Default : ALLOW addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= Enterprise AP# 6-15 6 System Configuration CLI Commands for RADIUS MAC Authentication – Use the mac-authentication server command from the global configuration mode to enable remote MAC authentication. Set the timeout value for re-authentication using the macauthentication session-timeout command. Be sure to also configure connection settings for the RADIUS server (not shown in the following example). To display the current settings, use the show authentication command from the Exec mode. Enterprise AP(config)#mac-authentication server remote Enterprise AP(config)#mac-authentication session-timeout 300 Enterprise AP(config)#exit Enterprise AP#show authentication 7-72 7-72 7-68 Authentication Information =========================================================== MAC Authentication Server : REMOTE MAC Auth Session Timeout Value : 300 min 802.1x supplicant : DISABLED 802.1x supplicant user : EMPTY 802.1x supplicant password : EMPTY Address Filtering : DENIED System Default : DENY addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= Enterprise AP# CLI Command for Web Redirect – To configure the access point to use web redirect, first use the web-redirect command under global configuration mode. To display the current settings, use the show system command from the Exec mode (not shown in the following example). Enterprise AP(config)#web-redirect Enterprise AP(config)# 7-68 CLI Command for 802.1x Supplicant – To configure the access point to operate as a 802.1X supplicant, first use the 802.1X supplicant user command to set a user name and password for the access point, then use the 802.1X supplicant command to enable the feature. To display the current settings, use the show authentication command from the Exec mode (not shown in the following example) Enterprise AP(config)#802.1X supplicant user WA6102 dot1xpass Enterprise AP(config)#802.1X supplicant Enterprise AP(config)# 6-16 7-68 7-68 Advanced Configuration Filter Control The access point can employ network traffic frame filtering to control access to network resources and increase security. You can prevent communications between wireless clients and prevent access point management from wireless clients. Also, you can block specific Ethernet traffic from being forwarded by the access point. IAPP – Enables roaming between multi-vendor access points. Local Bridge Filter – Controls wireless-to-wireless communications between clients through the access point. However, it does not affect communications between wireless clients and the wired network. (Default: Enabled) • Disabled: Allows wireless-to-wireless communications between clients through the access point. • Enabled: Blocks wireless-to-wireless communications between clients through the access point. AP Management Filter – Controls management access to the access point from wireless clients. Management interfaces include the web, Telnet, or SNMP. (Default: Disabled) • Disabled: Allows management access from wireless clients. • Enabled: Blocks management access from wireless clients. 6-17 6 System Configuration Ethernet Type Filter – Controls checks on the Ethernet type of all incoming and outgoing Ethernet packets against the protocol filtering table. (Default: Disabled) • Disabled: Access point does not filter Ethernet protocol types. • Enabled: Access point filters Ethernet protocol types based on the configuration of protocol types in the filter table. If the status of a protocol is set to “ON,” the protocol is filtered from the access point. Note: Ethernet protocol types not listed in the filtering table are always forwarded by the access point. CLI Commands for Bridge Filtering – Use the filter local-bridge command from the global configuration mode to prevent wireless-to-wireless communications through the access point. Use the filter ap-manage command to restrict management access from wireless clients. To configure Ethernet protocol filtering, use the filter ethernet-type enable command to enable filtering and the filter ethernet-type protocol command to define the protocols that you want to filter. To remove an entry from the table, use the address filter delete command. To display the current settings, use the show filters command from the Exec mode. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#filter AP(config)#filter AP(config)#filter AP(config)#filter AP(config)#exit AP#show filters local-bridge ap-manage ethernet-type enable ethernet-type protocol ARP Protocol Filter Information ========================================================= Local Bridge :ENABLED AP Management :ENABLED Ethernet Type Filter :ENABLED Enabled Protocol Filters --------------------------------------------------------Protocol: ARP ISO: 0x0806 ========================================================= Enterprise AP# 6-18 7-73 7-74 7-74 7-75 7-76 Advanced Configuration VLAN The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a VLAN assigned to each associated client, a default VLAN for each VAP (Virtual Access Point) interface, and a management VLAN for the access point. Note the following points about the access point’s VLAN support: • The management VLAN is for managing the access point through remote management tools, such as the web interface, SSH, SNMP, or Telnet. The access point only accepts management traffic that is tagged with the specified management VLAN ID. • All wireless clients associated to the access point are assigned to a VLAN. If IEEE 802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. If a client is not assigned to a specific VLAN or if 802.1X is not used, the client is assigned to the default VLAN for the VAP interface with which it is associated. The access point only allows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface. • When VLAN support is enabled on the access point, traffic passed to the wired network is tagged with the appropriate VLAN ID, either an assigned client VLAN ID, default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped. • When VLAN support is disabled, the access point does not tag traffic passed to the wired network and ignores the VLAN tags on any received frames. Note: Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point’s management VLAN ID, default VLAN IDs, and other client VLAN IDs. Otherwise, connectivity to the access point will be lost when you enable the VLAN feature. Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from clients, thereby improving security. A VLAN ID (1-4094) can be assigned to a client after successful IEEE 802.1X authentication. The client VLAN IDs must be configured on the RADIUS server for each user authorized to access the network. If a client does not have a configured VLAN ID on the RADIUS server, the access point assigns the client to the configured default VLAN ID for the VAP interface. Note: When using IEEE 802.1X to dynamically assign VLAN IDs, the access point must have 802.1X authentication enabled and a RADIUS server configured. Wireless clients must also support 802.1X client software. 6-19 6 System Configuration When setting up VLAN IDs for each user on the RADIUS server, be sure to use the RADIUS attributes and values as indicated in the following table. Number RADIUS Attribute Value 64 Tunnel-Type VLAN (13) 65 Tunnel-Medium-Type 802 81 Tunnel-Private-Group-ID VLANID (1 to 4094 as hexadecimal or string) VLAN IDs on the RADIUS server can be entered as hexadecimal digits or a string (see “radius-server vlan-format” on page 7-63). Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software. Management Native VLAN ID – The VLAN ID that traffic must have to be able to manage the access point. (Range 1-4094; Default: 1) System VLAN status (forces AP reboot) – Enables or disables VLAN tagging support on the access point. Changing this parameter automatically reboots the access point. (Default: Disable) 6-20 Advanced Configuration WDS Settings Each access point radio interface can be configured to operate in a bridge or repeater mode, which allows it to forward traffic directly to other access point units. To set up bridge links between access point units, you must configure the WIreless Distribution System (WDS) forwarding table by specifying the wireless MAC address of all units to which you want to forward traffic. Up to six WDS bridge or repeater links can be specified for each unit in the wireless bridge network. The Spanning Tree Protocol (STP) can be used to detect and disable network loops, and to provide backup links between bridges. This allows a wireless bridge to interact with other bridging devices (that is, an STP-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. WDS Bridge – Up to six WDS bridge or repeater links (MAC addresses) per radio interface can be specified for each unit in the wireless bridge network. One unit only must be configured as the “root bridge” in the wireless network. The root bridge is the unit connected to the main core of the wired LAN. Other bridges need to specify one “Parent” link to the root bridge or to a bridge connected to the root bridge. The other five WDS links are available as “Child” links to other bridges. • Bridge Role – Each radio interface can be set to operate in one of the following four modes: (Default: AP) • AP (Access Point): Operates as an access point for wireless clients, providing connectivity to a wired LAN. 6-21 6 System Configuration • Bridge: Operates as a bridge to other access points. The “Parent” link to the root bridge must be configured. Up to five other ”Child” links are available to other bridges. • Repeater: Operates as a wireless repeater, extending the range for remote wireless clients and connecting them to the root bridge. The “Parent” link to the root bridge must be configured. In this mode, traffic is not forwarded to the Ethernet port from the radio interface. • Root Bridge: Operates as the root bridge in the wireless bridge network. Up to six ”Child” links are available to other bridges in the network. • Bridge Parent – The physical layer address of the root bridge unit or the bridge unit connected to the root bridge. (12 hexadecimal digits in the form “xx-xx-xx-xx-xx-xx”) • Bridge Child – The physical layer address of other bridge units for which this unit serves as the bridge parent or the root bridge. Note that the first entry under the list of child nodes is reserved for the root bridge, and can only be configured if the role is set to “Root Bridge.” (12 hexadecimal digits in the form “xx-xx-xx-xx-xx-xx”) • Bridge Link Timer – Sets the maximum time the bridge waits to receive a link message from the parent bridge. (Range: 0 -100; Default: 0, that is disabled) Child bridges periodically send requests for link information from the parent bridge. The Parent bridge responds with the information and checks that it was received by the child bridge. The message includes link information on the connection path to the root bridge and confirms that the link is valid. If a link is detected as down, the bridge restarts the association process to try and recover the link. 6-22 Advanced Configuration Spanning Tree Protocol – STP uses a distributed algorithm to select a bridging device (STP-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device. Then it selects a designated bridging device from each LAN which incurs the lowest path cost when forwarding a packet from that LAN to the root device. All ports connected to designated bridging devices are assigned as 6-23 6 System Configuration designated ports. After determining the lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the root bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology. • Bridge – Enables/disables STP on the wireless bridge or repeater. (Default: Disabled) • Bridge Priority – Used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STP root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) • Range: 0-65535 • Default: 32768 • Bridge Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STP information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (Range: 6-40 seconds) • Default: 20 • Minimum: The higher of 6 or [2 x (Hello Time + 1)]. • Maximum: The lower of 40 or [2 x (Forward Delay - 1)] • Bridge Hello Time – Interval (in seconds) at which the root device transmits a configuration message. (Range: 1-10 seconds) • Default: 2 • Minimum: 1 • Maximum: The lower of 10 or [(Max. Message Age / 2) -1] • Bridge Forwarding Delay – The maximum time (in seconds) this device waits before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. (Range: 4-30 seconds) • Default: 15 • Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] • Maximum: 30 • Link Path Cost – This parameter is used by the STP to determine the best path 6-24 Advanced Configuration between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Range: 1-65535 • Default: Ethernet interface: 19; Wireless interface: 40 • Link Port Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the spanning tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. • Default: 128 • Range: 0-240, in steps of 16 CLI Commands for WDS Settings – To set the role of the access point radio interface, use the bridge role command from the CLI wireless interface configuration mode. If the role of the radio interface is set to “Bridge” or “Repeater,” the MAC address of the parent node must also be configured using the bridge-link parent command. If the role is set to anything other than “Access Point,” then you should also configure the MAC addresses of the child nodes using the bridge-link child command. You can also use the bridge-link link-timer command to adjust the interval at which a node will wait for a spanning-tree message from it’s parent before trying to recover. To view the current bridge link settings, use the show bridge link command. Enterprise AP(if-wireless Enterprise AP(if-wireless 00-08-3e-84-bc-6d Enterprise AP(if-wireless 00-08-3e-85-13-f2 Enterprise AP(if-wireless 00-08-3e-84-79-31 Enterprise AP(if-wireless 00-08-2d-69-3a-51 Enterprise AP(if-wireless Enterprise AP#show bridge a)#bridge role bridge a)#bridge-link child 2 6-96 6-98 a)#bridge-link child 3 a)#bridge-link child 4 a)#bridge-link parent 6-97 a)#exit link wireless a 6-101 Interface Wireless A WDS Information ==================================== AP Role: Bridge Parent: 00-08-2d-69-3a-51 Child: Child 2: 00-08-3e-84-bc-6d Child 3: 00-08-3e-85-13-f2 Child 4: 00-08-3e-84-79-31 Child 5: 00-00-00-00-00-00 Child 6: 00-00-00-00-00-00 STAs: No WDS Stations. Enterprise AP# 6-25 6 System Configuration CLI Commands for STP Settings – If the role of a radio interface is set to Repeater, Bridge or Root Bridge, STP can be enabled on the access point to maintain a valid network topology. To globally enable STP, use the bridge stp enable command from the CLI configuration mode. Then configure the other global STP parameters for the bridge. The path cost and priority for each bridge link can be set using the bridge-link path-cost and bridge-link port-priority command from the Wireless Interface configuration mode. The path cost and priority can also be set for the Ethernet port from the Ethernet Interface configuration mode. To view the current STP settings, use the show bridge stp command. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#bridge stp enable AP(config)#bridge stp forwarding-delay 2500 AP(config)#bridge stp hello-time 500 AP(config)#bridge stp max-age 4000 AP(config)#bridge stp priority 40000 AP(config)#interface wireless a AP(if-wireless a)#bridge-link path-cost 2 40 AP(if-wireless a)#bridge-link port-priority 2 64 AP(if-wireless a)#exit AP#show bridge stp Bridge MAC Status priority desiginated-root root-path-cost root-Port-no Hold Time Hello Time Maximum Age Forward Delay bridge Hello Time bridge Maximum Age bridge Forward Delay : time-since-top-change: topology-change-count: Enterprise AP# 6-26 00:30:F1:F0:9A:9C Disabled 32768 priority = 0, MAC = 00:00:00:00:00:00 0 Seconds 0 Seconds 0 Seconds 0 Seconds 2 Seconds 20 Seconds 5 Seconds 3168 Seconds 6-104 6-105 6-106 6-107 6-108 6-109 6-110 6-111 Advanced Configuration AP Management The Web, Telnet, and SNMP management interfaces are enabled and open to all IP addresses by default. To provide more security for management access to the access point, specific interfaces can be disabled and management restricted to a single IP address or a limited range of IP addresses. Once you specify an IP address or range of addresses, access to management interfaces is restricted to the specified addresses. If anyone tries to access a management interface from an unauthorized address, the access point will reject the connection. UI Management – Enables or disables management access through Telnet, the Web (HTTP), or SNMP interfaces. (Default: Enabled) Note: Secure Web (HTTPS) connections are not affected by the UI Management or IP Management settings. IP Management – Restricts management access to Telnet, Web, and SNMP interfaces to specified IP addresses. (Default: Any IP) • Any IP: Indicates that any IP address is allowed management access. • Single IP: Specifies a single IP address that is allowed management access. • Multiple IP: Specifies an address range as defined by the entered IP address and subnet mask. For example, IP address 192.168.1.6 and subnet mask 255.255.255.0, defines all IP addresses from 192.168.1.1 to 192.168.1.254. 6-27 6 System Configuration CLI Commands for AP Management features. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#apmgmtip multiple 192.168.1.50 255.255.255.0 7-21 AP(config)#apmgmtui SNMP enable 7-22 7-18 AP(config)#ip http server AP(config)#ip http port 769 7-17 AP(config)#ip https server 7-18 AP(config)#ip https port 1234 7-18 Administration Changing the Password Management access to the web and CLI interface on the access point is controlled through a single user name and password. You can also gain additional access security by using control filters (see “Filter Control” on page 6-17). To protect access to the management interface, you need to configure an Administrator’s user name and password as soon as possible. If the user name and password are not configured, then anyone having access to the access point may be able to compromise access point and network security. Once a new Administrator has been configured, you can delete the default “admin” user name from the system. Note: Pressing the Reset button on the back of the access point for more than five seconds resets the user name and password to the factory defaults. For this reason, we recommend that you protect the access point from physical access by unauthorized persons. Username – The name of the user. The default name is “admin.” (Length: 3-16 characters, case sensitive) New Password – The password for management access. (Length: 3-16 characters, case sensitive) Confirm New Password – Enter the password again for verification. 6-28 Advanced Configuration CLI Commands for the Administrator’s User Name and Password – Use the username and password commands from the CLI configuration mode. Enterprise AP(config)#username bob Enterprise AP(config)#password admin Enterprise AP# 7-15 7-15 Upgrading Firmware You can upgrade new access point software from a local file on the management workstation, or from an FTP or TFTP server. New software may be provided periodically from your distributor. After upgrading new software, you must reboot the access point to implement the new code. Until a reboot occurs, the access point will continue to run the software it was using before the upgrade started. Also note that new software that is incompatible with the current configuration automatically restores the access point to the factory default settings when first activated after a reboot. 6-29 6 System Configuration Before upgrading new software, verify that the access point is connected to the network and has been configured with a compatible IP address and subnet mask. If you need to download from an FTP or TFTP server, take the following additional steps: • Obtain the IP address of the FTP or TFTP server where the access point software is stored. • If upgrading from an FTP server, be sure that you have an account configured on the server with a user name and password. 6-30 Advanced Configuration • If VLANs are configured on the access point, determine the VLAN ID with which the FTP or TFTP server is associated, and then configure the management station, or the network port to which it is attached, with the same VLAN ID. If you are managing the access point from a wireless client, the VLAN ID for the wireless client must be configured on a RADIUS server. Current version – Version number of runtime code. Firmware Upgrade Local – Downloads an operation code image file from the web management station to the access point using HTTP. Use the Browse button to locate the image file locally on the management station and click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Firmware Upgrade Remote – Downloads an operation code image file from a specified remote FTP or TFTP server. After filling in the following fields, click Start Upgrade to proceed. • New firmware file: Specifies the name of the code file on the server. The new firmware file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the FTP/TFTP server is 255 characters or 32 characters for files on the access point. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • IP Address: IP address or host name of FTP or TFTP server. • Username: The user ID used for login on an FTP server. • Password: The password used for login on an FTP server. Restore Factory Settings – Click the Restore button to reset the configuration settings for the access point to the factory defaults and reboot the system. Note that all user configured information will be lost. You will have to re-enter the default user name (admin) to re-gain management access to this device. Reboot Access Point – Click the Reset button to reboot the system. Note: If you have upgraded system software, then you must reboot the access point to implement the new operation code. New software that is incompatible with the current configuration automatically restores the access point to default values when first activated after a reboot. 6-31 6 System Configuration CLI Commands for Downloading Software from a TFTP Server – Use the copy tftp file command from the Exec mode and then specify the file type, name, and IP address of the TFTP server. When the download is complete, the dir command can be used to check that the new file is present in the access point file system. To run the new software, use the reset board command to reboot the access point. Enterprise AP#copy tftp file 1. Application image 2. Config file 3. Boot block image Select the type of download<1,2,3>: TFTP Source file name:img.bin TFTP Server IP:192.168.1.19 Enterprise AP#dir File Name -------------------------dflt-img.bin img.bin syscfg syscfg_bak 7-56 [1]:1 7-58 Type ---2 File Size ----------1319939 1629577 17776 17776 262144 byte(s) available Enterprise AP#reset board Reboot system now? : y 6-32 7-10 Advanced Configuration System Log The access point can be configured to send event and error messages to a System Log Server. The system clock can also be synchronized with a time server, so that all the messages sent to the Syslog server are stamped with the correct time and date. Enabling System Logging The access point supports a logging process that can control error messages saved to memory or sent to a Syslog server. The logged messages serve as a valuable tool for isolating access point and network problems. System Log Setup – Enables the logging of error messages. (Default: Disable) Server (1-4) – Enables the sending of log messages to a Syslog server host. Up to four Syslog servers are supported on the access point. (Default: Disable) Server Name/IP – The IP address or name of a Syslog server. (Default: 0.0.0.0) UDP Port – The UDP port used by a Syslog server. (Range: 514 or 11024-65535; Default: 514) Logging Console – Enables the logging of error messages to the console. (Default: Disable) 6-33 6 System Configuration Logging Level – Sets the minimum severity level for event logging. (Default: Informational) The system allows you to limit the messages that are logged by specifying a minimum severity level. The following table lists the error message levels from the most severe (Emergency) to least severe (Debug). The message levels that are logged include the specified minimum level up to the Emergency level. Error Level Description Emergency System unusable Alerts Immediate action needed Critical Critical conditions (e.g., memory allocation, or free memory error - resource exhausted) Error Error conditions (e.g., invalid input, default used) Warning Warning conditions (e.g., return false, unexpected return) Notice Normal but significant condition, such as cold start Informational Informational messages only Debug Debugging messages Note: The access point error log can be viewed using the Event Logs window in the Status section (page 6-90). The Event Logs window displays the last 128 messages logged in chronological order, from the newest to the oldest. Log messages saved in the access point’s memory are erased when the device is rebooted. Logging Facility Type – Sets the facility type for remote logging of syslog messages. The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database. (Range: 16-23; Default: 16) 6-34 Advanced Configuration CLI Commands for System Logging – To enable logging on the access point, use the logging on command from the global configuration mode. The logging level command sets the minimum level of message to log. Use the logging console command to enable logging to the console. Use the logging host command to specify up to four Syslog servers. The CLI also allows the logging facility-type command to set the facility-type number to use on the Syslog server. To view the current logging settings, use the show logging command. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#logging AP(config)#logging AP(config)#logging AP(config)#logging AP(config)#logging AP(config)#logging AP(config)#exit AP#show logging on level alert console host 1 IP 10.1.0.3 514 host 1 Port 514 facility-type 19 7-29 7-30 7-30 7-29 7-29 7-31 7-32 Logging Information ============================================ Syslog State : Enabled Logging Console State : Enabled Logging Level : Alert Logging Facility Type : 19 Servers 1: 10.1.0.3, UDP Port: 514, State: Enabled 2: 0.0.0.0, UDP Port: 514, State: Disabled 3: 0.0.0.0, UDP Port: 514, State: Disabled 4: 0.0.0.0, UDP Port: 514, State: Disabled ============================================= Enterprise AP# Configuring SNTP Simple Network Time Protocol (SNTP) allows the access point to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the access point enables the system log to record meaningful dates and times for event entries. If the clock is not set, the access point will only record the time from the factory default set at the last bootup. The access point acts as an SNTP client, periodically sending time synchronization requests to specific time servers. You can configure up to two time server IP addresses. The access point will attempt to poll each server in the configured sequence. SNTP Server – Configures the access point to operate as an SNTP client. When enabled, at least one time server IP address must be specified. • Primary Server: The IP address of an SNTP or NTP time server that the access point attempts to poll for a time update. • Secondary Server: The IP address of a secondary SNTP or NTP time server. The access point first attempts to update the time from the primary server; if this fails it attempts an update from the secondary server. 6-35 6 System Configuration Note: The access point also allows you to disable SNTP and set the system clock manually. Set Time Zone – SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours your time zone is located before (east) or after (west) UTC. Enable Daylight Saving – The access point provides a way to automatically adjust the system clock for Daylight Savings Time changes. To use this feature you must define the month and date to begin and to end the change from standard time. During this period the system clock is set back by one hour. CLI Commands for SNTP – To enable SNTP support on the access point, from the global configuration mode specify SNTP server IP addresses using the sntp-server ip command, then use the sntp-server enable command to enable the service. Use the sntp-server timezone command to set the time zone for your location, and the sntp-server daylight-saving command to set daylight savings. To view the current SNTP settings, use the show sntp command. Enterprise AP(config)#sntp-server ip 1 10.1.0.19 Enterprise AP(config)#sntp-server enable Enterprise AP(config)#sntp-server timezone +8 Enterprise AP(config)#sntp-server daylight-saving Enter Daylight saving from which month<1-12>: 3 and which day<1-31>: 31 Enter Daylight saving end to which month<1-12>: 10 and which day<1-31>: 31 Enterprise AP(config)#exit Enterprise AP#show sntp SNTP Information ========================================================= Service State : Enabled SNTP (server 1) IP : 10.1.10.19 SNTP (server 2) IP : 192.43.244.18 Current Time : 19 : 35, Oct 10th, 2003 Time Zone : +8 (TAIPEI, BEIJING) Daylight Saving : Enabled, from Mar, 31st to Oct, 31st ========================================================= Enterprise AP# 6-36 7-34 7-34 7-36 7-36 7-37 SNMP CLI Commands for the System Clock – The following example shows how to manually set the system time when SNTP server support is disabled on the access point. Enterprise AP(config)#no sntp-server enable Enterprise AP(config)#sntp-server date-time Enter Year<1970-2100>: 2003 Enter Month<1-12>: 10 Enter Day<1-31>: 10 Enter Hour<0-23>: 18 Enter Min<0-59>: 35 Enterprise AP(config)# 7-34 7-35 RSSI The RSSI page displays the ambient noise floor for both radios A and G. These values only apply to external used antennas. The displayed values are non-configurable. dBm – Decibel referenced to milliwatts. SNMP Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems. Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. 6-37 6 System Configuration The access point includes an onboard agent that supports SNMP versions 1, 2c, and 3 clients. This agent continuously monitors the status of the access point, as well as the traffic passing to and from wireless clients. A network management station can access this information using SNMP management software that is compliant with MIB II. To implement SNMP management, the access point must first have an IP address and subnet mask, configured either manually or dynamically. Access to the onboard agent using SNMP v1 and v2c is controlled by community strings. To communicate with the access point, the management station must first submit a valid community string for authentication. Access to the access point using SNMP v3 provides additional security features that cover message integrity, authentication, and encryption; as well as controlling notifications that are sent to specified user targets. Configuring SNMP and Trap Message Parameters The access point SNMP agent must be enabled to function (for versions 1, 2c, and 3 clients). Management access using SNMP v1 and v2c also requires community strings to be configured for authentication. Trap notifications can be enabled and sent to up to four management stations. 6-38 SNMP SNMP – Enables or disables SNMP management access and also enables the access point to send SNMP traps (notifications). (Default: Disable) Location – A text string that describes the system location. (Maximum length: 255 characters) Contact – A text string that describes the system contact. (Maximum length: 255 characters) Community Name (Read Only) – Defines the SNMP community access string that has read-only access. Authorized management stations are only able to retrieve MIB objects. (Maximum length: 23 characters, case sensitive; Default: public) Community Name (Read/Write) – Defines the SNMP community access string that has read/write access. Authorized management stations are able to both retrieve and modify MIB objects. (Maximum length: 23 characters, case sensitive; Default: private) Trap Destination (1 to 4) – Enables recipients (up to four) of SNMP notifications. • Trap Destination IP Address – Specifies the recipient of SNMP notifications. Enter the IP address or the host name. (Host Name: 1 to 63 characters, case sensitive) • Trap Destination Community Name – The community string sent with the notification operation. (Maximum length: 23 characters, case sensitive; Default: public) Engine ID – Sets the engine identifier for the SNMPv3 agent that resides on the access point. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A default engine ID is automatically generated that is unique to the access point. (Range: 10 to 64 hexadecimal characters) Note: If the local engine ID is deleted or changed, all SNMP users will be cleared. All existing users will need to be re-configured. If you want to change the default engine ID, change it first before configuring other SNMP v3 parameters. 6-39 6 System Configuration Trap Configuration – Allows selection of specific SNMP notifications to send. The following items are available: • sysSystemUp - The access point is up and running. • sysSystemDown - The access point is about to shutdown and reboot. • sysRadiusServerChanged - The access point has changed from the primary RADIUS server to the secondary, or from the secondary to the primary. • sysConfigFileVersionChanged - The access point’s configuration file has been changed. • dot11StationAssociation - A client station has successfully associated with the access point. • dot11StationReAssociation - A client station has successfully re-associated with the access point. • dot11StationAuthentication - A client station has been successfully authenticated. • dot11StationRequestFail - A client station has failed association, re-association, or authentication. • dot11InterfaceBFail - The 802.11b interface has failed. • dot11InterfaceAGFail - The 802.11a or 802.11g interface has failed. • dot1xMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the RADIUS server. 6-40 SNMP • dot1xMacAddrAuthFail - A client station has failed MAC address authentication with the RADIUS server. • dot1xAuthNotInitiated - A client station did not initiate 802.1X authentication. • dot1xAuthSuccess - A 802.1X client station has been successfully authenticated by the RADIUS server. • dot1xAuthFail - A 802.1X client station has failed RADIUS authentication. • localMacAddrAuthSuccess - A client station has successfully authenticated its MAC address with the local database on the access point. • localMacAddrAuthFail - A client station has failed authentication with the local MAC address database on the access point. • iappStationRoamedFrom - A client station has roamed from another access point (identified by its IP address). • iappStationRoamedTo - A client station has roamed to another access point (identified by its IP address). • iappContextDataSent - A client station’s Context Data has been sent to another access point with which the station has associated. • sntpServerFail - The access point has failed to set the time from the configured SNTP server. • Enable All Traps - Click the button to enable all the available traps. • Disable All Traps - Click the button to disable all the available traps. CLI Commands for SNMP and Trap Configuration – Use the snmp-server enable server command from the global configuration mode to enable the SNMP agent. Use the snmp-server location and snmp-server contact commands to indicate the physical location of the access point and define a system contact. To set the read-only and read/write community names, use the snmp-server community command. Use the snmp-server host command to define a trap receiver host and the snmp-server trap command to enable or disable specific traps. Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise Enterprise AP(config)#snmp-server AP(config)#snmp-server AP(config)#snmp-server AP(config)#snmp-server AP(config)#snmp-server AP(config)#snmp-server AP(config)#snmp-server AP(config)# enable server community alpha rw community beta ro location WC-19 contact Paul host 192.168.1.9 alpha trap dot11StationAssociation 7-42 7-41 7-42 7-41 7-43 7-44 6-41 6 System Configuration To view the current SNMP settings, use the show snmp command. 7-54 Enterprise AP#show snmp SNMP Information ============================================== Service State : Enable Community (ro) : ***** Community (rw) : ***** Location : WC-19 Contact : Paul EngineId :80:00:07:e5:80:00:00:2e:62:00:00:00:18 EngineBoots:1 Trap Destinations: 1: 192.168.1.9, 2: 0.0.0.0, 3: 0.0.0.0, 4: 0.0.0.0, Community: Community: Community: Community: dot11InterfaceAGFail dot11StationAssociation dot11StationReAssociation dot1xAuthFail dot1xAuthSuccess dot1xMacAddrAuthSuccess iappStationRoamedFrom localMacAddrAuthFail pppLogonFail configFileVersionChanged systemDown *****, *****, *****, *****, State: State: State: State: Enabled Disabled Disabled Disabled Enabled dot11InterfaceBFail Enabled dot11StationAuthentication Enabled dot11StationRequestFail Enabled dot1xAuthNotInitiated Enabled dot1xMacAddrAuthFail Enabled iappContextDataSent Enabled iappStationRoamedTo Enabled localMacAddrAuthSuccess Enabled sntpServerFail Enabled radiusServerChanged Enabled systemUp Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled ============================================= Enterprise AP# Configuring SNMPv3 Users The access point allows up to 10 SNMP v3 users to be configured. Each user must be defined by a unique name, assigned to one of three pre-defined security groups, and configured with specific authentication and encryption settings. User – The SNMPv3 user name. (32 characters maximum) Group – The SNMPv3 group name. (Options: RO, RWAuth, or RWPriv; Default: RO) • RO – Read-only access. • RWAuth – Read/write access with user authentication. • RWPriv – Read/write access with both user authentication and data encryption. Auth Type – The authentication type used for the SNMP user; either MD5 or none. When MD5 is selected, enter a password in the corresponding Passphrase field. Priv Type – The data encryption type used for the SNMP user; either DES or none. When DES is selected, enter a key in the corresponding Passphrase field. 6-42 SNMP Passphrase – The password or key associated with the authentication and privacy settings. A minimum of eight plain text characters is required. Action – Click the Add button to add a new user to the list. Click the edit button to change details of an existing user. Click the Del button to remove a user from the list. Note: Users must be assigned to groups that have the same security levels. For example, a user who has “Auth Type” and “Priv Type” configured to MD5 and DES respectively (that it, uses both authentication and data encryption) must be assigned to the RWPriv group. If this same user were instead assigned to the read-only (RO) group, the user would not be able to access the database. CLI Commands for Configuring SNMPv3 Users – Use the snmp-server engine-id command to define the SNMP v3 engine before assigning users to groups. Use the snmp-server user command to assign users to one of the three groups and set the appropriate authentication and encryption types to be used. To view the current SNMP v3 engine ID, use the show snmp command. To view SNMP users and group settings, use the show snmp users or show snmp group-assignments commands. Enterprise AP(config)#snmp-server engine-id 1a:2b:3c:4d:00:ff Enterprise AP(config)#snmp-server user User Name<1-32> :chris Group Name<1-32> :RWPriv Authtype(md5, none):md5 Passphrase<8-32>:a good secret Privacy(des, none) :des Passphrase<8-32>:a very good secret Enterprise AP(config)#exit Enterprise AP#show snmp users ============================================= UserName :chris GroupName :RWPriv AuthType :MD5 Passphrase:**************** PrivType :DES Passphrase:**************** ============================================= Enterprise AP#show snmp group-assignments 7-45 7-46 7-51 7-51 GroupName :RWPriv UserName :chris Enterprise AP# 6-43 6 System Configuration Configuring SNMPv3 Trap Filters SNMP v3 users can be configured to receive notification messages from the access point. An SNMP Target ID is created that specifies the SNMP v3 user, IP address, and UDP port. A user-defined notification filter can be created so that specific notifications can be prevented from being sent to particular targets. The access point allows up to 10 notification filters to be created. Each filter can be defined by up to 20 MIB subtree ID entries. To configure a new notification filter, click the New button. A new page opens to configure the filter (see below). To edit an existing filter, select the radio button next to the entry in the table and then click the Edit button. To delete a filter, select the radio button next to the entry in the table and then click the Delete button. When you click on the New button in the SNMP Trap Filters page, a new page opens where the filter parameters are configured. Define a filter name, subtree ID to be filtered, and a mask if required. Select the filter type, include or exclude, from the drop-down list. Click Apply to create the filter. To add more subtree IDs to the filter, return to the SNMP Trap Filters page and click the Edit button. In the Edit page, click the New button to access the Add SNMP Notification Subtree page and configure a new subtree ID to be filtered. 6-44 SNMP Note: Only the New Filter page allows the Filter ID to be configured. Filter ID – A user-defined name that identifies the filter. (Maximum length: 32 characters) Subtree OID – Specifies MIB subtree to be filtered. The MIB subtree must be defined in the form “.1.3.6.1” and always start with a “.”. Subtree Mask – A hexadecimal value with each bit masking the corresponding ID in the MIB subtree. A “1” in the mask indicates an exact match and a “0” indicates a “wild card.” For example, a mask value of 0xFFBF provides a bit mask “1111 1111 1011 1111.” If applied to the subtree “1.3.6.1.2.1.2.2.1.1.23,” the zero corresponds to the 10th subtree ID. When there are more subtree IDs than bits in the mask, the mask is padded with ones. Filter Type – Indicates if the filter is to “include” or “exclude” the MIB subtree objects from the filter. Note that MIB objects included in the filter are not sent to the receiving target and objects excluded are sent. By default all traps are sent, so you can first use an “include” filter entry for all trap objects. Then use “exclude” entries for the required trap objects to send to the target. Note that the filter entries are applied in the sequence that they are defined. 6-45 6 System Configuration CLI Commands for Configuring SNMPv3 Trap Filters – To create a notification filter, use the snmp-server filter command from the CLI configuration mode. Use the command more than once with the same filter ID to build a filter that includes or excludes multiple MIB objects. To view the current SNMP filters, use the show snmp filter command from the CLI Exec mode. Enterprise include Enterprise exclude Enterprise Enterprise AP(config)#snmp-server filter trapfilter .1 AP(config)#snmp-server filter trapfilter .1.3.6.1.2.1.2.2.1.1.23 AP(config)#exit AP#show snmp filter 7-49 7-52 Filter: trapfilter Type: include Subtree: iso Type: exclude Subtree: iso.3.6.1.2.1.2.2.1.1.23 ============================= Enterprise AP# Configuring SNMPv3 Targets An SNMP v3 notification Target ID is specified by the SNMP v3 user, IP address, and UDP port. A user-defined filter can also be assigned to specific targets to limit the notifications received to specific MIB objects. (Note that the filter must first be configured. see “Configuring SNMPv3 Trap Filters” on page 6-44) To configure a new notification receiver target, click the New button. A new page opens to configure the settings (see below). To edit an existing target, select the radio button next to the entry in the table and then click the Edit button. To delete targets, select the radio button next to the entry in the table and then click the Delete button. When you click on the New or Edit button in the SNMP Targets page, a new page opens where the target parameters are configured. Define the parameters and select a filter, if required. Note that the SNMP v3 user name must first be defined (see “Configuring SNMPv3 Users” on page 6-42). Click Apply. 6-46 SNMP Note: The Target ID cannot be changed in the Edit Target page. Only the New Target page allows the Target ID to be configured. Target ID – A user-defined name that identifies a receiver of notifications. The access point supports up to 10 target IDs. (Maximum length: 32 characters) IP Address – Specifies the IP address of the receiving management station. UDP Port – The UDP port that is used on the receiving management station for notification messages. SNMP User – The defined SNMP v3 user that is to receive notification messages. Assigned Filter – The name of a user-defined notification filter that is applied to the target. CLI Commands for Configuring SNMPv3 Targets – To create a notification target, use the snmp-server targets command from the CLI configuration mode. To assign a filter to a target, use the snmp-server filter-assignment command. To view the current SNMP targets, use the show snmp target command from the CLI Exec mode. To view filter assignment to targets, use the show snmp filter-assignments command. 6-47 6 System Configuration Enterprise AP(config)#snmp-server targets mytraps 192.168.1.33 chris Enterprise AP(config)#snmp-server filter-assignment mytraps trapfilter Enterprise AP(config)#exit Enterprise AP#show snmp target Host ID : mytraps User : chris IP Address : 192.168.1.33 UDP Port : 162 ============================= Enterprise AP#show snmp filter-assignments HostID mytraps 7-48 7-50 7-52 7-53 FilterID trapfilter Enterprise AP# Radio Interface The IEEE 802.11a and 802.11g interfaces include configuration options for radio signal characteristics and wireless security features. The configuration options are nearly identical, and are therefore both covered in this section of the manual. The access point can operate in three modes, IEEE 802.11a only, 802.11b/g only, or a mixed 802.11a/b/g mode. Also note that 802.11g is backward compatible with 802.11b. These interfaces are configured independently under the following web pages: • Radio Interface A: 802.11a • Radio Interface G: 802.11b/g Each radio supports up to four virtual access point (VAP) interfaces numbered 0 to 3. Each VAP functions as a separate access point, and can be configured with its own Service Set Identification (SSID) and security settings. However, most radio signal parameters apply to all four VAP interfaces. The VAPs function similar to a VLAN, with each VAP mapped to its own VLAN ID. Traffic to specific VAPs can segregated based on user groups or application traffic. Each VAP can have up to 64 wireless clients, whereby the clients associate with these VAPs the same as they would with a physical access point. Note: The radio channel settings for the access point are limited by local regulations, which determine the number of channels that are available. Refer to “General Specifications” on page C-1 for additional information on the maximum number channels available. 6-48 Radio Interface Radio Settings A (802.11a) The IEEE 802.11a interface operates within the 5 GHz band, at up to 54 Mbps in normal mode or up to 108 Mbps in Turbo mode. First configure the radio settings that apply to the individual VAPs (Virtual Access Point) and the common radio settings that apply to the overall system. After you have configured the radio settings, go to the Security page under the 802.a Interface (see “Security” on page 6-66), enable the radio service for any of the VAP interfaces, and then set an SSID to identify the wireless network service provided by each VAP. Remember that only clients with the same SSID can associate with a VAP. Note: You must first enable VAP interface 0 before the other interfaces can be enabled. Configuring VAP Radio Settings To configure VAP radio settings, select the Radio Settings page. 6-49 6 System Configuration Default VLAN ID – The VLAN ID assigned to wireless clients associated to the VAP interface that are not assigned to a specific VLAN by RADIUS server configuration. (Default: 1) Closed System – When enabled, the VAP interface does not include its SSID in beacon messages. Nor does it respond to probe requests from clients that do not include a fixed SSID. (Default: Disable) Authentication Timeout Interval – The time within which the client should finish authentication before authentication times out. (Range: 5-60 minutes; Default: 60 minutes) Association Timeout Interval – The idle time interval (when no frames are sent) after which a client is disassociated from the VAP interface. (Range: 5-60 minutes; Default: 30 minutes) WPA2 PMKSA Life Time – WPA2 provides fast roaming for authenticated clients by retaining keys and other security settings in a cache for each VAP. In this way, when clients roam back into a VAP they had previously been using, re-authentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate the other keys used for unicast data encryption. This key and other client information form a client Security Association (SA) that the VAP holds in a cache. When the lifetime expires, the security association and keys are deleted from the cache. If the client returns to an access point after the association has been deleted, it will require full re-authentication. (Range: 1-1440 minutes; Default: 720 minutes) 6-50 Radio Interface CLI Commands for the Configuring the VAPs – From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. From the 802.11a interface mode, you can access radio settings that apply to all VAP interfaces. To access a specific VAP interface (numbered 0 to 3), use the vap command. You can configure a name for each interface using the description command. You can also use the closed-system command to stop sending the SSID in beacon messages. Set any other VAP parameters and radio setting as required before enabling the VAP interface (with the no shutdown command). To view the current 802.11a radio settings for the VAP interface, use the show interface wireless a 0 command as shown on 7-94. Enterprise AP(if-wireless Enterprise AP(if-wireless Enterprise AP(if-wireless Enterprise AP(if-wireless Enterprise AP(if-wireless interval 30 Enterprise AP(if-wireless interval 20 Enterprise AP(if-wireless Enterprise AP(if-wireless Enterprise AP(if-wireless a)#vap 0 a: VAP[0])#description RD-AP#3 a: VAP[0])#vlan-id 1 a: VAP[0])#closed-system a: VAP[0])#authentication-timeout- 7-94 7-105 7-131 7-106 7-107 a: VAP[0])#association-timeouta: VAP[0])#max-association 32 a: VAP[0])#pmksa-lifetime 900 a: VAP[0])# 7-107 7-106 7-123 Configuring Rogue AP Detection To configure Rouge AP detection, select the Radio Settings page, and scroll down to the “Rouge AP” section. Rogue AP – A “rogue AP” is either an access point that is not authorized to participate in the wireless network, or an access point that does not have the correct security configuration. Rogue APs can allow unauthorized access to the network, or fool client stations into mistakenly associating them and thereby blocking access to network resources. 6-51 6 System Configuration The access point can be configured to periodically scan all radio channels and find other access points within range. A database of nearby access points is maintained where any rogue APs can be identified. During a scan, Syslog messages (see “Enabling System Logging” on page 6-33) are sent for each access point detected. Rogue access points can be identified by unknown BSSID (MAC address) or SSID configuration. • AP Detection – Enables the periodic scanning for other access points. (Default: Disable) • AP Scan Interval – Sets the time between each rogue AP scan. (Range: 30 -10080 minutes; Default: 720 minutes) • AP Scan Duration – Sets the length of time for each rogue AP scan. A long scan duration time will detect more access points in the area, but causes more disruption to client access. (Range: 100 -1000 milliseconds; Default: 350 milliseconds) • Rogue AP Authenticate – Enables or disables RADIUS authentication. Enabling RADIUS Authentication allows the access point to discover rogue access points. With RADIUS authentication enabled, the access point checks the MAC address/ Basic Service Set Identifier (BSSID) of each access point that it finds against a RADIUS server to determine whether the access point is allowed. With RADIUS authentication disabled, the access point can identify its neighboring access points only; it cannot identify whether the access points are allowed or are rogues. If you enable RADIUS authentication, you must configure a RADIUS server for this access point (see “RADIUS” on page 6-7). • Scan AP Now – Starts an immediate rogue AP scan on the radio interface. (Default: Disable) Note: While the access point scans a channel for rogue APs, wireless clients will not be able to connect to the access point. Therefore, avoid frequent scanning or scans of a long duration unless there is a reason to believe that more intensive scanning is required to find a rogue AP. CLI Commands for Rogue AP Detection – From the global configuration mode, enter the interface wireless command to access the 802.11a or 802.11g radio interface. From the wireless interface mode, use the rogue-ap enable command to enable rogue AP detection. Set the duration and interval times with the rogue-ap duration and rogue-ap interval commands. If required, start an immediate scan 6-52 Radio Interface using the rogue-ap scan command. To view the database of detected access points, use the show rogue-ap command from the Exec level. Enterprise AP(config)#interface wireless g 7-87 Enter Wireless configuration commands, one per line. 7-111 Enterprise AP(if-wireless g)#rogue-ap enable configure either syslog or trap or both to receive the rogue APs detected. Enterprise AP(if-wireless g)#rogue-ap duration 200 7-113 Enterprise AP(if-wireless g)#rogue-ap interval 120 7-113 Enterprise AP(if-wireless g)#rogue-ap scan 7-114 Enterprise AP(if-wireless g)#rogueApDetect Completed (Radio G) : 5 APs detected rogueAPDetect (Radio G): refreshing ap database now Enterprise AP(if-wireless g)#exit Enterprise AP#show rogue-ap 7-115 802.11a Channel : Rogue AP Status AP Address(BSSID) SSID Channel(MHz) RSSI ======================================================= 802.11g Channel : Rogue AP Status AP Address(BSSID) SSID Channel(MHz) RSSI ======================================================= 00-04-e2-2a-37-23 WLAN1AP 11(2462 MHz) 17 00-04-e2-2a-37-3d ANY 7(2442 MHz) 42 00-04-e2-2a-37-49 WLAN1AP 9(2452 MHz) 42 00-90-d1-08-9d-a7 WLAN1AP 1(2412 MHz) 12 00-30-f1-fb-31-f4 WLAN 6(2437 MHz) 16 Enterprise AP# 6-53 6 System Configuration Configuring Common Radio Settings To configure Rouge AP detection, select the Radio Settings page, and scroll down to the “Rouge AP” section. Turbo Mode – The normal 802.11a wireless operation mode provides connections up to 54 Mbps. Turbo Mode is an enhanced mode (not regulated in IEEE 802.11a) that provides a higher data rate of up to 108 Mbps. Enabling Turbo Mode allows the access point to provide connections up to 108 Mbps. (Default: Disabled) Note: Note: In normal mode, the access point provides a channel bandwidth of 20 MHz, and supports the maximum number of channels permitted by local regulations (e.g., 13 channels for the United States). In Turbo Mode, the channel bandwidth is increased to 40 MHz to support the increased data rate. However, this reduces the number of channels supported (e.g., 5 channels for the United States). Note: Check your country’s regulations to see if Turbo Mode is allowed. 6-54 Radio Interface Radio Channel – The radio channel that the access point uses Normal Mode to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least four channels apart to avoid interference with each other. For example, in the United States you can deploy up to four access points in the same area (e.g., channels 36, 56, 149, 165). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked. (Default: Channel 60 for normal mode, and channel 42 for Turbo mode) Auto Channel Select – Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled) Turbo Mode Note: Check your country’s regulations to see if Auto Channel can be disabled. Transmit Power – Adjusts the power of the radio signals transmitted from the access point. The higher the transmission power, the farther the transmission range. Power selection is not just a trade off between coverage area and maximum supported clients. You also have to ensure that high-power signals do not interfere with the operation of other radio devices in the service area. (Options: 100%, 50%, 25%, 12%, minimum; Default: 100%) Note: When operating the access point using 5 GHz channels in a European Community country, the end user and installer are obligated to operate the device in accordance with European regulatory requirements for Transmit Power Control (TPC). Maximum Supported Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Options: 54, 48, 36, 24 Mbps; Default: 54 Mbps) Maximum Associated Clients – Sets the maximum number of clients that can be associated with a VAP interface at the same time. (Range: 1-64 per VAP interface: Default: 64) Antenna ID – Selects the antenna to be used by the access point; either the integrated diversity antennas (the "Default Antenna") or an optional external antenna. The optional external antennas (if any) that are certified for use with the access point are listed in the drop-down menu. Selecting the correct antenna ID ensures that the access point's radio transmissions are within regulatory power limits for the country of operation. When an external antenna is selected, the Antenna Control Method must be set to "Right." (Default: Default Antenna) Note: The Antenna ID must be selected in conjunction with the Antenna Control Method to configure proper use of any of the antenna options. 6-55 6 System Configuration Antenna Control Method - Selects the use of both fixed antennas operating in diversity mode or a single antenna. (Default: Diversity) • Diversity: The radio uses both antennas in a diversity system. Select this method when the Antenna ID is set to "Default Antenna" to use the access point's integrated antennas. The access point does not support external diversity antennas. • Right: The radio only uses the antenna on the right side (the side closest to the access point LEDs). Select this method when using an optional external antenna that is connected to the right antenna connector. • Left: The radio only uses the antenna on the left side (the side farthest from the access point LEDs). The access point does not support an external antenna connection on its left antenna. Therefore, this method is not valid for the access point. Antenna Location – Selects the mounting location of the antenna in use; either “Indoor” or “Outdoor.” Selecting the correct location ensures that the access point only uses radio channels that are permitted in the country of operation. (Default: Indoor) MIC Mode – The Michael Integrity Check (MIC) is part of the Temporal Key Integrity Protocol (TKIP) encryption used in Wi-Fi Protected Access (WPA) security. The MIC calculation is performed in the access point for each transmitted packet and this can impact throughput and performance. The access point supports a choice of software or hardware MIC calculation. The performance of the access point can be improved by selecting the best method for the specific deployment. (Default: Software) • Hardware: Provides best performance when the number of supported clients is less than 27. • Software: Provides the best performance for a large number of clients on one radio interface. Throughput may be reduced when both 802.11a and 802.11g interfaces are supporting a high number of clients simultaneously. Super A – The Atheros proprietary Super A performance enhancements are supported by the access point. These enhancements include bursting, compression, and fast frames. Maximum throughput ranges between 40 to 60 Mbps for connections to Atheros-compatible clients. (Default: Disabled) Beacon Interval – The rate at which beacon signals are transmitted from the access point. The beacon signals allow wireless clients to maintain contact with the access point. They may also carry power-management information. (Range: 20-1000 TUs; Default: 100 TUs) Data Beacon Rate – The rate at which stations in sleep mode must wake up to receive broadcast/multicast transmissions. Known also as the Delivery Traffic Indication Map (DTIM) interval, it indicates how often the MAC layer forwards broadcast/multicast traffic, which is necessary to wake up stations that are using Power Save mode. The default value of 2 indicates that the access point will save all broadcast/multicast frames for the Basic Service Set 6-56 Radio Interface (BSS) and forward them after every second beacon. Using smaller DTIM intervals delivers broadcast/multicast frames in a more timely manner, causing stations in Power Save mode to wake up more often and drain power faster. Using higher DTIM values reduces the power used by stations in Power Save mode, but delays the transmission of broadcast/multicast frames. (Range: 1-255 beacons; Default: 1 beacon) Multicast Data Rate – The maximum data rate at which the access point transmits multicast and broadcast packets on the wireless interface. (Options: 24, 12, 6 Mbps; Default: 6 Mbps) Fragmentation Length – Configures the minimum packet size that can be fragmented when passing through the access point. Fragmentation of the PDUs (Package Data Unit) can increase the reliability of transmissions because it increases the probability of a successful transmission due to smaller frame size. If there is significant interference present, or collisions due to high network utilization, try setting the fragment size to send smaller fragments. This will speed up the retransmission of smaller frames. However, it is more efficient to set the fragment size larger if very little or no interference is present because it requires overhead to send multiple frames. (Range: 256-2346 bytes; Default: 2346 bytes) RTS Threshold – Sets the packet size threshold at which a Request to Send (RTS) signal must be sent to a receiving station prior to the sending station starting communications. The access point sends RTS frames to a receiving station to negotiate the sending of a data frame. After receiving an RTS frame, the station sends a CTS (clear to send) frame to notify the sending station that it can start sending data. If the RTS threshold is set to 0, the access point always sends RTS signals. If set to 2347, the access point never sends RTS signals. If set to any other value, and the packet size equals or exceeds the RTS threshold, the RTS/CTS (Request to Send / Clear to Send) mechanism will be enabled. The access points contending for the medium may not be aware of each other. The RTS/CTS mechanism can solve this “Hidden Node Problem.” (Range: 0-2347 bytes: Default: 2347 bytes) 6-57 6 System Configuration CLI Commands for the Common Radio Settings – From the global configuration mode, enter the interface wireless a command to access the 802.11a radio interface. From the 802.11a interface mode, you can access radio settings that apply to all VAP interfaces. Use the turbo command to enable this feature before setting the radio channel with the channel command. Set any other radio setting as required before enabling the VAP interface (with the no shutdown command). To view the current 802.11a radio settings for the VAP interface, use the show interface wireless a [0~3] command as shown on 7-94. Enterprise AP(config)#interface wireless a Enter Wireless configuration commands, one per line. Enterprise AP(if-wireless a)#turbo Enterprise AP(if-wireless a)#channel 42 Enterprise AP(if-wireless a)#transmit-power full Enterprise AP(if-wireless a)#speed 9 Enterprise AP(if-wireless a)#antenna id 0000 Enterprise AP(if-wireless a)#antenna control right Enterprise AP(if-wireless a)#antenna location indoor Enterprise AP(if-wireless a)#mic_mode hardware Enterprise AP(if-wireless a)#super-a Enterprise AP(if-wireless a)#beacon-interval 150 Enterprise AP(if-wireless a)#beacon-interval 150 Enterprise AP(if-wireless a)#dtim-period 5 Enterprise AP(if-wireless a)#multicast-data-rate 6 Enterprise AP(if-wireless a)#fragmentation-length 512 Enterprise AP(if-wireless a)#rts-threshold 256 Enterprise AP(if-wireless a)# 7-87 7-95 7-96 7-97 7-95 7-100 7-99 7-100 7-122 7-104 7-101 7-101 7-101 7-96 7-102 7-103 Configuring Wi-Fi Multimedia Wireless networks offer an equal opportunity for all devices to transmit data from any type of application. Although this is acceptable for most applications, multimedia applications (with audio and video) are particularly sensitive to the delay and throughput variations that result from this “equal opportunity” wireless access method. For multimedia applications to run well over a wireless network, a Quality of Service (QoS) mechanism is required to prioritize traffic types and provide an “enhanced opportunity” wireless access method. The access point implements QoS using the Wi-Fi Multimedia (WMM) standard. Using WMM, the access point is able to prioritize traffic and optimize performance when multiple applications compete for wireless network bandwidth at the same time. WMM employs techniques that are a subset of the developing IEEE 802.11e QoS standard and it enables the access point to inter operate with both WMMenabled clients and other devices that may lack any WMM functionality. Access Categories — WMM defines four access categories (ACs): voice, video, best effort, and background. These categories correspond to traffic priority levels and are mapped to IEEE 802.1D priority tags (see Table 6-1). The direct mapping of the four ACs to 802.1D priorities is specifically intended to facilitate inter operability with other wired network QoS policies. While the four ACs are specified for specific 6-58 Radio Interface types of traffic, WMM allows the priority levels to be configured to match any network-wide QoS policy. WMM also specifies a protocol that access points can use to communicate the configured traffic priority levels to QoS-enabled wireless clients. Table 6-1. WMM Access Categories Access Category WMM Designation Description 802.1D Tags AC_VO (AC3) Voice Highest priority, minimum delay. Time-sensitive data such as VoIP (Voice over IP) calls. 7, 6 AC_VI (AC2) Video High priority, minimum delay. Time-sensitive data 5, 4 such as streaming video. AC_BE (AC0) Best Effort Normal priority, medium delay and throughput. 0, 3 Data only affected by long delays. Data from applications or devices that lack QoS capabilities. AC_BK (AC1) Background Lowest priority. Data with no delay or throughput 2, 1 requirements, such as bulk data transfers. WMM Operation — WMM uses traffic priority based on the four ACs; Voice, Video, Best Effort, and Background. The higher the AC priority, the higher the probability that data is transmitted. When the access point forwards traffic, WMM adds data packets to four independent transmit queues, one for each AC, depending on the 802.1D priority tag of the packet. Data packets without a priority tag are always added to the Best Effort AC queue. From the four queues, an internal “virtual” collision resolution mechanism first selects data with the highest priority to be granted a transmit opportunity. Then the same collision resolution mechanism is used externally to determine which device has access to the wireless medium. For each AC queue, the collision resolution mechanism is dependent on two timing parameters: • AIFSN (Arbitration Inter-Frame Space Number), a number used to calculate the minimum time between data frames • CW (Contention Window), a number used to calculate a random backoff time After a collision detection, a backoff wait time is calculated. The total wait time is the sum of a minimum wait time (Arbitration Inter-Frame Space, or AIFS) determined from the AIFSN, and a random backoff time calculated from a value selected from zero to the CW. The CW value varies within a configurable range. It starts at CWMin and doubles after every collision up to a maximum value, CWMax. After a successful transmission, the CW value is reset to its CWMin value. 6-59 6 System Configuration Tim CWMin riority CWMax AIFS Random Backoff Minimum Wait Time Random Wait Time CWMin riority AIFS Random Backoff Minimum Wait Time Random Wait Time Figure 6-1. WMM Backoff Wait Times For high-priority traffic, the AIFSN and CW values are smaller. The smaller values equate to less backoff and wait time, and therefore more transmit opportunities. To configure WMM, select the Radio Settings page, and scroll down to the WMM configuration settings. 6-60 Radio Interface WMM – Sets the WMM operational mode on the access point. When enabled, the parameters for each AC queue will be employed on the access point and QoS capabilities are advertised to WMM-enabled clients. (Default: Support) • Disable: WMM is disabled. • Support: WMM will be used for any associated device that supports this feature. Devices that do not support this feature may still associate with the access point. • Required: WMM must be supported on any device trying to associated with the access point. Devices that do not support this feature will not be allowed to associate with the access point. WMM Acknowledge Policy – By default, all wireless data transmissions require the sender to wait for an acknowledgement from the receiver. WMM allows the acknowledgement wait time to be turned off for each Access Category (AC). Although this increases data throughput, it can also result in a high number of errors when traffic levels are heavy. (Default: Acknowledge) WMM BSS Parameters – These parameters apply to the wireless clients. WMM AP Parameters – These parameters apply to the access point. • logCWMin (Minimum Contention Window) – The initial upper limit of the random backoff wait time before wireless medium access can be attempted. The initial wait time is a random value between zero and the CWMin value. Specify the CWMin value in the range 0-15 microseconds. Note that the CWMin value must be equal or less than the CWMax value. • logCWMax (Maximum Contention Window) – The maximum upper limit of the random backoff wait time before wireless medium access can be attempted. The contention window is doubled after each detected collision up to the CWMax value. Specify the CWMax value in the range 0-15 microseconds. Note that the CWMax value must be greater or equal to the CWMin value. • AIFS (Arbitration Inter-Frame Space) – The minimum amount of wait time before the next data transmission attempt. Specify the AIFS value in the range 0-15 microseconds. • TXOP Limit (Transmit Opportunity Limit) – The maximum time an AC transmit queue has access to the wireless medium. When an AC queue is granted a transmit opportunity, it can transmit data for a time up to the TxOpLimit. This data bursting greatly improves the efficiency for high data-rate traffic. Specify a value in the range 0-65535 microseconds. • Admission Control – The admission control mode for the access category. When enabled, clients are blocked from using the access category. (Default: Disabled) Key Type – See “Wired Equivalent Privacy (WEP)” on page 6-71. CLI Commands for WMM – Enter interface wireless mode and type wmm required for clients that want to associate with the access point. The wmm-acknowledge-policy command is used to enable or disable a policy for each access category. The wmmparms command defines detailed WMM parameters. 6-61 6 System Configuration Enterprise AP(if-wireless a)#wmm required Enterprise AP(if-wireless a)#wmm-acknowledge-policy 0 noack Enterprise AP(if-wireless a)#wmmparams ap 0 4 6 3 1 1 To view the current 802.11a radio settings for the VAP interface, use the show interface wireless a 0 command. Enterprise AP#show interface wireless a 0 Wireless Interface Information ============================================================= --------------------Identification--------------------------Description : SMC 802.11g Access Point SSID : SMC_A 0 Turbo Mode : DISABLED Channel : 36 (AUTO) Status : DISABLED MAC Address : 00:12:cf:05:95:0c ----------------802.11 Parameters--------------------------Transmit Power : FULL (16 dBm) Max Station Data Rate : 54Mbps Multicast Data Rate : 6Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs Authentication Timeout Interval : 60 Mins Association Timeout Interval : 30 Mins DTIM Interval : 1 beacon Maximum Association : 64 stations MIC Mode : Software Super A : Disabled VLAN ID : 1 ----------------Security------------------------------------Closed System : Disabled Multicast cipher : WEP WPA clients : TKIP and AES WPA Key Mgmt Mode : PRE SHARED KEY WPA PSK Key Type : PASSPHRASE Encryption : DISABLED Default Transmit Key : 1 Common Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Authentication Type : OPEN ----------------802.1x--------------------------------------802.1x Broadcast Key Refresh Rate : 30 min Session Key Refresh Rate : 30 min 802.1x Session Timeout Value : 0 min ----------------Antenna-------------------------------------Antenna Control method : Diversity Antenna ID : 0x0000(Default Antenna) Antenna Location : Indoor 6-62 7-109 Radio Interface ----------------Quality of Service--------------------------WMM Mode : SUPPORTED WMM Acknowledge Policy AC0(Best Effort) : Ack AC1(Background) : Acknowledge AC2(Video) : Acknowledge AC3(Voice) : Acknowledge WMM BSS Parameters AC0(Best Effort) : logCwMin: 4 logCwMax: 10 AIFSN: Admission Control: No TXOP Limit: 0.000 ms AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: Admission Control: No TXOP Limit: 0.000 ms AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: Admission Control: No TXOP Limit: 3.008 ms AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: Admission Control: No TXOP Limit: 1.504 ms WMM AP Parameters AC0(Best Effort) : logCwMin: 4 logCwMax: 6 AIFSN: Admission Control: No TXOP Limit: 0.000 ms AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: Admission Control: No TXOP Limit: 0.000 ms AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: Admission Control: No TXOP Limit: 3.008 ms AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: Admission Control: No TXOP Limit: 1.504 ms ============================================================= Enterprise AP# Radio Settings G (802.11g) The IEEE 802.11g standard operates within the 2.4 GHz band at up to 54 Mbps. Also note that because the IEEE 802.11g standard is an extension of the IEEE 802.11b standard, it allows clients with 802.11b wireless network cards to associate to an 802.11g access point. First configure the radio settings that apply to the individual VAPs (Virtual Access Point) and the common radio settings that apply to the overall system. After you have configured the radio settings, go to the Security page under the 802.a Interface (see “Security” on page 6-66), enable the radio service for any of the VAP interfaces, and then set an SSID to identify the wireless network service provided by each VAP. Remember that only clients with the same SSID can associate with a VAP. Note: You must first enable VAP interface 0 before the other interfaces can be enabled. 6-63 6 System Configuration Most of the 802.11g commands are identical to those used by the 802.11a interface. For information on the these command, refer to the following sections: • • • • “Configuring VAP Radio Settings” on page 6-49 “Configuring Rogue AP Detection” on page 6-51 “Configuring Common Radio Settings” on page 6-54 “Configuring Wi-Fi Multimedia” on page 6-58 Only the radio settings unique to the 802.11g interface are included in this section. To configure the 802.11g radio settings, select the Radio Settings page. Radio Mode – Selects the operating mode for the 802.11g wireless interface. (Default: 802.11b+g) • 802.11b+g: Both 802.11b and 802.11g clients can communicate with the access point (up to 54 Mbps). • 802.11b only: Both 802.11b and 802.11g clients can communicate with the access point, but 802.11g clients can only transfer data at 802.11b standard rates (up to 11 Mbps). • 802.11g only: Only 802.11g clients can communicate with the access point (up to 54 Mbps). 6-64 Radio Interface Radio Channel – The radio channel that the access point uses to communicate with wireless clients. When multiple access points are deployed in the same area, set the channel on neighboring access points at least five channels apart to avoid interference with each other. For example, in the United States you can deploy up to three access points in the same area (e.g., channels 1, 6, 11). Also note that the channel for wireless clients is automatically set to the same as that used by the access point to which it is linked. (Range: 1-11; Default: 1) Auto Channel Select – Enables the access point to automatically select an unoccupied radio channel. (Default: Enabled) Maximum Station Data Rate – The maximum data rate at which the access point transmits unicast packets on the wireless interface. The maximum transmission distance is affected by the data rate. The lower the data rate, the longer the transmission distance. (Default: 54 Mbps) Super G – The Atheros proprietary Super G performance enhancements are supported by the access point. These enhancements include bursting, compression, fast frames and dynamic turbo. Maximum throughput ranges between 40 to 60 Mbps for connections to Atheros-compatible clients. (Default: Disabled) Preamble – Sets the length of the signal preamble that is used at the start of a data transmission. (Default: Long) • Long: Sets the preamble to long (192 microseconds). Using a long preamble ensures the access point can support all 802.11b and 802.11g clients. • Short or Long: Sets the preamble according to the capability of clients that are currently asscociated. Uses a short preamble (96 microseconds) if all associated clients can support it, otherwise a long preamble is used. The access point can increase data throughput when using a short preamble, but will only use a short preamble if it determines that all associated clients support it. 6-65 6 System Configuration CLI Commands for the 802.11g Wireless Interface – From the global configuration mode, enter the interface wireless g command to access the 802.11g radio interface. The 802.11g radio can be forced to an 802.11g-only, 802.11b-only, or mixed 802.11b/g operating mode using the radio-mode command. You should set the desired operating mode before configuring channel settings (the default is mixed 802.11b/g operation). Select a radio channel or set selection to Auto using the channel command. Set any other radio settings as required before enabling the VAP interface (with the no shutdown command). To view the current 802.11g radio settings for the VAP interface, use the show interface wireless g [0~3] command as shown on 7-94. Enterprise AP(config)#interface wireless g Enter Wireless configuration commands, one per line. Enterprise AP(if-wireless g)#radio-mode g Enterprise AP(if-wireless g)#channel auto Enterprise AP(if-wireless a)#transmit-power full Enterprise AP(if-wireless a)#super-g Enterprise AP(if-wireless g)#preamble short Enterprise AP(if-wireless g)# 7-87 7-98 7-96 7-97 7-104 7-98 Security The access point is configured by default as an “open system,” which broadcasts a beacon signal including the configured SSID. Wireless clients with an SSID setting of “any” can read the SSID from the beacon and automatically set their SSID to allow immediate connection to the nearest access point. To improve wireless network security, you have to implement two main functions: • Authentication: It must be verified that clients attempting to connect to the network are authorized users. • Traffic Encryption: Data passing between the access point and clients must be protected from interception and eavesdropping. For a more secure network, the access point can implement one or a combination of the following security mechanisms: • • • • Wired Equivalent Privacy (WEP) IEEE 802.1X Wireless MAC address filtering Wi-Fi Protected Access (WPA or WPA2) page 6-67 page 5-15 page 6-13 page 6-75 Both WEP and WPA security settings are configurable separately for each virtual access point (VAP) interface. MAC address filtering, IEEE 802.1X, and RADIUS server settings are global and apply to all VAP interfaces. The security mechanisms that may be employed depend on the level of security required, the network and management resources available, and the software support provided on wireless clients. 6-66 Radio Interface A summary of wireless security considerations is listed in the following table. Table 6-2. Wireless Security Considerations Security Mechanism Client Support Implementation Considerations WEP Built-in support on all 802.11a and 802.11g devices • Provides only weak security • Requires manual key management WEP over 802.1X Requires 802.1X client support • Provides dynamic key rotation for improved WEP in system or by add-in software security (support provided in Windows • Requires configured RADIUS server 2000 SP3 or later and Windows • 802.1X EAP type may require management of XP) digital certificates for clients and server MAC Address Filtering Uses the MAC address of client • Provides only weak user authentication network card • Management of authorized MAC addresses • Can be combined with other methods for improved security • Optionally configured RADIUS server WPA over 802.1X Requires WPA-enabled system • Provides robust security in WPA-only mode Mode and network card driver (i.e., WPA clients only) (native support provided in • Offers support for legacy WEP clients, but with Windows XP) increased security risk (i.e., WEP authentication keys disabled) • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server WPA PSK Mode Requires WPA-enabled system • Provides good security in small networks and network card driver • Requires manual management of pre-shared key (native support provided in Windows XP) WPA2 with 802.1X Requires WPA-enabled system • Provides the strongest security in WPA2-only and network card driver (native mode support provided in Windows • Provides robust security in mixed mode for WPA XP) and WPA2 clients • Offers fast roaming for time-sensitive client applications • Requires configured RADIUS server • 802.1X EAP type may require management of digital certificates for clients and server • Clients may require hardware upgrade to be WPA2 compliant WPA2 PSK Mode Requires WPA-enabled system • Provides robust security in small networks and network card driver (native • Requires manual management of pre-shared key support provided in Windows • Clients may require hardware upgrade to be WPA2 XP) compliant Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, or AES) in the access point. 6-67 6 System Configuration The access point can simultaneously support clients using various different security mechanisms. The configuration for these security combinations are outlined in the following table. Note that MAC address authentication can be configured independently to work with all security mechanisms and is indicated separately in the table. Required RADIUS server support is also listed. Table 6-3. Security Combinations Client Security Combination Configuration Summarya MAC Auth.b RADIUS Server Static WEP only (with or without shared key authentication) 802.1X: Disable Enter 1 to 4 WEP keys Select a WEP transmit key VAP interface settings: Authentication Type: Shared Key or Open System Data Encryption: Enable WPA Clients: WEP only Local or RADIUS Yesc Dynamic WEP (802.1X) only 802.1X: Required Set 802.1X key refresh rates VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: WEP only Local or RADIUS Yesc 802.1X WPA only 802.1X: Required Set 802.1X key refresh rates VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: Required WPA Key Mode: WPA over 802.1X WPA Multicast Cipher: TKIP or AES Local only Yes WPA Pre-Shared Key only 802.1X: Disable VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: Required WPA Key Mode: WPA Pre-shared Key Enter a WPA Pre-shared key WPA Multicast Cipher: TKIP or AES Local only No Static and dynamic (802.1X) WEP keys 802.1X: Supported Set 802.1X key refresh rates Enter 1 to 4 WEP keys Select a WEP transmit key VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA clients: WEP only Local or RADIUS Yes 6-68 Radio Interface Table 6-3. Security Combinations Client Security Combination Configuration Summarya MAC Auth.b RADIUS Server Static WEP and WPA Pre-Shared Key 802.1X: Disable Enter 1 to 4 WEP keys Select a WEP transmit key VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: Supported WPA Key Mode: WPA Pre-shared Key Enter a WPA Pre-shared key WPA Multicast Cipher: WEP Local only No Dynamic WEP and 802.1X WPA 802.1X: Required Set 802.1X key refresh rates VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: Supported WPA Key Mode: WPA over 802.1X WPA Multicast Cipher: WEP Local only Yes Static and dynamic (802.1X) WEP keys and 802.1X WPA 802.1X: Supported Set 802.1X key refresh rates Enter 1 to 4 WEP keys Select a WEP transmit key VAP interface settings: Authentication Type: Open System Data Encryption: Enable WPA Clients: Supported WPA Key Mode: WPA over 802.1X WPA Multicast Cipher: WEP Local only Yes a. The configuration summary does not include the setup for MAC authentication (see page 6-12) or RADIUS server (see page 6-7). b. The configuration of RADIUS MAC authentication together with 802.1X WPA or WPA Pre-shared Key is not supported. c. RADIUS server required only when RADIUS MAC authentication is configured. Note: If you choose to configure RADIUS MAC authentication together with 802.1X, the RADIUS MAC address authentication occurs prior to 802.1X authentication. Only when RADIUS MAC authentication succeeds is 802.1X authentication performed. When RADIUS MAC authentication fails, 802.1X authentication is not performed. 6-69 6 System Configuration Enabling the VAPs Before enabling the Virtual Access Point (VAP) radio interfaces, first configure all of the relevant raido settings (see “Radio Settings A (802.11a)” on page 6-49 or “Radio Settings G (802.11g)” on page 6-63.) After you have configured the radio settnings, select Security under Radio A or Radio G, set an SSID to identify the wireless network service provided by each VAP you want to use, and then click Apply to save your settings. Before enabling the radio service for any VAP, first configure the WEP, WPA, and 802.1X security settings described in the following sections. After you have finished configuring the security settings, return to the main Security page shown below, start the required VAP interfaces by clicking the Enable checkbox, and then click Apply. Enable – Enables radio communications on the VAP interface. (Default: Disabled) Note: You must first enable VAP interface 0 before you can enable other VAP interfaces. SSID – The name of the basic service set provided by a VAP interface. Clients that want to connect to the network through the access point must set their SSID to the same as that of an access point VAP interface. (Default: SMC_A # (0 to 3); Range: 1-32 characters) 6-70 Radio Interface Wired Equivalent Privacy (WEP) WEP provides a basic level of security, preventing unauthorized access to the network, and encrypting data transmitted between wireless clients and the access point. WEP uses static shared keys (fixed-length hexadecimal or alphanumeric strings) that are manually distributed to all clients that want to use the network. WEP is the security protocol initially specified in the IEEE 802.11 standard for wireless communications. Unfortunately, WEP has been found to be seriously flawed and cannot be recommended for a high level of network security. For more robust wireless security, the access point provides Wi-Fi Protected Access (WPA) for improved data encryption and user authentication. Setting up shared keys enables the basic IEEE 802.11 Wired Equivalent Privacy (WEP) on the access point to prevent unauthorized access to the network. If you choose to use WEP shared keys instead of an open system, be sure to define at least one static WEP key for user authentication and data encryption. Also, be sure that the WEP shared keys are the same for each client in the wireless network. Note that all clients share the same keys, which are used for user authentication and data encryption. Up to four keys can be specified. These four keys are used for all VAP interfaces on the same radio. To set up WEP shared keys, click Radio Settings under Radio A or Radio G. Key Type – Select the preferred method of entering WEP encryption keys on the access point and enter up to four keys: • Hexadecimal: Enter keys as 10 hexadecimal digits (0-9 and A-F) for 64 bit keys, 26 hexadecimal digits for 128 bit keys, or 32 hexadecimal digits for 152 bit keys (802.11a radio only). This is the default setting. • Alphanumeric: Enter keys as 5 alphanumeric characters for 64 bit keys, 13 alphanumeric characters for 128 bit keys, or 16 alphanumeric characters for 152 bit keys (802.11a radio only). 6-71 6 System Configuration Key Number – Selects the key number to use for encryption for each VAP interface. If the clients have all four keys configured to the same values, you can change the encryption key to any of the four settings without having to update the client keys. (Default: Key 1) Shared Key Setup – Select 64 Bit, 128 Bit, or 152 Bit key length. Note that the same size of encryption key must be supported on all wireless clients. (Default: None) Note: Key index and type must match that configured on the clients. Note: In a mixed-mode environment with clients using static WEP keys and WPA, select WEP transmit key index 2, 3, or 4. The access point uses transmit key index 1 for the generation of dynamic keys. To enable WEP shared keys for a VAP interface, click Security under Radio A or Radio G. Then, select the VAP interface that will use WEP keys by clicking More, and configure the Authentication Type Setup and Data Encryption fields. Authentication Type Setup – Sets the access point to communicate as an open system that accepts network access attempts from any client, or with clients using pre-configured static shared keys. (Default: Open System) • Open System: Select this option if you plan to use WPA or 802.1X as a security mechanism. If you don’t set up any other security mechanism on the access point, the network has no protection and is open to all users. This is the default setting. • Shared Key: Sets the access point to use WEP shared keys. If this option is selected, you must configure at least one key on the access point and all clients. Note: To use 802.1X on wireless clients requires a network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows 2000 SP3 or later and Windows XP provide 802.1X client support. Windows XP also provides native WPA support. Other systems require additional client software to support 802.1X and WPA. 6-72 Radio Interface Data Encryption – Enable or disable the access point to use data encryption (WEP, TKIP, or AES). If this option is selected when using static WEP keys, you must configure at least one key on the access point and all clients. (Default: Disabled) Note: You must enable data encryption through the web or CLI in order to enable all types of encryption (WEP, TKIP, or AES) in the access point. CLI Commands for WEP Shared Key Security – For static WEP shared keys, be sure to first disable 802.1X port authentication using the 802.1X command from the configuration mode. Then, from the 802.11a or 802.11g interface configuration mode, use the key command to define up to four WEP keys that can be used for all VAP interfaces on the radio. Then use the vap command to access each VAP interface to configure other security settings. From the VAP interface configuration mode, use the authentication command to enable WEP shared-key authentication and the encryption command to enable data encryption. Then set one key as the transmit key for the VAP interface using the transmit-key command. To view the current security settings, use the show interface wireless a 0 or show interface wireless g 0 command from the Exec mode. Enterprise AP(config)#no 802.1X 7-65 Enterprise AP(config)#interface wireless g 7-87 Enter Wireless configuration commands, one per line. 7-119 Enterprise AP(if-wireless g)#key 1 128 ascii abcdeabcdeabc Enterprise AP(if-wireless g)#vap 0 7-94 Enterprise AP(if-wireless g: VAP[0])#authentication shared 7-119 Enterprise AP(if-wireless g: VAP[0])#encryption 7-118 Enterprise AP(if-wireless g: VAP[0])#transmit-key 1 7-120 Enterprise AP(if-wireless g: VAP[0])#exit 7-109 Enterprise AP#show interface wireless g 0 Wireless Interface Information ======================================================================== ----------------Identification-----------------------------------------Description : SMC 802.11g Access Point SSID : SMC_G 0 Channel : 11 (AUTO) Status : DISABLED MAC Address : 00:12:cf:05:95:08 ----------------802.11 Parameters---------------------------------------Radio Mode : b & g mixed mode Transmit Power : FULL (5 dBm) Max Station Data Rate : 54Mbps Multicast Data Rate : 5.5Mbps Fragmentation Threshold : 2346 bytes RTS Threshold : 2347 bytes Beacon Interval : 100 TUs Authentication Timeout Interval : 60 Mins Association Timeout Interval : 30 Mins DTIM Interval : 1 beacon Preamble Length : SHORT-OR-LONG Maximum Association : 64 stations MIC Mode : Software Super G : Disabled VLAN ID : 1 6-73 6 System Configuration ----------------Security-----------------------------------------------Closed System : Disabled Multicast cipher : WEP Unicast cipher : TKIP and AES WPA clients : DISABLED WPA Key Mgmt Mode : PRE SHARED KEY WPA PSK Key Type : PASSPHRASE WPA PSK Key : EMPTY PMKSA Lifetime : 720 minutes Encryption : DISABLED Default Transmit Key : 1 Common Static Keys : Key 1: EMPTY Key 2: EMPTY Key 3: EMPTY Key 4: EMPTY Pre-Authentication : DISABLED Authentication Type : OPEN ----------------802.1x-------------------------------------------------802.1x : DISABLED Broadcast Key Refresh Rate : 30 min Session Key Refresh Rate : 30 min 802.1x Session Timeout Value : 0 min ----------------Antenna------------------------------------------------Antenna Control method : Diversity Antenna ID : 0x0000(Default Antenna) Antenna Location : Indoor ----------------Quality of Service--------------------------------------WMM Mode : SUPPORTED WMM Acknowledge Policy AC0(Best Effort) : Acknowledge AC1(Background) : Acknowledge AC2(Video) : Acknowledge AC3(Voice) : Acknowledge WMM BSS Parameters AC0(Best Effort) : logCwMin: 4 logCwMax: 10 AIFSN: 3 Admission Control: No TXOP Limit: 0.000 ms AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7 Admission Control: No TXOP Limit: 0.000 ms AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 2 Admission Control: No TXOP Limit: 3.008 ms AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 2 Admission Control: No TXOP Limit: 1.504 ms WMM AP Parameters AC0(Best Effort) : logCwMin: 4 logCwMax: 6 AIFSN: 3 Admission Control: No TXOP Limit: 0.000 ms AC1(Background) : logCwMin: 4 logCwMax: 10 AIFSN: 7 Admission Control: No TXOP Limit: 0.000 ms AC2(Video) : logCwMin: 3 logCwMax: 4 AIFSN: 1 Admission Control: No TXOP Limit: 3.008 ms AC3(Voice) : logCwMin: 2 logCwMax: 3 AIFSN: 1 Admission Control: No TXOP Limit: 1.504 ms ======================================================================== Enterprise AP# 6-74 Radio Interface CLI Commands for WEP over 802.1X Security – First set 802.1X to required using the 802.1X command and set the 802.1X key refresh rates. Then, from the 802.11a or 802.11g interface configuration mode, use the vap command to access each VAP interface to configure other security settings. From the VAP interface configuration mode, use the authentication command to select open system authentication and the encryption command to enable data encryption. Be sure that WPA is disabled by using the wpa-clients wep-only command. To view the current security settings, use the show interface wireless a 0 or show interface wireless g 0 command (not shown in example). Enterprise AP(if-wireless g)#vap 0 Enterprise AP(if-wireless g: VAP[0])#802.1X required Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300 Enterprise AP(if-wireless g: VAP[0])#interface wireless g Enter Wireless configuration commands, one per line. Enterprise AP(if-wireless g: VAP[0])#authentication open Enterprise AP(if-wireless g: VAP[0])#encryption Enterprise AP(if-wireless g: VAP[0])# 7-65 7-66 7-67 7-67 7-87 7-119 7-118 Wi-Fi Protected Access (WPA) WPA employs a combination of several technologies to provide an enhanced security solution for 802.11 wireless networks. The access point supports the following WPA components and features: IEEE 802.1X and the Extensible Authentication Protocol (EAP): WPA employs 802.1X as its basic framework for user authentication and dynamic key management. The 802.1X client and RADIUS server should use an appropriate EAP type—such as EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled TLS), or PEAP (Protected EAP)—for strongest authentication. Working together, these protocols provide “mutual authentication” between a client, the access point, and a RADIUS server that prevents users from accidentally joining a rogue network. Only when a RADIUS server has authenticated a user’s credentials will encryption keys be sent to the access point and client. Note: To implement WPA on wireless clients requires a WPA-enabled network card driver and 802.1X client software that supports the EAP authentication type that you want to use. Windows XP provides native WPA support, other systems require additional software. Temporal Key Integrity Protocol (TKIP): WPA specifies TKIP as the data encryption method to replace WEP. TKIP avoids the problems of WEP static keys by dynamically changing data encryption keys. Basically, TKIP starts with a master (temporal) key for each user session and then mathematically generates other keys 6-75 6 System Configuration to encrypt each data packet. TKIP provides further data encryption enhancements by including a message integrity check for each packet and a re-keying mechanism, which periodically changes the master key. WPA Pre-Shared Key Mode (WPA-PSK, WPA2-PSK): For enterprise deployment, WPA requires a RADIUS authentication server to be configured on the wired network. However, for small office networks that may not have the resources to configure and maintain a RADIUS server, WPA provides a simple operating mode that uses just a pre-shared password for network access. The Pre-Shared Key mode uses a common password for user authentication that is manually entered on the access point and all wireless clients. The PSK mode uses the same TKIP packet encryption and key management as WPA in the enterprise, providing a robust and manageable alternative for small networks. Mixed WPA and WEP Client Support: WPA enables the access point to indicate its supported encryption and authentication mechanisms to clients using its beacon signal. WPA-compatible clients can likewise respond to indicate their WPA support. This enables the access point to determine which clients are using WPA security and which are using legacy WEP. The access point uses TKIP unicast data encryption keys for WPA clients and WEP unicast keys for WEP clients. The global encryption key for multicast and broadcast traffic must be the same for all clients, therefore it restricts encryption to a WEP key. When access is opened to both WPA and WEP clients, no authentication is provided for the WEP clients through shared keys. To support authentication for WEP clients in this mixed mode configuration, you can use either MAC authentication or 802.1X authentication. WPA2 – WPA was introduced as an interim solution for the vulnerability of WEP pending the ratification of the IEEE 802.11i wireless security standard. In effect, the WPA security features are a subset of the 802.11i standard. WPA2 includes the now ratified 802.11i standard, but also offers backward compatibility with WPA. Therefore, WPA2 includes the same 802.1X and PSK modes of operation and support for TKIP encryption. The main differences and enhancements in WPA2 can be summarized as follows: • Advanced Encryption Standard (AES): WPA2 uses AES Counter-Mode encryption with Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity. The AES Counter-Mode/CBCMAC Protocol (AES-CCMP) provides extremely robust data confidentiality using a 128-bit key. The AES-CCMP encryption cipher is specified as a standard requirement for WPA2. However, the computational intensive operations of AES-CCMP requires hardware support on client devices. Therefore to implement WPA2 in the network, wireless clients must be upgraded to WPA2-compliant hardware. • WPA2 Mixed-Mode: WPA2 defines a transitional mode of operation for networks moving from WPA security to WPA2. WPA2 Mixed Mode allows both WPA and WPA2 clients to associate to a common SSID interface. In mixed mode, the unicast encryption cipher (TKIP or AES-CCMP) is negotiated for each client. The access point advertises its supported encryption ciphers in beacon frames and probe 6-76 Radio Interface responses. WPA and WPA2 clients select the cipher they support and return the choice in the association request to the access point. For mixed-mode operation, the cipher used for broadcast frames is always TKIP. WEP encryption is not allowed. • Key Caching: WPA2 provides fast roaming for authenticated clients by retaining keys and other security information in a cache, so that if a client roams away from an access point and then returns, re-authentication is not required. When a WPA2 client is first authenticated, it receives a Pairwise Master Key (PMK) that is used to generate other keys for unicast data encryption. This key and other client information form a Security Association that the access point names and holds in a cache. • Preauthentication: Each time a client roams to another access point it has to be fully re-authenticated. This authentication process is time consuming and can disrupt applications running over the network. WPA2 includes a mechanism, known as pre-authentication, that allows clients to roam to a new access point and be quickly associated. The first time a client is authenticated to a wireless network it has to be fully authenticated. When the client is about to roam to another access point in the network, the access point sends pre-authentication messages to the new access point that include the client’s security association information. Then when the client sends an association request to the new access point, the client is known to be already authenticated, so it proceeds directly to key exchange and association. 6-77 6 System Configuration To configure WPA, click Security under Radio A or Radio G. Select one of the VAP interfaces by clicking More. Select one of the WPA options in the Authentication Setup table, and then configure the parameters displayed beneath the table. The WPA configuration parameters are described below: Data Encryption Mode – You must enable data encryption in order to enable all types of encryption (WEP, TKIP, or AES) in the access point. Pre-Authentication – When using WPA2 over 802.1X, pre-authentication can be enabled, which allows clients to roam to a new access point and be quickly associated without performing full 802.1X authentication. (Default: Disabled) Authentication Setup – To use WPA or WPA2, set the access point to one of the following options. If a WPA/WPA2 mode that operates over 802.1X is selected (WPA, WPA2, WPA-WPA2-mixed, or WPA-WPA2-PSK-mixed), the 802.1X settings and RADIUS server details need to be configured. Be sure you have also configured a RADIUS server on the network before enabling authentication. If a WPA/WPA2 Pre-shared Key mode is selected (WPA-PSK or WPA2-PSK), be sure to specify the key string. 6-78 Radio Interface • WPA: Clients using WPA over 802.1X are accepted for authentication. • WPA-PSK: Clients using WPA with a Pre-shared Key are accepted for authentication. • WPA2: Clients using WPA2 over 802.1X are accepted for authentication. • WPA2-PSK: Clients using WPA2 with a Pre-shared Key are accepted for authentication. • WPA-WPA2-mixed: Clients using WPA or WPA2 over 802.1X are accepted for authentication. • WPA-WPA2-PSK-mixed: Clients using WPA or WPA2 with a Pre-shared Key are accepted for authentication. WPA Configuration – Each VAP interface can be configured to allow only WPA-enabled clients to access the network (Required), or to allow access to both WPA and WEP clients (Supported). (Default: Required) Cipher Suite – Selects an encryption method for the global key used for multicast and broadcast traffic, which is supported by all wireless clients. • WEP: WEP is used as the multicast encryption cipher. You should select WEP only when both WPA and WEP clients are supported. • TKIP: TKIP is used as the multicast encryption cipher. • AES-CCMP: AES-CCMP is used as the multicast encryption cipher. AES-CCMP is the standard encryption cipher required for WPA2. WPA Pre-Shared Key Type – If the WPA or WPA2 pre-shared-key mode is used, all wireless clients must be configured with the same key to communicate with the access point. • Hexadecimal – Enter a key as a string of 64 hexadecimal numbers. • Alphanumeric – Enter a key as an easy-to-remember form of letters and numbers. The string must be from 8 to 63 characters, which can include spaces. 6-79 6 System Configuration The configuration settings for WPA are summarized below: Table 6-4. WPA Configuration Settings WPA and WPA2 pre-shared key only WPA and WPA2 over 802.1X Authentication Type: Open System Data Encryption: Enabled Key Source: Authentication Server Authentication Setup: WPA-PSK or WPA2-PSK Authentication Type: Open System Data encryption: Enabled Key Source: Authentication Server Authentication Setup: WPA, WPA2, WPA-WPA2-mixed, or WPA-WPA2-PSK-mixed WPA Key Management: WPA/WPA2 over 802.1x WPA Cipher Mode: WEP/TKIP/AES-CCMP Key Type: Hex/ASCII Shared Key: 64/128/152 bits Transmit Key: 1/2/3/4 (requires RADIUS server to be specified) WPA Key Management: WPA/WPA2 pre-shared key WPA Cipher Mode: WEP/TKIP/AES-CCMP WPA Pre-shared Key Type: Hex/ASCII 1: You must enable data encryption in order to enable all types of encryption in the access point. 2: Select Auto or TKIP when any WPA clients do not support AES. Select AES only if all clients support AES. CLI Commands for WPA Using Pre-shared Key Security – Be sure to first disable 802.1X port authentication using the 802.1X command from the configuration mode. Then, from the 802.11a or 802.11g interface configuration mode, use the vap command to access each VAP interface to configure other security settings. From the VAP interface configuration mode, use the authentication command to set the access point to “Open System.” Use the encryption command to enable data encryption. To enable WPA to be required for all clients, use the wpa-clients command. Set the broadcast and multicast key encryption using the multicast-cipher command. Use the wpa-mode command to enable the Pre-shared Key mode. To enter a key value, use the wpa-psk-type command to specify a hexadecimal or alphanumeric key, and then use the wpa-preshared-key command to define the key. To view the current security settings, use the show interface wireless a 0 or show interface wireless g 0 command (not shown in example). Enterprise AP(config)#interface wireless g Enter Wireless configuration commands, one per line. Enterprise AP(if-wireless g)#vap 0 Enterprise AP(if-wireless g: VAP[0])#no 802.1X Enterprise AP(if-wireless g: VAP[0])#authentication open Enterprise AP(if-wireless g: VAP[0])#encryption Enterprise AP(if-wireless g: VAP[0])#wpa-clients required Enterprise AP(if-wireless g: VAP[0])#multicast-cipher TKIP Enterprise AP(if-wireless g: VAP[0])#wpa-preshared-key ASCII agoodsecret Enterprise AP(if-wireless g: VAP[0])# 6-80 7-87 7-65 7-119 7-118 7-123 7-121 7-123 Radio Interface CLI Commands for WPA Over 802.1X Security – First set 802.1X to required using the 802.1X command and set the 802.1X key refresh rates. Then, from the 802.11a or 802.11g interface configuration mode, use the vap command to access each VAP interface to configure other security settings. From the VAP interface configuration mode, use the authentication command to select open system authentication and the encryption command to enable data encryption. Use the wpa-clients command to set WPA to be required or supported for clients. Use the wpa-mode command to enable WPA dynamic keys over 802.1X. Set the broadcast and multicast key encryption using the multicast-cipher command. To view the current security settings, use the show interface wireless a 0 or show interface wireless g 0 command (not shown in example). Enterprise AP(config)#interface wireless g Enter Wireless configuration commands, one per line. Enterprise AP(if-wireless g)#vap 0 Enterprise AP(if-wireless g: VAP[0])#802.required Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300 Enterprise AP(if-wireless g: VAP[0])#authentication open Enterprise AP(if-wireless g: VAP[0])#encryption Enterprise AP(if-wireless g: VAP[0])#wpa-clients required Enterprise AP(if-wireless g: VAP[0])#multicast-cipher TKIP Enterprise AP(if-wireless g: VAP[0])# 7-87 7-65 7-66 7-67 7-67 7-119 7-118 7-123 7-121 Configuring 802.1X IEEE 802.1X is a standard framework for network access control that uses a central RADIUS server for user authentication. This control feature prevents unauthorized access to the network by requiring an 802.1X client application to submit user credentials for authentication. The 802.1X standard uses the Extensible Authentication Protocol (EAP) to pass user credentials (either digital certificates, user names and passwords, or other) from the client to the RADIUS server. Client authentication is then verified on the RADIUS server before the access point grants client access to the network. The 802.1X EAP packets are also used to pass dynamic unicast session keys and static broadcast keys to wireless clients. Session keys are unique to each client and are used to encrypt and correlate traffic passing between a specific client and the access point. You can also enable broadcast key rotation, so the access point provides a dynamic broadcast key and changes it at a specified interval. 6-81 6 System Configuration Open the Security page, and click More for one of the VAP interfaces. You can enable 802.1X as optionally supported or as required to enhance the security of the wireless network. (Default: Disable) • Disable: The access point does not support 802.1X authentication for any wireless client. After successful wireless association with the access point, each client is allowed to access the network. • Supported: The access point supports 802.1X authentication only for clients initiating the 802.1X authentication process (i.e., the access point does not initiate 802.1X authentication). For clients initiating 802.1X, only those successfully authenticated are allowed to access the network. For those clients not initiating 802.1X, access to the network is allowed after successful wireless association with the access point. The 802.1X supported mode allows access for clients not using WPA or WPA2 security. • Required: The access point enforces 802.1X authentication for all associated wireless clients. If 802.1X authentication is not initiated by a client, the access point will initiate authentication. Only those clients successfully authenticated with 802.1X are allowed to access the network. Note: If 802.1X is enabled on the access point, then RADIUS setup must be completed (see “RADIUS” on page 6-7). When 802.1X is enabled, the broadcast and session key rotation intervals can also be configured. • Broadcast Key Refresh Rate: Sets the interval at which the broadcast keys are refreshed for stations using 802.1X dynamic keying. (Range: 0-1440 minutes; Default: 0 means disabled) • Session Key Refresh Rate: The interval at which the access point refreshes unicast session keys for associated clients. (Range: 0-1440 minutes; Default: 0 means disabled) 6-82 Radio Interface • 802.1X Reauthentication Refresh Rate: The time period after which a connected client must be re-authenticated. During the re-authentication process of verifying the client’s credentials on the RADIUS server, the client remains connected the network. Only if re-authentication fails is network access blocked. (Range: 0-65535 seconds; Default: 0 means disabled) CLI Commands for 802.1X Authentication – Use the 802.1X supported command from the VAP interface mode to enable 802.1X authentication. Set the session and broadcast key refresh rate, and the re-authentication timeout. To display the current settings, use the show authentication command from the Exec mode. Enterprise AP(if-wireless g: VAP[0])#802.1X supported Enterprise AP(if-wireless g: VAP[0])#802.1X broadcast-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-key-refresh-rate 5 Enterprise AP(if-wireless g: VAP[0])#802.1X session-timeout 300 Enterprise AP(if-wireless g: VAP[0])#exit Enterprise AP#show authentication 7-65 7-66 7-67 7-67 7-68 Authentication Information =========================================================== MAC Authentication Server : DISABLED MAC Auth Session Timeout Value : 0 min 802.1x supplicant : DISABLED 802.1x supplicant user : EMPTY 802.1x supplicant password : EMPTY Address Filtering : ALLOWED System Default : ALLOW addresses not found in filter table. Filter Table MAC Address Status -------------------------00-70-50-cc-99-1a DENIED 00-70-50-cc-99-1b ALLOWED ========================================================= Enterprise AP# 6-83 6 System Configuration Status Information The Status page includes information on the following items: Menu Description Page AP Status Displays configuration settings for the basic system and the wireless interface 6-84 Station Status Shows the wireless clients currently associated with the access point 6-87 Event Logs Shows log messages stored in memory 6-90 Access Point Status The AP Status window displays basic system configuration settings, as well as the settings for the wireless interface. 6-84 Status Information AP System Configuration – The AP System Configuration table displays the basic system configuration settings: • • • • • • System Up Time: Length of time the management agent has been up. MAC Address: The physical layer address for this device. System Name: Name assigned to this system. System Contact: Administrator responsible for the system. IP Address: IP address of the management interface for this device. IP Default Gateway: IP address of the gateway router between this device and management stations that exist on other network segments. 6-85 6 System Configuration • HTTP Server: Shows if management access via HTTP is enabled. • HTTP Server Port: Shows the TCP port used by the HTTP interface. • Version: Shows the version number for the runtime code. AP Wireless Configuration – The AP Wireless Configuration tables display the radio and VAP interface settings listed below. Note that Interface Wireless A refers to the 802.11a radio and Interface Wireless G refers the 802.11b/g radio. • SSID: The service set identifier for the VAP interface. • Radio Channel: The radio channel through which the access point communicates with wireless clients. • Encryption: The key size used for data encryption. • Authentication Type: Shows the type of authentication used. • 802.1X: Shows if IEEE 802.1X access control for wireless clients is enabled. CLI Commands for Displaying System Settings – To view the current access point system settings, use the show system command from the Exec mode. To view the current radio interface settings, use the show interface wireless a 0 or show interface wireless g 0 command (see page 7-109). Enterprise AP#show system System Information ========================================================== Serial Number : A123456789 System Up time : 0 days, 4 hours, 33 minutes, 29 seconds System Name : SMC System Location System Contact System Country Code : US - UNITED STATES MAC Address : 00-30-F1-F0-9A-9C IP Address : 192.168.1.1 Subnet Mask : 255.255.255.0 Default Gateway : 0.0.0.0 VLAN State : DISABLED Management VLAN ID(AP): 1 IAPP State : ENABLED DHCP Client : ENABLED HTTP Server : ENABLED HTTP Server Port : 80 HTTPS Server : ENABLED HTTPS Server Port : 443 Slot Status : Dual band(a/g) Boot Rom Version : v3.0.7 Software Version : v4.3.2.2 SSH Server : ENABLED SSH Server Port : 22 Telnet Server : ENABLED WEB Redirect : DISABLED DHCP Relay : DISABLED ========================================================== Enterprise AP# 6-86 7-23 Status Information Station Status The Station Status window shows the wireless clients currently associated with the access point. The Station Configuration page displays basic connection information for all associated stations as described below. Note that this page is automatically refreshed every five seconds. • Station Address: The MAC address of the wireless client. 6-87 6 System Configuration • Authenticated: Shows if the station has been authenticated. The two basic methods of authentication supported for 802.11 wireless networks are “open system” and “shared key.” Open-system authentication accepts any client attempting to connect to the access point without verifying its identity. The shared-key approach uses Wired Equivalent Privacy (WEP) to verify client identity by distributing a shared key to stations before attempting authentication. • Associated: Shows if the station has been successfully associated with the access point. Once authentication is completed, stations can associate with the current access point, or reassociate with a new access point. The association procedure allows the wireless system to track the location of each mobile client, and ensure that frames destined for each client are forwarded to the appropriate access point. • Forwarding Allowed: Shows if the station has passed 802.1X authentication and is now allowed to forward traffic to the access point. • Encryption: The data encryption method used for this client. • Authentication Type: The authentication method used for this client; including WEP (Open System or Pre-Shared Key), WPA, WPA2, or some combination. • SSID: The Service Set Identifier this client used to associate with the VAP. • Channel: The radio channel this client is using to communicate with the VAP. • Data Rate: The data rate at which this client is communicating with the VAP. 6-88 Status Information CLI Commands for Displaying Station Status – To view status of clients currently associated with the access point, use the show station command from the Exec mode. Enterprise AP#show station 7-110 Station Table Information =========================================================== if-wireless A VAP [0] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless A VAP [1] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless A VAP [2] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless A VAP [3] 802.11a Channel : Auto No 802.11a Channel Stations. if-wireless G VAP [0] 802.11g Channel : Auto No 802.11g Channel Stations. if-wireless G VAP [1] 802.11g Channel : Auto No 802.11g Channel Stations. if-wireless G VAP [2] 802.11g Channel : Auto No 802.11g Channel Stations. if-wireless G VAP [3] 802.11g Channel : Auto No 802.11g Channel Stations. =========================================================== Enterprise AP# 6-89 6 System Configuration Event Logs The Event Logs window shows the log messages generated by the access point and stored in memory. The Event Logs table displays the following information: • Log Time: The time the log message was generated. • Event Level: The logging level associated with this message. For a description of the various levels, see “logging level” on page 6-33. • Event Message: The content of the log message. Error Messages – An example of a logged error message is: “Station Failed to authenticate (unsupported algorithm).” This message may be caused by any of the following conditions: • Access point was set to “Open Authentication”, but a client sent an authentication request frame with a “Shared key.” • Access point was set to “Shared Key Authentication,” but a client sent an authentication frame for “Open System.” • WEP keys do not match: When the access point uses “Shared Key Authentication,” but the key used by client and access point are not the same, the frame will be decrypted incorrectly, using the wrong algorithm and sequence number. 6-90 Status Information CLI Commands for Displaying the Logging Status – From the global configuration mode, use the show logging command. 7-32 Enterprise AP#show loggging Logging Information ============================================ Syslog State : Enabled Logging Console State : Enabled Logging Level : Alert Logging Facility Type : 16 Servers 1: 192.168.1.19, UDP Port: 514, State: Enabled 2: 0.0.0.0, UDP Port: 514, State: Disabled 3: 0.0.0.0, UDP Port: 514, State: Disabled 4: 0.0.0.0, UDP Port: 514, State: Disabled ============================================= Enterprise AP# CLI Commands for Displaying Event Logs – To view the access point log entries, use the show event-log command from the Exec mode. To clear all log entries from the access point, use the logging clear command from the Global Configuration mode. Enterprise AP#show event-log Mar 09 11:57:55 Information: Mar 09 11:57:55 Information: Mar 09 11:57:34 Information: Mar 09 11:57:18 Information: Mar 09 11:56:35 Information: Mar 09 11:55:52 Information: Mar 09 11:55:52 Information: Mar 09 11:55:52 Information: Mar 09 11:55:40 Information: Mar 09 11:55:40 Information: Press next.
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Page Count : 304 Page Mode : UseOutlines XMP Toolkit : XMP toolkit 2.9.1-13, framework 1.6 About : uuid:c3f8914f-71fd-4154-b17b-0e548c66b895 Producer : Acrobat Distiller 7.0.5 (Windows) Create Date : 2006:01:13 11:48:56Z Creator Tool : FrameMaker 7.0 Modify Date : 2006:04:14 22:59:59+08:00 Metadata Date : 2006:04:14 22:59:59+08:00 Document ID : uuid:d2f6ef60-91b9-45a9-aef7-dd8b62752546 Instance ID : uuid:54c67d58-8364-4584-99d6-2f68fe1adcf6 Format : application/pdf Title : WA6102-17.book Creator : david Author : davidEXIF Metadata provided by EXIF.tools