Airgo Networks AGN1201AP0000 True MIMO Access Point User Manual 4

Airgo Networks Inc. True MIMO Access Point 4

User manual 4

10 Maintaining the Access Point258 Installation and User Guide: Airgo Access Point
A Using the Command Line Interface

This appendix explains how to access and interact with the command line interface (CLI). For detailed information on specific commands, see the CLI Reference Manual.

Using the Command Line Interface

To connect to the AP for command line interface access using Secure Shell (SSH), do the following:

1. Launch your SSH client application.
2. Type ssh admin@<AP IP address>, using the AP IP address assigned to the Access Point (or 192.168.1.254 by default), and press Return.
   When connected, a screen opens similar to the one shown in Figure 188.
   Figure 188: Access Point Serial Console Login Screen
3. Enter your login ID and press Return. When prompted next, enter your password. The factory default for administrator access is username: admin. The factory default password is shipped with the AP on a paper insert. Use the password from the insert to log in.

NOTE: SSH Communications provides an SSH client, http://www.ssh.com.
4. To see the list of available commands, type a question mark (?). For a list of hot keys (shortcuts for console functions), press Ctrl-H.
   There are two important modes in console access: show mode and config mode. In show mode, examine the AP’s configuration settings and status. Use config mode to change values. To go into either mode from the main command> prompt, type either show or config.
   Toggle between show and config modes by pressing Ctrl-P. Leave a mode and return to the top level command prompt by typing exit.
5. To log out and close your connection to the command line interface, type logout at any prompt.

Using the Console Port for CLI Access

To connect to the AP for command line interface (CLI) access using the built-in console port, do the following:

1. Connect your computer to the AP console port using a serial DCE cable (this is typically a 9-pin-to-9-pin cable with the transmit and receive lines crossed over — a null modem cable). A USB-to-Serial adapter may be required if your computer lacks a 9-pin serial port.
2. Launch your terminal emulation application. On PCs running Microsoft Windows operating systems, the Microsoft-provided application HyperTerminal will work fine. (This is usually accessed through Programs > Accessories > Communications > HyperTerminal. The remainder of this procedure assumes the use of HyperTerminal. Modify the procedures accordingly if using another application.)
3. Create a terminal connection profile if one does not already exist. Enter a descriptive name and select any icon from the list provided. Click OK when done.
   If there is a working HyperTerminal connection profile, select that shortcut instead to launch the connection, and skip to step 7.
4. The Connect To screen displays. The important element there is to use the Connect using: box, and select the serial port to which the AP is connected. Click OK when done.
5. Use the following port settings:
   • Bits per second: 115200
   • Data bits: 8
   • Parity: None
   • Stop bits: 1
   • Flow control: None
6. Click OK when done. When connected, a screen opens similar to the one shown in Figure 188.
7. If the console login screen in the HyperTerminal does not open, press Return once or twice. If you still see nothing or garbage characters appear, check the cable connection and the terminal connection parameters.
8. Enter your login ID and press Return. When prompted next, enter your password. (The AP defaults are login: admin and password: password, and login: opr and password: opr for operator (read-only) access.)
9. To see the list of available commands, type a question mark. For a list of hot keys (shortcuts for console functions), press Ctrl-H.
   There are two important modes in console access: show mode and config mode. In show mode, examine the AP’s configuration settings and status. Use config mode to change values. To go into either mode from the main command> prompt, type either show or config.
   Toggle between show and config modes by pressing Ctrl-P. Leave a mode and return to the top level command prompt by typing exit.

To log out and close your connection to the command line interface, type logout at any prompt.
B Regulatory and License Information

This appendix contains the regulatory and license information specific to the Airgo Access Point hardware and software.

FCC Certifications

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.

ID      Access Point Requirement   Details
CERT1   Safety                     UL 1950 third edition TUV approval
                                   UL-2043 (Fire and Smoke) Compliance
CERT2   EMC                        EMC Directive 89/336/EEC (CE Mark)
CERT3   Radio Approvals            FCC CFR47 Part 15, section 15.247
                                   FCC (47CFR) Part 15B, Class B Emissions
                                   Canada IC RSS210
                                   Japan MIC Radio Regulations
                                   Europe: ETS 300.328

CAUTION: Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.
The Airgo AP is suitable for use in environmental air space in accordance with Section 300-22(c) of the National Electrical Code, and Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code, Part 1, CSA C22.1.

This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

FCC RF Radiation Exposure Statement

This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20cm between the radiator and your body.
C External Landing Page API

This appendix is a supplement to Chapter 8, “Configuring Guest Access,” which describes the process of authenticating and isolating guest user stations. Guest authentication is a web-based process that requires the user to open a web browser, which then automatically redirects the user to an authentication web page. Two approaches are available:

• Internal Landing Page that is present inside the AP
• External Landing Page

Introduction

This appendix documents the application programming interface (API) between the AP and the External Landing Page Server (ELPS).

Case Studies

1. Enterprise Guest Access Scenario: An enterprise will typically support multiple VLANs. Enterprise users are generally strongly authenticated and have direct access to the enterprise VLAN. Untrusted guest users are blocked from enterprise resources by use of an HTTP captive portal. After authenticating to the captive portal, the guest users are allowed on a specific VLAN with access to the Internet, but not to enterprise resources.
2. Hotspot Deployment Scenario: All user web browser traffic is initially redirected to a captive portal (walled garden) that allows them to either log in or purchase services to obtain a valid login identity. Subsequently, the entitled users are allowed full Internet access through AP association. Connection services may be constrained to a specific duration before reauthentication is required. The ELPS service may also track usage by connection.

AP Configuration

As described in Chapter 8, “Configuring Guest Access,” configuring an AP to support Guest Access using an external authentication web server requires specifying two configuration parameters:

• The fully qualified URL (IP format) of a page on the external authentication web server, the “landing page.”
• A shared secret code known to both the external authentication web server and the AP.
This information is entered into the Guest Access Wizard or the Guest Access Service Panel.

System Description

Three principal entities are involved in user authentication with an external authentication web server:

• The station (STA)
• The Access Point (AP)
• The External Landing Page Server (ELPS)
The station associates to the AP. The AP allows the station to obtain a DHCP based IP address and allows ARP and DNS queries. All other traffic is blocked. Web traffic is blocked and redirected to the ELPS. The ELPS provides web pages to authenticate users and subsequently signals the AP to allow the station access to a broader set of IP addresses (the Internet).

The web server (ELPS) is also able to disconnect any of the previously connected stations. The signaling from the web server to the AP includes a disconnect request. The disconnect request can be used to stop billed connection time at a hot spot. This is often implemented by providing a status web window that displays the user’s time on-line with a button to provide the logout. The disconnect can also be sent directly from the server to the AP to provide a forced disconnection of the user based on the management functionality in the web server.

The process to enable access (from the ELPS to the AP) is analogous to purchasing a ticket and then entering a theater. The guest station represents the theater patron, the external authentication web server represents the box office, and the AP represents the ticket taker.

Upon entering the theater, the patron is first directed to the box office and presents credentials in order to collect tickets (money or identification for pre-ordered tickets). The patron then takes the ticket to the ticket taker, who validates the ticket and permits entrance. Correct validation includes a check of the timestamp (date and time of performance) and confirmation of the type of performance.
In effect, the ticket taker verifies that the ticket has been issued by the box office.

Detailed Signaling Description and API

The application programming interface (API) between the ELPS and the AP supports the following uses:

• Connect Sequence: Capture unauthenticated users and subsequently connect them after a valid authentication
• User Initiated Disconnect: Disconnect a station based on a user request to logout (STA Disconnect)
• Station Forced Disconnect: Force a disconnect from the ELPS (STA Forced Disconnect)

Connect Sequence

The signaling flow for a station associating with the network for the first time is illustrated in Figure 1.
Figure 189: User authentication using the External Landing Page Server

The HTTP filter in the AP allows the station to obtain an IP address, but redirects any HTTP traffic to the web server. The URL used in the redirection provides the server with the MAC address of the station, the SSID used for the association, the IP address of the AP, and the original requested URL. This data is used by the web server to create a connect request to the AP after successful authentication.

Redirected URL generated by an AP:

http://1.2.3.4/cgi/ l?gpm=192.168.254.249&origpage=www.google.com&ssid=myHotspot&stamac=00:af:50:00:00:00

The URL prefix (http://1.2.3.4/cgi-bin/l) was the URL entered in the AP configuration.

The field names and descriptions in the redirected URL are given in Table 18.

Table 18: Fields in the STA-ELPS-to-AP Connection Request

Field      Description
gpm        The IP address of the AP
origpage   The URL originally submitted by the user before the redirection
ssid       The SSID used by the station to associate to the AP
stamac     The MAC address of the station.
Once redirected to the web server, the user is able to browse only in the walled garden. This restricted set of web pages should provide a means to log in to the network and optionally a means to obtain an account for first-time users. When a user is successfully authenticated, the ELPS returns a redirection URL that signals the AP to allow unrestricted access for the specific station (a Connection Request).

Redirection URL generated by the ELPS:

https://192.168.254.249/Forms/ExtCmd_html_1?Xnp=www.google.com&Xcmd=crq&Xts=0410280335&Xssid=myHotspot&Xmac=00%3Aaf%3A50%3A00%3A00%3A00&Xcv=f4eb6692aeffe839&Xdata=480&Xid=bob

The base portion of the URL was formed using the IP address originally passed to the web server as the gpm field (AP IP address). The URL is protected from modification, spoofing, or reuse by the use of a timestamp and a cryptographic check value. The URL must always have the form:

https://<AP IP Address>/Forms/ExtCmd_html_1?<parameters>

The URL that signals the AP to permit access for a particular station uses parameters that are passed in the URL. These form a connection request. The following parameters are supported:

Table 19: Fields in the STA-ELPS-to-AP Connection Request

Field   Description
Xcmd    The command type (connect for this example). For a connect this value MUST be 'crq'.
Xnp     Not used
Xid     Optional, the login user id (included in logs)
Xip     Optional, not used for the connect command.
Xssid   The SSID.
Xmac    The MAC address of the station that has been authenticated.
Xdata   Command data. For the connect request should contain the duration of the permitted user connectivity in minutes.
Xts     A time stamp of the form yymmddhhMM, where yy=year, mm=month, dd=day, hh=hours, MM=minutes. To be valid, the time value (in UTC) must be within plus or minus 5 minutes of the AP’s time.
Xcv     A SHA1 hash using the shared password.

Upon successful opening of the AP HTTP filter, the user’s browser is redirected back to the web server. This permits positive indication of user access for billing purposes on the ELPS. The redirected URL contains the following parameters:

Table 20: Fields in the STA-AP-to-ELPS Connection Response

Field   Description
Xcmd    This MUST be 'crs' for the connection response.
Xnp     Not used
Xid     Not used.
Table 20: Fields in the STA-AP-to-ELPS Connection Response (continued)

Field   Description
Xip     Not used.
Xssid   The SSID.
Xmac    The MAC address of the station that has been authenticated.
Xdata   Should have a value of '3' for a successful connection.
Xts     A time stamp of the form yymmddhhMM, where yy=year, mm=month, dd=day, hh=hours, MM=minutes. To be valid, the time value (in UTC) must be within plus or minus 5 minutes of the AP's time.
Xcv     A SHA1 hash using the shared password.

After the user is redirected to the ELPS, the server can redirect the user’s browser to the originally requested URL, or start a status/tracking window to inform the user of their time on-line.

User Initiated Disconnect

Figure 2 illustrates the flow of the signaling for a user initiated disconnect. The user typically will have a status browser window open that includes a log out button.

Figure 190: User initiated Disconnect Request Sequence

The log out takes the user’s browser to the ELPS. At the ELPS a redirected URL sends the user’s browser back to the AP. The redirected URL includes all parameters required to disconnect the station.

https://192.168.254.249/Forms/ExtCmd_html_1?Xcmd=drq&Xnp=www.hotspot.com&Xts=0410280408&Xmac=00A0AAF5A00A00A00&Xssid=myHotSpot&Xcv=92fbed6322fbd017
The prefix portion of the URL was formed using the IP address originally passed to the web server as the gpm field (AP IP address). The URL is protected from modification, spoofing or reuse by the use of a timestamp and a cryptographic check value. The URL must always have the form:

https://<AP IP Address>/Forms/ExtCmd_html_1?<parameters>

Note that the disconnect request will send the user to a “next page” that can put the user’s browser back into the web server’s walled garden. The disconnect leaves the station associated, but returns the station to the unauthenticated state. The HTTP filter in the AP will now redirect any HTTP traffic back to the configured walled garden. Table 21 lists the parameters.

Table 21: Fields in the STA-ELPS-to-AP Disconnect Request

Field   Description
Xcmd    The command type (connect for this example). For a connect this value MUST be 'drq'.
Xnp     The next page to send the user's browser
Xid     Optional, the login user id (included in logs)
Xip     Optional, not used for the connect command.
Xssid   The SSID (required).
Xmac    The MAC address of the station that has been authenticated. Required to specify the station to disconnect.
Xdata   Not used for a disconnect command.
Xts     A time stamp of the form yymmddhhMM, where yy=year, mm=month, dd=day, hh=hours, MM=minutes. To be valid, the time value (in UTC) must be within plus or minus 5 minutes of the AP's time.
Xcv     A SHA1 hash using the shared password.

Upon successful closing of the AP HTTP filter, the user's browser is redirected back to the web server to signal a Disconnect Response. This allows the user to be smoothly transitioned from browsing the Internet back to a known page in the walled garden web. Table 22 lists the parameters in the URL.

Table 22: Fields in the STA-AP-to-ELPS Disconnect Response

Field   Description
Xcmd    The command type (connect for this example). For a connect this value MUST be 'drs'.
Xnp     The next page to send the user's browser
Xid     Optional, the login user id (included in logs)
Xip     Optional, not used for the connect command.
Xssid   The SSID.
Xmac    The MAC address of the station that has been authenticated. Required to specify the station to disconnect.
Table 22: Fields in the STA-AP-to-ELPS Disconnect Response (continued)

Field   Description
Xdata   This should have a value of 8 for a successful disconnect.
Xts     A time stamp of the form yymmddhhMM, where yy=year, mm=month, dd=day, hh=hours, MM=minutes. To be valid, the time value (in UTC) must be within plus or minus 5 minutes of the AP's time.
Xcv     A SHA1 hash using the shared password.

Station Forced Disconnect

The web server can directly signal the AP to disconnect a station. Figure 3 illustrates the signal flow for this scenario.

Figure 191: Web server initiated forced disconnect of user

The construction of the disconnect URL is identical to the URL for the user initiated station disconnect. The only difference is that the HTTP request is initiated from the web server to the AP rather than from the station.

Check Value Algorithm

The check value carried in the Xcv field is calculated using the SHA-1 algorithm (FIPS 180-1 standard). The server must create the appropriate time stamp and check value in server side active web pages. The check value will typically be created using active pages on the web server (asp, cgi, .net, etc.). This check value is produced using the following procedure:

1. Create a timestamp of the form yymmddhhMM, where yy=year, mm=month, dd=day, hh=hours, MM=minutes. For example, the string '0407041355' corresponds to 2004 July 7 1:55pm. This string must always be 10 characters long and all fields must be zero filled.
2. Obtain the parameters from the original redirect URL sent to the server. These are most easily retained as a cookie. The following parameters are required:
   a. The STA's MAC address (e.g. '00:0A:F5:00:09:99')
   b. The SSID that the station used to associate to the AP
   c. The IP address of the AP
3. Have available the server key that is shared with the AP. This secret key authenticates the server to the AP.
4. Create the partial URL using the URL parameters of the form:

   Xcmd=<cmd>&Xnp=<nextUrl>&Xid=<userId>&Xip=<ipAddress>&Xssid=<ssid>&Xmac=<staMac>&Xdata=<data>&Xts=<timeStamp>

   Any of the unused option parameters should be included, but the strings should be set to null. The order of these parameters MUST be exactly as shown; otherwise the check value will not match.
   For example:

   Xcmd=crq&Xnp=www.hotspot.com&Xid=smith&Xip=&Xssid=coffeeShop&Xmac=00:0A:F5:00:00:00&Xdata=60&Xts=0410280408

5. Calculate the SHA1 hash over the string formed by placing the server key before and after the partial URL:

   hash = SHA1(server key | partial URL | server key)

6. Take only the first 8 octets of the hash and convert these octets to hex-ascii. This is the Xcv parameter value.
7. Create the full URL by appending all of the above parameters to the base URL of the AP. Unused parameters do NOT have to be included in the final URL sent to the AP. The base URL is always of the form:

   https://<AP IP Address>/Forms/ExtCmd_html_1?

   https://1.2.3.4/Forms/ExtCmd_html_1?Xcmd=crq&Xnp=www.hotspot.com&Xid=smith&Xssid=coffeeShop&Xmac=00:0A:F5:00:00:00&Xdata=60&Xts=0410280408&Xcv=92fbed6322fbd017

Response Return Codes

The Connect Response (crs) and the Disconnect Response (drs) carry result values to indicate success or possible error conditions. The following response codes are supported:

Response Code   Usage
0               Not used.
1               Invalid command.
2               Login success, filters removed for the station.
3               Digest check value error.
4               Time stamp error.
5               Duration value failure.
6               Connection request failure. Typically caused by station roaming to a different AP.
7               Disconnect succeeded, filters reinstalled for the station.
8               Disconnect failed. Typically caused by the station already being disassociated.
9               Not used.
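
The check value procedure above, worked through in Python as an added example (it is not code from the manual or from Airgo). It builds the command URL as steps 1 to 7 describe and models the receiving side's checks with the response codes listed above; the server key, the function names, the order of the receiver's checks, and hashing the raw (not URL-encoded) parameter values are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

# Order fixed by step 4 of the procedure; any other order changes the hash.
PARAM_ORDER = ("Xcmd", "Xnp", "Xid", "Xip", "Xssid", "Xmac", "Xdata", "Xts")
TS_FORMAT = "%y%m%d%H%M"          # yymmddhhMM, zero filled, always 10 characters
MAX_SKEW = timedelta(minutes=5)   # Xts must be within +/- 5 minutes of AP time (UTC)


def make_timestamp(now):
    """Step 1: timestamp string in UTC (pass a timezone-aware datetime)."""
    return now.astimezone(timezone.utc).strftime(TS_FORMAT)


def partial_url(params):
    """Step 4: all eight parameters in the fixed order; unused ones stay empty."""
    return "&".join(f"{name}={params.get(name, '')}" for name in PARAM_ORDER)


def check_value(server_key, params):
    """Steps 5 and 6: SHA1(key | partial URL | key), first 8 octets as hex.

    This is the manual's key-wrapped SHA-1 construction, not HMAC.
    Assumption: the hash covers the raw values, as in the manual's sample string.
    """
    data = (server_key + partial_url(params) + server_key).encode("utf-8")
    return hashlib.sha1(data).digest()[:8].hex()


def build_command_url(ap_ip, server_key, params, now):
    """Step 7: append the used parameters and Xcv to the AP base URL."""
    signed = dict(params, Xts=make_timestamp(now))
    query = [(name, signed[name]) for name in PARAM_ORDER if signed.get(name)]
    query.append(("Xcv", check_value(server_key, signed)))
    return f"https://{ap_ip}/Forms/ExtCmd_html_1?" + urlencode(query)


def parse_command_url(url):
    """Decode the query string of a command URL back into a parameter dict."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def verify_command(server_key, query, now):
    """Hypothetical model of the receiving side; returns a listed response code."""
    cmd = query.get("Xcmd")
    if cmd not in ("crq", "drq"):
        return 1                                     # invalid command
    expected = check_value(server_key, query).encode()
    supplied = query.get("Xcv", "").lower().encode()
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return 3                                     # digest check value error
    ts = query.get("Xts", "")
    try:
        if len(ts) != 10 or not ts.isdecimal():
            raise ValueError(ts)
        sent = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return 4                                     # time stamp error
    if abs(now - sent) > MAX_SKEW:
        return 4                                     # outside the 5 minute window
    if cmd == "crq":
        minutes = query.get("Xdata", "")
        if not minutes.isdecimal() or int(minutes) <= 0:
            return 5                                 # duration value failure
        return 2                                     # login success
    return 7                                         # disconnect succeeded


if __name__ == "__main__":
    key = "constructed-shared-secret"                # constructed, not from the manual
    issued = datetime(2004, 10, 28, 4, 8, tzinfo=timezone.utc)
    request = {"Xcmd": "crq", "Xnp": "www.hotspot.com", "Xid": "smith",
               "Xssid": "coffeeShop", "Xmac": "00:0A:F5:00:00:00", "Xdata": "60"}
    url = build_command_url("1.2.3.4", key, request, issued)
    print(url)
    print(verify_command(key, parse_command_url(url), issued + timedelta(minutes=2)))
```

Because Xts is covered by the check value, the model verifies the digest first and only then trusts the timestamp it parses.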
D Alarms

Alarms generated by the Airgo Access Point are stored persistently on the AP. The Airgo AP can store approximately 130 * 2 = 260 alarms in total. When the number of alarms exceeds this limit, the oldest alarm set is discarded. All alarms generated by the Airgo Access Point have the following parameters:

• Event ID: The internal event number that uniquely identifies the event.
• Log-level: The criticality of the event. All alarms are logged at the same criticality.
• Log-time: The time as determined by the clock on the Access point, when the alarm was logged. All forwarded alarms have the log-time set to the clock time on the originating Access point.
• Module: The subsystem on the Access point that generated the alarm.
• Source: The hostname or IP address of the access point that generated the alarm.
• Description: The alarm details.

Use the Airgo AP CLI to display the alarm table as follows:

Examples:

    system(show)> alarm-table
    event-id    : 102
    log-level   : 2
    log-time    : Tue Jan  4 16:14:01 2000
    module      : WSM
    source-ip   : AP_00-0A-F5-00-02-1F
    description : Device ID AP_00-0A-F5-00-02-1F radio 6 is enabled, its operational
                  state is 2 operating on 11
    --------------------------------------------------------------------------------
    event-id    : 103
    log-level   : 2
    log-time    : Tue Jan  4 17:04:28 2000
    module      : WSM
    source-ip   : AP_00-0A-F5-00-02-1F
    description : Device Id AP_00-0A-F5-00-02-1F radio 4 disabled
    --------------------------------------------------------------------------------

The following section describes in detail the alarm syntax and alarm parameters. The alarm and its parameters together are shown as “description” above.
The following alarms are described:

• Discovery: Discovered new node
• Discovery: Node deleted from network
• Discovery: Managed nodes limit exceeded
• Enrollment: Node enrolled
• Enrollment: Node un-enrolled
• Policy: Policy download successful
• Policy: Policy Download Failed
• Software Download: Image download succeeded
• Software Download: Image download failed
• Software Download: Software distribution succeeded
• Wireless: Radio enabled (BSS enabled)
• Wireless: Radio disabled (BSS disabled)
• Wireless: BSS enabling failed
• Wireless: Frequency changed
• Wireless: STA association failed
• Wireless: STA associated
• Wireless: STA disassociated
• Wireless: WDS failed
• Wireless: WDS up
• Wireless: WDS down
• Security: Guest authentication succeeded
• Security: Guest authentication failed
• Security: User rejected by RADIUS server
• Security: BP rejected by RADIUS server
• Security: RADIUS server timeout
• Security: Management user login success
• Security: Management User login failure
• Security: STA failed EAPOL MIC check
• Security: STA attempting WPA PSK – no pre-shared key is set for SSID
• Security: Auth server Improperly configured on this SSID
• Security: STA failed to send EAPOL-start
• Security: RADIUS sent a bad response
• Security: RADIUS timeout too short
• Security: STA authentication did not complete in time
• Security: Upstream AP is using an untrusted auth server
• Security: Upstream AP is using a non-portal node as its auth server
• Security: Upstream AP failed MIC check during BP authentication
• Security: Premature EAP-success received
• Security: Profile not configured for user-group
• Security: STA has failed security enforcement check
• Security: AP detected bad TKIP MIC
• Security: BP detected bad TKIP MIC on incoming unicast
• Security: BP detected bad TKIP MIC on incoming multicast/broadcast
• Security: STA detected bad TKIP MIC on incoming unicast
• Security: STA detected bad TKIP MIC on incoming multicast/Broadcast
• Security: TKIP counter-measures lockout period started
• Security: EAP user-ID timeout
• Security: EAP response timeout
• Security: EAPOL key exchange – message 2 timeout
• Security: EAPOL key exchange – message 4 timeout
• Security: EAPOL Group 2 key exchange timeout
• L3 Mobility: Peer Mobility Agent Up
• L3 Mobility: Peer Mobility Agent Down

Discovery: Discovered new node

Alarm generated when a new Airgo AP is discovered in the network

Syntax
DeviceId %s discovered node [deviceId=%s, IP=%s, Subnet=%s].

Alarm Parameters
DeviceID   The Portal’s device ID
deviceId   The discovered node’s device ID
IP         The discovered node’s IP address
Subnet     The subnet to which the discovered node belongs

Alarm Severity
Severity   Critical

Description
This alarm is generated when an Airgo AP is discovered by the NM Portal the first time.

Usage Guidelines
Informational log

Examples
DeviceId AP_00-0A-F5-00-02-1F discovered node [deviceId=AP_00-0A-F5-00-01-B0, IP=192.168.75.244, Subnet=255.255.254.0].

See Also
<Node deleted from network>

Discovery: Node deleted from network

Generated when a node is deleted from the Portal network

Syntax
DeviceId %s Node [Ip=%s, persona=%d] deleted from database.

Alarm Parameters
DeviceId   The device ID of the NM Portal
Ip         The IP address of the node being deleted
Persona    The persona of the node being deleted.

Alarm Severity
Severity   Critical

Description
This alarm is generated when the discovered node is deleted from the system. When a node is deleted, all information about that node is erased from the Portal. If the node’s IP address falls within the discovery scope, then the node will be re-discovered and added back to the set of the discovered nodes on the next discovery sweep.

Usage Guidelines
Informational log

Examples
DeviceId AP_00-0A-F5-00-02-1F Node [Ip=192.168.74.210, persona=6] deleted from database.

See Also
<Discovered new node>

Discovery: Managed nodes limit exceeded

Generated when the number of nodes discovered exceeds the predefined limit on the NM portal.

Syntax
On Device %s Node[Ip=%s] managed node limit exceeded. Current managed nodes limit is %d.

Alarm Parameters
Device       The device ID of the NM Portal
IP           The IP address of the node being deleted
Node Limit   The current limit imposed on the discovery server

Alarm Severity
Severity   Critical

Description
This alarm is generated when the number of discovered nodes exceeds the predefined limit. The current limit on the number of access points discovered is 50. This limit can be configured to be lower.

Usage Guidelines
If this alarm occurs, the discovery server will not discover nor track any new nodes once this limit is reached. In such a case, delete unwanted nodes and manually add the nodes to the discovery database so they may be managed.

Examples
On Device AP_00-0A-F5-00-02-1F Node[Ip=192.168.74.245] managed node limit exceeded. Current managed nodes limit is 10.

See Also

Enrollment: Node enrolled

Alarm generated when an Airgo AP is enrolled into the network

Syntax
NMPortal with DeviceId %s has successfully enrolled a remote node having ApDeviceId=%s NodeIp=%s and Persona=%d

Alarm Parameters
DeviceId     The device ID of the NMPortal
ApDeviceId   The device ID of the remote AP
NodeIp       The IP address of the remote AP
Persona      The persona of the remote AP
             6 = Security Portal
             2 = Normal AP

Alarm Severity
Severity   Critical

Description
This alarm is generated when the Airgo AP has been successfully enrolled into the network.

Usage Guidelines
Informational log

Examples
NMPortal with DeviceId AP_00-0A-F5-00-01-77 has successfully enrolled a remote node having DeviceIdId=AP_00-0A-F5-00-01-7A NodeIp=172.16.12.4 and persona=2

See Also
<Node Unenrolled>
D Alarms278 Installation and User Guide: Airgo Access PointEnrollment: Node un-enrolledAlarm generated when the Airgo AP is rejected (un-enrolled) from the networkSyntaxNMPortal with DeviceId %s has successfully unenrolled the remote node having ApDeviceId=%s NodeIp=%s and Persona=%dDescriptionThis alarm is generated when the Airgo AP has been successfully rejected (un-enrolled) from the network.Usage GuidelinesInformational logSee AlsoNMPortal with DeviceId AP_00-0A-F5-00-01-77 has successfully enrolled a remote node having DeviceIdId=AP_00-0A-F5-00-01-7A NodeIp=172.16.12.4 and persona=2See Also<Node Enrolled>Policy: Policy download successfulAlarm generated when a policy is successfully downloaded to an APSyntaxFor accesspoint Node %s The policy [%s] from [%s] was successfully downloaded at time[%s]Alarm ParametersDeviceId The device ID of the NMPortalApDeviceId The device ID of the remote APNodeIp The IP address of the remote APPersona The persona of the remote AP  6 = Security Portal  2 = Normal APAlarm SeveritySeverity CriticalAlarm ParametersNode The device ID of the remote APpolicy The policy name
from: The device ID of the source of the policy
time: The time at which the policy was consumed

Alarm Severity
Severity: Critical

Description
This alarm is generated when a policy is successfully downloaded to an AP.

Usage Guidelines
Informational log

Examples
For accesspoint Node AP_00-0A-F5-00-01-77 The policy [security.xml] from [TrustedManager] was successfully downloaded at time[Thu Jan 6 04:27:45 2000 ]

See Also
<Policy Download Failed>

Policy: Policy Download Failed
Alarm generated when a policy download to an AP has failed

Syntax
For accesspoint Node %s the policy [%s] from [%s] could not be downloaded due to error %d at time[%s]

Description
This alarm is sent when a policy downloaded to an AP could not be consumed correctly due to an error in the policy, software version mismatch, or another error.

Usage Guidelines
Informational log

Alarm Parameters
Node: The device ID of the remote AP
policy: The policy name
from: The device ID of the source of the policy
error: The failure error code
time: The time at which the policy was consumed

Alarm Severity
Severity: Critical
Examples
For accesspoint Node AP_00-0A-F5-00-01-7D The policy [defaultpolicy.xml] from [TrustedManager] could not be downloaded due to error 22549 at time[Wed Feb 11 17:28:38 2004 ]

See Also
<Policy Download Successful>

Software Download: Image download succeeded
Alarm generated when an image is successfully downloaded and applied to an AP

Syntax
For accesspoint Node %s the software image [%s] from [%s] was successfully downloaded at time[%s]

Description
This alarm is generated when an image is successfully downloaded and applied to an AP.

Usage Guidelines
Informational log

Examples
For accesspoint Node AP_00-0A-F5-00-01-77 The software image [1.1.0, build 3278, AGN1dev, Airgo Networks Inc., ] from [AP_00-0A-F5-00-01-77 ] was successfully downloaded at time[Fri Jan 7 06:04:47 2000 ]

See Also
<Image Download Failed, Software Distribution Succeeded>

Alarm Parameters
Node: The device ID of the remote AP
image: The image version information
from: The device ID of the source of the image
time: The time at which the image was consumed

Alarm Severity
Severity: Critical

Software Download: Image download failed
Alarm generated when an image could not be downloaded and applied to an AP

Syntax
For accesspoint Node %s The software image [%s] from [%s] could not be downloaded due to error %d at time[%s]
Description
This alarm indicates that an image could not be downloaded and applied to an AP.

Usage Guidelines
Image download failures can happen due to corrupted images, invalid length images or connectivity failures.

Examples
For accesspoint Node AP_00-0A-F5-00-01-77 The software image [] from [AP_00-0A-F5-00-01-77 ] could not be downloaded due to error 24581 at time[Fri Jan 7 04:12:35 2000 ]

See Also
<Image Download Succeeded, Software Distribution Succeeded>

Alarm Parameters
Node: The device ID of the remote AP
image: The image version
from: The device ID of the source of the image
error: The failure error code
time: The time at which the error occurred

Alarm Severity
Severity: Critical

Software Download: Software distribution succeeded
Alarm generated when an image distribution is completed

Syntax
On DeviceId %s, the Software image [%s] distribution request from portal[%s] using the Distribution TaskId=%s and with status=%s completed at time[%s]

Alarm Parameters
DeviceId: The device ID of the remote AP
image: The image version
portal: The device ID of the source of the image (NMS or NMPortal)
TaskId: The task ID of the distribution
status: The distribution status (success or failure) of the selected APs
time: The time at which the distribution was done
Alarm Severity
Severity: Critical

Description
This alarm is generated when an image distribution is completed.

Usage Guidelines
Informational log

Examples
On DeviceId AP_00-0A-F5-00-01-77 , the Software image [0.7.0, build A.2286, AGN1dev, Airgo Networks Inc., ] distribution request from portal[AP_00-0A-F5-00-01-77 ] using the Distribution TaskId=000000 and with status=172.16.12.4, , 0, 947304168, 947304183, invalid image file. completed at time[Tue Jan 6 21:32:18 1970 ]

See Also
<Image Download Failed, Image Download Succeeded>

Wireless: Radio enabled (BSS enabled)
Notification that an AP radio has been enabled

Syntax
"Device ID %s radio %d is enabled, its operational state is %d operating on %d"

Description
This notification is generated when an AP radio (BSS) is enabled.

Usage Guidelines
This indicates the successful start of a BSS and also provides the channel on which the AP radio will be operating.

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Identifies radio by interface ID on the AP
Operational Mode: This indicates the operational mode of the radio, whether it is 802.11a, 802.11b, or 802.11g.
Channel ID: This indicates the channel on which the AP is operating.

Alarm Severity
Severity: Critical
Examples
Device ID AP_00-0A-F5-00-01-B6 radio 4 is enabled, its operational mode is 1 and operating on 64

See Also

Wireless: Radio disabled (BSS disabled)
Notification that an AP radio has been disabled

Syntax
"Device Id %s radio %d disabled"

Description
This notification indicates that an AP radio has been disabled.

Usage Guidelines
The AP radio can be disabled for several reasons such as:
a. User triggered (administrative disabling)
b. Radio reset caused due to application of wireless specific configuration
c. Radio reset triggered by hardware
d. Radio reset due to change in SSID

Examples
Device Id AP_00-0A-F5-00-01-B6 radio 4 disabled

See Also
<List of other alarms>

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Identifies radio by interface ID on the access point

Alarm Severity
Severity: Critical

Wireless: BSS enabling failed
Notification that indicates the AP radio (BSS) enabling failed

Syntax
"Bss enabling failed for DeviceId %s radio %d CauseCode %d"
Description
This notification indicates that AP radio enabling has failed.

Usage Guidelines
The AP radio enabling can fail for reasons that are indicated by the Cause code parameter:
0 - Unspecified reason
1 - System timeout attempting to enable BSS

Examples
Bss enabling failed for Device Id AP_00-0A-F5-00-01-B6 radio 4 Cause Code 1

See Also
<List of other alarms>

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface on the AP
Cause Code: Reason for AP radio enabling failure

Alarm Severity
Severity: Critical

Wireless: Frequency changed
Notification that indicates the frequency of operation changed on the AP

Syntax
"Frequency changed for DeviceId %s radio %d channelId %d CauseCode %d"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio identified by interface ID on the AP
Channel ID: Channel on which the AP is operating
Cause Code: Reason why frequency changed

Alarm Severity
Severity: Critical
Description
This is a notification generated when the operating frequency is changed for an AP radio due to either user triggers or events such as periodic DFS. The reason code can have a value of 0, indicating that the reason is unspecified. The new channel ID is also provided.

Reason Code   Description
0 - Triggered due to DFS
1 - User triggered

Usage Guidelines
Informational log

Examples
Frequency Changed for Device ID AP_00-0A-F5-00-01-B6 radio 4  channelId 64 CauseCode 0

See Also

Wireless: STA association failed
Notification that indicates the association failed for an 802.11 station

Syntax
"Station association failed for DeviceId %s radio %d station MAC %s station status %d CauseCode"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface ID on the AP
STA MAC Address: MAC address of 802.11 station
STA status: Association or reassociation
Cause Code: Reason why station association failed

Alarm Severity
Severity: Critical

Description
This is a notification generated when an association from an 802.11 station fails with the AP radio. The reasons for the failure are encapsulated in the cause code parameter and are as follows:
1 - Invalid parameters received from station in association request
2 - Only stations are allowed to associate with this AP based on current configuration
3 - Only backhauls can be formed with this AP based on current configuration
4 - Maximum backhaul limit is reached based on the 'Max Trunks' configuration for AP admission
criteria
5 - Maximum station limit is reached based on the 'Max Stations' configuration for SSID
6 - SSID received in association request does not match SSID in AP configuration. This can occur more often when the AP is not broadcasting SSID in beacon (either due to SSID being suppressed or multiple SSIDs being configured) and station is associating with an AP with a different SSID.
7 - Authentication and encryption requested by station does not match security policy of the AP
8 - Multi Vendor Stations are not allowed to associate based on AP admission criteria
9 - 802.11b stations are not allowed to associate based on AP admission criteria
10 - Station is not allowed to associate and transferred to another AP Radio due to Load Balancing
11 - Station is not allowed to associate because node does not have network connectivity

Usage Guidelines
The reason for the association failure can be used to determine any configuration issue in the system that may be causing the association failures.

Examples
Station association failed for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe CauseCode 2

See Also

Wireless: STA associated
Notification that indicates the association and authentication was successful for an 802.11 station

Syntax
"Station associated for DeviceId %s radio %d station MAC %s, Station status %d userId %s station count %d"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface ID on the AP
STA MAC Address: MAC address of 802.11 station
STA status: Association or reassociation
User ID: Identifies user by user name or MAC address
Station Count: Current count of associated users with AP

Alarm Severity
Severity: Critical
Description
This is a notification generated when an association and authentication from an 802.11 station succeeds with the AP radio. In addition, the count of currently associated stations, the type of association, and the user ID are provided. The user ID is the user name if RADIUS authentication is used and the MAC address otherwise.

Usage Guidelines
Informational log

Examples
Station associated for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe, Station status 1 userId John Doe station count 10

See Also

Wireless: STA disassociated
Notification that indicates an 802.11 station disassociated

Syntax
"Station disassociated from AP for DeviceId %s radio %d station MAC %s CauseCode %d"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface on the AP
STA MAC Address: MAC address of 802.11 station
Cause Code: Reason Code for disassociation

Alarm Severity
Severity: Critical

Description
This is a notification generated when an 802.11 station is disassociated either by the network or the station.

Reason Code   Description
0 - STA initiated disassociation
1 - Station has handed off to another AP
2 - Disassociation triggered due to authentication failure after ULAP timeout
3 - Disassociation triggered due to user action

Usage Guidelines
Informational log

Examples
Station disassociated for Device ID AP_00-0A-F5-00-01-B6 radio 4  station MAC 00:0a:f5:00:3a:fe, CauseCode 0

See Also

Wireless: WDS failed
Notification that indicates a failure in formation of wireless backhaul

Syntax
"WDS trunk brought down for DeviceId %s radio %d remote MAC %s CauseCode %d"

Description
This is a notification generated when a wireless backhaul formation fails. The remote end's MAC address is provided. This notification is generated by the AP node.

Reason Code   Description
0 - System failure
1 - Maximum BP count has been reached (this is relevant only for AP)
2 - Join attempt to the uplink AP failed (relevant only on BP side)

Usage Guidelines
This can be used to track any losses in connectivity of network.

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface ID on the AP
Remote MAC Address: MAC address of remote end of backhaul link
Cause Code: Reason code for WDS formation failure

Alarm Severity
Severity: Critical
Examples
WDS trunk brought down for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb, CauseCode 0

See Also

Wireless: WDS up
Notification that indicates successful formation of wireless backhaul

Syntax
"WDS trunk established for DeviceId %s radio %d remote mac %s TrunkPort count %d CauseCode %d"

Description
This is a notification generated when a wireless backhaul formation succeeds. The remote end's MAC address is provided.

Reason Code   Description
0 - Trunk has been established
1 - Trunk has been optimized (re-established based on better connectivity)

Usage Guidelines
Informational log

Examples
WDS trunk established for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb TrunkPort count 2 CauseCode 0

See Also

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface on the AP
Remote MAC Address: MAC address of remote end of backhaul link
Backhaul Count: Number of backhauls that are formed to this AP radio
Cause Code: Indicates whether backhaul was a retrunk or not

Alarm Severity
Severity: Critical
Wireless: WDS down
Notification that indicates a wireless backhaul link has gone down

Syntax
"WDS trunk brought down for DeviceId %s radio %d remote MAC %s CauseCode %d"

Description
This is a notification generated when a wireless backhaul has gone down. The remote end's MAC address is provided.

Reason Code   Description
0 - System reason (unspecified)
1 - Loss of link (applies to BP side only)
2 - Trunk brought down by uplink AP (applies to BP side only)
3 - User retrunk issued (this can occur due to new backhaul configuration being applied on BP)
4 - Trunk has reformed with another AP (AP side only)
5 - Trunk brought down by BP (applies to AP side only)

Usage Guidelines
Informational log

Examples
WDS trunk brought down for Device ID AP_00-0A-F5-00-01-B6 radio 4  remote MAC 00:0a:f5:00:3a:fb CauseCode 0

See Also

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Radio: Radio interface on the AP
Remote MAC Address: MAC address of remote end of backhaul link
Cause Code: Indicates why backhaul link was brought down

Alarm Severity
Severity: Critical
Security: Guest authentication succeeded
Notification that indicates a Guest Access Station has been successfully authenticated

Syntax
"For device-id %s , Guest authentication succeeded for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d"

Description
This notification is generated when a guest station is authenticated.

Usage Guidelines
This indicates the successful start of a guest access station's communications session. This Guest STA will be offered the communications services specified in the Guest Profile that has been configured for the specified SSID.

Examples
For device-id AP_00-0A-F5-00-01-89 , Guest authentication succeeded for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4

See Also
Security: Guest Authentication Failed

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Station: MAC address of the Guest Station
Radio: Radio interface on the AP
SSID: SSID on this AP with which the Guest has associated
Captive Portal: Landing page that has accomplished authentication of the Guest STA, either the internal landing page, or a URL identifying the external landing page that performed the authentication
Guest Mode: Currently, always set to 4.

Alarm Severity
Severity: Normal

Security: Guest authentication failed
Notification that indicates a guest access station has failed authentication

Syntax
"For device id %s, Guest authentication failed for STA %s on radio %d with SSID %s using captive portal %s and guest mode %d due to %d"
Description
This notification is generated when a guest station fails authentication.

Usage Guidelines
This indicates that a guest station did not present the appropriate “credentials” (currently simple password) upon request.

Examples
For device-id AP_00-0A-F5-00-01-89 , Guest authentication failed for STA 00:0a:f5:00:05:f0 on radio 0 with SSID NewYorkRoom using captive portal Internal and guest mode 4 due to 0

See Also
Security: Guest Authentication Succeeded

Alarm Parameters
DeviceId: The device ID of the AP
Station: MAC address of the Guest Station
Radio: Radio interface on the AP
SSID: SSID on the AP with which the guest has associated
Captive Portal: Landing page that has accomplished authentication of the Guest STA, either the internal landing page, or a URL identifying the external landing page that performed the authentication
Guest Mode: Currently, always set to 4.
Reason code: Currently, always set to 0

Alarm Severity
Severity: Critical

Security: User rejected by RADIUS server
Notification that indicates the AP has determined a user has been rejected by RADIUS

Syntax
"For device-id %s, the RADIUS SERVER %s:%d from auth zone %s rejected the STA %s on radio %d with user-id %s and SSID %s"

Alarm Parameters
DeviceId: The device ID of the AP
RADIUS server: IP address of the RADIUS server
Port: The port used to communicate with the RADIUS server
Auth Zone: The name of the Auth Zone on this AP of which this RADIUS server is a member
Station: MAC address of the Station
Radio: Radio interface on the AP
User ID: The Username
SSID: SSID on this AP with which the station has associated

Alarm Severity
Severity: Critical

Description
This notification is generated when user authentication fails. The context of the AP radio and the RADIUS server that rejected the User are also provided.

Usage Guidelines
This indicates that the AP has determined that RADIUS has rejected a user authentication attempt.

Examples
For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne rejected rejected the STA 00:0a:f5:00:05:cc on radio 0 with user-id paul and SSID NewYorkRm

See Also

Security: BP rejected by RADIUS server
Notification that indicates the AP has determined that a RADIUS server has rejected this BP's authentication attempt

Syntax
"For device-id %s, the RADIUS SERVER %s:%d from auth zone %s rejected the node %s on radio %d with device-id %s and SSID %s"

Alarm Parameters
DeviceId: The device ID of the AP
RADIUS server: The IP address of the RADIUS server
Port: The port used to communicate with the RADIUS server
Auth Zone: The name of the Auth Zone on this AP of which this RADIUS server is a member
Node: The MAC address of the BP node
Radio: Radio interface on the AP
Device ID: The device ID of the BP node
SSID: SSID on the AP to which the station has associated

Alarm Severity
Severity: Critical

Description
This notification is generated when a Bridge Portal (radio) authentication fails. The context of the BP radio and the RADIUS server that rejected the BP radio are also provided. A BP attempts authentication when a wireless backhaul is being established.

Usage Guidelines
This indicates that a security portal has rejected a BP authentication attempt with this AP. Usually it means that the BP is not enrolled in the same network as the AP. It may also mean that the BP was just enrolled, and the enrollment database has not yet been synced across the network to all security portals.

Examples
For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne rejected the node 00:0a:f5:00:06:22 on radio 0 with device-id AP_00-0A-F5-00-01-89 and SSID NewYorkRm

See Also

Security: RADIUS server timeout
Notification that indicates the AP has determined that a RADIUS server has failed to respond within the RADIUS timeout

Syntax
"For device-id %s, the RADIUS server %s:%d from auth zone %s failed to respond within %d seconds and %d attempts while authenticating STA %s on radio %d with user-id %s and SSID %s"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
RADIUS server: The IP address of the RADIUS server
Port: The port used to communicate with the RADIUS server.
Auth Zone: The name of the Auth Zone on this AP of which this RADIUS server is a member
RADIUS timeout: The current setting of the RADIUS timeout
RADIUS retries: The number of retries performed
Station: MAC address of the station
Radio: Radio interface on the AP
User: Supplicant user ID established during EAPOL Authentication exchange
SSID: SSID on the AP to which the station has associated

Alarm Severity
Severity: Critical

Description
This notification is generated when the RADIUS server fails to respond within a certain timeout period.

Usage Guidelines
This indicates that the AP has determined that a RADIUS server has failed to respond within the RADIUS timeout. This may mean that the RADIUS server is unreachable over the network, or the shared secret with the RADIUS server is mis-configured on the AP. Usually, RADIUS servers do not respond when clients attempt to communicate with bad shared secrets. If multiple RADIUS servers are configured in this auth zone, the AP will switch to using the next one in the list.

Examples
For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 from auth zone BldgOne failed to respond within 5 seconds and 3 attempts while authenticating STA 00:0a:f5:00:05:f0 on radio 0 with user-id paul and SSID NewYorkRm

See Also

Security: Management user login success
Notification that indicates the AP has determined that a management user login has succeeded

Syntax
"For device-id %s, the management user '%s' with privilege level %d logged in succesfully via %d"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Management User: Username of management user
Privilege Level: The privilege level of the management user (ignore in this release)
Login access: Type of access, console, or SSH (ignore in this release)

Alarm Severity
Severity: Critical

Description
This notification is generated whenever a management user tries to log in to the local AP.

Usage Guidelines
This indicates that the AP has determined that a management user login has succeeded.

Examples
For device-id AP_00-0A-F5-00-01-89 , the management user 'admin' with privilege level 1 logged in succesfully via 1

See Also

Security: Management User login failure
Notification that indicates the AP has determined that a management user login has failed

Syntax
"For device-id %s, the management user '%s' failed to login successfully via %d"

Description
This notification is generated when a management user login attempt is unsuccessful.

Usage Guidelines
This indicates that the AP has determined that a management user login has failed. Too many failed logins in succession might indicate that someone is trying to break into your AP.

Examples
For device-id AP_00-0A-F5-00-01-89 , the management user 'admin' failed to login successfully via 1

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Management User: Username of management user.
Login access: Type of access, console, or SSH (ignore in this release)

Alarm Severity
Severity: Critical
See Also

Security: STA failed EAPOL MIC check
Notification that indicates the AP has determined that a STA has failed a MIC check during the EAPOL authentication exchange

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user-id %s and SSID %s failed an EAPOL-MIC check with auth-type %d during key exchange %d. (If using WPA-PSK, check the PSK on the STA.)"

Description
This notification is generated when the MIC fails during EAPOL key exchange process.

Usage Guidelines
This indicates that the AP has determined that a STA has failed a MIC check during the EAPOL authentication exchange. If the authentication type is WPA PSK and the failure happened during the pairwise key exchange, this is most likely due to a misconfiguration of the WPA pre-shared key on the station. Otherwise, it might mean that an attacker's station is attempting to masquerade as a legal station.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm failed an EAPOL-MIC check with auth-type 4 during key exchange 2. (If using WPA-PSK, check the PSK on the STA.)

See Also

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Station: The MAC address of the station
bpIndicator: BP (1) or a STA (0) supplicant
Radio: Radio interface on the AP
User: Supplicant user ID established during EAPOL authentication exchange
SSID: SSID on the AP to which the station has associated
Authentication Type: The valid types include: WPA PSK (3), WPA EAP (4)
Key Exchange: 0 for pairwise key exchange, and 1 for group key exchange

Alarm Severity
Severity: Critical
Security: STA attempting WPA PSK – no pre-shared key is set for SSID
Notification that indicates the AP has determined that a STA is attempting WPA-PSK authentication, but no Pre-shared Key has been configured for the SSID

Syntax
"For device-id %s, the STA %s on radio %d attempted to do WPA-PSK based auth on the SSID %s but no pre-shared key is set."

Description
This notification is sent when a Station attempts to do a WPA-PSK based authentication on a given SSID, but no WPA pre-shared key is set up for that SSID.

Usage Guidelines
This indicates that the AP has determined that a station is attempting to perform WPA-PSK authentication, but no WPA pre-shared key has been configured on this AP for that SSID. Recall that WPA-PSK is configured per SSID.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 on radio 0 attempted to do WPA-PSK based auth on the SSID NewYorkRm but no pre-shared key is set.

See Also

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Station: The MAC address of the station
Radio: Radio interface on the AP
SSID: SSID on the AP to which the station has associated

Alarm Severity
Severity: Critical

Security: Auth server Improperly configured on this SSID
Notification that indicates the AP has determined that a STA requires authentication servers and these are not configured properly on this SSID

Syntax
"For device-id %s, Auth servers are improperly configured for the SSID %s and are needed for authenticating STA %s on radio %d with RADIUS usage %d"
Description
This notification is sent when authentication servers are improperly configured for a given SSID.

Usage Guidelines
This indicates that the AP has determined that a STA requires authentication servers to be configured and there are none configured on this SSID. Generally authentication servers are needed for EAP-based authentication, or for MAC address based ACL lookups.

Examples
For device-id AP_00-0A-F5-00-01-89 , Auth servers are improperly configured for the SSID NewYorkRm and are needed for authenticating STA 00:0a:f5:00:05:f0 on radio 0 with RADIUS 2

See Also

Alarm Parameters
DeviceId: The device ID of the Airgo AP
SSID: SSID on the AP to which the station has associated
Station: The MAC address of the station
Radio: Radio interface on the AP
RADIUS Usage: The RADIUS server required for: Legacy 802.1x for dynamic WEP (1), WPA EAP authentication (2), MAC address based ACL lookup (3)

Alarm Severity
Severity: Critical

Security: STA failed to send EAPOL-start
Notification that indicates the STA has failed to send an EAPOL-Start even though it was expected for EAP based authentication

Syntax
"For device-id %s, the STA %s on radio %d and SSID %s failed to send an EAPOL-Start in order to begin auth of type %d"

Alarm Parameters
DeviceId: The device ID of the Airgo AP
Station: The MAC address of the station
Radio: Radio interface on the AP
SSID: SSID on the AP to which the station has associated
Authentication Type: LEGACY 802.1x (2) or WPA EAP (4)

Alarm Severity
Severity: Critical

Description
This notification is sent during authentication when the station fails to send an EAPOL-Start in order to begin the authentication using WPA-EAP or legacy 802.1X protocols.

Usage Guidelines
This indicates that the AP has determined that a STA has failed to send an EAPOL-Start. This might indicate a misconfiguration on the STA. The AP expects the STA to send an EAPOL-Start if the authentication type is deemed to be EAP based. This can happen when WPA EAP authentication is negotiated, or when WEP is enabled on the AP and no manual WEP keys are configured.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 on radio 0 and SSID NewYorkRm failed to send an EAPOL-Start in order to begin auth of type 4

See Also

Security: RADIUS sent a bad response
Notification that indicates the AP has determined that a RADIUS server has sent a bad response

Syntax
"For device-id %s, the RADIUS server %s:%d sent back a bad response due to %d"

Alarm Parameters
DeviceId: The device ID of the AP
RADIUS server: The IP address of the RADIUS server
Port: The port used to communicate with the RADIUS server.
Response: Reason codes: BAD SIGNATURE BASED ON SHARED SECRET (0), UNEXPECTED RESPONSE TYPE WHEN DOING EAP AUTH (1), UNEXPECTED RESPONSE TYPE WHEN DOING MAC-ACL LOOKUP (2), LEGAL MS-MPPE KEYS NOT PRESENT (3), BAD ENCODING FOR USER GROUP ATTRIBUTE (5)

Alarm Severity
Severity: Critical
Description
This notification is sent during authentication, when the RADIUS server sends a bad response. The aniNotifCauseCode identifies the reason associated with this bad response.

Usage Guidelines
This indicates that the AP has determined that a RADIUS server has sent a bad or unexpected response. The response could be bad because the cryptographic signature check might have failed or because an attribute might be missing or badly encoded.

Examples
For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 sent back a bad response due to 7

See Also

Security: RADIUS timeout too short
Notification that indicates the AP has determined that a RADIUS server has sent a late response. This indicates that the AP RADIUS timeout might need to be increased

Syntax
"For device-id %s, the RADIUS server %s:%d sent a late response - you might need to increase your RADIUS timeout of %d seconds"

Description
This notification is generated when the AP receives a late response from the RADIUS server, as opposed to not receiving any response at all. The AP may have attempted multiple retries or may have switched to another RADIUS server by this time. This indicates that due to higher latencies in the network, it might be better to increase the timeout associated with the authentication server.

Usage Guidelines
This indicates that the AP has determined that a RADIUS server has sent a late response.

Alarm Parameters
DeviceId: The device ID of the AP
RADIUS server: The IP address of the RADIUS server
Port: The port used to communicate with the RADIUS server
RADIUS timeout: The current setting of the RADIUS timeout

Alarm Severity
Severity: Critical
Examples
For device-id AP_00-0A-F5-00-01-89 , the RADIUS server 192.168.75.230:1812 sent a late response - you might need to increase your RADIUS timeout of 4 seconds

See Also

Security: STA authentication did not complete in time
Notification that indicates the AP has determined that a station has failed to complete the proper sequence of authentication exchanges in a timely manner

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not complete its auth sequence in time with auth-type %d and enc-type %d due to reason code %d"

Description
This notification is generated when the station authentication sequence did not complete in time.

Usage Guidelines
This indicates that the AP has determined the station authentication sequence did not complete in time.

Alarm Parameters
DeviceId: The device ID of the Airgo AP
AP: The MAC address of the upstream AP
Station: The MAC address of the station
bpIndicator: BP (1) or a STA (0) supplicant
Radio: Radio interface on the AP
User: Supplicant User ID, if exchanged during the EAPOL authentication
SSID: SSID on the AP to which the station has associated
Authentication Type: LEGACY 802.1x (2), WPA PSK (3), or WPA EAP (4)
Encryption Type: WEP-64 (1), WEP-128 (2), TKIP (5), or AES (6)
Reason Code: The reason for the failure: EAP-REQUEST NOT RECEIVED FROM AUTHENTICATION SERVER (2)

Alarm Severity
Severity: Critical
Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not complete its auth sequence in time with auth-type 4 and enc-type 6 due to reason code 6

See Also
EAP User-ID timeout, EAP Response Timeout

Security: Upstream AP is using an untrusted auth server
Notification that indicates the local BP has determined that the upstream AP is using an untrusted auth server

Syntax
"For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d is using an untrusted auth server %s with certificate SHA-1 thumbprint %s : IT MIGHT BE A ROGUE AP"

Alarm Parameters
  DeviceId     The device ID of the AP
  AP           The MAC address of the upstream AP
  SSID         SSID on the AP to which the station has associated
  Radio        Radio interface on the AP
  Node         The device ID (X.509 Certificate CN) of the entity used by the upstream AP as an auth server
  Thumbprint   The SHA-1 thumbprint of the certificate for this purported portal

Alarm Severity
  Severity     Critical

Description
This notification is generated when the local BP has determined that the upstream AP is using an untrusted auth server.

Usage Guidelines
This indicates that the local BP has determined the upstream AP is using an untrusted auth server. This may indicate that the upstream AP is a rogue AP. It is safe to say that the upstream AP and the downstream AP are not enrolled in the same network. If the downstream AP was previously enrolled elsewhere, then reset it and re-enroll it in the new network.

Examples
For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 is using an untrusted auth server 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint 98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e : IT MIGHT BE A ROGUE AP
See Also

Security: Upstream AP is using a non-portal node as its auth server
Notification that indicates the local BP has determined that the upstream AP is using a non-portal node as an auth server

Syntax
"For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d is using a non portal node %s with certificate SHA-1 thumbprint %s as its auth server: YOUR ENROLLMENT DATABASE MIGHT BE OUT OF SYNC."

Alarm Parameters
  DeviceId     The device ID of the Airgo AP
  AP           The MAC address of the upstream AP
  SSID         SSID on the AP to which the station has associated
  Radio        Radio interface on the AP
  Node         The device ID (X.509 Certificate CN) of the entity used by the upstream AP as an auth server
  Thumbprint   The SHA-1 thumbprint of the certificate for this purported portal

Alarm Severity
  Severity     Critical

Description
This notification is generated when the local BP has determined that the upstream AP is using a node that is not a security portal as its auth server. This indicates that the BP knows about the other Airgo Networks node, but does not believe it is authorized to be a Security Portal.

Usage Guidelines
This indicates that the local BP has determined that the upstream AP is out-of-sync with respect to the identity of legitimate portal APs and the enrollment databases are out of sync on the downstream AP and the upstream AP.

Examples
For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 is using a non portal node 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint 98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e as its auth server: YOUR ENROLLMENT DATABASE MIGHT BE OUT OF SYNC

See Also
Security: Upstream AP failed MIC check during BP authentication
Notification that indicates the local BP has determined that the upstream AP has failed a MIC check on a received frame

Syntax
"For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d failed an EAPOL-MIC check with auth-type %d during key exchange %d"

Alarm Parameters
  DeviceId             The device ID of the AP
  AP                   The MAC address of the upstream AP
  SSID                 SSID on the AP to which the station has associated
  Radio                Radio interface on the AP
  Authentication Type  RSN PSK (3) or RSN EAP (4)
  Key Exchange         Pairwise key exchange (0) or group key exchange (1)

Alarm Severity
  Severity             Critical

Description
This notification is generated when the MIC fails during the EAPOL key exchange process via a BP radio.

Usage Guidelines
This indicates that a frame with a MIC failure has been received during the EAPOL key exchange process.

Examples
For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 failed an EAPOL-MIC check with auth-type 4 during key exchange 3

See Also
Security: Premature EAP-success received
Notification that indicates the local BP has received an EAP-Success before authentication has completed

Syntax
"For device-id %s, the upstream AP %s with SSID %s authenticating via local BP radio %d sent EAP-Sucess before authentication completed : IT MIGHT BE A ROGUE AP"

Alarm Parameters
  DeviceId   The device ID of the Airgo AP
  AP         The MAC address of the upstream AP
  SSID       SSID on the AP to which the station has associated
  Radio      Radio interface on the AP

Alarm Severity
  Severity   Critical

Description
This notification is generated when an upstream AP sends an EAP success before authentication is completed. This may be a rogue AP trying to force an AP to join even before authentication is complete.

Usage Guidelines
This indicates that the local BP has received an EAP-success before authentication has even been completed.

Examples
For device-id AP_00-0A-F5-00-01-89 , the upstream AP 00:0a:f5:00:06:22 with SSID NewYorkRm authenticating via local BP radio 0 sent EAP-Sucess before authentication completed : IT MIGHT BE A ROGUE AP

See Also

Security: Profile not configured for user-group
Notification that indicates the AP has determined that a station is a member of a group for which a corresponding service profile has not been configured in this SSID

Syntax
"For device-id %s, the STA %s on radio %d with user %s is in group %s but SSID %s has no profile configured for that group"
Alarm Parameters
  DeviceId   The device ID of the Airgo AP
  Station    The MAC address of the station
  Radio      Radio interface on the AP
  User       User ID
  Group      Group tag for this user (determined from RADIUS configuration)
  SSID       SSID on the AP to which the station has associated

Alarm Severity
  Severity   Critical

Description
This notification is generated during Station authentication when no service profile has been configured for a given Group.

Usage Guidelines
This indicates that the AP has detected that an authenticating STA is a member of a group for which no service profile has yet been configured in this SSID.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:cc  on radio 0 with user paul is in group employee but SSID NewYorkRm has no profile configured for that group.

See Also

Security: STA has failed security enforcement check
Notification that indicates the AP has determined that a STA has failed the security enforcement checks for its service profile

Syntax
"For device-id %s, the STA %s on radio %d with user %s and SSID %s of group %s failed the security enforcement check with auth-type %d and enc-type %d at enforcement level %d"

Alarm Parameters
  DeviceId   The device ID of the Airgo AP
  Station    The MAC address of the station
  Radio      Radio interface on the AP
  User                 Supplicant User ID
  SSID                 SSID on the AP to which the station has associated.
  Group                Group tag for this user (determined from RADIUS configuration)
  Authentication Type  NONE (0), SHARED KEY (1), LEGACY EAP (2), RSN PSK (3), or RSN EAP (4)
  Encryption Type      NONE (0), WEP-64 (1), WEP-128 (2), TKIP (5), or AES (6)
  Enforcement Level    The security enforcement level configured in the service profile: AES ONLY (1), TKIP OR AES (2), WEP ONLY (3), NO ENCRYPTION (4), DEFAULT ENFORCEMENT (5)

Alarm Severity
  Severity             Critical

Description
This notification is generated if the STA fails the security enforcement checks for its service profile.

Usage Guidelines
This indicates that the STA is attempting to use an encryption type that is not allowed in its service profile. The service profile is determined based on the SSID and user group of the STA. Note that the AP may advertise multiple encryption capabilities, but different STAs might be restricted to different subsets of encryption capabilities based on their service profiles.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:cc  on radio 0 with user paul and SSID NewYorkRm of group employee failed the security enforcement check with auth-type 4 and enc-type 5 at enforcement level 1

See Also

Security: AP detected bad TKIP MIC
Notification that indicates the AP has detected a BAD TKIP MIC value in an incoming frame encrypted with the pairwise/unicast key

Syntax
"For device-id %s, a bad TKIP MIC was detected on an incoming unicast packet from STA %s on radio %d"

Alarm Parameters
  DeviceId   The device ID of the AP
  Station    The MAC address of the station
  Radio      Radio interface on the AP

Alarm Severity
  Severity   Critical

Description
This notification is generated when a bad TKIP MIC is detected on an incoming frame from a STA that is encrypted with the pairwise/unicast key.

Usage Guidelines
This indicates that the AP has detected an invalid TKIP MIC value on an incoming frame. All packets received by the AP are always encrypted with the pairwise/unicast key.

Examples
For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected on an incoming unicast packet from STA 00:0a:f5:00:05:cc on radio 0

See Also

Security: BP detected bad TKIP MIC on incoming unicast
Notification that indicates the BP has detected a BAD TKIP MIC value in an incoming frame from the AP that is encrypted with the pairwise/unicast key

Syntax
"For device-id %s, a bad TKIP MIC was detected by local BP radio %d on an incoming unicast packet from the AP %s"

Alarm Parameters
  DeviceId         The device ID of the AP
  Radio            Radio interface on the AP
  AP MAC address   The MAC address of the source AP

Alarm Severity
  Severity         Critical

Description
This notification is generated when a bad TKIP MIC is detected by a local BP radio, identified by aniApRadioIndex, on an incoming unicast packet from the AP, where the packet is encrypted with the pairwise/unicast key.

Usage Guidelines
This indicates that the BP has detected an invalid TKIP MIC value on an incoming frame encrypted with the pairwise/unicast key.
Examples
For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by local BP radio 0 on an incoming unicast packet from the AP 00:0a:f5:00:06:22

See Also
BP Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Security: BP detected bad TKIP MIC on incoming multicast/broadcast
Notification that indicates the BP has detected a BAD TKIP MIC value in an incoming frame from the AP that is encrypted with the group/multicast/broadcast key

Syntax
"For device-id %s, a bad TKIP MIC was detected by local BP radio %d on an incoming multicast/broadcast packet from the AP %s"

Alarm Parameters
  DeviceId         The device ID of the AP
  Radio            Radio interface on the AP
  AP MAC address   The MAC address of the source AP

Alarm Severity
  Severity         Critical

Description
This notification is generated when a bad TKIP MIC is detected by a local BP radio, identified by aniApRadioIndex, on an incoming multicast or broadcast packet from the AP where the packet is encrypted with the group/multicast/broadcast key.

Usage Guidelines
This indicates that the BP has detected an invalid TKIP MIC value on a received multicast/broadcast frame.

Examples
For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by local BP radio 0 on an incoming multicast/broadcast packet from the AP 00:0a:f5:00:06:22

See Also
BP Detected Bad TKIP MIC on Incoming Unicast
Security: STA detected bad TKIP MIC on incoming unicast
Notification that indicates a STA associated with this AP has detected a BAD TKIP MIC value in a frame it received from the AP encrypted with the pairwise/unicast key

Syntax
"For device-id %s, a bad TKIP MIC was detected by STA %s on radio %d on an incoming unicast packet from the AP"

Alarm Parameters
  DeviceId   The device ID of the AP
  Station    The MAC address of the station
  Radio      Radio interface on the AP

Alarm Severity
  Severity   Critical

Description
This notification is generated when a bad TKIP MIC is detected by an STA associated with this AP on an incoming unicast packet from the AP, where the packet is encrypted with the pairwise/unicast key.

Usage Guidelines
This indicates that the STA has detected an invalid TKIP MIC value on an incoming frame encrypted with the pairwise/unicast key.

Examples
For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by STA 00:0a:f5:00:05:f0 on radio 0 on an incoming unicast packet from the AP

See Also
STA Detected Bad TKIP MIC on Incoming Multicast/Broadcast

Security: STA detected bad TKIP MIC on incoming multicast/broadcast
Notification that indicates a STA associated with this AP has detected a BAD TKIP MIC value in a multicast/broadcast frame it received from the AP

Syntax
"For device-id %s, a bad TKIP MIC was detected by STA %s on radio %d on an incoming multicast/broadcast packet from the AP"

Alarm Parameters
  DeviceId   The device ID of the Airgo AP
  Station    The MAC address of the station
  Radio      Radio interface on the AP

Alarm Severity
  Severity   Critical

Description
This notification is generated when a bad TKIP MIC is detected by an STA associated with a radio, identified by aniApRadioIndex, on an incoming multicast or broadcast packet from the AP where the packet is encrypted with the group/multicast/broadcast key.

Usage Guidelines
This indicates that the STA has detected an invalid TKIP MIC value on a received multicast frame.

Examples
For device-id AP_00-0A-F5-00-01-89 , a bad TKIP MIC was detected by STA 00:0a:f5:00:05:f0 on radio 0 on an incoming multicast/broadcast packet from the AP

See Also
STA Detected Bad TKIP MIC on Incoming Unicast

Security: TKIP counter-measures lockout period started
Notification that indicates the AP is taking active counter-measures against an attempted compromise of TKIP.

Syntax
"For device-id %s, the TKIP counter-measures lockout period has started for 60 seconds."

Alarm Parameters
  DeviceId   The device ID of the AP

Alarm Severity
  Severity   Critical

Description
This notification is generated when a 60-second TKIP counter-measures lockout period is started.

Usage Guidelines
This indicates that the AP has determined that an attempt is underway to compromise the secure operation of TKIP. This happens if two MIC failures are detected within a 60 second
interval. If this happens, the AP disassociates all STAs and prevents new STAs from associating for a period of 60 seconds.

Examples
For device-id AP_00-0A-F5-00-01-89 , the TKIP counter-measures lockout period has started for 60 seconds.

See Also

Security: EAP user-ID timeout
Notification that indicates the STA has failed to respond in a timely manner with its user ID during the authentication exchange

Syntax
"For device-id %s, the STA %s[%d] on radio %d and SSID %s did not send its user-id in time to complete its auth sequence with auth-type %d and enc-type %d."

Alarm Parameters
  DeviceId             The device ID of the Airgo AP
  Station              The MAC address of the station
  bpIndicator          BP (1) or STA (0) supplicant
  Radio                Radio interface on the AP
  SSID                 SSID on the AP to which the station has associated
  Authentication type  LEGACY 802.1x (2) or WPA EAP (4)
  Encryption Type      WEP-64 (1), WEP-128 (2), TKIP (5), or AES (6)

Alarm Severity
  Severity             Critical

Description
This notification is generated when an STA fails to send its user ID in time to complete its authentication sequence using the specified authentication type.

Usage Guidelines
This indicates the failure of a STA to complete the EAP authentication exchange in a timely fashion. The two authentication modes that require the STA to send its user ID are WPA EAP and legacy 802.1x for dynamic WEP. This trap might indicate that a user prompt is not attended to on the client side.
Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 and SSID NewYorkRm did not send its user-id in time to complete its auth sequence with auth-type 4 and enc-type 6

See Also
EAP Response Timeout, STA Authentication Timeout

Security: EAP response timeout
Notification that indicates the STA has failed to respond in a timely manner with an EAP response during the authentication exchange

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send an EAP-Response in time to complete its auth sequence with auth-type %d and enc-type %d"

Alarm Parameters
  DeviceId             The device ID of the Airgo AP
  Station              The MAC address of the station
  bpIndicator          BP (1) or STA (0) supplicant
  Radio                Radio interface on the AP
  User                 Supplicant user ID established during EAPOL Authentication exchange
  SSID                 SSID on the AP to which the station has associated.
  Authentication type  LEGACY 802.1x (2) or WPA EAP (4)
  Encryption Type      WEP-64 (1), WEP-128 (2), TKIP (5), or AES (6)

Alarm Severity
  Severity             Critical

Description
This notification is generated when an STA fails to send an EAP response in time to complete its authentication sequence using the specified authentication type and encryption. This is an EAP response other than the User-ID.

Usage Guidelines
This indicates the failure of a STA to complete its EAP authentication exchange in a timely fashion. The two authentication modes that require the STA to send EAP responses are WPA EAP and legacy 802.1x for dynamic WEP. This trap might indicate that a user prompt is not attended to on the client side. It may also indicate that the client silently rejected an EAP request
sent from the RADIUS server – perhaps because it did not trust the RADIUS server’s credentials.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send an EAP-Response in time to complete its auth sequence with auth-type 4 and enc-type 6

See Also
EAP User-ID Timeout, STA Authentication Timeout

Security: EAPOL key exchange – message 2 timeout
Notification that indicates the STA has failed to respond in a timely manner with EAPOL 4-way handshake message number 2

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Pairwise Messg #2 in time where auth-type %d and enc-type %d"

Alarm Parameters
  DeviceId             The device ID of the AP
  Station              The MAC address of the station
  bpIndicator          BP (1) or STA (0) supplicant
  Radio                Radio interface on the AP
  User                 User ID established during EAPOL Authentication exchange (if applicable)
  SSID                 SSID on the AP to which the station has associated
  Authentication type  WPA PSK (3) or WPA EAP (4)
  Encryption Type      TKIP (5) or AES (6)

Alarm Severity
  Severity             Critical

Description
This notification is generated when an STA fails to send the WPA EAPOL-key Pairwise Message #2 in time to complete the pairwise key exchange.

Usage Guidelines
This indicates the failure of a STA to complete the EAPOL 4-way key exchange in a timely fashion.
Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Pairwise Messg #2 in time where auth-type 4 and enc-type 6

See Also

Security: EAPOL key exchange – message 4 timeout
Notification that indicates the STA has failed to respond in a timely manner with EAPOL 4-way handshake message number 4

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Pairwise Messg #4 in time where auth-type %d and enc-type %d"

Alarm Parameters
  DeviceId             The device ID of the AP
  Station              The MAC address of the station
  bpIndicator          BP (1) or STA (0) supplicant
  Radio                Radio interface on the AP
  User                 User ID established during EAPOL Authentication exchange (if applicable)
  SSID                 SSID on the AP to which the station has associated.
  Authentication type  WPA PSK (3) or WPA EAP (4)
  Encryption Type      TKIP (5) or AES (6)

Alarm Severity
  Severity             Critical

Description
This notification is generated when an STA fails to send the WPA EAPOL-key Pairwise Message #4 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.

Usage Guidelines
This indicates the failure of a STA to complete the EAPOL 4-way key exchange in a timely fashion.
Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Pairwise Messg #4 in time where auth-type 4 and enc-type 6

See Also

Security: EAPOL Group 2 key exchange timeout
Notification that indicates the STA has failed to respond in a timely manner with EAPOL Group key exchange message number 2

Syntax
"For device-id %s, the STA %s[%d] on radio %d with user %s and SSID %s did not send the WPA EAPOL-Key Group Messg #2 in time where auth-type %d and enc-type %d"

Alarm Parameters
  DeviceId             The device ID of the AP
  Station              The MAC address of the station
  bpIndicator          BP (1) or STA (0) supplicant
  Radio                Radio interface on the AP
  User                 User ID established during EAPOL Authentication exchange (if applicable)
  SSID                 SSID on the AP to which the station has associated.
  Authentication type  WPA PSK (3) or WPA EAP (4)
  Encryption Type      TKIP (5) or AES (6)

Alarm Severity
  Severity             Critical

Description
This notification is generated when an STA fails to send the WPA EAPOL-key group message #2 in time to complete its authentication sequence with a radio, using the specified authentication type and encryption.

Usage Guidelines
This indicates the failure of a STA to complete the group key exchange in a timely fashion.

Examples
For device-id AP_00-0A-F5-00-01-89 , the STA 00:0a:f5:00:05:f0 [0] on radio 0 with user paul and SSID NewYorkRm did not send the WPA EAPOL-Key Group Messg #2 in time where auth-type 4 and enc-type 6
L3 Mobility: Peer Mobility Agent Up
Notification which indicates that the local Mobility Agent has established contact with a peer Mobility Agent

Syntax
Device %s detected Layer-3 Mobility Agent %s/%d is up

Alarm Parameters
  DeviceId         The device ID of the AP
  MA IP Address    The IP Address of the peer Mobility Agent
  MA IP Maskbits   The number of bits in the Mobility Agent’s subnet mask

Alarm Severity
  Severity         Critical

Description
This notification is generated when a peer Mobility Agent responds to keep-alives in a timely fashion.

Usage Guidelines
This indicates that the local Mobility Agent is able to communicate with the peer Mobility Agent.

Examples
Device AP_00-0A-F5-00-01-89 detected Layer-3 Mobility Agent 192.168.75.23/24 is up

See Also
L3 Mobility: Peer Mobility Agent Down

L3 Mobility: Peer Mobility Agent Down
Notification that indicates that the local Mobility Agent has lost contact with a peer Mobility Agent

Syntax
Device %s detected Layer-3 Mobility Agent %s/%d is down

Alarm Parameters
  DeviceId         The device ID of the AP
  MA IP Address    The IP Address of the peer Mobility Agent
  MA IP Maskbits   The number of bits in the Mobility Agent’s subnet mask
Alarm Severity
  Severity         Critical

Description
This notification is generated when a peer Mobility Agent fails to respond to keep-alives in a timely fashion.

Usage Guidelines
This indicates that the local Mobility Agent is no longer able to communicate with the peer Mobility Agent.

Examples
Device AP_00-0A-F5-00-01-89 detected Layer-3 Mobility Agent 192.168.75.23/24 is down

See Also
L3 Mobility: Peer Mobility Agent Up
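
The Syntax strings in this appendix are regular enough to be parsed by a log collector. The following is an added example, not code from Airgo or from this guide: it turns four of the Security alarm Syntax strings into patterns, decodes the enc-type and enforcement-level codes from the Alarm Parameters tables, and applies the two-MIC-failures-within-60-seconds rule given for TKIP counter-measures. The timestamps, field names and finding labels are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Syntax strings copied from the alarm reference; field names are this example's own.
SYNTAX = {
    "untrusted_auth_server": (
        "For device-id %s, the upstream AP %s with SSID %s authenticating via "
        "local BP radio %d is using an untrusted auth server %s with "
        "certificate SHA-1 thumbprint %s : IT MIGHT BE A ROGUE AP",
        ("device", "upstream_ap", "ssid", "radio", "node", "thumbprint")),
    "enforcement_failed": (
        "For device-id %s, the STA %s on radio %d with user %s and SSID %s of "
        "group %s failed the security enforcement check with auth-type %d and "
        "enc-type %d at enforcement level %d",
        ("device", "sta", "radio", "user", "ssid", "group",
         "auth_type", "enc_type", "level")),
    "bad_tkip_mic": (
        "For device-id %s, a bad TKIP MIC was detected on an incoming unicast "
        "packet from STA %s on radio %d",
        ("device", "sta", "radio")),
    "tkip_lockout": (
        "For device-id %s, the TKIP counter-measures lockout period has "
        "started for 60 seconds.",
        ("device",)),
}
# Code tables from the Alarm Parameters of the enforcement-check alarm.
ENC_TYPE = {0: "NONE", 1: "WEP-64", 2: "WEP-128", 5: "TKIP", 6: "AES"}
ENFORCEMENT = {1: "AES ONLY", 2: "TKIP OR AES", 3: "WEP ONLY",
               4: "NO ENCRYPTION", 5: "DEFAULT ENFORCEMENT"}
INT_FIELDS = {"radio", "auth_type", "enc_type", "level"}
MIC_WINDOW = timedelta(seconds=60)  # two MIC failures within 60 s start a lockout


def _compile(fmt):
    """Turn a printf-style Syntax string into a whitespace-tolerant regex."""
    out = []
    for part in re.split(r"(%s|%d)", fmt):
        if part == "%s":
            out.append(r"\s*(.+?)\s*")
        elif part == "%d":
            out.append(r"\s*(\d+)\s*")
        else:  # literal text: match word by word, any run of spaces between
            out.append(r"\s+".join(re.escape(w) for w in part.split()))
    return re.compile("".join(out) + r"\s*\.?")

PATTERNS = {n: (_compile(fmt), fields) for n, (fmt, fields) in SYNTAX.items()}


def parse_alarm(message):
    """Return (alarm_name, fields) for a recognised alarm, otherwise None."""
    for name, (rx, fields) in PATTERNS.items():
        m = rx.fullmatch(message.strip())
        if m:
            rec = dict(zip(fields, m.groups()))
            for key in rec.keys() & INT_FIELDS:
                rec[key] = int(rec[key])
            return name, rec
    return None


def triage(events):
    """events: (ISO timestamp, message) pairs in time order -> list of findings."""
    findings, last_mic = [], {}
    for stamp, message in events:
        parsed = parse_alarm(message)
        if parsed is None:
            continue
        name, rec = parsed
        if name == "untrusted_auth_server":
            findings.append(("rogue-ap-suspect", rec["upstream_ap"], rec["thumbprint"]))
        elif name == "enforcement_failed":
            findings.append(("cipher-not-allowed", rec["sta"],
                             ENC_TYPE.get(rec["enc_type"]), ENFORCEMENT.get(rec["level"])))
        elif name == "bad_tkip_mic":
            when = datetime.fromisoformat(stamp)
            prev = last_mic.get(rec["device"])
            if prev is not None and when - prev <= MIC_WINDOW:
                findings.append(("tkip-lockout-expected", rec["device"], stamp))
            last_mic[rec["device"]] = when
        elif name == "tkip_lockout":
            findings.append(("tkip-lockout-started", rec["device"], stamp))
    return findings


# Constructed input: timestamps are invented; bodies follow the manual's Examples.
DEV = "AP_00-0A-F5-00-01-89"
MIC = ("For device-id %s , a bad TKIP MIC was detected on an incoming unicast "
       "packet from STA 00:0a:f5:00:05:cc on radio 0" % DEV)
SAMPLE_EVENTS = [
    ("2005-01-10T09:00:00", "For device-id %s , the STA 00:0a:f5:00:05:cc  on radio 0 "
     "with user paul and SSID NewYorkRm of group employee failed the security "
     "enforcement check with auth-type 4 and enc-type 5 at enforcement level 1" % DEV),
    ("2005-01-10T09:01:10", MIC),
    ("2005-01-10T09:01:40", MIC),
    ("2005-01-10T09:01:41", "For device-id %s , the TKIP counter-measures lockout "
     "period has started for 60 seconds." % DEV),
    ("2005-01-10T09:05:00", "For device-id %s , the upstream AP 00:0a:f5:00:06:22 with "
     "SSID NewYorkRm authenticating via local BP radio 0 is using an untrusted auth "
     "server 00:0a:f5:00:01:45 with certificate SHA-1 thumbprint "
     "98:72:a8:6d:56:f8:92:a8:f3:97:ec:3f:fa:0b:66:4e : IT MIGHT BE A ROGUE AP" % DEV),
]
if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

A "tkip-lockout-expected" finding with no "tkip-lockout-started" alarm shortly after it, or the reverse, is worth checking for lost alarms.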
Glossary

This glossary defines terms that apply to wireless and networking technology in general and Airgo Networks products in particular.

802.1x
Standard for port-based authentication in LANs. Identifies each user and allows connectivity based on policies in a centrally managed server.

802.11
Refers to the set of WLAN standards developed by IEEE. The three commonly in use today are 802.11a, 802.11b, and 802.11g, sometimes referred to collectively as Dot11.

access control list (ACL)
A list of services used for security of programs and operating systems. Lists users and groups together with the access awarded for each.

access point (AP)
An inter-networking device that connects wired and wireless networks together. Also, an 802.11x capable device that may support one or more 802.11 network interfaces in it and coordinates client stations to establish an Extended Service Set 802.11 network.

Advanced Encryption Standard (AES)
An encryption algorithm developed for use by U.S. government agencies; now incorporated into encryption standards for commercial transactions.

ad-hoc network
A group of nodes or systems communicating with each other without an intervening access point. Many wireless network cards support ad-hoc networking modes.

authentication server
A central resource that verifies the identity of prospective network users and grants access based on predefined policies.

authentication zone
An administrative grouping of resources for user authentication.

backhaul
The process of getting data from a source and sending it for distribution over the main backbone network. Wireless backhaul refers to the process of delivering data from a node on the wireless network back to the wired network. Also referred to as WDS.x.

Basic Service Set (BSS)
The set of all wireless client stations controlled by a single access point.

bridge
A connection between two (or more) LANs using the same protocol.
Virtual bridges are used as a means of defining layer 2 domains for broadcast messages. Each virtual bridge uniquely defines a virtual local area network (VLAN).

Class of Service (COS)
A method of specifying and grouping applications into various QoS groups or categories.
client utility
This application executes on a station and provides management and diagnostics functionality for the 802.11 network interfaces.

Differentiated Services Code Point (DSCP)
A system of assigning Quality of Service “Class of Service” tags.

Domain Name Service (DNS)
A standard methodology for converting alphanumeric Internet domain names to IP addresses.

Dynamic Host Configuration Protocol (DHCP)
A communications protocol enabling IP address assignments to be managed both dynamically and centrally. With DHCP enabled on a node (a system, device, network card, or access point), when it boots or is connected to a network, an address is automatically assigned. Each assigned address is considered to be “leased” to a specific node; when the lease expires, a new IP can be requested and/or automatically reassigned. Without DHCP, IP addresses would need to be entered manually for each and every device on the network.

dynamic IP address
A TCP/IP network address assigned temporarily (or dynamically) by a central server, also known as a DHCP server. A node set to accept dynamic IPs is said to be a “DHCP client.”

Extensible Authentication Protocol (EAP)
Standard that specifies the method of communication between an authentication server and the client, or supplicant, requesting access to the network. EAP supports a variety of authentication methods.

Extensible Authentication Protocol Over LAN (EAPOL)
Protocol used for 802.1x authentication.

EAP-TLS
EAP using Transport Layer Security. EAP-based authentication method based on X.509 certificates, which provides mutual, secure authentication. Certificates must be maintained in the authentication server and supplicant.

EAP-PEAP
Protected EAP-based authentication method based on X.509 certificates. Uses a two-phase approach in which the server is first authenticated to the supplicant.
This establishes a secure channel over which the supplicant can be authenticated to the server.

Extended Service Set (ESS)
A set of multiple connected BSSs. From the perspective of network clients, the ESS functions as one wireless network; clients are able to roam between the BSSs within the ESS.

ESSID
Name or identifier of the ESS used in network configuration.

hostname
The unique, fully qualified name assigned to a network computer, providing an alternative to the IP address as a way to identify the computer for networking purposes.

Hypertext Transfer Protocol (HTTP)
Protocol governing the transfer of data on the World Wide Web between servers and browsers (and browser-enabled software applications).
Hypertext Transfer Protocol over SSL (HTTPS)
A variant of HTTP that uses Secure Sockets Layer (SSL) encryption to secure data transmissions. HTTPS uses port 443, while HTTP uses port 80.

Independent Basic Service Set (IBSS)
A set of clients communicating with each other or with a network via an access point.

Internet Protocol (IP)
The network layer protocol for routing packets through the Internet.

IP address
32-bit number, usually presented as a period-separated (dotted decimal) list of three-digit numbers, which identifies an entity on the Internet according to the Internet Protocol standard.

local area network (LAN)
A group of computers, servers, printers, and other devices connected to one another, with the ability to share data between them.

management information bases (MIBs)
A database of objects that can be monitored by a network management system. Both SNMP and RMON use standardized MIB formats that allow any SNMP and RMON tools to monitor any device defined by a MIB.

maskbits
Number of bits in the subnet prefix for an IP address (provides the same information as subnet mask). Each triplet of digits in an IP address consists of 8 bits. To specify the subnet in maskbits, count the number of bits in the prefix. To specify using a subnet mask, indicate the masked bits as an IP address. Example: subnet mask 255.255.255.0 is equivalent to 24 maskbits, which is the total number of bits in the 255.255.255 prefix.

Media Access Control (MAC) address
A unique hardware-based equipment identifier, set during device manufacture. The MAC address uniquely identifies each node of a network. Access points can be configured with MAC access lists, allowing only certain specific devices to connect with the LAN through them, or to allow certain MAC-identified network cards or devices access only to certain resources.
MAC address authentication
Method of authenticating clients by using the MAC address of the client station rather than a user ID.

Network Address Translation (NAT)
The translation of one IP address used within a network to another address used elsewhere. One frequent use of NAT is the translation of IPs used inside a company, versus the IP addresses visible to the outside world. This feature helps increase network security to a small degree, because when the address is translated, it is an opportunity to authenticate the request and/or to match it to known, authorized types of requests. NAT is also used sometimes to map multiple nodes to a single outwardly visible IP address.

Network Interface Card (NIC)
Generic term for network interface hardware that includes wired and wireless LAN adapter cards, PC Cardbus PCMCIA cards, and USB-to-LAN adapters.

network management system (NMS)
Software application that controls a network of multiple access points and clients.
node
Generic term for a network entity. Includes an access point, network adapter (wireless or wired), or network appliance (such as a print server or other non-computer device).

Network Time Protocol (NTP)
NTP servers are used to synchronize clocks on computers and other devices. Airgo APs have the capability to connect automatically to NTP servers to set their own clocks on a regular basis.

Packet INternet Groper (PING)
A utility that determines whether a specific IP address is accessible, and the amount of network time (measured in milliseconds) needed for response. PING is used primarily to troubleshoot Internet connections.

policy-based networking
The management of a network with rules (or policies) governing the priority and availability of bandwidth and resources, based both on the type of data being transmitted and the privileges assigned to a given user or group of users. This allows network administrators to control how the network is used in order to help maximize efficiency.

Power over Ethernet (PoE)
Power supplied to a device by way of the Ethernet network data cable instead of an electrical power cord.

preamble type
The preamble defines the length of the cyclic redundancy check (CRC) block for communication between the access point and a roaming network adapter. All nodes on a given network should use the same preamble type.

Quality of Service (QoS)
QoS is a term encompassing the management of network performance, based on the notion that transmission speed, signal integrity, and error rates can be managed, measured, and improved. In a wireless network, QoS is commonly managed through the use of policies.

Remote Authentication Dial-In User Service (RADIUS)
A client/server protocol and software that enables remote access servers to communicate with a central server in order to authenticate users and authorize service or system access. RADIUS permits maintenance of user profiles in a central repository that all remote servers can share.

Radio Frequency (RF)
The electromagnetic wave frequency radio used for communications applications.

roaming
Analogous to the way cellular phone roaming works, roaming in the wireless networking environment is the ability to move from one AP coverage area to another without interruption in service or loss in connectivity.

rogue AP
An access point that connects to the wireless network without authorization.

Secure Shell (SSH)
Also known as the Secure Socket Shell, SSH is a UNIX-based command line interface for secure access to remote systems. Both ends of a communication are secured and authenticated using a digital certificate, and any passwords exchanged are encrypted.

Service Set Identifier (SSID)
The SSID is a unique identifier attached to all packets sent over a wireless network, identifying one or more wireless network adapters as “belonging” to a common group. Some access points can support multiple SSIDs, allowing for varying privileges and capabilities based on user roles.

Secure Sockets Layer (SSL)
A common protocol for message transmission security on the Internet. Existing as a program layer between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers, SSL is a standard feature in Internet Explorer, Netscape, and most web server products.

Simple Mail Transfer Protocol (SMTP)
Protocol used to transfer email messages between email servers.

Simple Network Management Protocol (SNMP)
An efficient protocol for network management and device monitoring.

SNMP trap
A process that filters SNMP messages and saves or drops them, depending upon how the system is configured.

Spanning Tree Protocol (STP)
A protocol that prevents bridging loops from forming due to incorrectly configured networks.

Station (STA)
An 802.11-capable device that supports only one 802.11 network interface, capable of establishing a Basic Service Set 802.11 network (i.e., peer-to-peer network).

static IP address
A permanent IP address assigned to a node in a TCP/IP network.

subnet
A portion of a network, designated by a particular set of IP addresses. Provides a hierarchy for addressing in LANs. Also called a subnetwork.

subnet mask
A TCP/IP addressing method for dividing IP-based networks into subgroups or subnets (compare with maskbits). Each triplet of digits in an IP address consists of 8 bits. To specify using a subnet mask, indicate the masked bits as an IP address. To specify the subnet in maskbits, count the number of bits in the prefix. Example: subnet mask 255.255.255.0 is equivalent to 24 maskbits, which is the total number of bits in the 255.255.255 prefix.

Temporal Key Integrity Protocol (TKIP)
Part of the IEEE 802.11i encryption standard, TKIP provides improvements to WEP encryption, including per-packet key mixing, message integrity check, and a re-keying mechanism.

Traffic Class Identifier (TCID)
Part of the standard 802.11 frame header. The 3-bit TCID is used for mapping to class-of-service values.

Transmission Control Protocol/Internet Protocol (TCP/IP)
One of the most commonly used communication protocols in modern networking. Addresses used in TCP/IP usually consist of four triplets of digits, plus a subnet mask (for example, 192.168.25.3, subnet 255.255.255.0).

Transport Layer Security (TLS)
A protocol that provides privacy protection for applications that communicate with each other and their users on the Internet. TLS is a successor to the Secure Sockets Layer (SSL).
True MIMO™
The Airgo Networks, Inc. implementation of the data multiplexing technique known as Multiple Input Multiple Output (MIMO). MIMO uses multiple spatially-separated antennas to increase wireless throughput, range, and spectral efficiency by simultaneously transmitting multiple data streams on the same frequency channel.

Trunk
In telecommunications, a communications channel between two switching systems. In a wireless network, a trunk is a wireless connection from one Access Point to another.

Type of Service (ToS)
Sometimes also called IP Precedence, ToS is a system of applying QoS methodologies, based on headers placed into transmitted IP packets.

User Datagram Protocol (UDP)
A connectionless protocol similar to TCP/IP, but without the same level of error checking. UDP is commonly used when some small degree of error and packet loss can be tolerated without losing program integrity, such as for online games.

Virtual LAN (VLAN)
A local area network with a definition that addresses network nodes on some basis other than physical location or even whether the systems are wired together or operating using the same local equipment. VLANs are, on average, much easier to manage than a physically implemented LAN. In other words, moving a user from one VLAN to another is a simple change in software, whereas on a regular LAN, the computer or device would need to be connected physically to a different switch or router to accomplish the same thing. Network management software of some sort is used to configure and manage the VLANs on a given network.

Wired Equivalent Privacy (WEP)
Security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. Uses dynamically or manually assigned keys for encryption and authentication, as dictated by the capabilities of the client station. The WEP algorithms are vulnerable to compromise; therefore, WEP security is only recommended for legacy clients that do not support the newer generation security standards.

Windows Internet Name Server (WINS)
The Windows implementation of DNS, which maps IP addresses to computer names (NetBIOS names). This allows users to access resources by computer name instead of by IP address.

Wi-Fi
A play on the term “HiFi,” Wi-Fi stands for Wireless Fidelity, a term for wireless networking technologies.

Wireless Local Area Network (WLAN)
A type of local area network that employs radio frequencies to transmit data (usually encrypted), much like LANs transmit data over wires and fiber optic cables.
