Airgo Networks AGN1202AP0000 802.11 a/b/g True MIMO Access Point User Manual 1

Airgo Networks Inc. 802.11 a/b/g True MIMO Access Point 1

User Manual 1

Airgo Networks, Inc.900 Arastradero RoadPalo Alto, CA 94304P: 650-475-1900F: 650-475-1708www.airgonetworks.com Part Number: 640-00068-00Published: July 2004Installation and Configuration GuideAirgo Access Point
Copyright © 2004 by Airgo, Inc. All Rights Reserved.No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of Airgo unless such copying is expressly permitted by U.S. copyright law.
Installation and Configuration Guide: Airgo Access Point iii ContentsPreface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - x1 Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1Product Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1Product Suite - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1Features Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2Radio Resource Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3Mobility Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3Portal Architecture - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5VLANs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5Quality of Service - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6IP Routing - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6Multiple SSIDs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6Guest Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6Rogue AP Detection and Classification - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6Standards and Data Rates - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7Integration With the Existing Wired Network - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 7Management Interface Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 82 Planning Your Installation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9Example Wireless Network Installation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 9Assessing Coverage and Capacity Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 10Site Surveys - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 11Assessing Security Needs and Architecture - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 11Selecting a Network Management Method - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 12Planning Network Features - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 14Example Deployment Scenarios - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 16Example 1: Small office, single AP, possible future growth - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 16Example 2: Small to mid-size business with wireless backhaul - - - - - - - - - - - - - - - - - - - - - - - - - - 18Example 3: Mid-size business, multiple SSIDs, multiple VLANs - - - - - - - - - - - - - - - - - - - - - - - - - 19Example 4: Large business, guest access, extended network services - - - - - - - - - - - - - - - - - - - - - - 21Example 5: Large Campus with Branch Offices - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 233 Installing the Access Point - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25Using the Configuration Interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25Hardware Components - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25System Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25Installation Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25
Installation and Configuration Guide: Airgo Access Point ivPower and Cabling Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 26Network Information Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 26Installing the Access Point - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 26Using Power Over Ethernet - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 27Placement and Orientation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 27Verifying the Installation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 28Interpreting the LEDs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 28Connecting the Serial Port - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29Resetting the Access Point - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29Using the Configuration Interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 30Using the Web Browser Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 30Using AP Quick Start to Initialize the Access Point - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31Initializing a Normal AP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 33Initializing the Portal AP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 36Navigating the Web Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 37The Home Panel - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 37Quick Start Panels - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 39Other Panels - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 45NM Portal Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 45Configuration Wizards - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 45User Security Wizard - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 45Guest Access Wizard - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 504 Configuring Radio Settings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 55Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 55Configuring Radio Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 56Global Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 57Admin State Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 62Channel Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 64Performance - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 66Admission - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 68Setting the Advanced Radio Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 69802.11 Policy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 69MAC Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 71Viewing Radio Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 72Radio State - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 72Radio Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 75Viewing Radio Neighbor Details - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 77Configuring SSID Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 78SSIDs and Service Profiles - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 79SSID Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 80SSID Details - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 82Profile Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 84Multiple SSIDs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 85Managing Client Stations - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 86Stations - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 87
Installation and Configuration Guide: Airgo Access Point vLink Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 88Security Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 89Configuring Inter Access Point Protocol (IAPP) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 90IAPP Service - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91IAPP Topology - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91IAPP Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 92Performing Radio Diagnostics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 93Link Test - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 94Walk Test - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 975 Configuring Networking Settings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 99Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 99Interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 99Configuring Bridging Services - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 100Bridge and STP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 100Bridge Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 102ARP Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 102Configuring IP Routes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 103Configuring VLANs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 105VLAN Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 106Interface VLAN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 107User VLAN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 108VLAN Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 110Configuring Quality of Service - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 111Ingress QOS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 113Egress COS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 114QoS Stats - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 115Configuring Advanced QoS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 115Class-Order - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 116IP-DSCP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 117IP Protocol - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 118IP Precedence - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 119Configuring Packet Filters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 119Filter Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 119Filter Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 121Configuring Interfaces - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 121Interface Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 122Interface Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 123Configuring SNMP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 123Ping Test - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1256 Configuring a Wireless Backhaul - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 127Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 127Use of Radios for Backhaul - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128Wireless Backhaul Trunks - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128Wireless Backhaul security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128
Installation and Configuration Guide: Airgo Access Point viSetting Up a Wireless Backhaul - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 129Link Criteria - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 129Candidate APs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 131Trunk Table - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 131Trunk Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1327 Managing Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 135Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 135AP Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 136Administrative Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 136User Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 136Data Encryption - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 137Configuring Wireless Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 138Security Mode - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 138SSID Authentication - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 140Configuring Authentication Zones - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 143Authentication Zones - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 143Authentication Servers - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 144Configuring Administrator Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 144External RADIUS Server Settings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 145Viewing Security Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 146Authentication Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 146Supplicant Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 147Authentication Diagnostics - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 149Configuring Advanced Parameters - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1508 Configuring Guest Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 153Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 153Internal Landing Page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 154External Landing Page - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 155Open Subnet - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 156Configuring Guest Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 156Guest Access Services Panel - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 158Guest Access Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1609 Managing the Network - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 163Introduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 163Using NM Portal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 164Home Panel - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 164Menu Tree - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 164Using the Network Topology Menu - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 165Enrolling APs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 165Viewing Backhaul Topology - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 168Viewing IP Topology - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 169Displaying Discovered Radios - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 171Managing Rogue Access Points - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 173
Installation and Configuration Guide: Airgo Access Point viiIP Rogue AP Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 174Wireless Rogue AP Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 176Using the NM Services Menu - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 179Working With Policies - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 179Configuring Network Discovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 182Configuring Portals - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 185Configuring the DHCP Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 188Managing Network Faults - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 192Viewing Alarms - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 192Viewing the Syslog - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 202Managing Users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 203Adding Wireless Users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 203Adding Administrative Users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 205Adding MAC-ACL Users - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 20610 Maintaining the Access Point - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 209Rebooting the AP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 209Managing the System Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 209IP Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 210Syslog Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 211License Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 212NMS Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 212Hardware Options - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 213Managing the AP Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 214Secure Backup - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 214Configuration Reports - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215Reset Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 217TFTP Backup - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 218Upgrading Software - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 219Software Image File - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 220Upgrading the AP Software - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 220Canceling a Distribution - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 223Download Status - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 223Image Recovery - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 224Common Problems and Solutions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 224A Using the Command Line Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 227Using the Command Line Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 227Using the Console Port for CLI Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 228B Regulatory and License Information - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 231C Alarms - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 233Discovery: Discovered new node - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 235Discovery: Node deleted from network - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 235Discovery: Managed nodes limit exceeded - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 236Enrollment: Node Enrolled - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 236
Installation and Configuration Guide: Airgo Access Point viiiEnrollment: Node Un-enrolled - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 237Policy: Policy Download Successful - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 238Policy: Policy Download Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 238Software Download: Image Download Succeeded - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 239Software Download: Image Download Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 239Software Download: Software Distribution Succeeded - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 240Wireless: Radio enabled (BSS Enabled) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 241Wireless: Radio Disabled (BSS disabled) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 241Wireless: BSS Enabling Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 242Wireless: Frequency Changed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 242Wireless: STA Association Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 243Wireless: STA Associated - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 244Wireless: STA Disassociated - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 245Wireless: WDS Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 246Wireless: WDS Up - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 246Wireless: WDS Down - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 247Security: Guest Authentication Succeeded - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 248Security: Guest Authentication Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 249Security: User rejected by RADIUS Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 249Security: BP rejected by RADIUS Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 250Security: RADIUS Server timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 251Security: Management User login success - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 252Security: Management User login failure - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 253Security: STA failed EAPOL MIC check - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 253Security: STA attempting WPA PSK – no Pre-shared Key is set for SSID - - - - - - - - - - - - - - - - - 254Security: Auth Server Improperly configured on this SSID - - - - - - - - - - - - - - - - - - - - - - - - - - - 255Security: STA failed to send EAPOL-Start - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 256Security: RADIUS sent a bad response - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 256Security: RADIUS timeout too short - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 257Security: STA authentication did not complete in time - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 258Security: Upstream AP is using an untrusted auth server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 259Security: Upstream AP is using a non-portal node as its auth server - - - - - - - - - - - - - - - - - - - - - 260Security: Upstream AP failed MIC check during BP authentication - - - - - - - - - - - - - - - - - - - - - 260Security: Premature EAP-Success received - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 261Security: Profile not configured for user-group - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 262Security: STA has failed security enforcement check - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 263Security: Guest Authentication Failed - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 264Security: AP Detected Bad TKIP MIC - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 265Security: BP Detected Bad TKIP MIC on Incoming Unicast - - - - - - - - - - - - - - - - - - - - - - - - - - 266Security: BP Detected Bad TKIP MIC on Incoming Multicast/Broadcast - - - - - - - - - - - - - - - - - 266Security: STA Detected Bad TKIP MIC on Incoming Unicast - - - - - - - - - - - - - - - - - - - - - - - - - 267Security: STA Detected Bad TKIP MIC on Incoming Multicast/Broadcast - - - - - - - - - - - - - - - - 268Security: TKIP counter-measures lockout period started - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 268Security: EAP User-ID timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 269Security: EAP response timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 270
Installation and Configuration Guide: Airgo Access Point ixSecurity: EAPOL Key exchange – message 2 timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 271Security: EAPOL Group 2 key exchange timeout - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 272Glossary - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 275Index - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 281
Installation and Configuration Guide: Airgo Access Point xPrefaceThis guide explains how to install and configure the Airgo Access Point (Airgo AP), which is used with Wi-Fi certified clients to provide PC laptop and desktop users with wireless network access.The Airgo Access Point provides the following features:•High throughput and range through dual-band radio transceivers•Easy installation•Wireless networking features that include bridging, VLAN, Quality of Service (QoS), IP routing, and network backhaul capabilities•Comprehensive security that includes support for WEP, TKIP, AES, EAP-PEAP, EAP-TLS, and RADIUS•Automated radio resource management, including controls for operating channels, capacity, and range•Policy-based managementAudienceThis guide is designed to help you install and configure the Airgo Access Point successfully even if you are unfamiliar with wireless networking technology. Some familiarity with local area networking technology is assumed. If you encounter a term or acronym with which you are unfamiliar, refer to the glossary at the end of the guide, just before the index.Organization of this GuideThis guide consists of the following chapters:• Chapter 1, “Overview,” provides a high-level overview of the Airgo Access Point products.• Chapter 2, “Planning Your Installation,” describes various deployment scenarios and helps determine how many Airgo Access Points will be needed and the appropriate network management scheme.• Chapter 3, “Installing the Access Point,” describes how to install the Airgo Access Point and how to use the Quick Start panels for fast and easy configuration. Also explains how to use the Airgo AP web interface.• Chapter 4, “Configuring Radio Settings,” explains how to configure the Airgo Access Point radios.• Chapter 5, “Configuring Networking Settings,” explains how to configure the advanced networking features of the Airgo Access Point.• Chapter 6, “Configuring a Wireless Backhaul,” explains how to use the wireless backhaul feature to configure a wireless distribution system that can cover a large area with limited wired network connectivity.• Chapter 7, “Managing Security,” describes the encryption and authentication features of the Airgo Access Point and explains how configure the security options. • Chapter 8, “Configuring Guest Access,” describes how to configure guest access for the network.
Prefacexi Installation and Configuration Guide: Airgo Access Point• Chapter 9, “Managing the Network,” explains how to use the NM Portal features of the Airgo Access Point to manage multiple APs across your network. • Chapter 10, “Maintaining the Access Point,” describes the tools available to maintain the Airgo Access Point.• Appendix A, “Using the Command Line Interface,” describes how to use the console and command line interface (CLI) to configure the Airgo Access Point, with cross-references to the Airgo Command Line Interface Reference Manual.• Appendix B, “Regulatory and License Information,” provides regulatory specifications. for the Airgo Access Point.• Appendix C, “Alarms,” provides a description of the alarms generated by the Airgo Access Point.• Glossary— Provides definitions for acronyms, networking terminology, and Airgo-specific terms.Conventions Used in this GuideThis guide uses the following conventions for instructions and information.Notes, Cautions, and WarningsNotes, cautions, and time-saving tips use the following conventions and symbols.Command ConventionsTable 1 describes the command syntax used in this document.NOTE: Notes contain helpful suggestions or information that may be of importance to the task at hand.CAUTION: Caution indicates that there is a risk of equipment damage or loss of data when certain actions are performed.WARNING: Warnings are intended to alert you to situations that could result in injury (such as exposure to electric current, for example).Table 1:Command ConventionsConvention Descriptionboldface Commands and keywords.italic Command input that is supplied by you.[ ] Optional keywords and default responses to system prompts appear within square brackets.{x|x|x} A choice of keywords (represented by x) appears in braces separated by vertical bars. You must select one.Ctrl Represents the key labeled Ctrl. For example, when you read ^D or Ctrl-D, you should hold down the Control key while you press the D key.panel font Examples of information displayed on a panel.boldface panel font Examples of information the user must enter.
PrefaceInstallation and Configuration Guide: Airgo Access Point xiiRelated DocumentationThe following documentation related to the Airgo wireless networking product line is available on CD-ROM and also on the Airgo website, http://www.airgonetworks.com.• Airgo Client Installation and User Guide — Explains how to install and configure the Airgo Wireless LAN Client Adapter, which provides PC laptop and desktop users with access to the Airgo Access Point products.• Airgo NMS Pro Installation and Configuration Guide — Explains how to use Airgo NMS Pro to manage an enterprise wireless network.• Airgo Command Line Interface (CLI) Reference Manual — Provides a listing of all the commands available for Airgo wireless products through serial console access and the command line interface. Intended for advanced users and system administrators.
Prefacexiii Installation and Configuration Guide: Airgo Access Point
Installation and Configuration Guide: Airgo Access Point 11OverviewThis chapter introduces the features and capabilities of the Airgo Access Point and presents the following topics:•Product Overview•Features Overview•Standards and Data Rates•Radio Resource Management•Mobility Management•Portal Architecture•Security•Integration With the Existing Wired Network•Management Interface OptionsProduct OverviewThe Airgo Access Point is part of an innovative suite of wireless technology products designed to dramatically improve the quality and convenience of wireless networking. By greatly increasing the range, speed, reliability, security, and ease-of-use of wireless LAN (WLAN) systems, Airgo products help to promote the mainstream adoption of wireless technology, and help to foster new wireless applications. Product SuiteThe Airgo product suite comprises these wireless networking products:•Airgo Access Point•Airgo Wireless LAN Client Adapter•Airgo Professional Network Management System (NMS Pro)Airgo Access PointsAirgo Access Points (Airgo AP) provide network connectivity for wireless client stations. Incorporating the latest technological advances in radio design and implementation, the dual-radio Airgo Access Point offers very high wireless performance, financial-grade security, and extended wireless coverage. Airgo Wireless LAN Client AdapterThe Airgo Wireless LAN Client Adapter provides the communications link between laptop or desktop PC users and wireless network. Available in PC Card and Mini PCI Card form factors, the Airgo Wireless LAN Client Adapter is designed to take full advantage of the performance, range, security, and management capabilities of the Airgo Access Point. For more information, refer to the Airgo Wireless LAN Client Adapter Installation and User Guide.
1 Overview2 Installation and Configuration Guide: Airgo Access PointAirgo NMS ProAirgo’s NMS Pro provides enterprise-class management for the wireless network, including complete configuration and image control, security, and performance and fault monitoring. For more information, refer to the NMS Pro Installation and Configuration Guide.Figure 1 shows how Airgo products operate in concert to create a wireless network. Figure 1: Airgo Wireless NetworkFeatures OverviewAirgo Access Points extend the range, coverage, and bandwidth of traditional wireless equipment, while also supporting the latest network security and management features. All Airgo Access Point models include the following features:•Dual radios, each operating in 802.11b/g or 802.11a mode•Optional Airgo enhanced data rates up to 108 Mbps•Automated frequency management•Cell size and range management•Support for all current IEEE 802.11 standards and draft versions of 802.11 standards•Multiple SSID support•Bridging, including layer 2 filtering, encapsulation modes, 802.1x support, and static forwarding•Easy installation and configuration•Single and multiple VLAN support, interface-based and user-based•802.11 roaming support•Web and command line user interfacesClient(s)DNS & DHCPServerRADIUSServerAccessPointWireless ClientsWireless Clients Wireless ClientsAccessPointAccessPointEnterpriseNetworkA0001DNMS ProServer
Features OverviewInstallation and Configuration Guide: Airgo Access Point 3•Embedded Network Management and Security Portal services•Financial grade security•Effective security management•Guest user access•Rogue AP detection•Quality of service (QoS)•Wireless backhaul modes•Integration with existing wired network infrastructure•Static IP routing•SNMP MIB support•Authentication using RADIUS services•Software and firmware upgrades•Back up and restoration of AP configuration data•SYSLOG and diagnostic tools for monitoring and troubleshootingRadio Resource ManagementThe Airgo AP supports management of radio channels, cell size, and range. Channel management features include automatic channel selection, support for international channel sets, dynamic channel changes in response to network conditions, and the ability to assign channels manually to fine tune channel quality. Cell size and range capabilities enable you to optimize equipment placement, eliminate dead spots, and reduce interference.Mobility ManagementMobility management features include Layer 2 roaming (as users move from one coverage area of an access point to another or are switched for load balancing purposes), quality of service support, and comprehensive security features. The Airgo AP also provides support for 802.11f based Inter-Access Point Protocol (IAPP).
1 Overview4 Installation and Configuration Guide: Airgo Access PointPortal ArchitectureTo support the range of network sizes and configurations served by Airgo products, Airgo has designed a built-in, flexible, portal services architecture for management and security. Each AP can be configured as an NM Portal AP to support the following services:Figure 2 illustrates portal services within the Airgo network. NM Portal provides overall network management functionality and monitoring. The enrollment portal feature enables verification of additional APs and authorization for operation in the network. The security portal feature verifies the identity of individual users wanting access to the network.Figure 2: Portal ServicesRegardless of network size, configuring one or more Airgo APs as NM Portals yields the following benefits:•Even with as few as two APs in a network, NM Portal offers a single point of focus for monitoring the network and managing security. Configuring the first AP as an NM Portal makes it easy to enroll additional APs.•The configuration of the NM Portal AP is easily distributed to the other APs in the network, assuring consistent application of configuration parameters.Service DescriptionManagement NM Portal services provide network management functionality for small to mid-size wireless networks. Each Airgo AP configured as an NM Portal can operate in stand-alone mode to provide network management for the entire network or as a location or branch manager working in conjunction with NMS Pro, the Airgo Professional Network Management System. Security Security portal services include support for secure user authentication by way of a RADIUS server internal to the Airgo AP. Security portal services are part of NM Portal, but can also be configured independently for backup authentication in the event that the primary internal RADIUS server becomes unavailable.Enrollment Each Airgo wireless network requires an enrollment server to verify the identity of Airgo APs and authorize them for operation in the network. The enrollment portal feature is automatically enabled in the access point as part of NM Portal. NM Portal should be used for enrollment unless NMS Pro has been implemented as the enterprise network management solution.A0028BNM Portal:Manage andMonitor theNetworkOther APsEnrollment Portal:Verify AP IdentitySecurity Portal:Authenticate Clients
Features OverviewInstallation and Configuration Guide: Airgo Access Point 5•NM Portal can provide user authentication services for an entire small to mid size network or serve as a backup security server if an external RADIUS authentication service is used.Security Airgo offers a comprehensive security solution that adheres to the following industry standards and draft standards:•Data encryption—WEP, Wi-Fi Protected Access (WPA) with TKIP or AES encryption•User authentication—IEEE 802.1x authentication, including EAP-PEAP or EAP-TLS; WPA-PSK•Key management—Microsoft-IAS, FUNK-RADIUS, Airgo NMS Pro, Airgo integrated security portal, and manual key management capabilitiesThese features are part of a security architecture that provides the wireless network a greater degree of security than most traditional wired networks. The following security features are included with all Airgo AP:•Built-in maximum industry-standard security•Auto-detection of the security capability of clients and APs•Policy-based configuration of security settings•Hardware support for high-performance encryption•Support for installations ranging from the small-office/home-office (SOHO) to multi-site enterprises•Command-line access using SSH (secure shell)•Web-based management interface and policy-based management using HTTPS (SSL)•SNMP management interface through SNMPv3•IEEE 802.11i standards•User-authentication using EAP-TLS, EAP-PEAP, WPA-PSK, WEP•Rogue AP detection•Rogue client detectionVLANsBy decoupling traffic flow and network services from the physical network topology, virtual LANs (VLANs) enable enterprises improve network traffic flow, increase load, and deliver varying levels of service and access to different groups of users. The Airgo AP VLAN feature readily extends an existing wired VLAN structure to the wireless network. It can also be used to implement new network privileges and services; for example, user VLANs are integral to the Airgo guest access feature (see “Guest Access” on page 6).Airgo supports interface-based VLANs and user-based VLANs. Interface VLANs separate traffic according to the Ethernet and radio interfaces on the Airgo AP. Packets destined for a specific interface VLAN are directed to the port with that VLAN assigned. By contrast, user VLANs separate traffic according to user groups. Users can be assigned to the same VLAN even if they are in different physical LANs and at geographically dispersed locations. User VLANs are useful for managing manage enterprise work groups and differentiating among categories of users. The Airgo Access Point supports up to 16 VLANs, including a default VLAN.
1 Overview6 Installation and Configuration Guide: Airgo Access PointQuality of ServiceQuality of Service (QoS) features enable differential treatment of network traffic types to support special applications or extend priority access to designated groups of users. For example, applications as streaming media and voice over Internet suffer serious quality degradation if data transmission is interrupted or bandwidth fluctuates excessively. You can assign a higher quality of service to applications of this type, while still maintaining adequate service for less intensive applications such as print and file sharing. Network utilization is increased with little to no negative effect on user productivity. QoS can also be used to lower the priority for non-critical applications. For example, FTP transfers, which are generally not time critical but can consume significant network bandwidth, can be assigned lower priority than streaming media applications or database transactions.QoS can also be assigned on a user group basis. For example, network administrators can be assigned a higher quality of service than other employees, thereby enhancing their ability to manage and troubleshoot a heavily loaded network. Airgo implements quality of service features using classes of service (COS). Eight COS levels are available for assignment according to user or application based rules. The COS approach does not guarantee bandwidth, but it does give “best effort” priority according to the assigned level. A flexible approach to service quality, it scales easily and accommodates a variety of mapping rules. MAC layer mappings for COS levels and COS to IP layer mappings are supported, and priority settings can be assigned for different COS mapping rules.IP RoutingIP routing adds flexibility to AP management and expands the addressing capability of the AP. You can specify static IP addresses outside the local subnet along with routing information to reach the addresses.Multiple SSIDsThe Airgo AP supports multiple SSIDs within each individual AP. Using the multiple SSID feature, users can access separate networks through a single physical infrastructure. For example, if you want to create different levels of resource access for employees and visitors, you can create two SSIDs, one with high security and one with open security. Guest AccessThe Airgo AP supports flexible, secure managing of guest access at corporate locations. By contrast with most other guest access solutions, the Airgo AP supports guest access without requiring any changes to the physical network topology. VLAN tags on the existing access points segregate users into corporate and guest VLANs, and guests are automatically directed to an internal or external web landing page. Guest passwords can be assigned statically or change dynamically according to a pre-set schedule. An open access option is available to provide unauthenticated guests with access to an open subnet.Rogue AP Detection and ClassificationMaintaining a secure wireless network requires ongoing monitoring of potential rogue access points and the ability to classify them as known to the local or neighboring network, or as true rogues. The network management functions of NM Portal include automatic network scanning and display of all the detected APs that potentially qualify as rogues. Using the information included in
Standards and Data RatesInstallation and Configuration Guide: Airgo Access Point 7the display, network administrators can identify and classify the APs that are known. The remaining APs are classified as rogues. By examining the information available for each rogue AP, it is generally possible to pinpoint the location of the rogue and take action to remove it from the network. Standards and Data RatesAirgo supports the wireless networking standards shown in Table 2.The 802.11 standard specifies the following data rates:•802.11b: DSSS (1, 2, 5.5 and 11 Mbps)•802.11a: OFDM (6, 9, 12, 18, 24, 36, 48, 54 Mbps)•802.11g: OFDM (6, 9, 12, 18, 24, 36, 48, 54 Mbps)Airgo also offers enhanced data rates of 72, 96, and 108 Mbps for enhanced performance.Integration With the Existing Wired NetworkAirgo wireless networking solutions are standards-compliant to ensure seamless integration with existing wired network infrastructures. The following integration features are included with all Airgo APs:•10/100 Ethernet connectivity•802.1Q VLAN support•802.1p QOS support•802.3af Power-over-Ethernet supportTable 2: Supported Wireless Networking StandardsStandard Area StatusIEEE 802.11b Wireless LAN Approved StandardIEEE 802.11a Wireless LAN Approved StandardIEEE 802.11g Wireless LAN Approved StandardIEEE 802.11d World Mode Support Approved StandardIEEE 802.11e HCF & eDCF Draft StandardIEEE 802.11f Inter-AP Protocol (IAPP) Draft StandardIEEE 802.11h TPC and DFS additional regulatory domains Approved StandardIEEE 802.11i Wireless Security Approved StandardIETF Standards Security EAP-TLS Draft StandardMicrosoft Standard Security EAP-PEAP Draft StandardIETF SNMP MIBs Numerous RFC MIBs StandardIETF Protocols Bridging, Routing StandardWPA Security Standard StandardWi-Fi Alliance Wireless Interoperability Certification
1 Overview8 Installation and Configuration Guide: Airgo Access Point•Layer 2 and Layer 3 QoS support•DHCP server and client support•NTP for time-synchronizationManagement Interface OptionsManagement support for the Airgo AP is available through four different interfaces:Interface DescriptionWeb Browser Interface This is the primary user interface for basic and advanced AP configuration support for a single AP. This guide presents all configuration tasks using the web browser interface.NM Explorer A built-in NM Portal web interface is available to manage multiple APs. For details on using NM Portal, see Chapter 9, “Managing the Network.”Command Line Interface (CLI) The command line interface (CLI) for the Airgo AP is accessible through a local 9-pin serial console port or over SSH. For more information on using the CLI to configure the AP, see Appendix A, “Using the Command Line Interface.”NMS Pro The NMS Pro user interface provides access to AP configuration functions and is designed to manage very large numbers of access points and networks. For more information, see the NMS Pro Installation and User Guide.
Installation and Configuration Guide: Airgo Access Point 92Planning Your InstallationThis chapter provides guidelines on planning a wireless network. It includes example network configurations and explains how to plan for coverage, capacity, security, and network management. The chapter includes the following topics:•Introduction•Assessing Coverage and Capacity Requirements•Assessing Security Needs and Architecture•Planning Network FeaturesIntroductionCareful planning of a new wireless network can greatly enhance your ability to install, maintain, manage, and expand the network. There are several dimensions to installation planning:•Coverage and capacity requirements—Identify the numbers and types of access points to install and determine optimal placement.•Security needs—Choose a security architecture and features.•Network management—Choose a method to manage the network and monitor its health.•Network features—Determine VLAN assignment, user groups, services, and privileges.If planned properly, a wireless network can be easily expanded and adjusted to changing conditions and requirements while preserving effective security and enabling network-wide management support. Example Wireless Network InstallationFigure 3 shows the elements of a typical Airgo wireless network. Airgo Access Points provide wireless connectivity to client stations (laptop or desktop computers) and connect in turn to the existing wired network infrastructure and beyond to the Internet. Network size and complexity may also dictate the need for an external RADIUS server for user authentication, as well as installation of Airgo NMS Pro for enterprise network management.
2 Planning Your Installation10 Installation and Configuration Guide: Airgo Access PointFigure 3: Typical Wireless NetworkAssessing Coverage and Capacity Requirements Airgo wireless technology significantly increases wireless coverage or capacity by comparison with other wireless LAN products. This wireless advantage allows an access point to service a large area or provide higher data rates, depending upon the conditions at your location. Figure 4 illustrates the contrast between typical wireless coverage and Airgo wireless coverage. Each Airgo AP can service a wider area or provide higher data rates than alternative solutions. Precise coverage and capacity vary considerably depending on factors such as the specific 802.11 protocol being used, antenna placement and location, building construction materials, and local obstructions.Enterprise BoundryNMSProRADIUS10/100 EthernetCorporateNetworkInternetLAN Switch/RouterWAN Routerwith FirewallNetwork Operations CenterAP with2 Radios AP with1 RadioAP with1 Radio802.11a802.11g/b802.11a(or 802.11g/b)802.11g/b(or 802.11a)A0008C
Assessing Security Needs and ArchitectureInstallation and Configuration Guide: Airgo Access Point 11Figure 4: Airgo AP Coverage Compared with Other Access PointsSite SurveysSite surveys are used to measure the wireless characteristics of the physical environment and thereby determine cost-efficient placement of equipment in the network. They are important because the physical attributes of a location may have a significant impact on realized coverage and data rates. The site survey involves a detailed assessment of the radio signal environment of the site based on experiments and testing. After the wireless network equipment is installed, radio signals are sent between the AP and a mobile client (laptop) to effectively tune the placement of APs. A professional site survey is highly recommended for large installations, but can be an expensive and time-consuming process, especially for installations with a variety of buildings and building materials, radio signal conditions, and restrictions on equipment placement. Thanks to the dramatic improvements in capacity and coverage provided by Airgo APs, many small to mid-size companies can forgo the traditional site survey process and rely instead on general guidelines. Assessing Security Needs and ArchitectureThe latest security innovations and standards make it possible to provide complete and effective security for wireless networks. The specifics of an optimal security solution will vary according to the type and size of organization. For each environment, Airgo offers a selection of features to satisfy all your security needs.Three aspects of security require planning and decisions:•Enrollment—Specifying the Airgo AP or NMS Pro server used to verify which access points are authorized to be part of the wireless network.108 Mbps54 MbpsAccess PointLocationTypicalWireless CoverageLegacyCoverageCoverageDataRateLegacyWirelessCoverageA0020A
2 Planning Your Installation12 Installation and Configuration Guide: Airgo Access Point•Data encryption—Specifying the method of security for wireless data communications between client stations and the AP.•Authentication—Specifying the method to verify the identity of users who want to access the wireless network, and assign access restrictions and services to them.EnrollmentEnrollment is the process of verifying the identity of APs and confirming that they are authorized to be a legitimate part of the wireless network. It is recommended to designate a single enrollment server for the entire network. For small and mid-size networks, this should be an AP configured as an NM Portal (see “Selecting a Network Management Method” on page 12). For large offices and campuses, it is recommended to use the enrollment module within NMS Pro as the enrollment server. The process of enrollment is discussed in “Enrolling APs” on page 165.Data EncryptionData encryption is the process whereby data packets are encoded to prevent intruders from deciphering the content. The first wave of IEEE 802.11 products introduced encryption based on the Wired Equivalent Privacy (WEP) standard. The WEP algorithm uses keys configured on the AP and in the user client software to encrypt wireless data. Unfortunately, WEP is vulnerable to compromise and difficult to manage and configure. Temporal Key Integrity Protocol (TKIP) is the secure successor to WEP.The current state of the art for data encryption is the Advanced Encryption Standard (AES), adopted by the Wi-Fi Alliance as part of the IEEE 802.11i working group efforts and grouped under the heading Wi-Fi Protected Access (WPA). The new IEEE 802.11i standard provides financial-grade security with extremely strong AES over-the-air encryption. The keys used for every user session are unique and are established automatically using the IEEE 802.1x protocol. Unless your wireless network must support WEP encryption, using WPA with AES for data encryption, regardless of your network size or complexity, is recommended.User AuthenticationUser authentication is the process of verifying user identity and assigning access rights based on predetermined rules. For small to mid-size networks, the internal RADIUS server within the Airgo AP security portal provides authentication services across the network. A second AP can also be configured as a backup security portal.For large office and campus installations, one or more external RADIUS authentication servers may already be in place to provide authentication services for the wired network based on the IEEE 802.1x RADIUS standard. It is a straightforward exercise to extend that infrastructure to the wireless network, thereby creating an integrated user authentication process for the entire enterprise network. The security portal feature of the Airgo AP plays a special role in wireless backhaul authentication. For more information, see Chapter 6, “Configuring a Wireless Backhaul.”Selecting a Network Management MethodAs with user authentication, appropriate network management solutions depend upon the size and complexity of the network, and Airgo products and features are available to support the full range of possibilities.
Assessing Security Needs and ArchitectureInstallation and Configuration Guide: Airgo Access Point 13For small and mid-sized networks, it is recommended to configure one of the APs on the network as a portal AP to provide NM Portal, security portal, and enrollment services. It is also recommended to designate another AP as a backup for the security portal.For large offices and campuses, enterprise-wide control and advanced network management features become essential to reliable network operations. For these networks, it is recommended to use the Airgo NMS Pro network management application, which provides a comprehensive network management solution. Install the NMS Pro server on any suitably configured network computer, and permit network administrators to obtain access from any designated client station. For more information, see the Airgo NMS Pro Installation and Configuration Guide.NMS Pro can be installed as a stand-alone network management solution, or it can be used in conjunction with NM Portal APs to create an efficient distribution system for network management data and policies across multiple locations. For enterprises with multiple locations, an AP in each location can be assigned as the NM Portal. The NM Portal serves an auxiliary function, executing commands for AP management updates and distributing them to all the APs at the remote location or collecting data from all the APs at the location and sending the data back to NMS Pro. This model can significantly reduce the time and network load associated with performing network management functions such as policy distribution and software updates.
2 Planning Your Installation14 Installation and Configuration Guide: Airgo Access PointPlanning Network FeaturesThe Airgo AP offers an extensive set of configuration parameters and network service features. Automated and default options are available for most of these, making it necessary to configure only a few of the AP parameters to set up a basic network. As needs change, additional features can be configured to support new network services. Network feature planning involves the following decisions:Feature Planning IssuesPhysical Network Estimate how many APs are expected initially and with growth. Determine whether wireless backhaul will be required.Network Management Determine the network management structure. •A network management solution such as NM Portal or NMS Pro is strongly recommended for all multiple AP installations.•NM Portal is recommended for small to mid-size networks.•NMS Pro is recommended for large enterprise networks. NMS Pro can be used in conjunction with NM Portal for an efficient, hierarchical network management solution.•If wireless backhaul is selected, then network management must include NM Portal.Authentication Determine how to verify the identity of users requesting access to the network. An authentication scheme is required for all except Open access.• Pre-shared key (PSK) authentication uses matching keys assigned prior to the authentication session and stored on the AP and in the client. With PSK, no external authentication server is required. This approach is useful for small to mid-size networks in which keys can be easily configured and modified, as needed.• RADIUS user authentication relies upon individual login and password. This approach is preferred for medium-large and enterprise networks that must accommodate large, changing user populations. RADIUS is the most common protocol used in authentication servers.The Airgo AP can take advantage of the authentication services provided by an external third party RADIUS server, or the internal RADIUS security portal on the Airgo AP can be used. In conjunction with an external RADIUS server, the security portal provides wireless backhaul authentication services and can serve as a back-up authentication server if the external RADIUS server is not available.An authentication zone is a group of one or more RADIUS servers providing user authentication services within an SSID. If multiple SSIDs are configured, then you can create an authentication zone for each. The chosen authentication method influences how services can be configured in the network. Security Modes Choose WPA, WEP, or open security modes.•WPA is recommended, unless WEP is required for communication with legacy systems. •WPA security is compatible with WEP and with open security. WEP is not compatible with open security. •Guest access requires the open security mode.•The preferred encryption method is AES, unless TKIP or WEP are required for compatibility with legacy systems.
Planning Network FeaturesInstallation and Configuration Guide: Airgo Access Point 15VLAN VLANs permit the network to be segmented according to functional needs without the restrictions of the physical topology. •If your enterprise uses multiple VLANS, they can be supported in the wireless network.•Multiple VLANs are required for guest access.SSID Decide whether one or multiple SSIDs will be supported. •Multiple SSIDs are desirable for applications such as wireless Internet service (WISP), in which a single physical access point supports multiple user populations in distinct networks. •Multiple SSIDs permit support of multiple service levels in networks that rely on PSK rather than user-based authentication. Services are bound to the SSID rather than to specific user groups.Quality of Service Quality of Service (QoS) allows you to set priorities for user traffic, thereby increasing the likelihood that critical data will obtain the needed priority. QoS is implemented by way of class of service (COS) mappings. Accept the default mappings or define custom mappings to create special high or low priority classes of service.•Default and custom mappings are compatible with other feature selections.Service Profile Service profiles specify the services available for an SSID or for designated user groups within an SSID. Accept the default service profile or create custom service profiles to provide varying levels of service. The service profile includes VLAN assignment, COS, and minimum security.Once created, a service profile can be bound to an SSID with or without a specified user group. •If a user group is included in the binding of a service profile to an SSID, then members of the user group are automatically assigned that profile when authenticated. •If no user groups are specified, then all users who access the SSID are assigned the same profile.Guest Access Guest access refers to special treatment of users who are not authorized to access the main corporate network. The guest access feature allows non-authorized users to gain network access in a controlled way. Decide whether the network will support guest users and if so, how guest access will be managed.•Guest access requires open access security, and is not compatible with WEP.•Guest users can be authenticated by way of an internal or external web landing page, or can be given open access to a restricted portion of the corporate network.Feature Planning Issues
2 Planning Your Installation16 Installation and Configuration Guide: Airgo Access PointExample Deployment ScenariosThis section describes the feature decisions for an example company as a function of network size, management structure, and network services.Example 1: Small office, single AP, possible future growthAcme Works begins as a small company with 20 users. The office is at a single location served by one access point connected to the wired backbone. The elements of the network are shown in Figure 5.Figure 5: Example 1 NetworkOne AP is able to meet current coverage and capacity needs. The AP is configured as an NM Portal to assure that the appropriate network management structure will be in place in the event that the business expands and additional APs are required. Since the user base is small, there is no need for a RADIUS authentication infrastructure. The security mode is WPA with pre-shared keys (PSK) and AES encryption. A single SSID is in place, and the default VLAN, QoS, and service profiles are used.Figure 6: Example 1 Feature DecisionsA0037CAP (NM Portal Mode)A0036APhysical Network One AP Multiple APs Wireless BackhaulNetwork Management NM PortalDefault VLANSingle SSID (default)Default COS Mappings Custom COS MappingsDefault Service Profile Custom Service ProfilesDisabled (default) EnabledMultiple SSIDsMultiple VLANsNMS PROUser Authentication Built-In Security Portal External RADIUS ServerSecurity Modes WPA (default) Open WEPVLANSSIDQuality of Service (Class of Service - COS)Service ProfileGuest Access
Example Deployment ScenariosInstallation and Configuration Guide: Airgo Access Point 17The following table lists the tasks required for configuration and provides pointers to the detailed instructions in this guide.Table 3: Example 1 Configuration Tasks Task ProcessBring up the first (or only) Airgo AP 1Make sure a DHCP server is available on the network, and create a DHCP reservation for the MAC address of this AP.2Have the information sheet shipped with the AP available.3Bootstrap the AP as an NM Portal. Defaults are acceptable for most settings. 4Choose an SSID (wireless network name).5Choose an administrative password and WPA pre-shared key.6Configure clients with compatible WPA security using the same pre-shared key.References: “Initializing a Normal AP” on page 33, “Initializing the Portal AP” on page 36Confirm that the network is up •Open the IP Topology panel in NM Portal to confirm that the AP is listed as discovered.•Open the Station Management panel at any time to view a list of client stations associated to the AP.References: “Viewing IP Topology” on page 169 and “Managing Client Stations” on page 86.
2 Planning Your Installation18 Installation and Configuration Guide: Airgo Access PointExample 2: Small to mid-size business with wireless backhaulAcme Works has now grown to 70 users. The site is the same as in Example 1; however Acme wants to provide coverage to a temporary building that has no wired connection. An additional AP is added to provide user access via a wireless backhaul (Figure 7). Figure 7: Example 2 NetworkFigure 8 summarizes the feature decisions for this example. The security portal capability within NM Portal provides authentication for the backhaul AP. The security mode is WPA with pre-shared keys (PSK). A single SSID is in place, and the default VLAN, QoS, and service profiles are used. Figure 8: Example 2 Feature DecisionsA0042ESSID="Corp" SSID="Corp"10/100 Switched EthernetA0036B Physical Network One AP Multiple APs Wireless BackhaulNetwork Management NM PortalDefault VLANSingle SSID (default)Default COS Mappings Custom COS MappingsDefault Service Profile Custom Service ProfilesDisabled (default) EnabledMultiple SSIDsMultiple VLANsNMS PROUser Authentication Built-In Security Portal External RADIUS ServerSecurity Modes WPA (default) Open WEPVLANSSIDService ProfileGuest AccessQuality of Service (Class of Service - COS)
Example Deployment ScenariosInstallation and Configuration Guide: Airgo Access Point 19Example 3: Mid-size business, multiple SSIDs, multiple VLANsNow a successful business, the management at Acme Works wants to position the company for continued growth. The company decides to deploy an external RADIUS server to manage user authentication centrally for the entire company. The RADIUS authentication infrastructure works well for a changing user population (employees joining, leaving, or moving to new departments) and readily supports further network service enhancements. The company creates two SSIDs as a way to separate the Finance department network traffic from the main corporate network traffic. Two RADIUS servers are configured, each in its own authentication zone. To separate Finance department traffic from the overall network traffic, a Finance VLAN is created. A Finance service profile is also created and bound to the Finance SSID. The service profile is configured to include the Finance VLAN, high security and higher-than-normal COS. Once this structure is in place and a member of the Finance group is authenticated by way of the RADIUS server, the Finance group tag is passed to the Airgo AP, and the Finance service profile is applied to the user.The network configuration for this example is shown in Figure 9, and the feature decisions are shown in Figure 10.Figure 9: Example 3 NetworkRADIUSServerA0044BCorporateVLANCorporateVLANVLAN SwitchFinanceVLANFinanceVLANCorporate Finance
2 Planning Your Installation20 Installation and Configuration Guide: Airgo Access PointFigure 10: Example 3 Feature DecisionsThe following table lists the tasks required to link to an external RADIUS server and add multiple VLANs, and provides pointers to the detailed instructions in this guide.Table 4: Example 3 Configuration TasksTask ExplanationAdd authentication servers and zones 1Identify the RADIUS server for each authentication zone.2Select the authentication option for the SSID, with reference to the defined authentication zone.References: “Configuring SSID Parameters” on page 78 and “Configuring Authentication Zones” on page 143Set up VLANs 1Choose the VLAN structure for the network.2Configure the VLANs.Reference: “Configuring VLANs” on page 105.Add VLANs to the service profiles 1Define or modify service profiles to include VLAN selection.2Bind each profile to an SSID with an existing or new user group.Reference: “Profile Table” on page 84 and “SSID Details” on page 82.A0036APhysical Network One AP Multiple APs Wireless BackhaulNetwork Management NM PortalDefault VLANSingle SSID (default)Default COS Mappings Custom COS MappingsDefault Service Profile Custom Service ProfilesDisabled (default) EnabledMultiple SSIDsMultiple VLANsNMS PROUser Authentication Built-In Security Portal External RADIUS ServerSecurity Modes WPA (default) Open WEPVLANSSIDService ProfileGuest AccessQuality of Service (Class of Service - COS)
Example Deployment ScenariosInstallation and Configuration Guide: Airgo Access Point 21Example 4: Large business, guest access, extended network servicesAcme Works is now a widely known and successful enterprise. With an ever increasing number of visitors requiring network access, the network administrator decides to implement a corporate guest access solution. A guest VLAN and service profile are created and bound to the Corporate SSID, and a guest password is created. Guests can now visit Acme Works, log in using the guest password through a web browser, and obtain access to the resources available on the guest VLAN.As additional needs arise, the network administrator can easily add new VLANs and service profiles, and change the available levels of service. New VLANs are created to segregate traffic for the Manufacturing and Engineering departments, and new service profiles are created to accommodate members of those departments. Special classes of service are assigned for applications sensitive to interruption or bandwidth fluctuation, such as voice over IP, and low priority, bandwidth-intensive applications such as FTP transfers.The network configuration for this example is shown in Figure 11, and the feature decisions are shown in Figure 12.Figure 11: Example 4 NetworkRADIUSServerA0045DCorpVLANCorp-VLANVLAN SwitchGuestVLANGuest-VLANCorp Guest AccessGuestIDPassword
2 Planning Your Installation22 Installation and Configuration Guide: Airgo Access PointFigure 12: Example 4 Feature DecisionsThe following table lists the tasks required to configure guest access and provides pointers to the detailed instructions in this guide.Table 5: Example 4 Configuration Tasks Task ExplanationSet up guest VLANs •Configure a VLAN for guest access.Reference: “Configuring VLANs” on page 105.Create guest service profile •Add a guest service profile with the guest VLAN and desired COS and open security.Reference: “Profile Table” on page 84 and “SSID Details” on page 82.Configure landing page 1Choose an internal or external landing page.2Assign guest password.Reference: “Configuring Guest Access” on page 156A0036APhysical Network One AP Multiple APs Wireless BackhaulNetwork Management NM PortalDefault VLANSingle SSID (default)Default COS Mappings Custom COS MappingsDefault Service Profile Custom Service ProfilesDisabled (default) EnabledMultiple SSIDsMultiple VLANsNMS PROUser Authentication Built-In Security Portal External RADIUS ServerSecurity Modes WPA (default) Open WEPVLANSSIDService ProfileGuest AccessQuality of Service (Class of Service - COS)
Example Deployment ScenariosInstallation and Configuration Guide: Airgo Access Point 23Example 5: Large Campus with Branch OfficesWith continued growth, the original Acme Works building is now surrounded by multiple buildings within a large campus setting. The company also has two branch offices in neighboring communities. The decision is made to implement NMS Pro for enterprise-class network management. This solution will provide network administrators with extensive control and oversight, centralized monitoring, and fault management. The campus buildings and branch offices lend themselves to a hierarchical management structure in which an NM Portal AP is configured in each building. Each NM Portal AP handles policy distribution and software upgrades at its location as directed by NMS Pro. The NM Portal AP also serves as a backup security portal in the event that another RADIUS authentication server in its zone becomes unavailable. The network configuration for this example is shown in Figure 13, and the feature decisions are shown in Figure 14.Figure 13: Example 5 NetworkA0046CNMS ProServerNM Portal APEnterpriseNetworkRADIUSServerNM Portal APLocation A Location B
2 Planning Your Installation24 Installation and Configuration Guide: Airgo Access PointFigure 14: Example 5 Feature DecisionsThe following table summarizes the tasks required to provide network management for the campus installation:Table 6: Example 5 Configuration Tasks Task ExplanationInstall NMS Pro Reference: NMS Pro Installation and Configuration GuideEnroll APs •Use the NM Portal in the local building or the campus NMS Pro system to enroll additional APs.Reference: “Enrolling APs” on page 165 or the NMS Pro Installation and Configuration GuideCreate and distribute policies •Use NMS Pro to create configuration policies and distribute them to APs across the network.Reference: NMS Pro Installation and Configuration GuideA0036APhysical Network One AP Multiple APs Wireless BackhaulNetwork Management NM PortalDefault VLANSingle SSID (default)Default COS Mappings Custom COS MappingsDefault Service Profile Custom Service ProfilesDisabled (default) EnabledMultiple SSIDsMultiple VLANsNMS PROUser Authentication Built-In Security Portal External RADIUS ServerSecurity Modes WPA (default) Open WEPVLANSSIDService ProfileGuest AccessQuality of Service (Class of Service - COS)
Installation and Configuration Guide: Airgo Access Point 253Installing the Access PointUsing the Configuration InterfacesThis chapter explains how to install and quickly configure the Airgo Access Point and provides instructions for accessing the web and command line interfaces. The chapter includes the following topics:•Hardware Components•System Requirements•Installation Requirements•Installing the Access Point•Using the Configuration Interfaces•Using AP Quick Start to Initialize the Access Point•Navigating the Web Interface•Configuration WizardsHardware ComponentsThe Airgo Access Point shipping package contains the following items:•Airgo Access Point•Power supply and separate AC cord•Software and documentationSystem RequirementsThe following are required to connect to the Airgo Access Point:•For web browser or network management portal access, a computer with a web browser capable of secure HTTP connections (HTTPS)•For SSH connection, a computer with an SSH utility (the PuTTY application meets this requirement and is available as freeware)•10/100 Ethernet cable to connect to the APThe computer designated for AP access should be located on the same Local Area Network (LAN), with a compatible IP address and subnet mask, or it must be able to be routed to the AP.To connect directly to the console port in order to access the command line interface, have the following available:•A 9-pin DCE female to female null modem connector to connect the PC to the Access Point•Terminal emulator softwareInstallation RequirementsAirgo Access Points are radio frequency devices and are therefore susceptible to RF interference and obstructions. When selecting locations for AP placement, try to choose places that are free of
3 Using the Configuration Interfaces26 Installation and Configuration Guide: Airgo Access Pointlarge metallic structures such as equipment racks, steel bookcases or filing cabinets, or crowded by computer enclosures.If using an external antenna with the AP (optional), try to place the unit as high as possible, where it is free of obstruction. Install the AP away from sources of RF interference, such as microwave ovens, cordless phones, electric motors, and similar appliances.Power and Cabling RequirementsThe following equipment is required to install the Airgo Access Point:•AC power outlet (100-240V, 50-60Hz standard) to power the AP (a surge-protected power supply is recommended)•RJ-45 port on a standard 10/100BaseT Ethernet device (hub, switch, router, or similar device), if connecting to a wired network•Industry standard Category 5 UTP Ethernet cables•9-pin-to-9-pin DCE serial null modem cable or serial to USB cable, if connecting the consoleNetwork Information RequirementsHave the following information accessible before configuring the AP: •IP address assigned to the AP (fixed IP address or DHCP-reserved address) •IP addresses for the default gateway, DNS Server and NTP Server, if DHCP is not used to provide IP addresses•IP address of the SMTP email server, if the AP is to send alerts to a specified email address•Email address of the administrator who will receive the alertsInstalling the Access PointFollow these steps to install the Airgo Access Point:1Connect the Ethernet cable to the RJ-45 Ethernet connector on the AP (see Figure 15).2Plug the other end of the Ethernet cable into an available Ethernet port on your wired network.3(Optional) If an external antenna is to be used, attach it to the AP. Place or mount the antenna in an unobstructed location.4Plug the AC power cable into the power module.5Plug the other end of the AC power cable into an approved three-prong grounded outlet (surge-protected and/or UPS is recommended).6Connect the power module connector to the power connector on the AP.The Airgo Access Point powers up automatically.
Installing the Access PointInstallation and Configuration Guide: Airgo Access Point 27Figure 15: Airgo AP ConnectionsUsing Power Over EthernetPower-over-Ethernet, based on the 802.3af standard, can be used to supply power to the Airgo AP. If both DC power and power-over-Ethernet are used at the same time, then failover takes place automatically in the event that one of the power sources is lost. For failover, the following rules apply:•The AP uses the power source with the highest voltage.•Unplugging either cable causes power to switch automatically to the other source. Placement and OrientationMake sure that the Airgo AP is positioned in an upright position for airflow and antenna placement (Figure 16).100/10BaseTEthernet portDefaultResetA0003BConsole portDC power
3 Using the Configuration Interfaces28 Installation and Configuration Guide: Airgo Access PointFigure 16: Airgo AP PlacementVerifying the InstallationTo verify the Airgo Access Point is operational, examine the front of the AP.•Is the status LED red or green? If not, check the power connections and whether or not the AC outlet has power.•(For wired-AP installations) Is the Ethernet connection LED on? If not, check the Ethernet cable to make sure it is seated securely in both the AP and the network port.Interpreting the LEDsRefer to Figure 17 and Table 7 for LED definition.Figure 17: Airgo AP LEDsResetDefaultLEDsConsole port100/100BaseT Ethernet portPower connectorA0002BA0004A
Installing the Access PointInstallation and Configuration Guide: Airgo Access Point 29Connecting the Serial PortFollow these steps to connect a terminal to the serial port for command line interface access:1Attach a serial null modem cable to the AP (see Figure 15). 2Attach the other end of the cable to the serial port of your computer.3Use a terminal emulation tool such as HyperTerminal. Configure the terminal as follows:• 115,200 BAUD• 8-bits• No parity• 1 stop bit• No flow controlA command prompt should now be available to access the command line interface.Resetting the Access PointReset the AP in any of the following ways. If the AP has a buzzer installed, the AP beeps once when reset. If the AP has a buzzer installed and is reset to factory defaults, then the AP beeps twice when booted.Table 7: LED DefinitionsLED DescriptionWLAN1 Blinks green for activity.AP STAT There are two AP status LEDs that indicate the AP status. When the AP is reset or powered on, the bottom LED turns red and then the top LED blinks green. Once the AP successfully boots up, the top LED turns green and stays green.When the AP is reset to defaults, the LEDs light up in the same sequence as described above. If the AP has a buzzer installed, two short beeps indicate that the AP is being reset to defaults.ETH ACT Blinks green for activity.100/10 Indicates Ethernet Link. Two LEDs. Only one of them will be lit up at a time.•Top LED: 100BT Link – Lights up Green when 100 Mbit link is established. Off means no link on 100 Mbit.•Bottom LED: 10BT Link – Lights up Yellow when 10 Mbit link is established. Off means no link on 10 Mbit.WLAN0 Blinks green for activity.Method DescriptionWeb browser interface Use the Configuration Management panel under System Configuration. See “Reset Configuration” on page 217.Reset button Press the reset button on the side of the AP.Power down Power down the AP by disconnecting the power cable (not recommended).
3 Using the Configuration Interfaces30 Installation and Configuration Guide: Airgo Access PointReset the configuration of the AP to the factory default in any of the following ways:Using the Configuration InterfacesFour different secure interfaces are available for administering the Airgo Access Point:•Web browser (https)•Command line interface (SSH or console)•SNMP (SNMPv3)•Policy management (https, XML-based)This section explains how to access each of these interfaces. The configuration procedures in this guide are all presented using the web browser interface. For additional information on the CLI, see the CLI Reference Manual. Using the Web Browser InterfaceThe Airgo AP web browser interface is the easiest way to configure an AP or check the current settings. It includes the QuickStart facility to get the AP running as quickly as possible and full set of AP features. NM Portal can also be launched from the web interface.Method DescriptionWeb browser interface Use the Configuration Management panel under System Configuration. See “Reset Configuration” on page 217. CLI Use the command sequence config system > reset-to-defaults factory-defaultsReset buttons on the AP This is useful if the administrative password is lost; however, before performing the reset, make sure to have the original factory-assigned AP password available. Follow these steps:1Make sure the AP is connected to power (power adaptor or Power-over-Ethernet).2On the side of the AP, hold down both the Reset and the Default buttons. The button closest to the antenna is the Reset button. The button below it is the Default button.3Release only the Reset button and continue to hold down the Default button. After 10 seconds, the Status LED blinks from Red to Green twice. If the AP has a buzzer, a beep indicates that the restore operation has started. 4Now release the Default button. The AP continues to reboot.The Status LED turns Green when the reboot is successful and the AP is operational. During this process, all passwords and configurations are reset to factory defaults. If the AP was previously enrolled in a network, it must be re-enrolled. The new administrator password is now the original AP unique password that was set at the factory.NOTE: In the web interface, a red asterisk (*) next to a field name indicates that the field is required. Error messages are presented in text near the top of the panel.
Using AP Quick Start to Initialize the Access PointInstallation and Configuration Guide: Airgo Access Point 31To connect to the AP using the web browser interface requires an IP connection to the AP network and a computer with a browser capable of Secure Sockets Layer (SSL) connections. Follow these steps:1Launch the web browser. aIf your network has a DHCP server, enter the DHCP-assigned address of the AP in the address bar. bIf your network does not use a DHCP server, assign the static address 192.168.1.1/24 to your computer, and then enter https://192.168.1.254 in the browser address bar.2Depending on the browser security settings, a security alert may open with a prompt on whether to accept the Airgo security certificate. Click Yes to accept the certificate and to open the login panel.3In the login panel, enter or confirm the administrative user name, enter the password, select a language, and click OK to open the web interface. The factory default for administrator access is user name: admin. If the AP has not been initialized, the user name field is grayed out. The factory default password is shipped with the AP on a paper insert. Use the password from the insert to log in.4The system response at this point depends upon whether the AP has already been initialized. aIf the AP has been initialized, the Home feature panel opens. See “The Home Panel” on page 37.bIf the AP has not been initialized, the QuickStart Welcome panel opens. Use the QuickStart panels, described in the next section, to quickly configure the AP.Using AP Quick Start to Initialize the Access PointWhen accessing the web interface for the first time or after resetting the AP to factory defaults, the Welcome panel of the AP Quick Start Wizard opens (Figure 18). From this panel, initialize the AP in either of two roles:•Normal Access Point •Portal Access Point (NM Portal)NOTE: Each AP has DHCP enabled by default. If you are installing the AP on a network that already has a DHCP server, enter the DHCP-assigned address of the AP to access the web interface.
3 Using the Configuration Interfaces32 Installation and Configuration Guide: Airgo Access PointFigure 18: AP Quick Start Welcome PanelBoth roles allow the AP to function as an IEEE 802.11 wireless network node. As a portal AP, the following additional functions are available: •Configuration of the Airgo wireless network using secure AP enrollment and policy-based configuration of APs•Authentication of wireless users via built-in RADIUS server and certificate based identity management system •Monitoring of Airgo network for faults, configuration alerts, performance and security (FCAPS) •Upgrade of the Airgo AP network with new software images
Using AP Quick Start to Initialize the Access PointInstallation and Configuration Guide: Airgo Access Point 33Initializing a Normal AP1Click Bootstrap Normal AP from the Quick Start Welcome panel to open the first initialization panel (Figure 19). Figure 19: QuickStart Configuration ParametersThe following fields are available on this panel; however, none is required to get the AP up and running:NOTE: Click Logout if it is necessary to leave the Quick Start panels. If you log out prior to completing the set-up process, then settings are not saved.Field DescriptionAP Hostname Alphanumeric name for the AP. The factory default for this field is AP followed by the MAC address of the AP’s Ethernet interface (eth0).Enable DHCP Assigned IP Address Checkbox that indicates whether DHCP is used to obtain an IP address. If the box is cleared, the static Management IP Address fields are activated; if the box is selected, the static Management IP Address fields are inactive.IP Address/Maskbits Static IP address and subnet prefix for the AP. Required if the IP address is not obtained automatically. The default is 192.168.1.254/24.
3 Using the Configuration Interfaces34 Installation and Configuration Guide: Airgo Access Point2Click Next to continue to the next panel (Figure 20). Use this panel to configure network identity.Figure 20: QuickStart Network Identity3Configure the following information on this panel:Default Gateway IP address of the gateway to the wired network. Required if the IP address is not obtained automatically to provide complete network access. The default is the existing network gateway.Domain Name Servers IP address of the server supplying DNS service. Required if the IP address is not obtained automatically to provide complete network access. The default is the DNS server for the existing network. Date Current date in MM/DD/YYYY formatTime Current time in HH:MM:SS format (hours 0-23)Time Zone US-zone or GMT option. For US zone, click the radio button and select a time zone. For GMT, click the radio button and select an offset in HH:MM format.Field DescriptionSSID Name Service set identifier for the network, also known as the Wireless Network Name. The default name must be changed. (required)Network Density Indication of how close the APs will be to each other. For closely spaced APs that can support high data rates, select the high density option. For maximum coverage at lower data rates, selection the low density option. The default setting is Low.Field Description
Using AP Quick Start to Initialize the Access PointInstallation and Configuration Guide: Airgo Access Point 354Click Next after making selections.The last two panels (Figure 21) configure each of up to two radios on the AP. After entering settings on the first of the two panels, click Next to open the second panel. Figure 21: QuickStart Radio Parameters5Set the following information:Bootstrap Security Mode WPA-PSK, WEP-64, WEP-128, or Open security option. The option determines the security mode for the AP.WPA-PSK Security Mode Activated if WPA is selected as the security mode. Enter a alphanumeric string at least eight characters in length. (required if security mode is WPA-PSK).WEP Key Activated if WEP is selected as the security mode. Enter a WEP key. A WEP-64 key is 10 hex characters, and a WEP-128 key is 26 hex characters. (required if security mode is WEP)Field DescriptionSelect Radio Interface Specific radio to be configured on the AP (wlan0 or wlan1). These correspond to the WLAN0 and WLAN1 LEDs on the front of the AP.Select Operating Band and Mode 802.11b mode in the 2.4-GHz band, 802.11b or g mode in the 2.4-GHz band, 802.11a mode in the 5-GHz band, or auto selection (Any).Configure Channel Select Auto-Select Channel or Assign Fixed Channel options:•Auto-Select: Select At Start-up to automatically determine the channel when the AP is booted, or Periodic to auto-select the channel at the specified number of minutes.•Assign Fixed Channel: Select a static channel. In both of these cases, the channel set used for auto-scanning can also be restricted.Field Description
3 Using the Configuration Interfaces36 Installation and Configuration Guide: Airgo Access Point6After entering settings for both radios, click Finish to complete the initialization process. (If initializing a portal AP, as described in the next section, the button is labeled Next.)Initializing the Portal APUsing the QuickStart panels to initialize NM Portal is similar to initializing a normal AP. The first four panels, as described in the previous section, are the same as for the normal AP. When configuring the second radio, click Next to set the administration and networking configuration (Figure 22).Figure 22: Portal QuickStart panel7Enter the following information consistent with your corporate standards:8Click Finish to complete the initialization process and bring up the AP Explorer Home panel. The process takes approximately two minutes. When the process is complete, the Home panel opens.NOTE: The defaults for radio configuration have been selected for the best operational radio behavior across a variety of environments. Modifying these parameters alters radio behavior, which may have an impact on network performance or services. For example, selecting an operating band of 5GHz (802.11a) may prevent legacy client adapters from associating to the AP.Field DescriptionAdmin Password Enter and confirm the password used to manage this AP and other enrolled APs. The password must be between 8 and 32 characters and is used for local administrator login and SNMP v3 login. (required)SMTP Server Name or IP Address Address of your SMTP serverAdministrator Email Address Email address of the person to be notified regarding alerts
Navigating the Web InterfaceInstallation and Configuration Guide: Airgo Access Point 37Navigating the Web Interface The Airgo AP web interface is divided into three main areas. The menu tree (Figure 23) provides access to all the panels and features of the web interface. To expand a menu in the menu tree, click the arrow to the left of the menu name. Figure 23: Menu TreeThe lower left alarm panel (Figure 24) lists the number of current alarms.To update the alarm summary, periodically click the browser refresh button.Figure 24: Alarm AreaWhen you select an item from the menu tree, the information is displayed in the Detail panel, which takes up most of the browser window (shown for the Home panel in Figure 25).The Home PanelThe Home panel (Figure 25) opens when you first log in to the web interface, or if Home is selected from the menu tree. The Home screen contains top-level summary information about the AP. To access detailed information, click More for any of the following sections:•AP Summary—Opens the Bootstrap Configuration panel under the AP Quick Start menu (see “Quick Start Panels” on page 39).•Version Summary—Opens a detailed list of model and serial numbers and hardware and software versions (see “Version Table” on page 44).•Wireless Summary links—Opens panels to configure SSID, client stations, radios, and encryption.•Management Summary—Shows current network management address settings.
3 Using the Configuration Interfaces38 Installation and Configuration Guide: Airgo Access PointFigure 25: Home Panel
Navigating the Web InterfaceInstallation and Configuration Guide: Airgo Access Point 39Quick Start PanelsUse the AP Quick Start menu items to open the Bootstrap Configuration and Version panels. Each of the tabs in the Bootstrap Configuration panel corresponds to one of the screens used to initialize an AP in AP Quick Start.IP Config TabThe IP Config tab opens when you choose Bootstrap Configuration is selected from the AP Quick Start menu (Figure 26). Use this tab to configure addresses for the bootstrap configuration.Figure 26: AP Quick Start - Bootstrap Configuration - IP ConfigThis tab contains the following settings:Field DescriptionDHCP Assigned IP Address Indicate whether to use DHCP to obtain an IP address for the AP. If the box is cleared, the other Management IP Configuration fields are activated; if the box is selected, the other Management IP Configuration fields are inactive.APs.
3 Using the Configuration Interfaces40 Installation and Configuration Guide: Airgo Access PointClick Apply to save changes in each section on the screen or Reset to return to previously saved values.Radio Config TabUse the Radio Config tab (Figure 27) to configure bootstrap parameters for the two AP radios. DNS IP Address Enter the IP address of the server or servers supplying DNS service. This is required if the IP address is not obtained automatically. The default is the DNS server for the existing network. Multiple DNS server addresses may be specified, space-separated. The AP will use the addresses in the order specified. Manually configured DNS addresses always take precedence over the DNS addresses returned by a DHCP server. If the DNS IP Address field is empty, then all manually configured DNS server addresses will be removed.If you delete DNS servers, only those added manually are deleted. DHCP-assigned DNS servers continue to be available.Management IP Address/Maskbits Enter the IP address and subnet prefix for this AP. This is required if the IP address is not obtained automatically. The default is 192.168.1.254/24.Gateway IP Address Enter the IP address of the gateway to the wired network. This is required if the IP address is not obtained automatically. The default is the existing network gateway.Host Name Enter an alphanumeric name for the AP. The factory default for this field is AP followed by the MAC address of the AP’s Ethernet interface (eth0).AP Location Enter the physical location of the AP as a text string.Administrator Contact Enter contact information for the person responsible for managing this AP (phone or email address).Field Description
Navigating the Web InterfaceInstallation and Configuration Guide: Airgo Access Point 41Figure 27: AP Quick Start - Bootstrap Configuration - Radio ConfigThis tab contains the following settings:Field DescriptionRadio Admin State Select each AP radio (wlan0 or wlan1) to enable or disable.Network Connectivity Indicate whether the radio will be used in a normal AP connected to the wired network (Wired-Only), for wireless backhaul (Wireless-Only), or may be used for either (Any). If Any is specified, the system will automatically choose one.Network Density Indicate the relative concentration of APs in the network. For closely spaced APs that can support high data rates, select the high density option. For maximum coverage at lower data rates, selection the low density option. The default setting is Low.Multi Domain Support Enable or disable 802.11d operation. If Enable is selected, the radio advertises country, channel and associated maximum transmit power information in beacons and probes responses to stations or clients in the BSS. The default setting is enabled.World Mode - Country Code Select Default to set the channel and power for the radio to the factory default country setting (U.S.). Alternatively, enter a country code.World Mode - Deployment EnvironmentSpecify the type of environment in which the AP is installed (indoor, outdoor, or both). The Environment setting determines the maximum transmit power and allowed channels of operation.
3 Using the Configuration Interfaces42 Installation and Configuration Guide: Airgo Access PointFor further information regarding these settings, see Chapter 4, “Configuring Radio Settings.”Clock Config TabUse the Clock Config tab (Figure 28) to set time parameters for the bootstrap configuration. Figure 28: AP Quick Start - Bootstrap Configuration - Clock ConfigThis tab contains the following settings:Configure Channel Select Auto-Select Channel or Assign Fixed Channel options:•Auto-Select: Select At Start-up to automatically determine the channel when the AP is booted, or Periodic to auto-select the channel at the specified number of minutes. The default is Periodic and 30 minutes.•Assign Fixed Channel: Select a static channel. In both of these cases, the channel set used for auto-scanning can also be restricted.Field DescriptionDate Current date in MM/DD/YYYY formatTime Current time in HH:MM:SS format (hours 0-23)Time Zone US-zone or GMT option. For US zone, click the radio button and select a time zone. For GMT, click the radio button and select an offset in HH:MM format.Field Description
Navigating the Web InterfaceInstallation and Configuration Guide: Airgo Access Point 43Portal Config TabUse the Portal Config tab (Figure 29) to enable portal services on this AP. See “Portal Architecture” on page 4 for a description of the portal services. Figure 29: AP Quick Start - Bootstrap Configuration - Portal ConfigAdmin Email TabIf the AP is configured as a portal AP, use the Admin Email tab (Figure 30) to specify how to alert the network administrator regarding critical faults or security breaches. Configure the following fields:Synchronize Clock Indicate whether time will be synchronized manually through the date and time fields, or by way of an NTP server. If you select the server option, enter the IP address of the server in the space provided. If an NTP is currently assigned, the address of the server is displayed, as shown in Figure 28.Multiple NTP servers may be specified (space separated). If more than one server is specified, they are contacted in the order given. If the Synchronize Clock is empty, then all manually configured NTP servers will be deleted.If the AP is configured to receive an IP address via DHCP, then the DHCP server could also return the set of NTP servers. In such a scenario the manually configured NTP servers take precedence over the DHCP returned NTP servers.If you delete NTP servers, only those added manually are deleted. DHCP-assigned NTP servers continue to be available.Field DescriptionSMTP Server Address Enter the IP address of the SMTP server used to reach the network administrator.Admin E-mail Address Enter the email address of the network administrator.Field Description
3 Using the Configuration Interfaces44 Installation and Configuration Guide: Airgo Access PointFigure 30: AP Quick Start - Bootstrap Configuration - Admin EmailVersion TableThe Version Table panel (Figure 25) lists model number, serial number, and hardware and software version information.Figure 31: AP Quick Start - Version Tablerjones@acmeworks.com
Configuration WizardsInstallation and Configuration Guide: Airgo Access Point 45Other PanelsThe other panels accessible from the menu tree contain detailed information and fields to set the AP configuration. Most of the panels have multiple tabs, and some have special entry panels. NM Portal AccessIf the AP is booted in Portal mode, the left side of the browser interface includes a Manage Wireless Network button just below the menu tree. Click the button to open a new browser window for NM Portal services. For information on using portal services, see Chapter 9, “Managing the Network.”Configuration WizardsThe Airgo AP web interface includes wizards that enable fast configuration of user security and guest access.User Security WizardThe User Security wizard provides a one-stop interface for configuring user security parameters. You can use the wizard to configure security or make changes to individual security screens in the AP web browser interface. For detailed information on security options, see Chapter 7, “Managing Security.”To open the User Security wizard:Click User Security Wizard under AP Quick Start on the side menu. The User Access wizard opens (Figure 32).Figure 32: User Security Wizard
3 Using the Configuration Interfaces46 Installation and Configuration Guide: Airgo Access PointThe wizard presents several options for configuring user security. For additional information about these options, see Chapter 7, “Managing Security.”The security option you select determines the next step of the User Security wizard.To configure WPA-EAP:1In the User Security Wizard, select Using WPA-EAP.2Click Next to open the next User Security wizard panel (Figure 33).Figure 33: User Security Wizard - WPA-EAP3Confirm the SSID (wireless network name).4Select whether to use the internal RADIUS server included in the AP or an external RADIUS server.5Click Finish.Option DescriptionWPA-EAP (with AES encryption) Configures the AP to work with RADIUS authentication servers.•The wizard prompts for selection of the internal RADIUS server included in the AP or an external RADIUS server.WPA-PSK Configures the AP to work with pre-shared key authentication.•The wizard prompt for the pre-shared security key.WEP Configures the AP to use WEP encryption to support legacy equipment.•The wizard prompts for selection of 64-bit or 128-bit key length option, up to four distinct WEP keys, and determination of which will be the default.Open Access Configures the AP with no authentication or encryption.•The wizard prompts for confirmation that this is desired.
Configuration WizardsInstallation and Configuration Guide: Airgo Access Point 47To configure WPA-PSK:1In the User Security Wizard, select Using WPA-PSK.2Click Next to open the next User Security wizard panel (Figure 34).Figure 34: User Security Wizard - WPA-PSK3Enter the pre-shared key to use for network authentication and confirm your entry.4Click Finish.
3 Using the Configuration Interfaces48 Installation and Configuration Guide: Airgo Access PointTo configure WEP:1Select Using WEP, and click Next to open the next User Security wizard panel (Figure 35).Figure 35: User Security Wizard - WEP2Select the WEP key length. 3Enter up to four WEP keys, and indicate which will be the default.4Click Finish.
Configuration WizardsInstallation and Configuration Guide: Airgo Access Point 49To configure open access:1Select Open Access, and click Next to open the next User Security wizard panel (Figure 36).Figure 36: User Security Wizard - Open Access2Confirm that you want to configure the AP without user security.3Click Finish.
3 Using the Configuration Interfaces50 Installation and Configuration Guide: Airgo Access PointGuest Access WizardThe Guest Access wizard enables you to configure the network to give guest users limited access while protecting the network from unauthorized use. For a complete description of guest access rules and options, see Chapter 8, “Configuring Guest Access.”To open the Guest Access wizard:•Click Guest Access Wizard under AP Quick Start on the side menu.The wizard (Figure 37) provides options to configure an internal landing page or an external landing page for users who open a web browser while on site.Figure 37: Guest Access Wizard
Configuration WizardsInstallation and Configuration Guide: Airgo Access Point 51To use an internal landing page:1In the Guest Access wizard, select Internal.2Click Next to open the next wizard panel.3Enter and confirm a guest password (Figure 38). The password must be from 1 to 63 characters in length and may be manually distributed to guests who visit your corporate facility.Figure 38: Guest Access Wizard - Internal Landing Page4Indicate whether the guest users will be able to access a subnet before they are authenticated as guest users. If yes, enter the IP address of the subnet.5Click Next.
3 Using the Configuration Interfaces52 Installation and Configuration Guide: Airgo Access Point6Select an existing VLAN in which to place authenticated guest users, or create a new VLAN by entering a numeric VLAN ID and VLAN name (Figure 39). The list of existing VLANS includes only those that support open access.Figure 39: Guest Access Wizard - VLAN Entry7Click Finish.Guest access is now configured. When guests access the external landing page, they follow an externally-determined process to log in to the network. If a subnet has been specified, then guests can access the subnet even if they are not able to log in. For further information about guest access, or to modify guest access parameters, see Chapter 7, “Managing Security.”
Configuration WizardsInstallation and Configuration Guide: Airgo Access Point 53To use an external landing page:1In the Guest Access wizard, select External.2Click Next to open the next wizard panel.Figure 40: Guest Access Wizard - External Landing Page3Enter the full URL for the external landing page (Figure 39). The URL for the landing page must use an IP address rather than a domain name. Regardless of the authentication process selected for the external page, it is necessary to forward authentication results to the AP upon completion of successful or unsuccessful guest authentication. The Airgo AP is shipped with an sample external landing page.4Enter the shared secret string that the AP will use to authenticate itself to the web server. The code must be from 1 to 63 characters in length.5Indicate whether the guest users will be able to access a subnet before they are authenticated as guest users. If yes, enter the IP address of the subnet.6Click Next.7Select an existing VLAN in which to place authenticated guest users, or create a new VLAN by entering a numeric VLAN ID and VLAN name (Figure 39 on page 52). The list of existing VLANS includes only those that support open access.8If desired, select a quality of service (QoS) level. Numeric QoS values range from 0 (lowest priority) to 7 (highest priority).9Click Finish.Guest access is now configured. When guests access the external landing page, they follow an externally-determined process to log in to the network. If a subnet has been specified, then guests can access the subnet even if they are not able to log in. For further information about guest access, or to modify guest access parameters, see Chapter 7, “Managing Security.”
3 Using the Configuration Interfaces54 Installation and Configuration Guide: Airgo Access Point
Installation and Configuration Guide: Airgo Access Point 554Configuring Radio SettingsThis chapter describes the configuration settings for the Airgo Access Point radios and explains how to set the configuration using the Airgo AP web interface. It covers all the features accessible from the Wireless Services menu except backhaul configuration, which is discussed in Chapter 6. The chapter includes the following topics:•Introduction•Configuring Radio Parameters•Setting the Advanced Radio Configuration•Viewing Radio Statistics•Viewing Radio Neighbor Details•Configuring SSID Parameters•Multiple SSIDs•Configuring Inter Access Point Protocol (IAPP)•Performing Radio DiagnosticsIntroduction The Airgo Access Point can be configured with one or two radios, each of which forms a distinct wireless cell or basic service set (BSS), as shown in Figure 41. Each radio can operate in either of the following modes:•In normal mode, the AP is connected to the wired network, and the radio directly services downstream client stations or access points, or both. (AP mode).•In wireless backhaul mode, the radio establishes a wireless link to a radio in AP mode on another Airgo AP in order to relay data through the wireless medium. The AP is not attached to a wired connection, instead it is connected through the wireless medium to another AP.1 In this mode, the radio is called a Backhaul Point (BP mode). Wireless backhaul is also known as a wireless distribution system (WDS).1Except in certain special configurations.
4 Configuring Radio Settings56 Installation and Configuration Guide: Airgo Access PointFigure 41: AP Radios and CoverageUse the Wireless Services items on the menu tree to access wireless parameters. The following rules apply to the wireless settings:•Some of the settings apply globally (for both radios); others apply on a per-radio basis. •For configuration and reference purposes, the individual radios are labeled wlan0 and wlan1. The wired Ethernet interface is labeled eth0.•Some of the commands apply only to one mode (AP or BP). •If the radio is in BP mode, parameters are stored and later applied if and when the radio takes on the AP mode. Each of the items in the Wireless Services menu leads to a specific area of radio configuration:To open one of the Wireless Services panels, choose the topic from the menu tree.Configuring Radio ParametersChoose Radio Configuration from the Wireless Services menu to open the AP Radio Configuration panel. The panel contains the following tabs:•Global Configuration—Set parameters that apply to both of the AP radios. •Persona Configuration—Set the radio mode or persona for normal (AP) operation or wireless backhaul (BP).Menu Item DescriptionRadio Configuration General radio parametersAdvanced Configuration 802.11 mode for each radioRadio State & Statistics Detailed status and statistics for each radioRadio Neighbors Identity of neighboring APs within beacon rangeSSID Configuration Identification of the SSID parameters and assignment of service profilesBackhaul Configuration Configuration of wireless backhaul links (See Chapter 6, “Configuring a Wireless Backhaul.”)Station Management List of stations associated to the Airgo APIAPP Configuration Configuration of Inter-Access Point Protocol for roaming and load balancingRadio Diagnostics Interface to perform link and walk testsAP2 CellAP1 CellAP1(Wired AP)AP2(Backhaul Point)Wired NetworkA0019A
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 57•Channel Configuration—Configure channel usage for each radio.•Performance—Configure enhanced data rates and performance attributes.•Admission—Specify categories of client stations that are permitted to associate to the selected radio. To configure settings on these tabs, select each in sequence, or step through using the Go links at the bottom of the panel (shown in Figure 42).Many of the radio parameters are interdependent, and the Airgo AP performs consistency checks during configuration to prevent user actions from adversely affecting radio performance. This is especially true of dual radio APs, due to the proximity of the two radios. If you attempt to make configuration changes that are not accepted by the AP, an error message may or may not appear. Consult the appropriate section in this chapter to determine which parameters are in conflict.Global Configuration Use the Global Configuration tab (Figure 42) to define settings that apply to both of the Airgo AP radios.Figure 42: Radio Configuration - Global ConfigNOTE: All the settings on this tab are optional. If the AP radio is enabled when the global configuration is changed, then it is necessary to reset the AP for the changes to take effect. If the radio is disabled, the changes take effect once the radio is enabled.
4 Configuring Radio Settings58 Installation and Configuration Guide: Airgo Access PointSet the following global parameters on this tab:Field DescriptionNetwork Connectivity Specify the mode of connectivity to the wired network. •The default value of Any means that the AP auto-determines whether or not to initiate a backhaul based on the presence or absence of an active Ethernet link. The Any setting is influenced by the number of radios in the Airgo AP and whether or not the AP has active Ethernet connectivity. If Any is selected, then the Airgo AP is allowed to change between wireless and wired mode based on a change in Ethernet status. •The Wired-Only setting means that the Airgo AP operates only as wired node. The node is disabled if the Ethernet link is not active. All radios take on the AP persona unless explicitly configured as a BP radio. •The Wireless value means that the AP operates only as a wireless backhaul node with wireless backhaul connectivity to the wired network. One radio is automatically assigned the BP persona and one the AP persona. Applies to dual radio APs only.The default setting of Any is recommended. Network Density Set the wireless network density (low, medium, or high). Moving APs closer to each other increases wireless capacity by providing higher data rates to clients. To support this configuration, select the high density option. For maximum coverage at lower data rates, use the low density setting. Each setting determines the defer threshold parameters for the Airgo AP. The default is low; the default setting of “low” is appropriate for maximum coverage.World Mode - Multi-Domain Support Enables or disables 802.11d operation. If Enable is selected, the radio advertises country, channel and associated maximum transmit power information in beacons and probes responses to stations or clients in the BSS. The default setting is enabled.World Mode - Country Code Specify the country of operation of the AP. Select Default to set the channel and power for the radio to the factory default country setting (U.S.). Alternatively, enter a country code from the pull-down menu.World Mode - Deployment EnvironmentSpecify the type of environment in which the AP is installed (indoor, outdoor, or both). Choosing the environment and country influences the channels of operation that the AP or BP operate in or use for scanning and the maximum radio transmit power. If the country or environment is changed, the following occur:•The channel selection setting is reset to auto-select channel at startup. To configure a radio on a specific channel, apply the country configuration and then specify the channel using the Channel Configuration tab (see “Channel Configuration” on page 64).•The channel set configuration is set to system determined band configuration.•All radios in the AP are reset.For reference, Table 8 provides a list of world modes, including countries, environments, bands, and valid channels.AP Name in Beacon Confirm the AP node name advertised in beacons and probe responses. This is the AP name that clients see when they scan for access points. The default is the unique ID derived from the Ethernet MAC address of the AP. It is recommended to accept the default setting. (required, AP radio only)
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 59Click Apply to save changes or Reset to return to previously saved values.Background Scanning Enable or disable background scanning. Background scanning is performed to collect interference and radio neighbor information from the surrounding RF environment. If auto-select-channel is enabled with the Periodic option, background scanning should also be enabled. See “Channel Configuration” on page 64.Field (continued) DescriptionTable 8:World Modes Country Environment Band Valid Channel NumbersUSA Any 2.4 1,2,3,4,5,6,7,8,9,10,11USA Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11USA Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11USA Any 5 52,56,60,64,149,153,157,161USA Indoor 5 36,40,44,48,52,56,60,64,149,153,157,161USA Outdoor 5 52,56,60,64,149,153,157,161Mexico Any 2.4 1,2,3,4,5,6,7,8,9,10,11Mexico Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11Mexico Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11Mexico Any 5 149,153,157,161Mexico Indoor 5 36,40,44,48,52,56,60,64,149,153,157,161Mexico Outdoor 5 149,153,157,161Argentina Any 2.4 1,2,3,4,5,6,7,8,9,10,11Argentina Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11Argentina Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11Argentina Any 5 52,56,60,64,149,153,157,161Argentina Indoor 5 52,56,60,64,149,153,157,161Argentina Outdoor 5 52,56,60,64,149,153,157,161Brazil Any 2.4 1,2,3,4,5,6,7,8,9,10,11Brazil Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11Brazil Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11Brazil Any 5 149,153,157,161Brazil Indoor 5 149,153,157,161Brazil Outdoor 5 149,153,157,161Countries listed under the leading Europe include major European countries not explicitly listed by name in this table. Europe Any 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Europe Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Europe Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Europe Any 5 100,104,108,112,116,120,124,128,132,126,140
4 Configuring Radio Settings60 Installation and Configuration Guide: Airgo Access PointEurope Indoor 5 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132, 126,140Europe Outdoor 5 100,104,108,112,116,120,124,128,132,126,140France Any 2.4 9France Indoor 2.4 9France Outdoor 2.4 9France Any 5 Not allowedFrance Indoor 5 36,40,44,48,52,56,60,64France Outdoor 5 9,10,11,12,13Austria Any 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Austria Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Austria Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Austria Any 5 Not allowedAustria Indoor 5 36,40,44,48,52,56,60,64Austria Outdoor 5 Not AllowedBelgium Any 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Belgium Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Belgium Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Belgium Any 5 Not allowedBelgium Indoor 5 36,40,44,48,52,56,60,64Belgium Outdoor 5 Not AllowedSpain Any 2.4 10,11Spain Indoor 2.4 10,11Spain Indoor 2.4 10,11Spain Any 5 100,104,108,112,116,120,124,128,132,126,140Spain Indoor 5 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,126,140Spain Outdoor 5 100,104,108,112,116,120,124,128,132,126,140Switzerland Any 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Switzerland Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Switzerland Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13Switzerland Any 5 Not allowedSwitzerland Indoor 5 36,40,44,48Switzerland Outdoor 5 Not AllowedJapan Any 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13,14Japan Indoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13,14Japan Outdoor 2.4 1,2,3,4,5,6,7,8,9,10,11,12,13,14Table 8:World Modes (continued)Country Environment Band Valid Channel Numbers
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 61Japan Any 5 34,38,42,46Japan Indoor 5 34,38,42,46Japan Outdoor 5 34,38,42,46Singapore Any 2.4 9,10,11,12,13Singapore Indoor 2.4 9,10,11,12,13Singapore Outdoor 2.4 9,10,11,12,13Singapore Any 5 52,56,60,64,149,153,157,161Singapore Indoor 5 36,40,44,48,52,56,60,64,149,153,157,161Singapore Outdoor 5 52,56,60,64,149,153,157,161Israel Any 2.4 4,5,6,7,8,9Israel Indoor 2.4 4,5,6,7,8,9Israel Outdoor 2.4 4,5,6,7,8,9Israel Any 5 52,56,60,64,149,153,157,161Israel Indoor 5 36,40,44,48,52,56,60,64,149,153,157,161Israel Outdoor 5 52,56,60,64,149,153,157,161Table 8:World Modes (continued)Country Environment Band Valid Channel Numbers
4 Configuring Radio Settings62 Installation and Configuration Guide: Airgo Access PointAdmin State Configuration Use the Admin State tab (Figure 43) to assign the mode or persona of each radio interface. Figure 43: Radio Configuration - Admin StateSet the following parameters on this tab:Click Apply to save changes or Reset to return to previously saved values. Click Reset Radio to Default to return the settings on all the radios to their factory defaults. Feature DescriptionSelect Radio Interface Select the AP radio (wlan0 or wlan1)Admin State of Selected Radio Enable or disable the selected radio. When the AP radio is in the disabled state, all valid configuration settings are saved. When the AP radio is enabled, the latest configuration is applied. It is not possible to disable the BP radio by administrative intervention. (AP radio only)Persona of Selected Radio Select whether the AP radio is to operate as a normal AP (AP) or in backhaul point mode (BP). Select Any to determine the radio mode automatically based on network connectivity, configuration, number of radios, and presence of Ethernet connectivity. It is recommended to accept the default setting of Any.NOTE: Each access point can have at most one BP radio.
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 63InterdependenciesIf Network Connectivity on the Radio Global tab (“Global Configuration” on page 57) is set to Wireless, then at least one radio must have the BP or Any persona. If the Network Connectivity setting is Wired or Any, then the personas of AP, BP, and Any are all permitted.Table 9 shows how the Network Connectivity setting on the Global Configuration tab relates to the Radio Persona Configuration on the Admin state tab.Table 9: Radio Settings for Network Connectivity and PersonaNumber of Radios Wired ConnectionaaWired Connection means that the AP has Ethernet connectivity and that the connection is active.Network Connectivity Setting Persona Setting Resulting radio persona or modeOne Yes Any Any or AP APOne Yes Any BP BPTwo Yes Any All combinations of Any and AP Both radios APTwo Yes Any All combinations that specify a BP radio1 radio AP, 1 radio BPTwo No Any One radio set as BP 1 radio AP, 1 radio BPTwo No Any Both radios AP Not permittedOne Yes Wired Any APTwo Yes Wired All combinations of Any and AP Both radios APTwo No Wireless All combinations except both radios AP1 radio AP, 1 radio BPTwo No Wireless Both radios AP Not permitted
4 Configuring Radio Settings64 Installation and Configuration Guide: Airgo Access PointChannel Configuration Use the Channel Configuration tab (Figure 44) to define rules for selecting radio channels. If two radios are installed in the same AP, each radio operates in a different band (2.4 GHz for one radio and 5 GHz for the other).Figure 44: Radio Configuration - Channel ConfigSet the following values in the Radio Interface Selection and Channel Configuration areas of the tab:Feature DescriptionSelect Radio Interface Select the AP radio (wlan0 or wlan1).Channel Number Select a valid channel for radio operation, or accept the Automatic Channel Selection option.
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 65Click Apply to save changes or Reset to return to previously saved values. Click Force Select Best Channel to trigger the channel selection algorithm for the AP radio, including a switch-over to a better channel, if available. The Force Select Reselect Channel button applies only to the selected AP radio interface.Automatic channel selection Specify whether the channel is chosen when the AP is started, or whether it is selected periodically. The time range for periodic channel selection is 30 minutes to 24 hours (1440 minutes). It is recommended to accept the default setting of automatic channel selection of periodic at 30 minutes. Channel Set Determine which channels the AP scans in order to determine the best channel for operation. If Auto-Selection is enabled, this determines the channel set for auto-selection. The following choices are available for channel set:Band—Select a specific band, or the system-determined band option (recommended). •The System Determined Band setting means that the system chooses the channel list or band for each radio based on the number of AP radios, the persona of the radio, and the channel set of any second radio in the AP. If the radio is in AP mode, then the node selects the best channel across both bands. If the radio is in BP mode, then the BP radio scans on both bands.•If the Airgo AP is configured with two AP radios and Auto-Selection is chosen for both, then the preferred band configuration for both radios is System Determined. If both radios are in AP mode, then one operates in the 2.4 GHz band and the other in the 5 GHz band.•If the Channel Set is 2.4 or 5GHz, then the AP radio operates only in the specified band. If it is set to 2.4 GHz, the AP chooses only non-overlapping channels for operation (for example 1, 6, and 11). It is not acceptable to set both radios to operate in the 2.4 GHz or 5GHz band.•If both bands are selected, the AP radio chooses the best channel based on the mode and band of the other radio on the AP (if installed). •If a BP radio establishes a backhaul in the same band as the other AP radio, this triggers the AP radio to change bands, provided that the AP radio is configured for auto-selection and the system determined band.Channel List—Enter a specific list of channels to be scanned, separated by a single space (e.g.,1 2 6 11 13...). Overlapping channels can be specified in the 2.4 GHz band.NOTE: World mode and environment settings influence the channel and channel set configurations. See “Global Configuration” on page 57 for information on world modes.Feature (continued) Description
4 Configuring Radio Settings66 Installation and Configuration Guide: Airgo Access PointPerformance Use the Performance tab (Figure 45) to configure enhanced data rates of 72, 96, or 108 Mbps.Figure 45: Radio Configuration - PerformanceSet the following values on this tab:Feature DescriptionSelect Radio Interface Select the AP radio (wlan0 or wlan1)Enhanced Data Rates Enable or disable the Airgo enhanced data rates of (72, 96, and 108 Mbps). This setting is rejected if the enhanced Dot11 extensions are disabled and an attempt is made to configure enhanced data rates. It is recommended to accept the default of Enabled.Rate Adaptation Enables or disables automatic data rate adaptation in the system. To use auto-adaptation, select the Auto Adapt button and select the Basic or Advanced option. Otherwise, select fixed along with a fixed rate. It is recommended to accept the default value of Auto Adapt and Basic.
Configuring Radio ParametersInstallation and Configuration Guide: Airgo Access Point 67Click Apply to save changes or Reset to return to previously saved values.InterdependenciesSome restrictions apply to combinations of settings on the Channel Configuration and Performance tabs. •For fixed data rate configurations:• If the configured channel is in the 5 GHz band or the Channel Set Band/List is 5 GHz, System Determined, or Both, then at least one of the fixed rates must be other than an 11b rate (1,2,5.5,or 11).• If the configured channel is in the 2.4 GHz band or the Channel Set Band/List is 2.4 GHz only, then only 11b/g rates are accepted. • Assigning an enhanced rate (72, 96, and 108 Mbps), requires that the enhanced rates option be enabled. •To enable the Dot11 QoS settings on the Performance tab, you must enable the standard Dot-11 extensions on the 802.11 Policy tab (see “802.11 Policy” on page 69).Ack Mode Determines the acknowledgement policy for data packets. The following selections are available:•Immediate Ack – Acknowledgement is sent for every packet received. This is the default setting.•No Ack – No acknowledgement is sent when data packets are received. • To enable high performance, use this setting together with one of the enhanced data rates.• If this setting is used, then auto-adaptation cannot be enabled for the selected radio. Only the fixed rate setting applies.• This mode setting can be used for operations with Airgo clients.•Auto-ack – The acknowledgement policy is selected automatically based on current link conditions. Dot11 QoS Enables or disables 802.11e QoS. If enabled, the MAC mode is set to EDCF or HCF. If disabled, then the MAC mode is DCF. It is recommended to accept the default of Enabled.Feature (continued) Description
4 Configuring Radio Settings68 Installation and Configuration Guide: Airgo Access PointAdmission Use the Admission tab (Figure 45) to specify categories of client stations that are permitted to associate to the selected radio. Figure 46: Radio Configuration - AdmissionSet the following values on this tab:Feature DescriptionSelect Radio Interface Select the AP radio (wlan0 or wlan1).802.11b-g STA Admission Criteria - Accept Association fromApplies to the 2.4 Ghz band only. Specify the type of 802.11g or 802.11b and g client stations permitted to associate. Selecting 802.11g-only keeps 802.11b stations from degrading BSS performance. 802.11b and g is the default setting.Multi-Vendor STA Admission Criteria - Multi-Vendor StationAccept allows all stations to associate; Reject restricts association to compatible client stations, excluding non-compatible or non-Airgo stations. Backhaul Admission Criteria - Accept Association FromIndicates whether to accept association from client stations, trunks or both: STA or Trunk—Accept association from client stations or BP radios.STA Only—Accept associations only from client stations.Trunk Only—Accept associations only from BP radios.Max Number of Trunks Determines the maximum number of trunks which are allowed to form with the AP radio (range is 1-10). Default is 6.
Setting the Advanced Radio ConfigurationInstallation and Configuration Guide: Airgo Access Point 69Setting the Advanced Radio ConfigurationSelect Advanced Configuration from the Wireless Services menu to open the Advanced Configuration feature panel. The panel contains the following tabs:•802.11 Policy—Set the 802.11 modes for the AP radios. •MAC Config—Set details of the radio beacon and MAC configuration for each radio.To configure settings on these tabs, select each in sequence, or step through the tabs using the Go links at the bottom of the panel (Figure 47).802.11 Policy Use the 802.11 tab(Figure 47) to set the 802.11 modes and data rates for each AP radio. Figure 47: Advanced Configuration - 802.11 PolicySet the following values on this panel:Feature DescriptionSelect Radio Interface Select the AP radio (wlan0 or wlan1).IEEE 802.11 Mode in 2.4 Band Select whether the radio is configured for 802.11b or 802.11g operation when it operates in the 2.4 GHz band.
4 Configuring Radio Settings70 Installation and Configuration Guide: Airgo Access PointClick Apply to save changes or Reset to return to previously saved values.IEEE 802.11 Extensions Indicate whether to support standard Dot11 extensions, enhanced extensions, or both. The checkboxes enable or disable standard 802.11 extensions such as 11h, 11e, 11g or 11i, or Airgo enhanced features, which are compatible only with Airgo client stations. If the Enhanced 802.11 extensions option is selected, then it is possible to enable the following through the CLI (they are not automatically enabled). •Enhanced rate set (specific flag needs to be set) •Proprietary burst ack •Advanced rate adaptation •Wireless backhaul AP name in beacon (if not enabled, the AP name in beacon is suppressed)802.11G Protection Select to enable 802.11g protection mode, short slot time, and short preamble if the radio is operating in 802.11g mode. If the checkbox is selected, all 3 aspects are enabled; if not, all 3 aspects are disabled. The default setting is disabled.Select Basic Rate Set Enter basic data rates for the different 802.11 modes. To set rates, select Set and enter the rates with a space as the delimiter. The basic 802.11 rates are advertised in beacons and inform the client stations of the minimum set of rates it must support to be part of the BSS. 802.11 control frames such as ACKS, CTS, and RTS are transmitted at basic rates.Feature (continued) Description
Setting the Advanced Radio ConfigurationInstallation and Configuration Guide: Airgo Access Point 71MAC Configuration Use the MAC Configuration tab (Figure 48) under special circumstances if it is necessary to tune low level operational parameters of the radio MAC (Medium Access Control) layer. Figure 48: MAC Configuration TabNOTE: Changes on the MAC Configuration tab should only be made by trained network personnel. The AP radio restarts automatically when these parameter changes are applied.
4 Configuring Radio Settings72 Installation and Configuration Guide: Airgo Access PointSet the following parameters on the MAC Configuration tab:Click Apply to save changes or Reset to return to previously saved values. The changes take effect immediately if the radio is enabled.Viewing Radio StatisticsSelect Radio State & Statistics from the Wireless Services menu to view the current state of each radio and the current communication statistics. This panel contains the following tabs:•Radio State—View current configuration.•Radio Statistics—View information about current operation.Radio State The Radio State tab (Figure 49) contains details on the current configuration and utilization of each radio interface. The state information varies according to whether the radio is operating as a normal access point radio (AP mode) or as a backhaul point (BP mode).Field DescriptionSelect Radio Interface Select the AP radio (required, wlan0 or wlan1).Beacon Period Enter the desired interval between RF beacons, in milliseconds. It is recommended to accept the default of 100 ms. (required).DTIM (Delivery Traffic Indication Message) PeriodEnter the interval between the times that the radio forwards multicast and broadcast packets to client stations. It is recommended to accept the default of 1 beacon period. (required).Fragmentation Threshold Enter the maximum packet size that can be transmitting as a single unit. A low setting may be desirable in areas that have significant interference or poor signal conditions. The range is 256-2346. It is recommended to accept the default of 2000.RTS Threshold Enter a packet size greater than which the AP issues a request-to-send (RTS) message before sending the packet. Enter a low threshold if the ambient conditions might make it relatively difficult for clients to associate to the AP. The range is 0-2347. It is recommended to accept the default of 2347.Short Retry Limit Enter a number of transmission retries (greater than or equal to data frame MSDU size) after which a transmission is deemed a failure. The range is 1-255.Long Retry Limit Enter a number of transmission retries (greater than or equal to data frame MSDU size) after which a transmission is deemed a failure. The range is 1-255.
Viewing Radio StatisticsInstallation and Configuration Guide: Airgo Access Point 73Figure 49: Radio State TabUse the pull-down list to switch between radios. This tab contains the following information:Field DescriptionRadio Persona Mode of the radio - AP or BPRadio MAC Address MAC address of radioRadio Admin State Administrative status of the radio (enabled or disabled)Radio Operation State Operational status of the radio (enabled or disabled)Operating Band Current band of operation
4 Configuring Radio Settings74 Installation and Configuration Guide: Airgo Access PointCurrent Channel Number Current channel of operation Number of channel changes Number of times the channel has changed since boot-up (AP persona only)Channel Change Cause Reason the frequency changed since boot-up, if appropriate, due to user intervention or performance degradation (AP persona only)Number of Associated Stations The number of stations that are associated to the radio (AP persona only)Number of trunks Number of backhaul trunks associated with the radio (AP persona only)Average Station Load Average load on client stations in percent (AP persona only)Average Channel Utilization Average load on channels in percent (AP persona only)Radio QoS Mode Mode used for class of service mappingLoad Balanced Number of stations that are load balanced (AP persona only)CFP-Period Number of DTIM intervals between the start of Contention Free Periods (CFPs).CFP Max Duration Maximum duration of the CFP in time units that may be generated by the AP.Privacy Option Implemented Security settingBasic Rate Set Set of basic rates for BSS (AP persona only)Operational Rate Set Set of operational rates for BSSCCA mode supported List of all of the Clear Channel Assessment (CCA) modes supported by the PHYCurrent CCA mode current CCA method in operationTemp Type Current physical operating temperature range capability.Max Receive Lifetime Maximum MSDU receive lifetimeExternal antenna Indication of whether the radio has an external antenna (true) or not (false)Interference Radio interference in the surrounding wireless environment pertaining to the channel of operation, in dBm. (AP persona only)Field (continued) Description
Viewing Radio StatisticsInstallation and Configuration Guide: Airgo Access Point 75Radio Statistics The Radio Statistics tab (Figure 50) contains information on the operation of each radio. This information varies according to whether the radio is in the AP or BP persona. The statistics refresh every 10 seconds. Figure 50: Radio Statistics TabUse the pull-down list to switch between radios. This tab contains the following information:Field DescriptionTransmitted Fragment Count Number of transmitted fragments (MAC Protocol Data Units) that have been acknowledged since last power-up or last Clear Statistics requestTransmitted Multicast Frame Count Number of transmitted multicast frames (MAC Service Data Units) Failed Count Count of MSDU not transmitted successfully due to the number of transmit attempts exceeding either the dot11ShortRetryLimit or dot11LongRetryLimit. Received Fragment Count Count for successfully received MPDUs of type Data or Management. Received Frame Count Count of successfully received frames (MSDUs)
4 Configuring Radio Settings76 Installation and Configuration Guide: Airgo Access PointFCS Error Count Count of FCS errors detected when receiving a MPDU. Received Multicast Frame Count Count when a MSDU is received with the multicast bit set in the destination MAC address. Multiple Retry Count Count of successful transmissions after more than one retransmission. Retry Count Count of successful transmissions after one or more retransmission Frame Duplicate Count Count of frames received in which the Sequence Control field indicates it is a duplicate frame. Ack Failure Count Count of expected acks not received. RTS Success Count Count of successful CTS received in response to a RTS RTS Fail Count Count of RTS for which a CTS response is not received. Transmitted Frame Count Count for successfully transmitted MSDUs. WEP Undecryptable Count Number of times a frame is received with the WEP subfield of the Frame Control field set to one and the WEPOn value for the key mapped to the Transmitter MAC address indicates that the frame should not have been encrypted or that frame is discarded due to the receiving STA not implementing the privacy option. (Valid only if encryption is WEP) # of transmitted Beacons Count of successfully transmitted beacons Field (continued) Description
Viewing Radio Neighbor DetailsInstallation and Configuration Guide: Airgo Access Point 77Viewing Radio Neighbor Details A radio neighbor is a radio whose beacon frame is detected by the AP. Select Radio Neighbors from the Wireless Services menu to view summary information on all the neighboring APs within beacon range (Figure 51). Figure 51: Radio NeighborsThe summary table lists the following information:Field DescriptionInterface The AP radio (wlan0 or wlan1)BSSID The MAC address of the neighboring AP radio, which determines the BSSSSID The name of the network (ESS) in which the AP is operatingBSS Type Infrastructure or ad-hoc network arrangementChannel Current channel of operation for the neighboring BSSAP Beacon Name Name of the neighboring AP in the beacon frameCompatibility Status Indication of whether or not the neighbor is an AP with which the IAPP protocol can be establishedStrength Strength of Radio neighbor signal, in percentLoad percentage Load on the AP, in percentSTA Count Number of client stations served by the neighboring AP
4 Configuring Radio Settings78 Installation and Configuration Guide: Airgo Access PointUse the scrolling bars to display the full range of interfaces and data.Configuring SSID ParametersA wireless network is formed when a set of APs advertises the same value as the SSID, or network name. Figure 52 shows the Acme Works network with multiple Airgo APs, each advertising the same “Corporate” SSID.Figure 52: Example “Corporate” NetworkEach Airgo AP is shipped with a default SSID, which must be replaced during the bootstrap process (see “Using AP Quick Start to Initialize the Access Point” on page 31) or from the SSID Configuration panel, as explained in this section. Multiple SSIDs are also supported. “Multiple SSIDs” on page 85 explains how to enable this feature and permit clients to access multiple wireless networks through the same access point.A0042DSSID="Corp" SSID="Corp"10/100 Switched Ethernet
Configuring SSID ParametersInstallation and Configuration Guide: Airgo Access Point 79SSIDs and Service ProfilesA service profile consists of VLAN, COS, and minimal security attributes applied to a network or to designated classes of users once they are authenticated by a RADIUS authentication server (security portal or external authentication server). If the service profile is defined without reference to a specific user group and bound to an SSID, then the profile is applied to all users who access the network.Figure 53 illustrates the relationship between users, user groups, service profiles, and SSID. A RADIUS authentication server stores user group information and uses that information to match users to groups during authentication. Upon authentication, a previously-defined service profile is assigned to the user based on user group membership. The service profile, in turn, is bound to the SSID and thereby determines level of service awarded to the user.Figure 53: SSIDs and Service ProfilesFrom the SSID Configuration panels, you can define service profiles for user groups and then bind the profiles to the SSID. A user who requests access to the network is authenticated and placed into the appropriate user group, and the AP software automatically applies the privileges and restrictions defined in the service profile for that group. Each user group can be assigned to just one service profile, but multiple groups can share the same service profile.Select SSID Configuration from the Wireless Services menu to open the SSID Configuration panel. The panel contains the following tabs:•SSID Table—View the current SSID configuration, modify the configuration, or add new SSIDs.•SSID Details—View the association between SSIDs and service profiles.•Profile Table—Manage service profiles.•Multiple SSID—Enable the multiple SSID feature.NOTE: The SSID settings in this section apply only to AP mode radios. The Backhaul Configuration panel described in “Configuring a Wireless Backhaul” on page 127 is used to configure the SSID for the BP radio. Make sure that the SSID configuration for the AP matches that of the other APs in the network. A0029User GroupsAssigned to Service ProfileVLANQOSEncryptionBound toSSIDUsersMembers ofUsers
4 Configuring Radio Settings80 Installation and Configuration Guide: Airgo Access PointSSID Table Select SSID Configuration from the Wireless Services menu to open the SSID Table (Figure 54).Figure 54: SSID Configuration - SSID TableThe table lists the following information about each SSID:Field DescriptionSSID Name Name (maximum 32 alphanumeric characters). This name is used only by the radio in AP mode, and is broadcast in its beacon. For a radio in backhaul point mode, the SSID name is entered in the Backhaul Configuration, Link Criteria tab (see Chapter 6).Max stations The maximum number of stations that can be associated to this SSID on this AP. The range is 1-512. If the maximum number of stations is reached and a new client tries to associate to the AP, the association attempt is rejected. Association is also rejected if the number of clients is less than the maximum but exceeds the number of client stations permitted by the AP license.Auth Zone The RADIUS authentication zone for the SSIDPSK-Type The type of pre-shared key used, if WPA is the encryption suiteMAC-ACL MAC-ACL authentication enabled or disabledAuth Servers The RADIUS server used for user authentication
Configuring SSID ParametersInstallation and Configuration Guide: Airgo Access Point 81Follow these steps to rename the SSID or modify its configuration:1Click Modify to open the SSID Details table, which also provides access to service profiles for the SSID. 2Enter the new SSID name.3Click Apply. If an SSID is renamed, all configuration details related to the old SSID name, such as service profile associations and security configuration, are automatically transferred, and the radios that operate in AP mode now broadcast the new SSID in the beacon. The default SSID cannot be modified. If an attempt is made to modify the default SSID, the system prompts you to first rename it. If you select the current SSID in the table and click Delete, the SSID reverts to the default. The Airgo AP can be configured to support multiple SSIDs. If this feature is enabled on the Multiple SSID tab (“Multiple SSIDs” on page 85), then it is possible to add new SSIDs from the SSID Table tab, in addition to modifying or deleting an existing SSID. Perform the following functions on the SSID Table tab:Function DescriptionAdd new SSID (if multiple SSID is enabled) 1Click Add and enter the following information:• SSID name—This name is used only by the radio in AP mode. For a radio in backhaul point mode, enter the SSID name in the Backhaul Configuration, Link Criteria tab (see Chapter 6).• Max Number of Stations—Enter a maximum number of clients stations, if desired. The range of values is 1-512. If the maximum number of stations is reached and a new client tries to associate to the AP, the association attempt is rejected. Association is also rejected if the number of clients is less than the maximum but exceeds the number of client stations permitted by the AP license.2Click Apply.Modify an existing SSID 1Select the SSID and click Modify to open the SSID Details table, which also provides access to service profiles for the SSID.2Enter the new SSID name.3Confirm the maximum number of stations4Click Apply.Delete an SSID (if multiple SSID is enabled) Click Delete, and click OK to confirm.Change the SSID broadcast setting (single SSID configurations only)For single SSID configurations, the SSID Table tab provides the option to broadcast the SSID in the AP beacon, or to suppress broadcast of the SSID for increased security. The SSID is never broadcast in multiple SSID configurations.To change the SSID broadcast setting:1Select no or yes.2Click Apply.
4 Configuring Radio Settings82 Installation and Configuration Guide: Airgo Access PointSSID Details Use the SSID Details Tab (Figure 55) to modify an SSID and bind service profiles to an SSID.Figure 55: SSID Configuration - SSID DetailsThe tab contains two areas. Use the Modify SSID Configuration area to change the current SSID configuration, as described in “SSID Table” on page 80. The bottom area shows the service profiles currently bound to the SSID. This list includes the following information for each service profile:Feature DescriptionUser Group User group linked to the service profile. If this entry is empty, the user group is null. The null user group is automatically assigned to the default service profile, unless it is explicitly bound to another service profile. RADIUS authentication must be active in order for user groups to be effective. The user group for a given client is passed to the AP as a RADIUS attribute for each successfully-authenticated user. To edit the group information, click the group name link. Any attempt to delete the null user group, automatically associates it to the default service profile.Profile Service profile name.VLAN VLAN assigned to the service profile.COS Class of service values assigned to the service profile.
Configuring SSID ParametersInstallation and Configuration Guide: Airgo Access Point 83Perform the following functions from the service profile list on this tab:Figure 56: SSID Configuration - Bind Service Profile to SSIDSecurity Enforcement Type of encryption required for the service profile. For user groups assigned to this service profile, the security enforcement setting supersedes the encryption type configured for the overall network.Function StepsBind an existing service profile to an SSID 1Click Add to open the Bind Service Profile to SSID entry panel (Figure 56). 2Select the profile name, or click Add New Profile to create a new profile according to the instructions in “Profile Table” on page 84.3Select a group name from the existing RADIUS group names to associate with the profile, or select New Group and enter a new user group name.4Click Apply.Change service profile binding 1Select the checkbox for the user group and profile, and click Modify to open the Bind Service Profile to SSID entry panel (Figure 56) in modify mode.2Select a profile to bind to the SSID, or click Add New Profile to create a new profile according to the instructions in “Profile Table” on page 84.3Click Apply.Delete service profile binding 1Select the checkbox for the user group and profile, and click Delete.2Click OK to confirm.Configure security for the SSID Click Go at the bottom of the panel. The button leads to the SSID Authentication tab of the Wireless Security panel. For instructions on defining the security settings, refer to “SSID Authentication” on page 140. After defining the security settings, click Back on the browser to return to the SSID Details tab.Feature (continued) Description
4 Configuring Radio Settings84 Installation and Configuration Guide: Airgo Access PointProfile Table The Profile Table tab (Figure 57) lists all the currently defined service profiles. Each service profile includes attributes for security enforcement, VLAN ID, and COS value. Binding a service profile to an SSID determines the privileges and restrictions that apply to user groups associated with the profile.Figure 57: SSID Configuration - Profile TableNOTE: Changes made to SSID or service profiles cause affected users to be automatically disassociated from the AP. The AP then attempts to reassociate them automatically. This causes a momentary interruption in service.
Configuring SSID ParametersInstallation and Configuration Guide: Airgo Access Point 85Perform the following functions from this tab:Multiple SSIDsWith the multiple SSID feature, the same physical network infrastructure can support multiple wireless networks. Each network (identified by SSID) can have its own service profile and associated level of service. For example, Figure 58 shows how Acme Works configured two SSIDs: one to accommodate the normal corporate network and one for a separate video conference network, which requires a higher quality of service. Figure 58: Example Use of Multiple SSIDs to Differentiate Levels of ServiceFunction StepsAdd a new service profile 1Click Add to create a new service profile.2Enter the profile name, which must be unique. (required)3Select the VLAN for the profile.4Enter a COS value for the profile. The range is 0-7. For more information, see “Configuring Quality of Service” on page 111.5Select an enforcement level for data encryption to apply to the profile. This setting provides fine-grained security options at the user group level. Default-enforcement refers to the encryption settings that prevail in the network at large. The security enforcement applies after authentication is complete.6Enter a description, if desired.7Click Apply to save the profile or Cancel to return to the Profile Table.Modify a profile 1Select the profile from the table and click Modify. 2Make changes as desired, and click Apply, or click Cancel to return to the Profile Table without saving changes. User groups bound to the profile automatically inherit any modified attributes.It is not possible to modify the default profile.Delete a profile A service profile can only be deleted if there are no groups under the SSID bound to the profile. It is not possible to delete the default profile.A0043BSSID="Corporate" SSID="Video"10/100 Switched EthernetCorporate VideoCOS=7COS=4
4 Configuring Radio Settings86 Installation and Configuration Guide: Airgo Access PointUse the Multiple SSID tab (Figure 59) to enable the multiple SSID feature. Make a selection, and click Apply. After enabling the multiple SSID feature, additional SSIDs can be added on the SSID Table (see “SSID Table” on page 80).When multiple SSIDs are enabled on the Airgo AP, that AP no longer broadcasts an SSID in its beacon frame. In order for a client to associate with the Airgo AP configured for multiple SSIDs, a profile for each target SSID must be created on the client workstation using the Windows Zero Config (WZC) Add function or the Airgo Client Utility Create function. Figure 59: SSID Configuration - Multiple SSIDManaging Client Stations Select Station Management from the Wireless Services menu to open the Station Associations panel. The panel contains the following tabs:•Stations—View all client stations associated to this Airgo AP.•Link Stat—View signal strength, signal quality and all the MAC level statistics.•Security Stat—View 802.1x security statistics.
Managing Client StationsInstallation and Configuration Guide: Airgo Access Point 87Stations The Stations tab (Figure 60) shows the client stations that are currently associated to the AP.Figure 60: Station Management - StationsUse this panel to control association to the Airgo AP. The panel lists the following information for each client station associated to the AP:Field DescriptionInterface The AP radio (wlan0, wlan1)MAC address MAC address of the client stationUser Name User name assigned through the RADIUS server. If MAC ACL is used, then the user name is the MAC address of the client stationEncryption Type of encryption used by client station (AES, TKIP, WEP or no encryption)Authentication Type of authentication used by the client station (Open, Shared Key, EAP or MAC-ACL)SSID SSID to which the client station is associatedGroup name Group to which the client station belongsAssociation Type Normal or transferred. Transferred means that the client station has been moved from the mate AP radio.Association Status Associated or Reassociated to the AP
4 Configuring Radio Settings88 Installation and Configuration Guide: Airgo Access PointSelect a station from the list and click a button at the bottom of the panel to perform any of the following functions:Link StatisticsThe Link Stats table (Figure 61) provides details on the signal quality and strength between the AP and client station. Figure 61: Station Link StatisticsSelect a station from the Station Associations table and click Link Stats to display the following information:Item DescriptionDisassociate Detach the station from the AP and remove station related information.Link Stats Display information about the link strength and quality between the AP and stationSecurity Stats Display current security statisticsField DescriptionStation MAC address The MAC address that identifies the stationMode 802.11 mode used by the station (11a, 11b or 11g)Uplink Signal Strength Average signal strength on uplink (station to AP direction) as a percentage
Managing Client StationsInstallation and Configuration Guide: Airgo Access Point 89Security StatisticsThe Security Stats table (Figure 62) provides detailed security information for the connection between the AP and client station.Figure 62: Station Security StatisticsUplink Signal Quality Average signal quality on uplink (station to AP direction) as a percentageUplink Rate Average uplink data rate on uplink (Mbps)Downlink rate Average downlink data rate on uplink (MbpsReceived Bytes Bytes received from the stationTransmitted Bytes Bytes transmitted to stationTransmitted Fragments Count of transmitted MPDUsFailed Transmitted Packets Number of MSDUs that were not transmitted successfully since retries exceeded short or long retry limitSingle Retry Packets Number of packets that were successfully transmitted after one retryMultiple Retry Packets Number of packets that were successfully transmitted after multiple retriesAcknowledgement Timeouts Number of packets that did not receive expected acknowledgementField (continued) Description
4 Configuring Radio Settings90 Installation and Configuration Guide: Airgo Access PointSelect a station from the Station Associations table and click Security-Stats to display the following information:Configuring Inter Access Point Protocol (IAPP)Inter-Access Point Protocol enables neighboring access points to keep up-to-date information concerning the status of roaming client stations. Select IAPP Configuration from the Wireless Services menu to configure the IAPP settings and to view the associated topology and statistics. The panel contains the following tabs:•IAPP Service—Enable or disable IAPP.•Topology—View BSSID, IP address, and compatibility details.•Stats—View statistics details, including notifications sent and received, “move” notification and response details, and details on Intra-AP moves.Field DescriptionStation MAC address The MAC address that identifies the stationAuth Type Authentication used by station (Open, Shared key, EAP or MAC-ACL) Encryption Encryption used by station (AES, TKIP, WEP, or open access) AES Transmitted Blocks Number of AES transmitted blocks. Valid only if encryption is AES AES Received blocks Number of AES received blocks. Valid only if encryption is AES AES Replays Number of AES replays. Valid only if encryption is AES AES Decrypt Errors Number of AES decryption errors. Valid only if encryption is AES WEP Excluded Count Number of WEP exclude packets Valid only if encryption is WEPWEP Undecryptable Count Number of times frames were not encrypted or a frame was discarded due to the receiving station not implementing the privacy option. (Valid only if encryption is WEP.)
Configuring Inter Access Point Protocol (IAPP)Installation and Configuration Guide: Airgo Access Point 91IAPP Service Use the IAPP Service tab (Figure 63) to enable IAPP. Selecting Enable initializes IAPP to perform network discovery and communicate with other APs. Click Apply to save changes.Figure 63: IAPP Configuration - IAPP ServiceIAPP Topology The read-only IAPP Topology tab (Figure 64) displays information about all the neighboring APs this AP has discovered, including the BSSID, IP address, and Compatibility (whether the IAPP protocol can be established with the neighboring AP).Figure 64: IAPP Configuration - IAPP Topology
4 Configuring Radio Settings92 Installation and Configuration Guide: Airgo Access PointIAPP Statistics The IAPP Stats tab (Figure 65) lists information about IAPP activity.Figure 65: IAPP Configuration - IAPP StatsThis tab contains the following information:Item DescriptionAdd Notifications Sent Number of add-notifications sent to other APs in the local multicast domain due to stations associating to the APAdd Notifications Received Number of add-notifications received by the AP due to stations associating with other APs in the local multicast domainMove Notifications Sent Number of move notifications sent to other APs where the stations were previously associatedMove Notifications Received Number of move notifications received from other APs to which the stations are currently associatedMove Responses Sent Number of move responses sent to other APs when stations have reassociated with the other APsMove Responses Received Number of move responses received from other APs in the process of stations reassociating with this APMove Notifications Timeouts Number of move notifications which were not sent in the maximum time allowed for a move transactionMove Notifications Retransmitted Number of times the move notifications were retransmitted for all the move transactions (not supported)
Performing Radio DiagnosticsInstallation and Configuration Guide: Airgo Access Point 93Click Clear Statistics to return the statistics to zero and begin re-collecting them, and click Refresh to update the display with the most current information.Performing Radio DiagnosticsChoose Radio Diagnostics from the Wireless Services menu to test the radio signal between the AP and a client station. The panel contains 2 tabs:•Link Test—Test the radio link between the AP and a client station. •Walk Test—Advanced parameters regarding rate and range performance testing.Move Response Failures Sent Number of move responses with a FAILURE status sent to other APs during the station reassociating processMove Response Failures Received Number of move responses with a FAILURE status received from other APs during the station reassociating processNumber of Intra-AP Moves Number of successful station reassociations between APsNumber of Intra-AP Moves Failures Number of unsuccessful station reassociations between APsItem Description
4 Configuring Radio Settings94 Installation and Configuration Guide: Airgo Access PointLink Test Use the Link Test tab (Figure 66) to test connections to IP devices or run performance tests on specified links.Figure 66: Radio Diagnostics - Link TestThe Link Test tab includes the following information for each defined link test:Field DescriptionInterface Select the AP radioStation MAC Select the MAC address of the station included in the link testPacket Size Specify the size of each link packet (in bytes)Duration Period during which the which the test runsAverage Interval Sampling intervalStatus Current status of the link test. Click the Link Test tab to refresh
Performing Radio DiagnosticsInstallation and Configuration Guide: Airgo Access Point 95To perform a link test:1Click Add to open the Link Test Setup entry panel (Figure 66). Figure 67: Radio Diagnostics - Link Test - Setup2Configure the following:3Click OK to save the test. To confirm that the test is running, click Link Test to return to the Link Test table. Scroll the table columns to the right to view the Status column. When the test begins, the column displays the message: Link Test Active. Continue to refresh the display until you see the message: Link Test Completed Successfully. Other recommendations for running a link test:•Set the test duration to be greater than 5 minutes (or equivalent number of packets, for example 5 minutes = 1200 packets), and set the averaging interval greater than 30 seconds. This compensates for any momentary glitches in the wireless link.•Generate traffic (such as ping traffic) to the station when performing the link test. If rate adaptation is active, this helps the uplink and downlink data rates settle at the maximum sustainable rates for that link. A maximum of 10 link tests can be active on an AP at one time. The collected link test data is retained even after the link test is retained until manually deleted.To graph the results of a link test, select the test on the Link Test tab, and click Graph. The Graph panel (Figure 68) opens.Field DescriptionInterface Select the AP radioStation MAC Address Select the MAC address of the station included in the link testTest Criteria Select whether the test is for a specified duration (seconds) or number of packets. Enter the duration in the area to the right of the Test Criteria pull-down list.Packet Size Specify the size of each link packet (in bytes)Average Interval Enter the interval over which link test data such as signal strength or signal quality is averaged
4 Configuring Radio Settings96 Installation and Configuration Guide: Airgo Access PointSelect from the following set of link test parameters to display a graph of the test results:When a parameter is selected, that graph is displayed.Figure 68: Radio Diagnostics - Link Test - GraphItem DescriptionDownlink signal strength Strength of the signal sent from the AP to the client station (percentage).Uplink signal strength Strength of the signal sent from the client station to the AP (percentage).Downlink signal quality Quality of the signal sent from the AP to the client station (percentage).Uplink signal quality Quality of the signal sent from the client station to the AP (percentage).Downlink data rate Transmission rate from the AP to the client station (Mbps).Uplink data rate Transmission rate from the client station to the AP (Mbps).
Performing Radio DiagnosticsInstallation and Configuration Guide: Airgo Access Point 97Walk Test Figure 69: Radio Diagnostics - Walk TestCAUTION: These Radio Diagnostics are to be used only by Product Engineers. The information below is for reference only.Parameter Parameter Description Range/UnitsWNI_CFG_CURRENT_TX_ANTENNA #of TX chains 1 to 2 / +WNI_CFG_CURRENT_RX_ANTENNA # of RX chains 1 to 3 / –WNI_CFG_DEFER_THRESHOLD Packet Detection Threshold 0–254 / dBm + 130WNI_CFG_ACK_TIMEOUT_11A Ack Timeout 802.11a 0 - 100 / Micro secondsWNI_CFG_ACK_TIMEOUT_11B Ack Timeout 802.11b 0 - 100 / Micro secondsWNI_CFG_MAX_ACK_RATE_11A Max Ack Rate 802.11a MAC rate encoding:Rate - Entered Value6 - 129 - 1812 - 2418 - 3624 - 4836 - 72
4 Configuring Radio Settings98 Installation and Configuration Guide: Airgo Access PointWNI_CFG_MAX_ACK_RATE_11B Max Ack Rate 802.11b MAC rate encoding:Rate - Entered Value1 - 22 - 45.5 - 1111 - 22WNI_CFG_SHORT_PREAMBLE Enables or Disables Short Preamble DISABLE (0), ENABLE (1)WNI_CFG_CWMIN_0_11A Min Contention Window Size for 802.11a (TC0) 0 - 1023 / slotsWNI_CFG_CWMIN_0_11B Min Contention Window Size for 802.11b (TC0) 0 - 1023 / slotsWNI_CFG_CWMIN_0_11G Min Contention Window Size for 802.11g (TC0) 0 - 1023 / slotsWNI_CFG_CWMAX_0_11A Max Contention Window Size for 802.11a (TC0) 0 - 1023 / slotsWNI_CFG_CWMAX_0_11B Max Contention Window Size for 802.11b (TC0) 0 - 1023 / slotsWNI_CFG_CWMAX_0_11G Max Contention Window Size for 802.11g (TC0) 0 - 1023 / slotsWNI_CFG_PROXIMITY Used to set the transmit power for radio 0 (operates at max power), 1 (operates at reduced power) Parameter (continued) Parameter Description Range/Units
Installation and Configuration Guide: Airgo Access Point 995Configuring Networking SettingsThis chapter explains how to configure the advanced networking features of the Airgo Access Point. It includes the following topics:•Introduction•Configuring Bridging Services•Configuring IP Routes•Configuring VLANs•Configuring Quality of Service•Configuring Advanced QoS•Configuring Packet Filters•Configuring Interfaces•Configuring SNMP•Ping TestIntroductionThe Airgo Access Point provides advanced features to configure wireless networking services and extend services to network users. From the Networking Services menu, assign interfaces, define quality of service, configure VLANs, and define packet filters. Statistics are also available to monitor network activity.InterfacesFigure 70 illustrates the physical and logical elements of an Airgo wireless network. Each Airgo Access Point has virtual interfaces that correspond to specific communications functions, as listed in Table 10. The interfaces wlan0 and wlan1 provide access to the BSS created on the AP radios; the interface eth0 provides access to the Ethernet network. In addition, a separate interface is reserved for each wireless backhaul trunk. NOTE: It is not necessary to modify any of the default networking settings in order to get a wireless network up and running. The default settings may also be acceptable for normal operation of small to mid-size networks.
5 Configuring Networking Settings100 Installation and Configuration Guide: Airgo Access PointFigure 70: Airgo Wireless Network ElementsConfiguring Bridging ServicesUse the Bridging panel, accessible from the Networking Services menu, to view the relationships among bridges, interfaces, and client stations. The panel contains the following tabs:•Bridge & STP—View bridges, their interface members, and spanning tree protocol (STP) settings.•Bridge Stats—View packet counts for each bridge.•ARP Table—View the ARP cache.Bridge and STP Choose Bridging from the Networking Services menu to open the Bridge & STP tab (Figure 71), The tab displays how bridging is currently configured and lists the interfaces and MAC addresses Table 10: AP Interfaces Interface Descriptioneth0 Wired Ethernet interfacewlan0 Wireless interface, radio 0wlan1 Wireless interface, radio 1wlan0.tkx Backhaul x created on wlan0. Each radio can support multiple backhauls.wlan1.tkx Backhaul x created on wlan1. Each radio can support multiple backhauls.Enterprise BoundryNMSProRADIUS10/100 EthernetCorporateNetworkInternetLAN Switch/RouterWAN Routerwith FirewallNetwork Operations CenterAP with2 Radios AP with1 RadioAP with1 Radio802.11a802.11g/b802.11a(or 802.11g/b)802.11g/b(or 802.11a)A0008C
Configuring Bridging ServicesInstallation and Configuration Guide: Airgo Access Point 101learned at each interface (port) of the bridge. The bridge configuration is automatic and requires no user configuration. Figure 71: Bridge Configuration - Bridge & STPEach bridge name is composed of a prefix, br, together with a bridge number. When the VLAN feature is enabled, the VLAN ID is used as the bridge number. br1 represents VLAN 1 and is the default bridge for forwarding user data traffic. br4094 represents VLAN 4094, which is an internal VLAN assigned to the default bridge used for the Spanning Tree Protocol (see “Spanning Tree Protocol (STP)” on page 101). The Bridge table on the Summary tab lists each bridge and its associated interfaces (or ports). The Bridge Forwarding table, located at the bottom of the panel, lists each bridge and interface, and specifies which MAC addresses are learned at the interface. Spanning Tree Protocol (STP)The Summary tab also provides an option for enabling or disabling Spanning Tree Protocol (STP). STP is a protocol that prevents bridging loops from forming due to incorrectly configured networks. STP provides protection against looping, but it does increase network overhead. Before STP allows traffic through a specific port, there may be a time lapse of 30 seconds. Operations may also take longer than normal.
5 Configuring Networking Settings102 Installation and Configuration Guide: Airgo Access PointThe default setting for STP is enabled. Disable STP if the network is small to mid-size and looping is not a concern.Bridge Statistics The Bridge Stats tab (Figure 72) provides a summary of transmit/receive statistics for each bridge or VLAN. The statistics are calculated from the last time the AP was rebooted or the Clear Statistics button was selected. Click Clear Statistics to return the collected values to zero and start collecting statistics again.Figure 72: Bridge Configuration - Bridge StatsARP Table The Address Resolution Protocol (ARP) tab (Figure 73) displays the current mapping of IP addresses to MAC addresses associated with the listed interface. During normal operations, the ARP table is updated automatically based on the number of MAC entities in the network. If a mapping changes, however, some entries of the ARP table may become invalid. In this case, click Clear ARP Cache on the tab to remove the current ARP entries and repopulate the table automatically with valid entries. Click Refresh to update the display.
Configuring IP RoutesInstallation and Configuration Guide: Airgo Access Point 103Figure 73: Bridge Configuration - ARP TableConfiguring IP RoutesIP routing expands the addressing capability of the Airgo AP and allows you to mange the AP from outside its local subnet. Use the IP Routing panel (Figure 73) to explicitly address subnets that are not local. If a destination subnet is not entered into this panel, then default network routing applies.Figure 74: IP RoutingThe Route table shows the static route entries currently configured on the AP and bound to bridging interfaces. To create a new route, click Add, enter the following information, and click Save.Field DescriptionDestination IP Enter the IP address of the subnet to which packets can be forwarded, along with the subnet prefix for the address.
5 Configuring Networking Settings104 Installation and Configuration Guide: Airgo Access PointGateway IP Enter the IP address of the gateway that will route traffic between this AP and the destination subnet.Interface Name Enter the name of the bridging interface. Use the br prefix, as described in “Configuring Bridging Services” on page 100.Field Description
Configuring VLANsInstallation and Configuration Guide: Airgo Access Point 105Configuring VLANsVLANs are key to helping enterprises improve network traffic flow, increase load, and deliver varying levels of service and access to different groups of users. For example, Figure 75 shows how Acme Works uses two VLANs: one for normal corporate traffic and one for Finance Department traffic. When a Finance Department user logs in to the network, the Finance group tag is passed to the Airgo AP, and the Finance service profile, including Finance VLAN, is applied to the user. Database transaction traffic, which was previously a burden on the overall network, is now handled through the Finance VLAN and is transparent to normal corporate users.Figure 75: Example Use of VLANs to Manage Enterprise Traffic The Airgo AP supports up to 16 VLANs including the default VLAN. Use the VLAN Configuration panel, accessible from the Networking Services menu, to add new VLANs and map VLANs to specific AP interfaces. The VLAN panel contains a list of users assigned to user VLANs; to make user VLAN assignments, use service profiles (“SSIDs and Service Profiles” on page 79).The VLAN Configuration panel contains the following tabs:•VLAN Table—View the list of currently defined VLANs and add or modify VLANs.•Interface VLAN—Assign VLANs for untagged frames arriving at the AP.•User VLAN—View the list of users assigned to each VLAN by virtue of user group membership.•VLAN Stats—View packet statistics for each VLAN.RADIUSServerA0044BCorporateVLANCorporateVLANVLAN SwitchFinanceVLANFinanceVLANCorporate Finance
5 Configuring Networking Settings106 Installation and Configuration Guide: Airgo Access PointVLAN Table Choose VLAN from the Networking Services menu to list information about each VLAN and interface (Figure 76). Figure 76: VLAN Configuration - VLAN TableThe VLAN table contains the following columns of information:Field DescriptionVLAN ID Identifier for the VLAN. In bridging notation, this is the numeric ID that follows the br prefix. Name Alphanumeric name of the VLAN. The field is optional, unless it is the default VLAN. The maximum length of VLAN Name is 80 characters.IP Address The IP address and subnet prefix assigned to the VLAN. Assigning an IP address enables the VLAN to be managed from this AP.Management VLAN Indication of whether this VLAN is the management VLAN or not.Interface The logical AP interface. The table contains a separate row for each VLAN/interface combination.
Configuring VLANsInstallation and Configuration Guide: Airgo Access Point 107Use the buttons on the Summary tab to add a new VLAN, configure an existing VLAN, delete an interface from a VLAN, delete IP addresses from a VLAN, or set an interface as part of the management VLAN. The default VLAN cannot be modified.To add a new VLAN, click Add to open the Add VLAN Entry panel (Figure 77).Figure 77: VLAN Configuration - Add VLAN Entry PanelEnter the following information to define the new VLAN:Click Apply to create the new VLAN and return to the VLAN table.Interface VLAN When the AP receives a frame, it must determine the VLAN to which the frame belongs. If the received frame is tagged, then VLAN is already known, and the AP can route the packet Tagged Indication of whether the identity of the VLAN is explicitly encoded in transmitted packets. Each frame contains a four-byte tag that encodes the VLAN to which the packet belongs when it is sent on a tagged interface. If the received packet is untagged, the packet is classified as belonging to the interface VLAN. If the VLAN interface is not tagged, then the AP drops any VLAN-tagged packet. When the packet is transmitted from the interface, it is be untagged. Field DescriptionVLAN Name Enter an alphanumeric name for the VLAN. The maximum length of VLAN name is 80 characters. (optional)VLAN ID Enter a numeric identifier for the VLAN. This number is used for table references and as part of the bridging ID. The range is 2 - 4093. (required)IP Address/Maskbits Enter the IP address and maskbits used to access the VLAN for management purposes. If the address is to be assigned by a DHCP server, select DHCP Assigned.If the VLAN is to be used for guest access, you must assign an IP address. See “Configuring Guest Access” on page 156Select Interface Select interfaces for the VLAN. If an interface is assigned to the VLAN, then packets transmitted over that interface are included in that VLAN. Tagged Select Tagged for an interface to mark packets sent out over the interface as belonging to the VLAN.Field Description
5 Configuring Networking Settings108 Installation and Configuration Guide: Airgo Access Pointaccordingly. The Interface VLAN tab (Figure 78) specifies treatment of frames that arrive at the AP in an untagged state. Each interface is assigned to a VLAN, which then receives all untagged frames arriving at the interface. Figure 78: VLAN Configuration - Interface VLANMake sure that the VLAN is defined before assigning an interface, and then configure the following fields: Click Add to assign the interface to the specified VLAN.User VLAN The read-only User VLAN tab (Figure 79) lists the client stations mapped to each VLAN by way of bound service profiles. The tab contains the following information:See “Configuring SSID Parameters” on page 78 for information on service profiles.Field DescriptionSelect Interface Select the AP interface.VLAN ID Enter the VLAN ID. (required)Default Select to assign this as the default VLAN for untagged frames.Field DescriptionVLAN ID VLAN identifierVLAN name Alphanumeric name of the VLANIP Address Address used to access the VLANMAC Address MAC addresses of the client stations that are mapped to this VLAN through their user group’s service profile
Configuring VLANsInstallation and Configuration Guide: Airgo Access Point 109Figure 79: VLAN - User VLAN
5 Configuring Networking Settings110 Installation and Configuration Guide: Airgo Access PointVLAN Statistics The VLAN Stats tab (Figure 80) provides a summary of transmit/receive statistics for each VLAN. The statistics are calculated from the last time that the AP was rebooted or the Clear Statistics button was selected. Click Refresh to update the statistics or Clear Statistics to return the collected values to zero and start collecting statistics again.Figure 80: VLAN - Stats
Configuring Quality of ServiceInstallation and Configuration Guide: Airgo Access Point 111Configuring Quality of Service Under normal network conditions, traffic in the wireless network is routed on a best-effort basis, and all types of traffic are treated with equal priority. Quality of Service (QoS) permits priority setting for different types of traffic, which can be important for applications in which even minor interruptions in packet transmission can have a deleterious effect on perceived results. Examples include streaming media or voice-over-IP (VoIP). With a QoS process in place, multiple clients can run applications with varying traffic delivery requirements over a single shared network.Airgo supports QoS through hierarchical classes of service (COS) that control how network bandwidth is shared among multiple entities. COS specifies a numeric class code with values ranging from 0 (lowest priority) to 7 (highest priority). This method does not guarantee bandwidth for different traffic types, but does assure that high COS traffic will be given preference.For example, when Acme Works wanted to set up a video conference center, it was important to provide a higher quality of service for the video conference application. The company accordingly set up a structure of multiple SSIDs in which a higher COS value was assigned to the service profile for the Video SSID (Figure 81). Figure 81: Example Applications with Different COS LevelsThe Airgo AP supports several options for assigning COS to the packets passing into the AP (the ingress to the AP).Rule DescriptionTCID-to-COS mapping Defines a COS mapping based on the Traffic Class Identifier (TCID), which is part of the standard 802.11 frame header. Incoming packets with a TCID value assigned can be mapped to COS. VLAN-to-COS Defines a COS mapping for packets that are not VLAN-tagged upon arrival at the AP. Interface-to-COS Associates a COS value to each of the AP interfaces (eth0, wlan0, wlan1). MAC Uses the COS value from the user group’s service profile (see “Configuring SSID Parameters” on page 78).A0043BSSID="Corporate" SSID="Video"10/100 Switched EthernetCorporate VideoCOS=7COS=4
5 Configuring Networking Settings112 Installation and Configuration Guide: Airgo Access PointUse the QoS Configuration panel to define TCID, VLAN, and Interface COS mappings. Use the Advanced QoS Configuration panel (“Configuring Advanced QoS” on page 115) to define the IP and DSCP mapping and to assign class order.The QoS Configuration panel is divided into the following tabs:•Ingress QOS—Define COS mappings packets entering the AP. •Egress COS—Assign priority to the 802.11 packets leaving the AP.•QOS Stats—Display QoS statistics for each of the AP interfaces.IP Precedence Defines a mapping based on the first 3 bits in the Type of Service (TOS) byte of the IP header. Incoming packets that have an IP Precedence value can be mapped to COS.DiffServ Code point (DSCP)-to-COS Defines a mapping based on the first 6 bits in the TOS byte of the IP header. Incoming packets that have a DSCP value can be mapped to COS.IP Protocol Assigns COS value based on the standard numbers for individual IP protocols.Class Order Determines the order in which all the COS mapping rules are applied. Rule (continued) Description
Configuring Quality of ServiceInstallation and Configuration Guide: Airgo Access Point 113Ingress QOS Use the Ingress QOS tab to assign COS values to incoming 802.11 packets. If a packet has a COS value in the VLAN tag when it arrives at the AP, then its COS value is honored by the AP. If the packet is not VLAN-tagged, then it can be classified at the ingress interface by way of a COS map defined on the Ingress QOS tab (Figure 82).Figure 82: QOS Configuration - Ingress QOS
5 Configuring Networking Settings114 Installation and Configuration Guide: Airgo Access PointPerform the following functions on this tab:Egress COS Use the Egress COS tab (Figure 84) to modify the default priorities assigned to 802.11 packets leaving the AP by creating a COS-to-TCID mapping. If a TCID to COS mapping is defined, the TCID value is obtained from the mapping table of the interface based on the COS field of the frame. By default, COS-to-TCID mapping is one-to-one, i.e. COS 0 maps TCID 0, 1 maps to 1, … and 7 maps to 7. If your network supports fewer than 8 priority levels, you can map multiple COS levels to a single TCID value.Figure 83: QOS Configuration - Egress COSFunction StepsDefine TCID to COS mapping 1Select the radio interface for the mapping.2Select a COS value for each TCID value, or select Default to accept the default mapping.3Click Apply.Define VLAN-to-COS mapping 1Click Add.2Select the AP interface.3Select the VLAN ID. (See “Configuring VLANs” on page 105 for information on VLAN IDs.)4Select a COS value or select Default to use the default mapping.5Click Apply.Interface-to-COS 1Click Add.2Select the AP interface.3Select a COS value or select Default to use the default mapping.4Click Apply.
Configuring Advanced QoSInstallation and Configuration Guide: Airgo Access Point 115Configure the following fields on this tab:Click Apply to save your changes or Reset to return to previously saved values.QoS StatsThe QoS Stats tab (Figure 84) presents incoming packet and outgoing packet counts for each of the AP interfaces. The counts are indexed to one of the eight available COS levels. Every statistic is a comma-separated set of numbers, each of which corresponds to one of the COS levels: 0-7. For example, the out-of-packet count for wlan0 in the figure shows 77614 packets at COS level 0 and 36127 packets at COS level 7.Click Clear Statistics to return the values to zero and restart the collection process.Figure 84: QOS Configuration - QOS StatsConfiguring Advanced QoSUse the Advanced QoS panel to assign COS values to packets entering the AP based on IP layer information and choose the QoS class order. The panel contains the following tabs:•Class-Order—Determine the order in which to apply all the QoS rules.•IP-DSCP—Define COS mapping based on the first 6 bits in the TOS byte of the IP header. •IP Protocol—Use standard IP protocol numbers assigned to different IP layer protocols.•IP Precedence—Define COS mapping based on the first 3 bits in the TOS byte of the IP header.Field DescriptionSelect Radio Interface Select the AP interface.Default Select to use the default mapping.TCID If Default is not selected, map each COS level to a TCID level.
5 Configuring Networking Settings116 Installation and Configuration Guide: Airgo Access PointClass-OrderThe COS mappings on the QoS and Advanced QoS Configuration panels may yield conflicting results for ingress packet priority. Use the Class-Order tab (Figure 84) to specify the order in which to apply each of the rules. When a packet arrives at the AP, the AP checks to see whether a mapping exists for the first rule in the class-order list. If so, that mapping is applied to the packet. If not, the AP checks whether a mapping exists for the second rule. If so, that mapping is applied. If not, the AP continues down the class-order list. The default class order is:•TCID• IP Protocol•DSCP• IP Precedence•MAC•VLAN• InterfaceFigure 85: Advanced QOS Configuration - Class-OrderConfigure the following fields on the Class-Order tab:Field DescriptionSelect Radio Interface Select the AP interface.Ingress Class Order - Default Select to use the default mapping.Ingress Class Order - Move to Top If the default order is not chosen, select a COS mapping type and click Apply to move it to the top of the class-order priority list. Repeat as needed to create the desired ordering.
Configuring Advanced QoSInstallation and Configuration Guide: Airgo Access Point 117Click Apply to save all the changes on the tab.IP-DSCPUse the IP-DSCP tab (Figure 86) to map DiffServ Code point (DSCP) values to COS and to view the current DSCP to COS maps. DSCP uses the first 6 bits in the TOS byte of the IP header, so the possible values range from 0 to 63.Figure 86: Advanced QOS Configuration - IP-DSCP
5 Configuring Networking Settings118 Installation and Configuration Guide: Airgo Access PointConfigure the following fields on this tab:Click Apply to save all the changes on the tab.IP ProtocolUse the IP Protocol tab (Figure 87) to base the COS mapping on IP protocol numbers, as defined in Version 4 of the IP protocol. Current protocol number assignments are available at http://www.iana.org.Figure 87: Advanced QOS Configuration - IP ProtocolConfigure the following fields to define the IP Protocol-to-COS map:Click Apply to save all the changes on the tab.Field DescriptionSelect Radio Interface Select the AP interface.Default Select to use the default mapping.DSCP String If Default is not chosen, enter up to eight DSCP values that you want to map to a specific COS value. COS Select the COS value.Field DescriptionSelect Radio Interface Select the AP interface.IP Protocol ID Enter the number assigned to the IP protocol.COS Select the COS value.
Configuring Packet FiltersInstallation and Configuration Guide: Airgo Access Point 119IP PrecedenceUse the IP Precedence tab (Figure 88) to base the COS mapping on the first 3 bits in the TOS byte of the IP header.Figure 88: Advanced QOS Configuration - IP PrecedenceConfigure the following fields to define an IP Precedence-to-COS map:Click Apply to save all the changes on the tab.Configuring Packet FiltersUse the Filter Configuration panel, accessible from the Networking Services menu, to define packet filtering rules for the specific AP interfaces. Filters can help improve performance by reducing load on the wireless side of the network.The panel contains the following tabs:•Filter Table—View currently-defined packet filters and add or edit filters.•Filter Stats—View counts of packets that match the filter criteria.Filter Table Choose Filter Configuration from the Networking Services menu to open the Filter Table tab (Figure 89). By default, an incoming and outgoing filter is defined for each of the interfaces wlan0, wlan1, and eth0. The Filter table displays the name of the interface, whether it is for incoming or outgoing traffic, whether to accept or discard the packet, and the criterion used to accept or discard it.Field DescriptionSelect Radio Interface Select the AP interface.Default Select to apply the default mappingCOS If Default is not chosen, select the desired COS values.
5 Configuring Networking Settings120 Installation and Configuration Guide: Airgo Access PointFigure 89: Filter Configuration - Filter TableFrom the Filter Table tab, add a new filter by clicking Add, or edit an existing one by selecting the filter and clicking Edit. The Add Filter Entry panel opens(Figure 90). Enter or select values for the following fields:Click Apply to save the values and return to the Summary tab. Click Cancel to return to the Summary tab without saving the values.Field DescriptionInterface Name If creating a new filter, select an interface from the pull-down list.Filter Direction Specify whether the filter is for incoming (ingress) or outgoing (egress) communications. It is necessary to create a separate filter for each.Accept/Discard Indicate whether the filtering rule is to accept or discard the packet. Select Match Indicate if the filter rule is satisfied when a packet contains an Ether Type value that matches the specified Ether Type, or if the filter rule is satisfied when a packet contains an Ether Type that does not match any other filter rule. Ether Type is the standard Ethernet code for the type of packet (e.g., for IP, the code is 2048, or 0x800 hex).
Configuring InterfacesInstallation and Configuration Guide: Airgo Access Point 121Figure 90: Filter Configuration - Add Filter Entry PanelFilter Statistics The Filter Stats tab (Figure 91) lists statistics for each defined filter. The statistics are calculated from the last time that the AP was rebooted or the Clear Statistics button was selected. The Hits column shows the number of packets of the specified type received on the interface with the defined filter. Click Refresh to update the statistics or Clear Statistics to return the collected values to zero and start collecting statistics again.Figure 91: Filter Configuration - Stats TabConfiguring InterfacesUse the Interface Configuration panel, accessible from the Networking Services menu, to configure the physical AP interfaces (wlan0, wlan1, eth0). The panel contains the following tabs:•IF Table—View the administrative and operation state of each of the interfaces, and bind an IP address to each interface.•IF Stats—View the packet and byte statistics for traffic traversing each interface.
5 Configuring Networking Settings122 Installation and Configuration Guide: Airgo Access PointInterface Table Choose Interface from the Networking Services menu to open the Interface Table (Figure 92). Use this tab to assign an IP address to each interface, thereby making it possible to route traffic to the interface. Without an assigned IP address, traffic can only be bridged to the interface, not routed. Figure 92: Interface Configuration - IF TableThe Interface table lists each interface along with its IP address, enabled or disabled flag, and indication of whether the interface is currently operational. Enable, disable, or delete an IP address assigned to an interface by selecting the interface entry and clicking Enable, Disable, or Delete-IP.To assign an IP address to an interface, enter the following values under IP Address Configuration, and click Apply:Use the Encapsulation Configuration section at the bottom of the tab to ensure that the AP can operate with older equipment that is not fully 802.11-compatible. 802.1h is the current standard for encapsulation. For other, incompatible equipment, select Encapsulated to encase the Ethernet frames from the equipment within standard 802.11 frames. Click Apply after making any change.Field DescriptionInterface Name Select the AP interface name from the pull-down listIP Address Enter the IP address to assign to the interface (required)Maskbits Enter the subnet prefix length for the IP address (required)
Configuring SNMPInstallation and Configuration Guide: Airgo Access Point 123Interface Statistics The Interface Statistics tab (Figure 93) shows packet and byte statistics for each of the AP interfaces. The statistics are calculated from the last time that the AP was rebooted or the Clear Statistics button was selected. Click Refresh to update the statistics or Clear Statistics to return the collected values to zero and start collecting statistics again.Figure 93: Interface - Stats TabConfiguring SNMP Simple Network Management Protocol (SNMP) is an industry standard protocol used to manage interactions with the Airgo APs. The protocol works through message passing between SNMP managers and agents, which are devices that comply with the SNMP protocol. The information of interest to the SNMP manager is stored in the agents’ management information bases (MIBs) and sent to the SNMP manager upon request. SNMP communities restrict access to the MIBs to authorized agents. Each community can be earmarked with read or read/write status, indicating the type of authorized MIBs access. An SNMP trap filters the SNMP messages and saves or drops them, depending upon how the system is configured.Choose SNMP Configuration from the Networking Services menu to open the SNMP panel (Figure 94) to configure SNMP parameters.
5 Configuring Networking Settings124 Installation and Configuration Guide: Airgo Access PointFigure 94: SNMP ConfigurationEnter values in the following fields to define the basic SNMP configuration:Click Apply to save your changes, or Reset to return to previously saved values.The bottom of the SNMP panel contains a table of currently defined traps. To delete a trap, select it in the SNMP Agent Table, and click Delete.Field DescriptionCommunity String Enter the alphanumeric community string (required)Community Read/Write Status Indicate the read or read/write status of the communityTrap Sink IP Address Enter the IP address where SNMP traps should be sent (required)Trap Community Enter the community for SNMP trapsTrap Sink Port Indicate the port identified for the SNMP traps (default is 162)
Ping TestInstallation and Configuration Guide: Airgo Access Point 125Ping Test Use the Ping Test panel to execute an ICMP Echo Request to check network connectivity to a remote IP host. Enter the hostname or IP address of the remote host. Figure 95 shows the Ping Test panel with test results presented.Figure 95: Ping Test
5 Configuring Networking Settings126 Installation and Configuration Guide: Airgo Access Point
Installation and Configuration Guide: Airgo Access Point 1276Configuring a Wireless BackhaulThis chapter explains how to set up a wireless distribution system to cover a large area with limited wired network connectivity. It covers the following topics:•Introduction•Setting Up a Wireless BackhaulIntroductionWireless backhaul refers to the process of delivering data from a node on the wireless network back to the wired network. In a wireless backhaul configuration, some APs connect directly to the wired network, while others relay wireless signals from clients to the APs that are connected to the wired network. Wireless backhaul interconnects multiple Airgo Access Points to form a wireless distribution system, in which an 802.11x network covers large areas, such as a campus or open area with relatively few wired access points (Figure 96).Figure 96: Wireless Backhaul NetworkApplications of wireless backhaul include building-to-building bridging and 802.11b traffic aggregation. Airgo support for wireless backhaul includes bridge creation, instantiation of logical bridge ports on radios, and bridging functions such as address learning, packet forwarding, and Spanning Tree Protocol (STP).A0007BWireless Backhaul = 10/100 Switched Ethernet
6 Configuring a Wireless Backhaul128 Installation and Configuration Guide: Airgo Access PointUse of Radios for BackhaulEach access point in a backhaul configuration must have two radios and be enrolled in the network. One of the radios operates in normal mode to serve downstream APs or clients. The other radio assumes the backhaul role (BP), relaying network traffic from clients or other APs through the backhaul arrangement up to the wired network. Each radio operates in a different band.For a backhaul point radio to establish a link with an AP, it must be able to receive its radio signals. Accordingly, the AP node with the BP radio must be within range of the upstream AP radio. A radio can be configured to operate in the BP mode even if its node is directly connected to the wired network, as in the case of building-to-building bridge applications. From the perspective of the wired APs, each backhaul AP appears as a client; however, these “clients” are not identified in the RADIUS user database. For authentication purposes, identity information for the backhaul APs is automatically entered into the internal RADIUS database on the security services portal AP upon enrollment of the backhaul node. Users cannot view or modify this information.Wireless Backhaul TrunksA trunk is a wireless connection from one access point radio to another. An access point that is not connected to the wired network or an access point explicitly configured in the BP mode tries to establish a wireless trunk connection to another access point. A succession of trunks established between access points provides a path from client stations through the wireless network to the wired network.If a trunk connection fails or a backhaul link goes down, then the access point that established the trunk re-scans the wireless environment and attempts to connect to another AP radio with compatible wireless and network characteristics. This process is called retrunking. Backhaul retrunking usually occurs quickly (2-3 seconds) if uplink candidates are available. Subnets do not change as a result of retrunking. If a backhaul trunk fails and the BP radio cannot reestablish (recover) backhaul within 30 minutes, all backhaul links formed with its uplink AP radio are brought down. This gives an opportunity for the downlink nodes to attempt to form alternate backhaul paths.Wireless Backhaul securityAfter enrollment, the BP radio uses WPA (EAP) for authentication and AES for encryption on its trunk or trunks. The following security restrictions apply:•The upstream AP must have WPA enabled. •All WPA-compatible authentication and encryption schemes are permitted.•WEP may be enabled in addition to WPA on the upstream AP•Both upstream and downstream APs must be enrolled by NM Portal.For more information on security, see Chapter 7, “Managing Security.”NOTE: The access point must have a wired connection to be enrolled in the network (see “Enrolling APs” on page 165). After the AP is enrolled, the wired connection can be removed.
Setting Up a Wireless BackhaulInstallation and Configuration Guide: Airgo Access Point 129Setting Up a Wireless BackhaulChoose Wireless Backhaul from the Wireless menu to bring up the Wireless Backhaul configuration panel. The panel contains 4 tabs:•Link Criteria—Configure criteria for backhaul trunk formation.•Candidate APs—Identify APs to use for the uplink.•Trunk Table—View the list of current backhaul trunks.•Trunk Stats—View statistics for the backhaul trunks.Link Criteria Use the Link Criteria tab (Figure 97) to set up the network parameters for the wireless backhaul. These parameters specify the rules that apply to the backhaul point (BP) radios which form uplink backhaul trunks by associating to normal radios (AP). These rules are used to determine the candidate parent list of upstream APs for the backhaul trunk.Figure 97: Backhaul Configuration - Link Criteria
6 Configuring a Wireless Backhaul130 Installation and Configuration Guide: Airgo Access PointThe Uplink Configuration settings on this tab restrict how the backhaul is configured. Select some or all of the settings, or leave this section blank to permit unrestricted choice of uplinks:After making changes in the Uplink Criteria Configuration section, click Apply. Click Reset to return the parameters on the panel to the previous saved values.Use the area at the bottom of the tab to specify the BSSID criteria (in conjunction with the Uplink BSSID buttons):After adding BSSIDs, click Apply. The BP now attempts to establish a backhaul link based upon the configured rules. Click Delete to remove a BSSID from the list.Field DescriptionSelect Radio Interface Select radio wlan0 or wlan1.SSID Criteria Select Detected SSID to connect to a specific network. To add an SSID which is not currently in operation, select New SSID and enter the name of the SSID. This configuration is one of the attributes used by the radio in BP mode to form a backhaul.IP Subnet Criteria Enter an IP address and subnet prefix length to restrict the backhaul to a specific subnet. The BP radio selects those APs as candidates that advertise the specified subnet. If the IP address is 0.0.0.0, the BP radio ignores the subnet ID as a criterion when selecting AP candidates for trunk formation. Path Selection Criteria Choose the criterion for selecting the best wireless backhaul route from the following three options:•Lowest Weighted Cost—Candidate parent APs are selected in ascending order of path cost. (The candidate parent with lowest path cost to the wired network is the one with highest priority). Path cost is a cumulative metric in which each hop contributes to the path cost value. The calculation factors in the backhaul and non-backhaul traffic load on the candidate AP and quality of the link between the backhaul end points. •Smallest Hop Count—Candidate parents are selected in ascending order of hop count (number of hops to the wired network).•Highest Node priority—Candidate parents are selected in ascending order of priority as determined by the configured uplink BSSID list.Uplink BSSID Criteria This parameter is used in conjunction with the area entitled BSSIDs For Uplink Criteria at the bottom of the tab to restrict uplink candidates to a specific set of BSSIDs or to permit all BSSIDs except a designated list. •To restrict candidates to a designated list, select Accept from BSSIDs.•To avoid candidates on a specified list, select Discard from BSSIDs.Field DescriptionAdd BSSID To add BSSIDs to the Selected list, add from the pull-down list, and click Add. Alternatively, enter the name of a BSSID, and click Add. The saved BSSIDs are displayed in the selected BSSIDs list on the right. This list that determines acceptable uplink candidates (if Accept from BSSIDs was selected in Uplink BSSID Criteria), or eliminated uplink candidates (if Discard from BSSIDs was selected).
Setting Up a Wireless BackhaulInstallation and Configuration Guide: Airgo Access Point 131Candidate APs Select the Candidate APs tab (Figure 98) to identify the access points that can be used to create the uplink to the wired network. Figure 98: Backhaul Configuration - Candidate APsThe panel displays the discovered APs that are able to provide uplink connectivity. The table of uplink candidate APs shows the following information:If no uplink candidate APs are available, the table is empty.Trunk TableSelect the Trunk Table tab (Figure 99) to view the list of current backhaul trunks. The backhaul is established if the MAC address of the backhaul trunk is listed in the table.Figure 99: Backhaul Configuration - Trunk TableFeature DescriptionInterface Radio interface of uplink candidate parentDestination MAC Address BSSID of the remote uplink candidate parentAP beacon name Name of the AP node of the candidate parent, sent in beacons
6 Configuring a Wireless Backhaul132 Installation and Configuration Guide: Airgo Access PointThis tab contains the following information:If no trunks are detected, the table is empty.Trunk Statistics Select the Trunk Statistics tab (Figure 100) to statistics for the available backhaul trunks. If no trunks are detected, the table is empty. To clear the cumulative statistics, click Clear Statistics.Figure 100: Backhaul Configuration - Trunk StatsThis tab contains the following information:Feature DescriptionInterface Name Radio interface of the BP radio (uplink) or AP radio to which downlink trunks are connected. Applies to uplink and downlink trunks.Band (2.4 GHz or 5 GHz, or both) Operating band of the uplink or downlink trunks. Applies to uplink and downlink trunks. For the uplink trunk the band is the operating band of the BP radio. For downlink trunks the band is the operating band of the AP radio. Trunk Dest MAC MAC address (BSSID) of the remote backhaul destination. For Uplink trunks this is the MAC address of the parent AP; for downlink trunks it is the MAC address of the BPs (children) associated with the AP radio. Applies to uplink and downlink trunks.Channel ID of the channel on which the backhaul trunks (uplink and downlink) are operating. Applies to uplink and downlink trunks.Re-trunk counts Number of times the BP (uplink) retrunked (could be due to trunk failure or trunk optimization). Applies only to the uplink trunk.Link Type Indication of whether the interface is an uplink or downlink trunkField DescriptionInterface The AP radio interface (wlan0 or wlan1)Rx Bytes Number of bytes received at this APRx Packets Number of packets received at this AP
Setting Up a Wireless BackhaulInstallation and Configuration Guide: Airgo Access Point 133Click Clear Statistics to return the counts in this tab to zero and begin collecting statistics again.Tx Bytes Number of packets transmitted by this APTx Packets Number of packets transmitted by this APRx Multicast Packets Number of multicast packets received by this APField Description
6 Configuring a Wireless Backhaul134 Installation and Configuration Guide: Airgo Access Point
Installation and Configuration Guide: Airgo Access Point 1357Managing SecurityThis chapter describes the encryption and authentication features of the Airgo Access Point and explains how to set the security configuration. The chapter includes the following topics:•Introduction•Configuring Wireless Security•Configuring Authentication Zones•Configuring Administrator Security•Viewing Security Statistics•Configuring Advanced ParametersIntroductionAirgo offers the strongest available security options for wireless networking, as listed here and illustrated in Figure 101:•AP Security verifies the identity of individual APs and authorizes them to be part of the wireless network. APs can be enrolled individually or pre-enrolled as group. The process uses a certificate and password to fully verify the identity of the AP. By clearly identifying which APs belong to the authorized set, the enrollment process can also help identify unauthorized or rogue APs. •Administrator security authorizes designated users to access the configuration and management capabilities of the AP using HTTPS, SSH, or SNMPv3 for the web interface, CLI, or network management system. •User security encompasses authentication and encryption. Authentication verifies the identity of individual users and gives them access to the network, restricted to specific network service profiles. Once the network and authenticated users are in place, data encryption protects the privacy of user data transmitted over the wireless network.•Guest access security provides password or custom access control for guest users, including the configuration of a guest-VLAN for Internet access and session management.NOTE: For information on security for access point enrollment, refer to Chapter 9, “Managing the Network.”
7 Managing Security136 Installation and Configuration Guide: Airgo Access PointFigure 101: Elements of Airgo Security AP SecurityAirgo provides a highly secure process to enroll access points. Three distinct levels of identification verify the AP: Device ID, Thumbprint, and a bootstrap password unique to the AP. To assure central control of the verification process, it is recommended that a single enrollment server handle enrollment for the entire wireless network. The architecture supports two enrollment server options:•AP Enrollment Server—Designate an NM Portal AP as the enrollment server for the network. For instructions, see Chapter 9, “Managing the Network.”•NMS Pro—The NMS Pro network management system, offered as a separate product, operates as a complete enrollment solution for the enterprise. In addition to supporting manual AP enrollment, NMS Pro includes automatic AP pre-enrollment by way of a bar code reader interface. For information on using NMS Pro, see the NMS Pro Installation and Configuration Guide.Administrative SecuritySSH, https, and SNMPv3 are used for secure administrative access to the AP.User SecurityAcceptable and effective solutions for user authentication depend upon the network size, complexity, and existing authentication infrastructure. Users Security• All WPA Modes• EAP-TLS, -PEAP, -PSK• AES, TKIP or WEP EncryptionA0047AP Security• Secure AP Enrollment• Batch or One-Click• Certificates & PasswordAdmin Security• Admin & Operator• Username, Password• SSH, HTTPS, SNMPv3Guest Security• Password or Custom Access Control• Guest-VLAN for Internet Access• Session ManagementGuest SecurityUser SecurityAdmin SecurityAPSecurity
Data EncryptionInstallation and Configuration Guide: Airgo Access Point 137Current user authentication standards are based on the IEEE 802.1x specification, which identifies users and permits connectivity based upon policies established in a central server. Many authentication servers use the Remote Authentication Dial-In User Service (RADIUS) protocol, which enables remote access servers to communicate with the central server to authenticate users and authorize service or system access. Within the RADIUS context, the most effective authentication methods use versions of the Extensible Authentication Protocol (EAP) for the end-to-end authentication of the client by the authentication server.The Airgo AP can meet all the user authentication needs for the full range of wireless networks. (See Chapter 2, “Planning Your Installation.”) Airgo supports several modes of authentication, as listed in Table 11. WPA-PSK uses pre-shared keys (PSK) that is configured directly by the administrator into the AP and network clients. Based on the network wide key, the clients and AP receive unique session keys for each client session. This approach can be effective for small businesses for whom strong encryption is desired but a centralized authentication infrastructure is not available. EAP-TLS (EAP with Transport Layer Security) is a certificate-based authentication method based on the TLS protocol. The RADIUS security services within the Airgo AP provide EAP-TLS for user authentication. Airgo also supports integration with RADIUS servers that support EAP-TLS or EAP-PEAP.In addition to the EAP-based authentication methods, Airgo supports WEP-based encryption for legacy clients. Airgo also supports the option of no user authentication. Data EncryptionTable 12 lists the available options for data encryption, in order of decreasing protection. The current standard for data encryption is WPA-AES, which provides financial-grade protection. The WEP encryption options use 64-bit or 128-bit encryption keys, assigned manually or dynamically, as dictated by the capabilities of the client. These offer some protection against casual interlopers; however, the WEP algorithms are vulnerable to compromise and can be difficult to maintain. WPA-TKIP closes the major WEP loopholes and can be an acceptable alternative to standard WEP. Open Table 11: Authentication Options Type DescriptionEAP-TLS Certificate-based authentication, used by the Airgo security services portal and many external RADIUS serversEAP-PEAP EAP-PEAP RADIUS based authenticationWPA - PSK Authentication acceptable for small to mid-size installations, in which manual distribution of keys is convenient and centralized management is not requiredDynamic WEP with 802.1x Not recommended due to limitations of the WEP algorithms. If it is necessary to use this option to support legacy equipment, make sure that a RADIUS server configured for the SSID. The RADIUS server should be configured to support EAP-TLS or EAP-PEAP. Note that the Airgo Wireless LAN Client Adapter does not support dynamic WEP.None No user authentication

Navigation menu